IT Security Must Enable Business, Not Disable It

However the writing on the tablet also shows that it was in fact a receipt given to “the chief eunuch” of Nebuchadnezzar II, king of Babylon, acknowledging payment of approximately 0.75 kg of gold to a temple in Babylon. So in ancient Babylon, just as today, business and government depended upon the latest technology to record transactions.

Today, organisations that are listed in the US have to comply with the Sarbanes-Oxley Act. The objective of this law is to ensure that the financial position of these listed companies is transparent to investors and other stakeholders. While the law itself makes no mention of IT systems, all such companies have had to look closely at their IT systems to comply. The reason for this is that all financial information is held on and processed by these IT systems, and so a breach of IT security poses a risk to the key data.

Information Security

Information is a key business asset – for some companies it has become the major asset. For example, for a start-up software company or a small pharmaceutical company, the intellectual property which details their single product may be the only real asset that the company possesses.

Information security is concerned with protecting these vital information assets against threats, in order to ensure business continuity, minimise business risk, and maximise return on investments and business opportunities. Information security is achieved by implementing a suitable set of controls, including policies, processes and procedures, as well as technologies.

The key aims of information security are to ensure:

  • Confidentiality – information can only be accessed by the people who should have access, in the ways that they are allowed.
  • Integrity – information is protected against unauthorised changes.
  • Availability – information is available to authorised people whenever it is needed.

Ensuring Information Security – Best Practice

Frameworks like COBIT, ITIL and ISO 27002 can help organisations by defining best practice for IT service management and information security.

These practices for processing information securely are not new; they grew out of the needs of government and military agencies to use computing systems to handle sensitive data.

These were originally described in the Orange Book. This was replaced by the Common Criteria for Computer Security, now defined in ISO/IEC 15408. The UK standard BS 7799 provided a more comprehensive set of standards and best practice for information security management. This was later adopted as ISO standard 17799 and has now been split into two standards, ISO 27001 and ISO 27002.

Specific industry standards have also emerged, such as the Payment Card Industry Data Security Standard (PCI-DSS) and the banking standard, Basel II. This latter standard is interesting because it considers IT risk as part of total risk and translates risk level into financial terms: the higher the risk, the more capital the bank has to set aside.


TechWeekEurope Staff
