Module 1 - Information Security Management Principles
This course introduces the core concepts and definitions used in information security and provides an important foundation for the modules that follow. It then builds on that knowledge by outlining how information security contributes to achieving the objectives of an organization through strong governance, risk management and compliance.
The objectives of this course are to provide you with an understanding of:
- What security means
- The core concepts and definitions used in information security
- The key business drivers and how they shape the organization’s approach to governance, risk management and compliance
- The benefits of information security
- The role information security plays in an organization
- How an organization can make information security an integral part of its business
This course is ideal for members of information security management teams, IT managers, security and systems managers, information asset owners and employees with legal compliance responsibilities. It acts as a foundation for more advanced managerial or technical qualifications.
There are no specific prerequisites for this course. However, a basic knowledge of IT, an understanding of the general principles of information technology security, and an awareness of the issues involved in security control activity would be advantageous.
We welcome all feedback and suggestions. Please contact us at firstname.lastname@example.org if you are unsure about where to start or if you would like help getting started.
Welcome to this video on the benefits of information security, which looks at the crucial role information security plays in an organization and how an organization can make information security an integral part of its business.
We’ll start by identifying some key business drivers and then see how they shape the organization’s approach to governance, risk management and compliance.
Each area of an organization shares a common aim – to help the organization achieve its objectives.
This means that information security needs to be integrated with the activities of the organization and supported by senior management.
It’s too easy for security to be perceived as an obstacle to innovation and something that holds an organization back. This is the ‘security says no’ culture, in which security is treated as a ‘necessary evil’ that adds unnecessary costs to projects and isn’t always taken seriously.
Creating a positive security culture is critical, but it needs to be done in the right way. This means:
· Security should be proportionate – adequate but not excessive;
· Stakeholders should understand the need for security and their role in enabling it; and
· Security should be seen as a business enabler – giving the organization a competitive advantage.
Seen in this positive light, security can:
· Enable new ways of doing things – like mobile working – which might have been considered too risky before it was evaluated by the security architecture team.
· Improve working practices by forcing an organization to focus on process optimization and efficiencies.
· Minimize potential costs due to non-availability or unauthorized disclosure of information – whilst it might increase costs to implement controls today, it may save money over time.
Think about a large organization which is implementing a system where users swipe their ID card through a reader to authenticate to the printer before their documents are released. Because nothing is printed until the user is standing at the device, documents are not left uncollected in the output tray where anyone could read them. The benefits this approach gives the organization include:
· Saving printing costs by only printing documents at the point of collection – users can’t forget to pick up their printing, so nothing is printed and then thrown away; and
· Enabling users to collect their documents from any printer – making it easier for them.
Although not necessarily a tangible benefit, the organization also has a good story to tell about its approach to security, which can have a positive effect on its public image and company value.
As well as embedding security practices across the organization, it’s important that security isn’t just seen as the responsibility of the IT function or the Information Security Manager.
It must be part of the organization’s culture, with all staff understanding their role as stakeholders; playing their part in implementing a secure environment and making sure security is integrated across all systems and processes.
One of the most expensive mistakes an organization can make is to try to retrofit security at the end of a project. Typically, this results in two things happening:
· First, the costs increase – it’s generally more expensive to add things later; and
· Second, the result will not be as good as it should be – adding in new elements at the end of a system development cycle can lead to errors and vulnerabilities.
The Microsoft Windows operating system is a good example of a system that was not fully designed with security in mind – it took Microsoft a long time to get to the point where Windows security is considered robust.
Let’s move on now to look at some of the business drivers that impact security.
The obvious one is perhaps the increasing use of the internet by Governments, businesses and individuals to complete transactions and communicate with each other online.
There’s also an increasing requirement to store information online, including:
· Governments holding individuals’ tax and pension information;
· Businesses holding personal or business bank account details;
· Credit card details for online shopping;
· Personal details stored on social networking sites such as Facebook, Twitter and LinkedIn.
Many organizations operate or sell goods in other countries which means they need to securely transact with overseas parties, and follow local laws and regulations relating to the storage and handling of personal data – especially if they transfer personal data abroad.
All of this makes it more important – and difficult – to keep information secure.
In an online world, there are many information security considerations and these are increasing all the time. Some examples include:
· Maintaining the integrity and authenticity of transactions and communication between parties;
· The risks of malware infections through unsolicited email, and phishing attacks where criminals lure unsuspecting users to a rogue site to steal their data; and
· Data loss, such as the loss of a laptop with sensitive data on it, or the compromise of credit card information held by online merchants – there have been some well-publicised examples of this.
Many security experts consider the insider threat to be the biggest threat source to organizations. This can range from a disgruntled system administrator with full access to an organization’s systems to individual employees who have access to confidential information – and it includes careless staff as well as malicious ones.
And, as organizations evolve, so do the implications for information security.
Consider the increased use of outsourcing and offshoring over recent years and the continual adoption of cloud services. Mergers and acquisitions also contribute to the changing landscape.
The information security approach must be able to adapt to new business models and support new technologies.
As you’ve seen, security cannot be an afterthought – it must be an important part of the business model.
The most cost-effective way of providing the right level of protection is to make security an integral part of the organization’s operational policy.
Involvement in information security should start with the CEO and the Board. That way the message can be cascaded through the organization in a consistent way and its importance suitably reinforced – it only takes one individual to lose a memory stick containing personal customer records to cause a major reputational impact on an organization.
And then there’s the heavy fine which also helps to focus Board attention!
Information security has moved up the agenda for many organizations, driven by some of the factors we’ve seen.
There are three primary strands organizations should consider:
· Governance: there must be mechanisms in place to govern risk decisions, and to ensure they’re made with due care and full accountability at the most senior level;
· Risk management: risk should be assessed and reduced through security risk management measures. Good risk management ensures that the measures are proportionate, meaning they reduce risk to an acceptable level without excessive security or overspending; and
· Compliance: the organization must comply with internal policies and standards, and with national and international laws. This has become a focus of attention through GDPR, the EU’s General Data Protection Regulation, which has increased the penalties for security violations involving personal data.
Compliance also covers industry standards, such as the Payment Card Industry Data Security Standard – or PCI DSS – which applies to organizations handling payment card transactions. We’ll look at all these aspects further as we progress through this course.
That’s the end of this video on the benefits of information security.
Fred is a trainer and consultant specializing in cyber security. His educational background is in physics: he has a BSc and two master’s degrees, one in astrophysics and the other in nuclear and particle physics. However, most of his professional life has been spent in IT, covering a broad range of activities including system management, programming (originally in C, but more recently Python, Ruby and others), database design and management, and networking. From networking it was a natural progression to IT security and cyber security more generally. As well as holding many professional credentials reflecting the breadth of his experience (including CASP, CISM and CCISO), he is a Certified Ethical Hacker and a GCHQ Certified Trainer for a number of cyber security courses, including CISMP, CISSP and GDPR Practitioner.