Printer Friendly

Defining the mission.

INFORMATION SECURITY IS LIKE BEAUTY; its definition lies in the eyes of the beholder.

And unless we can define a subject--draw boundaries around it and identify its parts--we probably cannot do a good job of managing it.

The business enterprise view of information security gives an orderly and relatively precise picture of the subject. That view is essentially the view from the company security director.

Before one considers security in the business enterprise, the following general guidelines for information security management and policies should be examined thoroughly:

* One of security's jobs is to respond to business needs. The challenge is to provide proper security at an acceptable cost given the environment, risks, and available funds.

* Information security involves the protection of an intangible; many traditional security approaches may not apply in this case.

* For many companies, information is the most critical business resource. Competitive position, market share, and profitability may depend on information generation and confidentiality.

* Information is among the most costly and perishable of business resources today. Many technology-oriented businesses spend 5 to 7 percent of revenue on information generation, delivery, and use.

IN THE ENTERPRISE VIEW OF INFORMATION security, the security function is responsible for protecting a company's reputation, employees, visitors, facilities, equipment, financial resources, materials, and information. That information is an intangible that occurs in three general forms: mental, paper, and electronic.

A well-conceived information security program provides protection to all three forms of information. This protection must be consistent and balanced considering the vulnerabilities of and threats to each from and the limits on security investment.

To be effective, an information security program must have clearly established goals from the outset. For most companies, those goals are already defined by evident business requirements and court precedents.

Goal number one is to prevent unauthorized disclosure, modification, or destruction of information, and to ensure reliable information services.

Goal number two is to establish the means for a successful claim to proprietary rights to information in a court of law, should such action be appropriate in a given situation.

Given the enterprise view and the program goals, we can define the parts of a comprehensive information security program. Work occurs in the following categories:

* administrative (procedural work)

* physical (facility protection work)

* logical (work involving the selection, development, and application of computer software and hardware)

Within the administrative work category is the foundation for any information security effort: information classification. Company information classifications identify which information is valuable or sensitive and allow responsible security managers to make appropriate decisions about security investments in the organization.

Mental forms of information are protected by administrative procedures. Mental information is job-related knowledge employees acquire during their time with a company.

Security can apply administrative work procedures to protect mental information by working with a company's legal counsel to establish controls that ensure extended protection of such information. The most common method is to write nondisclosure clauses into employment contracts.

Electronic information forms are protected through implementation of security elements in all three of the basic work categories--administrative, logical, and physical.

Administrative procedures identify sensitive information and then establish the privileges of employees to access such information. Usually access authorities are managed through access control lists established by information owners and administered by computer security specialists.

The information owner is in most cases te manager responsible for the information in question; for example, the vice president of personnel may be the information owner for personnel data files. Data processing or information systems managers should never be data owners.

Logical security measures for electronic forms of information involve the installation and operation of computer security software and hardware that control access, monitor activities, report anomalies, and react to threats. Logical security processes should support the appropriate marking, handling, and delivery of company classified information in some type of electronic form.

Physical security measures are designed to protect the information infrastructure, which may include office computers, data centers, and communications and network facilities. Most security failures with regard to electronic information forms are the result of lax administration in the company.

Protection of paper forms of information requires security elements from both the administrative and physical work categories. Note that paper forms include materials such as documents, microforms, transparencies, and photographs.

Administrative work in this area includes authorization to use information by appropriate job assignments. The "need-to-know" principle is always important, but it's especially critical for document control.

No employee has a "right" to see any information. Rather, the employee is given a privilege to access information as a result of a job assignment. There are not other justifiable privileges. Marking, storage, delivery, and destruction procedures are a part of this work category.

Physical security elements for paper forms include among others secure handling and storage facilities, secure destruction facilities and processes, protection of office workstations, and access control for facilities.

SO FAR WE HAVE CONSIDERED INFORMATION protection measures intended to support the first goal, preventing unauthorized disclosure, modification, or destruction and ensuring continued reliable information services.

Goal number two, ensuring that the company can make a successful defense of a proprietary claim, requires further effort. In general, courts have held that certain conditions must exist for an information ownership claim to be successful.

Two sets of requirements exist: those related to the information itself and those related to the information security program.

1. Required information characteristics. To be considered proprietary (or a trade secret), information must be closely held--not generally known, even within the company--and have commercial value, that is, e a requisite to profit. Obviously, much information cannot be claimed as proprietary.

2. Required information security program accomplishments. to prove that information is closely held, court precedent requires the following elements:

* The company must have identified which information is sensitive or valuable.

* The company must have established procedures for identifying and protecting such information.

* The company's employees must actually follow those procedures in routine business operations.

This last requirement is where many legal claims founder.

THE BUSINESS ENTERPRISE VIEW OF INFORMATION security shows that computer security is a subset of information security. By itself, computer security does not protect information, which occurs more frequently in other forms.

A 1990 study by SRI International, which appeared in the Information Systems Security Association's journal Access, reported that information risks, in order of severity, were the following three factors:

* loose talk

* careless paper handling

* attacks on computer systems

The enterprise view also leads to the conclusion that information security is a primary responsibility of the business security function.

A correct view of information security is essential to the development of an effective program. Business and legal considerations demand company investment in a quality information security program.

James A. Schweitzer is corporate manager of information security for Digital Equipment Corporation of Maynard, MA. He is editor of the Association for Computing Machinery's SIGSAC Review, author of books on computer and information security, and a member of ASIS.
COPYRIGHT 1992 American Society for Industrial Security
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 1992 Gale, Cengage Learning. All rights reserved.

Article Details
Printer friendly Cite/link Email Feedback
Title Annotation:Information Security
Author:Schweitzer, James A.
Publication:Security Management
Date:Feb 1, 1992
Previous Article:OPSEC: not for government use only.
Next Article:The next generation.

Related Articles
National trends in juvenile violence.
2000 Presidential Election--George W. Bush's Views on Defense.
Use the systems approach to design a secure environment.
Information sharing key to Homeland Security. (President's Perspective).
Tracking of commercial carriers evolves from military mission.
Forum Systems and Captus Networks partner to provide Web Services Intrusion Detection and Prevention solution.
AACN invites nominations for leadership posts.

Terms of use | Copyright © 2016 Farlex, Inc. | Feedback | For webmasters