Information Security for Managers

• the protection of data from accidental or malicious modification, destruction, or disclosure (FIPS);

• the science and study of methods of protecting data in computer and communications systems against unauthorized disclosure, transfer, delay, modifications, or destruction, whether accidental or intentional.

To put it rather more concisely, data security means providing the users of your data with the data that you intend them to have, and with that data only, at the time that you mean them to have it.

• evaluation of the effectiveness of existing computing security measures;

• estimation of the cost to the organization if current defences are inadequate;

• selection of appropriate, cost-effective countermeasures.

Risk analysis is a familiar concept in business as well as in everyday life. The fundamental problem is universal: how much should I pay now to reduce the possibility of some hypothetical event costing me dearly? Which one of several possible outlays reduces the likelihood most?

We have seen that the key elements in achieving information security involve the detection of threats, reduction in vulnerability to such threats (see chapter 2), and the ability to recover in the event of an impact. The controls and procedures that form part of a security programme should ideally have been established through the process of risk analysis.

Security issues in the finance and banking sectors are now of interest to management in other organizations for two reasons:

• The methods developed to protect financial networks, and the experience gained from the operation of such methods, are apposite in other sectors.

• There is an increasing trend to develop local networks for internal electronics funds transfer and to interconnect such networks into banking systems.

The concept of office automation has grown markedly over the last ten years; it now encompasses far more than photocopiers, word processing, and local accounting functions. A modern automated office may comprise a wide range of user workstations, linked via a local area network (LAN) to file servers and gateways to main computer systems. The range of software systems on the workstations have expanded to include desktop publishing, electronic mail, secretarial services such as schedule and diary planners, project planning, costing systems, financial planning, etc. In many cases the data is downloaded from corporate databases held on mainframe computers.

The law has areas of white, black, and grey. Most of us ensure that we remain in the white areas, and assume that any one who does us grievous harm will be considered to reside in a black area. In this way we believe that we are behaving reasonably to our fellow man, and that if anyone harms us then we will get redress from the law. Unfortunately it sometimes transpires that we find ourselves, possibly with some adversary, in a grey area. In this case we seek the advice of a trained legal mind. This approach to the legal system, of course, assumes that we know the location of the white-grey, and the black-grey boundaries with a sufficient degree of approximation to position ourselves. These boundaries are, however, time- and space-dependent. Laws are changed by parliament, hopefully with sufficient publicity and at a slow enough pace for us to be aware of the changes. They also differ from place to place, as some luckless tourists have discovered.