Information technology has changed the way we do business and is present in every part of the economy: from banking and finance, transportation and utilities, to food production and distribution, government, and nearly everything else of importance to economic and physical well-being.
In an automation-reliant society there is no real physical or economic security without information security. This reality is becoming ever starker as the worldwide information infrastructure, and the physical infrastructures it supports, comes under attack from hackers and cyber criminals.
The threat will increase exponentially as more sensitive and confidential information is made available to more and more users, making it easier for trusted insiders to engage in criminal activity, including terrorism and economic espionage. Information technology also offers strong tools for defending against and responding to attacks, analysing them and quantifying their damage.
The vast majority of the world's information infrastructure is operated by private organizations. Defending global cyber assets is therefore the job of the private sector and the public sector working in partnership, as appropriate, to secure those assets.
Security is the protection of information, systems and services against disasters, mistakes and manipulation, so that the likelihood and impact of security incidents are minimised.
A security policy is a precautionary measure for protecting significant company data and processes. It communicates a consistent set of security measures to users, management and technical staff. A security policy is also:
* Used to determine the comparative security of operational systems.
* Important for defining interfaces to external partners.
* Required to meet legal obligations regarding the security of customer and employee data.
* A prerequisite for quality control.
Security policies should be an organization's first line of protection. A policy is a fine balance that needs to be monitored closely and reviewed repeatedly. The reason for today's renewed concern about security policy is the continued extension of organizations beyond their conventional boundaries to partners and suppliers, and a closer tie-in to business continuity responses should a disaster occur. The intention of information security is to put measures in place which eliminate significant threats or reduce them to an acceptable level.
IT security comprises:
Confidentiality: sensitive business objects (information and processes) are disclosed only to authorised persons.
Integrity: the business needs to control alteration of objects (information and processes).
Availability: the business needs its objects (information and services) to be available when needed.
Legal conformity: information and data that is collected, processed, used, passed on or destroyed must be handled in line with the legislation of the applicable countries.
Individuals must be vigilant in following the security processes laid out by organizations; organizations must implement and enforce security processes and measures; and business and government must use multiple layers of security technology to counter threats. All three are necessary to reduce risk.
The goals of the organization:
* Information should be protected against unauthorised access or misuse
* Privacy of information should be secured
* Integrity of information should be maintained
* Availability of information systems should be maintained for service delivery
* Business continuity planning processes should be maintained
* Physical, logical, environmental and communications security should be maintained
* Breach of this policy may result in disciplinary action or criminal prosecution
* Information should be disposed of in a suitable manner when no longer in use.
Let us consider a banking organization, one used by the general public and by businesses. The organization operates using different types of electronic information systems, hardware, software and data, paper-based materials, and electronic copying devices owned by the organization, together with the organization's mainframe network, used either directly or indirectly.
This sector routinely handles transactions, deposits, and the assets of different firms. Since the organization as a whole must act in keeping with the security of people's assets, it is very important that it follows an information security policy.
This policy informs the organization's staff, and other individuals entitled to use organization facilities, of the principles governing the acquisition, use and disposal of information.
In relation to the operation and use of its information systems, the organization requires all users to exercise a duty of care.
1. Authorised users of information systems
All users of organization information systems must be formally authorised, by appointment as a member of staff or by another process specifically authorised by the CEO. Authorised users will be issued a unique user identity. Any password or key associated with a user identity must not be disclosed to any other person.
The “Network password policy” describes these principles in greater detail.
Authorised users will take due care and attention to protect organization information in their personal control.
2. Acceptable use of information systems
Use of the organization's information systems by authorised users will be lawful, honest and decent, and will have regard to the rights and sensitivities of other people.
3. Information System Owners
Organization Directors are required to ensure that:
* Systems are adequately protected from unauthorised access.
* Systems are secured against theft and damage to a level that is cost-effective.
* Sufficient steps are taken to ensure the availability of the information system, commensurate with its importance (Business Continuity).
* Electronic data can be recovered in the event of loss of the primary source, that is, failure or loss of a computer system. It is incumbent on all system owners to back up data and to be able to restore it to a level proportionate with its importance (Disaster Recovery).
* Data is maintained with a high degree of accuracy.
* Systems are used for their intended purpose and measures are in place to rectify discovered or reported misuse.
* Any electronic access logs are kept only for a valid period, to ensure compliance with the data protection, investigatory powers and freedom of information acts.
* Any third parties entrusted with organization data understand their responsibilities with respect to maintaining its security.
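The access-log retention duty above is easy to state and easy to get wrong in practice, because a purge script that deletes anything it cannot date will silently destroy evidence. The following Python is an added example written for this page, not code from the organization or any product it mentions; the syslog-style line format, the sample entries and the 90-day period are all constructed assumptions (the real retention period must come from the legal review the policy refers to). It sorts log lines into keep, purge and review buckets, and sends undated lines to a human rather than to the purge.

```python
"""Retention check for access logs: keep entries younger than the retention
period, mark older ones for purge, and never silently drop lines whose
timestamp cannot be parsed. Added example for this page; the log format and
the 90-day period are constructed assumptions, not the organization's values."""
from datetime import datetime, timedelta, timezone

# Constructed sample lines: "<ISO-8601 timestamp> <user> <action> <resource>"
SAMPLE_LOG = """\
2024-01-05T09:12:44+00:00 alice LOGIN /portal
2024-03-20T17:03:01+00:00 bob READ /accounts/1234
2024-04-28T08:00:00+00:00 carol LOGIN /portal
garbled line without a timestamp
"""

RETENTION_DAYS = 90  # assumed policy value; the real period comes from legal review


def parse_timestamp(line: str):
    """Return the entry's timestamp as an aware datetime, or None if it cannot be read."""
    first = line.split(" ", 1)[0]
    try:
        ts = datetime.fromisoformat(first)
    except ValueError:
        return None
    if ts.tzinfo is None:  # treat naive stamps as UTC rather than guessing a local zone
        ts = ts.replace(tzinfo=timezone.utc)
    return ts


def classify_entries(log_text: str, now: datetime, retention_days: int = RETENTION_DAYS):
    """Split log lines into keep / purge / review buckets against a cutoff date."""
    cutoff = now - timedelta(days=retention_days)
    buckets = {"keep": [], "purge": [], "review": []}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts = parse_timestamp(line)
        if ts is None:
            buckets["review"].append(line)  # unknown age: a person decides, not the script
        elif ts < cutoff:
            buckets["purge"].append(line)   # older than the retention period
        else:
            buckets["keep"].append(line)    # still inside the retention period
    return buckets


def demo():
    """Run the classifier over the constructed sample with a fixed 'now' of 2024-05-01 UTC."""
    return classify_entries(SAMPLE_LOG, now=datetime(2024, 5, 1, tzinfo=timezone.utc))


if __name__ == "__main__":
    for name, lines in demo().items():
        print(f"{name}: {len(lines)} line(s)")
        for entry in lines:
            print("   ", entry)
```

With the fixed date in `demo()` the cutoff is 1 February 2024, so the January entry lands in `purge`, the March and April entries in `keep`, and the undated line in `review`. The same three-way split also covers the case where an entry is under a legal hold: such lines belong in `review`, never in an automatic purge.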
4. Personal Information
Authorised users of information systems are not granted rights of privacy in their use of organization information systems. Accordingly, authorised officers of the organization may access or examine personal data contained in any organization information system (mailboxes, web access logs, file store, etc.).
The organization should take appropriate legal measures to ensure that its information systems are not used by unauthorised persons.
The impact of information security breaches on financial performance
Organizations can suffer huge financial losses from breaches, and information security has become a major concern for top managers.
Organizations respond to a breach incident by making additional security investments to prevent future breaches. This can either help reduce the reputational damage to the firm caused by the breach, or even have a positive long-term economic impact on the firm.
As time passes, the organization forgets what happened, and the impact of the breach on financial performance fades over the long term.
As more organizations provide greater online access for their customers, professional criminals are successfully using phishing techniques to steal personal finances and commit identity theft on a global scale. The popularity that online banking services have won among customers, owing to the speed, convenience and round-the-clock access they offer, is likely to increase in the future.
However, several issues of concern need to be addressed pro-actively. While most electronic banking has built-in security features such as encryption, prescribed maximum monetary limits and authorisations, system operators have to be extremely vigilant and provide clear-cut guidelines for operations.
On the larger issue of electronically initiated funds transfers, issues such as the authentication of payment instructions and the customer's responsibility for keeping the security procedure secret also need to be addressed.
For better security, multifactor authentication is the best way to make banking more secure in the coming years. It needs to be recognised that such high-cost technological initiatives should be undertaken only after the viability and feasibility of the technology and its associated applications have been thoroughly examined.
Organizations need security policies, standards and procedures to enforce information security in a structured way. The choice of policies needed by the organization should be derived from a thorough risk analysis, which includes security vulnerability assessments.
The assessment results, combined with a proper policy framework and standards, should determine which policies are needed for your organization. Tools such as Symantec Enterprise Security Manager can assist in measuring corporate policy compliance. Additional services can ensure the corporate policy is always up to date and implemented correctly.
Corporate security policy is absolutely essential for securing an organization. Hackers, crackers, bugs and insecure operating systems, along with continual business evolution, will always be present. As a result, new security threats and holes will constantly appear. Today's IT security solutions must be continually improved to remain effective and to keep providing business value tomorrow.