Information Security Threats and Risks
Any information system usage or implementation may be a target for range of serious threats, including computer based fraud, espionage, sabotage, vandalism and other forms of systems failure or disaster. This may result in risk of data loss from accidental/malafide unauthorized access, use, misappropriation, modification or destruction of information and information systems.
Moreover, sharing of information for business reasons using new applications and inter-connected resources increases the threat of information pilferage. Ensuring security of business critical information is important for Organization maintain competitive advantage in the marketplace. In the course of conducting business, any such information must be shared hundreds, even thousands of times each day. Designing, building, marketing and selling products requires discussing, faxing, e-mailing or otherwise sharing sensitive, proprietary information. Each time such information is shared, it is further exposed to the risk of being lost or compromised. Each conduit for information sharing presents opportunities to unauthorized persons to attempt to acquire such information.
Inconsistent policies for assigning system usage may also result in access rights to information and information systems exceeding the needs of employees’ job responsibility. While the number of users accessing information systems are increasing, the control exercised by the system owners or provider is being dissipated.
While technological advancement has provided significant benefits, it has also equipped malicious users with more advanced means and tools to obtain unauthorized access to data/information. With the availability of Internet, there is an increasing risk that these tools are freely available.
Legal and Statutory Requirements
Security requirements also arise from and are subject to the statutory and contractual requirements of Organization, its service providers and third parties. Information Security Department will also ensure that the security policies factor account these requirements as well.
(The
Apart from the laws, there are the internationally acclaimed best practices and the standards that have evolved. 27001, ISO/IEC 17799; 21827; 15408 etc from ISO, CoBit, COSO, SAS 70 etc are few of such standards where the organizations are seeking compliance for the Security Practices and Operations.
But beyond these laws, best practices and standards, organizations need to know how to create a system and a culture that will not be susceptible to this type of illegal behavior. It’s a good practice to put some basic policies and guidelines in place and share it with the associates, consultants, customers & vendors.
Gaining User Support
It is also necessary to ensure adequate IT control environment to minimize the risk of any negative incidents involving computers. This assumes significance in view of the rapid strides that Organization has achieved in adopting newer technologies. The end-user confidence and support is one of the fundamental building block for deriving full benefits of IT resources.
Building Customer Confidence
Customers must have confidence that information systems will operate as intended without unanticipated failures or problems. Otherwise, the systems and its underlying technologies may not be utilized to its optimum level and further growth and innovation may be inhibited.
Any views?