Information Technology Reference
In-Depth Information
This chapter examines the increasing importance of security related to
information systems, and discusses the four elements of a good security
system outlined above — business, technical, human, and process.
The Demand for Security
The security environment is changing rapidly. Information is now recog-
nized as a commodity of (increasing) value by management, customers,
and also by criminals. This increase in value arises due to developments
on both the supply and demand sides of the information equation. On
the supply side, more information is being created and converted to
digitized assets. This leads to increased inventories to protect. Not only
is there more to protect, but also there are assets in digital form and thus
easily transferable: stealing a disk of medical records is easier than carting
away shelves of files. On the demand side, information has become more
valuable because, here also, most of the transactions involving people
and business are electronic in nature. Using stolen information electron-
ically is less expensive and provides a degree of anonymity (as the famous
New Yorker cartoon said, “On the Internet nobody knows you are a dog”).
Another advantage is that it allows one to work at an attractive distance
— one does not have to walk up to a bank counter with a stolen check.
We are thus in a situation where on one side there is more to protect,
and on the other, any failure to do so can cause immense harm.
For corporations, the need to protect their information has always
existed. The threats have morphed over time. Traditional threats, such as
those related to industrial espionage or competitive intelligence gathering,
were handled by restricting access to information, and by keeping data
in databases deep within the IT (information technology) infrastructure.
However, with the increase in networking, large volumes of data exist in
documents and Web pages, scattered in geographically diverse places.
This larger exposure has altered the security environment. For many large
corporations, internal threats have become a major factor. It is not just
the rogue employees whom one has to worry about, but also careless
behavior on the part of regular employees — lost CDs and laptops being
an example. In fact, one is often not clear who is “internal” and who is
“external” as systems integrate across business partners. To have everybody
connected, without having well-thought-out security frameworks and pol-
icies, is dangerous.
Consumer expectations about privacy and responsibility also have
changed. Consumers are aware that companies are tracking and retaining
a lot of personal information. They expect corporations to protect this
information with a higher degree of reliability and responsibility.
