tice. There are various standards which can be used to implement information security. We
will discuss this topic in more detail in chapter 7.
Information security involves protection of different types of information such as soft copy,
hard copy, voice, text, and video. Each type of information is protected using different
strategies and tools. It is up to management to prioritize how they address security risks.
Normally critical areas would receive higher priority and more resources in terms of
protection.
In order to implement effective security measures, it is important to first understand the IT
risks that exist in the enterprise. The outcome of an IT risk assessment would help determine
how IT risks will be treated and what security measures to implement. Security measures
should take into consideration the operations of the enterprise and changes to the internal
or external environments. Risk assessments should be conducted more often in order to
ensure that new risks are addressed in time.
It is the role of the board and management to ensure that enterprise resources are secured
and data is protected. As part of its IT governance mandate, the board should ensure that
everyone in the enterprise understands the importance of information security.
One of the tools for implementing information security in the enterprise is the security
policy. Management should ensure that the information security policy is in place and
supported by well-defined information security procedures. The benefits of implementing
security are well known, but it is important to note that security is an enabler of business.
Clients, for example, would be more interested in working with enterprises which protect
their business transactions and personal information than enterprises which do not provide
such comfort.
Limiting access to information to only authorised users is a key requirement for information
security implementation. In most enterprises, access to data and information is through
a user account and password. The IS auditor will find account and password policies which
are used to implement access controls in most enterprises.
Personal privacy is important in that it protects customers' personal information from being
used for purposes other than the one for which the data was initially collected. Many countries
have privacy laws which are used to make sure personal information is protected. Most
enterprises have also developed privacy policies which are used to ensure that they are
compliant with personal privacy laws.
Enterprises should also be protected from cybercrime, which is a common occurrence
nowadays. Laws and various regulations related to cybercrime have been enacted in many
countries, and international organisations such as the United Nations and European Union
have been at the forefront of ensuring that countries enact cybercrime laws. The Internet
has facilitated easy communication via email, websites, and social media, but despite this