Information and the systems that process it are among the most valuable assets of a business. Like any other asset, they need security measures that protect them from risk – “this is the likelihood that a firm’s information systems are protected against certain kinds of damage” (Welkie & Straub, 2004). Every organization is exposed to risks that may negatively affect its information and related systems. It is therefore the duty of information technology professionals to help management understand and manage these uncertainties by developing toolsets. These toolsets should help management share a commonly understood view of the potential impact of the various IT security threats to their organization.
Information Systems Security
Information systems security is the application of administrative and managerial procedures together with physical and technical safeguards to ensure the confidentiality, integrity and availability of the information, the information system and its environment. The safeguards and procedures should not only prevent unauthorized access to the information, but also ensure that any improper access is detected.
How to Create and Maintain Secured Information Systems
When creating a secured information system, an organization needs to plan its security policies and procedures by taking the following security controls into consideration:
Physical Security
This involves putting in place everything that can be done to prevent breaches, security accidents and errors by ensuring a proper physical environment for systems, records and staff. The following aspects of physical security need to be considered in order to maintain the confidentiality, integrity and availability of the information:
Protection of information and information systems from unauthorized people, and of the physical infrastructure from damage or sabotage.
Maintenance of the operating environment, and of supporting equipment such as servers, to prevent damage by fire or flood.
The main physical controls to be considered in the security controls and procedures are as follows:
Controlling Physical Access
The main objective here is to stop unauthorized people from getting near the computer systems. To control physical access, the following controls should be observed: having personnel (e.g. security guards) man the location where the information system infrastructure is housed, controlling human access, installing intruder alarms, and fitting locks to sensitive computer rooms to prevent unauthorized entry.
Advances in technology have produced computer equipment that is smaller and lighter, which makes it easier to steal. To prevent theft of information system resources, equipment should be locked away when not in use and marked with an identifier, e.g. a bar code or security code, so that each item can be uniquely identified.
The locations where information systems are held also need to be protected. The following measures can be taken: installing detection equipment, e.g. smoke detectors to detect a fire outbreak; installing extinguishing equipment, e.g. sprinklers; and protecting power supplies, e.g. installing backup generators to handle unforeseen power outages.
Other risks that the physical and procedural controls need to take into consideration include:
Human error, e.g. failing to identify and correct errors, entering incorrect data, accidentally deleting data, etc.
Technical errors, e.g. software crashing or hardware failing during transaction processing. This can be controlled by backing up data to external hard disks, using data recovery software to recover lost data, and having substitute hardware available for any eventuality.
Fraud, e.g. a deliberate attempt to change or corrupt data or information. This can be done by workers within the organization or by competitors.
Commercial espionage, e.g. gaining access to a competitor’s commercially sensitive information.
Malicious damage, e.g. deliberately setting out to destroy or damage data, either through hacking or virus creation.