Information security is the process of protecting data from unauthorized access, use, disclosure, destruction, modification or disruption. Protecting confidential information is a business requirement and, in many cases, also a legal requirement. An increasing number of companies consider it best practice, and recognition of its positive value is growing steadily. For companies, information security enables many aspects of business and can improve their organizational strength.

Historically, information security has often been approached as a problem solely relating to information technology (IT). In fact, many companies think that they will be protected by having the latest system upgrades and software patches in place. Physical security measures such as the use of closed-circuit television (CCTV) installations add to a company’s sense of security, but these measures will not wholly prevent the unauthorized disclosure of sensitive information such as board-meeting minutes to a competitor.
Information is an asset that must be categorized, quantified and protected like any other. The security and protection of information is a business issue, not a technical one. It is about people and processes. While technology can help to minimize risks to your information, it is ultimately people who generate these risks. The majority of information breaches originate from within the organization, and the threat to your information may also come from suppliers and clients if they have routine access to your information systems.
Confidentiality, integrity and availability have been considered the three core principles of information security for more than two decades. They are commonly referred to as the CIA triad. Recently, security professionals have expanded and enhanced this concept because they felt that the concentration on confidentiality, integrity and availability alone did not adequately reflect the requirements of protecting confidential information.
Confidentiality can be seen as an enlargement of the concept of disclosure. During a financial transaction, for example, certain documents may be confidential; access to these documents may be restricted by controls (such as intrusion alarms or lockable archive rooms) imposed by the owner of the documents. However, an unauthorized internal user with sufficient access rights may still be able to read or copy them, thereby changing their confidentiality status.
Possession or control means having control over the information itself, regardless of whether it has been read. When an external intruder copies the above document without authorization, the intruder is in breach of the owner’s possession of the document even if its contents are never disclosed.
Integrity means internal consistency. Equally, it means that the creation, change or deletion of information requires adequate authorization.
Authenticity refers to the truthfulness of origins, attributions, commitments, sincerity and intentions between data and their representation. An illegal copy or a forged signature constitutes a breach of authenticity.
Availability means that information is readily and conveniently accessible. A hardware failure in an order system renders its data unavailable. Even if a backup can be restored, the information, though technically still available, is no longer considered available by a customer whose order process takes longer than expected.
Utility means that a piece of information is both usable and useful for specific purposes. If the information is not useful to its intended recipient, it has limited (or no) utility. The same applies if the information is in a format that cannot be used by the recipient. For example, an encrypted email, while containing utilizable information, has no utility for a recipient who does not hold the key required to decrypt the message.
Information security as part of the risk management process
The CISA Review Manual 2006 defines risk management as:
‘The process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives, and deciding what countermeasures, if any, to take in reducing risk to an acceptable level, based on the value of the information resource to the organization.’
For a company, this means an iterative process in which a balance is struck between the company’s productivity, the cost involved, the effectiveness of the countermeasures planned, and the value of the information that is to be secured.
A risk in this sense is the likelihood that a threat (i.e. something that can potentially cause harm) will use a vulnerability (i.e. a weakness that can be used to inflict harm) to cause harm. When a threat utilizes a vulnerability to inflict harm upon an informational asset, it has an impact. In the area of information security, the impact is damage to any element of the information security hexad described above, but possibly also other losses (of income, life or property). It is then up to the company to establish a process to tolerate, treat, transfer or terminate these risks. However, since no company can identify all its risks, much less eliminate them, there will always be residual risk.
The ISO/IEC 17799:2005 code of practice for information security management recommends that the following be examined during a risk assessment:
• Security policy
• Organization of information security
• Asset management
• Human resources security
• Physical and environmental security
• Communications and operations management
• Access control
• Information systems acquisition, development and maintenance
• Information security incident management
• Business continuity management
• Regulatory compliance
An information security threat and risk assessment
Threat and risk assessments in the area of information security usually need to answer the following questions:
• What needs to be protected?
• Who/what are the threats and vulnerabilities?
• What are the implications if they were damaged or lost?
• What is the value to the organization?
• What can be done to minimize exposure to the loss or damage?
The outcome or objective of a threat and risk assessment is to provide recommendations that maximize the protection of confidentiality, integrity and availability while still providing functionality and usability.
In terms of what needs to be protected, a thorough analysis of existing workflows is usually required to establish which risks to information are actually relevant. An oil company may find that at the core of its business, the following pieces of information may be strictly confidential: existing and contemplated business, marketing and financial business information (such as company strategies, cost estimates, pricing structures, bid and proposal information, databases for suppliers and subcontractors); existing and contemplated technical information and documentation (pertaining to, for example, patented methodology, products, processes and methods); and human resource and personnel information, especially if there is a limited number of qualified personnel available.
Threats and vulnerabilities may be known to the company already. However, an external advisor and auditor specializing in information security risks is likely to add significant value to the audit process. While the level of crimes against corporate information is rather benign when compared with countries in the Former Soviet Union, a sufficient amount of local and international resources are readily available to companies wishing to obtain information about or from a competitor. Local law may even allow for private investigators to legally advertise their use of ‘innovative and exclusive bugging taping equipment in automobiles, residences’. Assessing the threats and vulnerabilities to such attacks is usually beyond the scope of a company. Other risks that should be assessed encompass, but are not limited to, physical intrusions or burglaries; refuse searches for discarded confidential material; correspondence interception; subversion of staff; electronic and physical surveillance; and external and internal electronic intrusion.
Assessing, or calculating, the potential damage or loss can be an even more difficult process. This process also often has to take into consideration different phases in the lifecycle of a particular piece of information. For example, if technology that is still pending patent is obtained by a competitor in so timely a fashion that it allows them to have the technology patented before the owner, the loss is potentially maximal. If a company treats information security as a low priority, the ensuing weak defense measures will make the attack extremely cost effective and therefore much more likely.
Establishing information’s value to the organization can be equally daunting. If the assessment fails to adequately represent the value of a specific piece of information or an entire information system, the process will inevitably result in costly and ineffective security measures. Conversely, adequate representations can result in optimized processes and workflows that may make the organization more efficient rather than hamper its operations. Moreover, unlike in Western Europe for example, a piece of information can have significant value to a person’s life. If, for example, an executive’s itinerary, income or private contact details become known to a kidnapper, the risks for this person will rise dramatically.
Additionally, given the economic climate, the market advantage gained by obtaining current and sensitive information can easily outweigh the risk of apprehension as perceived by the attacker.
To answer the question of what can be done to minimize exposure to loss or damage, the findings derived from the previous steps have to be aggregated and brought into a business perspective. Security in general, and information security in particular, are rarely seen as business-enabling parts of a company’s operations. But in countries with heightened risks, they usually are. A common misperception, reinforced by IT security measures that are often equally ineffective and cumbersome, is that information security will inevitably come at a high price in terms of usability and efficiency. A striking example from physical security would be shredders that only hold a few pages: if a shredder used in a department with a high output of sensitive papers can only handle a few pages, the chances are that employees will not use it. That means that in addition to the damage from misspending financial resources, the company has also increased its risk of losing sensitive information to refuse searches.
Transferring the findings from a risk and threat assessment into actions requires a thorough understanding of the efficiency and effectiveness of control measures and their effect on existing processes. The following assets are generally at risk: documents and electronic files through theft, tampering or loss; telecommunications through listening devices or tapped communications lines; and ultimately people through social engineering, eliciting of bribes and corruption.
Typical risk factors include staff and suppliers:
• Staff through lack of pre-employment screening of newcomers; downsizing without proper exit plans that immediately terminate all access rights; or disgruntled employees who can transfer data without fear of detection because there is no audit trail for documents or electronic data.
• Suppliers through failure to perform background due diligence; provision of master keys with which, for example, a security company can ‘access all areas’; and insufficient protection of documents in transit, e.g. unencrypted file transmission over public networks or use of the public postal system instead of vetted couriers.
Typical attack vectors include premises, networks and, again, people. Premises can be protected by access-control systems, CCTV or organizational measures such as the pickup of visitors by members of staff. Networks can be protected by firewall concepts, the establishment of an audit trail for sensitive information, or the proper protection of physically accessible lines. Both areas of attack vectors and countermeasures are well researched, and quality suppliers are readily available through organizations such as ASIS. The attack vector that is probably the most difficult to defend against is people: employees can be tricked into disclosing or distributing confidential information by means of deception, misuse of trust or identity theft, thereby bypassing organizational processes, technical solutions and physical security measures that were put in place to protect sensitive information. A feasible solution to this problem is to treat information security mainly as a social rather than a technical problem, and to establish social countermeasures for sensitive information held in offices, in residences or during transit.
Preventative measures to protect information in offices can include awareness campaigns; security routines; visitor procedures; escort procedures; consistent schemes for the classification, labeling and handling of data and documents; a clear-desk policy; treatment of strictly confidential information on a need-to-know basis; and the secure and controlled storage and destruction of information.
Residence security measures can include the prohibition of strictly confidential information off premises unless it is encrypted; the storage of such information in strong, lockable containers; alertness to random visitors; and the destruction of confidential papers using a quality cross-cut shredder.
Transit security measures are among the most difficult to implement, but are also highly effective. Employees should not hold sensitive conversations on telephones or with other parties in public places, and never when using public transportation. They should be aware of the sensitivity of the information that they are carrying, never leave laptops, PDAs or briefcases unattended, and not take them to restaurants and bars; such items should be stored in the locked trunk of their cars. And they should be aware of their environment when reading documentation or using laptops in public places (including airport lounges, airplanes, etc.).