Creating Trust Creates Profits: Security Considerations for Your Business
Alan Fraser
(Adapted from a presentation I made to customers of Triangle Infotech in Macclesfield)

This picture is, of course, contradictory - a computer in a safe is extremely
secure, but also unusable!

Why do we need Information Security?
- To protect the existing information management infrastructure
- To act as an enabling mechanism for development, accelerating the introduction of innovative processes for competitive advantage without increasing risk
- To create trust in the company, both inside the business and between the business, its shareholders, customers and trading partners (its "extranet")

Elements of Security
- Confidentiality, integrity and availability of all forms of information used by the company, however and wherever held (within the extranet)
- These information qualities are essential to maintain competitive edge, cash-flow, profitability, legal compliance and commercial image

How?
- By implementing a suitable set of controls (which could be policies, practices, procedures, organisational structures and software functions) to support business processes, systems, networks (internal and external) and important business assets
- By reviewing them constantly

What?
- All your information assets, whether computerised or not
- Not just your enterprise but your business partners too!

Today’s Risks
- Dependence upon IT
- Theft, especially laptops
- E-Commerce
- Losses because of repudiation, fraud
- Hackers
- Email-borne viruses
- Business criticality – 24x365 working, greater inter-reliance
- More litigious society
- Disaster Recovery - more than 70% of firms suffering a major disruptive event (such as a fire) go out of business in one year

Today’s Solutions
- BS7799 (now ISO 17799)
  - Standard for Information Security Management
  - Policies and procedures to ensure security
- Encryption - inside or outside a PKI
- Internet/email activity and content management
- Network security tools:
  - Firewalls, sandboxes, event monitoring and intrusion detection software
  - Penetration tested!
- Intelligent anti-virus tools

BS7799 “Key” Measures
- Information Security Policy
- Allocated Responsibility
- Education and Training
- Reporting of Incidents
- Virus Controls
- Business Continuity Planning
- Control of Software Copying
- Compliance with Data Protection Act
- Safeguarding of Organisational Records
- Check compliance with Security Policy

Other Important Measures
- Preventing theft
  - Laptop theft is increasing

Fortress to Airport!
- The old paradigm: Fortress
  - Defend the perimeters from external intrusion
  - Untenable in today’s open environment
- The new paradigm: Airport
  - Security risks are high but the public needs access to carry out business
  - Protect what needs to be protected and let the public into what doesn’t

What This Means

People are the key!
- Security is a process, not a project - it's permanently ongoing
- Security is created by people, products are secondary
- Security breaches severely damage company reputation
- Recognised security creates trust, enables partnerships and brings business growth!

The advice given on this and other pages is for general information only, as a
starting point for ideas rather than solutions to specific problems. Jana
Information Systems Services Limited will not accept legal liability for any
consequences for any individual or company of following any advice on this page
except as part of a legally-binding contract between this company and a
customer, with appropriate professional liability insurance in place.

© Jana Information Systems Services Limited, 2006