Information Security

Information Security Management

There have been many reports of personal information being lost, stolen, copied, sold or seen by an unauthorised person over the last couple of years. There have also been increasing developments in, and use of, wireless communications and portable memory devices, which together are increasing the importance of information security.

Information security problems can arise from external threats, e.g. a hacker, an e-mail virus or theft, or from something as simple as a power failure or a failure of computer software or systems. The costs of an information security breach can be substantial and can easily exceed the cost of the equipment being used.

Information Security Management is particularly important for users of hardware and software, but it is not restricted to the computer industry.

Since every company's needs are different, and it is probably unnecessary and very costly to have systems and equipment in place to guard against every eventuality, a company needs to carry out Risk Assessments for all of the assets and facilities that it wishes to include in its system. A risk is the combination of a threat to an asset, the asset's vulnerability to that threat, and the potential impact on the business if the threat is realised.

Over recent years many standards have been published which give specifications or guidance; the key standards are given below.

BS ISO/IEC 27000:2009 – Information technology. Security techniques. Information security management systems.
This contains a general overview of the topic.

BS ISO/IEC 27001 – Specification for Information Security Management
ISO 27001 gives information about a number of different controls that should be considered when an Information Security Management System is implemented.

BS ISO/IEC 27002:2005 – Code of Practice for Information Security Management
This defines security controls structured under various major headings to enable readers to identify the safeguards that are appropriate to their business.

The standard stresses the importance of risk management and makes it clear that you do not have to implement every single guideline. The scope of the standard covers all forms of information, including voice and graphics, and media such as mobile phones and fax machines.
