In the early days of computing, data was only as secure as the physical security of the machine that held it. Go back just 20 years and you will remember how computers were locked in office rooms that only authorized persons could enter.
Later, operating systems added features for computer safety, for example a password for a specific account. People were not concerned about how vulnerable their data was, or how they could become victims of cyber theft without ever being aware of it.
The U.S. Department of Defense recognized this hidden danger and sponsored a report known as the Rand Report R-609, which broke with the custom of treating security purely as physical and hardware protection of devices and turned the world's attention towards data and network security.
The report also highlighted the problems that arise from management, administrative and policy issues. It urged technology users to restrict unauthorized access to their systems and data, to take the necessary measures and safeguards to ensure their integrity, and to be sure of the confidentiality of their assets.
With the passage of time, people became aware of the threats to internet security and changed their organizational policies according to their needs. People often think that a computer expert will be responsible for managing computer safeguards, yet it is a project manager (PM) who is responsible for information risk management.
The top-down approach to risk management is favored over bottom-up security management. It should be kept in mind that the approach should be managerial first and technical second. The Chief Information Security Officer (CISO) is responsible for implementing those policies.
The question that arises here is: how do we control these threats?
A framework known as an Information Security Management System (ISMS) is formally followed by almost all organizations. The key steps of this framework are:
- Involve top executives, as they decide the allocation of resources and budget for defining and maintaining the management system, set its objectives, and communicate and regulate it within the organization.
- Set your priorities and decide what is in scope and what stays out of it. Choose the assets to protect and obtain the proper tools and techniques to secure them.
- Analyze the risks to your assets and apply risk treatment approaches to them.
- Once all of the above steps are complete, execute the ISMS plan, which consists of roles and responsibilities, organizational policies, employee training, and guidance on inputs and outputs, processes and procedures, with defined penalties in case of violation.
- Make sure the ISMS is being followed by all employees. Monitor and manage your system thoroughly. Verify that the infrastructure is implemented correctly one or two months before the audit.
- Certify your ISMS by undergoing a certification audit. The audit typically consists of two phases: the first assesses the scope, and the second verifies the implementation of the system across the organization.
The CIA triad:
InfoSec is the set of methods and techniques for dealing with the processes, devices and policies needed to prevent, detect, document and counter threats to digital and non-digital information. Information security responsibilities include establishing the business processes that will protect information assets regardless of how the information is formatted or whether it is in transit, being processed or at rest in storage. The main responsibility of InfoSec is to secure the three properties of the information security triad:
Confidentiality means protecting private, sensitive information from unauthorized access. This can be achieved by implementing organizational policies, defining roles, and limiting employees' access to assets. Technical measures such as file encryption, access control lists, firewalls and UNIX file permissions are also used. Common examples of confidential information include:
- Name, age, date of birth, sex and address
- Family or guardian details
- Bank details
- Medical history or records
- Personal care issues
- Assessments or reports
The 'I' in the CIA triad stands for data integrity. In simple terms, it means the data remains untouched by unauthorized parties: it must not be manipulated, or intercepted and altered in transit, and it should remain exactly as it was. Integrity also requires that if an authorized person makes invalid changes, the data can be recovered to its previous state. Data integrity can be damaged at any stage of the data lifecycle:
- Entering, creating or acquiring data
- Processing or deriving data
- Storing, replicating and distributing data
- Archiving and retrieving data
- Backing up and restoring data
- Deleting, removing and destroying data
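As an added example (not code from the original article), the following Python script shows what the confidentiality and integrity controls named above look like in practice: a record is stored with owner-only UNIX file permissions, an HMAC tag detects any unauthorized change to it, and a replica copy lets the record be recovered when the primary copy is tampered with or deleted. The key, file names and sample record are constructed for this example; in a real deployment the HMAC key would come from a secrets manager rather than the source code.

```python
import hashlib
import hmac
import os
import shutil
import stat
import tempfile

# Assumption for this example: a fixed key so the script runs offline.
# In production the integrity key lives in a KMS or secrets manager.
INTEGRITY_KEY = b"example-integrity-key-do-not-reuse"

OWNER_ONLY = stat.S_IRUSR | stat.S_IWUSR  # 0o600: no group or world access


def _tag(data: bytes) -> str:
    """HMAC-SHA256 over the record; cannot be forged without INTEGRITY_KEY."""
    return hmac.new(INTEGRITY_KEY, data, hashlib.sha256).hexdigest()


def write_record(path: str, data: bytes) -> None:
    """Write data with owner-only permissions and store its HMAC tag beside it."""
    # Create the file as 0600 from the start rather than chmod-ing afterwards,
    # so there is no window in which it is readable by others (confidentiality).
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, OWNER_ONLY)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    with open(path + ".hmac", "w") as f:
        f.write(_tag(data))


def file_mode(path: str) -> int:
    """Return the permission bits of path (e.g. 0o600)."""
    return stat.S_IMODE(os.stat(path).st_mode)


def verify_record(path: str) -> bool:
    """Return True only if the file exists and its stored HMAC tag still matches."""
    if not os.path.exists(path) or not os.path.exists(path + ".hmac"):
        return False
    with open(path, "rb") as f:
        data = f.read()
    with open(path + ".hmac") as f:
        stored = f.read().strip()
    # Constant-time comparison so the tag is not leaked via timing differences.
    return hmac.compare_digest(_tag(data), stored)


def read_record(path: str, replica: str) -> bytes:
    """Read a verified record, restoring it from the replica if the primary fails.

    Raises RuntimeError if neither copy passes the integrity check.
    """
    if not verify_record(path):
        if not verify_record(replica):
            raise RuntimeError("no trustworthy copy of %s" % path)
        # Recovery: the primary was deleted or tampered with, so restore it from
        # the replica and keep the restored copy owner-only.
        shutil.copyfile(replica, path)
        shutil.copyfile(replica + ".hmac", path + ".hmac")
        os.chmod(path, OWNER_ONLY)
    with open(path, "rb") as f:
        return f.read()


def demo() -> dict:
    """Walk a constructed medical record through the three checks."""
    workdir = tempfile.mkdtemp()
    primary = os.path.join(workdir, "patient-42.txt")
    replica = os.path.join(workdir, "patient-42.bak")
    record = b"patient 42: allergy to penicillin"  # constructed sample data

    write_record(primary, record)
    write_record(replica, record)
    result = {"mode": oct(file_mode(primary)), "clean": verify_record(primary)}

    # Unauthorized modification: someone rewrites the allergy note but cannot
    # produce a matching tag without INTEGRITY_KEY, so verification fails.
    with open(primary, "wb") as f:
        f.write(b"patient 42: no known allergies")
    result["tampered"] = verify_record(primary)

    # Recovery: the read falls back to the replica and repairs the primary.
    result["restored"] = read_record(primary, replica) == record
    shutil.rmtree(workdir)
    return result


if __name__ == "__main__":
    print(demo())
```

The tag is kept separate from the data so that a tool with write access to the record alone cannot make a change look legitimate; anyone who can also rewrite the tag must still know the key, which is why the key must not be stored next to the files it protects.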
Availability means that the required data is accessible to authorized persons whenever and wherever it is needed. High-availability systems are computing resources whose architectures are specifically designed to improve availability.
Depending on the particular system design, this may mean tolerating hardware failures, upgrades or power outages without losing access, or maintaining several network connections so that traffic can be routed around network outages.
However, everything has its pros and cons, and so does new technology. New technology has enabled violations of basic rights such as unauthorized use of information, data theft and online fraud. But IT professionals have solutions for these problems of the electronic era.
A Chief Information Security Officer is responsible for data security and looks for vulnerabilities and potentially harmful threats that could damage the main triangle, i.e. the confidentiality, integrity and availability of business data.