Security for the masses

Business Security

Information security

Information is an asset, and assets need protection. Information security is about managing the risks to that asset. To do this we need to identify threats to the asset and vulnerabilities in the way the asset is handled, as well as quantifying the value of the asset. Only then can cost-effective controls be implemented. Information needs to be protected from theft, loss, corruption, destruction, unauthorised access and unauthorised alteration. There are many ways to mitigate these threats by using controls. Access controls, both logical and physical, will mitigate most of these threats, and taking regular backups and storing them off site will help with most of the rest.

Administrative controls

An enforceable security policy and computer usage policy are administrative controls and form the basis on which to build logical control of information systems in a business environment. Users and employees need to know what they can and cannot do with company systems; they also need to know the scope of their responsibilities with respect to these systems. Good security policies will unambiguously inform employees of what they can and cannot do with IT resources. Administrative controls ensure that logical and physical controls are understood and properly implemented. Staff security awareness training, employment policies (background checks, separation of duties), account administration, and log and account monitoring are all administrative controls.

Logical controls

Software and hardware are used to implement logical controls. Preventative logical controls include such things as access control (passwords, biometrics, smartcards etc.), data encryption (DES, AES) and remote access authentication protocols such as CHAP, RADIUS and LDAP. Detective logical controls are those controls which allow the auditing and monitoring of systems and network infrastructure.
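The distinction between preventative and detective logical controls is easier to see in working code. The following is an added example, not part of the original page: a deny-by-default, role-based access check (the preventative control) that records every decision, allowed or denied, in an audit log, and a monitoring rule over that log that flags users with repeated denials (the detective control). The users, roles, resources and the denial threshold are constructed sample data.

```python
"""Preventative and detective logical controls in one small model (added example)."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed sample policy: which role may perform which action on which resource.
POLICY: Dict[str, Set[Tuple[str, str]]] = {
    "finance": {("read", "payroll"), ("write", "payroll")},
    "staff": {("read", "handbook")},
}

# Constructed sample user directory: user -> role.
USERS: Dict[str, str] = {"alice": "finance", "bob": "staff"}


@dataclass
class AuditEntry:
    user: str
    action: str
    resource: str
    allowed: bool


@dataclass
class AccessControl:
    """Preventative control: deny by default, allow only what the policy grants."""
    audit_log: List[AuditEntry] = field(default_factory=list)

    def check(self, user: str, action: str, resource: str) -> bool:
        role = USERS.get(user)  # unknown users have no role and are denied
        allowed = role is not None and (action, resource) in POLICY.get(role, set())
        # Detective controls depend on every decision being recorded, denials included.
        self.audit_log.append(AuditEntry(user, action, resource, allowed))
        return allowed


def repeated_denials(log: List[AuditEntry], threshold: int) -> List[str]:
    """Detective control: users with at least `threshold` denied requests."""
    denials = Counter(entry.user for entry in log if not entry.allowed)
    return sorted(user for user, count in denials.items() if count >= threshold)


if __name__ == "__main__":
    ac = AccessControl()
    ac.check("alice", "write", "payroll")   # allowed by the finance role
    ac.check("bob", "read", "handbook")     # allowed by the staff role
    ac.check("bob", "read", "payroll")      # denied: staff cannot read payroll
    ac.check("bob", "write", "payroll")     # denied again
    ac.check("mallory", "read", "handbook")  # denied: unknown user
    for entry in ac.audit_log:
        print(entry)
    print("users with repeated denials:", repeated_denials(ac.audit_log, 2))
```

The check function denies anything the policy does not explicitly grant, which is the preventative half; the monitoring rule only works because the log captures denials as well as successes, which is why auditing is listed alongside access control rather than as an afterthought.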

Physical controls

Ensuring the safety and security of the physical environment in which the business processes run is another aspect of IT security. Preventative physical controls can be as simple as a locked door, but it doesn't end there: fire, flooding, theft and sabotage may also present a threat. Controls need to be in place to prevent or at least mitigate these possibilities. There is no substitute for good staff training, and an appropriate response from on-site staff will go a long way in preventing serious loss or damage to company IT systems from flooding or fire. Detective physical controls are such things as smoke alarms, video cameras and burglar alarms. As for data theft, removing or disabling USB, Firewire and media card ports and CD-ROM drives will reduce the opportunity to copy data and install unauthorised software.