If you work for a company with ~50+ employees, you may start to wonder why your IT team is so busy and unable to respond to support requests more quickly. Well, not only are they chipping away at a mountain of user requests, but they're also working to safeguard the organization’s information from many threats.
To most organizations, private information is extremely valuable and must be kept secure. Some think, “Oh, I’m safe, I have the most up-to-date anti-virus software on my laptop”, but this is a fallacious assumption: anti-virus addresses one class of threat on one device, and nothing else. Protecting against internal and external threats, maintaining the integrity of information, and implementing controls chosen on the basis of an in-depth risk assessment requires a well-structured security program. This article outlines the functional branches of a sound information security program, and perhaps sheds some light on why your IT friends are so busy (and in some cases, angry).
Ideals of Information Security
According to NIST (National Institute of Standards and Technology), there are 8 major principles that any well-developed information security program will follow as guidelines. Each principle addresses a different aspect of how information security policies and controls are put in place to support the organization’s overall operations.
A common theme runs throughout these guidelines: the need for customization. Each program must consider the threats and vulnerabilities specific to the sector and work of the organization it is designed to support.
In the world of information technology and security there exists a plethora of threats, and they change over time. For this reason, it is important to identify and understand which threats exist in your organization’s realm before deciding how to defend against them. A few of many possible threats to information security are explained below:
Information Security Policy
According to NIST SP 800-95, policies are “statements, rules or assertions that specify the correct or expected behavior of an entity”. In terms of information security, policies play multiple roles. They range from access control rules enforced by software components to managerial decisions that back an organization’s user-facing policies, such as email privacy or access security. Implementing these policies in turn requires a hierarchy of roles and responsibilities within the security program (this is further explained in the referenced NIST article). Overall, information security policies provide the framework and guidance for the program.
Information Security Risk Assessment/Management
One of the most crucial aspects of information security, risk assessment/management allows the program to be customized to the specific threats facing the organization at hand. An organization holding highly sensitive information, such as a federal agency, will perform an in-depth risk assessment so that every significant threat is identified, monitored and controlled, and will budget accordingly. Looking at it another way, you aren’t going to spend thousands of dollars on advanced anti-theft software unless you have considerably more than that in assets to protect: the cost of a control should be proportional to the risk it reduces. NIST provides a diagram of its procedure for organization-wide risk management below:
Tools to Combat Threats
Encryption is a tool for information security built on an underlying branch of mathematics, cryptography. Cryptographic algorithms transform data in ways that are easy with the right key and infeasible without it, which makes them extremely useful for protecting information: encryption keeps data confidential, while hash functions, message authentication codes and digital signatures let you verify that data has not been altered and came from the party it claims to. Some examples of encryption/cryptography commonly utilized in information security include:
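As an added example (not from the original article or from any NIST document), the Go program below shows the two cryptographic protections described above in working form: AES-256-GCM authenticated encryption, which keeps a record confidential and refuses to decrypt it if a single bit has been altered, and a SHA-256 fingerprint for checking the integrity of data that need not be secret. The record contents, the record identifier used as associated data, and the in-memory key are constructed for illustration; a real deployment would obtain the key from a key management service rather than generating it in the program.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// Encrypt seals plaintext with AES-256-GCM and returns nonce||ciphertext||tag.
// GCM is an authenticated mode: it hides the plaintext (confidentiality) and
// detects any modification of the sealed bytes (integrity). aad is extra data
// that is authenticated but not encrypted, such as a record identifier, so a
// valid sealed record cannot be quietly swapped onto a different record.
func Encrypt(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per message; reusing a nonce with the same key
	// breaks GCM, so never derive it from anything predictable.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to the nonce slice passed as dst.
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Decrypt reverses Encrypt. It returns an error, and no plaintext at all,
// if the key is wrong, the aad differs, or any bit of sealed was changed.
func Decrypt(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// Fingerprint returns the hex SHA-256 digest of data. A hash gives integrity
// without secrecy: record the digest, and any later change to the data,
// even a single bit, produces a different value.
func Fingerprint(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// TamperDetected flips one bit in a copy of sealed and reports whether
// Decrypt rejects the result, which an authenticated cipher must do.
func TamperDetected(key, sealed, aad []byte) bool {
	forged := append([]byte(nil), sealed...)
	forged[len(forged)-1] ^= 0x01 // corrupt the last byte (part of the tag)
	_, err := Decrypt(key, forged, aad)
	return err != nil
}

func main() {
	key := make([]byte, 32) // AES-256; constructed here, normally from a KMS
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	record := []byte("employee=1042;salary=100000") // constructed sample data
	aad := []byte("hr-record-1042")                  // constructed record ID

	sealed, err := Encrypt(key, record, aad)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed (%d bytes): %x\n", len(sealed), sealed)

	plain, err := Decrypt(key, sealed, aad)
	fmt.Printf("decrypted: %q err=%v\n", plain, err)

	fmt.Println("bit-flip rejected:", TamperDetected(key, sealed, aad))
	_, err = Decrypt(key, sealed, []byte("hr-record-1043"))
	fmt.Println("wrong record id rejected:", err != nil)

	fmt.Println("sha256(record):", Fingerprint(record))
}
```

The point to take from the bit-flip and wrong-record-ID cases is that an authenticated cipher returns an error rather than silently yielding corrupted plaintext; a plain (unauthenticated) mode such as CBC would not, which is why modern guidance pairs confidentiality with integrity.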
Controls vary in importance and operate at different levels of an organization’s information security program, from management decisions and operational procedures down to technical mechanisms. An example hierarchy of information security controls is displayed in the pyramid below:
A Group Effort
Maintaining the security and integrity of your organization’s information is a group effort shared by all users and support staff. Developing a strong information security program involves constructing/complying with policies, clearly defining roles & responsibilities, meticulous risk management, and implementing proper security controls. So just remember, not only is your IT team dealing with the day-to-day support requests, but also serving as the organization’s main defense against threats to information by building & managing a sound security program.
For a more detailed description of threats, check out the NIST document referenced by this article.