Importance of Info.Sec.Management [ZeRogue]
Information is an asset and an essential resource of a business, a key to business growth and success. Sharing information has become a business activity in its own right. Information is valuable to organisations, and it needs protection and attention.
In reality there are negative elements to information usage. Threats exist, and they have the potential to cause loss of information. Vulnerabilities exist in information systems, and they can be exploited to cause loss of information in the areas of confidentiality, integrity and availability. Threats include hacking, viruses and malicious code, denial of service, espionage, fraud, theft, natural disasters, software flaws, human error and sabotage. As technology develops, new threats appear. If information is lost, disaster follows: services are disrupted, competitive advantage, reliability and trust disappear, and business is lost. Loss of information also leads to reduced staff morale, rumours, and even damaged careers. It may cause failure to comply with regulators' requirements, and public image suffers. Since it is impossible to handle high transaction volumes manually, the dependence on information has given rise to the need for protection. So we need to protect hardware, software, storage media, networks, access and key people from loss or damage, whether accidental or intentional.
Information security protects against a wide range of threats in order to preserve business continuity, reduce damage to the business, maximise return on investment and ensure customer loyalty. Information security used to be found only in certain organisations such as banks and some government departments. Now it is widely regarded as an important requirement in almost all areas, and there are now legal and regulatory requirements as well.
Information security has three essential objectives. Confidentiality: protecting information from unauthorised disclosure, whether to a competitor or to the press. Integrity: protecting information from unauthorised modification and ensuring the information is correct. Availability: ensuring the information is available when it is required.
Information security is therefore characterised as the preservation of the CIA of information, and hence the continued availability of adequate information. It is achieved by implementing suitable controls, including policy, practice, organisational structures, procedures and software functions. It is not just about IT measures but also about the human interface to the information.
Information security needs management. Firstly, we need effective security: its purpose is to ensure business continuity and reduce damage by preventing and minimising the impact of security incidents. Secondly, we cannot prevent all risks; for a business the best solution is to devise a security policy at the lowest cost that leaves a manageable residual risk. Different organisations have different requirements. Furthermore, the right balance should be found between internal control and the freedom to operate, and we should weigh the cost of security against the cost of insecurity. Finally, information systems always involve people, and people need management: we should maintain awareness throughout the organisation and provide motivation and skills at the different levels within the organisation to maintain the security policy.
To achieve these goals, we should make sure that top management is aware of the importance of information security, keep the security policy updated, and implement changes accordingly. Moreover, the security policy should be maintained through the following life cycle:
Policy > plan > implement > review > (back to policy)
The role of information has changed over the years and has become more and more important; at present the entire society functions on the basis of information. But the more important the information is, the more threats arise. They include: natural disasters (flood, fire, etc.), environmental conditions (electrical surges, etc.), technical conditions (program bugs, system crashes, etc.), human factors (lack of training, omissions, etc.), and deliberate attacks (hacking, etc.). The consequential losses could be: loss of business; loss of competitive advantage; problems with system recovery; correction of files; legal or regulatory consequences; insurance investigation and renewal; staff morale, rumours and damaged careers; negative effects on public image; 'copycat' attempts; and extra security measures. These losses directly or indirectly lead to financial, reputational and production losses and even business discontinuity. Thus information security is the process of protecting data from accidental or intentional misuse by persons outside or inside an organisation, and of keeping it trustworthy.
There are three aspects of information security:
1. Confidentiality: protecting information from unauthorised disclosures.
2. Integrity: protecting information from unauthorised modification and ensuring that information can be relied on and is accurate and complete.
3. Availability: ensuring information is available when it is needed.
IS protects against a wide range of threats in order to preserve business continuity, reduce damage to the business, maximise profit and ensure customer loyalty.
However, information security is not an event but a process, and it can be very difficult to reach a reasonable level; thus information security needs management.
Information security management can be seen as a balance between the risks and the reliability advantages of information. Perfect security is impossible to achieve, because it costs a great deal of money and reduces the convenience of operations.
Nowadays many companies do not take information security management seriously and consequently have many problems. Some of the reasons are: not treating ISM holistically but as something only the IT department does; not seeing ISM as a business enabler but as something that makes management and operations more difficult; and, since the consequential losses are difficult to measure, the benefit of ISM is difficult to see, so people do not want to pay for something that may never happen. Furthermore, ISM is easily misdirected if it is not planned properly.
To do ISM properly: firstly, use a holistic approach instead of ad-hoc methods, and let everyone inside the organisation know that IS is important and concerns them. Secondly, the security fronts such as hardware, software, storage media, networks etc. need protection and have to be considered in a co-ordinated way. Finally, the ISM life cycle model helps to maintain effective and proper IS.
To summarise, IS is the basis of success for most organisations nowadays, and ISM is the way to achieve it.