
What is Information Assurance?

InfoSecurity Europe : 04 March, 2010  (Special Report)
Martyn Smith of Logically Secure explains information assurance and how to ensure that it is correctly implemented

Information Assurance is about so much more than simply placing barriers between the attacker and the target. Security is not a product, it is a managed process, and as such has no end state. Instead, procedures and controls must be woven into the fabric of an organisation; security must become part of normal business, rather than an additional set of measures surrounding it, if it is to be truly effective. Security should be a state of mind.

The problem that faces many businesses is how to ensure your daily business is as secure as possible whilst maintaining a degree of flexibility to be able to respond to changing or unforeseen circumstances. Benjamin Franklin said, "Those who would sacrifice freedom for security deserve neither," and the same can be said of business. Trading your flexibility for a set of rigid measures will neither assure your security nor necessarily enhance your business. However, to abandon security entirely for the sake of that flexibility would be reckless in the extreme. Fortunately, security need not be an all or nothing situation.

The answer is to introduce security incrementally, or at least to recognise that sound security needs a basis on which complexity can be built. Laying the foundations of security within the business allows stronger integrated processes to develop gradually, ensuring that the addition of technology or other complex measures is not a modern-day Maginot Line: daunting in principle, but easily defeated by an unrealised weakness. These foundations can be built upon as required, with practices, procedures and technological enhancements embedded into the organisation's routine.

The trick is to recognise the point at which further measures add little value to the overall protection of the business, or at least that they extend the value of its outputs and the amount of risk it is willing or able to take. Even in organisations where some (or many) security practices are already in place, it can be beneficial to start again from the beginning, adding, refining or replacing outmoded and missing measures; an exercise that could be likened to underpinning a dilapidated house rather than let it fall into ruin. If the foundations are not in place, or are not sound, then there is a risk that the whole house of cards could tumble. A check of the measures in place can be achieved by audit against a recognised standard by a qualified individual. But, like all matters where subjectivity can be applied to the results of an activity, security often falls foul of an audit where the requirements are vague and their interpretation wide-ranging. However, it is still beneficial to have an impartial eye cast over them and this is particularly important if the organisation wishes to hold itself up as an example to others.

Similarly, an organisation wishing to out-source should be looking to its potential providers to ensure their security, or lack of it, will not undermine its own. Take the situation of a software house where security of their code is of paramount importance. Having taken strong measures to protect it during its compilation, it becomes at risk when they send it to a reproduction company to be copied in bulk for sale. So it is of paramount importance that both parties are able to understand and articulate their own and each other's position in relation to the security they provide and expect in return. Assurances between companies are one means of achieving this, but verification of the very same policies and practices being present in both companies would be significantly better.

Always remember the adage that "Trust is the absence of a control measure."

Finally, and most importantly, there is the single biggest reason for systemic failure in any organisation: are the policies and procedures that make up the organisation's security measures fully supported by the executives?

This support is without doubt the critical factor. There is little value in formulating policy and procedures, and in deploying technological barriers, if there is no firm commitment from the heads of the organisation to support them. Executive support must come in two forms: a formal endorsement of all policies at board level, including financing technological measures and their upgrades, and a demonstration of adherence to those policies by the executives themselves. Recent years have seen a rise in the incidence of "spear phishing" and "whaling", the practices of specifically targeting senior members of an organisation. Successful attacks are usually the result of senior executives ignoring the rules and procedures they impose on their staff, or of their insistence on having the highest level privileges on their IT system despite the fact that they rarely, if ever, need them. As was mentioned at the beginning, security is a process, and one that requires all parts of the organisation to follow it.

Logical Security is exhibiting at Infosecurity Europe 2010, the No. 1 industry event in Europe held on 27th - 29th April in its new venue Earl's Court, London. The event provides an unrivalled free education programme, exhibitors showcasing new and emerging technologies and offering practical and professional expertise.