Ever wondered how safe it really is when we mention names, share profile information, and tag people in photos in our social media accounts?
And if you work for an IT company, how can your customers be sure that the data they have entrusted to you is safe and can be accessed only by people who have been granted the right to access it?
In this post we ask ourselves, “Are we safe?” with regard to information security, that is, the control of how data is handled (and mishandled) within an organization.
Commonly shortened to InfoSec, it is defined as the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.
Importance of Information Security
There are two major areas of concern that we have to consider when we are to learn InfoSec:
- IT Security – employees are responsible for keeping the technology used within the company secure: the systems, networks and applications that store and process its information;
- Information assurance – ensuring that information remains available and intact, so that data is not lost when critical issues arise.
Errors on Technology or…
The security community generally agrees that the weakest link in most organizations’ security is the human factor, not the technology. Technology is only a tool that helps us become more productive. Every employee needs to be aware of his or her roles and responsibilities when it comes to security, because most of the value of a business is concentrated in the value of its information.
That is why we have to protect information assets regardless of how the information is formatted and regardless of whether it is in transit, being processed, or at rest in storage. For each identified risk there are four ways to treat it:
- Reduce/Mitigate – implement safeguards and countermeasures that eliminate or block the threat, or lower its likelihood or impact;
- Assign/Transfer – shift the risk to another party, for example by purchasing insurance or outsourcing to a provider who assumes it contractually;
- Accept – knowingly live with the risk when the cost of the countermeasures outweighs the expected cost of the loss;
- Ignore/Reject – some reported issues may not need
Regulatory Standards Compliance
In general, compliance means conforming to a rule, such as a specification, policy, standard or law. Regulatory compliance describes the goal that organisations aspire to achieve in their efforts to ensure that they are aware of and take steps to comply with relevant laws and regulations.
Applied to ICT and information security, your company may also need to comply with one or more standards defined by external parties. Examples include the Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes-Oxley Act (SOX), the Federal Information Security Management Act of 2002 (FISMA), the Family Educational Rights and Privacy Act (FERPA), the Payment Card Industry Data Security Standard (PCI DSS), and the Gramm-Leach-Bliley Act (GLBA), among other acts and regulations. Which of these apply depends on the industry you are in and the kind of data you handle: PCI DSS, for instance, is a contractual standard for anyone who stores, processes or transmits cardholder data, while HIPAA applies to protected health information.
It can be difficult for a company to work out which laws apply to it and which do not, because different sets of laws apply to different companies. But these regulations exist to help a company improve its information security, and non-compliance can result in severe fines.
Information security is often seen as an amorphous problem that only the IT department has to deal with. The reality is that a company needs to address information security from top to bottom. That is why employees’ behavior has such a big impact on information security in organizations.