
Introduction to information security


Information Security was previously referred to as IT Security. The name has changed to avoid the function being regarded as an exclusively technical concern, and to reflect its broader business role.

Information can take many forms - from a paper document, a fax transmission or telephone call, to electronic data, stored in a variety of computer systems or on magnetic or digital media. And this information can be of many different types, including:

  • key financial information, for which accuracy is paramount
  • applications for which prolonged downtime would be very damaging for the business, such as a high-availability medical application, or real-time reservation system
  • the processing of sensitive corporate or personal data, whose uncontrolled disclosure could cause a significant loss of credibility, damage to reputations, or even a breach of the law, as in the case of the Data Protection Act

Information Security is concerned with ensuring that information-related risks are assessed, that appropriate controls are implemented to manage those risks, and that the adequacy of those controls is monitored on a regular basis.

Information Security is generally considered under 3 generic headings:

  1. Confidentiality – preventing unauthorised access to IT resources, including data
  2. Integrity – maintaining the accuracy and completeness of data and IT processing
  3. Availability – ensuring the continued availability and resilience of IT resources

ISO 17799 - the standard for information security management

Within the UK, the scope of Information Security is clearly defined in the BSI standard, ISO 17799. This provides a proven framework to initiate, implement, maintain and document information security within an organisation. The standard is flexible and can be used by any type or size of business to minimise the potential for security breaches, and the corresponding cost and disruption if they do occur. The Standard is organised into ten main control categories:

ISO/IEC 17799 - 10 control categories

  • Information Security Policy
  • Organisational security
  • Asset classification and control
  • Personnel security
  • Physical and environmental security
  • Communications and Operations management
  • Access control
  • Systems development and maintenance
  • Business continuity management
  • Compliance

Each control category sets out a clear set of objectives and then gives detailed advice on how the control might be achieved. In some cases not all the controls will be required, and in some circumstances, depending on specific risks, additional controls not defined in ISO 17799 may be required.


The Information Security function

The position of the Information Security function within an organisation will depend on a number of factors, including the scale and complexity of the operation and the nature of the business. The diagram below charts the more likely relationships and communication channels which may exist in a large-scale organisation.


Key relationships for Information Security

Top management

It is paramount that information security has a clear mandate from top management, which is normally a fundamental part of the security policy. There should also be a clear communication line direct to the top of the organisation, so that information security can immediately make top management aware of serious incidents, technical threats or conflicts of interest.

IT Audit

The relationship between information security and the IT Audit function is very important. Managed effectively, it should provide synergy and increased value to the organisation.

From an audit perspective, the Information Security function is no different to any other part of the organisation and its activities will be subject to a periodic, independent assessment.

For example, Information Security may be responsible for defining detailed security standards for specific platforms such as Windows 2000 or HP-UX. IT Audit will review these standards to provide assurance that they are complete and reasonable and are being applied effectively. Similarly, where Information Security performs routine monitoring of access and potential security breaches, IT Audit will seek to provide assurance that the processes in place are satisfactory and that the procedures for managing and escalating an incident are sound and being complied with.

The area of consultancy, in designing and recommending appropriate levels of security for new system developments and IT infrastructure, is, however, an area of potential overlap between IT Audit and Information Security. The functions, therefore, need to reach a common agreement on potential risks and work together to achieve a satisfactory standard of control with the minimum of duplication.

The link with Internal Audit is also key in ensuring that compliance with technical and procedural standards is being maintained. When carrying out their compliance checks, it makes sense if the internal auditors make use of the same operational and technical standards specified by the security function. It therefore also makes sense to consult Internal Audit when developing and specifying controls, based on business need and risk assessment, or simply 'best practice' baselines.

IT department

Another key relationship is that with the IT department, particularly the systems development leaders, with whom the information security head should liaise on the security requirements for forthcoming systems.

Risk Manager

The Operational Risk Manager is an essential point of contact to ensure proper consideration is given to key risks facing the business, which fall under the scope of information security.
Day-to-day controls and compliance questions are often addressed in collaboration with the personnel / HR officer, the physical site security or facilities officer, and the compliance or legal function, if the business has one.

Not all the above functions or links will be present in all situations, but the above is meant to be an indicative picture of where liaison should take place. Given the number of important relationships, it is important that the Information Security function co-ordinates activities with all those where there is potential for overlap, in order to harmonise initiatives and avoid duplication of effort.


Policy, technology and people

Critical to success in implementing appropriate information security throughout an organisation is obtaining the right balance between policy, technology and people, as visualised within the model below. All 3 dimensions must be present and operating effectively for the objectives to succeed. These dimensions are recognised and present throughout ISO 17799.


Information Security Policy Document

The Information Security Policy Document should not only clearly address the 3 key dimensions of policy, technology and people, but should also document the mandate information security has from the top of the organisation.

Many companies make the mistake of trying to make this a very comprehensive document, aimed at covering all eventualities. Instead, it should be a high-level expression of management intent, usually no more than a couple of pages, stressing the importance of information for the organisation, and the need for appropriate mechanisms to protect it.

The specific content of the Policy will be influenced by:

  • the nature of the business and the environment it operates in
  • forthcoming business strategies and initiatives
  • the way the business uses technology (and plans to use forthcoming technologies) to deliver its products and services
  • the threats and vulnerabilities which are present in its environment, operations and systems, including the links and dependencies it has with other organisations
  • its 'appetite' for risk-taking, once it is aware of the risks assessed to be present

The Policy itself must be authorised by the Board, signed by the CEO, and issued to all those who need to be aware of it - including line-management, staff and third-party contractors and consultants.

Finally, there must be a review and refresh process to ensure that the policy remains current, and serves the needs of the organisation.


Standards and Guidelines

The Policy Document needs to be underpinned by supporting Standards and Guidelines in order to give it full effect. Whereas the policy articulates management's view on what ought to happen, the Standards and Guidelines should set out how the objectives are to be achieved.

For example, the organisation may determine at the Policy level that third-party contractors ought to be given managed access to company systems and that their activities, while logged on, should be monitored. For the specific IT platforms and communications technologies employed by the organisation, there may then be specific features, utilities or add-on software which, when configured according to the appropriate standards and settings, will give effect to the policy requirements. In this example, the contractors may log on through a specific mechanism, possibly using an additional authentication token. In addition, the logs of their activity while on the system may be subject to specific review. In this manner, the technical controls and supporting procedures give support to the management intentions laid out in the Policy.
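The contractor-access example above, carried one step further as an added illustration (not code from the original page): the policy statement becomes a standard, and the standard becomes rules that can be checked against session logs. The gateway name, log field names, account register and log lines are constructed for this example.

```python
# Added example (not the page's code): the contractor-access policy above as
# machine-checkable rules. Gateway name, log fields and accounts are assumptions.
from dataclasses import dataclass

# Constructed register of third-party accounts and their contract windows.
CONTRACTORS = {
    "ctr-alice": ("2024-03-01", "2024-06-30"),
    "ctr-bob": ("2024-01-15", "2024-02-28"),
}

# Constructed sample log: one key=value record per line.
SAMPLE_LOG = [
    "ts=2024-03-05T09:01:00 user=ctr-alice session=s1 event=login via=contractor-gateway token=yes",
    "ts=2024-03-05T09:02:10 user=ctr-alice session=s1 event=cmd cmd=backup_db",
    "ts=2024-03-06T22:15:00 user=ctr-bob session=s2 event=login via=vpn token=no",
    "ts=2024-03-06T22:16:00 user=ctr-bob session=s2 event=cmd cmd=export_customers",
    "ts=2024-03-07T10:00:00 user=emp-carol session=s3 event=login via=vpn token=no",
]

@dataclass
class Finding:
    user: str
    session: str
    rule: str

def parse(line):
    return dict(kv.split("=", 1) for kv in line.split())

def review(log_lines):
    """Return (findings against the standard, activity per contractor session)."""
    findings, activity = [], {}
    for rec in map(parse, log_lines):
        user, sid = rec["user"], rec["session"]
        if user not in CONTRACTORS:
            continue  # employees are governed by other standards
        if rec["event"] == "login":
            start, end = CONTRACTORS[user]
            if rec.get("via") != "contractor-gateway":
                findings.append(Finding(user, sid, "login bypassed contractor gateway"))
            if rec.get("token") != "yes":
                findings.append(Finding(user, sid, "no additional authentication token"))
            if not start <= rec["ts"][:10] <= end:  # ISO dates compare as strings
                findings.append(Finding(user, sid, "login outside contract window"))
            activity[sid] = []
        elif rec["event"] == "cmd":
            activity.setdefault(sid, []).append(rec["cmd"])  # queued for review
    return findings, activity
```

Each finding names the clause of the standard that was not met, so the review output maps directly back to the policy requirement it was derived from.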

The rollout of controls in support of the organisation's defined security policy will be far less effective if key messages are not communicated to line managers, system developers, operational staff and auditors. Written policy and technical measures can go some of the way, but without the full co-operation of staff, at various levels, the potential for security problems is increased.


Employee regulation and supervision

Security surveys consistently reveal that people are responsible for around two-thirds of all security breaches, whether accidental or deliberate. This makes it an important area for Information Security to focus on.

This will involve a range of activities, from ensuring that security responsibilities and confidentiality clauses are set out in employee terms and conditions, to running security awareness training sessions, either at staff induction sessions or as part of a rolling security awareness programme.

The awareness campaign will also be assisted by ensuring that all staff are made aware of the rationale for the security policy. This includes the impact upon the business arising from specific incidents (such as virus outbreaks), and the disciplinary consequences for staff found blatantly ignoring directives or guidance (for example, recent cases of dismissal for those found browsing inappropriate material on the internet, in work time, or for propagating libellous or salacious e-mails).

Finally, there will be certain actions which may not only breach corporate security policy, but which may also breach prevailing laws, such as intellectual property / copyright laws, computer misuse legislation, and data protection acts. Staff must be made aware of the potential for damage to corporate reputation, but should also be advised of circumstances where their actions could result in cases of personal liability.

ISO 17799 refers specifically to the importance of communicating awareness, responsibilities and consequences to those with access to corporate systems and data.
