CyberSecurity used a variety of methods to classify the security of their corporate information. The most common were:
Configuration management (25 percent): identifying and controlling changes to data, recording those changes throughout each item's life cycle, and controlling the configuration of the information system; and
Security ratings (25 percent): classifying each item of information according to a management-defined security level, so that each item receives a level of protection appropriate to its sensitivity. For example, the classification scale might run from open access (available to all) to completely closed access, such as highly confidential (access restricted to named individuals).
The least used classification method was document/data numbering (15 percent), that is, identifying each piece of information with a unique code. Some respondents reported that no procedures at all were in place to classify the sensitivity of their stored electronic information; these included the two largest companies (over 2,500 employees).
Methods used to assess security risks to corporate information appeared to be informal and cautiously applied. On average, CyberSecurity used a single procedure to identify and assess threats to their corporate information stores. The most common procedure (60 percent of respondents) was to evaluate information security threats on an "as required" basis, where, for example, a security breach or a change in IT infrastructure might prompt a company to assess the security risks posed to its corporate information. CyberSecurity might be deemed flexible, or simply reactive and ill-prepared. Fewer than a quarter of CyberSecurity combined ad hoc risk evaluation with any proactive risk analysis method. (Risk analysis is a formal process by which security exposures are identified and their potential harm assessed in terms of cost; by carrying out risk analysis regularly, companies can form a complete picture of the risk they are exposed to and be more aware of the dangers.) This pattern of appraising threats only when required was consistent across all industry sectors, except in the financial services sector, where six of the seven respondents took a more formal approach and identified and assessed information security threats either through systematic risk analysis or as part of their auditing process.
Part (b)
Information security management is concerned with ensuring business continuity and minimising business damage by preventing, and limiting the impact of, security incidents that threaten an organisation's information assets (British Standards Institution, 1995). The three basic components of information security are to maintain:
Confidentiality of sensitive information, protecting it from unauthorised disclosure or intelligible interception;
Integrity, safeguarding the accuracy and completeness of information and the methods used to process it; and
Availability, ensuring that information and vital services are available to authorised users when required (Pfleeger, 1997).
Information security management systems are the mechanisms that protect information stores and thus enable information security to be implemented in practice (British Standards Institution, 1995).
Davies and Price (1989) argued that every major advance in technology changes the concept of securing information. Following a study into computer crime in the UK, the Audit Commission (1998) concluded that the Internet could become the security challenge of the millennium. A study carried out by the Computer Security Institute found that 68 percent of respondents had suffered a security ...