Protection Of Information Assets


1. Introduction

Continuity of operations and correct functioning of information systems are essential to all businesses. Threats to computerized information and processes are threats to business quality and effectiveness. The objective of IT security is to put measures in place that eliminate significant threats or reduce them to an acceptable level. The company should have a process for protecting data files, application programs, and hardware through a combination of physical and logical security controls. Physical security involves restricting physical access to computer and information resources, usually by limiting access to the buildings, areas and rooms where they are housed. However, physical controls alone cannot ensure that computer and information resources are sufficiently protected. For this reason, it is important to establish logical security controls that protect the integrity and confidentiality of sensitive information (Schneier, 2000).

The security function in the company should be responsible for implementing and maintaining both physical and logical controls based upon authorizations provided by the owners of the resources. Where do we start to improve physical and logical security? First, the business needs to know which computer and information resources need to be protected, by recognizing the threats and judging their possible impacts. Then it has to calculate the risks and decide which risks are acceptable. There are some important points concerning security to keep in mind:

Keep it simple. If security is very complicated, it is unlikely to be effective and likely to be expensive.

Keep it coherent. It is better to have a minimum, coherent level of security than some systems highly protected and other dependent systems wide open.

Keep to some known and well-tried standard if possible. It will make evaluation easier.

2. Physical Access Exposures and Control

A business that depends on computer resources cannot be too careful with computer security. But this includes more than enforcing strong passwords and using antivirus software. If the system itself is not physically secure, nothing else about the system can be considered secure. With physical access to a machine, an intruder can halt the machine, bring it back up in privileged mode, replace or alter the machine, plant Trojan horse programs, or take any number of other undesirable actions (Russell, 1991). Concern should also be given to critical communication links such as switches or routers. Overall, a good physical security program is an organization's first line of defense. In brief, physical security considerations are an overall assessment of the security needs with regard to facility location, layout and construction of the facility, access control to the facility, monitoring of access, etc.

Physical Access Exposures

An almost unlimited number of threats can theoretically be of concern to an organization's well-being. The main focus of physical security has often been on human-made disasters, such as an attack over the network from an outside hacker or plain human error by the organization's own employees. Even if these in fact are the most common threats, it is crucial not to forget that the same kind of threats ...