What is information security and why does it matter?

Why should this matter to me?

Answer this question

If all the information about you (or that you hold) became freely available to anyone or was destroyed, would you be affected?

If all the information the University holds also became freely available to anyone, or was destroyed, would the part of the University's business you are responsible for be affected?

If the answer to either of these is yes, then information security concerns you or your business, because you are at risk.

What is information security?

Security is a process of protecting valuable assets from threats. In information security the assets are information and the services that help provide it. Those at risk are the people and processes that rely on the information, those whom the information is about, and those who have obligations to look after it.

Not all threats are equally dangerous or likely, so risks have to be assessed (risk: a source of danger, a possibility of incurring loss or damage). Risk can be reduced through suitable measures (controls). Security controls have a cost and no-one has unlimited resources, so risk management methods are used to ensure information security risks are reduced to acceptable levels at acceptable costs. Identifying and classifying risks allows the highest-risk threats to be controlled first.

Who is responsible for information security?

Individuals are responsible for their own information, and for the computers or other devices they own and use to manage it. They are also responsible for the security of any information they are given access to by other people and organisations.

Within an organisation, responsibility may be divided between various groups, but international standards state that responsibility for information security should be owned by the group to whom the information has the greatest value, or who would be most affected by any security problem. In practice this means the business process owners.

It is a common misconception that information security is solely the IT department's responsibility. Only 10% of incidents are caused by technology problems; 30% are failures of process and 60% are caused by human error. Furthermore, the IT service provider does not own or benefit from the data stored, and is not the group most directly affected by security problems.

  • A good analogy is to view the IT service as a secure place where information can be kept. The provider gives the owner of the information the means to secure it, but it is up to the owner to use the system to 'lock' any valuable contents away securely and to control who else gets access.