Information security or IT security?

 One would think that these two terms are synonyms – after all, isn’t information security all about computers?


Not really. The basic point is this – you might have perfect IT security measures, but a single malicious act by, for instance, an administrator can bring the whole IT system down. This risk has nothing to do with computers; it has to do with people, processes, supervision, etc.

Further, important information might not even be in digital form, it can also be in paper form – for instance, an important contract signed with the largest client, personal notes made by the managing director, or printed administrator passwords stored in a safe.

Therefore, I always like to say to my clients – IT security is 50% of information security, because information security also comprises physical security, human resources management, legal protection, organization, processes etc. The purpose of information security is to build a system which takes into account all possible risks to the security of information (IT or non-IT related), and implement comprehensive controls which reduce all kinds of unacceptable risks.

This integrated approach to the security of information is best defined in ISO 27001, the leading international standard for information security management. In short, it requires a risk assessment to be done on all of an organization’s assets – including hardware, software, documentation, people, suppliers, partners etc. – and applicable controls to be chosen for decreasing those risks.

ISO 27001 offers 133 controls in its Annex A – I have performed a brief analysis of the controls, and the results are the following:

- IT related controls : 46%
- controls related to organization / documentation: 30%
- physical security controls: 9%
- legal protection: 6%
- controls related to relationship with suppliers and buyers: 5%
- human resources management controls: 4%

What does all this mean in terms of information security / ISO 27001 implementation? This kind of project should not be viewed as an IT project, because as such it is likely that not all parts of the organization would be willing to participate in it. It should be viewed as an enterprise-wide project, where relevant people from all business units should take part – top management, IT personnel, legal experts, human resource managers, physical security staff, the business side of the organization etc. Without such an approach you will end up working on IT security, and that will not protect you from the biggest risks.




Posted on 07/15/2010 by dkosutic

CIO Index