As additional evidence of this growing trend, the Deloitte 2007 Global Security Survey of top global financial services institutions states the following, and I quote: “Information security is no longer a technology-focused problem. It has become the basis for business survival as much as any other issue”. The survey also found that 81% of respondents, many more than in studies of previous years, feel that the issue of security has risen to the level of the C-suite or board as an issue of critical concern.
Information Security Governance is a framework predicated on principles and accountability requirements that encourage desirable behavior in the application and use of technology. Results from the present study indicate 81% of respondents have a defined information security governance structure (e.g., defined responsibilities, policies, and procedures) while 18% are in the process of establishing one [Deloitte 2007].
The evolution of technology has had its impact on virtually every business or private aspect of our lives. From privacy to liability issues, the impact of technology on business is limited only by imagination. Unauthorized access to paper documents or phone conversations is still an information security concern, but the real challenge has become protecting the security of computer networks, especially when they are connected to the Internet.
Most large organizations have their own local computer network, or intranet, that links their computers together to share resources and support the communications of employees and others with a legitimate need for access. Almost all of these networks are connected to the Internet and allow employees to go "online."
Information technology security is controlling access to sensitive electronic information so that only those with a legitimate need to access it are allowed to do so. This seemingly simple task has become a very complex process, with systems that need to be continually updated and processes that need to be constantly reviewed. There are three main objectives for information technology security: confidentiality, integrity, and availability of data to the organization. Confidentiality is protecting access to sensitive data from those who don't have a legitimate need to use it. Integrity is ensuring that information is accurate and reliable and cannot be modified in unexpected ways. Availability ensures that data is readily available to those who need to use it (Feinman et al., 1999).
Information technology security is often the challenge of balancing the demands of users versus the need for data confidentiality and integrity. For example, allowing employees to access a network from a remote location, like their home or a project site, can increase the value of the network and efficiency of the employee.
Unfortunately, remote access to a network also opens a number of vulnerabilities and creates difficult security challenges for a network administrator and for the business as well. Unauthorized persons may be able to hack into the system while these operations are being performed. In order for a business to secure its information or data, it needs to put adequate security tools in place, such as developing policies and procedures for staff to secure very sensitive information where the business is concerned.
An effective network security policy is the foundation of an adequate information security environment, one which protects the business’s confidential data such as its finances and staff salaries. A network security policy is the basic document that defines the expectations for network security and guides administrators and network users. A good information/network security policy should support the organization's overall goals and mission, set standards for acceptable behavior on the network, identify assets that need to be protected, and hopefully reduce the number of security incidents that occur within the organization.
Security policies can be written at a high level to allow for broad interpretation, or at a low level to provide specific guidance. A good security policy has a mixture of both, allowing for innovation in appropriate areas and providing numerous details in critical areas.
A network security policy should be easy for all users to understand and adaptable to the needs of the organization, especially as security and vulnerability assessments reveal weaknesses that need to be corrected. To be effective, a policy must be communicated to all network users, consistently enforced, and strongly supported by the organization's leadership.
On the other hand, if the company’s data is not protected and everybody has access to everything, ultimately it is the business that bears the consequences of a poorly secured system. It is difficult to say that a case of internal fraud or financial misstatement is a purely IT issue. However, such incidents are preventable through well-defined permission structures allocated to appropriate business users. Since the business bears the risk, it is logical that it should be fully engaged in the design of the solutions that prevent the occurrence of such risks.