Information Security Factsheet
This factsheet will help you to keep your business's information secure, by showing you how to assess the level of risk you face and then manage that risk.
Title: Information Security: An Introduction Factsheet
Author: Department of Trade and Industry
Date published: May 2005
Number of pages: 9
Availability: Download full report
PDF 59Kb
Why do we need information security?
All information has value. Sometimes this might be trivial, but in many cases the value is critical. For example:
Medical records
Financial transactions
Building plans
Ex-directory phone numbers
Value is measured in different ways, depending on the nature of information.
How can information be protected?
Information security is often perceived as a daunting task requiring highly technical skills. In fact, the most effective steps are based on common sense and good management practice. Simply assessing the risks to your own organisation will help you establish appropriate risk management and ensure you can respond effectively when information security is compromised.
In addition, organisations should have:
A practical approach to Policy & Standards, including an Information Security Policy, supported by realistic and workable processes and procedures
A well-informed, well-trained workforce
Appropriate (but not excessive) levels of vigilance
Risk Management
1. Understanding the risks to your organisation
The risks to information include:
Fraud
Illegal personal investigation
Industrial espionage
Terrorism
Computer viruses
A risk is normally the product of a threat and a vulnerability: a threat can only cause harm where there is a weakness it can exploit.
Vulnerabilities include:
Poor website design
Slack recruiting procedures
Mismanaged computer systems
Inadequate staff training
Threats include:
Deliberate manipulation of information prior to input
Impersonation of a legitimate user
Untrained staff
Loss of service
If your business is exposed to a particular threat, such as fraud (e.g. because it handles large sums of money), any unmanaged vulnerability gives that threat the opportunity to materialise.
The aim of risk management is to reduce such risks to an acceptable level.
2. Risk Analysis
Risk Analysis is a formal process of determining risks and developing a plan to deal with them. A risk analysis process involves:
Understanding risks to the business and how they can occur
Understanding the potential cost to the business if they do occur
Identifying suitable and effective measures to:
Minimise the likelihood of occurrence
Prevent or detect the threat
Enable appropriate recovery action to be taken.
You can identify and quantify the risks to your business by using:
Existing research to learn about threats
Reviews, testing and audits to identify vulnerabilities
Statistical research to determine the likelihood of an event occurring
It is not realistic to reduce risk to zero, but it is essential that you do not deny a risk exists when it does.
Once a measurement of risk has been agreed, the organisation must work out the impact of a security event on the successful operation of the business and apply countermeasures to address the risks.
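The two steps above (identify threats and the vulnerabilities they exploit, estimate cost and likelihood, then justify countermeasures and compare what remains with what the business will accept) can be worked through with numbers. The following is an added illustration and is not part of the DTI factsheet: every threat, vulnerability, cost, likelihood, countermeasure and the risk appetite figure are constructed for the example, and the scoring rule (expected annual loss = cost per incident x incidents per year, a control being justified when the loss it removes exceeds its running cost) is one common quantitative approach rather than anything the factsheet prescribes.

```python
"""Quantitative risk analysis in the shape the factsheet describes.

Added worked example, not part of the DTI factsheet. Every threat,
vulnerability, cost, likelihood and countermeasure below is constructed
to illustrate the method; substitute your own figures.
"""
from dataclasses import dataclass, field


@dataclass
class Countermeasure:
    name: str
    annual_cost: float              # what the control costs to run each year
    likelihood_factor: float = 1.0  # multiplies incidents per year (0.1 = 90% fewer)
    impact_factor: float = 1.0      # multiplies cost per incident (0.25 = 75% cheaper)


@dataclass
class Risk:
    threat: str            # who or what causes the harm
    vulnerability: str     # the weakness the threat exploits
    impact: float          # cost to the business per incident (pounds, constructed)
    likelihood: float      # expected incidents per year (constructed)
    candidates: list = field(default_factory=list)  # countermeasures on offer

    def expected_annual_loss(self, controls=()) -> float:
        """Impact x likelihood, after applying the given controls."""
        impact, likelihood = self.impact, self.likelihood
        for c in controls:
            impact *= c.impact_factor
            likelihood *= c.likelihood_factor
        return impact * likelihood


def worthwhile(risk: Risk, control: Countermeasure) -> bool:
    """A control is justified when the expected loss it removes exceeds its cost."""
    saving = risk.expected_annual_loss() - risk.expected_annual_loss([control])
    return saving > control.annual_cost


def treat(risk: Risk, appetite: float) -> dict:
    """Pick the controls that pay for themselves, then compare the residual
    loss with the level of loss the business is prepared to accept."""
    chosen = [c for c in risk.candidates if worthwhile(risk, c)]
    inherent = risk.expected_annual_loss()
    residual = risk.expected_annual_loss(chosen)
    return {
        "risk": f"{risk.threat} via {risk.vulnerability}",
        "inherent": inherent,
        "controls": [c.name for c in chosen],
        "residual": residual,
        "acceptable": residual <= appetite,
    }


# Constructed register; the threats and vulnerabilities echo the factsheet's lists.
REGISTER = [
    Risk("Fraud", "manipulation of payment data before input", 50_000, 0.5,
         [Countermeasure("second approver on payments", 4_000, likelihood_factor=0.1)]),
    Risk("Computer virus", "mismanaged (unpatched) desktops", 8_000, 2.0,
         [Countermeasure("nightly off-site backup", 3_000, impact_factor=0.25)]),
    Risk("Impersonation of a legitimate user", "inadequate staff training", 40_000, 0.2,
         [Countermeasure("annual awareness course", 6_000, likelihood_factor=0.5)]),
]
APPETITE = 5_000  # constructed: largest expected annual loss the business will tolerate


def risk_plan(register=REGISTER, appetite=APPETITE) -> list:
    """Treatment plan ordered by inherent loss, so the biggest risks come first."""
    return sorted((treat(r, appetite) for r in register),
                  key=lambda row: row["inherent"], reverse=True)


if __name__ == "__main__":
    for row in risk_plan():
        print(f"{row['risk']}: £{row['inherent']:,.0f} -> £{row['residual']:,.0f} "
              f"with {row['controls'] or 'no control'}; "
              f"{'accept' if row['acceptable'] else 'needs further treatment'}")
```

With the constructed figures the second approver and the backup both pay for themselves and bring their risks under the appetite, while the awareness course removes less expected loss than it costs; the impersonation risk is therefore left untreated and flagged as needing further treatment rather than quietly accepted, which is the point the factsheet makes about not denying a risk that exists.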
Good Housekeeping
The full report includes practical tips for dealing with security issues, together with common ways of counteracting the most frequent threats. These include:
Backup procedures
Software considerations
Physical security
Education
Access controls
Destruction of information
For more information see full report.
Last update: Friday, August 01, 2008