Because information and information technology are fundamental to just about all aspects of modern life, the modern era is often referred to as the Information age. By its very nature, much information is private and confidential. Information security refers to all the procedures which are used to protect information for deliberate or accidental misuse or dissemination. Technically, it refers to the maintenance of the integrity of information. Integrity means that the information remains correct at all times and cannot be accessed by unauthorised agents.
If personal information such as health or finance status, personal or family issues and background details became available to unauthorised agents, this could lead to the standing of individuals being seriously compromised. In some cases it may have little more effect than a feeling of invasion of personal privacy, while in other cases in may lead to serious embarrassment, loss of status or job and even blackmail.
Business functions by trying to achieve a competitive edge. This is achieved by making better products and having better marketing strategies. If competitors found out the formulation of products or details of manufacturing or the marketing plans for new products, a company would lose its competitive edge. There is a whole dark area to business known as industrial espionage in which a variety of means are used to discover trade secrets and business dealings. Obviously, there is an absolute imperative to maintaining the confidentiality of all company information.
A less obvious breach of information security occurs through industrial espionage where information is either changed or deleted to sabotage the functioning of the organisation.
Protecting company information
There are a number of procedures companies can take to protect their information and these would usually be detailed in a company policy document which would be explained to the staff on appointment. Often a personal copy of this document is given to each employee for their records.
Staff employment practices
Basic to good company security are loyal and trustworthy staff. If staff are likely to have access to sensitive information, they should be thoroughly screened before they are employed. The more sensitive the information they have access to, the more vital is this process. Promotion to more sensitive positions can be based on a good history or loyalty and trust. Part of the staff induction process and on-going staff training should inculcate in staff the importance of security and an awareness of the consequences of its violation.
Information should be classified on the basis of its sensitivity. Access rights to this information should be limited to those who need to know. To access certain information, an employee might need a special security clearance. All access to sensitive information should be recorded. The question of access rights is discussed further in the next section. Where sensitive information is stored in the form of paper files, these should be kept in a secure vault. Procedures should be in place that enable staff to report breaches or suspected breaches of security. They should be able to report these without fear of reprisal. In large organisations security departments can be established specifically for the purpose of providing such channels and monitoring security on an on-going basis. This is often done in conjunction with forensic auditing. This is a special form of auditing to detect mismanagement and corruption.