Security of Information Systems
In the modern digital environment, information systems are critical to organizational success, yet they are inherently vulnerable to threats such as unauthorized modification, intrusion, misuse, and system malfunction. As organizations increasingly rely on computerized systems to store, process, and transmit data, ensuring robust information system security has become a strategic and operational necessity rather than a purely technical concern.
Information systems must therefore be protected through well-designed and continuously evolving security mechanisms. In practical terms, information assets are considered secure when the expected losses arising from potential threats over a defined period are maintained at an acceptable level. Absolute security is neither feasible nor economically justified; instead, organizations aim to manage risk within tolerable limits.
28.1 Security Issues in Information Systems
Some degree of loss is inevitable in all organizational environments. Attempting to eliminate every possible loss is either technically impossible or prohibitively expensive. Consequently, management must define acceptable levels of risk and link them to a time horizon over which such losses can be tolerated.
Threats to information systems generally fall into two broad categories:
- Physical threats: theft, fire, floods, earthquakes, power failures, and other natural or man-made disasters.
- Logical threats: unauthorized access, hacking, malware, viruses, ransomware, data leakage, and software vulnerabilities.
Examples of Intrusion
Intrusion may involve attempts to gain unauthorized access to sensitive systems, such as a bank’s financial platform, to execute fraudulent transactions. In other cases, the intent may be limited to stealing customer data, intellectual property, or confidential business information for personal or competitive advantage.
Not all threats originate externally. Insider threats pose a significant risk, particularly when employees with authorized access misuse their privileges. For example, an employee leaving an organization may attempt to manipulate or extract data unless appropriate controls are in place.
Management’s Responsibility for Information Security
Executive management bears ultimate responsibility for ensuring a secure information systems environment. Senior leadership must actively sponsor and promote information security initiatives, demonstrating their importance across the organization.
When security is visibly supported by top management, employees and system users are more likely to recognize its significance and comply with established controls. Security, therefore, should be embedded into organizational culture rather than treated as an isolated technical function.
Importance of Information System Security
Sound information system security is fundamental to building trust among stakeholders, ensuring business continuity, and protecting organizational reputation. As reliance on digital systems grows, security is universally recognized as a pervasive and critically important quality attribute.
Organizations must protect themselves against the risks inherent in using information systems while simultaneously leveraging the benefits they provide. Effective security enables innovation, operational efficiency, and regulatory compliance without exposing the organization to unacceptable risk.
28.2 Security Objectives
In 1992, the Organization for Economic Cooperation and Development (OECD) issued its Guidelines for the Security of Information Systems, defining the primary objective of information security as:
“The protection of the interests of those relying on information, and the information systems and communications that deliver the information, from harm resulting from failures of availability, confidentiality, and integrity.”
This objective is commonly expressed through the CIA triad:
- Availability: Information systems and data must be accessible and usable when required.
- Confidentiality: Information should be disclosed only to authorized individuals or entities.
- Integrity: Data must be protected against unauthorized modification, destruction, or corruption.
The relative importance of availability, confidentiality, and integrity varies depending on the nature of the information and the business context in which it is used. For example, availability may be critical for operational systems, while confidentiality may take precedence for personal or financial data.
28.3 Scope of Information System Security
The concept of security applies to all forms of information, regardless of how they are recorded, processed, stored, transmitted, or retrieved. Security focuses on protecting valuable information assets against loss, unauthorized disclosure, damage, or misuse.
Information assets include data stored in databases, files exchanged across networks, backups, reports, application software, and data in encoded or otherwise transformed form. For example, organizations often apply an encoding such as Base64 when exchanging data; encoding is a reversible transformation rather than encryption and provides no confidentiality, which highlights the need to secure information at every stage of its lifecycle, including while it is transformed or in transit.
These assets must be protected from threats that could render them inaccessible, inaccurate, altered, or wrongfully disclosed.
Types of Information Assets
In manual systems, physical records are the primary assets requiring protection. In computerized environments, however, information is both more valuable and more exposed, since it is concentrated, easily copied, and accessible over networks. Information assets typically include:
- Data and databases
- Application software
- System documentation
- Hardware and network infrastructure
- User credentials and access rights
28.4 Security Policy
Organizations committed to protecting their information assets must establish a formal security policy. This policy should be clearly documented and communicated to all employees, contractors, and other stakeholders. It should also align with and support existing organizational policies and strategic objectives.
At its core, a security policy must acknowledge the value of information and the organization’s dependence on reliable and secure information systems.
Contents of a Security Policy
A comprehensive security policy is a critical governance document and typically includes:
- The importance of information security to the organization
- A statement of support from the Chief Executive Officer or senior management
- Minimum standards and compliance requirements
- Asset classification guidelines
- Data and information security controls
- Personnel security measures
- Physical, logical, and environmental security requirements
- Communications and network security controls
- Legal, regulatory, and contractual obligations
- System development and maintenance lifecycle requirements
- Business continuity and disaster recovery planning
- Security awareness, training, and education programs
- Security breach detection, reporting, and response procedures
- Violation enforcement and disciplinary actions
- Defined roles, responsibilities, and accountability for information security
28.5 Security Program
A security policy is typically developed and maintained through a structured security program or security review. A security program consists of ongoing and periodic assessments designed to ensure that information system assets are adequately safeguarded.
The initial security review is often a comprehensive and resource-intensive exercise, forming the foundation for future security improvements.
Conducting a Security Program
Preparation of the Project Plan
The first step in a security program is the preparation of a detailed project plan. This plan defines the objectives, scope, and boundaries of the review to prevent unnecessary effort and ensure meaningful outcomes.
Major Components of the Project Plan
- Objectives of the review: Clearly defined goals, such as improving physical security or addressing new logical threats.
- Scope of the review: Identification of systems, locations, and assets to be covered.
- Tasks to be accomplished: Specific activities such as hardware and software inventory compilation.
- Project team organization: Formation of a multidisciplinary team based on review requirements.
- Resource budgeting: Allocation of financial, technical, and human resources.
- Schedule: Timelines for task completion and milestone achievement.
28.6 Identification and Ranking of Assets
Identifying information assets is a fundamental step in determining what must be protected. Without a clear understanding of assets, it is difficult to assess risks or design effective controls.
Ranking of Assets
Once identified, assets should be ranked based on their importance and criticality to the organization. Key considerations include:
- Who values the asset: Different stakeholders may assign different levels of importance.
- Impact of loss: Accidental damage, theft, or misuse may have varying consequences.
- Period of obsolescence: The timeframe after which the asset loses value if not used.
Threat Identification
A threat is any action or event that can lead to a loss. During this phase, organizations identify all potential threats that could expose, damage, destroy, or misuse information assets. Understanding these threats enables organizations to design proportionate and effective security controls.
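As an added illustration of the risk-acceptance idea from 28.1 and of the asset ranking and threat identification steps above, and not part of the original chapter: a small Python model that ranks a constructed sample inventory by expected loss over a review horizon, identifies the dominant threat for each asset, and flags assets whose expected loss exceeds management's acceptable level. The asset values, threat frequencies, impact fractions, horizon and threshold are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Tuple

@dataclass(frozen=True)
class Threat:
    name: str
    events_per_year: float   # estimated frequency of the loss event
    impact: float            # fraction of the asset's value lost per event (0..1)

@dataclass(frozen=True)
class Asset:
    name: str
    value: float               # business value in currency units (assumed figures)
    obsolescence_years: float  # period after which the asset no longer has value
    threats: Tuple[Threat, ...]

def threat_losses(asset: Asset, horizon_years: float) -> List[Tuple[str, float]]:
    """Expected loss per threat over the review horizon.
    Exposure stops at the period of obsolescence: a report that is worthless
    after six months cannot keep producing losses for three years."""
    exposure = min(horizon_years, asset.obsolescence_years)
    return [(t.name, asset.value * t.impact * t.events_per_year * exposure)
            for t in asset.threats]

def expected_loss(asset: Asset, horizon_years: float) -> float:
    return sum(loss for _, loss in threat_losses(asset, horizon_years))

def rank_assets(assets, horizon_years: float, acceptable_loss: float):
    """Rank assets by expected loss (highest first) and flag those whose
    expected loss exceeds the acceptable level set by management."""
    rows = []
    for a in assets:
        per_threat = threat_losses(a, horizon_years)
        total = sum(loss for _, loss in per_threat)
        dominant = max(per_threat, key=lambda x: x[1])[0]
        rows.append({"asset": a.name, "expected_loss": total,
                     "dominant_threat": dominant,
                     "within_tolerance": total <= acceptable_loss})
    rows.sort(key=lambda r: r["expected_loss"], reverse=True)
    return rows

# Constructed sample inventory; none of these figures come from the chapter.
SAMPLE_ASSETS = (
    Asset("customer database", 500_000, 10,
          (Threat("ransomware", 0.2, 0.4), Threat("insider data theft", 0.1, 0.3))),
    Asset("application software", 200_000, 5,
          (Threat("fire", 0.01, 1.0), Threat("unauthorized modification", 0.3, 0.1))),
    Asset("monthly sales report", 20_000, 0.5,
          (Threat("unauthorized disclosure", 0.5, 1.0),)),
)

if __name__ == "__main__":
    for row in rank_assets(SAMPLE_ASSETS, horizon_years=3, acceptable_loss=30_000):
        print(row)
```

With a three-year horizon and a 30,000 acceptable loss, only the customer database exceeds tolerance, and its ranking is driven by ransomware rather than insider theft.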
Through systematic asset identification, threat analysis, and ongoing security programs, organizations can establish a resilient information system security framework that supports business objectives while managing risk effectively.