IT Security Doesn't Mean Information Security
Why make a distinction between IT security and the security of information? Just ask anyone whose top-notch IT security program has been tarnished by a data security breach.
Some of the most high-profile victims of data security exploits have maintained IT security programs among the most well reputed anywhere. The lesson hammered home by such incidents is simply this: Securing IT resources and access to the information they handle and communicate does not necessarily guarantee that information will be used in a secure, trustworthy manner.
|More Tech Trends on CIO Update|
Crossing the Technology Line: Strategic vs. Utility
Is Vista The Last of Windows?
The Power of Process
Software Upgrading As 'Collusion'?
The stakes have been raised considerably by sophisticated threats focused on the theft and exploit of tangible assets, as well as in the finesse with which such threats are increasingly honed.
Regulators have also shown they consider the distinction of information security to be far from trivial. The U.S. Federal Trade Commission (FTC) has imposed penalties as high as $15 million in some cases of data security breach. The enforcement of an information security program has also factored into regulatory settlements, subject in some cases to audit every other year for 20 years.
No matter how well IT may be secured, a number of questions must be answered in order to protect and defend information, such as:
Simple questions which may be extraordinarily difficult to answer. For one thing, sensitive information may appear in any number of forms that do not lend themselves to ready identification. Some information formats have structure that simplifies their recognition, such as Social Security or credit card numbers.
Databases lend structure to information that can be leveraged to classify its sensitivity. Other formats, however, do not exhibit such structure, which substantially raises the challenge, because this by far represents the lions share of sensitive information in most organizations.
What, for example, constitutes intellectual property? How can sensitive information be recognized in any format, without engaging human judgment in each case? Once recognized, how can its security be effectively enforced?
These are questions to which solutions addressing the security of information itself have arisen to answer. New technologies such as information classification and structure management, content monitoring and filtering, information leak prevention, enterprise information rights management, application and database security; and new approaches to encryption are merging with domains such as message, Web and Internet security, content and information lifecycle management, and even networks, systems and applications themselves, as businesses have become increasingly sensitive to their information risks.
Information security must be built on three key domains:
The integration of these domains represents maturity, not only in the enterprise approach to information security, but in the way the enterprise itself is managed. The more mature organization will be able to take advantage of extending solutions in each domain across its comprehensive information security challenges but only if its approach to each domain exhibits the discipline necessary to make such integration possible.
What is happening today, however, is that the events of recent months have brought the two domains even closer, with technologies emerging in IT in concert with people, process, and enterprise management as a whole that offer new solutions for enhancing the security of information itself.
Scott Crawford is a senior analyst with Enterprise Management Associates in Boulder, Colo., an industry analyst firm focused on all aspects of enterprise management systems and services. Scott is the former information security chief for the International Data Centre of the Comprehensive Nuclear-Test-Ban Treaty Organization in Vienna, Austria, and has also been a systems professional with the University Corporation for Atmospheric Research as well as Emerson, HP, and other organizations in both public and private sectors. He can be reached at firstname.lastname@example.org.