IT Security Doesn't Mean Information Security

By Scott Crawford


For many years, the term “information security” has been used to refer to solutions that protect and defend the network and IT systems. This is far too often misleading, because what is actually meant in such cases is IT security.

Why make a distinction between IT security and the security of information? Just ask anyone whose top-notch IT security program has been tarnished by a data security breach.

Some of the most high-profile victims of data security exploits have maintained IT security programs among the most well reputed anywhere. The lesson hammered home by such incidents is simply this: Securing IT resources and access to the information they handle and communicate does not necessarily guarantee that information will be used in a secure, trustworthy manner.


The stakes have been raised considerably by sophisticated threats focused on the theft and exploitation of tangible assets, and by the growing finesse with which such threats are honed.

Regulators have also shown that they consider the distinction between IT security and information security far from trivial. The U.S. Federal Trade Commission (FTC) has imposed penalties as high as $15 million in some cases of data security breach. Maintaining an information security program has also been a condition of regulatory settlements, subject in some cases to audit every other year for 20 years.

No matter how well IT may be secured, a number of questions must be answered in order to protect and defend information, such as:

  • How is sensitive information recognized?
  • Who has access to this information, authorized or not?
  • How is sensitive information to be used or, more specifically, not to be used?
  • What is the response when information security risks and threats are manifested?
  • Can information security be enforced with credible resistance to subversion; and
  • Can these issues be monitored, with controls demonstrated effectively?

These are simple questions that may be extraordinarily difficult to answer. For one thing, sensitive information may appear in any number of forms that do not lend themselves to ready identification. Some information formats have structure that simplifies their recognition, such as Social Security or credit card numbers.

Databases likewise lend structure to information, and that structure can be leveraged to classify its sensitivity. Other formats, however, exhibit no such structure, which substantially raises the challenge, because unstructured content represents by far the lion's share of sensitive information in most organizations.

What, for example, constitutes intellectual property? How can sensitive information be recognized in any format, without engaging human judgment in each case? Once recognized, how can its security be effectively enforced?

Solutions addressing the security of information itself have arisen to answer these questions. New technologies such as information classification and structure management, content monitoring and filtering, information leak prevention, enterprise information rights management, application and database security, and new approaches to encryption are merging with domains such as message, Web and Internet security, content and information lifecycle management, and even networks, systems and applications themselves, as businesses have become increasingly sensitive to their information risks.
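The contrast drawn above, between identifiers with recognizable structure and unstructured content that has none, is what a content monitoring or leak prevention product actually has to operationalize. The following Python block is an added example, not code from the article or from any product it names. It recognizes Social Security and card numbers by pattern, uses the Luhn checksum to discard digit strings that merely look like card numbers, and masks what it finds; the same scan passes the pricing note through untouched, which is exactly the gap the article describes. The sample text, the regular expressions and the masking format are all constructed for this example.

```python
import re

# Constructed sample text for this example (not from the article). It mixes a
# valid test card number, a digit string that merely looks like one, an SSN,
# a phone number, and an unstructured business secret no pattern will catch.
SAMPLE_TEXT = """Customer 4111 1111 1111 1111 renewed; contact at 555-123-4567.
Order ref 4111 1111 1111 1112 is a typo.
SSN on file: 078-05-1120.
Q3 pricing model: undercut the competitor by 12% in EMEA after launch."""

# US SSN: AAA-GG-SSSS, with area/group/serial values that are never issued
# excluded up front so obvious non-SSNs are not reported at all.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# 13 to 19 digits, optionally separated by single spaces or hyphens, ending
# on a digit so the match never swallows a trailing separator.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers. Rejects digit strings
    that match the card pattern but are not plausible card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> list:
    """Return (kind, normalized value) pairs for each structured identifier."""
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", m.group()))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):              # pattern alone is not enough
            findings.append(("card", digits))
    return findings


def redact(text: str) -> str:
    """Enforcement step: mask recognized identifiers, keeping the last four
    digits so a reviewer can still correlate the record. Unstructured content
    passes through untouched, because nothing here can recognize it."""
    def mask_card(m):
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_valid(digits):
            return m.group()                # digit run, not a card: leave as is
        return "[CARD ****" + digits[-4:] + "]"

    text = SSN_RE.sub(lambda m: "[SSN ***-**-" + m.group()[-4:] + "]", text)
    return CARD_RE.sub(mask_card, text)


if __name__ == "__main__":
    for kind, value in find_sensitive(SAMPLE_TEXT):
        print(kind, value)
    print(redact(SAMPLE_TEXT))
```

Run as a script, it reports one SSN and one card number, leaves the near-miss "4111 1111 1111 1112" and the phone number alone, and masks only the two true identifiers. The pricing line survives every pass unchanged: that is the unstructured information the article says requires classification, rights management and human judgment rather than pattern matching.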

As these examples suggest, this is not to say that IT security has little or no relevance to information security. Far from it. Without protecting and defending the resources that house, handle and manage information, an information security strategy has no foundation. Nor can it hope to be effective without taking into consideration what is arguably the most significant factor of all: what people do with information and IT resources.

Information security must be built on three key domains:

  • A solid foundation of management that assures business priorities as well as IT security.
  • People and process involved in securing information access and use, including the resolution of information security issues and events; and
  • The security of information itself.

The integration of these domains represents maturity, not only in the enterprise approach to information security, but in the way the enterprise itself is managed. The more mature organization will be able to take advantage of extending solutions in each domain across its comprehensive information security challenges, but only if its approach to each domain exhibits the discipline necessary to make such integration possible.

What is happening today, however, is that the events of recent months have brought IT security and information security even closer together, with technologies emerging in IT, in concert with people, process, and enterprise management as a whole, that offer new solutions for enhancing the security of information itself.

Scott Crawford is a senior analyst with Enterprise Management Associates in Boulder, Colo., an industry analyst firm focused on all aspects of enterprise management systems and services. Scott is the former information security chief for the International Data Centre of the Comprehensive Nuclear-Test-Ban Treaty Organization in Vienna, Austria, and has also been a systems professional with the University Corporation for Atmospheric Research as well as Emerson, HP, and other organizations in both public and private sectors. He can be reached at scrawford@enterprisemanagement.com.