Why make a distinction between IT security and the security of information? Just ask anyone whose top-notch IT security program has been tarnished by a data security breach.
Some of the most high-profile victims of data security exploits have maintained IT security programs among the most well reputed anywhere. The lesson hammered home by such incidents is simply this: Securing IT resources and access to the information they handle and communicate does not necessarily guarantee that information will be used in a secure, trustworthy manner.
|More Tech Trends on CIO Update|
Crossing the Technology Line: Strategic vs. Utility
Is Vista The Last of Windows?
The Power of Process
Software Upgrading As 'Collusion'?
The stakes have been raised considerably by sophisticated threats focused on the theft and exploit of tangible assets, as well as in the finesse with which such threats are increasingly honed.
Regulators have also shown they consider the distinction of information security to be far from trivial. The U.S. Federal Trade Commission (FTC) has imposed penalties as high as $15 million in some cases of data security breach. The enforcement of an information security program has also factored into regulatory settlements, subject in some cases to audit every other year for 20 years.
No matter how well IT may be secured, a number of questions must be answered in order to protect and defend information, such as:
Simple questions which may be extraordinarily difficult to answer. For one thing, sensitive information may appear in any number of forms that do not lend themselves to ready identification. Some information formats have structure that simplifies their recognition, such as Social Security or credit card numbers.
Databases lend structure to information that can be leveraged to classify its sensitivity. Other formats, however, do not exhibit such structure, which substantially raises the challenge, because this by far represents the lions share of sensitive information in most organizations.
What, for example, constitutes intellectual property? How can sensitive information be recognized in any format, without engaging human judgment in each case? Once recognized, how can its security be effectively enforced?
These are questions to which solutions addressing the security of information itself have arisen to answer. New technologies such as information classification and structure management, content monitoring and filtering, information leak prevention, enterprise information rights management, application and database security; and new approaches to encryption are merging with domains such as message, Web and Internet security, content and information lifecycle management, and even networks, systems and applications themselves, as businesses have become increasingly sensitive to their information risks.