Information security is a term that refers to the policies, common practices, and means used to maintain the confidentiality, the integrity, and the availability of data. It involves protecting yourself, your family, your employer and your customers. From stopping the destruction of vital files to countering the misuse of personal data, information security has become one of the fastest growing and most critical areas in the IT field. Every day there are reports of identity theft, corporate systems being hacked, and government websites under siege. To combat these threats, comprehensive steps must be taken to provide for the security of information; this can be accomplished through an effective four-tiered program encompassing physical security, personnel security, software security, and cryptographic security.
Physical security is simply taking the appropriate steps with a computer that you would normally take with any other valuable. Would you leave your wallet lying out on your desk when you leave the room to get a drink from the water fountain, or would you donate an old pair of pants to the Goodwill store and leave your social security card in the back pocket? Of course not, but every day computers are left logged on for anyone to use, laptops are left unattended, and old computers are thrown out or recycled with personal data still on intact, usable hard drives. In this new Information Age, we must remember the sensitivity of the data that our computers handle every day, and we have to get into the habit of locking the door, putting it away, and keeping unauthorized people from getting access to it. Not all breaches of physical security are intentional; sometimes, employees can get busy and forget to lock the door or log out of the server when they’re done. When something does happen – a laptop is stolen or an unauthorized person is found trespassing in the data center – it is extremely important that it is reported so that the data can be checked to help maintain its confidentiality, integrity and availability. Don’t be embarrassed by accidents; make it right by reporting them. By being vigilant and following set procedures, physical security programs form the first tier of a complete information security program.
Personnel security measures are those policies and procedures taken to ensure that the people who are put in places of trust are worthy of that responsibility. Many corporations and government organizations go to great lengths and spend millions of dollars every year to make sure that the people they hire are honest and responsible, because they have “customers” depending on them to do just that. Background checks and investigations have almost become commonplace in the job search process. Compromised passwords, ghost accounts, and the breaching of account restrictions are all serious offenses that can be caused by an insider, someone who has trusted access to the system and who intentionally weakens its security. While intentional misuse of responsibilities may account for a breach in security, untrained employees, those who simply don’t know any better, can also account for breaches. The Federal Trade Commission (FTC) has created a website that helps businesses protect their customers’ information by providing training for their employees. For more information on protecting personal information, check out http://www.ftc.gov/infosecurity/. Access to data in an organization must be regulated through a “need to know” policy and secured by trustworthy people. Businesses know that their people must be worthy of the responsibilities given them, and they look for, and pay well, those whom they can trust.
Software security involves the programs that are running on the computers and the protection of the information handled by those programs. Firewalls, antivirus software, and monitoring programs all work at this level of security. Heuristic monitoring and memory resident tools are a part of most antivirus software programs today. While signature scanners look through the files located on your computer for matches against “definitions” that have been updated, memory resident and heuristic monitoring tools watch for malicious logic events associated with viruses, worms (self-replicating programs that use networks to send themselves to other computers) or “backdoors”, such as file downloading, Internet-initiated programs, the copying and unzipping of files, and remote access. When suspicious operations are detected, they are halted and reports are sent to the user indicating such activity. While often considered troublesome and the butt of comical Mac commercials on television, Microsoft’s Vista and Internet Explorer 7 security features are having a positive impact in the fight against fraud and identity theft. For more information, check out the video tutorial by Microsoft at http://www.microsoft.com/protect/videos/yourself.mspx. By providing users with allied applications that help protect the data on a computer, manufacturers are taking some of the burden for information security off the individual. Still, it is the responsibility of the user to implement these tools.
Cryptographic security is about making your information unreadable by others. Windows XP Professional and the NTFS file system allow you to protect your files by using the Encrypting File System (EFS). When you encrypt a file, you change it to a format that can’t be read without the key; anyone who attempts to read the file without your logon or authentication will find the information unintelligible. As company intranets (privately maintained networks that are restricted to authorized users only, such as company employees) have grown in number, access to data from remote computers has become a business necessity and a curse at the same time. With encryption of these files, the management and security of these virtual files across an intranet can be more easily handled.
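As an added example (not part of the original essay), the PowerShell function below applies EFS to a file and then verifies that the protection actually took hold: it checks that the volume is NTFS, sets the Encrypted attribute through the .NET wrapper for the Win32 EncryptFile call, and uses `cipher.exe /c` to list which accounts (and recovery agents) can decrypt the file. The function name and the sample file path are assumptions for the example.

```powershell
# Added example: protect a file with EFS and verify the result.
# Assumes an NTFS volume and a Windows account that is allowed to use EFS.
function Protect-FileWithEfs {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }

    # EFS is a feature of NTFS, so a FAT/exFAT drive (e.g. a USB stick) cannot hold EFS files.
    $drive  = (Get-Item -LiteralPath $Path).PSDrive
    $format = (New-Object System.IO.DriveInfo($drive.Root)).DriveFormat
    if ($format -ne 'NTFS') { throw "EFS requires NTFS; $($drive.Root) is $format" }

    # .NET wraps the Win32 EncryptFile API that EFS uses under the hood.
    [System.IO.File]::Encrypt($Path)

    # Verify: the Encrypted attribute must now be set on the file.
    $attrs       = (Get-Item -LiteralPath $Path).Attributes
    $isEncrypted = ($attrs -band [System.IO.FileAttributes]::Encrypted) -ne 0

    # cipher /c shows the user certificates and recovery agents that can decrypt the file.
    $cipherInfo = & cipher.exe /c $Path

    [pscustomobject]@{
        Path       = $Path
        Encrypted  = $isEncrypted
        CipherInfo = $cipherInfo
    }
}

# Usage on a constructed sample file (placeholder path under %TEMP%).
$sample = Join-Path $env:TEMP 'efs-demo.txt'
Set-Content -LiteralPath $sample -Value 'constructed sample data'
Protect-FileWithEfs -Path $sample
```

Because the file is only readable with the user's EFS certificate, back that certificate up (`cipher /x`) before a password reset, reinstall or profile migration, or the data becomes unrecoverable.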
References:
“Help keep your data safe.” Microsoft Help and Support. Microsoft Corporation. 7 Apr 2008. 20 Dec 2005.
Meyers, Mike. All in One CompTIA A+ Certification Exam Guide. 6th ed. New York: McGraw-Hill, 2007.
“Protecting Personal Information: A Guide for Business.” Federal Trade Commission. Federal Trade Commission. 7 Apr 2008.
“Protecting Yourself.” Microsoft Video Tutorials. Microsoft Corporation. 7 Apr 2008.
White, Ron. How Computers Work. 6th ed. Indianapolis, IN: Que Corporation, 2002.