1 Information as an asset
You’ll remember from Week 1 that, when thinking about computer security, it helps to think of information as an asset. Just like money in the bank, it is valuable, possibly irreplaceable, and crucially it can be lost or stolen.
When we think about our assets, traditionally we consider tangible things such as money, property, machinery and so on. Increasingly, however, information itself is recognised as an asset, crucial to adding value. In today’s digital world it is becoming apparent that information is the most important asset, for businesses and individuals alike – just think of the value of music to a media company, or of a games program to a video game company.
Considering information as an asset allows us to create strategies for protecting information and minimising the consequences of any disaster.
Case study: San Francisco Medical Center
In October 2002, the University of California, San Francisco Medical Center received an email message from someone who claimed to be a doctor working in Pakistan and who threatened to release patient records onto the internet unless the money owed to her was paid. Several confidential medical transcripts were attached to the email.
UCSF staff were mystified: they had no dealings in Pakistan and certainly did not employ the person who sent the email. The Medical Center began an immediate investigation, concentrating on its transcription service, which had been outsourced to Transcription Stat, based in nearby Sausalito. It transpired that Transcription Stat farmed out work to 15 sub-contractors scattered across America. One of these sub-contractors was Florida-based Sonya Newburn, who in turn employed further sub-contractors, including Tom Spires of Texas. No one at Transcription Stat realised that Spires also employed his own sub-contractors, including the sender of the email. The sender alleged that Spires owed her money and had not paid her for some time.
Newburn eventually agreed to pay the $500 that the email sender claimed was owed to her. In return the sender informed UCSF that she had had no intention of publicising personal information and had destroyed any records in her care. Of course, there is no way to prove that the records have actually been destroyed.
Naturally, you would not wish your own medical records to be publicised: they should be secure. This threat cost the organisation little in monetary terms, but how much in reputation? Just what is a reputation worth? Or, to put it another way, how much should you invest in information security to protect a reputation?
Information in this context is a very broad term, and it applies to large and small organisations as well as to individual users. So a doctor’s surgery’s information assets would include things such as personal medical records, telephone contact lists and its emails, as well as personal information about its employees. A manufacturing company will have electronic records of order books, correspondence with suppliers and customers, staff records, bank references and so on.
Information security risk management assesses the value of information assets belonging to an individual or an organisation and, if appropriate, protects them on an ongoing basis.
Information is stored, used and transmitted using various media; some information is tangible, paper for example, and it is relatively straightforward to put in place strategies to protect this information – such as locking filing cabinets, or restricting access to archives.
On the other hand, some information is intangible, such as the ideas in employees’ minds, and is much harder to protect. Companies might try to secure information by making sure their employees are happy, or by legal means such as having contracts that prevent people leaving and going to work for a rival.
Imperatives and incentives
Information security risk management considers the process in terms of two factors: imperatives and incentives. Imperatives are pressures that force you to act. Incentives are the rewards and opportunities that arise from acting.
The imperatives for information security arise from legislation and regulation. The Computer Misuse Act and the Data Protection Act, which we discussed last week, are examples of legislative imperatives. Regulatory imperatives include standards such as the Payment Card Industry Data Security Standard (PCI-DSS), which specifies how merchants should secure all card transactions.
The most important incentive is trust. People and organisations are more likely to work with other people and organisations who have secured their information. Establishing this trust requires that the parties involved examine each other’s information security practices to ensure that there are adequate safeguards to protect the information. One way of doing this is to show that the organisation has satisfied the requirements of standards such as PCI-DSS or the ISO27000 family of standards for designing and implementing information security management systems.
In the last few weeks, you have covered all of these aspects – you have learned about a range of threats that confront internet users, you have explored laws that have been drawn up to regulate information and you have seen how the internet is fundamentally underpinned by trust and how technologies such as encryption and signatures can help us feel secure. In the next section, you are invited to apply this to your own information assets.