2 Background to network security
2.2 The importance of effective network security strategies
In more recent years, security needs have intensified. Data communications and e-commerce are reshaping business practices and introducing new threats to corporate activity. National defence is also vulnerable as national infrastructure systems, for example transport and energy distribution, could be the target of terrorists or, in times of war, enemy nation states.
On a less dramatic note, reasons why organisations need to devise effective network security strategies include the following:
- Security breaches can be very expensive in terms of business disruption and the financial losses that may result.
- Increasing volumes of sensitive information are transferred across the internet or intranets connected to it.
- Networks that make use of internet links are becoming more popular because they are cheaper than dedicated leased lines. This, however, involves different users sharing internet links to transport their data.
- Directors of business organisations are increasingly required to provide effective information security.
For an organisation to achieve the level of security that is appropriate and at a cost that is acceptable, it must carry out a detailed risk assessment to determine the nature and extent of existing and potential threats. Countermeasures to the perceived threats must balance the degree of security to be achieved with their acceptability to system users and the value of the data systems to be protected.
Think of an organisation you know and the sort of information it may hold for business purposes. What are the particular responsibilities involved in keeping that information confidential?
Any sizeable organisation has information that needs to be kept secure, even if it is limited to details of the employees and the payroll. I first thought of the National Health Service and the particular responsibility to ensure patients’ medical records are kept secure. Academic institutions such as The Open University too must ensure that student-related information such as personal details and academic progress is kept confidential and cannot be altered by unauthorised people.
Box 1: Standards and legislation
There are many standards relating to how security systems should be implemented, particularly in data communication networks, but it is impractical to identify them all here. A visit to the British Standards Institution website (www.bsonline.bsi-global.com) is a suitable point of reference.
ISO/IEC 17799 (2000) Information Technology – Code of Practice for Information Security Management sets out the management responsibility for developing an appropriate security policy and the regular auditing of systems. BS 7799–2 (2002) Information Security Management Systems – Specification with Guidance for Use gives a standard specification for building, operating, maintaining and improving an information security management system, and offers certification of organisations that conform. Directors of UK businesses should report their security strategy in annual reports to shareholders and the stock market; lack of a strategy or one that is ineffective is likely to reduce the business share value.
Organisations in the UK must conform to the Data Protection Act of 1998. This requires that information about people, whether it is stored in computer memory or in paper systems, is accurate and protected from misuse and also open to legitimate inspection.