Dominic Barone, CPA, CITP, CISA, CGEIT, CRISC
Information technology security (IT security), in its most basic sense, refers to the protection of information systems from unauthorized access. The goal and purpose of IT security is to protect the confidentiality, integrity and availability of personal and/or company information and data. Confidentiality refers to ensuring that information is only accessible to those who are authorized to access the data. Integrity refers to safeguarding the completeness and accuracy of information. Availability refers to ensuring that authorized users have access to the information they need when required. As technologies and businesses evolve, security is becoming more difficult and increasingly complicated to implement. Additionally, since information and applications can reside in many areas across an organization, the responsibility for information security is blurred.
Though securing an environment may seem daunting, the best defense against intrusion or unauthorized access is setting up multiple layers of security.
Types of Security
Security can be classified into various categories. Below are the key areas:
Physical Security- Includes monitors and controls such as doors, locks, heating and air conditioning, smoke detection and fire suppression systems, cameras and security staff to limit physical access and protect data.
Access Security– Ensures only authorized users have access to the system and only have access to appropriate data required to do their job.
Remote Access Security– Refers to securing remote access via wireless networks, internet access, etc., when users access the system remotely.
- Data Backup Security– Ensures data is secured against computer malfunctions so that data is available even if the existing computer systems are damaged.
Who is Responsible?
Certainly the IT Department plays a large role in securing information, but system “owners” must also be involved. System owners are responsible for administering user access to their own systems. Additionally, system owners are more aware of the business practices and the information stored in the systems, and IT may have no knowledge of or control of certain systems. Examples of things IT cannot control include storing information such as credit card numbers, social security numbers and other private information in memo fields or as descriptions for account numbers that could be accessed.
Security Compliance Standards
Depending on how information is processed and stored, security standards may need to be developed, documented and implemented. Some of the more common industry standards that may be required are:
Payment Card Industry (PCI) Standards – These standards relate to organizations (of any size) accepting credit cards. (see recent PCI article)
“Red Flag Rules” – Requires financial institutions and creditors to maintain a written identity theft program. Water departments can potentially be considered a creditor for “Red Flag Rules” purposes. (see Red Flag Rule article)
Health Information Portability and Accountability Act (HIPAA) – Concerned with patients’ medical records.
- Health Information Technology for Economic and Clinical Health (HITECH- HIPAA) Act – Related to the electronic transmission of health information; augments HIPAA. (see HITECH HIPAA article)
Defense in Depth: Putting it all Together
The best defense for an organization is layered levels of protection that include all relevant information. Data must be secured in all areas of the organization from the time of creation or receipt to the time of destruction. If an organization is secure in all areas, a small breach in one security measure will be limited to only that area as the other defensive measures will continue to provide protection.
At the core, data should be protected. At a second level, people and employees should contribute to security (locking devices; separation of duties; authentication). Thirdly, networks should be secured (applications/wireless), and lastly the physical building should contribute to security (locks/keys/cameras). All organizations are vulnerable to security breaches and attacks, but the implementation of layers of security throughout the organization can significantly reduce and mitigate the risk.