What is Information System Security?

Information systems security means controlling access to systems and protecting the integrity, availability and confidentiality of information. The objective of an information system security programme is to protect an organisation's information by reducing the risk of loss of confidentiality, integrity and availability of that information to an acceptable level. A good information security programme involves two major elements: risk analysis and risk management.

In the risk analysis phase, an inventory of all information systems is taken. For each system, its value to the organisation is established and the degree to which the organisation is exposed to risk is determined. Risk management, on the other hand, involves selecting the controls and security measures that reduce the organisation's exposure to risk to an acceptable level. To be effective and efficient, and to reflect common sense, risk management must be done within a security framework where information security measures are complemented by computer, administrative, personnel and physical security measures (see Table I).

Risk management becomes a senior management issue. A balance has to be reached between the value of the information to the organisation on the one hand and the cost of the personnel, administrative and technological security measures on the other hand. The security measures put in place need to be less expensive than the potential damage caused by the loss of confidentiality, integrity and availability of the information.

 

 

