Any information developed by an organization is of great importance. For this reason, organizations need to protect such information from a wide range of threats, including hacking, virus infection and misuse. Information security ensures that there is continuity of the business. It also ensures that the business is not damaged by security incidents. Lack of controls has often led to fraud and IT abuse. Information security does not mean that the information is not shared; it means that the information is protected from fraud, abuse and other possible damage by those who can access it. (Bradley 2009)
Some of the possible damages to information include loss of data and software. This may be caused by computer viruses, computer hacking, and denial of service attacks. As time goes on and as technology advances, these sources of damage get more complicated, more ambitious and more common. This is instigated by the presence of the internet. Crime may account for this damage, but not to a full extent; in fact, much of this damage is caused by inadvertent misuse and human error. (Bradley 2009)
Threats like fire, system crashes and power cuts also play their role. The staff in an organization may cause security incidents if they are not well supervised. To prevent this from happening, companies will put measures in place. Some will lock everything with passwords to such an extent that it is difficult to access the information even for legitimate use. This is also insecurity. Others will permit access by all, exposing the information to a high degree of risk. The greatest question here is: how do we balance these things? If we must protect our information, we must set controls in the form of practices, policies, procedures, organizational structures and software functions. What will determine these standards and controls? (King 2009)
The controls we use will cost the organization a lot of resources and money. Alongside the security of information are many other concerns. Things like the security of the workers, meeting the company's objectives, expansion of the business and many others need money. What will happen if we put all our resources behind security? What will happen if the kind of controls we are using do not work? The amount of money we spend needs to be balanced against the business harm likely to result from security failures. The company should assess the risks involved. After the assessment, one can determine the actions to be taken and the priorities to be considered. (King 2009)
This is one of the factors which should be considered when deciding on the type and nature of security implemented. The issue is the cost of implementation in relation to its viability. Security protects from loss of income, but it does not generate any income itself. This calls for care in determining the product used for security. You must assess the security risk. For example, if we protect some information against viruses and a virus still infects the information, we will still spend money and man-hours checking the situation, and one may think that it would have been better if we had not spent money purchasing the security. One should be able to consider and balance these risks. “Outsourcing is an alternative to consider before purchasing an actual product to install” (Bradley 2009).
Outsourcing will be appropriate for organizations that have the full-time staff and dedicated equipment to ensure that the network remains secure. Under this factor, one should also know the kind of company one is working with. You may purchase the most expensive and secure product, which works appropriately, only to be surprised later when the company is bought by another company which does not care. (Bradley 2009)
For example, Microsoft purchased an antivirus from Gecad, makers of RAV antivirus. The product sold very well and it was bought by many other companies. When Microsoft announced that it was discontinuing the use of the product, the company left those organizations without a solution. For such reasons, one needs to ensure that the company one is dealing with is stable. (Miller 2005)
The kind of information
There are different types of information. The kind of security taken is determined by the nature of the information. Some information is confidential; other information is for the general public. For example, in a hospital, there is a lot of information about patients.
The kind of sickness a patient is suffering from is confidential. Even according to the ethics of doctors, the doctor is not supposed to disclose the information given by the patient without due permission from that patient. In this case, there is no problem if the doctor decides to keep the information to himself. He will not put the information on the web, he will not move around telling everybody what the patient is suffering from, and he will keep the notes; if the information gets out, it should be by accident or with permission from the patient. In this case the use of a thousand passwords is appropriate. Information that is not personal can be left loose. (King 2009)
Size of information
The size of information is important in deciding where you keep or store the information. Information can be stored in files, computers, or other electronic gadgets. If the information is small, it can be stored in files; if it is voluminous, it can be stored in electronic gadgets. All this will be determined by other factors: for how long is the information going to be in use? Who is going to use the information? And what are the risks involved in such a way of storage?
Users who are not computer literate need not get information from the computer. Information which will be used for a long time should be stored in a variety of storage devices, even though this increases the risk of fraud and misuse of the documents. The stakeholders in this case should balance the two risks: the possibility of losing the document if it is stored in one place, and the possibility of exposing the information to many people, leading to fraud and misuse. (Miller 2005)
Objectives of the organization
Some organizations are meant to interact with people from all parts of the world; such organizations are expected to release their information without a lot of control. If they decide to lock the information with a lot of passwords, or if they decide to keep the information on their premises, they will not meet their objective. They would rather put the information on a website. The fact that the information is suitable for anybody does not mean that it cannot be tampered with. It can be changed if there are no good controls, and if the website is not protected, it can be affected by viruses. The risks are as many as the number of people going to access it, but the risks have to be taken if the objectives are to be met. (Miller 2005)
The type of product integrated for security should be compatible with the existing infrastructure. It would be a waste of time and resources to purchase a new security technology that is incompatible with what you have in place. You will be inviting greater losses by attempting such a thing. This can be avoided if you take time to study the products you have before bringing in additional products. The factors to consider may differ from one organization to another. The activities of the organization will dictate the type of security to be applied. The underlying factor is security purchase and support from vendors. (Bradley 2009)
One last thing to note is that all stakeholders should be involved in determining the information security of an organization. If all these factors are considered, one may prevent fraud and misuse of information to a large extent. In general, there is an increasing need to protect information, especially personal information. A school needs to protect information from alteration by students, for some will change fee structures and exam results if they can access such information. The management should be willing to spend as much money as is needed to prevent this. (King 2009)
Banks should keep information about their customers in a secure place, and this needs money. Lawyers should guard their clients’ information, and hospitals should maintain the confidentiality of their patients. All this is determined by how many resources are available, how many people should access the information, and for how long the information is in use. We cannot say that the world has a solution for safeguarding information; there are still miles to go as far as this is concerned. All of us dream of a time when we shall be able to spend less on keeping personal information secure and still achieve our objective of securing the information. (Miller 2005)
List of references
Bradley, T. (2009) “Consider every security angle”. Cover focuses articles. Vol. 27, no. 7. Web.
King, L. (2009) Protecting security tops companies priorities. Web.
Miller, M. (2005) Computer Security: Fact forum framework. Web.