The information security objectives of an organization is a must to ensure the confidentiality, integrity, and availability of the information and data stored in the information systems. The regulators also prescribe data confidentiality, integrity, and availability requirements.
The regulatory authorities recognize that the financial industry is built around trust and the sanctity of financial transactions. Owing to the critical role of organizations and institutions and the extreme sensitivity of their information resources and assets, the seriousness of IT security and the ever-increasing threats they face cannot be overstated.
The Information Security Objectives
As more and more products and services become technology-driven and rely on technology assets, organizations have to face more risks. Organizations must protect the resources and information and safeguard them to ensure the smooth functioning of the business and operational activities.
Organizations are, therefore, required to set guidelines for IT security through the understanding and addressing of the following minimum areas:
- Commitment to IT Security
- IT Security
- IT Security Risk Management
- IT Security Policy Development
- IT Security Awareness & Training
- IT Security Team
- Contingency & Disaster Recovery Planning
The objective is to increase IT security awareness of the organizations and secondly to implement guidelines to formulate an effective institution-wide technology security framework, to protect their valuable information and resources.
The guidelines provide a starting point to set practices and procedures that will eventually reduce the likelihood of an internal or external attack on IT resources and limit the damage caused by an inadvertent or malicious incident. Commitment to data and information security, and a clear commitment and direction towards IT Security, are required from the senior management and board of directors.
Each organization should ideally set up an IT supervision committee to oversee the effective use of technology and resources, support business and operational objectives, and identify significant information security risks.
The committee guides in designing and modifying the policies to cope with the IT and information risks, documenting issues and initiatives, and monitoring the team’s performance. The committee may be a mix of personnel from the senior management, including business heads and IT senior officers, and they should meet periodically and document the minutes of the meetings.
Committee members should properly draw up and periodically present the IT Security program to the Board of Directors. Organizations usually rely heavily on information systems and understand existing internal and external threats, such as unauthorized access to critical financial data, service interruptions, impersonating clients, and theft or alteration of information. When an organization performs transactions, it is prone to data loss or misuse risks. The risk and control mechanisms and policies are evolving to restrict these information security risks to an acceptable level.
The success of an IT security program depends on its effective practices and measures around risk management. With proper security risk management, an organization can identify, assess, measure, and monitor information security risks and take appropriate actions to reduce them.
For effective risk management practices, the following vital steps are to be followed in the prescribed order:
- Identification of System or Areas
As a first step, it is recommended that the organization performs a detailed exercise to identify all its information systems and assets, including technology and related assets, that are required and involved in supporting the organization’s business activities.
Then the organization should prioritize all identified information systems and resources with a business value, in terms of the information they process and the cost associated with them, for ease of making decisions and accurate and realistic assessment.
Organizations may also consider assigning ownership within their respective organizations for identified technology and related assets with clear responsibilities to protect them.
- Risk Assessment and Re-assessment
Risk assessment should be performed to help the organization determine the potential threats and vulnerabilities and their impacts and consequences on the identified data and information systems.
Information security risks need to be assessed from all aspects of IT security, including physical, administrative, environmental, and technical aspects.
It should also identify the sources of threats and potential vulnerabilities, the likelihood of an event that will exploit that vulnerability, and the resulting adverse impact of that event. Risk re-assessment should be a continuing process.
- Risk Mitigation
Risk-reducing controls should be in place to mitigate or eliminate the identified information security risks and protect the organization’s mission at the appropriate cost, with minimal possible adverse impact, on the business purpose and its objectives.
The recommended procedural and technical security controls have to be evaluated and prioritized, considering the operational impact of the risks, the feasibility of the mitigation controls, and their cost-benefit analysis.
Organizations can protect both digital and analog data with information security. Cryptography, mobile computing, social media, as well as infrastructure and networks containing private, financial, and corporate information, are all covered by InfoSec. In contrast, cybersecurity protects both raw and meaningful data, but only from internet-based threats.
Information security is implemented by organizations for a variety of reasons. The primary goals of information security are usually concerned with ensuring the confidentiality, integrity, and availability of company information. Because information security encompasses so many domains, it frequently entails the implementation of various types of security, such as application security, infrastructure security, cryptography, incident response, vulnerability management, and disaster recovery.