Information
Security relates to the protection of valuable assets; in our case the asset is information that is recorded, processed, stored and transmitted. The information must be protected from harm caused by threats that lead to loss, non-availability, alteration or wrongful disclosure. Threats include errors and omissions, fraud, accidents and intentional changes.
The objective of information security is to protect the interests of those relying on information and systems from the harm resulting from a failure of availability, confidentiality or integrity. The security objective can be considered achieved when information is disclosed only to those who have the right to know (confidentiality), information is protected against unauthorised changes (integrity), information systems are available and usable (availability), and transactions cannot be disputed (non-repudiation and authenticity).
There are laws and policies that companies and local authorities need to comply with, such as the latest version of the Data Protection Act and PCI DSS. These policies are becoming increasingly strict and more difficult to comply with. This is not to cause frustration, but it is needed where thousands of people's personal information is at risk.
In 2010, 90% of data breaches involved the actual theft of sensitive data, representing criminals’ effectiveness in extracting data once system access is obtained. Cybercriminals simply selected a target, accessed data from that target and harvested sensitive data with little to no resistance.
- The MoD lost 340 laptops in the last two years, costing the taxpayer £620,000.
- The Department for Transport lost 38 laptops, 39 PDAs, 21 mobile phones and 2 memory sticks containing sensitive information, costing the taxpayer £38,318.
- The Department for Transport lost 71 laptops and 75 mobile phones, costing the taxpayer £46,350.
Risks to information include:
- Physical damage (fire, water and natural disasters)
- Human error (accidental / intentional)
- Equipment malfunctions (failure of systems and peripheral devices)
- Inside and outside attacks (hacking, cracking and other attacks)
- Misuse of data (sharing trade secrets, espionage, fraud and theft)
- Application error (computational errors, input errors, buffer overflows)
Links:
http://nlawarp.gov.uk/
http://www.g3ctoolkit.net/
http://www.idea.gov.uk/idk/core/page.do?pageId=9040133
