Why Information Security is a Business Issue
AUDIT IMPOSES A COST TO THE BUSINESS; HOWEVER, NON-COMPLIANCE CAN SERIOUSLY DAMAGE THE BUSINESS.
· IT supports business processes
All organisations depend on a wide variety of IT systems to enable and support their business processes. This includes hardware and software, and ranges from email and instant messenger for communication, to document management systems for collaboration, to Enterprise Resource Planning systems for performing integrated business processes.
· Involving business users in the design of authorisations and permissions
and permissions are the gateway to data and functionality in IT systems. Treating security as something that is only carried out by the IT techies is counter-productive. A large number of non-conformance issues are due to a misunderstanding of segregation of duties in financial systems, and can lead to horrendous problems.
· Ensuring appropriate control of
ownership of security is vital to ensure that there is adequate control placed over who can do what in business critical systems. Can HR prove that abuse of the internet is down to an individual if you have not provided a security policy or adequate access
· Clear communication and a culture of security awareness
IT systems are the lynchpin that supports business critical functions and treating IT security as something that is 'done' by the IT department therefore misses the point. Good communication is crucial.
· Maintaining security standards
Ensuring that a culture of security awareness pervades the organisation will also enable the business to keep its finger on the IT security pulse in the long term. Regular review of system access and IT security requirements must therefore be built into the ongoing
· IT security is good business practice
There is no excuse for security not to be well understood, but both the business and technical departments must take responsibility for collaborating to address this issue. As IT budgets remain under threat, there are some technology projects that cannot be ignored, and making IT security a priority on a day-to-day basis should simply be regarded as good business practice.