## The Open University: "An Introduction to Information Security"

Read these sections, which introduce information security.

# Why is information security important?

This course introduces you to information security and its management.

A succinct definition of information security might run as follows:

Information security is the collection of technologies, standards, policies and management practices that are applied to information to keep it secure.

But why is it important to secure information? And how should its security be managed? To start thinking about these questions, consider the following statements about information:

In today's high technology environment, organisations are becoming more and more dependent on their information systems. The public is increasingly concerned about the proper use of information, particularly personal data. The threats to information systems from criminals and terrorists are increasing. Many organisations will identify information as an area of their operation that needs to be protected as part of their system of internal control.

(Nigel Turnbull, 2003, p. xi)

(Robert M Grant, 2000, p. 186)

Information is the oxygen of the modern age. It seeps through the walls topped by barbed wire, it wafts across the electrified borders.

(Ronald Reagan, 1989)

It is vital to be worried about information security because much of the value of a business is concentrated in the value of its information. Information is, as Grant says, the basis of competitive advantage. And in the not-for-profit sector, with increased public awareness of identity theft and the power of information, it is also, as Turnbull claims, the area of an organisation's operations that most needs control. Without information, neither businesses nor the not-for-profit sector could function. Valuing and protecting information are crucial tasks for the modern organisation.

If information were easy to value and protect, however, you would be able to buy off-the-shelf information security management solutions. There are three characteristics of information security that make this impossible.

1. The collection of influences to which each organisation is exposed varies with the organisation: the information technology that it uses, its personnel, the area in which it does business, its physical location – all these have an effect on information security.

2. Information security affects every structural and behavioural aspect of an organisation: a gap in a security fence can permit information to be stolen; a virally infected computer connected to an organisation's network can destroy information; a cup of coffee spilt on a computer keyboard can prevent access to information.

3. Each individual that interacts with an organisation in any way – from the potential customer browsing the website, to the managing director; from the malicious hacker, to the information security manager – will make his or her own positive or negative contribution to the information security of the organisation.

Thus information security and its management need to be examined within an organisational context. To this end, a major aim of this course is to give you the opportunity to:

• investigate your organisation and determine the precise mix of information security issues that affect it;

• explain the links between areas of an organisation and navigate your organisation's information security web;

• identify the security contributions of each individual, and so suggest strategies to make the sum of the positive contributions greater than the sum of the negative ones.

Before you can investigate information security and its management within your organisation, we need to introduce you in more detail to the complexities of the topic. This is the purpose of this course. Section 2 discusses the meaning of the terms information, information security and information security management. Section 3 looks at information security and its imperatives and incentives. Section 4 discusses information assets. Section 5 examines the planning of an information security management system. Section 6 addresses how risks to information security can be assessed and how information assets can be identified. Section 7 describes how a system for information security management can be implemented and continually improved.

# What is information?

Information comprises the meanings and interpretations that people place upon facts, or data. The value of information springs from the ways it is interpreted and applied to make products, to provide services, and so on.

Many modern writers look at organisations in terms of the use they make of information. For instance, one particularly successful model of business is based on the assets that a firm owns. Assets have traditionally meant tangible things like money, property, plant, systems; but business analysts have increasingly recognised that information is itself an asset, crucial to adding value. As Grant said in Section 1, information underpins competitive advantage. Indeed, there are writers, such as Itami and Roehl (1987), who believe that the true value of an organisation is in the information it uses and creates.

But, of course, there is a negative side too: the use of information in both the for-profit and not-for-profit sectors is increasingly the subject of legislation and regulation, in recognition of the damage its misuse can do to individuals.

# What is information security?

Seen in the way we have just defined it, information is a valuable asset. Information security protects information (and the facilities and systems that store, use and transmit it) from a wide range of threats, in order to preserve its value to an organisation.

This definition of information security is adapted from that of the American National Security Telecommunications and Information Systems Security Committee (NSTISSC).

There are two important characteristics of information that determine its value to an organisation:

• the scarcity of the information outside the organisation;

• the shareability of the information within the organisation, or some part of it.

Simplifying somewhat, these characteristics state that information is only valuable if it provides advantage or utility to those who have it, compared with those who don't.

Thus the value of any piece of information relates to its levels of shareability and scarcity. The aim of information security is to preserve the value of information by ensuring that these levels are correctly identified and preserved.

Threats to information influence the organisation's ability to share it within, or to preserve its scarcity outside. And threats that are carried out can cost millions in compensation and reputation, and may even jeopardise an institution's ability to survive. Here are some examples in which the making available of information that should have been kept scarce or the restricting of information that should have been shareable has damaged an organisation.

## Example 1: Softbank – theft of consumer data for extortion

Softbank of Japan offers broadband internet services across Japan through two subsidiaries – Yahoo! BB and Softbank BB. In February 2004, the bank announced that the security of 4.5 million customer records had been compromised: data from both subsidiaries had been illegally copied and disseminated. The leaked details included customer names, home phone numbers, addresses and email IDs, but did not include passwords, access logs or credit card details.

Softbank became aware of the problem only when they were approached by two groups of extortionists. The criminals produced apparently genuine customer data and threatened that all of the data would be posted to the internet if they were not paid a large sum of money.

Japanese police made three arrests but suspected that there may have been connections to organised crime and the political far-right. Amazingly, the police concluded that there had in fact been two simultaneous, yet independent, extortion attempts against Softbank, both of them masterminded by employees of the company. All of the people accused of extortion had been authorised to access the customer data; but it appeared that Softbank had inadequate procedures to protect against its unwarranted copying and dissemination.

The bank immediately announced a tightening of security, further restricting access to their systems and enforcing tighter security on all of their subsidiaries. Profuse apologies were offered to the affected customers and ¥4 billion (£20 million) were paid in compensation. Furthermore, Softbank BB's president, Masayoshi Son, announced that he and other senior executives would take a 50 per cent pay cut for the next six months.

In this example, the threat was to reduce the value of an organisation by revealing information that should have been a well-kept secret – scarce-within as well as scarce-without. It cost the company £20 million in compensation and affected its reputation.

## Example 2: UCSF Medical Center

In October 2002, the University of California, San Francisco (UCSF) Medical Center received an email message from someone who claimed to be a doctor working in Pakistan and who threatened to release patient records onto the internet unless money owing to her was paid. Several confidential medical transcripts were attached to the email.

UCSF staff were mystified; they had no dealings in Pakistan and certainly did not employ the person who sent the email. The Medical Center began an immediate investigation, concentrating on their transcription service, which had been outsourced to Transcription Stat, based in nearby Sausalito. It transpired that Transcription Stat farmed out work to some fifteen subcontractors scattered across America. One of these subcontractors was Florida-based Sonya Newburn, who in turn employed further subcontractors, including one Tom Spires of Texas. No one at Transcription Stat realised that Spires also employed his own subcontractors, including the sender of the email. The sender alleged that Spires owed her money, and had not paid her for some time.

Newburn eventually agreed to pay the $500 that the email sender claimed was owed to her. In return the sender informed UCSF that she had had no intention of publicising personal information and had destroyed any records in her care. Of course, there is no way to prove that the records have actually been destroyed. Naturally, you would not wish your own medical records to be publicised: they should be scarce. This threat cost the organisation little in money terms, but how much in reputation? Just what is a reputation worth? Or, to put it another way, how much is it worth paying in information security to protect a reputation?

## Example 3: Logic bombs

In May 2000, Timothy Lloyd was found guilty of causing between $10 million and $12 million worth of damage to Omega Engineering, an American company specialising in precision engineering for clients, including the US Navy and NASA. Lloyd had been employed with Omega for 11 years, rising to the post of system administrator, and was responsible not only for the day-to-day operation of the company's computers but also for their disaster-recovery process.

In 1996, Lloyd became aware that he was about to be sacked and wrote a logic bomb – a six-line destructive program – which he installed on Omega's servers. Ten days later, Lloyd was dismissed and his logic bomb exploded, destroying company contracts and proprietary software used by Omega's manufacturing tools. Although Omega had instituted a backup procedure, Lloyd's account privileges had allowed him to disable these recovery systems. The damage done by his logic bomb was permanent.

When the logic bomb ‘exploded’ it wiped out information that was needed for the company to operate. As a result of lost business, Omega was forced to lay off some 80 employees and found itself rewriting the very software which had once given it a competitive edge over its rivals. In effect, what Lloyd managed to do, in the most decisive way possible, was to prevent vital information being shared.

# What is information security management?

Information security management is the process by which the value of each of an organisation's information assets is assessed and, if appropriate, protected on an ongoing basis. The information an organisation holds will be stored, used and transmitted using various media, some of which will be tangible – paper, for example – and some intangible – such as the ideas in employees' minds. Preserving the value of information is mainly a question of protecting the media in which it is contained.

Building an information security management system (as we present it in this course) is achieved through the systematic assessment of the systems, technologies and media used for information assets, the appraisal of the costs of security breaches, and the development and deployment of countermeasures to threats. Put simply, information security management recognises the most vulnerable spots in an organisation and builds armour-plating to protect them.

The diversity of the media used for an organisation's information assets is just one of the difficulties to be overcome in building an information security management system. Among other difficulties are the following.

• Effective information security measures often run counter to the mission of an organisation. For instance, the safest way to secure a computer and the information on it is to allow no access to it at all!

• The requirement to respect the needs of the users of the organisation's information, so that they can continue to do their jobs properly.

We can deduce that no single solution can address all possible security concerns. The only strategy is to engineer a fit-for-purpose solution that achieves a suitable balance between risks and protection against them.

As with all management systems, the engineering of a fit-for-purpose information security management system is achieved through hard work. Part of the hard work is, of course, an understanding of the technologies involved – we provide the necessary details in this course. Other major tasks are identifying the needs of the different stakeholders and ensuring coverage of every procedure and policy that involves the development, transformation or dissemination of sensitive information.

Thus, information security management is a development activity analogous to the development of software, and we shall present it in this way throughout this course.