Information Security: Essential Web Resources
Date added: 1 March 2005
This Web page has been archived. Its content will not be updated.
Information and records are valuable resources within organisations, and should be protected accordingly. Nowadays organisations focus primarily on the protection of their electronic information assets against the risks of loss, misuse, disclosure or corruption. This process is commonly referred to as information security management.
Information security management enables the sharing of information in a manner that ensures the appropriate protection of that information. Risk assessment and management, continuity planning and disaster recovery programmes should all form a part of any information security management framework. Any such framework should aim to protect information from a wide range of threats in order to:
- ensure business continuity and minimise damage in the event of a security breach
- safeguard the accuracy and completeness of information and information processing methods
- ensure that authorised users have access to information as, and when, required
- ensure that information is accessible only to those authorised to have access
- maximise return on investments and business opportunities
Information security management is a key process of corporate governance. Information governance is the leadership, organisational structures, business processes, and standards that ensure that the organisation's information assets support and enable the achievement of its strategies and objectives. An information security management system (ISMS) must be established and maintained by any organisation as a mandatory requirement of British Standard 7799.
This article focuses on electronic information security resources, which reflects the importance currently placed on this by organisations. However, the security of hardcopy information and records remains of utmost importance, and is an aspect of information security that is frequently neglected. Traditional records management tools such as a vital records programme and retention scheduling can facilitate the security of hardcopy records. A hardcopy information security programme should be an integral part of an overall information security management system, thus ensuring a consistent approach to the protection of all information assets, regardless of format.
Legislation and Government advice and policies
One of the driving forces behind information security management is the current legislative environment. It is a legislative requirement that records containing personal information are retained in a secure manner. Schedule seven of the Data Protection Act states that "appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data". The Government recognises the importance of ensuring the security of organisations' information assets, and has introduced a wide range of other legislation to facilitate the adequate protection of information. Such legislation includes the:
- Computer Misuse Act 1990
- Human Rights Act 1998
- Electronic Communications Act 2000
- Regulation of Investigatory Powers Act 2000
Government bodies also provide advice on information security issues, including organisations such as the Department of Trade and Industry, UK Online for Business, and the Office of the e-Envoy.
The Department of Trade and Industry's Information Security Policy Team is responsible for assisting businesses in the United Kingdom with managing their information security more effectively. Their Web site includes a wide range of documents in pdf format providing information and guidance to organisations. The documents available to download include:
- 1998 Data Protection Act and BS7799
- Guide to The Electronic Communications Act 2000
- Information Security and the Internet
- Information Security Breaches Survey 2002
- Managing Information Security - Solutions from the UK
- The Business Manager's Guide To Information Security
The DTI's Achieving Best Practice in Your Business Web site also provides guidance concerning information security for businesses in the UK. The site discusses a wide variety of information security topics, including spam, viruses, inappropriate usage, unauthorised access, theft, systems failure, and the BS7799 security standard. The site also provides links to a range of other information security resources, and an "Information Security Healthcheck". This "healthcheck" consists of a questionnaire based upon the guidance offered by the BS7799, and aims to provide an indication of an organisation's information security status.
The e-Government Unit aims to ensure that the Government, businesses and individuals derive maximum benefit from technology to assist the provision of better public services, a stronger economy, and increased productivity and opportunities. The Unit develops frameworks and policies for the development of e-Government, including a number of information security guidelines and policies, such as:
- Assurance Framework
- Network Defence
- Security Architecture
- Security Guidelines for UK Government
All frameworks and policies can be downloaded from the e-Government Unit's Web site.
The Information Systems Audit and Control Association (ISACA) is a global association for information governance, control, security and audit professionals. Its information security auditing and control standards are followed by practitioners worldwide. It offers audit and security certification, publishes the Information Systems Control Journal, and hosts a series of international conferences. The security section of its Web site contains a number of resources available to the general public, including a series of articles entitled "InfoBytes", which cover key issues such as privacy, business continuity, and information technology governance. The ISACA Standards Board has issued a number of standards, guidelines and procedures, all of which are freely available from the Web site. The site also contains an information security management glossary, and instructions on how to join a number of mailing lists.
The Information Systems Security Association (ISSA) is a similar not-for-profit, international organisation of information security professionals and practitioners. Its services include the provision of educational forums and publications. Although only members can access most of the content, their site includes a useful "Press Room", containing various press releases and links to news articles.
Standards and policies
The BS7799, entitled "Code of practice for information security management", is the most influential information security standard currently in use. It is divided into two parts, with part one containing guidance and explanation, and part two providing a model for organisations to establish and maintain an effective information security management system (ISMS). It has been translated into plain English by the Praxiom Research Group.
The ISMS International User Group (ISMS IUG) aims to promote the BS7799 standard world-wide, and was established to facilitate the sharing of experiences in the use and application of the standard. The ISMS IUG Web site includes answers to frequently asked questions about the BS7799, and a comprehensive information security portal. Links included in the portal concern a wide range of topics such as physical security, biometrics, risk management, business continuity, and corporate governance. The group also produces a quarterly journal, which can be downloaded from the site in pdf format. The site also contains the international register of BS7799 accredited certificates, which is a register of organisations that have successfully undertaken an accreditation process in accordance with the BS7799. A portal related to the accreditation process provides access to a range of information related to the certification of an organisation's ISMS.
ISACA has developed a standard for information security and control practices entitled COBIT. Its guidance aims to assist organisations in the implementation of effective governance over information assets. The standard consists of the following sections:
- Executive summary
- Management guidelines
- Control objectives
- Audit guidelines
- Implementation tool set
The standard can be downloaded from the ISACA Web site, with the exception of the audit guidelines, which are only available to members of ISACA. However, users need to register before accessing the documents.
The Information Security Forum (ISF) has also produced an information security standard. The ISF is an international association of over 250 organisations that co-operate in the development of a practical research programme and best practices in information security. The standard is entitled The Standard of Good Practice for Information Security, and is designed to help organisations minimise the risks associated with their information systems. The Standard is based on the ISF's research conducted over 14 years, and presents a target against which organisations can measure their performance.
Another useful site is provided by TaylorMaid Security, and contains a paper discussing security principles, a paper entitled "Principles to Policy", and a sample high-level policy. These documents can be used as a basis for organisations to develop their own information security policy.
Articles and news sources
Articles and white papers on a wide range of information security related topics can be obtained free of charge from a number of Web sites, including Information Security Magazine, Secure Computing Magazine, the Encyclopaedia of Information Security and Bitpipe. The latter in particular is a valuable source of information. Bitpipe is a syndicator of information technology white papers, web-casts, case studies and product literature. The Bitpipe Web site contains a comprehensive information security section, including papers on topics such as information security standards and policies, e-mail security, wireless security and biometrics.
Up-to-date information security news is available from a wide range of sources, including Information Security Magazine, Secure Computing Information Security News and the Encyclopaedia of Information Security. A number of these sites also offer newsletters, which are delivered by e-mail on a regular basis upon subscription. The Encyclopaedia of Information Security Web site also includes a security clinic offering advice on information security issues, an information security dictionary, and tutorial on topics such as security threats, access control, cryptography concerns, legal issues, information security standards, and business continuity.
Education, training and research bodies
The Information Security Institute at the Johns Hopkins University in Maryland is a centre for research and education in information security, assurance and privacy. Its Web site includes a "press room" containing links to up-to-date information security news, information about the Institute's various research projects, and a wide range of related academic papers. A similar group is based at Royal Holloway, University of London. The Information Security Group at Royal Holloway is an interdisciplinary research group composed of computer scientists and mathematicians. Its Web site contains information about research projects, and includes research papers.
An excellent Web site is maintained by the Center for Education and Research in Information Assurance and Security (CERIAS) at Purdue University. The centre has a multidisciplinary approach to information security issues, ranging from purely technical issues to ethical, legal, educational, communicational, linguistic and economic issues. The centre's site includes information about research projects, links to information security news articles, and a number of tools and resources, including:
- Bibtex Paper Archive: contains papers and Tech Reports concerning the application, use, and future of information security
- CERIAS Hotlist: a submission based archive of information security related websites
- FTP Archive: contains software, standards, tools, and other material related to information security
- INFORMS: an interactive tool for collaboration and partnerships for faculty, industry leaders, and students
- CERIAS Incident Response Database (CIRDB)
- Cassandra: emails details of new vulnerabilities based upon users' saved profiles of the services and applications running on their networks, typical (standard configurations) hosts or important hosts
The SANS (SysAdmin, Audit, Network, Security) Institute is a co-operative research and education organisation, and undertakes information security research, certification and education. The site includes information regarding current research projects, access to webcasts, and a number of information security newsletters, digests and forums, which allow users to discuss a variety of information security topics. The site also contains a "reading room", which contains over 1,100 papers on topics such as disaster recovery, information assurance, digital privacy, and legal issues.
A number of other resources can be accessed from the "Information and Computer Security Resources" section of the SANS site, including "The Internet Guide to Popular Resources on Information Security" and a glossary of security terms. A particularly useful resource is the SANS security policy resource page. The security policy project is a consensus research project of the SANS community, and aims to provide resources to facilitate the rapid development and implementation of information security policies. The resources provided on this page include policy templates for twenty-four security requirements.
The Open Directory (ODP) is a human-edited directory of the Web, constructed and maintained by a global community of volunteer editors. The Computers/Security category contains approximately 3,000 links to Web resources, structured by categories such as authentication, intrusion detection systems, information security policy, and products and tools.
The InfoSysSec Web site was originally created by students for students, to help locate and consolidate Internet resources that would assist them in their study of information security topics. However, it is now a popular resource for information security professionals. The site contains numerous links to information security related Web resources, in addition to forums, chat rooms and news items.
Application Security Inc also provides an information security portal, containing links to archives of defaced Web sites, information security standards, security organisations, search engines, news bulletins, security advisories, and other security portals.
Security of hardcopy records
As discussed above, it is essential that proper security measures are in place to ensure the security of hardcopy records. The National Archives produce a records management standard entitled Storage of Semi-Current Records. This standard provides advice and guidance on the storage of semi-current records. It covers five distinct areas:
- protection against fire
- protection against water
- environmental conditions
- storage equipment
State Records New South Wales and the National Archives of Australia also produce standards for the storage of records: Physical storage of State records and Physical storage of Commonwealth Records: Standard and Guidelines respectively. This standard outlines seven principles that should be considered when storing records, namely: location, environmental control, shelving and packaging, protection from disaster, maintenance, careful handling, and accessibility.
Two modules from the Managing Public Sector Records course provided by the International Records Management Trust contain information about best practice for ensuring the security of hardcopy records. The course documentation can be downloaded free of charge from the Trust's Web site. The Preserving Records and Managing Records in Records Centres modules both contain sections on security measures.
Information security is a constantly evolving discipline, due to the ever-increasing scale and complexity of security threats in the post September 11th environment, and continuous improvements in technology. A useful method of keeping up-to-date with developments in information security is by subscribing to the comp.security.misc usenet newsgroup, which can be accessed at news:comp.security.misc or http://groups.google.co.uk/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&group=comp.security.misc.