
Last reviewed: October 9, 2005

Electronic Information Security Documentation

During the last thirty years, people have become more aware of the harms that come from a lack of security. Yet the problem has escalated faster than the efforts to control it. It is often not understood that security is more important than hackers and viruses. The basic need for security has to be well understood by management. For security management it is essential that risk be controlled, and to do that the risk first has to be assessed. This involves collecting all the facts concerning system risk, which is difficult if the methods of collecting data are not properly documented. Thus proper methods of collecting data are the beginning of data security management.

The new standards given in recent security documentation methods provide some guidance, yet these methods do not guide the security officers engaged in the job. When data is collected in traditional formats, it may not provide good security, as most of this data will have to be regularly updated. There have been suggestions that a security officer with a database and GUIs may provide better security. This requires an improvement of the information system, and the secure items have to be presented in a standard format. There are security officers even now, but they are involved only with security, and their job is to check that systems are being implemented correctly. On the other hand, they should try to view the business risk due to security flaws and request changes to the system from the point of view of better security.

Making this judgment requires an assessment of risk, and that is a time-consuming job. Thus most of the people concerned prefer to work with more simplified models of the system and ask IT employees for estimates of risk, which are subjective. In a complex system this is not possible, and it is dangerous when defects in information can cause financial harm to the organization. This means that security officers should be ready with convincing documents to support their view of the risk if the system fails for any reason. Thus it is clear that security officers in organizations should be able to understand the importance of proper methods, but no system does that at present.

The present information security management standards, such as BS7799 and ISO 17799, provide some methods of information security management and methods for storing secure documents. These are difficult for security officers to implement, considering their background. When an incident takes place in a security environment, the security officer has to demonstrate that the security systems being used were reasonably compatible with the true level and nature of the system risk. This is because IT system failures have serious consequences for the financial well-being of the organization, and because the system is required for compliance with regulatory and contractual obligations. Security officers should equip themselves with comprehensive security documentation, and associated risk assessment strategies, as evidence that they have acted with a high level of professional competence.

The need for security was first thought to be important for the military, then for finance and banking because of the electronic transfer of money, and then a requirement was felt for anti-virus software. As the Internet spread, firewalls were required to stop hackers, followed by software for the e-commerce market. Now software is being developed for the biotechnology market. This paper proposes a model to help secure documents. The importance of effective risk analysis was realized in the early 1970s, and some governments wanted to adopt it in sensitive computing systems. Risk analysis consists of the identification of assets, threats, vulnerabilities and countermeasures, and the evaluation of loss expectancy. An information security risk analysis study starts with the definition of the IT environment under consideration and the recommendation of corrective actions. Risk analysis projects are relatively expensive, and were so even in the mainframe computing era, because they involve the collection and evaluation of a significant volume of data. Earlier risk studies were conducted by in-house staff or consultants. The in-house people did not have much experience in the matter, and the consultants did not know much about the requirements of the organization.

Presently, the familiarization task has become more complicated with the complex, multi-site networked and client-server-based technology now in use. A new system has now been developed. Its first description is of the security entry classification, which involves object identifiers that will help the security officer in this work. For developing this system, the risk assessors have significant knowledge of operating systems, the documentation procedures are versatile and comprehensive enough to make the data collection task achievable, and, since the basic system is ready, the cost of updates for risk assessment is minimal. At the same time, the system is fully documented and this documentation can be updated regularly, so the new system will reduce the costs and effort of risk assessment exercises.

Cite This Paper
PaperDue. (2005). Electronic Information Security Documentation During. PaperDue. https://www.paperdue.com/essay/electronic-information-security-documentation-69145
