Improving the ICT service: Making ICT secure

Produced by: Socitm Insight

Type: Reports

This report, the seventh in the series on improving the ICT service, describes the four critical elements for developing capability.

1 Introduction

Making ICT facilities secure will only work if the whole organisation is behind the intention - and understands the reasons why it is necessary to do so. This report sets out to assist in this understanding. For an ICT unit to be successful, it must understand the current security risks and mitigating controls and ensure that these are being effectively addressed. We highlight four interlocking themes.

2 Prevention

The first of our four key themes looks at the need to prevent information security-related incidents from occurring in the first place. Clearly, protecting public information is much less expensive than paying for clean-up after a data breach or massive records loss. Conversely, to recover from a breach in security is much more expensive than setting up the necessary prevention.

3 Detection

The second of our four key themes looks at the need to detect information security-related incidents in real time. At a technical level, your organisation's ability to fend off spyware, viruses and increasingly sophisticated attacks hinges on the strength and cohesion of your intrusion detection strategy.

4 Education

The third theme looks at the need to educate our users, thoroughly and continually. Well-educated users are our key success element in maintaining a secure organisation - or, if uneducated, they remain the key risk area. This applies as much to ICT specialists as to service users. Motivational awareness, training and educational activities and management
oversight are key to the risk reduction strategy.

5 Enforcement

The final theme looks at the need to enforce all the other elements in our holistic information security management programme. There is no point going to the effort of identifying assets, assessing the risks, implementing controls (including policies, procedures etc) and then monitoring the systems to ensure that these are effective, without the capability to enforce the controls.

6 Conclusions

We summarise by suggesting a number of key steps to be taken to formulate a robust information security management system in order to provide evidence of the resilience of ICT facilities in securing the achievement of the organisation's broad aims and objectives.

Last modified: 19th January 2010