Improving the ICT service: Making ICT secure
Produced by: Socitm Insight
This report, the seventh in the series on improving the ICT service, describes the four critical elements for developing capability.
Making ICT facilities secure will only work if the whole organisation is behind the intention - and understands the reasons why it is necessary to do so. This report sets out to assist in this understanding. For an ICT unit to be successful, it must understand the current security risks and mitigating controls and ensure that these are being effectively addressed. We highlight four interlocking themes.
The first of our four key themes looks at the need to prevent information security-related incidents from occurring in the first place. Clearly, protecting public information is much less expensive than paying for clean-up after a data breach or massive records loss. Put another way, recovering from a breach in security costs far more than setting up the necessary prevention.
The second of our four key themes looks at the need to detect information security-related incidents in real time. At a technical level, your organisation's ability to fend off spyware, viruses and increasingly sophisticated attacks hinges on the strength and cohesion of your intrusion detection strategy.
The third theme looks at the need to educate our users, thoroughly and continually. Well-educated users are our key success element in maintaining a secure organisation - or, if uneducated, they remain the key risk area. This applies as much to ICT specialists as to service users. Motivational awareness, training and educational activities, and management oversight are key to the risk reduction strategy.
The final theme looks at the need to enforce all the other elements in our holistic information security management programme. There is no point going to the effort of identifying assets, assessing the risks, implementing controls (including policies, procedures, etc.) and then monitoring the systems to ensure that these are effective, without the capability to enforce the controls.
We summarise by suggesting a number of key steps for formulating a robust information security management system, one that provides evidence of the resilience of ICT facilities in securing the achievement of the organisation's broad aims and objectives.
Last modified: 19th January 2010
Improving the ICT service: Making ICT secure (263.63 KB PDF)