IT Security Doesn’t Mean Information Security

For many years, the term “information security” has been used to refer to solutions that protect and defend the network and IT systems. This is far too often misleading, because what is actually meant in such cases is IT security.

Why make a distinction between IT security and the security of information? Just ask anyone whose top-notch IT security program has been tarnished by a data security breach.

Some of the most high-profile victims of data security exploits have maintained IT security programs among the most well reputed anywhere. The lesson hammered home by such incidents is simply this: Securing IT resources and access to the information they handle and communicate does not necessarily guarantee that information will be used in a secure, trustworthy manner.

More Tech Trends on CIO Update

Crossing the Technology Line: Strategic vs. Utility

Is Vista The Last of Windows?

The Power of Process

Software Upgrading As ‘Collusion’?

If you want to comment on these or any other articles you see on CIO Update, we’d like to hear from you in our IT Management Forum. Thanks for reading.

Allen Bernard, Managing Editor.

FREE IT Management Newsletters

The stakes have been raised considerably by sophisticated threats focused on the theft and exploit of tangible assets, as well as in the finesse with which such threats are increasingly honed.

Regulators have also shown they consider the distinction of information security to be far from trivial. The U.S. Federal Trade Commission (FTC) has imposed penalties as high as $15 million in some cases of data security breach. The enforcement of an information security program has also factored into regulatory settlements, subject in some cases to audit every other year for 20 years.

No matter how well IT may be secured, a number of questions must be answered in order to protect and defend information, such as:

  • How is sensitive information recognized?
  • Who has access to this information; authorized or not?
  • How is sensitive information to be used or, more specifically, not to be used?
  • What is the response when information security risks and threats are manifested?
  • Can information security be enforced with credible resistance to subversion; and
  • Can these issues be monitored, with controls demonstrated effectively?

    Simple questions which may be extraordinarily difficult to answer. For one thing, sensitive information may appear in any number of forms that do not lend themselves to ready identification. Some information formats have structure that simplifies their recognition, such as Social Security or credit card numbers.

    Databases lend structure to information that can be leveraged to classify its sensitivity. Other formats, however, do not exhibit such structure, which substantially raises the challenge, because this by far represents the lion’s share of sensitive information in most organizations.

    What, for example, constitutes intellectual property? How can sensitive information be recognized in any format, without engaging human judgment in each case? Once recognized, how can its security be effectively enforced?

    These are questions to which solutions addressing the security of information itself have arisen to answer. New technologies such as information classification and structure management, content monitoring and filtering, information leak prevention, enterprise information rights management, application and database security; and new approaches to encryption are merging with domains such as message, Web and Internet security, content and information lifecycle management, and even networks, systems and applications themselves, as businesses have become increasingly sensitive to their information risks.