Understanding information security
(3/25/2008)
Information security has become one of the most important concepts
in today's data-driven world. A primary and vital asset,
information – about everything from clients to suppliers
to transactions – is collected, stored and maintained
by organizations and is used for the growth of the company.
Organizations hold in their hands huge amounts of critical data,
upon which their survival might very well depend. Thus, implementing
information security measures is more than a requirement;
it has become a necessity.
The basic tenet of information security is the protection
of information to ensure confidentiality, integrity and availability.
These three values ensure that the information is accessible
only to those authorized to access it, that it is accurate
and complete – and cannot be modified without authorization,
and that it is available to authorized users when required.
To achieve this, an organization must put in place a system
that will establish, implement and manage information security.
The Information Security Management System (ISMS) must be
designed to meet the particular needs of the organization,
as each organization not only has different objectives and
cultures, but may also face different types of risks. A
risk assessment allows an organization to identify the threats
to and vulnerabilities of the group, and from there an ISMS
can be developed that addresses those risks.
An ISMS is not only seen as an answer to information security
threats. On a larger scale, a formal ISMS is also deemed necessary
in compliance terms. This is why information security does
not stop at developing an ISMS; the next step is usually to
apply for a certification underscoring that the management
system implemented by an organization was independently assessed
and found to conform to best practices.
In the field of information security, it is highly advantageous
to get an organization's ISMS certified to ISO 27001,
the international standard for information security focused
on the ISMS. First published as BS 7799, ISO 27001 serves as a
guide in the development and implementation of an ISMS, in
that it is the standard against which an ISMS is measured
to be deemed effective.
The certification process is very rigid. An independent certification
body conducts an initial audit to examine an organization's
ISMS documentation. The company is then expected to take action
on the results of that first audit. An onsite audit, where
the certification body is present to examine the revised
ISMS, is next. Organizations can correct the audit findings
and should agree to a surveillance schedule. The issuance
of a certificate can take from a few weeks to several months,
and organizations are required to get re-certified every three
years.
A successful ISMS certification can certainly differentiate
an organization from the rest of its business competitors.
For one, it is an assurance that independent evaluators audited
the ISMS and certified its adherence to the international
standard. Because of the certification, an organization can
be seen as committed to employing business practices that
boost its ability to protect its assets. Thus, an ISO 27001
certification adds to the company's prestige.
It also enhances an organization's standing as a vendor.
Many organizations today also require the companies they deal
with to hold certifications to international standards, as is evident
in the finance industry, as well as in the data center and
outsourcing businesses. In data center operations, in particular,
ISO 27001 serves as the standard for measuring the dependability
and safety of IT processes. For those who outsource their
IT requirements to a data center, knowing that the data center
is ISO 27001-certified gives that extra assurance that their
business's critical information is in good hands –
protected through stringent procedures and best practices.
Because of the strict and arduous certification process,
it is no wonder that those who achieve an ISO 27001 certification
should be commended and can truly be worthy of a client’s
trust.
The combined compliance clearly differentiates VITRO™ services
in the market. VITRO™ is now the preferred provider of data
center services in the country, as well as to international clients
in Asia, Europe and the US, and currently supports a variety
of organizations ranging from multinational companies and government
agencies to content providers and financial institutions. It
offers co-location, server hosting and management, managed
storage solutions, managed security solutions, disaster recovery
and other support solutions for the consumer and enterprise markets.