Information Security

Why Information Security is a Business Issue




· IT supports business processes

All organisations depend on a wide variety of IT systems to enable and support their business processes. This includes hardware and software, and ranges from email and instant messenger for communication, to document management systems for collaboration, to Enterprise Resource Planning systems for performing integrated business processes. 


· Involving business users in the design of authorisations and permissions

Authorisations and permissions are the gateway to data and functionality in IT systems. Treating security as something that is only carried out by the IT techies is counter-productive. A large number of non-conformance issues are due to a misunderstanding of segregation of duties in financial systems, and these can lead to horrendous problems.


· Ensuring appropriate control of user activity

Business ownership of security is vital to ensure that there is adequate control placed over who can do what in business-critical systems. Can HR prove that abuse of the internet is down to an individual if you have not provided a security policy or adequate access control?


· Clear communication and a culture of security awareness

IT systems are the lynchpin that supports business-critical functions, and treating IT security as something that is 'done' by the IT department therefore misses the point. Good communication is crucial.


· Maintaining security standards

Ensuring that a culture of security awareness pervades the organisation will also enable the business to keep its finger on the IT security pulse in the long term. Regular review of system access and IT security requirements must therefore be built into the ongoing business processes.


· IT security is good business practice

There is no excuse for security not to be well understood, but both the business and technical departments must take responsibility for collaborating to address this issue. As IT budgets remain under threat, there are some technology projects that cannot be ignored, and making IT security a priority on a day-to-day basis should simply be regarded as good business practice.


No organisation would invest unless it could demonstrate a strong case for return on investment. Remember that it has been calculated that 65% of the cost of IT is down to poor quality procedures and security. In truth, it is difficult to prove that any of these outputs is exclusively due to IT security investment. Loss of a key asset may not put a company out of business forever, but could be enough to precipitate the loss of competitive advantage, reputation and revenue stream for some time to come. Is it really worth the risk?


ISO/IEC 27001 - Information security management