The BCS has for a long time focused on protecting information, but primarily from a technical perspective. The society now recognises the need to look beyond the technology and to consider the process and human factors that affect information.

To address these issues, the BCS has established an Information Assurance Working Group, the aim of which is to encourage debate and to put information across in a way that is accessible to business managers and ordinary citizens.

Information assurance is about the protection of information, based around what we traditionally understand as information security. It has at its core the principles of confidentiality, integrity and availability. However, information assurance reaches beyond this and explicitly connects with the concerns of the organisation by embracing the broader disciplines of risk and business continuity management.

Charting a maturity curve from IT security to information assurance, we can see a progression from a period when the focus was primarily on securing IT equipment to a situation where electronic data is protected in a more dynamic way as it flows through the business.

Today, the value of information as a business asset has never been higher and for this reason we are moving towards the concept of information assurance as a management concern.

Information assurance is no longer a niche issue as we move into a business environment that demands the controlled sharing of information within and between organisations. It is also of importance to the ordinary citizen, who not only wants to protect their home PC but is worried about the protection of their personal details.

The first task of the BCS Information Assurance Working Group is to debate how to communicate information assurance risk to decision makers. Part of this revolves around whether end-users should be empowered to think about information assurance issues for themselves.

There is a tendency sometimes to treat end-users as children who need to be protected and, if this is the case, then it is unsurprising that they often fail to take responsibility for protecting information assets.

If we are going to empower end-users to act responsibly in the information assurance space, we have to engage with them and give them the education and training required to understand the issues.

● Debi Ashenden is a senior research fellow in information assurance at Cranfield University and chairman of the BCS information assurance working group