Information relates to the data that have put into a meaningful and usefu1 context. Information has been defined by Davis and Olson as ―Information is data that has been processed into a form that is meaningful to the recipient and is of real or perceived value in current or progressive decision‖.
Security relates to the protection of valuable assets against loss, disclosure or damage. Securing valuable assets from threats, sabotage or natural disaster with physical safeguards such as locks, perimeter fences and insurance is commonly understood and implemented by most organizations.
Information Security is the protection of data or information against harm from threats that will lead to its loss, inaccessibility, alteration or wrongful disclosure and this is achieved through a layered series of technological and non technological safeguards such as physical security measures, user identifiers, passwords, smart cards, biometrics, firewalls, etc.
The information security objective is supported by eight core principals. They are:
a) Accountability – Responsibility and accountability must be explicit
Security of information requires an express and timely apportionment of responsibility and accountability among data owners, technology providers and users.
b) Awareness – Awareness of risks and security initiatives must be disseminated.
In order to foster confidence in information, data owners, process owners, technology providers, users and other parties, with a legitimate interest to learn or be informed, must be able to gain knowledge of the existence and general extent of the risks facing the organization and its systems and the organization‘s security initiatives and requirements.
c) Multidisciplinary – Security must be address taking into consideration both technological and non technological issues.
Security is more than just technology; it also covers administrative, organizational, operational and legal issues. Accordingly, technical standards should be develop with and, be reinforced by, codes of practice; audit; legislative, legal and regulatory requirements; and awareness, education and training.
d) Cost Effectiveness – Security must be cost effective.
Different levels and types of security may be required to address the risks to information. Security levels and associated costs must be compatible with the values of the information.
e) Integration – Security must be coordinated and integrated.
Measures, practices and procedures for the security of information should be coordinated and integrated with each other and with other measures, practices and procedures of the organization and third parties on whom the organization‘s business processes depend, so as to create a coherent system of security.
f) Reassessment – Security must be reassessed periodically.
The security of information systems should be reassessed periodically as information systems and the requirements for their security vary over time.
g) Timeliness – Security procedures must provide for monitoring and timely response. Organizations must establish procedures to monitor and respond to real or attempted breaches in security in a timely manner in proportion with the risk. The increasingly interconnected real time and trans-border nature of information and the potential for the damage to occur rapidly require that organizations react swiftly.
h) Societal Factors – Ethics must be promoted by respecting the rights and interests of others. Information and security of information should be provided and used in such a manner that the rights and interests of others are respected and that the level of security must be consistent with the use and flow of information that is the hallmark of a democratic society.