Infosec: Friend or Foe?
Matt Curtin, CISSP
2003/03/03 13:11:16
This article is also available in PDF.
Abstract
Information security (INFOSEC) is a critical, if highly misunderstood, aspect of the processing of information. As information is at the heart of many businesses today, INFOSEC must be successfully addressed if we are to realize the full benefits of information technology.
Successfully managing INFOSEC is not significantly different from managing other challenges in a business environment. Organizations simply need to acknowledge the risks that are present and to address those risks. Quite a bit of help is available, both in the form of helping employees to understand the domain and in the form of products and services from vendors.
In this article, we consider what information security is from a management perspective. What is information security? What are the objectives of INFOSEC? How can INFOSEC contribute to, rather than draw from, successful business operation? Finally, we consider INFOSEC from the perspective of the health care industry.
Contents
- What is Information Security?
- How Does Information Security Contribute to Success?
- How Does INFOSEC Relate to HIPAA?
Copyright ©2002 Interhack Corporation
Security practitioners can usually enumerate lists of properties that factor into security. When we're dealing with information security specifically, though, three properties stand out because there is clear agreement on them: confidentiality, integrity, and availability (CIA). Information can reasonably be called secure when these three properties are present.
Policy is really nothing more than a statement of organizational expectations.
What should be clear by now is that technology's role in INFOSEC is really one of policy enforcement.
Several issues come to the fore when considering how INFOSEC contributes to an organization's success. In a nutshell, a properly executed information security program will increase the likelihood that the organization will be able to achieve its objectives.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a law that charges the Department of Health and Human Services with establishing regulations for the handling of certain types of health information (HI), collectively known as “protected health information.”