Sunday, May 27, 2007

IT Security V/S Information Security

IT Security and Information Security are two different domains that are often mistaken for one. Although they overlap in some areas, by and large IT Security is a subset of Information Security.

IT Security deals with the technical set of controls and revolves around the technology deployed across the business to store, process, generate or transmit information. Information Security, by contrast, also covers additional functions such as Business Operations, Legal, Human Resources and Facility Management; that is, it also encompasses the departments that handle data and information in non-electronic form.

The controls that form part of IT Security fall under the following heads -
  1. IT Risk Assessment
  2. IT Asset Classification and Management
  3. Logical Access Control
    1. User Management
    2. Password Guidelines
    3. Access Rights and Permissions
    4. Login Restrictions
  4. Physical Access Control
    1. To the Data Center / Server Room
    2. To End User Terminal
  5. Emanation Security - dealing with cabling security, etc.
  6. Communication Security - dealing with security during electronic transmission
  7. Systems Development, Acquisition and Management
    1. In-house Development
    2. Out-Sourced Development
    3. Off the Shelf Purchase
    4. System Change Management
  8. End User Computing
    1. Access to End User Development - Usage of Scripts and Macros in documents and spreadsheets
    2. Access to Install Custom Programs and Free-wares
    3. File Sharing through Local Shares
    4. Email and Internet Usage
    5. Acceptable usage of IT Resources
  9. Disaster Recovery Planning
    1. Backup and Archiving
    2. DR Site Planning
    3. Fault Tolerance and Site Redundancy Planning
  10. Network and Operations Management
    1. Network Documentation
    2. Network Controls
    3. IP Addressing and Network Zoning
    4. Network Performance Monitoring and Capacity Management
    5. Remote Connectivity and Remote Access Management
    6. Usage of Cryptographic Techniques
    7. Operations Management
    8. Malicious Content Management
    9. Incident Monitoring and Management
    10. Media Handling and Storage
    11. Audit Logging and Log Retention
    12. Segregation of Development, Test and Production Environments
The additional control areas that form part of Information Security can be listed as -
  1. Physical and Environmental Security - encompasses emanation and cabling security along with the deployment of security personnel, CCTV monitoring mechanisms, etc.
  2. Third Party Operations
  3. Business Continuity Management
  4. Compliance Audit and Management
  5. Human Resource Security - identifying the human resources involved in operations as a potential source of threat
  6. Business Threat and Risk Assessment including Business Impact Analysis
References - ISO/IEC 17799, ISO/IEC 27001, COBIT
