
Introduction

In an organization, information technology generally refers to the laptop and desktop computers, servers, routers, and switches that form a computer network, although it also includes fax machines, phone and voice mail systems, cellular phones, and other electronic systems. A growing reliance on computers to work and communicate has made the control of computer networks an important part of information security. Unauthorized access to paper documents or phone conversations is still an information security concern, but the real challenge has become protecting the security of computer networks, especially when they are connected to the Internet. Most large organizations have their own local computer network, or intranet, that links their computers together to share resources and support the communications of employees and others with a legitimate need for access. Almost all of these networks are connected to the Internet and allow employees to go "online."

Information technology security is controlling access to sensitive electronic information so that only those with a legitimate need to access it are allowed to do so. This seemingly simple task has become a very complex process, with systems that need to be continually updated and processes that need to be constantly reviewed. There are three main objectives for information technology security: the confidentiality, integrity, and availability of data. Confidentiality is protecting sensitive data from access by those who do not have a legitimate need to use it. Integrity is ensuring that information is accurate and reliable and cannot be modified in unexpected ways. Availability ensures that data is readily accessible to those who need to use it. Information technology security is often the challenge of balancing the demands of users against the need for data confidentiality and integrity. For example, allowing employees to access a network from a remote location, like their home or a project site, can increase the value of the network and the efficiency of the employee. Unfortunately, remote access to a network also opens a number of vulnerabilities and creates difficult security challenges for a network administrator.

In general, we can say that IT security is the process of protecting information: its availability, privacy and integrity. Access to information stored in computer databases has increased greatly. More companies store business and individual information on computers than ever before. Much of the information stored is highly confidential and not for public viewing. Many businesses are based solely on information stored in computers. Personal staff details, client lists, salaries, bank account details, marketing and sales information may all be stored in a database. Without this information, it would often be very hard for a business to operate. Information security systems need to be implemented to protect this information.

Definitions

1. The U.S. National Information Systems Security Glossary defines "Information Technology Security" as the protection of information systems against unauthorized access to or modification of information, whether in storage, processing or transit, and against the denial of service to authorized users or the provision of service to unauthorized users, including those measures necessary to detect, document, and counter such threats.

2. Information security means protecting information and information systems from unauthorized access, use, disruption, or destruction. The terms information security, computer security and information assurance are frequently used interchangeably (IT Association of America).
3. Safeguarding an organization's data from unauthorized access or modification to ensure its availability, confidentiality, and integrity (Security Academy of Ireland).
4. IT security generally consists in ensuring that an organization's material and software resources are used only for their intended purposes (Kioskia.net).

Issues/Considerations

History of IT Security

Since the early days of writing, heads of state and military commanders understood that it was necessary to provide some mechanism to protect the confidentiality of written correspondence and to have some means of detecting tampering. Julius Caesar is credited with the invention of the Caesar cipher ca. 50 B.C., which was created to prevent his secret messages from being read should a message fall into the wrong hands. World War II brought about much advancement in information security and marked the beginning of the professional field of information security. The end of the 20th century and the early years of the 21st century saw rapid advancements in telecommunications, computing hardware and software, and data encryption. The availability of smaller, more powerful and less expensive computing equipment brought electronic data processing within the reach of small businesses and the home user. These computers quickly became interconnected through a network generically called the Internet. The rapid growth and widespread use of electronic data processing and electronic business conducted through the Internet, along with numerous occurrences of international terrorism, fueled the need for better methods of protecting the computers and the information they store, process and transmit. The academic disciplines of computer security, information security and information assurance emerged along with numerous professional organizations, all sharing the common goal of ensuring the security and reliability of information systems.

Why is IT security so important?

In today's high-technology environment, organizations are becoming more and more dependent on their information systems. The public is increasingly concerned about the proper use of information, particularly personal data. The threats to information systems from criminals and terrorists are increasing. Many organizations will identify information as an area of their operation that needs to be protected as part of their system of internal control. "Information is the oxygen of the modern age. It seeps through the walls topped by barbed wire, it wafts across the electrified borders" (Ronald Reagan, 1989).

It is vital to be concerned about information security because much of the value of a business is concentrated in the value of its information. Information is, as Grant says, the basis of competitive advantage. And in the not-for-profit sector, with increased public awareness of identity theft and the power of information, it is also, as Turnbull claims, the area of an organization's operations that most needs control. Without information, neither businesses nor the not-for-profit sector could function. Valuing and protecting information are crucial tasks for the modern organization. If information were easy to value and protect, however, you would be able to buy off-the-shelf information security management solutions. There are three characteristics of information security that make this impossible.

1. The collection of influences to which each organization is exposed varies with the organization: the information technology that it uses, its personnel, the area in which it does business, its physical location; all of these have an effect on information security.
2. Information security affects every structural and behavioral aspect of an organization: a gap in a security fence can permit information to be stolen; a virally infected computer connected to an organization's network can destroy information; a cup of coffee spilt on a computer keyboard can prevent access to information.
3. Each individual that interacts with an organization in any way, from the potential customer browsing the website to the managing director, and from the malicious hacker to the information security manager, will make his or her own positive or negative contribution to the information security of the organization.

Thus IT security and its management need to be examined within an organizational context. To this end, a major aim of this unit is to give you the opportunity to:

- Investigate your organization and determine the precise mix of IT security issues that affect it;
- Explain the links between areas of an organization and navigate your organization's information security web;
- Identify the security contributions of each individual, and so suggest strategies to make the sum of the positive contributions greater than the sum of the negative ones.

Laws and regulations

Below is a partial listing of European, United Kingdom, Canadian and USA governmental laws and regulations that have, or will have, a significant effect on data processing and information security. Important industry sector regulations have also been included where they have a significant impact on information security.

The UK Data Protection Act 1998 makes new provisions for the regulation of the processing of information relating to individuals, including the obtaining, holding, use or disclosure of such information.

The European Union Data Protection Directive (EUDPD) requires that all EU members adopt national regulations to standardize the protection of data privacy for citizens throughout the EU.

The Computer Misuse Act 1990 is an Act of the UK Parliament making computer crime (e.g. cracking, sometimes incorrectly referred to as hacking) a criminal offence. The Act has become a model from which several other countries, including Canada and the Republic of Ireland, have drawn inspiration when subsequently drafting their own information security laws.

EU Data Retention laws require Internet service providers and phone companies to keep data on every electronic message sent and phone call made for between six months and two years.

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 requires the adoption of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers. It also requires health care providers, insurance providers and employers to safeguard the security and privacy of health data.

The Gramm-Leach-Bliley Act of 1999 (GLBA), also known as the Financial Services Modernization Act of 1999, protects the privacy and security of private financial information that financial institutions collect, hold, and process.

The Payment Card Industry Data Security Standard (PCI DSS) establishes comprehensive requirements for enhancing payment account data security. It was developed by the founding payment brands of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International, to help facilitate the broad adoption of consistent data security measures on a global basis. The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures.

State Security Breach Notification Laws (California and many others) require businesses, nonprofits, and state institutions to notify consumers when unencrypted "personal information" may have been compromised, lost, or stolen.

The Personal Information Protection and Electronic Documents Act (PIPEDA) is an Act to support and promote electronic commerce by protecting personal information that is collected, used or disclosed in certain circumstances, by providing for the use of electronic means to communicate or record information or transactions, and by amending the Canada Evidence Act, the Statutory Instruments Act and the Statute Revision Act.

Eight levels of IT security

In a world of viruses, malware, and hackers, information security is a big deal. No single method of IT security can ensure the protection of mission-critical data. In the enterprise IT environment, layering multiple tactics and security processes can help close all of the gaps. A visual look at a data center provides us with the eight levels of information technology security, which work together to form a tight-knit and (hopefully) impenetrable web of safety.

1. Risk management framework.
2. Security policy. A security policy is a written document stating how a company plans to protect its physical and information technology assets. It is often considered a living document, meaning that it is never finished but is continuously updated as technology and employee requirements change.
3. Logging, monitoring and reporting.
4. Virtual perimeters.
5. Environmental and physical information.
6. Platform security.
7. Information assurance or data assurance.
8. Identity and access privilege management.

Potential Impact

Potential impact is the degree to which a security failure has the potential to result in harm or loss. The impact of a potential risk may be identified by the responses to the following questions:

- What are the ramifications of the loss of confidentiality, integrity, availability, or authorized use of systems?
- Will physical harm to any individual result?
- Will the strategic mission of the university be affected?
- Will personal information be compromised?
- Will large segments of the community be inconvenienced?
- Will the reputation of the university suffer?
- Who will need to resolve the security incident?
- What is the magnitude of resources required to resolve the security incident?

Low impact: Incidents that cause limited damage to operations or assets and that do not involve risk to individuals. These incidents require minor corrective actions or repairs within the designated custodial structure, and communication is frequently required only within the affected unit.

Moderate impact: Incidents that cause short-term degradation or partial loss of the university's mission capability; that affect or disadvantage only subsets of the university community; or that result in limited loss of or damage to significant assets. These incidents require corrective actions or repairs that can normally be handled within the designated custodial structure, usually involve only internal communications, and normally will not require the involvement of high-level administration.

High impact: Incidents that cause an extensive loss of the university's mission capability; result in a loss of major assets; pose a significant threat to the well-being of large numbers of individuals or to human life; or damage the reputation of the university. These incidents require a substantial allocation of human resources to correct; may require communication to external agencies or law enforcement and the public; and often require the involvement of high-level administration within the university.

Advantages and Disadvantages of IT security

IT security is the protection of data saved to a network or hard drive. The advantages and disadvantages are listed below. Please comment based on any experience with IT security (whether in utilizing it or in having been subject to cyber crime).

Advantages of IT Security:

- IT security is extremely easy to utilize. For protection of less sensitive material, users can simply password-protect files. For more sensitive material, users can install biometric scanners, firewalls, or detection systems.
- As technology advances, so will the crimes associated with it, which makes the use of information security very worthwhile.
- It keeps vital private information out of the wrong hands. For the government, it keeps top secret information and capacities out of the hands of terrorists and enemy nations.
- IT security protects users' valuable information both while it is in use and while it is being stored.

Disadvantages of IT Security:

- Technology is always changing, so users must continually purchase upgraded information security.
- Since technology is always changing, nothing will ever be completely secure.
- If a user misses one single area that should be protected, the whole system could be compromised.
- It can be extremely complicated, and users might not fully understand what they are dealing with.
- It can slow down productivity if a user constantly has to enter passwords.

IT security policy

An IT Security Policy is a documented list of management instructions that describe in detail the proper use and management of computer and network resources, with the objective of protecting these resources, as well as the information stored or processed by information systems, from any unauthorized disclosure, modification or destruction. The purpose of this policy is to assist government and non-government agencies to establish and maintain their Information Security Management System (ISMS). This policy is applicable to persons who are accountable for the security of information assets; to people who are responsible for initiating, implementing and/or monitoring risk management within their agency; and to people who are responsible for initiating, implementing and/or maintaining information security within their agency.

Security risk

Risk is the combination of the probability of an event and its consequences. Information security risk is the potential that a given threat will exploit information vulnerabilities to cause loss or damage to information assets and dependent capabilities, duties and hence business objectives.

Threat

A threat is the potential cause of an unwanted incident, which may result in harm to a system or to an organization's information assets and information-using capabilities. Threats can arise from natural disasters or from intentional or accidental acts originating inside or outside the agency. Their consequences include:

- Destruction of an asset or capability;
- Corruption or modification of an asset;
- Theft, removal or loss of an asset or capability;
- Disclosure of an asset;
- Use or acceptance of an illegal asset;
- Destruction of image and loss of confidence;
- Disruption of a business process system; or
- Interruption of services.

Vulnerabilities

Vulnerabilities are flaws or weaknesses associated with an agency's assets or capabilities. A vulnerability is merely a condition or set of conditions that may allow a threat to affect an asset. Vulnerabilities fall into four categories:

- Organizational
- Personnel
- Environmental
- Hardware, software and network

Examples of vulnerabilities include:

- Little support for security measures
- Information is not classified
- Inadequate information security policy
- Lack of security awareness
- Weak access control mechanisms
- No official policy, and no monitoring/intrusion detection or incident response team in place
- Operating procedures are not documented
- Employees are not identified adequately; visitors may roam unchecked
- The building is in an earthquake zone, where minor quakes are expected every

Conclusion

Broadly speaking, IT security is about keeping electronic information private and protected from falling into the hands of those without authorization to see or use that information. To implement IT security, the Institute looks at how to meet the requirements of the various regulations and laws relating to information protection. To ensure compliance, policies must be implemented and adhered to. IT security is about protecting the integrity, accessibility, and reliability of electronic information, and is concerned with the behaviors and actions of computer users as they affect the privacy and safety of all members of the Internet community. IT security works with physical security to ensure the protection of information, whether electronic or hardcopy.

