The main purpose of IT security is to defend information from unauthorized access. IT specialists are responsible for keeping all of the technology within the company secure from malicious cyber-attacks, which often attempt to breach critical private information or gain control of internal systems. The capabilities and complexity of IT systems keep growing. Users can access more data and systems from a multitude of entry points, such as office workstations, offsite laptops, and roaming smartphones. As IT systems are increasingly integrated into the operational fabric of individual organizations, their exposure to potential threats in turn becomes increasingly multilayered, moving beyond technological vulnerabilities alone.

The ultimate goal of managing IT security is to turn an organization's security policies into security requirements that can be codified, rolled out to the organization, enforced, and measured. Perhaps the most compelling reason to do this is that good security is more about encouraging and enforcing positive behavior than it is about protecting against threats and vulnerabilities. In fact, the vast majority of network attacks target vulnerabilities for which there are known remedies. Thus, if a well-planned security policy can actually be deployed and followed, most network threats can be avoided. Turning the theory of a policy into the reality of requirements is best realized by establishing a security mentality as the default way of doing business. In recent years, more organizations have endeavored to establish an enterprise-wide framework that fosters a "security mentality." An example of such a framework is the Enterprise Security Business Model created by PricewaterhouseCoopers for its clients.
A related approach is the Operationally Critical Threat, Asset, and Vulnerability Evaluation risk assessment methodology created by Carnegie-Mellon University's Software Engineering Institute, which focuses on identifying an organization's most critical assets and then identifying and addressing the risks to those assets (Tracy).

Without a doubt, information security is a pervasive concern for all companies and continues to rise in importance. IT security is now considered a mainstream operational concern as companies utilize the Internet as a key driver of e-business and greater collaboration. While the exigencies of e-commerce require that the Internet be safe and secure, the reality is drastically different, as the Internet continues to be the victim of recurring attacks. Various independent surveys reveal that between 36 per cent and 90 per cent of organizations reported computer security breaches in the past year. It is also concerning that the frequency of IT security incidents is rising at an alarming rate. The rising frequency of security incidents is driving higher spending on IT security, reaching $30.3 billion (Ashish). The growing use of online technology and the spread of Internet connectivity around the world, driven by globalization, have made cyber-attacks much easier today. Particularly concerning is the growing level of terrorist and criminal activity directed at communications networks and computer systems. While early use of the Internet was centered on text messaging and Web site access, today users are demanding digital transactions and remote access.

Many companies and organizations claim that they have found the Holy Grail of IT security, and that they are providing exactly the type of product or service security professionals have always been looking for. Reality is not that simple; security problems can seldom be solved with products and services alone.
IT security is not a product or service problem, but rather an engineering and management problem that must be approached with an appropriate IT security process. The process must start with political, strategic, and architectural considerations, and may eventually lead to security architectures that are...