Information Systems Security Considerations

The success of an information security program depends on the policy produced and on the attitude of company management toward securing information technology (IT) systems. The policy framework helps ensure that all aspects of information security are considered and controls are developed. As a policymaker, it’s up to you to set the tone and the emphasis on the importance of information security.

Unauthorized Access to and Use of the System

The proliferation of technology has revolutionized the ways information resources are managed and controlled. Long gone are the days of the “glass house,” full of mainframe computers under tight centralized control. The internal controls of that era are inadequate for today’s decentralized information systems, where data and processing are spread across many machines, networks, and users. Relying on poorly controlled information systems brings serious consequences, including:

  • An inability of the organization to meet its objectives
  • An inability to service customers
  • Waste, loss, misuse, or misappropriation of scarce resources
  • Loss of reputation or embarrassment to the organization

To avoid these consequences, risk management approaches are needed. Risk is an accepted part of doing business; it can rarely be eliminated outright. Risk management is the process of reducing risk to a level the organization is willing to accept. You can reduce risk by modifying operations (avoiding the risky activity, or transferring the risk through insurance or contract) or by employing control mechanisms.

The dollars spent on security measures to control or contain losses should never exceed the estimated dollar loss if something goes wrong; in practice, compare the annual cost of a control against the annual loss it is expected to prevent. Balancing reduced risk with the costs of implementing controls results in cost-effective security. The greater the value of information assets, or the more severe the consequences if something goes wrong, the greater the need for control measures to protect them.

Unauthorized Disclosure of the Information

Maintaining the confidentiality of information is critical to many organizations in the age of knowledge workers. When you consider the economic activity of the world’s more advanced nations, most of the productive output of workers is information, rather than the widgets of yesterday. Consider two examples:

  • Market research companies spend thousands of dollars and countless hours gathering business intelligence for their clients. Often, the sole output of these projects is a report summarizing the results. If this got into the hands of the client’s competitors, it would destroy the competitive advantage created by the report. It could also reduce the economic value of the information to the client, and potentially jeopardize the market research firm’s client relationship.
  • Manufacturing companies may now produce many of their products in overseas factories where labor is inexpensive. However, they still do the “knowledge work” of developing product plans, formulas, and other trade secrets in developed nations. If those plans got into the hands of competitors, it would be quite simple for the competitor to ship the plans to an overseas factory and produce the same product without any of the research and development expense.

Disruption of the System or Services

The demands for timely and voluminous information are increasing. One major protection issue is the availability of information resources. In some cases, service disruptions of even a few hours are unacceptable. Think about how much revenue Amazon or eBay loses for every hour of downtime. Reliance on essential systems requires a plan for restoring systems in the event of disruption. Organizations must first assess the potential consequences of an inability to provide their services and then create a plan to assure availability.

Modification of Information

If information is modified by any means other than the intentional actions of an authorized user or business process, it could spell disaster for the business. This underscores the importance of integrity controls, which prevent, or at least detect, the inadvertent or malicious modification of information. Consider, for example, a product-testing firm that spends many hours testing the optimal settings for a piece of safety equipment used in factories. If a power surge alters the data stored in the testing database and nothing detects the change, the company might use the incorrect data to recommend equipment settings, jeopardizing the safety of factory workers.
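The following is an added example, not code from the original text, showing what a detective integrity control for the product-testing database might look like. Each stored record carries an HMAC-SHA256 tag computed under a key the application holds outside the database; before a value is used to recommend a setting, the tag is recomputed and compared, so a bit altered by a power surge (or by anyone without the key) is rejected rather than silently reused. The record fields, the key handling, and the single-bit corruption are assumptions made for illustration.

```python
"""Added example (not from the original text): a record-level integrity
control for the product-testing database described above.

Each stored record carries an HMAC-SHA256 tag computed under a key that the
application, not the database, holds. Before a record's values are used to
recommend equipment settings, the tag is recomputed and compared. A bit
altered by a power surge or by a user without the key fails the check, so the
corrupted value is rejected instead of silently reused.
"""
import hashlib
import hmac
import json
import secrets

# Assumption: in production the key lives outside the database (HSM, KMS, or a
# secrets store). It is generated here only so the example runs stand-alone.
INTEGRITY_KEY = secrets.token_bytes(32)


def canonical(record: dict) -> bytes:
    """Deterministic serialization so equal records always hash identically."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(record: dict, key: bytes = INTEGRITY_KEY) -> dict:
    """Return a copy of `record` with an HMAC-SHA256 tag over its contents."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {**record, "tag": tag}


def verify(sealed: dict, key: bytes = INTEGRITY_KEY) -> bool:
    """True only if the stored tag matches the record's current contents."""
    body = {k: v for k, v in sealed.items() if k != "tag"}
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    # compare_digest avoids leaking tag bytes through comparison timing.
    return hmac.compare_digest(expected, sealed.get("tag", ""))


def flip_bit(value: int, bit: int) -> int:
    """Simulate a storage fault: toggle one bit of an integer field."""
    return value ^ (1 << bit)


def recommended_setting(sealed: dict) -> int:
    """Use a record only after its integrity has been verified."""
    if not verify(sealed):
        raise ValueError(f"integrity check failed for record {sealed.get('id')}")
    return sealed["max_pressure_psi"]


# Constructed sample data: one test result for a piece of safety equipment.
ORIGINAL = seal({"id": "press-guard-7", "max_pressure_psi": 120, "tested_by": "lab-3"})


def demo() -> dict:
    """Return the outcome of using an intact record and a corrupted one."""
    # Corruption path: one bit flips in storage; 120 becomes 56 (bit 6 cleared).
    corrupted = {**ORIGINAL, "max_pressure_psi": flip_bit(ORIGINAL["max_pressure_psi"], 6)}
    result = {"intact_ok": verify(ORIGINAL), "corrupted_ok": verify(corrupted)}
    result["intact_setting"] = recommended_setting(ORIGINAL)
    try:
        recommended_setting(corrupted)
        result["corrupted_rejected"] = False
    except ValueError:
        result["corrupted_rejected"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

A keyed tag is used rather than a plain checksum because a checksum only catches accidental corruption: an insider who can edit the row can recompute a CRC or SHA-256 alongside it, but cannot forge the HMAC without the key. Note that this control detects modification after the fact; preventing it still requires access control on the database and the key.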

Destruction of Information Resources

In addition to unauthorized modification of information, security controls should also protect against the outright destruction of information, whether intentional or accidental. The most common control used to protect against this type of loss is the system backup. By storing copies of data on backup tapes or other media, the company has a fallback option in the event data is destroyed. Consider the case of an insurance company that stores policy information on servers in a data center. If that data center is destroyed by fire, off-site backup tapes can be used to re-create it. Without those backup tapes, the company would have no way of knowing which policies it had issued, putting the entire business in jeopardy. A backup only provides this protection if it is kept away from the systems it protects and is periodically tested by actually restoring from it.
