CHAPTER TWENTY-SIX

Information Assets Security Management

THE ADMINISTRATION of security that treats information as an asset is commonly problematic. It is frequently observed as a patchwork of physical and logical security techniques, applied with little thought to an integrated approach designed to achieve specific control objectives.

This chapter examines Information Assets Security Management and covers Information Technology (IT) and security basics as well as the fundamental concepts of Information Systems (IS) security.

WHAT IS INFORMATION SYSTEMS SECURITY?

IS security may be defined as security around and within the computer and associated equipment as well as the people using it.

The U.S. Federal Information Security Management Act (FISMA) of 2002 defines information security as:

The term “information security” means protecting information and Information Systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide—

(A) integrity, which means guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity;

(B) confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and

(C) availability, which means ensuring timely and reliable access to and use of information.1

This includes attempts at authorized ...
