Monday, December 10, 2012

Need for an information technology security policy in an organization



Widespread use of information technology (IT) has necessitated greater consciousness of IT security.  As people and organizations come to rely on computers and mobile phones for most of their activities, as the use of flash drives to move data from one computer to another within homes and offices becomes commonplace, and as more information and communication devices are connected to the Internet than ever before, malicious activities are on the increase: they obstruct the normal functioning of these devices and compromise the privacy and integrity of the data they contain.  What users of these IT devices do (or should do) to contend with such threats is very important.  It is not simple, for IT security is a complex issue.

The complexity stems from the diverse nature of IT and of its hub, information.  Looking at the many different devices, computer programs and networks that constitute IT, and at the varied formats in which information is held and transmitted, many people are intimidated.  They are unsure what sort and level of security to provide, and for which items, especially when there are many competing critical expenses.  The usual stance has been to assume there will be no security issue and, if one does come up, to deal with it then.  We cannot see what is wrong with this reactive approach until we have understood what IT security actually is and the extent of the calamities that negligence can bring upon us.  Although IT security is wider than computer security, information security, data security and the other related terms in use, the definition of computer security given in the American National Standard Dictionary of Information Technology (ANSDIT) (2009) is a good representation of what IT security means.  ANSDIT's definition points to taking appropriate actions to protect data and resources from accidental or malicious acts.  Data, in whatever form, are simply what IT works with, and resources encompass the devices, software and networks that participate in processing and communicating the data.  Accidental or malicious acts may be loss or unauthorized modification, destruction, access, disclosure or acquisition.

No matter how complex it is, security of information technology must not be kept on the reserve bench of expenditure heads, to be called up only when there is surplus money or when attackers strike.  Security has to be thought about during the planning of hardware and software acquisition, of data generation, warehousing and transfer, and of the installation of all kinds of networks and servers.  Just as policies guide human resource management, procurement, production and other major activities so that organizations achieve their goals effectively and efficiently, there ought to be a policy providing direction for effective and adequate IT security, since IT now pervades all organizational functions.  Sadowsky et al. (2003) said that putting a set of effective security policies in place is one of the critical steps you must take to ensure that your machines and information are secure from unauthorized access and that you are able to exchange that information securely with others on the network.  An IT security policy is simply a plan or course of action (conventionally written) adopted for providing IT security.

A great deal has been written about various aspects of IT security, a term used interchangeably with computer security, information security, data security and information and communication technology (ICT) security.  The works published on IT security so far are intelligently written and incisive.  They are indeed exciting.  What is not delightful, however, is the neglect of the policy aspect.  One reason for this neglect, this writer assumes (based on practices in his environment), is that practicing IT security without a policy has been the norm, and where a policy does exist it is rarely implemented, creating the impression that a security policy is needless.  This explains why many organizations' strategy is traditionally reactive.  In many cases, the fire-brigade measures launched against attacks lack the potency to restore conditions to the original state.

A policy prepares an organization to prevent attacks deliberately rather than react to them.  Organizations and IT security practitioners should accord the IT security policy the attention it deserves for the most effective mitigation of IT risks, especially now that war fronts are being moved into cyberspace.

REFERENCES:


American National Standard Dictionary of Information Technology (2009). Washington, DC: InterNational Committee for Information Technology Standards (INCITS).

Sadowsky, George, Dempsey, James X., Greenberg, Alan, Mack, Barbara J., & Schwartz, Alan (2003). Information technology security handbook. Washington, DC: The International Bank for Reconstruction and Development/The World Bank.

About the author
Chris Prince Udochukwu Njoku (PhD) is Principal Operations Manager in Information and Communication Technology Unit of University of Nigeria.