information security


The protection of data against unauthorized access. Programs and data can be secured by issuing passwords and digital certificates to authorized users. However, passwords only validate that a correct number has been entered, not that the person who entered it is the actual authorized user. Digital certificates and biometric techniques (fingerprints, eyes, voice, etc.) provide a more secure method (see authentication). After a user has been authenticated, sensitive data can be encrypted to prevent eavesdropping (see cryptography).

Authorized Users Can Be the Most Dangerous
Although precautions can be taken to authenticate users, it is much more difficult to determine if an authorized employee is doing something malicious. Someone may have valid access to an account for updating, but determining whether phony numbers are being entered requires a great deal more processing. The bottom line is that effective security measures are always a balance between technology and personnel management. See Parkerian hexad, information assurance, security scan, security audit, audit trail, NCSC, ICSA, access control, share-level security, user-level security and social engineering.


Face Recognition
Face recognition is one of the best ways to authenticate a person. This TrueFace system from Miros uses neural network technology to distinguish a face with different appearances, such as with and without glasses and changing hair styles. (Image courtesy of Miros, Inc.)
References in periodicals archive
"Audit committees are beginning to see IT security as a challenge they can't ignore," says Stephen Head, CPA, senior security consultant in the enterprise security practice group of Royal & Sun Alliance Inc.
CPAs in internal audit acknowledge the importance of "stepping up to the plate" on IT security issues to assure protection of information.
Management doesn't necessarily understand the importance of this, but where there's poor IT security and no (or inadequate) auditing of it, someone can bring a company or an entire industry to its knees.
Unfortunately, internal auditors and IT security specialists say, some senior executives and board members look at these issues reactively rather than proactively--which makes it harder for IT risk management to be an ongoing and effective corporate governance tool.
Questions auditors should pose to the board include: What events will effective IT security prevent, and what would those events cost the company if unmitigated?
Sharing confirmed vulnerabilities with the audit committee is the preferred way of making IT security risk more concrete.
For companies that do not have a chief information officer, avoid a situation where IT security becomes the concern of everyone, with no one in charge.
After Murphy attended the seminar, and with the support of the company's audit committee, its internal audit and IT departments and the IIA, Comdisco held a corporate forum on IT security which featured a discussion of best practices.
Make sure IT security is on the radar screen for management and audit committees.
The upshot of that meeting was that Comdisco created an information protection group consisting of internal audit, IT and other executives which now issues a biweekly bulletin on IT security sent electronically to all employees.
Audit committees need assurances that auditors have the resources to evaluate IT security and management's responses to risks.
Internal auditors will ultimately be involved when a crisis occurs and can use their financial control skills in the planning process to establish who is responsible for and what the responses are to IT security risks.