Information Security Assurance from a Resilience Perspective White Paper
Today the global business environment is more complex and interconnected than ever before. Organisations rely on electronic data as their lifeblood, and the systems that enable the storage, transport, access and manipulation of this data have become critical. Even simple spreadsheets can become mission-critical systems in their own right, and this has resulted in an era where networks and the applications sitting within them have become the backbone of every organisation, regardless of its size or market sector. As a result, networks and applications are a primary channel for businesses and one that they must protect if they are to meet their business objectives and, in the end, to survive.
For many organisations, their approach to information security results in a fortress mentality that focuses on implementing defences and preventing an attack. It is increasingly acknowledged, however, that we cannot build sufficient defences to be 100% secure while still allowing our organisations to carry out their business effectively, and for many this siege-based approach is therefore no longer acceptable. A more resilient approach to the management of information security is needed. This approach should not only accept that organisations cannot be 100% secure but also acknowledge that the cost of securing them can be large. A risk-based approach should therefore be adopted: one that manages information security holistically, accepts that the risks cannot be fully mitigated, and builds in resilience. Doing so places greater emphasis on the importance of gaining an appropriate level of assurance.