ISSA Milwaukee June Meeting

Yesterday afternoon I attended the June 2011 general meeting of the Milwaukee Chapter of the ISSA. The meeting was held at the New Berlin Ale House and was well attended by approximately 30-35 people.

The guest speaker for the meeting was Robert Clark, Eastern US Channel Manager for TriGeo Network Security, and the topic was, “What Can a SIEM do for You?” “SIEM,” of course, stands for “Security Information & Event Management.” Mr. Clark’s talk was relatively quick and not very technical, but he did bring up some useful questions to ask your SIEM vendor, including:

  • What does the solution have to offer out of the box and does it require several modules to meet your requirements?
  • Are there any ongoing professional services and what are the costs?
  • Will you need to provide the hardware?
  • Is the data evaluated in real-time or is it primarily a forensics solution?
  • Does the correlation engine process events in memory or query the database?
  • How intuitive is the interface? Can you easily build or customize rules, filters, etc.?
  • How long is the implementation process and does it require on-site technicians?

Two of the attendees explained how they evaluated SIEM solutions. Their advice was to commit to developing an in-house expert; otherwise professional service fees will eat your budget and you’ll never get a proper ROI on a SIEM solution. One person suggested this might be a valid reason for some organizations to consider a Managed Security Services (MSS) solution.

One attendee also suggested following Anton Chuvakin’s Blog, as he frequently blogs about SIEM.

In all, it was another successful ISSA Milwaukee chapter meeting and a great opportunity to network with other information security professionals in the area.

Defining Information Security Risk

Years ago I wrote a definition of Information Security Risk that still seems to work well for me. Here it is:

Information Security Risk is a function of (a) the likelihood of a specific threat-source exploiting a specific vulnerability in a specific information system and (b) the resulting impact of that event on confidentiality, integrity, and availability.

Do you have a different definition of Information Security Risk? Please add it as a comment!

What is an Information System?

We use them all the time, but what exactly is an “Information System”? Let’s break down the words…

A System is “a collection of components organized to meet an objective.” What kind of components? Whatever components are needed to meet the objective! Traditionally, that means “people, processes, and technologies.” And, what is the objective of an Information System?

The objective of an Information System is “to transfer, process, store, and manage” information. But, what is information?

Information is data that is relevant and has meaning in a context. So, the numbers 7155551212 are not information; they are data. But, if I ask you to call Linda at 715-555-1212, those numbers become information in the context of making a telephone call.

Now, our definition of an Information System is more complete. Let’s put it all together: An Information System is a collection of people, processes, and technologies organized to transfer, process, store and manage data that is relevant and has meaning in a context.

It’s quite interesting because data are only representations of aspects of the real world and of our ideas. There really is no physical thing that is the letter “A”. “A” is just a symbol to represent something in the real world (perhaps the sound we make when we say the letter “A”), or an idea (whatever that “A” sound represented long ago).

An Information System (such as a computer) is just a collection of components organized to transfer, process, and store relevant and meaningful representations of the real-world and our ideas. Simple enough. But, take that collection of components and make them operate very, very fast, and now you have something that can really transform our world and our ideas.

This article was originally published on July 24, 2008, as a Google Knol. See http://knol.google.com/k/clint-laskowski/what-is-an-information-system/3v4qe269ituzc/2.

Security in a Down Economy – Tip # 1

Take Care When Adding to an Employee’s Responsibilities

During a down economy, management may temporarily move employees from one role to another, or have one employee cover two or more roles. This can be an important step in reducing costs and keeping a business viable. However, as roles and responsibilities change, it is not uncommon for employees to gain new information systems privileges while still keeping their old privileges. This can create situations where employees have excessive privileges and can therefore easily commit fraud or conduct other malicious activities. When an employee is transferred to a new role or takes on new responsibilities – even temporarily – it is important to ask questions such as:

Which of the employee’s information systems privileges can be reduced or eliminated because they are no longer needed to fulfill his/her job duties?

These should be immediately reduced or eliminated.

Which of the employee’s information systems privileges, when combined with the employee’s other privileges, create a potential for fraud or other malicious activities?

These should be immediately segregated by transferring incompatible responsibilities and activities to other employees (but be sure to ask these same questions about those employees before transferring).

Of course, these questions should be asked whenever an employee changes roles or has changes in his/her responsibilities or his/her systems privileges.
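The two questions above can be run as a repeatable check at every role change. The following is an added example, not part of the original post; the role names, privilege names, incompatible pairs and employees are constructed for illustration.

```python
# Constructed sample data (assumptions, not from the original post).
ROLE_PRIVS = {
    "ap_clerk": {"invoice.enter", "vendor.view"},
    "ap_approver": {"invoice.approve", "vendor.view"},
    "vendor_admin": {"vendor.create", "vendor.view"},
}
# Pairs of privileges that one person should not hold together.
INCOMPATIBLE = {
    frozenset({"invoice.enter", "invoice.approve"}),
    frozenset({"vendor.create", "invoice.approve"}),
}

def needed(roles):
    """Union of privileges required by every role the employee now covers."""
    return set().union(*(ROLE_PRIVS[r] for r in roles))

def conflicts(privs):
    """Incompatible pairs fully contained in a privilege set."""
    return sorted(tuple(sorted(p)) for p in INCOMPATIBLE if p <= privs)

def review(held, roles):
    """Answer both questions for one employee after a role change."""
    req = needed(roles)
    return {
        # Question 1: privileges no longer needed for the current duties.
        "revoke": sorted(held - req),
        # Risk if new privileges are granted and nothing is removed.
        "conflicts_if_kept": conflicts(held | req),
        # Question 2: conflicts that remain even after cleanup, so a
        # responsibility has to move to another employee.
        "conflicts_after_cleanup": conflicts(req),
    }

def safe_recipients(priv, candidates):
    """Employees who can take over `priv` without gaining a new conflict."""
    return sorted(
        name for name, held in candidates.items()
        if not any(priv in pair for pair in conflicts(held | {priv}))
    )

if __name__ == "__main__":
    # Employee moved from clerk to approver, still holding old privileges.
    print(review({"invoice.enter", "vendor.view", "vendor.create"},
                 ["ap_approver"]))
    # Employee temporarily covering two roles at once.
    print(review({"invoice.enter", "vendor.view"},
                 ["ap_clerk", "ap_approver"]))
    # Ask the same question about candidates before transferring a duty.
    print(safe_recipients("invoice.approve",
                          {"lee": {"vendor.create", "vendor.view"},
                           "sam": {"vendor.view"}}))
```
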

Watch for another Security in a Down Economy tip soon!

Laptop losers hall of shame

Here’s a list of the 10 biggest (known) security breaches from lost or stolen laptops, where government agencies, corporations and colleges failed to safeguard the names, Social Security numbers and other personal info of their customers. Encryption software – which costs as little as $10 per laptop – could have prevented most of these incidents.
