Md. Arafat Rahman: Information is the most valuable asset of an organization. There are different types of information to consider when accessing. Some information is open and some information is confidential. There are also several stages of access to information based on the level of privacy. Some such information is open to the public without any authentication. Some data are subject to single-source authentication. Multiple authentications required for some information. Again some information is the organization`s own. Some information is highly confidential which is used by certain people in the organization.
So it is essential to have a clear idea about the information and access to an organization. For information security, it is necessary to categorize the information of the organizations through proper verification. In order to achieve the goal of “Digital Bangladesh”, all government agencies need to be brought under the e-governance framework. Various ministries, departments, directorates, and agencies are working to implement e-governance. Its purpose is to develop and facilitate government work and increase the capacity of the government.
To do this, the data needs to be digitized and all digitized information needs to be processed and stored in such a way that the data is not lost or misused. In recent times, Bangladesh has been attacked by web defamation, data crashes, data theft, distributed denial of service etc. due to various reasons including lack of information security procedures, weak and unmanaged security control system, management by low skilled staff and lack of specialized knowledge and skills. There are no adequate preventive, investigative and administrative security measures in place to protect digitalized government information resources against these attacks.
Therefore, it is essential to formulate proper security policies and implementation strategies to prevent unauthorized intrusion into digitalized government information resources. The Internet is an open source of information for all. Internet and other technologies, such as mobile, tablet PCs, and wireless technology have made information available and affordable. On the other hand, information can be used as a tool to create chaos in the country. So the company has to play a responsible role regarding the information provided on the internet.
In addition, the organization must also be aware of the information transmitted and stored in various mediums, such as information transmitted on the Internet or LAN or in the cloud or information stored on internal databases or computers. Electronic information systems process data through the use of information technology, including computer systems, servers, workstations, terminals, storage media, communication devices, network resources, and the Internet. Data security is the protection of the confidentiality, accuracy and availability of information. It may also include other features such as authenticity, accountability, disclaimer and dependency.
An information security policy is an authoritative list of management guidelines detailing the proper use and management of computer and network resources to protect against any unauthorized disclosure, alteration or loss stored or processed in information management resources. Data protection is essential to establish and maintain trust between governments, citizens and institutions. Information security is a process associated with a company`s manpower and technology through which that organization provides the protection and security of its information. Information security policies help determine policy and control strategies to protect information from attacks, threats, misuse, damage and unauthorized access.
Like other important assets of an organization, information, is an asset that is essential for the activities of the organization and which is properly protected. In the broadest sense, information refers to the basis on which an organization conducts its activities. Reliable information enhances the organization`s capacity to help make better decisions. The government stores information that is important for administrative, political, commercial or personal reasons. One of the responsibilities and legal obligations of the government is to protect this information from unauthorized or sudden changes, damage, loss or unwanted disclosure.
Ethics is also involved in the proper use of information. There can be different forms of information such as - authentic documents and papers, Electronic data, Information systems (software, hardware and networks) through which information is stored, processed and exchanged, intellectual information (knowledge or ideas) of the person, Physical materials from which ideas related to the design, or use of information can be found and images, audio or video clips.
Information is a very important resource which must be protected to ensure trust between those who use the resources and those who own them. Protection is closely linked to security risk assessment. The first task in determining security risks is to review the data resources of the organization such as: application programs stored in the computer system of the organization, stored data, reports, product design and specification, proposals, work plans, financial documents, databases and other files. The purpose of the survey is to organize the resources in order to help them know about the resources and their scope.
It is necessary to determine the right owners of the various assets and motivate them to take responsibility for determining the importance and significance of the assets. Information’s must be classified to determine who will have access to them. Once the information resources are properly identified and properly classified and their scope is determined, the next step will be to determine who will have access to the information. Information resources are information that can be precisely defined and stored through any medium that is recognized as `valuable` to the organization.
There are many types of resources such as database and data file agreement, system documentation with process, research data, usage rules, training materials, management or support methods, continuity planning of activities, implementation of special measures in case of difficulties, audit statement and ultimately stored information, application software, system software, system development tools and other emergency facilities, computer equipment, communication equipment, portable promotional equipment and other equipment, accounting and communication services, manpower, their qualifications, skills and experience and non-material resources such as the reputation and image of the organization.
The most important and valuable information for an organization is those that relate to the core or most important responsibilities, capabilities or goals of that organization. Proper confidentiality, accuracy and easy availability of information show the value of information resources in an organization. Possible losses to the organization due to violation of confidentiality include direct and indirect financial losses, revenue shortfalls, and failure to meet service delivery obligations or reputation damage. The indirect consequences of failing to provide security must also be considered. The basis for determining the value of information resources is the confidentiality, accuracy, authenticity, disclaimer and easy access to information resources.
A data protector is a person employed by a data proprietor who will protect information by following the maintenance and control measures introduced by the proprietor. If he needs to provide information to others, he will be responsible for it. The protector completes the regular backup and data acceptance verification activities in the manner prescribed by the data owner and will also be responsible for saving the data in various ways from the backup and imposing controls on access to the data. Each resource will be the responsibility of a protector. The protector is ultimately responsible for the security of the information resources. That is why he has to make sure that all the responsibilities are being fulfilled properly.
As a result of continuous storage, the data base can become huge and it can hinder the optimal use of information. For this reason, the usability-passed, multiple copies, additional and unnecessary information can be destroyed or finalized. In order to destroy the data of any organization, proper approval of the owner of the information must be obtained and the reasons for the loss must be recorded in the log book. In the case of preservation, an organization must consider the preservation system of electronic information resources, such as the preservation of paper and documents.
Considering the importance of data resources, an organization will determine the period of preservation of its data resources. The agency must follow the Information and Communication Technology Act and other relevant laws when setting deadlines. The issue of information security is an essential part of the continuity of day-to-day activities and other management processes of the organization. It includes risk identification and mitigation.
At the same time, this process will ensure general risk assessment, minimizing the harmful effects of incidents, and ensuring the availability of information necessary for day-to-day activities. The various steps in planning for the continuity of day-to-day activities are incorporating information security into the management process, continuity of activities and risk assessment, development and implementation of plan including information security, activity plan instructions and activity plan testing, error removal and correction.
Md. Arafat Rahman is Columnist & Asst. Officer of Career & Professional Development Services Department, Southeast University, E-mail: arafatrahman373@gmail.com
