Information Security: The Basics
Information security is defined as the protection of information assets (ICT systems, Networks, Data, etc.) from a wide range of threats and vulnerabilities in order to ensure business continuity, minimise business risk, and maximise return on investments and business opportunities.
The security itself is achieved by implementing a suitable set of controls, including policies, processes, procedures, organisational structures, and software and hardware functions. These controls need to be established, implemented, monitored, reviewed and improved, where necessary, to ensure that the specific security and business objectives of the organisation are met. Of course, this should be done in conjunction with other business management processes.
Information Security is made up of a number of technical, operational and management components, in various layers, all working in coordinated and integrated processes.
Whenever this topic is mentioned, the first thing that comes to mind for many is hackers, crackers or geeky underworld cyber criminals, but there is more to this field than that.
Why Worry About Information Security in Zimbabwe
Almost every organisation (large, medium or small) in Zimbabwe uses various ICT systems to carry out its day-to-day functions and attain its business objectives. There is also wide adoption of computers and the internet in most Zimbabwean homes and schools.
This wide use of ICT systems and internet connectivity by Zimbabwean organisations and citizens means that we also become prone to the various security threats, risks, vulnerabilities and cyber attacks that affect the rest of the world. Hence the need for Zimbabwe to worry about security, especially now that there is a road map to expand IT in the country, as proposed by the ICT Strategic Plan.
Therefore, in this playing field riddled with asymmetric cyber attacks and an ever-changing threat landscape, there is a need for the Zimbabwe ICT industry and organisations to develop appropriate security controls and programs to protect themselves from becoming victims of security breaches.
Usually a security program is only as good as its weakest link, and that weakest link is usually the people. Therefore, the initial step for Zimbabwean organisations to step up their information security drive is to invest in their people by ensuring that all staff get the right security skills, training and general awareness of threats and basic prevention methods. Organisations may invest in advanced security defence controls such as firewalls and intrusion detection and prevention systems, but without the right people, technology alone will not accomplish the desired goals.
Security: Where it stands in Zimbabwean Industries
Although most organisations utilise ICT systems, the will, and hence the effort, to invest in security is still minimal. This may be attributed to a lack of adequate security governance structures, limited funds, poor legislation or a shortage of skills to implement security programs.
For example, there are no major information security compliance or legislative requirements to govern the implementation of security in Zimbabwe. The only major requirement around is for banks to comply with the RBZ Bank Certification (Bank Supervision IT requirements).
As a result, some Zimbabwean organisations in the financial, insurance, telecom and healthcare services are operating on what I call the shoestring: little or no security at all.
On the other hand, some organisations are still running on old, outdated legacy IT systems which are either no longer supported by the vendors or for which the skills to maintain them are no longer available. This also means that security patches for these legacy systems are not available, increasing the possibility of these systems being attacked.
Most Zimbabwean organisations do not have viable information security awareness training programs to ensure that all levels of their staff are made aware of the various security issues and risks. As a result, most staff are just blindly following their blind leaders, thus making the national IT infrastructure/environment more vulnerable to security threats.
In view of the above, Zimbabwe still lags behind some other countries worldwide, especially fellow African economies such as South Africa, Kenya, Egypt and Namibia, just to name a few.
Stepping into the Future
Moving forward, we will discuss various information security topics: the level of information security, the skills in Zimbabwe, the level of security governance, and what organisations can do to invest in security and the right skills (either to retain those already in Zimbabwe or to attract back the skilled people who left). We will also focus on global security trends and initiatives and how we can best adopt them in Zimbabwe. We will highlight how one can develop a career in this field, which is often ignored by many training institutions and organisations.
2 thoughts on “Why Organisations Should Worry About Security”
Information Security – It is good that we are talking about information security. We have a lot to put in place in Zimbabwe regarding information security. Obviously the basics are a starting point to ensure that everyone and especially those responsible and accountable for corporate governance and risk management fully articulate their roles and responsibilities over protection of information assets and controls over financial transactions that these are executed in accordance with management’s authorisation (based on statutes, regulations, organisational delegations, and policies) and recorded properly to allow for the preparation of financial statements in accordance with generally accepted accounting practices.
The advantage that we have as a nation is that we do have the skills and technical know-how which are widespread globally and definitely require ingenuity to access and utilise for the development of sustainable corporate governance, risk management and financial frameworks that employ best practices for the protection of information assets and attainment of the business objectives.
I totally agree with the author. Having worked in Zimbabwe as a “Network Engineer”, I have learnt that Zimbabwean Service Providers are only worried about providing connectivity to clients and Security is just an issue they talk about which is nothing but an unnecessary expense to implement. The idea of a secure network in Zimbabwe is a firewall which is managed by an administrator who does not understand 95% of the default configurations on that firewall.
Most companies (Service Providers included) in Zimbabwe do not have a designated IT Security department to advise and guide the business on Info Security issues. Having a skilled Security department will ensure that security is considered at the beginning of every project and not to try to integrate it into an existing system or network, thereby developing secure systems, and also ensures that Security is enforced daily.
It is high time we seriously consider Info Security for the survival of our organizations and to protect our valuable information from competitors and hackers.