IT Security
Data Security

Every piece of information in an organization is data, whether it is an email sent internally or one received from a customer. The modern office generates a great deal of information online, and many of its processes run on computers. The purpose of the data security component of the IT security program is to reduce the risk associated with unauthorized access to, disclosure of, or destruction of the organization's controlled data. Rules for the access, storage, and dissemination of data must be clearly defined.

The IT or Systems department shall develop, document, and implement policies and procedures for the classification of data and for the application development process.

Classification of data may be based on the organization's risk analysis. Data may be classified as sensitive/confidential or public, and as internal or external. Data relating to vendors and to customers must be classified separately.

Application development processes must ensure version control and currency: only the latest approved version may be the live version in use. System security requirements must be assessed and tested throughout the development life cycle.

Service Level Agreements (SLAs) shall be signed whenever data is likely to be shared with an external organization. The SLA and Non-Disclosure Agreement shall cover information security in detail, addressing the amount of data to be shared, the classification of the data being shared, how it will be shared, how it will be returned, and how it will be protected at the external organization.

Data and program backup are to be addressed in detail, both on the organization's premises and on the partner's.


Secure management of information and data encryption standards must be implemented to strengthen data protection. The areas where data has to be encrypted are generally identified in the risk management study.

Encryption may be implemented in the areas of secure file transfer, secure e-mail, and secure data storage.

Secure File Transfer

Secure exchange of information from one application or user to another requires that, if the data is intercepted during transmission, it cannot be read or understood. Only the intended recipient shall be able to receive and read the content, and a confirmation may be requested once the secure data has been transferred to and received by the intended recipient.

Secure E-mail

More and more business is being done by email: proposals are sent through email, and purchase orders are issued through it. Ensure that at least the attachments are encrypted, so that they cannot be read if they are maliciously intercepted. No one other than the actual user shall be able to modify and send that user's mail. Biometric-enabled login systems may be considered to prevent misuse of other users' email accounts.

Secure Data Storage

Secure data storage is the protection of data content, and of changes in the data's state, from the point of its original storage on electronic media, by using encryption processes. Secure data storage requires that the data can be read only through an authorized process, which decrypts the data after retrieving it from the database; anyone who tries to read the data directly from the database finds it unreadable. The organization shall also have a recovery mechanism for encrypted data, including encrypted data that has been damaged through abuse, and shall be able to measure the extent of damage caused by such abuse.
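As an added example (not code from the original page) of the storage pattern described above, the following Go program encrypts a record before it reaches the store and decrypts it only through the authorised path, using AES-GCM from Go's standard library; the in-memory map standing in for the database, the record ids and the demo key are all constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Store is a constructed in-memory stand-in for a database table; the key is held only by
// the authorised process (a KMS or HSM in practice) and is never written to the store.
type Store struct {
	aead cipher.AEAD
	rows map[string][]byte // record id -> nonce||ciphertext||tag
}

func NewStore(key []byte) (*Store, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &Store{aead: aead, rows: map[string][]byte{}}, err
}

// Put encrypts on the way in; binding the record id as associated data stops a ciphertext copied into another row from decrypting there.
func (s *Store) Put(id string, plaintext []byte) {
	nonce := make([]byte, s.aead.NonceSize())
	rand.Read(nonce) // fresh random nonce per write (crypto/rand does not fail on current Go releases); GCM nonces must never repeat under one key
	s.rows[id] = append(nonce, s.aead.Seal(nil, nonce, plaintext, []byte(id))...)
}

// RawRead is what a direct read of the database yields: bytes that are meaningless without the key.
func (s *Store) RawRead(id string) []byte { return s.rows[id] }

// Get is the authorised path: retrieve, then decrypt; GCM's tag check turns any tampering or corruption of the stored bytes into an error rather than silently wrong data.
func (s *Store) Get(id string) ([]byte, error) {
	row, ns := s.rows[id], s.aead.NonceSize()
	if len(row) < ns {
		return nil, fmt.Errorf("record %q missing or truncated", id)
	}
	return s.aead.Open(nil, row[:ns], row[ns:], []byte(id))
}

func main() {
	s, _ := NewStore([]byte("0123456789abcdef0123456789abcdef")) // constructed demo key, 32 bytes
	s.Put("cust-42", []byte("card ending 1234"))
	pt, err := s.Get("cust-42")
	fmt.Printf("raw row: %x\nauthorised read: %s (err=%v)\n", s.RawRead("cust-42"), pt, err)
}
```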

Web Server Data Security

The web server is a tricky issue. You need to grant certain permissions to users, and while you are authorizing ‘read’ or ‘write’ permissions you must take extra care. If confidential or sensitive data is to be made available to others, the appropriate security, server, and database configuration shall be put in place and documented to maintain the confidentiality and integrity of the data on the web server. Switch off unused ports. Ensure that SMTP relaying is either off or properly monitored.