IT AND ENVIRONMENTAL SECURITY

IT and environmental security involves technical, organisational, legal and human elements. To assess security, it is generally necessary to identify the threats, vulnerabilities and risks associated with IT assets, in order to protect them from possible attacks (internal or external) that could cause direct or indirect damage to an organisation, with an impact exceeding an established tolerability threshold (economic, political-social, reputational, etc.). In addition to the three pillars that make up the CIA triad (confidentiality, integrity and availability), the following can also be considered: authenticity, non-repudiation, accountability and reliability.

Since information is a company asset, and most information today is held on IT storage devices, all organisations have an interest in guaranteeing the security of their data, in a context in which IT risks caused by breaches of security systems are continually on the rise.

Alongside IT security measures, others are implemented to guarantee environmental security, such as sweeping offices, communal areas and electronic devices to verify whether any recording and/or jamming devices are present.

RISK MANAGEMENT

A risk management project comprises five steps:

  • Risk context establishment 
  • Risk identification 
  • Risk analysis 
  • Risk assessment 
  • Risk control 

The “risk control” step is often divided into two parts: preparing and approving the Risk Action Plan, and executing, controlling and amending the plan.

In parallel with the central process, communication and consultation skills are also required. Monitoring and reviewing are an intrinsic part of the process, to ensure it is carried out in a timely manner; identification, analysis, assessment and control are constantly updated. 

Risk management is therefore a recursive process, subject to updates, and does not end with the initial identification of risk. 

TRAINING

It is no longer conceivable to entrust IT security solely to the IT department, or to adopt a DIY approach. It is essential to raise awareness of the issue throughout companies and organisations, so as to promote an IT security culture at all levels.

The aim is to boost people’s level of awareness, using the many examples of information technology attacks taken from everyday experience, in order to learn how to recognise and avoid them.

The goal is to create an IT security culture by teaching a few simple habits applied to the everyday use of technology, to the benefit of all collaborators, the company organisation and individuals in their private usage.