A model for evaluating information security

Abstract

During the last few decades computing environments have advanced from single user systems to distributed, open environments we all know today. Through these Information Technology advancements, more and more role players moved into the computing arena, resulting in much more and more serious risks threatening the information resources. Information became a very important organizational asset and it needed protection in the same way all other organizational assets needed protection. A few technical controls used to be adequate to protect computing environments of the past, but the highly advanced IT environments of today require more sophisticated protection, and some proof thereof. It is important to realize that, once an organization is trading with business partners through electronic means, then the direct control over information and information resources of the organization is not in the hands of the organization alone anymore. The insecurity of the business partner may threaten the security of that organization [Von Solms, 1997, p.2 1]. Secure business partners is a prerequisite for electronic commerce. A crucial question arises: How can an organization prove adequate information security as a business partner in this age of electronic commerce? The answer to this question lies in information security evaluation and certification.