Last Updated: 12th September, 2019
Information security, occasionally abbreviated to infosec, is the practice of securing information by mitigating information threats. It is one component of managing information threats. It usually involves preventing, or at least reducing the chances of, unauthorized or inappropriate access, disclosure, use, disruption, deletion or destruction, corruption, modification, inspection, recording or devaluation of information. It may also involve limiting the harmful effects of incidents when they do occur.
Information can take any form, electronic or physical, tangible (e.g. paperwork) or intangible (e.g. knowledge). The key focus of information security is protecting the confidentiality, integrity and availability of information (often referred to as the CIA triad) while retaining a focus on effective policy execution, without hindering the organization's security objectives or its effectiveness.
With digital transformation and big data, information is an invaluable asset. It enables us to interact, execute transactions, and establish businesses; however, if it falls into the wrong hands, it can sometimes be weaponized.
Table Of Contents
- What Is Information Security?
- Information Security Objectives Of An Organization
- Types Of Information Security
- Information Security Certifications
What Is Information Security?
Information security, sometimes abbreviated as InfoSec, encompasses the tools and processes organizations use to protect their information. This includes setting policies to ensure unauthorized persons cannot access business or personal information. InfoSec is a constantly growing and evolving field with many areas of specialization, ranging from network and infrastructure security to testing and auditing.
Information security protects sensitive information, like account details or biometrics, from disruption, inspection, modification, recording or destruction. Repercussions of security incidents can include identity theft, tampering with information, or data wiping. From a business perspective, security disruptions interrupt workflow and cost money while damaging a company’s reputation.
To meet their security objectives, organizations need to allocate funds for security and ensure that their personnel are equipped to detect and deal with threats from attacks like phishing, malware, viruses, malicious insiders, and ransomware.
Information Security Vs Cybersecurity
Information security differs from cybersecurity in scope and objectives. The two terms are often confused: many people use them interchangeably, and some treat InfoSec as a subcategory of cybersecurity.
However, information security is, in fact, the broader category, covering many areas including social media, mobile computing, and cryptography, as well as aspects of cybersecurity. It is also closely related to information assurance, which includes protecting information from risks such as natural disasters and server failures.
Cybersecurity exclusively covers threats involving the internet, so it often overlaps with information security. It is also possible to separate information security from data security. Information can be either physical or digital, whereas the cybersecurity category only includes online data. Cybersecurity that deals with raw data, or data security, is not classified as information security.
Information Security Objectives Of An Organization
An organization's information security objectives center on three principles known as the CIA triad: confidentiality, integrity, and availability:
- Confidentiality – Preventing the disclosure of information to unauthorized users. This requires implementing access restrictions to protect personal privacy and proprietary information. Failure to maintain confidentiality, whether as a result of an accident or an intentional breach, can have severe consequences for businesses or individuals, who often cannot undo the damage. For example, a compromised password is a breach of confidentiality, and once it has been exposed, there is no way to make it secret again. The most publicized security incidents often involve a breach of confidentiality.
- Data Integrity – Ensuring the accuracy and authenticity of data. Only authorized persons may edit data, and they need to follow procedures to prevent former employees from retaining the ability to alter company data. A failure of integrity could, for example, allow a malicious attacker to redirect traffic from your website, or to edit or delete the content on your website.
- Availability – Authorized users should have reliable access to information when they need it. This often requires collaboration between departments, such as development teams, network operations, and management. An example of a common threat to availability is a distributed denial-of-service (DDoS) attack, where an attacker overloads or crashes the server to prevent users from accessing a website.
Types Of Information Security
Application security involves protecting software applications by preventing, detecting, and fixing bugs and vulnerabilities. Software vulnerabilities often affect web and mobile applications, as well as application programming interfaces (APIs). They provide an entry point for malicious attacks, so you need to be able to find and fix them. Specialized tools for security testing and application shielding provide protection for various aspects of your application portfolio.
Vulnerability scanning allows you to evaluate threats to your code so that it can be deployed securely. It can be static, involving code analysis at fixed points in the development pipeline; dynamic, involving analysis of running code; or interactive, which combines elements of both. App shielding tools like firewalls make it harder for hackers to carry out attacks.
Much of the security process takes place during the development stage, but efforts to secure your apps must continue after deployment. Application security responsibilities should be streamlined across specific teams, from desktop operations to network and development environments.
Cloud security includes the protection of data, applications, and infrastructure involved in cloud computing. High-level security concerns – unauthorized exposure and leakage of information, weak access controls, vulnerability to attacks, and disruption of availability – affect both conventional IT and cloud technologies.
It can be a challenge to safely build and host your software on the cloud. Since cloud computing involves shared environments, you have to make sure your processes are adequately isolated. You also need to ensure that any third-party cloud applications you use are safe. However, centralization facilitates the management of your cloud security needs.
Some IT departments are reluctant to move mission-critical systems to the cloud. All cloud models, whether hybrid, public or private, are vulnerable to threats. You can apply a set of policies, controls, and tools to help protect your systems and data, maintain compliance with licenses and regulations, and safeguard the privacy of your users. Authentication rules, for instance, restrict access to designated users or systems.
Your cloud provider may offer solutions for cloud security, which is the joint responsibility of your organization and provider. You need to choose the right security solution to protect your organization from threats like unauthorized access and data breaches while reaping the benefits of cloud computing.
Cryptography covers a range of techniques for communicating in a secure manner. As businesses retain, modify, and share confidential data online, cryptography and encryption are becoming increasingly essential. You can use encryption to protect the confidentiality and integrity of your data while in transit and at rest, and digital signatures to validate the authenticity of your data.
Examples of cryptography include blockchains and the Advanced Encryption Standard (AES). A blockchain is a ledger of records or “blocks” that helps secure, among other things, cryptocurrencies like Bitcoin. AES is a symmetric key algorithm used by the US government to protect classified information.
Traditional security perimeters protecting digital infrastructures are becoming blurred. As organizations take advantage of information technology and the internet, critical infrastructures like data centers, internal and external networks, servers, desktops, and mobile devices have become highly interconnected.
This makes them vulnerable to threats like sabotage by a disgruntled employee or cyber terrorist groups, information warfare waged by private profiteers or rival countries, and natural disasters like earthquakes or hurricanes that can damage physical structures.
The interdependence of infrastructures means that a failure or disruption in one system can spread to others. You can reduce this risk by restricting access points between networks. You should also ensure all your data are backed up, which can mitigate the damage to your infrastructure.
Having an incident response plan (IRP) in place allows you to prepare for breaches and mitigate the damage. This includes detecting and investigating suspicious activity so you can contain the threat and restore your system in the event of an attack. If you don’t respond to a security incident immediately, it may lead to further harm or breakdown of the system, as well as arbitration. It is also important to notify anyone who may be affected by the breach as soon as possible.
An IRP in the form of a clear set of written instructions ensures that your computer security incident response team (CSIRT) knows how to respond to an information security breach, and lets you manage the aftermath and reduce recovery time and costs. The response team should be preselected and include information security staff as well as representatives from the legal and human resources departments.
Include a mechanism for recording evidence for forensic analysis and legal purposes in the plan. The data from previous security incidents can help you discover or prevent a recurrence.
Vulnerability management is a means of reducing the risk of flaws in code or in the design of an application. When you expand your infrastructure, provide access to new users or add new applications to your systems, you are also increasing the potential vectors for attack. You can also find new vulnerabilities in old code.
Build in a schedule to continuously scan your digital environment for potential vulnerabilities, so you can apply patches or remove defective code. Having a system in place to assess the risks associated with vulnerabilities will help you find them and prioritize remediation. It is important to identify vulnerabilities early on so you can save your organization the costs of a breach.
Information Security Certifications
Information security practitioners require training and certification to ensure they are equipped to deal with various IT security tasks. Certifications for cybersecurity personnel can vary. For junior IT experts, basic certificates may be enough, while your organization’s Chief Information Security Officer (CISO) or Certified Information Security Manager (CISM) must undergo more extensive training.
Generally speaking, non-profit organizations provide commonly held compliance certifications; however, some products demand product-specific training.
This certification, issued by the Computing Technology Industry Association, based in the USA, reflects the most fundamental level of training for every kind of cybersecurity expert. The exam covers the core knowledge necessary to identify and solve IT security issues. It is suitable for entry-level positions like junior auditors and penetration testers.
Certified Information Systems Security Professional (CISSP)
CISSP is a more intensive accreditation, issued by the International Information System Security Certification Consortium, known as (ISC)². It isn’t suitable for all cybersecurity personnel and is typically reserved for senior positions like security managers.
For organizations, including private corporations and governments, the convenience and efficiency of IT solutions such as cloud computing and the internet of things have become absolutely essential, but they often expose confidential data to fraud and malicious exploits. It’s not possible to avoid the internet, but you can ensure that you have a system in place to secure your information and manage breaches when they do occur.