Information security or infosec is concerned with protecting information from unauthorized access. It's part of information risk management and involves preventing or reducing the probability of unauthorized access, use, disclosure, disruption, deletion, corruption, modification, inspect, or recording. If a security incident does occur, information security professionals are involved with reducing the negative impact of the incident. Note that information can be electronic or physical, tangible or intangible.
Information security is designed to protect the confidentiality, integrity and availability (also known as the CIA triad) of computer system and physical data from unauthorized access whether with malicious intent or not. Every information security program is concerned with the protection of the CIA triad while maintaining organizational productivity.
While the primary focus of any information security program is protecting the confidentiality, integrity and availability (the CIA triad) of information, maintaining organizational productivity is often an important consideration.
This has led the information security industry to specific best-practice standards in the following areas:
- Information security policies,
- Password strength
- Access controls
- Multi-factor authentication
- Antivirus software, firewalls
- Legal liability
- Security awareness
Information security is achieved through a structured risk management process that:
- Identifies information, related assets and the threats, vulnerability and impact of unauthorized access
- Evaluates risks
- Makes decisions about how to address or treat risks i.e. avoid, mitigate, share or accept
- When mitigated, selects, designs and implements security controls
- Monitors activities and makes adjustments to address any new issues, changes, or improvements
Who Manages Information Security?
Threats to information security come in many forms including natural disasters, server malfunction, physical theft and unpatched endpoints.
While paper-based businesses still exist, the ever-increasing reliance on information systems has cause information security to become a key consideration in cybersecurity risk management and raise a need for dedicated IT security specialists.
These information technology security professionals are concerned with data security, application security, network security, computer security, physical security and data loss prevention.
Understand that data, applications, and computers are spreading far beyond what is traditionally thought of as a computer. Smartphones, tablets and other mobile devices are as much of a computer as a server or mainframe and are susceptible to malicious cyber attacks that can facilitate access to sensitive information, critical information, or information assets.
This, paired with the increasing amount of data breaches, has led for increased demand for sophisticated data protection planning and growing demand for cybersecurity professionals (especially in healthcare) to understand information security.
A growing number of information security certifications are available and employers often prefer employees with certification that validates knowledge of best practices.
There are broad certifications like the Certified Information Systems Security Professional (CISSP), and specific ones that cover information assurance, network security, security testing, business auditing, business continuity planning, security testing, incident response planning, identity theft, risk assessments, intrusion detection systems, security breaches, and all other security measures.
Common roles that required expertise in information management include IT chief security officer (CSO), chief information security officer (CISO), security engineer, information security analyst, security systems administrator and IT security consultant.
What are Information Security Threats?
Threats can come in many forms including software attacks, identity theft, sabotage, physical theft and information extortion:
- Software attacks on information security include viruses, malware, worms, ransomware like WannaCry, trojan horses or any malicious codes that impact the availability of information.
- Phishing emails or websites are often aimed at stealing intellectual property or log-in credentials to gain unauthorized access. Social engineering is one of the largest cyber threats and is hard to protect against with traditional security measures
- Sabotage like denial of service attacks often aim to reduce the availability of key information assets, reducing confidence or organizational productivity until payment is received in exchange for returning service to the organization
- Theft of information and equipment is becoming increasingly common as most devices are now mobile in nature like smartphones or laptops. This is placing more dependance on cloud security than ever before in history.
- Information extortion involves gaining access to confidential information and then holding it at ransom until payment is made
There are many ways to protect against cyber attacks but the number one threat to any organization are its users or internal employees who are susceptible to social engineering or phishing. This is why cybersecurity awareness training should be integrated into information security management programs.
The following free resources can be used for cyber threat awareness training in the workplace:
- What is a cyber threat?
- What is a data breach?
- What is social engineering?
- What are phishing attacks?
- What is clickjacking?
- What is typosquatting?
- What is a DDoS attack?
- What is Ransomware-as-a-Service (RaaS)?
How Do You Respond to Information Security Threats?
When a threat has been identified you have a choice:
- Reduce or mitigate the risk by implementing safeguards or countermeasures to eliminate or reduce threats and vulnerabilities
- Assign or transfer the risk to another entity or organization by purchasing insurance or outsourcing
- Accept the risk when the cost of the countermeasure is more than the possible cost of loss due to a vulnerability or cyber attack
With the introduction of the General Data Protection Regulation (GDPR) by the European Parliament and Council in 2016, the need to respond to information security breaches has become a regulatory requirement for any business operating within the EU. Companies are now required to:
- Provide data breach notifications
- Appoint a data-protection officer
- Require user consent for data processing
- Anonymize data for privacy
This makes a comprehensive incident handling plan and comprehensive data leak detection a requirement for most global businesses.
To support efficient remediation efforts a clear incident response plan needs to be designed and readily accessible by all security staff.
Learn how to create a reliable disaster recovery plan.
How Do You Define Information Security?
There are many ways to define information security but both the National Institute of Standards and Technology (NIST) and the National Information Assurance (IA) Glossary define information security as "the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability."
What are the Key Principles of Information Security?
Confidentiality, integrity and availability, also known as the CIA triad, are at the heart of information security. That said, there is a debate about whether or not the CIA triad sufficiently addresses the rapidly changing technology and business requirements, as well as the relationship between security and privacy. Other principles such as accountability have been proposed and non-repudiation does not fit in well with the three core concepts.
What is Confidentiality?
Confidentiality is about not making information available or disclosed to unauthorized individuals, entities or processes. While similar to privacy the words should not be used interchangeably.
Confidentiality is a component of privacy that implements security measures to protect against unauthorized viewers. User privacy has become an increasing part of confidentiality due to GDPR and other regulatory requirements.
Other examples of confidentiality include protection from laptop theft, password theft and other security management techniques.
What is Integrity?
Integrity or data integrity is concerned with the maintenance, assurance, accuracy and completeness of data over its entire lifecycle. This means implementing security controls that ensure data cannot be modified or deleted by an unauthorized person or in an undetected manner.
What is Availability?
For any information system to be useful, it must be available when needed. This means computer systems that store and process information, the security controls that protect it, and the communication channels that access it must function on demand.
Businesses and their customers increasingly rely on real-time high availability systems 24/7. This means information security professionals are increasingly concerned with ensuring availability by preventing power outages, hardware failure and denial of service attacks. Availability is often viewed as the most important part of a successful information security program as its ultimately the end-users who need to be able to use the information.
What is Non-Repudiation?
Non-repudiation is a term borrowed from law that implies one's intention to fulfil their obligations in a contract and that one party cannot deny having received or having sent a transaction.
How Does Information Security Fit in With Information Risk Management?
Information risk management is the process of identifying vulnerabilities and threats to information resources used by an organization and what if any countermeasures should be taken to reduce risk to an acceptable level based on the value of the information value to the organization.
There are two main considerations with any risk management process:
- The process of risk management is ongoing and iterative in nature, it must be repeated indefinitely as new threats and vulnerabilities emerge
- The choice of countermeasures or controls used must strike a balance between productivity, cost, effectiveness, and the information value of the asset being protected
Risk analysis and evaluation have innate limitations because when security incidents occur, they emerge in context and can come from unpredictable or unexpected threats like poorly configured S3 buckets or external attackers.
The likelihood that a threat will use a vulnerability to cause harm creates risk. In the context of information security, the impact is loss of confidentiality, integrity, or availability or all other possible losses (e.g reputational and financial damages). Note: It's not possible to identify nor mitigate all risks. This remaining risk is called residual risk.
What is a Threat?
A threat is anything (incidental or deliberate) that could cause potential harm, loss or exposure to an information asset.
What is a Vulnerability?
A vulnerability is a weakness or exploit that could cause harm, loss or exposure to an information asset.
What is Risk?
Risk is the likelihood that an event could cause harm, loss or exposure to an information asset.
What is a Risk Assessment?
Cyber risk assessments are defined by NIST as risks assessments are used to identify, estimate, and prioritize risk to organizational operations, organizational assets, individuals, other organizations, and the Nation, resulting from the operation and use of information systems.
At a high level a cyber risk assessment involves a data audit that answers:
- What data do we collect?
- How and where are we storing this data?
- How do we protect and document the data?
- How long do we keep data?
- Who has access internally and externally to the data?
- Is the place we are storing the data properly secured? Many breaches come from poorly configured S3 buckets, check your S3 permissions or someone else will
And then defines the parameters of the assessment:
- What is the purpose of the assessment?
- What is the scope of the assessment?
- Are there any priorities or constraints I should be aware of that could affect the assessment?
- Who do I need access to in the organization to get all the information I need?
- What risk model does the organization use for risk analysis?