Information security, or infosec, is concerned with protecting information from unauthorized access. It is part of information risk management and involves preventing or reducing the probability of unauthorized access, use, disclosure, disruption, deletion, corruption, modification, inspection, or recording.
If a security incident does occur, information security professionals are involved in reducing its negative impact. Note that information can be electronic or physical, tangible or intangible.
While the primary focus of any information security program is protecting the confidentiality, integrity and availability (the CIA triad) of information, maintaining organizational productivity is often an important consideration. This has led the information security industry to offer guidance, information security policies, and industry standards on passwords, antivirus software, firewalls, encryption software, legal liability and security awareness, to share best practices.
Information security is achieved through a structured risk management process that:
- Identifies information, related assets, and the threats, vulnerabilities and impact of unauthorized access
- Evaluates risks
- Makes decisions about how to address or treat risks, i.e., avoid, mitigate, share or accept them
- Where mitigation is chosen, selects, designs and implements security controls
- Monitors activities and makes adjustments to address any new issues, changes, or improvements
Table of contents
- Who manages information security?
- What are information security threats?
- How do you respond to information security threats?
- How do you define information security?
- What are the key principles of information security?
- How does information security fit in with information risk management?
- How UpGuard can improve your information security program
Threats to information security come in many forms, including but not limited to natural disasters, computer or server malfunction and physical theft. While paper-based businesses still exist, the ever increasing reliance on information systems has caused information security to become a key consideration in cybersecurity risk management and raised the need for dedicated IT security specialists.
These information technology security professionals are concerned with data security, application security, network security, computer security and physical security. Understand that data, applications and computers are spreading far beyond what is traditionally thought of as a computer. Smartphones, tablets and other mobile devices are as much of a computer as a server or mainframe and are susceptible to malicious cyber attacks that can gain access to sensitive information, critical information, information assets or control of important internal computer systems.
This, paired with the increasing number of data breaches, has led to increased demand for sophisticated data protection planning and a growing demand for cybersecurity professionals who understand information security. A growing number of information security certifications are available and employers often prefer employees with a certification that validates knowledge of best practices. There are broad certifications like the Certified Information Systems Security Professional (CISSP), and specific ones that cover information assurance, network security, security testing, business auditing, business continuity planning, incident response planning, identity theft, risk assessments, intrusion detection systems, security breaches, and other security measures. Common roles that require expertise in information management include IT chief security officer (CSO), chief information security officer (CISO), security engineer, information security analyst, security systems administrator and IT security consultant.
Threats can come in many forms including software attacks, identity theft, sabotage, physical theft and information extortion:
- Software attacks on information security include viruses, malware, worms, ransomware like WannaCry or trojan horses
- Phishing emails or websites are often aimed at stealing intellectual property or login credentials to gain unauthorized access. Social engineering is one of the largest cyber threats and is hard to protect against with traditional security measures
- Sabotage like denial of service attacks often aim to reduce the availability of key information assets, reducing confidence or organizational productivity until a payment is received in exchange for returning service to the organization
- Theft of information and equipment is becoming increasingly common as most devices are now mobile in nature like smartphones or laptops
- Information extortion involves gaining access to confidential information and then holding it at ransom until payment is made
There are many ways to protect against cyber attacks, but the number one threat to any organization is its users or internal employees, who are susceptible to social engineering or phishing. This is why cybersecurity awareness training and security controls are important at all levels of your organization.
When a threat has been identified you have a choice:
- Reduce or mitigate the risk by implementing safeguards or countermeasures that eliminate or reduce threats and vulnerabilities
- Assign or transfer the risk to another entity or organization by purchasing insurance or outsourcing
- Accept the risk when the cost of the countermeasure is more than the possible cost of loss due to a vulnerability or cyber attack
With the introduction of the General Data Protection Regulation (GDPR) by the European Parliament and Council in 2016, the need to respond to information security breaches has become a regulatory requirement for any business operating within the EU. Companies are now required to:
- provide data breach notifications
- appoint a data-protection officer
- require user consent for data processing
- anonymize data for privacy
This makes a comprehensive incident handling plan and comprehensive data leak detection a requirement for most global businesses.
There are many ways to define information security but both the National Institute of Standards and Technology (NIST) and the National Information Assurance (IA) Glossary define information security as "the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability."
Confidentiality, integrity and availability, also known as the CIA triad, are at the heart of information security. That said, there is a debate about whether or not the CIA triad sufficiently addresses rapidly changing technology and business requirements, as well as the relationship between security and privacy. Other principles such as accountability have been proposed, and non-repudiation, for one, does not fit neatly into the three core concepts.
Confidentiality is about not making information available or disclosed to unauthorized individuals, entities or processes. While similar to privacy, the words should not be used interchangeably.
Confidentiality is a component of privacy that implements security measures to protect against unauthorized viewers. User privacy has become an increasing part of confidentiality due to GDPR and other regulatory requirements.
Other examples of confidentiality include protection from laptop theft, password theft and other security management techniques.
Integrity or data integrity is concerned with the maintenance, assurance, accuracy and completeness of data over its entire lifecycle. This means implementing security controls that ensure data cannot be modified or deleted by an unauthorized person or in an undetected manner.
For any information system to be useful, it must be available when needed. This means computer systems that store and process information, the security controls that protect it, and the communication channels that access it must function on demand.
Businesses and their customers increasingly rely on real-time, high-availability systems 24/7. This means information security professionals are increasingly concerned with ensuring availability by preventing power outages, hardware failure and denial of service attacks. Availability is often viewed as the most important part of a successful information security program, as it's ultimately the end-users who need to be able to use the information.
Non-repudiation is a term borrowed from law that implies one's intention to fulfill their obligations in a contract and that one party cannot deny having received or having sent a transaction.
Information risk management is the process of identifying vulnerabilities and threats to the information resources used by an organization and deciding what countermeasures, if any, should be taken to reduce risk to an acceptable level based on the value of the information to the organization.
There are two main considerations with any risk management process:
- The process of risk management is ongoing and iterative in nature; it must be repeated indefinitely as new threats and vulnerabilities emerge
- The choice of countermeasures or controls used must strike a balance between productivity, cost, effectiveness and the information value of the asset being protected
Risk analysis and evaluation have innate limitations because when security incidents occur, they emerge in context and can come from unpredictable or unexpected threats like poorly configured S3 buckets or external attackers.
The likelihood that a threat will use a vulnerability to cause harm creates risk. In the context of information security, the impact is loss of confidentiality, integrity, or availability, or any other possible loss (e.g., reputational and financial damages). Note: it's not possible to identify or mitigate all risks. The risk that remains is called residual risk.
A threat is anything (incidental or deliberate) that could cause potential harm, loss or exposure to an information asset.
A vulnerability is a weakness that could be exploited to cause harm, loss or exposure to an information asset.
Risk is the likelihood that an event could cause harm, loss or exposure to an information asset.
NIST defines risk assessments as being used to identify, estimate, and prioritize risk to organizational operations, organizational assets, individuals, other organizations, and the Nation, resulting from the operation and use of information systems.
At a high level a cyber risk assessment involves a data audit that answers:
- What data do we collect?
- How and where are we storing this data?
- How do we protect and document the data?
- How long do we keep data?
- Who has access internally and externally to the data?
- Is the place we are storing the data properly secured? Many breaches come from poorly configured S3 buckets, check your S3 permissions or someone else will
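The S3 warning in the last question is the one item in this audit that can be checked mechanically. The following is an added example, not UpGuard's code or tooling: it reads a bucket policy document and an ACL in the JSON shapes the AWS API returns (as saved from `aws s3api get-bucket-policy` and `aws s3api get-bucket-acl`) and flags anything that grants access to every principal or to the AllUsers/AuthenticatedUsers groups. The bucket name, account id, role name and owner id in the sample documents are constructed placeholders.

```python
"""Flag S3 bucket configurations that grant public access.

Added example (not UpGuard's code): the policy and ACL documents below are
constructed samples in the shape AWS returns from GetBucketPolicy and
GetBucketAcl. The check runs offline and makes no AWS SDK call.
"""
import json

# Grantee URIs AWS uses for "anyone" and "any AWS account" in bucket ACLs.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _principal_is_public(principal):
    """True if a policy statement's Principal means 'anyone'."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        if isinstance(aws, str):
            aws = [aws]
        return "*" in aws
    return False


def public_policy_statements(policy_json):
    """Return Allow statements whose Principal is open to anyone.

    A Condition block (e.g. aws:SourceVpce, aws:PrincipalOrgID) may narrow a
    "*" principal, so such statements are flagged for review, not dropped.
    """
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be un-listed
        statements = [statements]
    findings = []
    for st in statements:
        if st.get("Effect") != "Allow":
            continue
        if not _principal_is_public(st.get("Principal")):
            continue
        actions = st.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        findings.append({
            "sid": st.get("Sid", "<no Sid>"),
            "actions": actions,
            "conditioned": bool(st.get("Condition")),
        })
    return findings


def public_acl_grants(acl):
    """Return (group, permission) pairs granted to the public ACL groups."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            group = grantee["URI"].rsplit("/", 1)[-1]
            findings.append((group, grant.get("Permission")))
    return findings


def audit_bucket(policy_json, acl):
    """Combine both checks into one list of human-readable findings."""
    report = []
    for f in public_policy_statements(policy_json):
        note = " (has Condition; review its scope)" if f["conditioned"] else ""
        report.append(f"policy statement {f['sid']} allows "
                      f"{', '.join(f['actions'])} to anyone{note}")
    for group, perm in public_acl_grants(acl):
        report.append(f"ACL grants {perm} to {group}")
    return report


# Constructed sample: one world-readable statement, one scoped to a role.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "OwnerWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/uploader"},
         "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})

# Constructed sample ACL: owner has full control, AllUsers can list objects.
SAMPLE_ACL = {
    "Owner": {"ID": "owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}

if __name__ == "__main__":
    for line in audit_bucket(SAMPLE_POLICY, SAMPLE_ACL):
        print("FINDING:", line)
```

Run on the samples, the audit reports the `PublicRead` statement and the AllUsers `READ` grant and stays silent on the role-scoped write. A statement that pairs `Principal: "*"` with a Condition is reported but marked for review rather than judged public, since the condition may legitimately restrict it; the account-level S3 Block Public Access setting, which this check does not read, can also override both documents.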
And then defines the parameters of the assessment:
- What is the purpose of the assessment?
- What is the scope of the assessment?
- Are there any priorities or constraints I should be aware of that could affect the assessment?
- Who do I need access to in the organization to get all the information I need?
- What risk model does the organization use for risk analysis?
Information security is designed to protect the confidentiality, integrity and availability of computer systems and physical data from unauthorized access, whether with malicious intent or not.
Confidentiality, integrity and availability are referred to as the CIA triad.
Every information security program is concerned with the protection of the CIA triad while maintaining organizational productivity.
UpGuard can continuously scan and discover data exposures related to all parts of your business, preventing reputational and regulatory harm that come from data leaks.
UpGuard BreachSight will alert you when employee login credentials are compromised or stolen, preventing unauthorized access of sensitive or confidential information.
Ensure data integrity with audit trails and keep records of your third-party vendor risks from identification through to remediation with UpGuard VendorRisk.