While the digital age has brought an abundance of ease and convenience, it has also had its fair share of problems. Keeping personal or corporate information safe is a major priority for most people, and ensuring the safety of that data is key to enjoying the benefits that the internet and technology offer. In this article, we will discuss what information security is and why it matters now more than ever. We will also cover the objectives of information security, information security policy, and other key topics in the field.
What is Information Security?
Information security, often shortened to InfoSec, is the practice of protecting information by identifying and reducing the risks to it. Risk is managed rather than eliminated: no control removes every threat, so the goal is to bring the likelihood and impact of an incident down to a level the organization can accept.
In recent times, information security has become a priority not only for large enterprises and corporations, but also for individuals who now have greater exposure to digital threats.
As mentioned earlier, information security is the practice of mitigating threats to information.
But let’s go a bit deeper into what that really means.
Information security primarily deals with securing information against unauthorized access, use, disclosure, modification, recording, or destruction. It also covers both the physical and the digital safeguarding of that data.
There are a lot of moving parts in information security, which makes it essential that professionals in the field have experience across several disciplines, including digital forensics, cryptography, and the social-engineering risks that come with social media, among others.
Not only do information security specialists need to protect data from malicious actors, but they also need to make sure that in the case of a natural calamity like a fire, storm, earthquake, etc., information remains safe and accessible.
Information security as a field has also expanded greatly.
A few years ago, most people would have been puzzled if asked what an information security analyst does. Now, most people have some idea of what these professionals do and how they help keep people and organizations secure.
An information security analyst makes sure that the business or organization is protected from threats. To do this, they routinely carry out security checks, install and configure firewalls, monitor network traffic, and so on.
Professionals in this field need to have a variety of skills and often need a degree along with relevant certifications to get a job.
Given the importance of digital security and privacy, recruiting talented and skilled security staff has become a no-brainer.
Why is Information Security Important?
Information security has always mattered.
Even in World War II, the Germans used the Enigma machine to encrypt the messages they sent back and forth. Polish cryptanalysts broke early Enigma before the war, and the Allies, building on that work at Bletchley Park, were able to read much of the traffic during the war and regain a tactical advantage.
In business, having a competitive advantage is of the utmost importance. With so much market saturation and difficulty in acquiring a loyal customer base, it is not uncommon for enterprises to be the target of corporate espionage and digital threats.
Information security has become a necessity.
Even for individuals, the need to secure personal information has grown significantly. Increased use of social media, online payments, and remote work have all made information security essential for the general public.
Products that are advertised as more secure, or that promise confidentiality, have an easier time winning market share. One of Bitcoin’s selling points is privacy, though it is pseudonymous rather than anonymous: every transaction is publicly recorded on the blockchain, and addresses can often be linked back to their owners.
Its importance can be understood from the fact that one widely cited industry estimate puts the global average cost of a data breach at around $3.9 million. This is no small sum to say the least.
What is the first step in information security?
Here are the first steps to take when you move toward a security-conscious strategy:
- Educating your team: Information security should be seen as a collective effort. An attacker rarely needs to target everyone in an organization; the negligence of a few individuals can be enough to do the intended damage. Organizations should run regular training, such as seminars and workshops, to educate staff on the importance of information security and on how to protect personal and organizational data.
- Asset management: Not all data is equally important. Some data is more valuable, and could put the organization in harm’s way if inadequately managed. Information security professionals should inventory all information assets within the organization, together with the protocols and security measures currently used to protect each one.
- Compliance: Compliance is an important issue in information security. Larger organizations will often need to involve their legal department to ensure that they comply with all applicable local and federal information security laws. The executive team is responsible for deciding which controls and protocols will be put in place to meet those requirements.
- Threat and risk assessment: Threats come in all shapes and sizes, and information security has to deal with all of them, online and physical alike. Monitoring employee behaviour and access is vital to preventing insider incidents. A security assessment can be conducted by examining the software currently in use, its capabilities, and its vulnerabilities. Taking stock of the information security measures already in place is also important when you want to understand the risks the organization faces now and could face in the future.
- Countering and neutralizing risks and threats: InfoSec professionals need to assess the likelihood and impact of each risk the organization is exposed to and prioritize accordingly. Companies need to keep their physical devices and the software on them up to date. Installing reputable antivirus and anti-malware software is also important to thwart attempts by bad actors.
What Are The Objectives of Information Security?
Now that we have discussed what information security is and why it matters, the next question is: what are the objectives of information security?
At its core, information security aims to protect data from breaches, leaks, and other malicious activity. Not only does information security deal with reducing risk, it also needs to address the organization’s own vulnerabilities.
By keeping the organization safe from risks and vulnerabilities, it will benefit from increased uptime, a better brand image, and savings on the costs that arise from data loss and damage.
Here are the objectives of information security:
1. Confidentiality
2. Integrity
3. Availability
4. Non-repudiation
5. Authenticity
6. Accountability
Let’s discuss each of these objectives in more detail.
1. Confidentiality
Confidentiality means that information is not made available to people who are not authorized to see it.
Within an enterprise or a business, not everyone needs to know about certain information. Even within organizational departments, data might be kept confidential.
Two internal teams might be competing for a singular goal, so keeping information confidential from each other would become a necessity.
Your information security policy should dictate how you’re going to keep data confidential within and outside the organization.
In the context of InfoSec, confidentiality is important since people with malicious intent can have unauthorized access to data. These bad actors can then use this information for themselves, sell it, extort it, etc.
It is vital for security professionals to ensure that confidential data remains confidential. At the same time, people within the organization need to make information security staff aware of any abnormalities or incidents of concern.
2. Integrity
Integrity is another key objective in information security. It means making sure that data and information are accurate and complete.
This also entails that the information needs to be safe from any unauthorized edits.
Why is integrity important in the context of information security? Data is valuable, and that value derives from its accuracy. If data is inaccurate, its worth is reduced or lost altogether.
Let’s say that your organization deals with real-time data. Since it is real-time data, it needs to be accurate for the people who rely on it to do their jobs and make decisions.
As our reliance on data grows and organizations start to move towards purely data driven decisions, maintaining the integrity of the information at hand becomes a priority.
Data should also be updated as soon as possible, since figures and numbers change all the time in business. Up-to-date data is more likely to be accurate, and accurate data is something that leaders and decision makers absolutely need.
3. Availability
Availability means that information is accessible to the relevant users and personnel when they need it.
Why is this an objective for information security? Think of it this way.
Your data is stored in house. Unfortunately an incident has occurred; for the sake of this example, a fire. While the incident is under way, information still needs to be available to the relevant users.
In this scenario, it would have been better to have a copy of the data replicated off-site or in the cloud as well. That would have prevented the loss of availability.
This might not sound like a huge problem for small and local businesses. But if you have international clients and do business on a large scale, you need to keep information available around the clock.
A fairly common cyber attack is the DDoS (Distributed Denial of Service) attack. In a DDoS, a website or service is flooded with traffic from a large number of machines, often compromised devices or bots, until it can no longer serve legitimate users, who are then unable to access the site (and the data on it).
DDoS attacks affect the availability of an information system. Let’s say a DDoS attack is carried out on a university’s website. Students will find that the website is unresponsive and that important information is not available to them when they need it.
4. Non-repudiation
Non-repudiation means that the party that sent a piece of information cannot later deny having sent it, and the party that received it cannot deny having received it.
The prerequisites for non-repudiation are authenticity (meaning that the source of the information is verified) and integrity (meaning that the information is accurate, complete, and has not been maliciously altered).
Non-repudiation is important because it means neither party can later dispute that the exchange took place, which is what makes digital agreements and transactions enforceable.
5. Authenticity
Authenticity means that the information being made available genuinely comes from the source it claims to come from.
Information and data must be generated by some source, and that source needs to be legitimate and verifiable.
As mentioned before, integrity means that the data is accurate. Data accuracy relies on the data being generated and added to internal information systems being true in the first place.
Digital signatures are commonly used to verify that information sent from one party to another is authentic. The receiving party uses the sender’s public key to check the signature; if it verifies, the receiver knows both who signed the information (authenticity) and that it has not been altered since (integrity). A signature does not, however, say anything about whether the content was correct when it was signed.
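To make the authenticity, integrity, and non-repudiation properties described above concrete, here is an added example in Go using the standard library’s Ed25519 signatures. It is not code from the original article. The parties (Alice signs, Bob verifies, Mallory tries to forge) and the message text are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Outcome records what the receiver concluded in each of the three checks.
type Outcome struct {
	Genuine  bool // unmodified message, signed by the claimed sender: must verify
	Tampered bool // message altered in transit: must fail (integrity)
	Forged   bool // same text signed by someone else's key: must fail (authenticity)
}

// Verify is the receiver's check: it accepts only if sig was made over msg by
// the private key matching senderPub. Nobody else holds that key, so a valid
// signature is also evidence the sender cannot later repudiate.
func Verify(senderPub ed25519.PublicKey, msg, sig []byte) bool {
	// ed25519.Verify panics on a malformed key, so guard the sizes first.
	if len(senderPub) != ed25519.PublicKeySize || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(senderPub, msg, sig)
}

// RunDemo plays out the scenario: Alice signs an instruction, Bob verifies it,
// then Bob checks a tampered copy and a copy signed by Mallory.
func RunDemo() (Outcome, error) {
	var out Outcome

	alicePub, alicePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return out, err
	}
	_, malloryPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return out, err
	}

	// Constructed sample message; in practice this would be a document,
	// a transaction, or a log record.
	msg := []byte("transfer 100 to account 42")
	sig := ed25519.Sign(alicePriv, msg)

	// 1. The genuine message verifies under Alice's public key.
	out.Genuine = Verify(alicePub, msg, sig)

	// 2. An attacker on the wire changes one byte ("100" becomes "900").
	//    The signature no longer matches, so Bob rejects it.
	tampered := append([]byte(nil), msg...)
	tampered[9] = '9'
	out.Tampered = Verify(alicePub, tampered, sig)

	// 3. Mallory signs the same text with her own key and claims it is from
	//    Alice. It does not verify under Alice's public key.
	out.Forged = Verify(alicePub, msg, ed25519.Sign(malloryPriv, msg))

	return out, nil
}

func main() {
	out, err := RunDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine accepted: %v, tampered accepted: %v, forged accepted: %v\n",
		out.Genuine, out.Tampered, out.Forged)
}
```

The verification step only tells Bob that the bytes he holds are the bytes Alice signed; whether "transfer 100" was the right instruction is a question about the source, not about the signature, which is why the text treats authenticity and integrity as distinct from accuracy. Binding the public key to Alice in the first place (certificates, a trusted directory, or an out-of-band exchange) is what makes the non-repudiation claim hold up.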
6. Accountability
Accountability means that actions performed by a party can be traced back to that party.
In terms of information security, accountability is important because without it, the parties involved could not be held responsible for the actions they took.
Accountability also supports integrity. If an unauthorized change is made to the organization’s data, whether it makes the data inaccurate or simply tampers with it, that change should be traceable to the party that made it, typically through audit logs, and that party should be held responsible for their actions.
What is the CIA Triad?
No, the CIA triad has nothing to do with the Central Intelligence Agency.
The CIA triad is a security model developed to help security professionals reason about and build information security.
Figure 1. CIA Triad
It stands for Confidentiality, Integrity, and Availability.
The CIA triad is used when an information security policy is being formed. As a baseline, any information security policy should meet these fundamental objectives of data security in order for the policy to hold its weight.
Confidentiality is to ensure that data is only available to users with authorized access.
Integrity ensures that the information is accurate, complete, and free from alterations by malicious actors or by anyone who was not authorized to change it.
Availability ensures that the information is accessible to authorized users when they need it.
What is Difference Between Information Security and Cybersecurity?
The two share many similarities, so it is common for people outside the security space to be a bit puzzled.
Since information security covers a broader set of objectives and plays a greater role in ensuring that a company’s security policy is up to standard, cybersecurity can be considered a subset of information security.
Cybersecurity, as the name suggests, primarily deals with protecting digital data and systems from unauthorized electronic access.
Information security, in contrast, covers information in every form, on paper and in people’s heads as well as on disk, and deals with ensuring its confidentiality, integrity, and availability.
What is Difference between Information Security and Network Security?
In most organizations, data moves back and forth constantly, and today most of it travels over the internet. This is why some people assume that network security encompasses everything to do with keeping information secure.
In reality, network security and information security differ.
Network security is concerned with securing computer networks and the data that crosses them, using hardware and software controls. Companies are often attacked through their networks, so it is vital that the network is not left vulnerable.
As mentioned earlier, InfoSec primarily deals with the CIA triad and how organizations can use them to dictate their information security policy.
Like with cybersecurity, network security can also be categorized as a subset of information security.
What is Authentication in the Information Security Context?
Authentication is the process of verifying an entity before granting it access to an information system.
Authentication is important because information should not be given out to unauthorized parties. In our daily lives we authenticate in many places online; from banks to social media networks, anyone who wants access to sensitive data has to prove that they are the legitimate party before it is shown.
Authentication to a system is often done in two steps. First, the party attempting to access the information system identifies itself, for example with a username. Second, it must provide proof that it is the entity it claims to be, such as a password, a hardware token, or a biometric.
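The two-step flow above (identification, then proof) can be shown end to end with a challenge-response exchange. The following is an added example in Go using only the standard library; it is not code from the original article. The server, the user "alice", and the shared secret are all constructed for the example, and the proof is an HMAC over a fresh random challenge, so the secret itself never crosses the wire.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Server keeps the registered identities and the one outstanding challenge
// per identity. Secrets are held in memory only for the demo; a real system
// would derive them from a password with a slow hash or keep them on a token.
type Server struct {
	secrets    map[string][]byte // identity -> shared secret
	challenges map[string][]byte // identity -> nonce waiting for a response
}

func NewServer() *Server {
	return &Server{secrets: map[string][]byte{}, challenges: map[string][]byte{}}
}

func (s *Server) Register(user string, secret []byte) {
	s.secrets[user] = secret
}

// Identify is step one: the client states who it is and the server hands back
// a fresh random challenge. Unknown names get a challenge too, so this step
// cannot be used to find out which usernames exist.
func (s *Server) Identify(user string) ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.challenges[user] = nonce
	return nonce, nil
}

// Respond is the client side of step two: prove knowledge of the secret by
// returning HMAC-SHA256(secret, challenge) without ever sending the secret.
func Respond(secret, challenge []byte) []byte {
	mac := hmac.New(sha256.New, secret)
	mac.Write(challenge)
	return mac.Sum(nil)
}

// Prove is the server side of step two. The challenge is consumed whether or
// not the response is right, so a captured response cannot be replayed, and
// hmac.Equal compares in constant time so timing does not leak how close a
// guess was.
func (s *Server) Prove(user string, response []byte) bool {
	nonce, ok := s.challenges[user]
	if !ok {
		return false // nothing outstanding for this identity
	}
	delete(s.challenges, user)
	secret, ok := s.secrets[user]
	if !ok {
		return false // identified as a name the server does not know
	}
	return hmac.Equal(Respond(secret, nonce), response)
}

// AuthOutcome records whether each attempt was accepted.
type AuthOutcome struct {
	Legit, Replay, WrongSecret, UnknownUser bool
}

// RunAuthDemo exercises the flow with a registered user (constructed name and
// secret) and three attempts that must be rejected.
func RunAuthDemo() (AuthOutcome, error) {
	var out AuthOutcome
	aliceSecret := []byte("constructed-shared-secret-for-alice")
	srv := NewServer()
	srv.Register("alice", aliceSecret)

	// Legitimate login: identify, receive a challenge, answer it.
	c1, err := srv.Identify("alice")
	if err != nil {
		return out, err
	}
	captured := Respond(aliceSecret, c1)
	out.Legit = srv.Prove("alice", captured)

	// An eavesdropper replays the captured response against a new challenge.
	if _, err := srv.Identify("alice"); err != nil {
		return out, err
	}
	out.Replay = srv.Prove("alice", captured)

	// Someone claiming to be alice but guessing the secret.
	c3, err := srv.Identify("alice")
	if err != nil {
		return out, err
	}
	out.WrongSecret = srv.Prove("alice", Respond([]byte("password1"), c3))

	// An identity the server never registered.
	c4, err := srv.Identify("mallory")
	if err != nil {
		return out, err
	}
	out.UnknownUser = srv.Prove("mallory", Respond([]byte("anything"), c4))
	return out, nil
}

func main() {
	out, err := RunAuthDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("legit=%v replay=%v wrongSecret=%v unknownUser=%v\n",
		out.Legit, out.Replay, out.WrongSecret, out.UnknownUser)
}
```

Three details carry the security weight here: the challenge is random and single-use (defeats replay), the comparison is constant-time (defeats timing attacks on the response), and an unknown identity still receives a challenge (the identification step does not confirm which accounts exist).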
What is Information Security Policy?
An information security policy is designed by security professionals to make sure that personnel who have access to data and information handle it securely and efficiently.
The importance of a sound information security policy cannot be overstated.
To keep malicious actors out and to counter the risks and vulnerabilities of an information system, it is important to have an information security policy that covers every base.
While every organization is different and there may be varying laws, here is what an information security policy needs to have:
- Purpose: The purpose of the InfoSec policy needs to be clear. It should take an overall look at the information security needs of the organization, including data access, risk and vulnerability prevention, compliance with regulations and laws, and respecting the rights of users.
- Audience: To avoid confusion later, the policy should state clearly who its audience is, and identify the people who fall outside its scope.
- Information security objectives: The policy must state the objectives it exists to meet: the confidentiality, integrity, and availability of information.
- Authority and access control policies: Not all information should be available to every user. Access should be justified by the user’s role and their need for the data, and granted on a least-privilege basis. Network security should also be addressed, in terms of hardware, software, and access to company networks and systems.
- Data classification: As mentioned previously, not all data is valued the same. Depending on the organization, data should be classified according to factors such as relevance and clearance levels.
- Data support and operations: Data must be kept secure and transferred from one point to another only over secure channels, which in most cases means secured networks.
- Security awareness and readiness: Security awareness deals with educating the organization’s staff about the means and mindset needed to keep information safe. It should also cover the kinds of threats the organization might face and how individuals need to respond to them.
- Personnel responsibilities, rights and duties: Keeping information safe should be a personal responsibility. Your information security team should brief your staff and educate them on their responsibilities towards company data, and on their rights and duties as employees of your organization.
Figure 2. Information Security Policy Infographic
What is Data Completeness in Information Security?
In information security, data completeness means making sure that the data available is all of the data the information system requires.
If data is missing, then the data is not complete. Simple.
Data completeness ensures that the data required by a user is present. In the case that the data completeness of a system is compromised, it can be a challenge for users to extract meaning and make accurate decisions.
Not only does the data need to be complete, the information system also needs to ensure data quality and data integrity.
Data quality is the reliability of information. High quality data will yield better results, while poor data quality indicates that the information present is not valuable for the purposes and needs of the organization.
Data integrity is the assurance that the data is reliable in terms of its physical and logical validity. Data integrity is essential as it indicates that information has not been tampered with and is unchanged. In the absence of data integrity, any decisions made might be inaccurate and result in poor or unexpected outcomes.
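Completeness and integrity are easy to conflate, so here is an added example in Go (standard library only, not code from the original article) that checks them separately. It assumes the producer of a data set publishes a manifest listing every record ID and the SHA-256 of each record; the consumer then reports missing records (completeness) and altered or injected records (integrity). The three-record inventory and the damaged copy are constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// Manifest is published by the producer of a data set alongside the data:
// the ID of every record that must be present, and the SHA-256 of its content.
type Manifest map[string]string

// Report keeps the two properties apart: Missing is a completeness failure,
// Corrupted and Unexpected are integrity failures.
type Report struct {
	Missing    []string // listed in the manifest but absent from the data
	Corrupted  []string // present but content hash does not match
	Unexpected []string // present but never listed in the manifest
}

// OK reports whether the data set is both complete and intact.
func (r Report) OK() bool {
	return len(r.Missing) == 0 && len(r.Corrupted) == 0 && len(r.Unexpected) == 0
}

func hashRecord(content string) string {
	sum := sha256.Sum256([]byte(content))
	return hex.EncodeToString(sum[:])
}

// BuildManifest is run by the producer before handing the data over.
func BuildManifest(records map[string]string) Manifest {
	m := Manifest{}
	for id, content := range records {
		m[id] = hashRecord(content)
	}
	return m
}

// Check is run by the consumer on what actually arrived.
func Check(m Manifest, records map[string]string) Report {
	var r Report
	for id, want := range m {
		got, present := records[id]
		switch {
		case !present:
			r.Missing = append(r.Missing, id)
		case hashRecord(got) != want:
			r.Corrupted = append(r.Corrupted, id)
		}
	}
	for id := range records {
		if _, listed := m[id]; !listed {
			r.Unexpected = append(r.Unexpected, id)
		}
	}
	// Map iteration order is random; sort so reports are stable.
	sort.Strings(r.Missing)
	sort.Strings(r.Corrupted)
	sort.Strings(r.Unexpected)
	return r
}

// RunIntegrityDemo checks a constructed three-record data set twice: once as
// produced, and once as a damaged copy with one record missing, one edited
// and one injected.
func RunIntegrityDemo() (clean, damaged Report) {
	original := map[string]string{
		"inv-001": "qty=10;price=4.50",
		"inv-002": "qty=3;price=120.00",
		"inv-003": "qty=1;price=999.99",
	}
	m := BuildManifest(original)
	clean = Check(m, original)

	received := map[string]string{
		"inv-001": "qty=10;price=4.50",
		"inv-002": "qty=3;price=12.00", // price altered in transit
		"inv-999": "qty=1;price=0.01",  // record that was never in the data set
		// inv-003 was dropped
	}
	damaged = Check(m, received)
	return clean, damaged
}

func main() {
	clean, damaged := RunIntegrityDemo()
	fmt.Printf("as produced: ok=%v\n", clean.OK())
	fmt.Printf("as received: missing=%v corrupted=%v unexpected=%v\n",
		damaged.Missing, damaged.Corrupted, damaged.Unexpected)
}
```

A plain hash manifest catches accidental loss and corruption, but an attacker who can edit the records can usually edit the manifest too and re-hash. For integrity against a deliberate adversary the manifest itself has to be protected, for example by signing it or delivering it over a separate trusted channel.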
What is Active and Passive Attacks in Information Security?
In information security, [active attacks](/docs/network-security-tutorials/what-is-active-attack) are attempts to change system information or alter how the system operates. Passive attacks, on the other hand, observe a system without changing it, in order to gather information and identify vulnerabilities.
Passive attacks usually have one of the two outcomes listed below.
- The first outcome of a passive attack is that information is leaked: the attacker reads message contents they should not have.
- The other outcome is traffic analysis. Even when the contents are encrypted, the attacker learns what sort of information is exchanged and how much (along with the frequency and length of messages), which can reveal who is talking to whom and when.
Active attacks, on the other hand, include the following:
- modification of information
- masquerading (one entity pretends to be another entity)
- denial of service, including DDoS (Distributed Denial of Service)
What is the Importance of Firewall in Information Security?
A firewall is software or hardware that sits between networks (internal or external), mediates the connections between them, and can allow, deny, or filter each connection based on rules such as source, destination, port, and protocol.
Because this is such an important component of any business, we might think of it as our front entrance.
Wouldn't a house be safer with two locks and a hardened door?
The approach is much the same for a network security perimeter: a default-deny rule set with only the connections the business needs explicitly allowed.
ISO 27001, one of the main information security standards, does not specify technical details; instead it refers to the controls catalogued in ISO 27002 to mitigate the risks associated with loss of confidentiality, integrity, and availability.
As a result, you must do a risk assessment to determine the level of protection required, and then develop your own policies for managing those risks.
It is vital that you understand how to configure firewall controls, since they protect your firm from the hazards that come with network connections and help you reduce risk.