What are the factors to be considered to maintain a secured information system within an organization?

What is information security?

Information security, often shortened to infosec, is the set of practices, policies and principles that protect digital data and other kinds of information. Infosec responsibilities include establishing business processes that protect information assets regardless of how that information is formatted or whether it is in transit, being processed or at rest in storage.

Generally, an organization applies information security to guard digital information as part of an overall cybersecurity program. Infosec's three primary principles, known as the CIA triad, are confidentiality, integrity and availability.

In short, infosec is how you make sure your employees can get the data they need while keeping anyone else from accessing it. It is closely tied to risk management and to legal and regulatory obligations.

The CIA triad: confidentiality, integrity and availability

Principles of information security

The CIA triad

The overall goal of infosec is to let the good guys in while keeping the bad guys out. The three primary tenets that support this are confidentiality, integrity and availability. Together they are called the CIA triad, or the three pillars or principles of information security.

Confidentiality is the principle that information should be available only to those with proper authorization for that data. Integrity is the principle that information is consistent, accurate and trustworthy, and that any unauthorized change to it can be detected. Availability is the principle that information is readily accessible to those with proper authorization and remains so during a failure, to minimize interruptions to users.

These three principles do not exist in isolation; they inform and constrain one another, so any infosec system involves a balance among them. As an extreme example, information that exists only on a sheet of paper locked in a vault is confidential but not readily available. Information carved in stone and displayed in the lobby has a great deal of integrity and is available to anyone who walks in, but it is not confidential.

For an in-depth discussion, please see: confidentiality, integrity and availability (CIA triad).

Other infosec principles

While the CIA triad forms the basis of infosec policy and decision-making, other factors should be included in a complete infosec plan.

Because infosec involves balancing competing factors, it is closely associated with risk management. The goal is to maximize positive outcomes while minimizing negative ones. Organizations use risk management principles to decide how much risk they are willing to accept when implementing a system, and they put controls and mitigations in place to reduce the remaining risk.

Data classification should also be part of infosec, so that extra attention goes to information that must remain highly confidential or highly available.

Information security is not limited to digital data and computer systems. A full infosec policy will also cover physical information, printed information and other kinds of media. It may also include confidentiality agreements.

Businesses should also employ user training to protect data, along with both technical controls and organizational policy as risk mitigations. For example, to limit the risk of an accounting analyst altering financial data, an organization can put in place a technical control that restricts change rights and logs every change. Alternatively, an organizational policy requiring a second person to audit completed records mitigates the same risk.
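As an added example (not code from the original article), here is a small Go model of the technical control just described: change rights limited by role, every attempted change written to an append-only audit trail, and the second-person review enforced in code rather than left to policy alone. The ledger, the roles, the user names and the invoice record are all constructed for this illustration.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Roles are deliberately minimal: a Viewer can only read, an Analyst can
// propose a change, a Controller can approve a change proposed by someone else.
type Role int

const (
	Viewer Role = iota
	Analyst
	Controller
)

type User struct {
	Name string
	Role Role
}

// Change is a proposed edit that has not yet taken effect.
type Change struct {
	By        string
	NewAmount int64
}

type Record struct {
	ID      string
	Amount  int64
	Pending *Change
}

// AuditEntry records who tried to do what, to which record, and the
// before/after values. Denied attempts are logged too.
type AuditEntry struct {
	When   time.Time
	Actor  string
	Action string
	Record string
	Before int64
	After  int64
}

type Ledger struct {
	records map[string]*Record
	audit   []AuditEntry // append-only: nothing in this type removes or edits entries
}

func NewLedger() *Ledger { return &Ledger{records: map[string]*Record{}} }

func (l *Ledger) Add(id string, amount int64) { l.records[id] = &Record{ID: id, Amount: amount} }

func (l *Ledger) Amount(id string) int64 {
	if r, ok := l.records[id]; ok {
		return r.Amount
	}
	return 0
}

func (l *Ledger) Audit() []AuditEntry { return l.audit }

func (l *Ledger) log(actor, action, id string, before, after int64) {
	l.audit = append(l.audit, AuditEntry{time.Now(), actor, action, id, before, after})
}

// Propose records an intended change without applying it. Viewers are denied,
// and the denial is logged so that probing for excess rights stays visible.
func (l *Ledger) Propose(u User, id string, newAmount int64) error {
	r, ok := l.records[id]
	if !ok {
		return errors.New("no such record")
	}
	if u.Role == Viewer {
		l.log(u.Name, "propose-denied", id, r.Amount, newAmount)
		return errors.New("not permitted to change records")
	}
	r.Pending = &Change{By: u.Name, NewAmount: newAmount}
	l.log(u.Name, "propose", id, r.Amount, newAmount)
	return nil
}

// Approve applies a pending change only when the approver is a Controller and
// is not the person who proposed it (separation of duties).
func (l *Ledger) Approve(u User, id string) error {
	r, ok := l.records[id]
	if !ok || r.Pending == nil {
		return errors.New("nothing to approve")
	}
	if u.Role != Controller {
		l.log(u.Name, "approve-denied", id, r.Amount, r.Pending.NewAmount)
		return errors.New("not permitted to approve changes")
	}
	if u.Name == r.Pending.By {
		l.log(u.Name, "approve-denied-self", id, r.Amount, r.Pending.NewAmount)
		return errors.New("cannot approve your own change")
	}
	before := r.Amount
	r.Amount = r.Pending.NewAmount
	r.Pending = nil
	l.log(u.Name, "approve", id, before, r.Amount)
	return nil
}

func main() {
	l := NewLedger()
	l.Add("INV-1001", 4200) // constructed sample record
	alice, bob := User{"alice", Analyst}, User{"bob", Controller}
	fmt.Println(l.Propose(alice, "INV-1001", 9200), l.Amount("INV-1001")) // <nil> 4200
	fmt.Println(l.Approve(alice, "INV-1001"))                              // not permitted to approve changes
	fmt.Println(l.Approve(bob, "INV-1001"), l.Amount("INV-1001"))          // <nil> 9200
	for _, e := range l.Audit() {
		fmt.Printf("%s %s %s %s %d->%d\n", e.When.Format(time.RFC3339), e.Actor, e.Action, e.Record, e.Before, e.After)
	}
}
```

The point of logging denied attempts as well as successful ones is that the audit trail then shows who tried to exceed their rights, which is often the earliest sign of a compromised or misused account.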

Another important infosec factor is nonrepudiation: the ability to prove that a specific party created, sent or approved a piece of information, so that the party cannot later deny having done so. It depends on integrity, since the data must be shown not to have been altered at rest or in transit, but it goes further by binding the data to its originator, typically with a digital signature rather than a secret shared between the parties.
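The difference between integrity and nonrepudiation is easiest to see in code. The following Go program is an added example, not part of the original article; the invoice record and the shared key are constructed for it. An HMAC over a shared key detects tampering, but because the receiver holds the same key it could have produced the tag itself, so the tag proves nothing about who sent the data. An Ed25519 signature also detects tampering and, because only the private key holder could have produced it, binds the record to its signer.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Record is a constructed sample message, not real data.
var Record = []byte(`{"invoice":"INV-1001","amount":"4200.00","payee":"ACME"}`)

// Tamper returns a copy of msg with the amount altered, standing in for an
// attacker (or a dishonest receiver) modifying data in transit or at rest.
func Tamper(msg []byte) []byte {
	return bytes.Replace(msg, []byte(`"4200.00"`), []byte(`"9200.00"`), 1)
}

// Tag computes HMAC-SHA256 over msg with a key shared by sender and receiver.
// It gives integrity: any change to msg changes the tag.
func Tag(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// VerifyTag uses a constant-time comparison so verification does not leak the tag.
func VerifyTag(key, msg, tag []byte) bool { return hmac.Equal(Tag(key, msg), tag) }

// NewSigner creates an Ed25519 key pair. Only the private key holder can sign;
// anyone holding the public key can verify.
func NewSigner() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

func Sign(priv ed25519.PrivateKey, msg []byte) []byte { return ed25519.Sign(priv, msg) }

func VerifySig(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

func main() {
	key := []byte("shared-secret-constructed-for-this-example")
	tag := Tag(key, Record)
	fmt.Println("hmac: genuine record verifies:", VerifyTag(key, Record, tag))          // true
	fmt.Println("hmac: tampered record verifies:", VerifyTag(key, Tamper(Record), tag)) // false

	// The receiver holds the same key, so it can mint a valid tag for a record
	// the sender never produced. The tag proves integrity, not origin.
	forged := Tamper(Record)
	fmt.Println("hmac: receiver-forged record verifies:", VerifyTag(key, forged, Tag(key, forged))) // true

	pub, priv, err := NewSigner()
	if err != nil {
		panic(err)
	}
	sig := Sign(priv, Record)
	fmt.Println("sig: genuine record verifies:", VerifySig(pub, Record, sig))          // true
	fmt.Println("sig: tampered record verifies:", VerifySig(pub, Tamper(Record), sig)) // false

	// Without priv, nobody can produce a signature that verifies under pub, so a
	// valid signature is evidence that the key holder signed exactly this record.
	other, _, _ := NewSigner()
	fmt.Println("sig: verifies under someone else's key:", VerifySig(other, Record, sig)) // false
}
```

In practice nonrepudiation also needs the private key to be provably under the signer's sole control (a hardware token or HSM) and the signature to be timestamped and retained, otherwise the signer can plausibly claim the key was stolen.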

Business continuity and disaster recovery (BCDR) are additional infosec considerations. Data should remain available and unchanged in the event of a software or hardware failure. Organizations accomplish this through backups and redundant systems.

The business continuity and disaster recovery planning, as part of an overall infosec strategy, consists of multiple layers.

Consider change management an infosec policy as well. Poorly managed changes can cause outages that affect the availability of a system, and system changes can also affect the overall security of stored data.

Local laws and government regulations also inform infosec decisions. Regulatory bodies often govern how personally identifiable information (PII) may be handled, and the rules vary by region. Regulations such as the Health Insurance Portability and Accountability Act (HIPAA) for medical data, the Payment Card Industry Data Security Standard (PCI DSS) for payment card information and the European Union's (EU) General Data Protection Regulation (GDPR) may require that some information be treated differently or have special controls in place.

Jobs in information security

Most roles that work with computers involve an element of information security. Infosec job titles therefore vary between organizations, and the jobs are often cross-disciplinary or interdepartmental.

The information technology (IT) chief security officer (CSO) or chief information security officer (CISO), in collaboration with the chief information officer (CIO), is responsible for overall cybersecurity and infosec policy. A security engineer or security systems administrator (sys admin) may be responsible for implementing or evaluating infosec controls.

An information security analyst or IT security consultant may be responsible for making risk evaluations, evaluating effectiveness of controls or analyzing a failure and its impact.

Infosec professionals have many paths they can take in their information security career.


Information security certifications

A number of certifications are available to IT professionals who already -- or would like to -- focus on infosec and cybersecurity more broadly, including the following:

  • CompTIA Security+. This certification covers core cybersecurity knowledge and is used to qualify for entry-level IT and infosec roles.
  • Certified Information Systems Auditor (CISA). ISACA, a nonprofit and independent association that advocates for professionals involved in information security, assurance, risk management and governance, offers this certification. The exam certifies the knowledge and skills of security professionals. To qualify for this certification, candidates must have five years of professional work experience related to information systems auditing, control or security.
  • Certified Information Security Manager (CISM). CISM is an advanced certification offered by ISACA that validates individuals who have demonstrated the in-depth knowledge and experience required to develop and manage enterprise information security programs. ISACA aims this certification at information security managers, aspiring managers or IT consultants who support information security program management.
  • GIAC Security Essentials (GSEC). Created and administered by the Global Information Assurance Certification (GIAC) organization, this certification is geared toward security professionals who want to demonstrate they are qualified for hands-on roles with respect to security tasks related to IT systems. The exam requires candidates demonstrate an understanding of information security beyond simple terminology and concepts.
  • Certified Information Systems Security Professional (CISSP). CISSP is an advanced certification offered by (ISC)², an international nonprofit cybersecurity certification body. For experienced cybersecurity professionals, the exam covers the ability to design and implement an infosec program.

This was last updated in April 2021


What are the 3 key domains of information security an organization must primarily consider?

The weight given to each of the three major requirements describing needs for information security—confidentiality, integrity, and availability—depends strongly on circumstances.

What are the 3 components of information security in an organization?

The CIA triad refers to an information security model made up of the three main components: confidentiality, integrity and availability.

What are factors to consider in documents and information security?

The following list offers some important considerations when developing an information security policy:

  • Purpose ...
  • Audience ...
  • Information security objectives ...
  • Authority and access control policy ...
  • Data classification ...
  • Data support and operations ...
  • Security awareness and behavior ...
  • Encryption policy

How do you secure information in an Organisation?

Tips for protecting your organization's data:

  • Implement a data security plan ...
  • Encrypt data ...
  • Communicate data securely ...
  • Use access controls and firewalls ...
  • Use external service providers carefully ...
  • Keep some data off the network ...
  • Final thoughts