What is information security?

Information security, often shortened to infosec, is the set of practices, policies and principles used to protect digital data and other kinds of information. Infosec responsibilities include establishing business processes that protect information assets regardless of how that information is formatted and whether it is in transit, being processed or at rest in storage.
Generally, an organization applies information security to guard digital information as part of an overall cybersecurity program. Infosec's three primary principles, together called the CIA triad, are confidentiality, integrity and availability. In short, infosec is how you make sure your employees can get the data they need while keeping everyone else from accessing it. Infosec is also closely tied to risk management and to legal and regulatory obligations.

[Figure: The CIA triad: confidentiality, integrity and availability]

Principles of information security

The CIA triad

The overall goal of infosec is to let the good guys in while keeping the bad guys out. The three primary tenets that support this are confidentiality, integrity and availability, known as the CIA triad or the three pillars of information security. Confidentiality is the principle that information should be available only to those authorized to access it. Integrity is the principle that information is consistent, accurate and trustworthy, and that any unauthorized or accidental change to it can be detected. Availability is the principle that information is readily accessible to those with proper authorization and stays accessible in the face of failures, so that interruptions to users are minimized. These three principles do not exist in isolation; they inform and constrain one another, so any infosec system involves a balance among them. As an extreme example, information that exists only on a sheet of paper locked in a vault is confidential but not readily available. Information carved into stone and displayed in the lobby is highly available and very hard to alter, but it is not confidential at all.
For an in-depth discussion, please see: confidentiality, integrity and availability (CIA triad).

Other infosec principles

While the CIA triad forms the basis of infosec policy and decision-making, a complete infosec plan takes other factors into account. Because infosec involves balancing competing factors, it is closely associated with risk management, whose goal is to maximize positive outcomes while minimizing negative ones. Organizations use risk management principles to decide how much risk they are willing to accept when implementing a system, and they put guards and mitigations in place to reduce the risk that remains. Data classification should also feed into infosec so that extra attention goes to information that must remain highly confidential or that must remain highly available.

Information security is not limited to digital data and computer systems. A full infosec policy also covers physical information, printed information and other kinds of media, and it may include confidentiality agreements. Organizations should employ user training to protect data, alongside both technical controls and organizational policy as risk mitigation measures. For example, to limit the risk of an accounting analyst improperly changing financial data, an organization can put in place a technical control that restricts change rights and logs every change. Alternatively, an organizational policy requiring a second person to audit completed records mitigates the same risk.

Another important infosec property is nonrepudiation: the ability to prove that a particular party performed an action, such as creating, approving or sending a piece of information, so that the party cannot later deny having done so. Nonrepudiation builds on integrity. The data must reach the verifier unaltered, whether at rest or in transit, and the proof must be bound to the originator by something only the originator holds, such as a private signing key. A checksum or message authentication code computed with a key that both parties share proves integrity between those two parties but does not provide nonrepudiation, because either holder of the key could have produced it.

Business continuity and disaster recovery (BCDR) are additional considerations of infosec. Data should remain available and unchanged in the event of a software or hardware failure.
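The nonrepudiation paragraph above turns on the difference between a shared-key integrity check and a digital signature. The following Go program is an added example written for this page, not code from the original article or from any product it mentions; the record layout, the "analyst" and "auditor" roles and the key handling are assumptions made for illustration. It shows that an HMAC lets the auditor detect tampering but also lets the auditor forge a valid tag for a record the analyst never produced, so the analyst can plausibly deny authorship, whereas an Ed25519 signature detects tampering and can be produced only by the holder of the analyst's private key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Record is a constructed sample financial entry. The field layout is an
// assumption for this example, not a format from the article.
type Record struct {
	Account string
	Amount  int64 // in cents
}

// Bytes returns the canonical encoding that gets authenticated. The
// separator makes the encoding unambiguous, so two different records
// cannot produce the same bytes and share one tag or signature.
func (r Record) Bytes() []byte {
	return []byte(fmt.Sprintf("%s|%d", r.Account, r.Amount))
}

// MacTag authenticates a record with HMAC-SHA256 under a key that both the
// creator and the verifier hold.
func MacTag(sharedKey []byte, r Record) []byte {
	m := hmac.New(sha256.New, sharedKey)
	m.Write(r.Bytes())
	return m.Sum(nil)
}

// MacVerify compares tags in constant time.
func MacVerify(sharedKey []byte, r Record, tag []byte) bool {
	return hmac.Equal(MacTag(sharedKey, r), tag)
}

// Sign authenticates a record with the creator's Ed25519 private key,
// which the verifier never sees.
func Sign(priv ed25519.PrivateKey, r Record) []byte {
	return ed25519.Sign(priv, r.Bytes())
}

// Verify checks a signature using only the creator's public key.
func Verify(pub ed25519.PublicKey, r Record, sig []byte) bool {
	return ed25519.Verify(pub, r.Bytes(), sig)
}

// Outcome records what each scheme accepts, detects and allows.
type Outcome struct {
	MacAcceptsOriginal  bool // untouched record passes the HMAC check
	MacDetectsTamper    bool // altered record fails the HMAC check
	MacVerifierCanForge bool // auditor can tag a record the analyst never made
	SigAcceptsOriginal  bool // untouched record passes signature verification
	SigDetectsTamper    bool // altered record fails signature verification
	SigOtherKeyAccepted bool // a signature from a key other than the analyst's passes
}

// Compare runs both schemes on a constructed record. The analyst creates the
// record; the auditor verifies it. Keys are random per run, but the boolean
// outcomes are fixed by the properties of the two schemes.
func Compare() (Outcome, error) {
	var out Outcome
	original := Record{Account: "4000-revenue", Amount: 125000}
	altered := Record{Account: "4000-revenue", Amount: 1250000} // one extra zero

	// Shared-key scheme: analyst and auditor hold the same key.
	sharedKey := make([]byte, 32)
	if _, err := rand.Read(sharedKey); err != nil {
		return out, err
	}
	tag := MacTag(sharedKey, original)
	out.MacAcceptsOriginal = MacVerify(sharedKey, original, tag)
	out.MacDetectsTamper = !MacVerify(sharedKey, altered, tag)
	// Holding the shared key, the auditor can tag any record at will.
	out.MacVerifierCanForge = MacVerify(sharedKey, altered, MacTag(sharedKey, altered))

	// Signature scheme: only the analyst holds the private key.
	analystPub, analystPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return out, err
	}
	sig := Sign(analystPriv, original)
	out.SigAcceptsOriginal = Verify(analystPub, original, sig)
	out.SigDetectsTamper = !Verify(analystPub, altered, sig)
	// The best the auditor can do is sign with a key of its own, which does
	// not verify under the analyst's public key.
	_, auditorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return out, err
	}
	out.SigOtherKeyAccepted = Verify(analystPub, altered, Sign(auditorPriv, altered))
	return out, nil
}

func main() {
	out, err := Compare()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

Run it with `go run` and read the six flags: both schemes accept the original and reject the altered record, but only the HMAC lets the verifier manufacture an acceptable tag. In practice the analyst's public key would be bound to the analyst's identity through an enrollment process or certificate; without that binding, a valid signature proves only that some key holder signed, which is why key management is part of any nonrepudiation control.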
Backups and redundant systems are the usual way to meet the BCDR requirement that data remain available and unchanged after a software or hardware failure, and BCDR planning, as part of an overall infosec strategy, consists of multiple layers.

Change management is an infosec policy as well. Poorly managed changes can cause outages that affect the availability of a system, and system changes can also affect the overall security of stored data.

Local laws and governmental regulations also inform infosec decisions. Regulators in many regions impose rules on the handling of personally identifiable information (PII). Regulations such as the Health Insurance Portability and Accountability Act (HIPAA) for medical data, the Payment Card Industry Data Security Standard (PCI DSS) for payment card information and the European Union's (EU) General Data Protection Regulation (GDPR) may require that some information be treated differently or have special controls in place.

Jobs in information security

Most roles that work with computers involve an element of information security. Infosec job titles therefore vary between organizations and are often cross-disciplinary or interdepartmental. The chief security officer (CSO) or chief information security officer (CISO), in collaboration with the chief information officer (CIO), is responsible for overall cybersecurity and infosec policy. A security engineer or security systems administrator (sysadmin) may be responsible for implementing or evaluating infosec controls. An information security analyst or IT security consultant may be responsible for performing risk evaluations, assessing the effectiveness of controls or analyzing a failure and its impact. Infosec professionals have many paths open to them over an information security career.
Information security certifications

A number of certifications are available to IT professionals who already focus, or would like to focus, on infosec and on cybersecurity more broadly, including the following:
This was last updated in April 2021
What are the 3 key domains of information security an organization must primarily consider?

The weight given to each of the three major requirements describing needs for information security, namely confidentiality, integrity and availability, depends strongly on circumstances.

What are the 3 components of information security in an organization?

The CIA triad refers to an information security model made up of three main components: confidentiality, integrity and availability.

What are factors to consider in documents and information security?

The following list offers some important considerations when developing an information security policy:
- Purpose
- Audience
- Information security objectives
- Authority and access control policy
- Data classification
- Data support and operations
- Security awareness and behavior
- Encryption policy

How do you secure information in an organization?

Tips for protecting your organization's data:
- Implement a data security plan
- Encrypt data
- Communicate data securely
- Use access controls and firewalls
- Use external service providers carefully
- Keep some data off the network