Concept of Information Security
Information Security has become increasingly
important at a time when information has been recognized as a key asset by many
organizations. The rapid advancement of Information and Communication
Technology (ICT) and the growing dependence of organizations on IT
infrastructure continuously intensify the interest in this discipline.
Organizations pay increasing attention to information protection because the
impact of security breaches today has a more tangible, often devastating effect
on business.
Information security, often abbreviated to
infosec, is the set of practices intended to keep data secure from
unauthorized access or alteration, both while it is stored (at rest) and while it is
being transmitted from one machine or physical location to another (in transit). As
information has become one of the 21st century's most important assets, efforts to keep
it secure have correspondingly become more important. Threats
to information and information systems can be categorized, and a corresponding
security goal defined for each category of threat. The set of security
goals identified by such a threat analysis should be revised
periodically to ensure that it remains adequate for the evolving
environment. The currently relevant set of security goals typically includes
confidentiality, integrity, availability, privacy, authenticity and trustworthiness,
non-repudiation, accountability, and auditability.
POINTS TO REMEMBER
Information security
refers to the processes and methodologies which are designed and implemented to
protect print, electronic, or any other form of confidential, private and
sensitive information or data from unauthorized access, use, misuse,
disclosure, destruction, modification, or disruption.
Information security is a constantly growing
and evolving field with many areas of specialization ranging from network and
infrastructure security to testing and auditing. Information security prevents
the inspection, recording, modification, disruption, or destruction of
sensitive information like account details or biometrics. From a business
perspective, security disruptions interrupt workflow and cost money while
damaging a company's reputation. Organizations need to allocate funds for
security and ensure that their personnel are equipped to detect and deal with
the threats from different sources.
Information security performs four important
roles:
- Protects the organization's
ability to function.
- Enables the safe operation of
applications implemented on the organization's IT systems.
- Protects the data the
organization collects and uses.
- Safeguards the technology the
organization uses.
Information security vs. Cyber security
Information security differs from cyber
security in scope and objectives. The two terms are often confused: many people use them
interchangeably, and some define infosec as a subcategory of cyber security. In fact,
information security is the broader category. It covers information in every form
and every setting (paper records, conversations, social media, mobile computing,
cryptography) and includes the protection of digital information that cyber security
addresses. It is also closely related to information assurance, which is concerned with
preserving information against threats such as natural disasters and server malfunctions.
Cyber security covers threats to computers, networks, and the data they hold, so it
overlaps heavily with information security. Information can be physical or digital,
and only digital information falls within cyber security; a paper file locked in a
cabinet is an information security concern but not a cyber security one. Conversely,
the parts of cyber security that protect systems and raw data with no informational
value, rather than information itself, lie outside information security.
Information security principles
The basic principles, or components, of information
security are the CIA triad (confidentiality, integrity, and availability). The literature
refers to them interchangeably as security attributes or properties, security goals,
fundamental aspects, information criteria, critical information characteristics, and
basic building blocks.
Confidentiality
Confidentiality refers to preventing the
disclosure of information to unauthorized users. Preserving restrictions on
access to your data protects your proprietary information
and maintains your privacy. Every piece of information that an individual holds
has value, especially in today's world: bank account statements, personal
information, credit card numbers, trade secrets, and legal documents all
require proper confidentiality.
Any failure to maintain confidentiality, whether through an
accident or an intentional breach, can have severe consequences
for businesses or individuals, who often cannot undo the damage. For example, a
compromised password is a breach of confidentiality: once it has been exposed,
there is no way to make it secret again (it can only be replaced). Passwords and other
authentication, access controls, encryption, and defenses against intrusion are all
techniques designed to ensure confidentiality.
Integrity
Integrity refers to maintaining data in its
correct form, preventing improper modification whether accidental or
malicious. In other words, data integrity in information security means
maintaining and assuring the accuracy and completeness of data over its entire
lifecycle. Many of the techniques that ensure confidentiality also protect
integrity: access controls that restrict who can read data usually restrict who
can write it too, so an attacker confined to their normal access cannot alter it.
Other tools provide defense of integrity in depth. Checksums and cryptographic hashes
detect accidental corruption, but an attacker who can modify the data can also
recompute an unkeyed checksum, so detecting deliberate tampering needs a keyed
message authentication code (MAC) or a digital signature. Version control
and frequent backups then let you restore the data to a known-good state.
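As an added example (not code from the original notes), the following Python shows the difference just described between an unkeyed checksum and a keyed MAC. The record and the tampered copy are constructed sample data, and the key is generated on the fly; in practice it would be shared only between the party that produces the tag and the party that verifies it.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (not from the original page): a payment instruction
# and a copy of it that an attacker has altered.
RECORD = b"payee=ACME Ltd;amount=100.00;currency=USD"
TAMPERED = b"payee=ACME Ltd;amount=900.00;currency=USD"


def checksum(data: bytes) -> str:
    """Unkeyed SHA-256 checksum: detects accidental corruption only."""
    return hashlib.sha256(data).hexdigest()


def verify_checksum(data: bytes, expected: str) -> bool:
    # compare_digest avoids leaking how many leading characters matched
    return hmac.compare_digest(checksum(data), expected)


def mac(key: bytes, data: bytes) -> str:
    """HMAC-SHA256 tag: without the key, no valid tag can be produced."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_mac(key: bytes, data: bytes, tag: str) -> bool:
    return hmac.compare_digest(mac(key, data), tag)


def demo() -> dict:
    """Run the four checks and report each outcome as True when the control behaves as claimed."""
    key = secrets.token_bytes(32)          # shared secret of sender and verifier
    stored_checksum = checksum(RECORD)     # what a naive integrity check stores
    stored_tag = mac(key, RECORD)          # what a keyed integrity check stores
    return {
        # the altered record no longer matches the stored checksum ...
        "checksum_detects_modification": not verify_checksum(TAMPERED, stored_checksum),
        # ... but an attacker who can rewrite the data can rewrite the checksum too
        "checksum_defeated_by_recompute": verify_checksum(TAMPERED, checksum(TAMPERED)),
        # the altered record fails the keyed check ...
        "hmac_detects_modification": not verify_mac(key, TAMPERED, stored_tag),
        # ... and recomputing without the real key still fails
        "hmac_resists_recompute": not verify_mac(key, TAMPERED, mac(b"attacker-guess", TAMPERED)),
    }


if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check}: {'ok' if passed else 'FAILED'}")
```

Note that an HMAC proves the data was tagged by someone holding the shared key, which is enough for integrity but not for non-repudiation: either party could have produced the tag. When it must be provable that one specific party produced the data, a digital signature under a private key that only that party holds is required.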
Availability
Availability is the mirror image of
confidentiality. While you need to make sure that your data cannot be accessed
by unauthorized users, you also need to ensure that it can be accessed by those
with proper permission. Ensuring availability means matching network
and computing resources to the volume of data access you expect, and
implementing a good backup policy for disaster recovery purposes. In other
words, availability means that authorized users have reliable access to information
as and when they need it. This often requires collaboration
between departments, such as development teams, network operations, and
management. A common threat to availability is a denial of
service (DoS) attack, in which an attacker overloads or crashes a server so that
legitimate users cannot reach a website.
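One technical availability control against the overload form of DoS is per-client rate limiting, so that a single flooding client exhausts only its own budget rather than the server's. The token-bucket limiter below is an added example written for these notes, not code from the original page; the request traffic is constructed (one client sending 50 requests in one second alongside one normal client), and the capacity and refill rate are arbitrary demo values.

```python
class TokenBucket:
    """Per-client token bucket: each client may burst up to `capacity` requests and
    then proceed at `rate_per_sec`. Integer milli-token arithmetic keeps the
    simulation exact and reproducible (no floating-point drift)."""

    def __init__(self, capacity: int, rate_per_sec: int):
        self.cap = capacity * 1000      # milli-tokens
        self.rate = rate_per_sec        # milli-tokens per millisecond
        self._state: dict[str, tuple[int, int]] = {}   # client -> (tokens, last_ms)

    def allow(self, client: str, now_ms: int) -> bool:
        tokens, last = self._state.get(client, (self.cap, now_ms))
        tokens = min(self.cap, tokens + (now_ms - last) * self.rate)   # refill
        granted = tokens >= 1000
        if granted:
            tokens -= 1000
        self._state[client] = (tokens, now_ms)
        return granted


def simulate(requests, capacity: int = 10, rate_per_sec: int = 5) -> dict:
    """Feed (timestamp_ms, client) pairs through one limiter and return
    {client: (served, rejected)}."""
    bucket = TokenBucket(capacity, rate_per_sec)
    counts: dict[str, list[int]] = {}
    for now_ms, client in requests:
        served, rejected = counts.setdefault(client, [0, 0])
        if bucket.allow(client, now_ms):
            counts[client][0] = served + 1
        else:
            counts[client][1] = rejected + 1
    return {client: (s, r) for client, (s, r) in counts.items()}


# Constructed traffic (not real logs): a flood of 50 requests in one second from
# one source, interleaved with 5 ordinary requests from another source.
FLOOD = [(i * 20, "10.0.0.99") for i in range(50)]
NORMAL = [(i * 200, "192.0.2.7") for i in range(5)]
TRAFFIC = sorted(FLOOD + NORMAL)


if __name__ == "__main__":
    for client, (served, rejected) in simulate(TRAFFIC).items():
        print(f"{client}: served={served} rejected={rejected}")
```

With a burst capacity of 10 and a refill of 5 tokens per second, the flooding client gets its first 11 requests through (the initial 10 plus refill earned while it sends) and then only one request every 200 ms, while the normal client is never rejected. Rate limiting does not stop a distributed attack that spreads across many sources, but it does keep one abusive client from consuming capacity meant for everyone.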
Now let's look at other key terms in
information security: authentication, authorization, and non-repudiation,
the processes and methods that form some of the main controls protecting the CIA
triad.
To make information accessible (and modifiable) only to those who need it and
can be trusted with it, organizations use authentication and authorization.
Authentication is proving that a user is who he or she claims to be. That proof may
involve something the user knows (such as a password), something the user has
(such as a smart card), or something the user is (such as a fingerprint).
Authorization is the act of determining whether a particular user (or computer
system) has the right to carry out a certain activity, for example reading a file or
running a program. Users must be authenticated before the system can decide what
they are authorized to do. Security is strongest when the evidence of authentication
cannot later be refuted, so that the user cannot deny having performed the
activity. This property is known as non-repudiation; in practice it requires
controls such as digital signatures, because a secret shared with the server
(a password or a shared key) proves nothing to a third party about who used it.
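The following Python is an added example (not code from the original notes) of the order of operations just described: authenticate first, then authorize, and record every decision so that it can be audited later. It stores salted PBKDF2 password hashes rather than passwords, compares them in constant time, and spends the same hashing effort on an unknown user as on a wrong password so that timing does not reveal which usernames exist. The users, passwords, and access-control list are constructed demo data; the iteration count is kept low for speed and would be much higher (or replaced by a memory-hard function such as Argon2) in production.

```python
import hashlib
import hmac
import secrets

# Kept low so the demo runs quickly; production deployments use far higher
# counts or a memory-hard password hash.
ITERATIONS = 100_000


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class Gateway:
    """Authenticates, then authorizes, and logs every decision (accountability)."""

    def __init__(self, acl: dict[str, set[tuple[str, str]]]):
        self.acl = acl                    # user -> {(resource, action), ...}
        self.creds: dict[str, tuple[bytes, bytes]] = {}   # user -> (salt, digest)
        self.log: list[tuple[str, str, str, str]] = []
        # A throwaway credential so that an unknown username costs the same
        # hashing time as a wrong password for a real user.
        self._dummy = self._make_credential(secrets.token_hex(16))

    @staticmethod
    def _make_credential(password: str) -> tuple[bytes, bytes]:
        salt = secrets.token_bytes(16)
        return salt, _derive(password, salt)

    def register(self, user: str, password: str) -> None:
        self.creds[user] = self._make_credential(password)   # never store the password

    def authenticate(self, user: str, password: str) -> bool:
        """Something the user knows: verify the password against the stored hash."""
        salt, digest = self.creds.get(user, self._dummy)
        matches = hmac.compare_digest(_derive(password, salt), digest)
        return matches and user in self.creds

    def authorize(self, user: str, resource: str, action: str) -> bool:
        """Does this (already authenticated) user hold the right to perform the action?"""
        return (resource, action) in self.acl.get(user, set())

    def request(self, user: str, password: str, resource: str, action: str) -> str:
        if not self.authenticate(user, password):
            decision = "denied: authentication failed"    # same message for unknown user
        elif not self.authorize(user, resource, action):
            decision = "denied: not authorized"
        else:
            decision = "allowed"
        self.log.append((user, resource, action, decision))   # audit trail
        return decision


def build_demo_gateway() -> Gateway:
    """Constructed demo users and ACL (not from the original page)."""
    acl = {
        "alice": {("payroll.csv", "read"), ("payroll.csv", "write")},
        "bob": {("payroll.csv", "read")},
    }
    gw = Gateway(acl)
    gw.register("alice", "correct horse battery staple")
    gw.register("bob", "hunter2")
    return gw


if __name__ == "__main__":
    gw = build_demo_gateway()
    print(gw.request("alice", "correct horse battery staple", "payroll.csv", "write"))
    print(gw.request("bob", "hunter2", "payroll.csv", "write"))
    print(gw.request("bob", "wrong password", "payroll.csv", "read"))
    print(gw.request("mallory", "anything", "payroll.csv", "read"))
    for entry in gw.log:
        print(entry)
```

The audit log gives accountability (who attempted what, and the outcome) but not non-repudiation: because the server also knows the stored hash, a log entry alone does not prove to an outside party that the named user, rather than someone holding the server's secrets, made the request. That stronger guarantee needs the user to sign the request with a key only they hold.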
Information security policy
Creating an effective security policy and
taking steps to ensure compliance is a critical step to prevent and mitigate
security breaches. To make your security policy truly effective, update it in
response to changes in your company, new threats, conclusions drawn from
previous breaches, and other changes to your security posture. Make your
information security policy practical and enforceable. It should have an
exception system in place to accommodate the requirements and urgencies that
arise from different parts of the organization. Among other things, information
security policy should include:
- A statement describing the
purpose of the infosec program and your overall objectives
- Definitions of key terms used
in the document to ensure shared understanding
- An access control policy,
determining who has access to what data and how they can establish their
rights
- A password policy
- A data support and operations
plan to ensure that the data is always available to those who need it
- Roles and responsibilities of
everyone concerned with safeguarding the data, including who is
ultimately accountable for information security
One important thing to keep in mind is that,
in a world where many companies outsource some computer services or store data
in the cloud, your security policy needs to cover more than just the assets you
own.
Information security measures
As should be clear by now, just about all the
technical measures associated with cyber security touch on information security
to some degree. It is therefore worthwhile to think about infosec
measures in a big-picture way:
- Technical measures: the hardware and software that protect
the data, from encryption to firewalls.
- Organizational measures: the creation of an internal unit dedicated
to information security, along with making infosec part of the duties of
some staff in every department.
- Human measures: awareness training for users
on proper infosec practices.
- Physical measures: controlling access to office locations
and, especially, data centers.
Assignment 2
1. What do you mean by information security? List out the major components of information security.
2. List out the information security measures.
Netra Koirala
Computer Science Educator
Passionate computer science educator and author. Provides free study notes, practical guides, and tutorials for Class 9, 10, 11, 12, and B.Sc CSIT students in Nepal. Years of teaching experience in computer science fundamentals.