Information Security has become increasingly important at a time when information has been recognized as a key asset by many organizations. The rapid advancement of Information and Communication Technology (ICT) and the growing dependence of organizations on IT infrastructure continuously intensify the interest in this discipline. Organizations pay increasing attention to information protection because the impact of security breaches today has a more tangible, often devastating effect on business.
Information security, sometimes abbreviated to infosec, is the set of practices intended to keep data secure from unauthorized access or alteration, both while it is stored and while it is transmitted from one machine or physical location to another. As knowledge has become one of the 21st century's most important assets, efforts to keep information secure have correspondingly become more important. Threats to information and information systems can be categorized, and a corresponding security goal defined for each category of threat. The set of security goals identified by a threat analysis should be revised periodically to ensure that it remains adequate as the environment evolves. The currently relevant set of security goals may include confidentiality, integrity, availability, privacy, authenticity and trustworthiness, non-repudiation, accountability and auditability.
POINTS TO REMEMBER
Information security
refers to the processes and methodologies which are designed and implemented to
protect print, electronic, or any other form of confidential, private and
sensitive information or data from unauthorized access, use, misuse,
disclosure, destruction, modification, or disruption.
Information security is a constantly growing and evolving field with many areas of specialization, ranging from network and infrastructure security to testing and auditing. Its aim is to prevent the unauthorized inspection, recording, modification, disruption, or destruction of sensitive information such as account details or biometrics. From a business perspective, security incidents interrupt workflow and cost money while damaging a company's reputation. Organizations therefore need to allocate funds for security and ensure that their personnel are equipped to detect and deal with threats from different sources.
Information security performs four important roles:
· Protects the organization's ability to function.
· Enables the safe operation of applications implemented on the organization's IT systems.
· Protects the data the organization collects and uses.
· Safeguards the technology the organization uses.
Information security vs. Cyber security
Information security differs from cyber security in scope and objectives. The two terms are often confused: many people use them interchangeably, and some define infosec as a subcategory of cyber security. Information security is, in fact, the broader category, covering areas such as social media, mobile computing and cryptography as well as the concerns of cyber security. It is also closely related to information assurance, which involves preserving information against threats such as natural disasters and server malfunctions.
Cyber security covers threats to networked and digital systems, and therefore overlaps heavily with information security. Information can be either physical or digital, and only information held in digital systems falls under cyber security; a paper record in a filing cabinet is an infosec concern but not a cyber-security one. Conversely, cyber-security work that protects systems or raw data with no informational value is not, strictly speaking, information security.
Information security principles
The basic principles or components of information security are the CIA triad (confidentiality, integrity, and availability). The literature refers to them interchangeably as security attributes or properties, security goals, fundamental aspects, information criteria, critical information characteristics and basic building blocks.
Confidentiality
Confidentiality refers to preventing the disclosure of information to unauthorized users. Preserving restrictions on access to your data secures your proprietary information and maintains your privacy. Every piece of information that an individual holds has value, especially in today's world. From bank account statements, personal information and credit card numbers to trade secrets and legal documents, almost everything requires proper confidentiality.
Any failure to maintain confidentiality, whether through an accident or an intentional breach, can have severe consequences for businesses or individuals, who often cannot undo the damage. For example, a compromised password is a breach of confidentiality: once it has been exposed there is no way to make it secret again, and it can only be replaced. Access controls, encryption, authentication, and defences against intrusion are all techniques designed to ensure confidentiality.
Integrity
Integrity refers to maintaining data in its correct form, preventing improper modification, whether accidental or malicious. In other words, in information security, data integrity means maintaining and assuring the accuracy and completeness of data over its entire lifecycle. Many of the access controls that enforce confidentiality also protect integrity, because an attacker who cannot reach the data cannot change it. Alongside these, other tools provide defence of integrity in depth: checksums let you verify that data has not changed since the check value was computed, and version control software and frequent backups let you restore the data to a correct state. Note that a plain checksum only detects accidental corruption; an attacker who can rewrite the data can usually recompute the checksum too, so detecting deliberate tampering requires a check value the attacker cannot forge, such as a keyed message authentication code or a digital signature.
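The difference between an unkeyed checksum and a keyed check value, as an added example (this code is not from the original page). It uses only the Python standard library; the record, the bit-flip and the key are constructed for the demonstration, and in a real system the key would live in a key store rather than next to the data.

```python
import hashlib
import hmac

# Constructed sample record and key for this example only.
RECORD = b"account=12345;owner=alice;balance=100.00"
INTEGRITY_KEY = bytes.fromhex(
    "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"
)


def checksum(data: bytes) -> str:
    """Unkeyed SHA-256 checksum: anyone can compute it for any data."""
    return hashlib.sha256(data).hexdigest()


def checksum_ok(data: bytes, expected: str) -> bool:
    return hmac.compare_digest(checksum(data), expected)


def mac_tag(key: bytes, data: bytes) -> str:
    """Keyed HMAC-SHA256 tag: only holders of the key can compute it."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def mac_ok(key: bytes, data: bytes, tag: str) -> bool:
    # compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(mac_tag(key, data), tag)


def flip_bit(data: bytes, index: int) -> bytes:
    """Simulate accidental corruption: flip one bit of one byte."""
    buf = bytearray(data)
    buf[index] ^= 0x01
    return bytes(buf)


def tamper(data: bytes) -> bytes:
    """Simulate a deliberate change by an attacker with write access."""
    return data.replace(b"balance=100.00", b"balance=900.00")


def accidental_corruption_detected() -> bool:
    """A checksum stored at write time catches a later bit flip."""
    stored = checksum(RECORD)
    return not checksum_ok(flip_bit(RECORD, 5), stored)


def checksum_stops_attacker() -> bool:
    """An attacker who can rewrite the record can also rewrite the checksum
    stored beside it, so verification passes and the change goes unnoticed."""
    tampered = tamper(RECORD)
    attacker_checksum = checksum(tampered)
    return not checksum_ok(tampered, attacker_checksum)


def mac_stops_attacker() -> bool:
    """With a keyed MAC the attacker cannot produce a valid tag for the
    tampered record; reusing the old tag or an unkeyed hash both fail."""
    stored = mac_tag(INTEGRITY_KEY, RECORD)
    tampered = tamper(RECORD)
    reused_old_tag = mac_ok(INTEGRITY_KEY, tampered, stored)
    forged_unkeyed = mac_ok(INTEGRITY_KEY, tampered, checksum(tampered))
    return not reused_old_tag and not forged_unkeyed


if __name__ == "__main__":
    print("bit flip caught by checksum:", accidental_corruption_detected())  # True
    print("tampering caught by checksum:", checksum_stops_attacker())        # False
    print("tampering caught by HMAC:", mac_stops_attacker())                 # True
```

The checksum is enough against disk errors and truncated transfers, which is what backups and version control are usually guarding against; it is the keyed tag that turns "did this change?" into "did someone without the key change this?". An HMAC still does not give non-repudiation, since every holder of the key can produce the same tag; that needs a digital signature.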
Availability
Availability is the mirror image of confidentiality. While you need to make sure that your data cannot be accessed by unauthorized users, you also need to ensure that it can be accessed by those with proper permission. Ensuring availability means matching network and computing resources to the volume of data access you expect, and implementing a good backup policy for disaster recovery. In other words, availability means that authorized users have reliable access to information when they need it. This often requires collaboration between departments, such as development teams, network operations and management. A common threat to availability is a denial of service (DoS) attack, in which an attacker overloads or crashes a server to prevent users from reaching a website.
Now, let's take a look at other key terms in information security: authentication, authorization and non-repudiation, which are among the main controls used to protect the CIA triad.
To make information accessible, and modifiable, only to those who need it and can be trusted with it, organizations use authentication and authorization. Authentication is proving that a user is the person he or she claims to be. That proof may involve something the user knows (such as a password), something the user has (such as a smartcard), or something the user is (such as a fingerprint). Authorization is the act of determining whether a particular user (or computer system) has the right to carry out a certain activity, for example reading a file or running a program. Users must be authenticated before they can carry out the activities they are authorized to perform. Security is strongest when the evidence of who performed an action cannot later be refuted, so that the user cannot deny having performed it. This is known as non-repudiation; in practice it requires evidence, such as a digital signature made with a key that only that user holds, tying the action to the user.
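The authenticate-then-authorize flow described above, as an added example (not code from the original page). It is plain Python standard library: passwords are stored as salted PBKDF2 hashes and compared in constant time, a small role-to-permission table stands in for an access control list, and every decision is appended to an audit log. The usernames, passwords, roles and actions are constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# PBKDF2-HMAC-SHA256 iteration count. OWASP's 2023 guidance is 600,000;
# it is lowered here only so the example runs quickly.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16

# Which actions each role may perform (a minimal access control list).
ROLE_PERMISSIONS = {
    "reader": {"read_file"},
    "operator": {"read_file", "run_program"},
}


@dataclass(frozen=True)
class UserRecord:
    salt: bytes
    password_hash: bytes
    roles: frozenset


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )


def register(users: dict, username: str, password: str, roles) -> None:
    """Store a per-user salt and the salted hash, never the password itself."""
    salt = os.urandom(SALT_BYTES)
    users[username] = UserRecord(salt, hash_password(password, salt), frozenset(roles))


def authenticate(users: dict, username: str, password: str):
    """Something the user knows: return the username on success, else None."""
    record = users.get(username)
    if record is None:
        # Do the same amount of work for unknown users so that response time
        # does not reveal which usernames exist.
        hash_password(password, bytes(SALT_BYTES))
        return None
    if hmac.compare_digest(hash_password(password, record.salt), record.password_hash):
        return username
    return None


def authorize(users: dict, username: str, action: str) -> bool:
    """Does an already-authenticated user hold a role that permits the action?"""
    roles = users[username].roles
    return any(action in ROLE_PERMISSIONS.get(role, set()) for role in roles)


def perform(users: dict, audit_log: list, username: str, password: str, action: str) -> str:
    """Authenticate first, then authorize, and record the outcome either way."""
    who = authenticate(users, username, password)
    if who is None:
        audit_log.append({"user": username, "action": action, "result": "auth_failed"})
        return "authentication failed"
    if not authorize(users, who, action):
        audit_log.append({"user": who, "action": action, "result": "denied"})
        return "denied"
    audit_log.append({"user": who, "action": action, "result": "ok"})
    return "ok"


if __name__ == "__main__":
    users, audit_log = {}, []
    register(users, "alice", "correct horse battery staple", ["reader"])
    register(users, "bob", "Tr0ub4dor&3", ["operator"])
    print(perform(users, audit_log, "alice", "correct horse battery staple", "read_file"))    # ok
    print(perform(users, audit_log, "alice", "correct horse battery staple", "run_program"))  # denied
    print(perform(users, audit_log, "alice", "wrong password", "read_file"))                   # authentication failed
    print(perform(users, audit_log, "bob", "Tr0ub4dor&3", "run_program"))                     # ok
    for entry in audit_log:
        print(entry)
```

Two points are worth noticing. Authorization is never consulted until authentication has succeeded, which is the ordering the text describes. And the audit log gives accountability, not non-repudiation: the server that writes the log could write any entry it likes, so a user can still plausibly deny an action. Non-repudiation needs the user to sign the request with a private key that the server never holds, which the Python standard library does not provide and this example does not attempt.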
Information security policy
Creating an effective security policy and taking steps to ensure compliance with it is a critical step in preventing and mitigating security breaches. To keep your security policy effective, update it in response to changes in your company, new threats, conclusions drawn from previous breaches, and other changes to your security posture. Make the policy practical and enforceable, and give it an exception process to accommodate the requirements and urgencies that arise in different parts of the organization. Among other things, an information security policy should include:
· A statement describing the purpose of the infosec program and your overall objectives
· Definitions of key terms used in the document, to ensure shared understanding
· An access control policy, determining who has access to what data and how they establish their rights
· A password policy
· A data support and operations plan, to ensure that data is always available to those who need it
· Roles and responsibilities of everyone concerned with safeguarding the data, including who is ultimately responsible for information security
One important thing to
keep in mind is that, in a world where many companies outsource some computer
services or store data in the cloud, your security policy needs to cover more
than just the assets you own.
Information security measures
As should be clear by now, just about all the technical measures associated with cyber security touch on information security to some degree, so it is worthwhile to think about infosec measures in a big-picture way:
· Technical measures: the hardware and software that protect the data, from encryption to firewalls.
· Organizational measures: creating an internal unit dedicated to information security, and making infosec part of the duties of some staff in every department.
· Human measures: providing awareness training for users on proper infosec practices.
· Physical measures: controlling access to office locations and, especially, data centers.
Assignment 2
1. What do you mean by information security? List out the major components of information security.
2. List out the information security measures.