Information Security, often abbreviated as infosec, is the practice of protecting information by mitigating risks such as unauthorized access, disclosure, disruption, modification or destruction of information. Information, whether physical or electronic, in the form of a personal profile on social media, mobile phone data, business strategies, budget planning, biometrics etc., is of great value to an individual or entity, and that is why information security is so relevant. The scope of Information Security covers topics like mobile computing, cyber forensics, online social media, cryptography etc.
Objectives of Information Security
Information Security programs have three objectives, commonly known as CIA: Confidentiality, Integrity and Availability. These may be considered the foundation of information security and are also known as the CIA triad.
Confidentiality – Protecting data, objects and resources from unauthorized viewing and other access ensures the confidentiality of information. Unless the user is on alert, confidentiality gets breached and the security of the computer system is compromised, leading to loss of valuable data and information. Confidentiality can be ensured by identifying who is trying to access data and blocking the attempts of those who are unauthorized. Passwords, encryption, authentication and defence against penetration attacks are all techniques designed to ensure confidentiality.
Integrity – When data is protected from unauthorized changes so that it remains reliable and correct, we say integrity is established. Integrity means maintaining the accuracy and completeness of data, which in turn ensures that data cannot be altered in an unauthorized way. Integrity also covers the concept of non-repudiation.
Availability – Availability means that authorized users have access to the computer systems and the resources they need. Ensuring data availability to legitimate users goes hand in hand with a good backup policy for disaster recovery purposes. A denial of service attack is one of the factors that can hamper the availability of information.
Apart from these, there are other principles that govern information security programs. They are:
Non-repudiation – This means that neither the sending party nor the receiving party can deny the transaction of a message. Data integrity and authenticity are prerequisites for non-repudiation.
Authenticity – This means ensuring that the user input arriving at a destination comes from a trusted source. When practised, this principle guarantees that a valid and genuine message has been received through a valid transmission.
Accountability – This means that it should be possible to trace the actions of an entity uniquely to that entity. For example, not every employee should be allowed to make changes to other employees' data. Instead, a separate department in the organization is responsible for making such changes, and when it receives a request for a change, that letter must be signed by a higher authority.
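As an added example (not part of the original article), the Go program below contrasts the integrity, authenticity and non-repudiation properties described above: an HMAC under a key shared by sender and receiver detects tampering and proves the message came from a key holder, but since both sides hold the key it cannot prove which of them sent it, whereas an Ed25519 signature can only be produced by the private-key holder. The messages and the shared key are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Integrity + authenticity with a shared secret: the HMAC tag changes if a
// single byte of the message changes, and only a key holder can compute it.
// Both parties hold the key, so the tag alone cannot give non-repudiation.
func macTag(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// Constant-time comparison, so the check does not leak how many bytes matched.
func macVerify(key, msg, tag []byte) bool {
	return hmac.Equal(macTag(key, msg), tag)
}

// Non-repudiation with a digital signature: only the private-key holder can
// sign, anyone with the public key can verify, so the signer cannot deny it.
func sign(priv ed25519.PrivateKey, msg []byte) []byte {
	return ed25519.Sign(priv, msg)
}

func verifySig(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

func main() {
	// Constructed sample: a payment instruction and a tampered copy of it.
	msg := []byte("transfer 100 to account 42")
	tampered := []byte("transfer 900 to account 42")
	shared := []byte("constructed-demo-key") // hypothetical shared secret
	tag := macTag(shared, msg)
	fmt.Println("HMAC verifies original:", macVerify(shared, msg, tag))      // true
	fmt.Println("HMAC verifies tampered:", macVerify(shared, tampered, tag)) // false
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	sig := sign(priv, msg)
	fmt.Println("signature verifies original:", verifySig(pub, msg, sig))      // true
	fmt.Println("signature verifies tampered:", verifySig(pub, tampered, sig)) // false
	// The receiver holds only pub, so it cannot forge sig; it did hold shared,
	// so it could have forged tag. That difference is non-repudiation.
}
```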
Information Security Policy
A set of rules that guide the people who work with IT assets forms an Information Security Policy (ISP). Every organization creates its own Information Security Policy to make sure that its employees and other users follow security protocols and procedures. These policies guide the organization's decisions around procuring cyber security tools and also mandate employee behavior and responsibilities.
Among other things, a company's information security policy should include:
a) A statement describing the purpose of the infosec program and the user’s overall objectives.
b) Definitions of key terms used in the documents to assure shared understanding.
c) An access control policy, determining who has access to what data and how they can establish their rights.
d) A password policy.
e) A data support and operations plan to make sure that data is always available to those who need it.
f) Employees' roles and responsibilities when it comes to safeguarding data. This is the accountability side of information security.
It is pertinent to note in this context that in a world where many companies outsource computer services or store data in the cloud, their security policy needs to cover more than just the assets they own. Knowing how to deal with everything from personally identifying information to third-party contractors (who need to be able to authenticate in order to access sensitive corporate information) falls within the scope of the information security policy.
Information Security Measures
The following measures deserve attention:
a) Technical measures – This includes the hardware and software that protect data, i.e. everything from encryption to firewalls.
b) Organizational measures – This includes the creation of an internal unit that is responsible for information security, along with making it accountable to some staff in every department.
c) Human measures – This includes providing awareness training for users on proper infosec practices.
d) Physical measures – This includes controlling access to the office locations and data centres.
The central idea of Information Security is Information Assurance, which means maintaining the CIA of information. This in turn ensures that information is not compromised in any way when critical issues arise, such as natural disasters, computer/server malfunctions etc.
The span of information security has grown and evolved significantly in recent years, offering many areas for specialization, including securing networks and allied infrastructure, securing applications and databases, security testing, information systems auditing, business continuity planning etc.