Information Security (infosec) Explained
Cybercriminals are nefarious treasure hunters, and your sensitive information is the treasure they are after. The higher the sensitivity of the information they get their hands on, the greater the value. That’s why regulatory standards and security frameworks mandate or guide your business to do everything possible to ensure information security.
This comprehensive blog tells you everything you need to know about information security and how you can help your clients improve their information security.
What is information security?
Often abbreviated as infosec, information security refers to measures aimed at securing a business’ critical or sensitive information while it’s stored or being transmitted from one device or physical location to another. It safeguards the data from unauthorized access, examination, misuse or alteration (in the form of disclosure, disruption or destruction).
The National Institute of Standards and Technology (NIST) defines infosec as — “The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction in order to provide confidentiality, integrity and availability.”
What is the goal of information security?
The primary goal of a business’ information security strategy is to protect mission-critical and sensitive data from internal and external threats. The four most common methods used to protect information are:
- Restricting or closing access
- Crushing information into parts and storing those parts separately
- Hiding the fact of its existence
Why is information security important?
Lack of information security can lead to theft or loss of key information, damage to customer satisfaction, reputational harm and much more. Information security is needed to fulfill these key objectives:
- Securing the functionality of the business
- Ensuring applications operate safely
- Protecting the data a business collects and uses
- Safeguarding all technology assets of a business
- Complying with industry, regulatory or internal security requirements
Information security vs. cybersecurity
Information security and cybersecurity are often used synonymously and interchangeably since they are so closely linked to each other. Cybersecurity refers to a set of broader practices aimed at protecting all IT assets from any form of attack, while information security is a specific discipline (under the purview of cybersecurity) that focuses on protecting information.
These two domains can also be differentiated with respect to data and information. It’s important to note that not every piece of data is information. Data is a collection of facts, while information puts those facts into context. For example, “100798” is a piece of data that becomes information when you know that it’s the date of birth of a person. While cybersecurity focuses on protecting the data at large, information security delves a little deeper to protect information from unauthorized access or alteration.
Information security vs. information assurance
The differences between information assurance and information security are more than just semantics. Let’s break it down in terms of focus, approach and scope:
- Focus: Information assurance focuses on quality, reliability and restoration of information. Information security focuses on deploying security solutions, encryption, policies and procedures to secure information.
- Approach: Information assurance isn’t concerned with the specific technology or tools used to protect information but is centered around developing policies and standards. Information security directly deals with tools and technologies used to protect information — making it a hands-on approach to safeguarding data from threats.
- Scope: By emphasizing organizational risk management and overall information quality, information assurance tends to have a broad scope. Information security has a detailed scope since it focuses on risk control and agreement.
Information security principles
Information security programs are built with three principles in mind — the so-called “CIA Triad” — confidentiality, integrity and availability.
Confidentiality is probably the first word that would come to your mind when someone mentions information security. Sensitive information is supposed to be accessed only by authorized individuals or entities. Therefore, information security initiatives uphold the confidentiality of information by identifying who is trying to access information and blocking the attempts by those who are not authorized.
This is about maintaining the accuracy of the information and protecting it from being improperly modified, either accidentally or maliciously. While several techniques that safeguard confidentiality could also help in maintaining integrity, there are other tools that can better defend integrity.
If confidentiality refers to the data not being accessible to unauthorized users, availability is about making data accessible to those who have the appropriate permissions. Upholding this principle involves having enough network and computing resources to match the volume of data that needs to be available and a robust backup policy for disaster recovery.
Types of information security
The types of information security are determined based on the types of information and tools used to protect information and the domains where information needs to be protected.
Unsecure applications and application programming interfaces (APIs) jeopardize the security of a business’ network and information. Application security strategies are devised to prevent, detect and rectify bugs or other vulnerabilities in applications that are both used and developed by a business. Application security involves the use of specialized tools for application shielding, scanning and testing that help in detecting vulnerabilities in applications and surrounding components.
Cloud security refers to protections and tools focused on detecting and remediating vulnerabilities related to the cloud or cloud-connected components and information. It entails security teams to be aware of threats emerging from internet-facing services and shared environments such as public clouds.
Collaboration with a cloud provider or third-party service is also a significant part of a cloud security strategy since it isn’t possible for a business to fully control its environments while using cloud-hosted resources and applications.
Cryptography involves encrypting information so only users with the correct encryption key can access it. Encryption protects the confidentiality and integrity of information, whether it’s in storage or in motion. Businesses use different encryption algorithms or technologies, such as the advanced encryption standard (AES), to encrypt information.
Incident response is used to identify, investigate and respond to threats or damaging events. It essentially eliminates or reduces the damage caused to an IT environment due to malicious attacks, natural disasters, system failures or human error. This also includes any harm done to information such as loss or theft.
Businesses often use an incident response plan (IRP) that outlines the roles and responsibilities for responding to incidents. IRPs also inform security policy and formulate a path to improve protective measures using the insights gained from a particular incident.
The SANS Institute defines network security as “the process of taking physical and software preventative measures to protect the underlying networking infrastructure from unauthorized access, misuse, malfunction, modification, destruction or improper disclosure, thereby creating a secure platform for computers, users and programs to perform their permitted critical functions within a secure environment.”
It combines multiple layers of defense installed both inside the network and at its perimeter. Each layer implements policies and controls that only let authorized users gain access to network resources.
As the name suggests, vulnerability management is meant to discover and patch vulnerabilities before they are exposed or exploited. The fewer the vulnerabilities, the more secure a business’ information is. Vulnerability management efforts rely on testing, auditing and scanning to unearth issues, preferably with the help of automation. Once detected, vulnerabilities are then evaluated, classified and remediated.
Information security threats
Threats to information security can involve software attacks, theft of intellectual property, identity theft, theft of information, sabotage and information extortion. Common threats include:
- Insider threats
- Human error
- Poor security protocols
- Social engineering attacks
- Advanced persistent threats (APT)
- Outdated security software
- Business data on personal devices
- Distributed denial of service (DDoS)
- Man-in-the-middle attack
Information security management
Information security management implies having a set of policies and procedural controls in place to secure a business’ information assets from threats and vulnerabilities. Many businesses even create a formal and documented framework called an information security management system (ISMS). An ISMS helps businesses understand the ways they could suffer data breaches or other disruptive events and the preventive steps they need to take. Often, the responsibility for overseeing and implementing the ISMS is assigned to a chief information security officer (CISO).
What does a chief information security officer (CISO) do?
The responsibilities of a CISO include managing:
- Security operations: Real-time monitoring, analysis and triage of threats
- Cyber risk: Maintaining updated knowledge of threats and keeping the business’ leadership team informed of the threats and their potential impact
- Keeping insider threats under check: Preventing data loss and fraud that could be caused by malicious or negligent insiders.
- Security infrastructure: Implementing security best practices while acquiring, integrating and operating any IT asset
- Identity and access management: Verifying proper use of authentication, authorization and privilege-granting measures
- Program management: Staying ahead of security needs by implementing programs or initiatives that mitigate threats
- Investigations and forensics: Diagnosing what went wrong during a breach, identifying internal actors responsible and devising a plan to avoid recurrence
- Governance: Ensuring all information security initiatives run smoothly, the required funding is obtained and that corporate leadership understands the importance of all initiatives
Information security controls
Information security controls are countermeasures to reduce information security risks. These include security policies, procedures, plans, devices and software intended to strengthen information security. Typically implemented after an information security risk assessment, these controls are often categorized based on their type and their end goals.
Security controls are safeguards put in place to prevent a threat from exploiting a vulnerability. For example, security awareness training for all employees of a business to minimize the risk of social engineering attacks. They can be further divided into three types:
- Administrative: These controls define the human factors of security. They involve all levels of personnel within a business and determine the resources and information to which a given user has access. Implementing administrative controls usually requires additional security controls for continuous monitoring and enforcement.
- Logical: Logical security controls restrict the access capabilities of users and prevent unauthorized users from accessing the network. These may exist either in the operating system, database management system, application program or all three.
- Physical: Such controls refer to security measures implemented in a defined structure to prevent unauthorized access to sensitive information.
Access controls guarantee users are who they claim they are and that they have the appropriate authorization to access a business’ information. These controls identify users by verifying a set of credentials such as usernames and passwords, PINs, biometric scans and security tokens. After identifying and authenticating a user, access controls authorize the appropriate level of access and actions allowed for the user. The four access control models are discretionary access control (DAC), mandatory access control (MAC), role-based access control (RBAC) and attribute-based access control (ABAC). Access controls perform three actions:
- Identification: The ability to uniquely identify a user of a system or an application. In this process, it’s critical to ensure asserted credentials are unique so that users in a system can be differentiated from one another.
- Authentication: The ability to prove that a subject (user or application) is genuinely who it claims to be by verifying the provided credentials.
- Authorization: The mechanism to determine the access levels of a subject. It entails determining the subject’s privileges to access and use a business’ information.
Information security policy
An information security policy sets a documented standard for the acceptable use of a business’ information by its entire workforce. The aim is to protect the information’s confidentiality, integrity and availability. An effective information security policy also considers access to information stored on the cloud and defines the protocols applicable to third-party stakeholders.
It’s crucial for businesses of all sizes to set high-level information security controls that help in safeguarding information and complying with data protection regulations. Businesses generate data daily that needs to be protected appropriately.
What should an information security policy include?
An information security policy should typically include:
- A documented record of the purpose and overall objectives of the policy
- Thorough definitions of key terms used in the policy
- An access control policy to determine the information a given subject can access and what it can do with that information
- A password policy for ensuring appropriate password rigor
- A plan to guarantee data availability to all authorized subjects
- A detailed description of the roles and responsibilities of every employee (including leaders) for upholding information security
Information security certifications
Today’s cyberthreat landscape continues its explosive growth. As a result, business owners want only the best cybersecurity talent to help keep cybercriminals at bay. One way they select the crème de la crème is by looking at the information security and cybersecurity certifications candidates hold. Having certified professionals on their team helps businesses create a formidable cybersecurity defense. Some of the most sought-after certifications today are:
- Certified Cloud Security Professional (CCSP)
- Certified Ethical Hacker (CEH)
- Certified Information Security Manager (CISM)
- Certified Information Systems Auditor (CISA)
- Certified Information Systems Security Professional (CISSP)
- CompTIA Advanced Security Practitioner (CASP+)
- CompTIA Cybersecurity Analyst (CySA+)
- CompTIA PenTest+
- CompTIA Security+
- Offensive Security Certified Professional (OSCP)
- SANS GIAC Security Essentials (GSEC)
Information security compliance
Governmental agencies worldwide are focusing on information security more than ever before. Hence, taking a serious look at information security compliance is critical for businesses of all sizes. Information security compliance means complying with the rules and standards set by an agency or industry for the protection of sensitive information.
Many regulations list specific security requirements for information security that businesses must follow. Not complying with them could lead to regulatory action and fines against the business, or worse, data and security breaches.
Here are some of the prominent regulations that businesses must keep a keen eye on.
CIS (Center for Internet Security) Critical Security Controls
The CIS defines critical security controls — called CIS Controls — as “a prioritized set of safeguards to mitigate the most prevalent cyberattacks against systems and networks. They are mapped to and referenced by multiple legal, regulatory and policy frameworks”. The latest version of CIS Controls is aimed at keeping up with the greater need for information security due to the advancement of modern systems and software.
FERPA (Family Educational Rights and Privacy Act of 1974)
FERPA is a U.S. law that gives parents the right to access their children’s education records, seek to have the records amended and have some control over the disclosure of personally identifiable information (PII) from those records.
GDPR (General Data Protection Regulation)
GDPR is a regulation drafted and passed by the European Union . Applicable to each member of the EU, the GDPR mandates baseline standards for businesses that handle EU citizens’ data to better safeguard the processing and movement of citizens’ personal data.
HIPAA (Health Insurance Portability and Accountability Act of 1996)
HIPAA is another U.S. law to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. The HIPAA Privacy Rule lays down national standards for the protection of individuals’ medical records and other personal health information (PHI). The HIPAA Security Rule mandates appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity and security of electronically protected health information.
NIST (National Institute of Standards and Technology)
The NIST Cybersecurity Framework integrates industry standards and best practices to help businesses manage their cybersecurity risks.
PCI-DSS (Payment Card Industry Data Security Standard)
The PCI Data Security Standards define the operational and technical requirements for organizations accepting or processing payment transactions, and for software developers and manufacturers of applications and devices used in those transactions.
Information security compliance with Compliance Manager GRC
Compliance Manager GRC is a purpose-built IT security compliance solution that empowers your MSP business to provide improved IT security and robust compliance. You will be able to streamline the assessment, remediation and documentation processes for all IT security requirements. It gives you the flexibility to manage multiple compliance standards and customized infosec programs — all at the same time and in the same place.
Compliance Manager GRC gives you greater confidence that the information security programs you’ve put into place are actually working and generates the documentation to prove it. Most importantly, you don’t need additional headcount or prior knowledge of regulatory standards. Our Rapid Baseline Assessment will help you get up to speed quickly and demonstrate the need and value of compliance to your existing customers and prospects.
Schedule a one-on-one demo now to reduce risk, complexity and costs associated with information security and information security compliance.