What is Information Security?
The discipline of information security goes beyond simply restricting access to confidential business information. Information security can be defined as the implementation and management of the set of tools and processes whose goal is to preserve the three key elements of information security in the business:
Confidentiality - information that is classified as confidential must never be made available or disclosed to unauthorized persons, parties, processes or entities
Integrity - information owned by the business should be accurate and complete. Information should be controlled to ensure that it cannot be changed or altered, either by accident or on purpose, by anyone not authorized to do so. Maintaining data integrity also means avoiding data loss.
Availability - information that the business owns must be readily accessible and usable by an authorized person. Therefore, a critical aspect of information security is maintaining streamlined access to information for authorized persons and processes while entirely restricting access to the same information for unauthorized personnel.
Information security is fundamentally a risk management process for understanding potential security threats to the organization and determining how best to respond to those threats.
How Does Information Security Work?
Organizations that wish to reduce or eliminate instances of unauthorized access to sensitive data can implement a structured risk management process to identify potential information security risks and identify strategies for mitigating them. Each organization must develop an individualized approach to information security, as individual companies have different methodologies and requirements for collecting, storing, using and transmitting data. An organization can begin its risk management initiative by:
- Identifying informational assets within the business that need to be protected. This often includes things such as the identity of customers, specific data collected about customers such as health data or payment card information, intellectual assets and internal communications or documents.
- Identifying potential threats, vulnerabilities and impacts with respect to each asset.
- A threat is the "what" of a security risk. It could be a malware attack or a wave of phishing e-mails.
- A vulnerability is the "how" of a security risk. We want to identify the possible attack vectors and ask how each identified threat could manifest itself within our environment.
- An impact is what happens when the threat is realized. Some threats might have low impacts and others might have very high impacts to the business.
- Evaluate the overall risk associated with each threat based on the business's vulnerability to the threat and the potential impact. For example, you may decide that while phishing attacks are relatively common, the potential impact would probably be small, but that in the less likely event of a deliberate hack attempt, the impact would be large.
- Once you have identified and quantified all of the known risk, the next step is determining what to do about it. There are several methods for dealing with risk in information security:
- Avoidance - Sometimes a risk can be avoided by changing business activities to eliminate the source of the vulnerability.
- Acceptance - Some risks are not very likely and even if they manifested would not cause significant harm to the business. In these cases, we may be able to simply accept the risk.
- Control - Move forward with the business activities, but implement controls to either lessen the potential impact of the threat or reduce the probability of the threat being realized.
- Transfer - In some cases, your organization may be able to transfer a risk to someone else and avoid responsibility. For example, if your organization processes health insurance claims, you would be responsible for maintaining the security of all that patient data. If you were to outsource the process, however, you could also outsource the responsibility for information security and limit the risk to your business.
- Design and implement any security processes or controls that you have identified as necessary to limiting the overall information security risk to a manageable level.
- Continue to monitor information security within your organization and adjust your information security strategy as needed to address the most current threats and vulnerabilities and impact your organization.
What are Information Security Standards?
Companies that operate within certain industries may be governed by a legally mandated information security standard, or they may choose to comply with a published information security standard that is not enforced by law. Either way, an information security standard represents a set of best practices for managing information security procedures in the applicable context. Some of the most well-known information security standards include:
Payment Card Industry Data Security Standard (PCI DDS)
The PCI DDS security standard is mandated and enforced by credit card brands to increase the controls surrounding credit cardholder data and reduce incidences of credit card fraud. Under the standard, companies that collect cardholder data must satisfy six data control objectives:
- Build and maintain a secure network and systems
- Protect cardholder data
- Maintain a vulnerability management program
- Implement access control measures
- Monitor and test networks on a regular basis
- Maintain and enforce an information security policy
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
The HIPAA act establishes critical information security guidance for organizations that collect data in the health care and health insurance industries, specifically in the form of the HIPAA privacy rule and the HIPAA security rule.
The HIPAA privacy rule establishes administrative requirements for companies that store patient health data. These include training for employees and volunteers on privacy and security procedures, and the implementation of adequate safeguards to ensure that sensitive patient data is not disclosed to unauthorized parties.
The HIPAA security rule establishes a national standard for patient data that is transmitted or stored electronically in the United States.
ISO/IEC 27002: 2013
Written by the International Organization for Standardization (ISO), ISO 27002 provides best practices and guidance for establishing information security controls in the context of a formalized Information Security Management System (ISMS). An ISMS is a centrally managed framework for maintaining data security. It consists of policies, procedures, technical control and physical controls that collectively function to limit the risk associated with information security threats. Enterprise organizations are increasingly adopting ISMS software solutions to streamline and automate security management activities.