An Introduction To
Information, Network and Internet Security


What is 'Information Security'?

Information security is exactly what it says: the security of information.

Typically, this is the information that you or an organisation 'own' and process.

Applying security to information is analogous to the application of security to any physical asset.

Take, for example, your home or car. Protecting it can be summarised as follows:

·         You need to have someone responsible for your car or home (you) so that this person can set the level of security required;

·         If you have two homes or cars, which one do you spend more on protecting? If you have only one, what level of protection do you set (risk assessment)?

·         If you get burgled, how do you know what is missing from your house or car (asset register)?

·         If you are going to have staff or third parties work on your car or in your house (perhaps you run a business or work from home?) then how do you select them and what protection do you need to have in place (personnel and contract security)?

·         What level of physical security, in terms of locks, bolts or alarms, do you need to have in place, including the infrastructure that supports them (physical security)?

·         If you have a computer at home that is used by the family, you need to ensure that it is working properly and that it is properly managed and maintained, including such things as backups (communications and operations management);

·         If you work from home then you may not want all of the family to view your work or you may need to ensure, as a responsible parent, that your children are protected from adult or inappropriate content on the internet (access control);

·         If, like many people, you do some programming, you will want to test the code properly before putting it live on the system. You also need to ensure that any testing is done with appropriate security in place and that you don't break the law (system development and maintenance);

·         If your car is stolen, what fall back do you have to allow you to travel as if you still had your car (fallback planning)?

·         When running your car or maintaining your house what legal or regulatory aspects do you need to take note of and how can you prove that you are complying with them (legislative and regulatory compliance).

Historically, information security has been called a number of different things such as:

·         Data security;

·         IT Security;

·         Computer security.

But these terms (except possibly data security) ignore the fact that the information held on the computers is almost always worth many times more than the computers it runs on.

The correct term is 'information security' and typically information security comprises three component parts:

·         Confidentiality. Assurance that information is shared only among authorised persons or organisations. Breaches of confidentiality occur when data is not handled in a manner appropriate to safeguarding it. Disclosure can take place by word of mouth, or by printing, copying, e-mailing or creating documents and other data;

·         Integrity. Assurance that the information is authentic and complete, and can be relied upon to be sufficiently accurate for its purpose. The term 'integrity' is used frequently in information security because it is one of the primary indicators of security (or the lack of it). The integrity of data is not only a question of whether the data is 'correct', but of whether it can be trusted and relied upon;

·         Availability. Assurance that the systems responsible for delivering, storing and processing information are accessible when needed, by those who need them.

These components have been at the root of information security since the start of computing and the growing need for information security. It has been suggested that these should be reviewed completely (Parker 1998) or that at least two more components should be added:

·         Accountability. Someone is personally accountable and responsible for the protection of an asset or set of assets. The emphasis here is on the 'someone' and the 'personally accountable'. In practice this often breaks down in an organisational setting, but it should still be the goal;

·         Auditability. This component has two parts: firstly, that any state a system is found in can be traced back to determine how it got into that state; and secondly, that an ongoing process of management review or audit is undertaken to ensure that the systems meet all documented requirements.

These two new components are derived from BS 7799 (BS 7799 2002), ISO 27002 (ISO 27002 2005) and ISO 27001 (ISO 27001 2005).
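Integrity and auditability as defined above have a concrete engineering counterpart: a tamper-evident audit log that records who did what, whose entries cannot be altered, removed or reordered without detection, and which can be replayed to show how the system reached its current state. The Python below is an added example and is not code from the original page or from any of the cited standards. It assumes a hash-chained log where each entry carries an HMAC over the previous entry's MAC plus the record; the key, the actors and the file actions are all constructed for the demonstration.

```python
import hashlib
import hmac
import json

# Constructed demo key. A real deployment keeps this in a KMS/HSM so that
# whoever can write the log cannot also forge its MACs.
DEMO_KEY = b"demo-only-key-do-not-use-in-production"

GENESIS = "0" * 64  # chain anchor used as the 'previous MAC' of the first entry


def _canonical(record):
    # Canonical JSON so the same record always produces the same bytes.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def _entry_mac(key, prev_mac, record):
    # The MAC binds this record to the MAC of the entry before it (the chain link).
    return hmac.new(key, prev_mac.encode() + _canonical(record), hashlib.sha256).hexdigest()


def append(log, key, actor, action, target):
    """Append an entry recording who (actor) did what (action) to what (target)."""
    prev_mac = log[-1]["mac"] if log else GENESIS
    record = {"seq": len(log), "actor": actor, "action": action, "target": target}
    log.append({"record": record, "prev": prev_mac, "mac": _entry_mac(key, prev_mac, record)})
    return log


def head(log):
    """MAC of the last entry; store it somewhere the log writer cannot reach."""
    return log[-1]["mac"] if log else GENESIS


def verify(log, key, expected_head=None):
    """Return (ok, index): index is the first entry that fails, or None if all pass.

    Every link is recomputed, so editing, deleting or reordering an earlier entry
    breaks all later entries. Silent truncation of the tail is only caught when the
    caller supplies the independently stored expected_head.
    """
    prev_mac = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev_mac or entry["record"]["seq"] != i:
            return False, i
        if not hmac.compare_digest(entry["mac"], _entry_mac(key, prev_mac, entry["record"])):
            return False, i
        prev_mac = entry["mac"]
    if expected_head is not None and prev_mac != expected_head:
        return False, len(log)
    return True, None


def replay(log):
    """Auditability: rebuild which files exist and who created them by replaying
    the log, so the current state is traceable to the actions that produced it."""
    state = {}
    for entry in log:
        r = entry["record"]
        if r["action"] == "create":
            state[r["target"]] = r["actor"]
        elif r["action"] == "delete":
            state.pop(r["target"], None)
    return state


def demo():
    """Build a small constructed log, then show three tampering attempts."""
    log = []
    append(log, DEMO_KEY, "alice", "create", "payroll.xlsx")
    append(log, DEMO_KEY, "bob", "create", "notes.txt")
    append(log, DEMO_KEY, "alice", "delete", "notes.txt")
    anchor = head(log)

    # 1. Rewrite history: make it look as if alice deleted the payroll file.
    edited = json.loads(json.dumps(log))
    edited[2]["record"]["target"] = "payroll.xlsx"

    # 2. Remove the middle entry entirely.
    dropped = [log[0], log[2]]

    # 3. Quietly drop the last entry (invisible without the stored anchor).
    truncated = log[:2]

    return {
        "intact": verify(log, DEMO_KEY, anchor),
        "state": replay(log),
        "edited": verify(edited, DEMO_KEY),
        "dropped": verify(dropped, DEMO_KEY),
        "truncated_no_anchor": verify(truncated, DEMO_KEY),
        "truncated_with_anchor": verify(truncated, DEMO_KEY, anchor),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Two design points matter for a practitioner. The chain alone detects modification, deletion and reordering of earlier entries, but not truncation of the tail, which is why `head()` exists: the latest MAC must be anchored somewhere the log writer cannot alter (a separate system, a signed timestamp, a printed value). And because the MAC is keyed, the property only holds if the key is held by a party other than whoever can write the log; an unkeyed hash chain would let that party simply rebuild the chain after editing it.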



The Security Practitioner

An Introduction to Information Security