Safekipedia

Information security

Adapted from Wikipedia

A poster showing tips and guidelines for keeping information safe and secure.


Information security, also called infosec, is about keeping information safe. It helps stop people from using, changing, or harming data without permission. This data can be on computers or even on paper. The goal is to make sure information stays safe, correct, and ready to use when we need it, while still letting people get their work done.

To help everyone stay safe, experts have made rules and tips. These talk about important things like passwords, antivirus software, firewalls, and encryption software. Laws help companies know how to take care of data properly.

Many businesses today use technology. IT security experts work to protect computers from being attacked. They do many jobs, such as keeping networks, applications, and databases safe. They also look for weak spots and plan for unexpected problems. This work is very important for keeping valuable information safe in big companies.

Standards

Information security standards are rules that help keep computers, devices, and information safe from harm. They give ideas, tools, and steps to solve problems and protect systems. These rules are made by groups around the world to stop cyber-attacks and help everyone stay safe.

Some important standards are the ISO/IEC 27000 family, made by the International Organization for Standardization and the International Electrotechnical Commission. They give rules for managing information security. The NIST Cybersecurity Framework from the U.S. National Institute of Standards and Technology helps groups manage risks. Other standards, like the Payment Card Industry Data Security Standard, focus on keeping credit card information safe.

Threats

Main article: Threat (computer security)

Information security threats are dangers that can harm or take important data. Common threats include software attacks like viruses, worms, phishing attacks, and Trojan horses. Other threats can involve stealing ideas, identities, or information, or even stopping a company's website until money is paid, like with ransomware.

Many places, such as governments, military groups, corporations, financial institutions, and hospitals, keep private details about people and important work. If this information is lost or stolen, it can cause big problems. Protecting this information is very important, and it helps keep personal details safe and private.

History

Poster promoting information security by the Russian Ministry of Defence

For a long time, leaders and soldiers have needed ways to keep their messages private. Julius Caesar made one of the first secret codes, called the Caesar cipher, to protect his important letters. Later, governments used special labels to show which information was sensitive and needed to be kept safe.

During World War II, complex machines like the Enigma Machine were used to hide messages. With computers and the internet, protecting information became even more important. As computers became more common, new challenges appeared in keeping data safe online. Today, protecting information is a big part of keeping our world secure.

Security Goals

The "CIA triad" is an important idea in information security. It stands for confidentiality, integrity, and availability.

  • Confidentiality means keeping information secret from people who shouldn’t see it.
  • Integrity means making sure information stays correct and isn’t changed without permission.
  • Availability means that information and the systems that store it should be ready when you need them.

Some organizations also care about goals like authenticity and accountability. These help make sure that people are responsible for what they do and that information is real. Different models and principles guide how to keep information safe, such as those from the OECD and NIST.

Risk management

Main article: Risk management

Risk management helps protect important information and things from harm. Risks happen when something bad, like a storm or a mistake, finds a weak spot in your systems. This can cause problems like losing data or money.

To manage these risks, groups look at what they have—like computers, data, and buildings. They think about what could go wrong and decide how to stay safe. They might decide the risk is small and do nothing, or add safety steps to make the risk smaller. Sometimes, they can pass the risk to another company by buying insurance. The goal is to keep risks low so they don’t cause big troubles.

Defense in depth

Main article: Defense in depth (computing)

Defense in depth is an important way to protect information. It means using many different safety steps together. If one step fails, others are still there to help. For example, a computer might use a firewall to block unwanted visitors, an antivirus program to find harmful software, and other tools to keep data safe. This way, protection comes from many layers working together, not just one thing. Keeping information safe needs everyone’s help, with good rules and careful watching.

Classification

Information security helps keep data safe by understanding its value and making rules to protect it. Not all information needs the same level of protection, so it is grouped into different classes.

For example, businesses might label information as Public, Sensitive, Private, or Confidential. Governments use labels like Unclassified, Confidential, Secret, or Top Secret.

Everyone who works with the information needs to know these labels and follow the rules for handling each type. The labels help keep important data safe and make sure the right protections are in place.

Access control

Main articles: Access control and Computer access control

Access control keeps information safe by making sure only the right people can see or use it. It works in three simple steps: identification, authentication, and authorization.

First, someone needs to show who they are, like saying their name or username. Next, they prove it with authentication. This can be something they know, like a password, something they have, like a card, or something they are, like a fingerprint. Last, authorization decides what information they can see and what actions they can take, now that they have shown and proven who they are.
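The three steps above, worked through in code. This is an added example, not part of the original article: the user store, names, passwords and roles are all constructed, and the password-hashing and role scheme is one common way of doing it, not the only one.

```python
import hashlib
import hmac
import os

# Passwords are never stored as plain text: each user gets a random salt and we
# keep only a slow PBKDF2 hash of salt + password.
def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def create_user(store: dict, username: str, password: str, role: str) -> None:
    salt = os.urandom(16)
    store[username] = {"salt": salt, "hash": hash_password(password, salt), "role": role}

# Step 1 (identification): the caller claims a username.
# Step 2 (authentication): they prove it with something they know, the password.
def authenticate(store: dict, username: str, password: str) -> bool:
    record = store.get(username)
    if record is None:
        # Do the same amount of hashing work for an unknown user, so timing
        # does not reveal which usernames exist.
        hash_password(password, b"\x00" * 16)
        return False
    candidate = hash_password(password, record["salt"])
    # Constant-time comparison, so timing does not reveal how many bytes matched.
    return hmac.compare_digest(candidate, record["hash"])

# Step 3 (authorization): what a proven identity is allowed to do, decided by role.
PERMISSIONS = {
    "reader": {"read"},
    "editor": {"read", "write"},
    "admin": {"read", "write", "delete"},
}

def authorize(store: dict, username: str, action: str) -> bool:
    return action in PERMISSIONS.get(store[username]["role"], set())

def access(store: dict, username: str, password: str, action: str) -> str:
    """Run the three steps in order and report why a request was refused."""
    if not authenticate(store, username, password):
        return "denied: authentication failed"
    if not authorize(store, username, action):
        return "denied: not authorized"
    return "allowed"

# Constructed sample users (not real credentials).
USERS = {}
create_user(USERS, "alice", "correct horse battery staple", "editor")
create_user(USERS, "bob", "bob-sample-passphrase", "reader")
```

Note that a wrong password and an unknown username give the same answer: the system only says more once the caller has proven who they are.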

Cryptography

Main article: Cryptography

Information security uses cryptography to change information into a special form that only the right person can read. This is called encryption. When someone with the right permission uses a secret code, called a cryptographic key, they can change the hidden information back to its original form. This is called decryption. This helps keep information safe when it is sent or stored.

Cryptography also helps in many ways. It makes sure people are who they say they are. It checks that messages haven’t been changed. It keeps online chats private. Older ways of sending information, such as Telnet and File Transfer Protocol (FTP), are being replaced by safer methods like Secure Shell (SSH). Wireless networks can use WPA/WPA2 to keep information private. Wired networks can use encryption methods like AES for safety. Tools like GnuPG or PGP can also hide the contents of files and emails.
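The Caesar cipher from the History section, written out to show the words defined above (encryption, decryption, and a key), plus why it is only a history lesson today. This is an added example, not part of the original article; the sample message is constructed.

```python
import string

ALPHABET = string.ascii_uppercase

def caesar_encrypt(plaintext: str, key: int) -> str:
    """Encryption: shift every letter forward by `key` places.
    The key is the secret; letters wrap around from Z back to A, and
    anything that is not a letter (spaces, punctuation) is left unchanged."""
    out = []
    for ch in plaintext.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)

def caesar_decrypt(ciphertext: str, key: int) -> str:
    """Decryption: the person who knows the key shifts the letters back."""
    return caesar_encrypt(ciphertext, -key)

def all_possible_decryptions(ciphertext: str) -> dict:
    """There are only 25 useful keys, so every candidate plaintext can be
    listed in a moment. That tiny key space is why the Caesar cipher gives
    no real confidentiality today, even though the idea of encrypting with a
    key is the same one modern ciphers such as AES use."""
    return {k: caesar_decrypt(ciphertext, k) for k in range(1, 26)}

def find_key_by_known_word(ciphertext: str, known_word: str):
    """Which key produces a candidate containing a word we expect to appear?
    Returns None if no shift works."""
    for k, candidate in all_possible_decryptions(ciphertext).items():
        if known_word.upper() in candidate:
            return k
    return None

# Constructed example: a short message and a key of 3 (Caesar's own shift).
SAMPLE_KEY = 3
SAMPLE_PLAINTEXT = "ATTACK AT DAWN"
SAMPLE_CIPHERTEXT = caesar_encrypt(SAMPLE_PLAINTEXT, SAMPLE_KEY)
```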

Process

The U.S. Federal Sentencing Guidelines can hold company leaders responsible if they don’t carefully manage their information systems.

In information security, “due care” means taking steps to protect a company’s resources and employees. “Due diligence” involves ongoing activities to keep protection systems working well. Organizations must practice due care when applying information security. The Duty of Care Risk Analysis Standard (DoCRA) helps evaluate risks and decide if safeguards are appropriate.

Incident response plans

Main article: Computer security incident management

Computer security incident management focuses on monitoring and responding to security events. Organizations use incident response plans (IRPs) when security breaches are detected. These plans involve a team with skills in areas like testing security and analyzing networks.

Change management

Main article: Change management (ITSM)

Change management is a process for controlling changes to computers, networks, and software. It aims to reduce risks from changes and keep systems stable. Not all changes need formal management—simple ones like creating a new user account usually don’t. But important changes, like upgrading a server, require careful planning.

The change management process includes requesting, approving, planning, testing, scheduling, communicating, implementing, documenting, and reviewing changes. Good change management procedures help make changes successful by using planning, reviews, and clear communication.

ISO/IEC 20000, The Visible OPS Handbook: Implementing ITIL in 4 Practical and Auditable Steps, and ITIL offer guidance on creating effective change management programs.

Business continuity

Main article: Business continuity planning

Business continuity management (BCM) helps organizations keep doing their important work even when something unexpected happens. It’s a way for businesses to handle problems and keep running smoothly. BCM is part of a company’s risk analysis to protect important work from any kind of threat.

BCM includes several key steps: figuring out what’s most important to the business, planning how to handle emergencies, setting up backup systems, testing these plans, and making sure everyone knows what to do. It also involves working with different teams inside the company to keep everything running well. While BCM looks at many kinds of risks, a disaster recovery plan (DRP) focuses on getting technology and communications back up and running quickly after a disaster. This plan includes steps like assessing risks, setting priorities, and making sure the plan works well through testing.

Laws and regulations

Privacy International 2007 privacy ranking. Green: protections and safeguards; red: endemic surveillance societies.

Many countries have laws to protect information and keep it safe. For example, the Data Protection Act 1998 in the UK helps protect personal information. In the United States, laws like the Family Educational Rights and Privacy Act (FERPA) keep student records private, and the Health Insurance Portability and Accountability Act (HIPAA) protects health information. These laws help make sure that private data is handled carefully and kept secure.

Culture

Information security culture is about the shared ideas and habits in a group that affect how well information is kept safe. It includes how people feel about security, what they do to protect information, and what they know.

Researchers have found important parts of security culture, like attitudes, actions, knowledge, talking about security, following rules, normal habits, and knowing responsibilities. Making security culture better is a continuing job. It means looking at what is already done, making plans, creating training, making changes, and checking progress often.

This article is a child-friendly adaptation of the Wikipedia article on Information security, available under CC BY-SA 4.0.
