Information security
Information security is the practice dedicated to safeguarding information from unauthorized access, use, disclosure, alteration, or destruction. This practice encompasses all forms of information and is broadly categorized into two main areas: information assurance, which focuses on protecting data from loss due to system failures or breaches, and IT security, which specifically deals with the protection of computer networks. Key stakeholders in information security include governments, military organizations, healthcare and financial institutions, corporations, and private individuals, all of whom strive to secure proprietary and sensitive data.
In the modern era, information security is particularly concerned with the protection of digital networks, although safeguarding physical documents remains essential. A robust information security framework rests on six critical components: confidentiality, integrity, authenticity, availability, utility, and possession. Risk management is a fundamental aspect of this practice, involving the identification and assessment of potential threats to information systems, along with the implementation of strategies to mitigate these risks. As technology evolves, so too do the tactics employed by those seeking to compromise security, necessitating continuous adaptation and vigilance within the field.
Information security is the practice of protecting information from unauthorized use, disclosure, access, modification, or destruction. The term applies to all information regardless of the form it takes and comprises two major categories: information assurance, which is the ability to ensure that data is not lost to a breakdown in system security caused by theft, natural disaster, or technological malfunction; and information technology (IT) security, which is the security applied to computer networks and the systems attached to them.
![The information security triad (CIA: confidentiality, integrity, availability). Image by JohnManuel, via Wikimedia Commons, licensed under the GFDL or CC BY-SA 3.0.](https://imageserver.ebscohost.com/img/embimages/ers/sp/embedded/89677573-58548.jpg?ephost1=dGJyMNHX8kSepq84xNvgOLCmsE2epq5Srqa4SK6WxWXS)
Those most commonly interested in implementing reliable and effective information security are governments, the military, health and financial institutions, corporations, and other private businesses that need to protect proprietary and confidential information related to their practices and operations. Private individuals are also concerned with information security and often use password protection and privacy settings on computers, cell phones, and other electronic devices. Information security in the twenty-first century is primarily concerned with protecting computer networks, but protecting paper files and other physical sources still remains a priority, especially in the wake of unauthorized disclosures of government information. A good information security system is designed around six key elements: confidentiality, possession (or control), integrity, authenticity, availability, and utility. This set is often called the Parkerian hexad, because it extends the classic confidentiality-integrity-availability (CIA) triad shown above with three further properties.
Brief History
The information security field has expanded significantly since the 1990s because of rapid advances in computer technology. These advances have fostered improved methods of IT security and information assurance, but they have also created more ways to infiltrate protected systems. Many businesses and government organizations continue to invest in specialized information security systems. For government organizations, this protection often spans multiple networks that are kept separate so that information is handled in accordance with applicable classification guidance and protected-disclosure practices. However, advancing technology, including artificial intelligence (AI), and the relatively low cost of personal computers and data-processing equipment have brought an increased threat of hacking, so those working in information security must remain agile enough to respond to threats before their systems are compromised.
Impact
Implementation of best practices is the key to an information system’s success in protecting critical data. These best practices include building a system with several components. The first is confidentiality: the system must protect data from disclosure even while moving it from one point to another within the system. For example, banking information should remain confidential during purchase transactions. Data integrity is another key component; it means ensuring that data remains accurate and uncorrupted throughout its lifecycle, which is commonly checked with cryptographic hashes or message authentication codes. Availability of data is also key; information security programs must ensure that data is available to authorized users when needed, which requires resilience (backups, redundancy, and protection against denial-of-service attacks) as well as access controls that admit authorized users without locking them out. Maintaining authenticity of data is also critical, especially online, where thousands of business transactions take place daily. Both the sender and the receiver must be able to confirm that the data is genuine and has not been modified or corrupted during the transaction. One way to do this is with digital signatures: a value computed over the data with the sender’s private signing key, which any party holding the corresponding public key can verify. A valid signature shows both who signed the data and that it has not changed since; a plain hash cannot show the first, because anyone who alters the data can simply recompute the hash.
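The following Go program is an added example, not code from the page or from any product it mentions. It shows the distinction drawn above between integrity and authenticity: a SHA-256 digest detects accidental corruption, while an Ed25519 signature (from Go’s standard library) binds the data to the sender’s key, so a transaction that an on-path attacker has rewritten passes the digest check but fails signature verification. The `Transaction` type, its field names, and the sample payment payload are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Transaction is a constructed sample message: the payload the sender transmits
// plus two checks the receiver can run. The field names are illustrative.
type Transaction struct {
	Payload []byte // the bytes whose integrity and authenticity matter
	Digest  string // hex SHA-256 of Payload: catches accidental corruption only
	Sig     []byte // Ed25519 signature over Payload made with the sender's private key
}

// NewKeyPair creates the sender's signing key. The private key never leaves the
// sender; the public key is what receivers use to verify.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Send is the sender side: attach a digest and a signature to the payload.
func Send(priv ed25519.PrivateKey, payload []byte) Transaction {
	return Transaction{
		Payload: payload,
		Digest:  sha256Hex(payload),
		Sig:     ed25519.Sign(priv, payload),
	}
}

// DigestMatches is an integrity-only check: it shows the payload was not
// corrupted in transit, but anyone who edits the payload can recompute it.
func DigestMatches(tx Transaction) bool {
	return sha256Hex(tx.Payload) == tx.Digest
}

// SignatureValid is the authenticity check: it passes only if the payload is
// byte-for-byte what the holder of the private key signed. The length guard
// matters because ed25519.Verify panics on a malformed public key.
func SignatureValid(pub ed25519.PublicKey, tx Transaction) bool {
	if len(pub) != ed25519.PublicKeySize || len(tx.Sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, tx.Payload, tx.Sig)
}

// Tamper models an on-path attacker who rewrites the payload and recomputes the
// digest (no secret needed) but has to reuse the old signature, because the
// private key is not available to them.
func Tamper(tx Transaction, newPayload []byte) Transaction {
	return Transaction{Payload: newPayload, Digest: sha256Hex(newPayload), Sig: tx.Sig}
}

func main() {
	pub, priv, err := NewKeyPair()
	if err != nil {
		panic(err)
	}
	// Constructed sample payment instruction.
	tx := Send(priv, []byte(`{"from":"acct-1001","to":"acct-2002","amount":"10.00"}`))
	// prints: genuine : digest ok=true signature ok=true
	fmt.Printf("genuine : digest ok=%v signature ok=%v\n", DigestMatches(tx), SignatureValid(pub, tx))

	evil := Tamper(tx, []byte(`{"from":"acct-1001","to":"acct-6666","amount":"9999.00"}`))
	// prints: tampered: digest ok=true signature ok=false
	fmt.Printf("tampered: digest ok=%v signature ok=%v\n", DigestMatches(evil), SignatureValid(pub, evil))
}
```

Note that the receiver must obtain the sender’s public key through a trusted channel (for example, a certificate issued by an authority it already trusts); a signature only proves that the holder of a particular private key signed the data, and the binding of that key to a real identity is what the sender’s credentials supply.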
Another essential component of information security is risk management, defined as the identification, assessment, and prioritization of risks, or uncertainties, and the corresponding allocation of resources and information security programs to manage them. A threat is anything capable of causing harm to an information asset, whether an attacker, a malfunction, or a natural disaster; a vulnerability is a weakness that a threat can exploit; and risk is the combination of how likely a threat is to exploit a vulnerability and how severe the resulting harm would be. That harm can be the disclosure of critical information to unauthorized users or financial loss. In broad terms, the risk management process for information security consists of identifying the assets covered by the information security program, conducting a threat assessment of the possible intrusions, conducting vulnerability analysis on the system in place, calculating the impact of potential loss of information, identifying appropriate responses to potential intrusions, and evaluating the effectiveness of the measures and responses put in place as a result. All risk management programs define an acceptable level of risk and put mitigation measures in place for anything above it. The acceptable level varies from organization to organization.
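As an added example (not taken from the page), the Go program below carries the process just described through the classic quantitative risk-analysis arithmetic, which the paragraph implies but does not name: single loss expectancy (asset value times exposure factor), annualized loss expectancy (SLE times annualized rate of occurrence), prioritization by expected annual loss, comparison against an acceptable level, and a cost/benefit figure for a candidate control. The register entries, the control, and the acceptable-loss threshold are constructed numbers, not measured data.

```go
package main

import (
	"fmt"
	"sort"
)

// Risk is one row of a constructed risk register: an asset paired with a threat
// to it. The numbers used below are illustrative, not measured data.
type Risk struct {
	Asset, Threat  string
	AssetValue     float64 // replacement or business value of the asset
	ExposureFactor float64 // fraction of that value lost in one incident (0..1)
	ARO            float64 // annualized rate of occurrence: expected incidents per year
}

// Control is a candidate mitigation and the exposure/frequency it leaves behind.
type Control struct {
	Name        string
	AnnualCost  float64
	ResidualEF  float64
	ResidualARO float64
}

// Validate rejects register rows that would make the arithmetic meaningless.
func Validate(r Risk) error {
	switch {
	case r.AssetValue < 0:
		return fmt.Errorf("%s/%s: asset value must be >= 0", r.Asset, r.Threat)
	case r.ExposureFactor < 0 || r.ExposureFactor > 1:
		return fmt.Errorf("%s/%s: exposure factor must be in [0,1]", r.Asset, r.Threat)
	case r.ARO < 0:
		return fmt.Errorf("%s/%s: ARO must be >= 0", r.Asset, r.Threat)
	}
	return nil
}

// SLE (single loss expectancy) is what one incident costs.
func SLE(r Risk) float64 { return r.AssetValue * r.ExposureFactor }

// ALE (annualized loss expectancy) is the expected loss per year: SLE x ARO.
func ALE(r Risk) float64 { return SLE(r) * r.ARO }

// ResidualALE is the expected annual loss that remains after a control is applied.
func ResidualALE(r Risk, c Control) float64 {
	return r.AssetValue * c.ResidualEF * c.ResidualARO
}

// ControlValue is the cost/benefit figure: risk reduced minus the control's own
// cost. A negative value means the control costs more than it saves.
func ControlValue(r Risk, c Control) float64 {
	return ALE(r) - ResidualALE(r, c) - c.AnnualCost
}

// Prioritize returns a copy of the register sorted by ALE, highest first.
func Prioritize(risks []Risk) []Risk {
	out := append([]Risk(nil), risks...)
	sort.SliceStable(out, func(i, j int) bool { return ALE(out[i]) > ALE(out[j]) })
	return out
}

// AboveAppetite returns the risks whose ALE exceeds the organization's
// acceptable annual loss; these are the ones that need a response.
func AboveAppetite(risks []Risk, acceptable float64) []Risk {
	var out []Risk
	for _, r := range risks {
		if ALE(r) > acceptable {
			out = append(out, r)
		}
	}
	return out
}

func main() {
	// Constructed register: values, exposure factors and rates are assumptions.
	register := []Risk{
		{"customer database", "data breach", 1_000_000, 0.5, 0.25},
		{"public web server", "DDoS outage", 200_000, 0.25, 2},
		{"staff laptop", "theft", 3_000, 1.0, 0.5},
	}
	for _, r := range register {
		if err := Validate(r); err != nil {
			panic(err)
		}
	}
	const acceptable = 10_000 // assumed risk appetite: 10,000 per year per risk
	for _, r := range Prioritize(register) {
		fmt.Printf("%-18s %-12s SLE=%9.0f ALE=%9.0f\n", r.Asset, r.Threat, SLE(r), ALE(r))
	}
	fmt.Println("risks above appetite:", len(AboveAppetite(register, acceptable)))

	// One candidate response for the top risk; cost and residual figures are assumed.
	dlp := Control{"encryption + DLP", 40_000, 0.125, 0.25}
	fmt.Printf("%s on %s: residual ALE=%.0f, net annual value=%.0f\n",
		dlp.Name, register[0].Asset, ResidualALE(register[0], dlp), ControlValue(register[0], dlp))
}
```

The last step of the process, evaluating effectiveness, is what the residual figures are for: after a control is deployed, the observed incident rate and loss feed back into `ResidualEF` and `ResidualARO`, and a control whose `ControlValue` turns negative is a candidate for replacement.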
Information security specialists work to mitigate vulnerabilities through increased monitoring of all systems and proper training of all personnel with access to critical information.