What is Information Security (Infosec)? (2023)

What is information security?

Information security, often abbreviated as Infosec, is the practice, policies, and principles for protecting digital data and other types of information. Infosec responsibilities include establishing a set of business processes that protect information assets, regardless of how that information is formatted, transmitted, processed, or stored.

In general, an organization applies information security to protect digital information as part of an overall plan.internet securityProgram. The three fundamental principles of Infosec, calledCIA-triad, is it soconfidentiality,integrityyAvailability.

In short, with Infosec you ensure that your employees get the data they need and prevent others from accessing it. It can also be associatedRisk managementand legal regulations.

Information security principles

Die CIA-Triade

The overall goal of Infosec is to let the good guys in and keep the bad guys out. The three main aspects that support this are confidentiality, integrity and availability. This is called the CIA triad or the three pillars or principles of information security.

Confidentiality is the principle that information should only be accessible to those who have the appropriate authority for that data. Integrity is the principle thatInformationit is consistent, accurate and reliable. Availability is the principle that information is readily available to those with the proper authority and remains so if inconvenience to users is not minimized.

These three principles do not exist in isolation, but they inform and influence each other. Therefore, any infosec system involves a balance of these factors. As an extreme example, information stored in a vault, like a written piece of paper, is confidential but not readily available. The information set in stone displayed in the lobby has a high level of integrity, but it is not confidential or available.

For a detailed discussion see:Confidentiality, integrity and availability (CIA triad).

Other information security principles

While the CIA triad forms the basis of information security policy and decision making, other factors must be incorporated into a comprehensive information security plan.

Because infosec involves a balance of competing factors, it is associated with risk management. The goal here is to maximize the positive results and minimize the negative ones. Organizations use risk management principles to determine the level of risk they are willing to take when implementing a system. You can also configure protections and mitigations to reduce risk.

data classificationConsideration should also be given in infosec to pay special attention to information that must remain strictly confidential or data that must remain highly available.

Information security is not limited to digital data and computer systems. A comprehensive information security policy also covers physical information, printed information, and other types of media. may also includeConfidentiality agreements.

Organizations must also employ user education to protect data, as well as IT controls and corporate policies.risk mitigationfactors For example, to limit the risk of an accounting analyst changing financial data, an organization might set up a technical control that restricts change rights and records changes. Alternatively, this risk can be mitigated by having an organizational policy that requires a second person to review closed records.

Another important factor of Infosec isundeniability, that is, the ability to demonstrate that the information has not been manipulated. Data stored or transmitted must not be altered by anyone, its source must be trusted, and it must not be accidentally or maliciously altered.

Business continuity and disaster recovery (BCR) are additional considerations to infosec. The data must remain available and unaltered in the event of a software or hardware failure. However, organizations can achieve thisfusesor redundant systems.

to considerchange managementalso an infosec policy. Mismanaged changes can cause failures that affect the availability of a system. System changes can also affect the overall security of stored data.

Local laws and government regulations also influence information security decisions. Supervisory authorities often regulate personal data (personal information) depending on the region. Regulations such as the Health Insurance Portability and Accountability Act (HIPAA) for medical data, Payment Card Industry Data Security Standard (PCI-DSS) for payment information or the European Union (EU) General Data Protection Regulation (GDPR) legislation may, for example, require that certain information be treated differently or that specific controls be established.

Jobs in information security.

Most roles that work with computers include an element of information security. Therefore,Infosec-Jobsthey may vary in their titles between organizations and may be interdisciplinary or interdepartmental.

The Director of Information Technology (IT) Security (OSC) or Director of Information Security (CISO) is responsible for the general cybersecurity and information security policy in collaboration with the Chief Information Officer (CIO). A security engineer or security systems administrator (sysadmin) may be responsible for implementing or evaluating information security controls.

An information security analyst or IT security consultant may be responsible for conducting risk assessments, evaluating the effectiveness of controls, or analyzing an outage and its impact.

Learn more about theTypes of Information Security Jobsthat are present

Information security certifications.

ANumber of certificationsare available to IT professionals who already have, or want to, focus on infosec and cybersecurity more broadly, including:

• CompTIA Security+.This certification covers basic cybersecurity knowledge and is used to qualify for entry-level information security and IT roles.
• Certified Public Accountant in Information Systems (CISA). ISACA, an independent, nonprofit association dedicated to professionals in the fields of information security, assurance, risk management, and governance, offers this certification. The exam certifies the knowledge and skills of security professionals. To qualify for this certification, candidates must have five years of professional experience in information systems auditing, control, or security.
• Certified Information Security Manager (CISM).CISM is an advanced certification offered by ISACA that validates individuals who have demonstrated the in-depth knowledge and experience necessary to develop and manage enterprise information security programs. With this certification, ISACA is aimed at information security managers, potential managers or IT consultants who support the management of information security programs.
• GIAC Security Fundamentals (GSEC).Created and maintained by the Global Information Assurance Certification (GIAC) organization, this certification is intended for security professionals who wish to demonstrate that they are qualified for practical tasks related to security tasks related to IT systems. The exam requires candidates to demonstrate an understanding of information security that goes beyond simple terminology and concepts.
• Certified Expert in Information Systems Security (CISP).CISSP is an advanced certification offered by(ISC)², an international non-profit cybersecurity certification body. For experienced cybersecurity professionals, the exam includes the ability to design and implement an infosec program.