Understanding the Fundamentals of Information Security
This article was updated in November 2021.
What is Information Security?
Think of information as data: everything that is recorded about something or someone. It is not limited to credit card numbers. It can be the details of a client project, or the fields stored when someone creates a user profile.
Security simply means being safe and protected from threats.
Information security, in essence, is the protection of something or someone’s data. In this article, we will look at what Information Security (Info Sec) means and the fundamental security characteristics of information.
The exact scheme varies between organizations, but information is commonly classified along the following lines:
- Public. This is openly available to the public and does not require special handling.
- Internal. This is data shared within your organization and should not be disclosed outside it. It will usually have some level of access control applied to it.
- Personal. This is information provided by users that is personal or personally identifiable. This should be limited to only the information required by an organization for a specific purpose, such as a physical address for mailing documents, and should not include information that will not be used.
- Confidential. This can constitute general information about a client and will have access control in place so that only a specific audience has access.
- Special Confidential. Information in this class is not only confidential but has a still higher degree of sensitivity around who may access it and how.
Information Security Principles
There are three fundamental principles underpinning information security, or three lenses through which to look at it. Together they make up the CIA Triad of information security: confidentiality, integrity and availability.
The CIA Triad is a well-known model for security policy development, used to identify problem areas and solutions for information security.
Confidentiality
Confidentiality is really about privacy. The purpose of this principle is to keep information hidden, and make it accessible only to people that are authorized to access it. For example, your medical history is something you want kept private, and only a few people, such as your doctor, should have access to it.
Typically encryption and strict access control are used to keep information confidential. Encryption alone is not enough, though, because confidentiality is often breached through people and process rather than technology. For example, a doctor calls you by your full name in the reception area of a medical clinic: the fact that you are a patient there, and who you are, has just been disclosed to everyone in the room. That is a breach of confidentiality even though every record in the clinic's database is encrypted. Each employee in an organization must be aware of their responsibilities in maintaining the confidentiality of the information they have access to.
Integrity
Integrity refers to the accuracy and the reliability of data or information in your system. One of the things that hackers attempt is to make unauthorized modifications or changes to data stored in a system.
An example of this would be a website that is defaced and replaced with a message set up by the attacker, which corrupts the integrity of the site. Alternatively, on an ecommerce website, an attacker modifies the shipping postal code on an order. As a result, the integrity of the order records has been compromised, even though nothing was disclosed.
Corrupting data integrity isn't limited to malicious attacks. More often it happens accidentally. For example, a database administrator making a bulk update to an employee registry mistakenly updates the wrong set of records. The accuracy and reliability of the information has been corrupted, and therefore its integrity has been compromised.
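The two properties above can be enforced mechanically rather than left to good intentions. The following is an added example written for this article, not code from the original page or from any particular product. It models a small patient registry (the records and principals are constructed sample data, the key is a placeholder): reads are checked against a per-record access list (confidentiality), every record carries an HMAC tag so a change made behind the application's back, whether an attacker editing a postal code or a direct database edit, is detected (integrity), and bulk updates refuse to run unless the number of matching records is exactly what the operator expected, which is the check that would have stopped the accidental registry update described above.

```python
import hashlib
import hmac
import json

# Assumption: a key held by the application and never stored beside the data.
# This placeholder value exists only so the example runs offline.
TAG_KEY = b"example-tag-key-not-for-production"


def compute_tag(data: dict) -> str:
    """HMAC-SHA256 over a canonical JSON encoding, so any field change alters the tag."""
    canonical = json.dumps(data, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(TAG_KEY, canonical, hashlib.sha256).hexdigest()


class RecordStore:
    """In-memory store that enforces an access list on every read and write
    and keeps an integrity tag next to each record."""

    def __init__(self, acl: dict):
        self.rows = {}      # record_id -> {"data": dict, "tag": str}
        self.acl = acl      # record_id -> set of principals allowed to access it

    def _authorize(self, record_id: str, principal: str) -> None:
        if principal not in self.acl.get(record_id, set()):
            raise PermissionError(f"{principal} is not authorized for {record_id}")

    def put(self, record_id: str, data: dict, principal: str) -> None:
        self._authorize(record_id, principal)
        self.rows[record_id] = {"data": dict(data), "tag": compute_tag(data)}

    def verify(self, record_id: str) -> bool:
        """Integrity check: recompute the tag and compare it in constant time."""
        row = self.rows[record_id]
        return hmac.compare_digest(compute_tag(row["data"]), row["tag"])

    def read(self, record_id: str, principal: str) -> dict:
        """Confidentiality: only principals on the record's access list get the data,
        and a record that fails its integrity check is never served."""
        self._authorize(record_id, principal)
        if not self.verify(record_id):
            raise ValueError(f"{record_id} failed integrity check")
        return dict(self.rows[record_id]["data"])

    def bulk_update(self, predicate, changes: dict, expected_count: int, principal: str) -> int:
        """Guarded bulk update: count the matching records first and refuse to touch
        anything if the count differs from what the operator expected."""
        targets = [rid for rid, row in self.rows.items() if predicate(row["data"])]
        for rid in targets:
            self._authorize(rid, principal)
        if len(targets) != expected_count:
            raise RuntimeError(
                f"refusing bulk update: {len(targets)} records match, expected {expected_count}"
            )
        for rid in targets:
            new_data = {**self.rows[rid]["data"], **changes}
            self.rows[rid] = {"data": new_data, "tag": compute_tag(new_data)}
        return len(targets)


def build_demo_store() -> RecordStore:
    """Constructed sample registry: two patients, two doctors, no receptionist access."""
    acl = {"pt-001": {"dr_lee"}, "pt-002": {"dr_lee", "dr_ng"}}
    store = RecordStore(acl)
    store.put("pt-001", {"name": "A. Patient", "postal_code": "10001", "clinic": "north"}, "dr_lee")
    store.put("pt-002", {"name": "B. Patient", "postal_code": "10002", "clinic": "north"}, "dr_ng")
    return store


if __name__ == "__main__":
    store = build_demo_store()
    print(store.read("pt-001", "dr_lee"))                 # authorized read succeeds
    try:
        store.read("pt-001", "receptionist")              # not on the access list
    except PermissionError as exc:
        print("denied:", exc)
    store.rows["pt-001"]["data"]["postal_code"] = "99999"  # tampering behind the store's back
    print("pt-001 intact:", store.verify("pt-001"))        # False
    try:
        store.bulk_update(lambda d: d["clinic"] == "north", {"clinic": "central"}, 1, "dr_lee")
    except RuntimeError as exc:
        print("blocked:", exc)                             # two records match, not one
```

The HMAC tag detects modification but does not prevent it; preventing it is the job of the access control on `put`. The bulk update guard is deliberately strict: an operator who expected one record and matches two gets an error rather than a partial change, which is the cheap version of running a count before the update in SQL and wrapping the update in a transaction.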
Availability
Availability is the accessibility of information: people with authorization can get to the information when they need it.
Availability is lost whenever an authorized user's access is interrupted, whether the system is down, the data cannot be reached, or the data has been compromised and can no longer be trusted.
One cause of disruption most people are familiar with is an attacker "taking down" a website with a Denial of Service (DoS) or Distributed Denial of Service (DDoS) attack. However, as with confidentiality and integrity, interruptions in availability can happen without any intention of doing harm.
For example, a cloud-based service like Amazon Web Services (AWS) can experience technical outages that affect the availability of every information system built on the platform. Other causes include planned downtime for upgrades, power outages and natural disasters.
Why does it matter?
InfoSec is a combination of technologies and human activity. It provides the strategies for managing the processes, tools and policies necessary to prevent, detect, document and counter threats to digital and non-digital information.
The CIA Triad is the set of lenses through which to assess threats and risks to the security of data. The model was designed to guide information security policy within an organization.
Information security is an expansive topic, but ensuring the confidentiality, integrity and availability of data is essential when planning any security system for the information you handle.