What is Information Security?

Information Security is simply the process of keeping information secure: protecting its availability, integrity, and privacy.

Information has been valuable since the dawn of mankind: e.g. where to find food, how to build shelter, etc. As access to computer stored data has increased, Information Security has become correspondingly important. In the past, most corporate assets were “hard” or physical: factories, buildings, land, raw materials, etc. Today far more assets are computer-stored information such as customer lists, proprietary formulas, marketing and sales information, and financial data. Some financial assets only exist as bits stored in various computers. Many businesses are solely based on information – the data IS the business.

Information Security is a Process:
Effective Information Security incorporates security products, technologies, policies and procedures. No collection of products alone can solve every Information Security issue faced by an organization. More than just a set of technologies and reliance on proven industry practices is required, although both are important.  Products, such as firewalls, intrusion detection systems, and vulnerability scanners alone are not sufficient to provide effective Information Security.

Information Security is a process. An information systems Security Policy is a well-defined and documented set of guidelines that describes how an organization manages, protects its information assets and makes future decisions about its information systems security infrastructure. Security Procedures document precisely how to accomplish a specific task. For example, a Policy may specify that antivirus software is updated on a daily basis, and a Procedure will state exactly how this is to be done – a list of steps.

Security is Everyone’s Responsibility:
Although some individuals may have “Security” in their title or may deal directly with security on a daily basis, security is everyone’s responsibility. A chain is only as strong as its weakest link. A workplace may have otherwise excellent security, but if a help desk worker readily gives out or resets lost passwords, or employees let others tailgate on their opening secure doors with their keycard, security can be horribly compromised. Despite the robustness of a firewall, if a single user has hardware (e.g. a modem) or software (e.g. some file sharing software) that allows bypassing the firewall, a hacker may gain access with catastrophic results. There are examples where a single firewall misconfiguration of only a few minutes allowed a hacker to gain entrance with disastrous results. Security is an issue during an application’s entire lifecycle. Applications must be designed to be secure, they must be developed with security issues in mind, and they must be deployed securely. Security cannot be an afterthought and be effective. System analysts, architects, and programmers must all understand the Information Security issues and techniques that are germane to their work.

End user awareness is critical, as hackers often directly target them. Users should be familiar with Security Policies and should know where the most recent copies can be obtained. Users must know what is expected and required of them. Typically this information should be imparted to users initially as part of the new hire process and refreshed as needed.

Information Security involves a Tradeoff between Security and Usability:
There is no such thing as a totally secure system – except perhaps one that is entirely unusable by anyone! Corporate Information Security’s goal is to provide an appropriate level of security, based on the value of an organization’s information and its business needs. The more secure a system is, the more inconvenience legitimate users experience in accessing it.

Remember, IT - and Information Security are business support functions:

Unless a companies business is IT, IT is (one of many) business support functions. Many IT professionals lose perspective - we do not!