Nowadays, security has become both a priority and a necessity: attackers are capable, vulnerabilities are everywhere, and enterprises are looking to protect their confidential data by implementing new strategies, namely Information Security strategies.
What is Information Security?
The US National Information Systems Security Glossary defines Information Security this way:
- The protection of information systems against unauthorized access to or modification of information, whether in storage, processing or transit, and against the denial of service to authorized users or the provision of service to unauthorized users, including those measures necessary to detect, document, and counter such threats.*
When thinking of IT security, three common elements define IT security.
- Confidentiality. This element defines the requirement that any data maintained within the enterprise is available only to those individuals who require the data. Not all data needs this protection; for example, some data might be provided freely on the Internet or at trade shows. Confidentiality of data is critical when dealing with personal data, such as name, social security number, date and place of birth, mother's maiden name, or medical records. Finally, governments and other institutions have laws, regulations, and other requirements that govern the confidentiality of the data companies maintain.
- Integrity. This element refers to the maintenance of data within the enterprise. Data within the enterprise must be accurate and consistent for the entire time the enterprise stores the data. This element is a critical aspect to the design, implementation, and usage of systems that store, process, or retrieve data.
- Availability. Availability refers to the controls placed on data to provide access to that data. The term can also refer to the devices on an enterprise's network that provide instant access to data. Within IT security, this element dictates the development of security procedures to keep the systems secured. These procedures include applying the appropriate security settings on each system and developing a patch process. The goal of availability is to keep systems secure from malicious activities that might interfere with access to the data stored on these systems.
IT security that meets these three elements must balance usability of the data against the costs to secure it. Consider these two scenarios:
- A company cannot afford to implement a number of security tools for the enterprise. Also, that company might not even have a dedicated employee to maintain security within the organization. This scenario places the responsibility on each user to control who can have access to the data maintained by that company. Within this scenario, the associated IT security costs are low. Likewise, the user experience has fewer inhibitors, such as multiple user IDs or passwords, to access the enterprise's data. In this scenario, the company accepts a high risk factor but a low IT security cost.
- A company has at least one dedicated person for maintaining and implementing security within the enterprise. This individual is responsible for securing the company's data by implementing an Information Security program. This IT security program is designed to meet the requirements of the key elements of IT security. Unlike the first scenario, the security program enforces data access controls such as user IDs, passwords, and access to data based on need. It is this individual's responsibility to assign the access controls or to delegate this responsibility to the data owner.
For this company, the cost of IT security is higher than in the first scenario. This company bears the cost of the full-time employee along with the costs of obtaining, installing, and maintaining the security tools that are implemented within the company. Another hidden cost is the cost of creating and maintaining the Information Security program. Likewise, by implementing this security program, the user experience is not as smooth. Each user is required to obtain authorization from a manager or the data owner showing that the user needs to access specific stored data. Depending upon the security tools, the user might have to maintain multiple user IDs and passwords to access data across departments. In this scenario, the company accepts a lower risk of compromise of the company's data, while accepting a higher cost for implementing the security measures.
One of the most important concepts within Information Security is knowing that you cannot be 100% secure. The only way to achieve absolute security is to turn off every computer and securely wipe its hard disk, returning to paper documents. Obviously, this approach to security is impractical. For a company to remain competitive, it must collect data and use that data to improve the growth of the company. Also, even if you apply every patch to each system and ensure that the systems have their security configurations set correctly, new methods for attacking systems are continually discovered. In this situation, the key is to know the extent of a potential compromise, both in terms of the number of systems affected and their location. For critical systems that must provide publicly available data, you must carefully monitor the system until a resolution is implemented.
* National Information Assurance (IA) Glossary, Committee on National Security Systems -> http://www.ncix.gov/publications/policy/docs/CNSSI_4009.pdf