Information Security

Information security has never been as important as it is today. If you don’t know anything about information security, then right now is the time to learn. All over the world, hackers are trying to steal your data. In 2019 at least 16 billion data records were illegally accessed; in the first quarter of 2020, the number was 8 million, all exposed through breaches in information security. The data includes personal credit card numbers, home addresses, phone numbers, and confidential commercial information. The security threats are rapidly increasing and evolving as criminals discover new ways to beat the defenses to get at your valuable data. This article will help you learn more about information security and how it applies to you to be prepared to meet the threats.

What is Information security (Infosec)?

Information security, often abbreviated to ‘infosec,’ is a set of risk management practices that are intended to keep data secure from unauthorized access or alterations. This applies when the data is being stored somewhere, in paper and electronic form, and when it’s being moved from one location to another. Sometimes information security is referred to as ‘Data security.’ Keeping data secure is extremely important in today’s digital world.

The purpose of information security is to prevent or at least reduce the probability of any loss, damage, viewing, use, or disclosure of data. It also includes taking action to reduce the adverse impacts of any data related incidents.

The SANS Institute provides a more detailed definition of what is information security:

‘Information security refers to the processes and methodologies which are designed and implemented to protect print, electronic, or any other form of confidential, private, and sensitive information or data from unauthorized access, use, misuse, disclosure, destruction, modification, or disruption.’

Information security governance

What information security needs in addition to this is strong governance. The IT Governance Institute defines information security governance as

‘a subset of enterprise governance that provides strategic direction, make sure objectives are achieved, manages risk and uses organizational resources responsibility and monitors the success or failure of the enterprise security program.’

Although many IT and management roles include some elements of information security activities, information security is a recognised discipline with its own roles, responsibilities, and activities. In many organizations, this discipline is seen as being strategic and key to the ongoing success of the business.

Table of Contents

Cybersecurity

Sometimes information security is confused with cybersecurity. Strictly speaking, cybersecurity is the broader practice of defending IT assets from attack, including network security and application security that focus on protecting networks and applications, respectively.

The CIA triad

Cyber Security LockThe primary focus of information security is on providing balanced protection of the Confidentiality, Integrity, and Availability of data (CIA) without adversely affecting productivity. This is done using a structured risk management process that includes:

  • Identifying information assets.
  • Identifying potential threats, vulnerabilities, and impacts.
  • Evaluating the risks, including probability.
  • Deciding how to address or treat the risks.
  • Defining and implementing appropriate security controls to mitigate the risks.
  • Monitor, adjust, and improve.

Information security system

An information security system, often abbreviated to ISS or ISMS, is a set of controls that an organization implements to protect its information assets, including data. These controls are designed and implemented to reduce the likelihood of a data breach occurring and limit the impact if there is a breach.

Any information security system should be regularly and routinely reviewed and updated as required. ISO 27001, an international standard for information security, makes this mandatory. Organizations should initially establish the ISS (Plan), implement and operate the ISS (Do), monitor and review the ISS (Check), and maintain and improve the ISS (Act). This sequence is known in quality management as the PDCA cycle. The information security system should be reviewed and updated regularly to reflect any changes to the information environment and requirements, new threats, and new best practices for data security.

What does an information security system do?

A well designed and implemented information security system will govern the policies, procedures, processes, and workflows that are chosen by an organization to protect the security of its data. In order to maximize protection, the scope of the policies defined in the information security system and their implementation must include all parts of the organization. These should be aligned with the organization’s quality management system, using the PDCA (Plan, Do, Check, Act) cycle to ensure that the ISS policies remain valid and effective.  Most quality management systems will require all parts of the information security system to be fully documented and controlled.

The information security system does not have to treat all types of data in exactly the same way. A sound information security management system will recognize that different data types and even different fields in the data have different security requirements. For example, data types such as financial records and user’s login details are likely to require higher security levels than records of menus for the staff restaurant.

The design of the information security system should balance security requirements against practicality and productivity. Staff must always be able to carry out their tasks without excessive hindrance. Excessive controls for data types that do not require high levels of security can adversely affect productivity and the profitability of the organization.

Risk based design

It is impossible to provide 100% protection against security breaches. New ways to penetrate defenses are being continually developed, and just about all IT applications have security weaknesses. Whereas most hackers worked alone in the past, it is now very common to have highly skilled teams working together. Today’s data protection products are very effective but cannot guard against an employee’s malicious acts or the determined acts of well-funded hackers.

Hence organizations should use a risk-based approach to decide which assets need to have the highest level of protection and prioritize resources on the protection of those assets. A risk-based ISS design considers the relative risks of different types of information assets when allocating resources towards protecting them against security breaches.

Man in InfoSec center

Effective ISS implementation

Creating an information security system without effective implementation adds no value and will not provide the necessary security for the organizations information. There have been many instances of organizations that designed an information security system to meet external governance requirements without ensuring that it was used by the staff, leading to subsequent costly breaches in the security of information.  Protection against data breaches only happens following the effective implementation of the policies and the integration of information security into the culture of the organization. Creating and documenting the information security system must be followed by educating all staff on its importance, combined with specific training on how to use and follow it.  This training and education should be repeated at regular intervals, for all new staff, and following any significant data breaches. Compliance with the information security system must be embedded into the organization’s working practices and activities.

Basic principles of Information Security

While organizations use different approaches to protecting data, the information security principles and practices they follow tend to be the same or very similar. Each principle of information security has the same aim: to protect data. So what are the 3 principles of information security?

Information security principles

The basic components of information security are most often summed up by what is commonly referred to as the CIA triad: Confidentiality, Integrity, and Availability.

Confidentiality. This information security principle is what most people automatically think of if you mention protecting the security of information. Confidential data is information that should only be accessed by people who are authorized to do so. Therefore to ensure confidentiality, you must identify who is trying to access the data and have a method to stop unauthorized attempts.  Techniques to ensure confidentiality include passwords, encryption, and authentication.

Integrity. This principle is concerned with maintaining data in its intended state by preventing it from being improperly modified, either maliciously or accidentally. Many of the approaches aimed at providing confidentiality can also protect data integrity by preventing unauthorized access. Other techniques can also protect integrity. For example, checksums added to numeric data can be used to indicate modification. Backups can be used to restore the integrity of data if it has been compromised. Using version control tools can restore applications to their previous state. Integrity also includes the concept of non-repudiation: you must be able to prove that you’ve maintained the integrity of your data, especially for any legal requirements.

Availability. This means ensuring timely and reliable access to and use of information. This partners with confidentiality, as it is concerned with ensuring that the data can be accessed by those who are authorized to do so. This includes having effective processes for managing lost passwords, ensuring sufficient IT capacity and performance, and establishing disaster recovery processes.

Different types of data might require more focus on one principle over the others. For example, data about the medical condition of an individual is likely to require a focus on confidentiality, whereas a holiday booking website might put more focus on maintaining the availability of the holiday information.

These three principles are so fundamental to information security that we will now look at them in more detail.

What is Confidentiality?

Confidentially is “preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information.”

Maintaining confidentiality is critical to both individuals and organizations. No individual wants their private health or financial information to fall into the wrong hands. No organization wants their business plans to leak to their competitors. Governments don’t want other countries accessing their secret information. Significant amounts of money can be gained by selling data and information. All of these reasons are why confidentiality is such as important principle for maintaining the security of information.

The number of cyberattacks to access data is increasing exponentially every year. Why? There is plenty of money to be made from cybercrime. Cybercrime is lower risk, higher reward, and often much easier to accomplish than traditional criminal activities. The tools to do it are readily available via the dark web. The chances of being caught are low. There are weaknesses and plenty of opportunities ready to be exploited in the design of software applications, networks, hardware, social media, and how people view and use IT.

person using a computer

Human nature is to try and get the best return for the least effort. Taking the right information security actions to preserve confidentiality can use this trait to advantage. Implementing defenses and processes to protect data will make it harder to access and increase the chance of being caught. This can deter opportunist and amateur attacks and requires a broad range of different access controls, protection approaches, testing, monitoring, and training. For example, relying on a single firewall product will not be as effective s using several different ones.

What is Integrity?

When used in common speech, if someone has integrity, they live their life according to a code of ethics and can be trusted. Information security has a very similar meaning for integrity. Integrity is the protection of information, processes, or systems from intentional or accidental unauthorized modification. Through this, the information can be trusted.

Ensuring data integrity requires that information is changed only in specified and authorized ways. This ensures that the information remains as it is intended to be. For example, if you save a file with a briefing that you want to share with others, but someone else opens the file and changes the wording without your permission, the file has lost its integrity. The consequences of unauthorized changes can be significant.

System integrity relates to systems rather than data. This is a requirement that a system “performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system.” An example of deliberate unauthorized manipulation is a virus that corrupts the files required to “boot” a computer.

Data and system integrity can also be affected by errors and omissions. These can be caused by any user who enters or changes data, including mass data entry using keyboards and automated system interfaces. It can also include the creation and amendment of computer programs. Some data entry errors can cause instant system malfunctions. Others may lie hidden for a long time before the impact is seen.  Errors and omissions in computer software can create vulnerabilities to attack.

Integrity and confidentiality are related. For example, if someone shares their username and password with another person, that person could choose to make unauthorized data amendments after accessing a system with the credentials. Integrity and confidentiality often share the same vulnerabilities. Techniques to protect against loss of integrity include:

  • Access controls such as digital signatures.
  • Process controls such as testing of code.
  • Monitoring controls such as monitoring log files.
  • Behavioral controls such as segregation of duties.

 

What is Availability?

The other two elements of the CIA triad are useless if the data isn’t available.  Availability is just as critical to data security as the confidentiality and integrity of the data itself. Availability is the assurance that systems and data can be accessed by authorized users when needed.

woman login in to her computerThreats to availability include:

  • Human error.
  • Loss of systems due to natural disasters.
  • Loss of key staff.
  • Hardware failures.
  • Programming errors.
  • Distributed denial of service (DDoS) attacks.
  • Malicious code.

Just about every organization is vulnerable to these availability threats, and in all likelihood will have already experienced some of them. Business continuity planning and disaster recovery planning can address many of these threats. Other ways include access controls, system monitoring, environmental controls, and resilient systems.

5 major goals of Information Security

           

It is important to define what is the goal of information security within an organization. This will help to maintain a focus on what is truly important. The objective of information security for any organization should include the 5 major goals of information security. These fundamental objectives of information security help when drawing up the security plan and facilitate the periodic evaluation of an ISS. Here are the five information security goals/objectives:

  1. Prevention: The first objective is to prevent the occurrence of damage to the target resource or system.
  2. Detection: Early detection is the next important objective; this will help to achieve the other 4 objectives.
  3. Mitigation: This is necessary to ensure that the amount of loss due to each incident or attack is controlled.
  4. Recovery: Once the incident or attack has happened, then recovery will allow normal operations to be restored as soon as possible.
  5. Accountability: Accountability should be established for any loss or damage. A system of reward and punishment can be defined to promote adherence to the secu­rity measures.

Each objective of information security is dependent on the others. The achievement of one objective, directly or indirectly, helps to achieve the others. All of these objectives collec­tively help to achieve the primary objective of ensuring the security of information.

Information security policy

The best way to ensure that the principles and goals are met for any organization is to create and implement an information security policy. This is a document that each organization creates based on its own specific requirements and circumstances, including what data needs to be protected and in which ways. It contains individual policies that exist to guide the decisions and behaviors of the organization and its employees and contractors necessary to ensure the security of information.

An information security policy list should include:

  • A statement describing the purpose of the information security program and the overall objectives.
  • Definitions of key terms used in the policies to aid understanding.
  • An access control policy, determining who has access to what data and how they can establish their rights.
  • password policy setting out the rules for creating passwords.
  • data support and operations plan to ensure that data is always available to those who need it.
  • Employee roles and responsibilities related to the safeguarding of data, including who is ultimately responsible for information security.

Just about every organization today is reliant on external suppliers and services. This means that your information security policy needs to cover more than just the assets you own. It also needs to consider external assets that you rely on, including requirements that you place on others.

On the web there are several freely available information security policy examples. These can give you a head start in the design of your own policies. Here is an extract from a University IT Policy, which shows the level of detail that is required. It also demonstrates the use of a governance body called the Information Security and Policy Office, who are responsible for the policy definition and application, and the role of the Chief Information Security Officer (CISO):

Introduction

This policy provides guidance for the University’s Network Vulnerability Assessment & Incident Response Program.  The program is designed to detect system vulnerabilities before they are exploited and respond to successful system exploitations in a comprehensive manner.

Regular scanning of devices attached to the network to assess potential security vulnerabilities is a best practice for managing a dynamic computing environment. For critical enterprise systems or those dealing with sensitive data, additional testing methods to look deeper for more security vulnerabilities may be a requirement for compliance with laws, regulations, and/or policies.

Additionally, this policy provides guidance in determining the proper response to a network security incident from within or outside the University. It documents where to report problems and how the University will involve leadership and legal representatives. It also documents the individuals designated for these responsibilities, and procedural details, which depend on the severity and source of the attack.

In accordance with applicable law and UI policies, the University shall provide timely and appropriate notice to affected individuals when there is reasonable belief that a breach in the security of private information has occurred. A breach in security is defined as an unauthorized acquisition of information, typically maintained in an electronic format by the University.

Scope

All devices attached to the University network are subject to security vulnerability scanning and/or penetration testing.  Systems that are not properly managed can become a potential threat to the operational integrity of our systems and networks. Other systems dealing with sensitive data may be submitted for penetration testing at the request of the Data Trustee, or at the recommendation of the University Information Security and Policy Office (ISPO).

Penetration testing is a separate and distinctly different set of testing activities from vulnerability scanning. Its primary focus is the exploitation (not just observation or assessment) of security vulnerabilities and, therefore, may be disruptive of operations. Penetration testing is most beneficial when executed after an Assessment has been performed and the issues found by that Assessment have been remediated.

Attacks on University IT resources are infractions of the Acceptable Use Policy constituting misuse, or they may be vandalism or other criminal behavior. Attacks on University resources will not be tolerated, and this policy provides a method for pursuing the resolution and follow-up for incidents.

Reporting information security incidents occurring on University systems and/or on University networks to the appropriate authorities is a requirement of all persons affiliated with the University in any capacity, including staff, students, faculty, contractors, visitors, and alumni.  

Policy Statement

Network Vulnerability Assessment

Network scans are performed by ISPO authorized scanning systems only. 

Types of Network Security Scanning and Assessment

Multiple levels and types of network security scanning are utilized by the University and are managed as services offered by the Information Security and Policy Office:

  1. Routine Scan– Low-level scans for basic service-tracking and vulnerability identification purposes will be conducted on all networks in the University domain.  Routine scans are not typically advertised.
  2. Ad Hoc Scan – Before a new system is put into service; it is recommended that a network security scan be conducted for the purposes of identifying potential vulnerabilities.   In addition, specialized scans to target specific problems posing a threat to the University’s systems and networks or to correlate interrelated network-based vulnerabilities will be conducted on an ad hoc basis. Scans may be requested by system administrators at any time, as frequently as necessary to maintain confidence in the security protections being employed.  Any system identified in conjunction with a security incident, as well as any system undergoing an audit, may be subject to a network security scan without prior notification.
  3. Penetration Test – All penetration testing of University systems must be arranged by senior management/Data Trustee(s) and coordinated through the Information Security & Policy Office. Penetration testing is typically conducted over a period of several weeks, with regular feedback to the Data Trustee(s) if issues are identified.
    Due to the more intrusive nature of a penetration test, and to better manage risks associated with such tests, a signed non-disclosure agreement and confidentiality agreement is required prior to commencing the penetration test. Penetration testing may be performed by any qualified service provider approved by the ISPO.

Vulnerability Remediation

Vulnerabilities that are identified during ISPO network vulnerability assessments will be communicated to system owners.  The identification of “false positives” in scan reports is the responsibility of the system owner, and must be communicated to the ISPO.  University departments and units must work with ISPO toward vulnerability remediation, mitigation, or implementing compensating controls to reduce risks identified in vulnerability assessments.

Incident Response

Suspected or confirmed information security incidents must be reported promptly to the ISPO by sending a message to them or calling them. After normal business hours and on weekends, the ISPO can be contacted by calling the IT Help Desk.

The ISPO will investigate the report, and if a security breach may have occurred, will inform the Chief Information Officer (CIO), university and healthcare leadership, General Counsel, Critical Incident Management Team, and/or law enforcement, as appropriate.

In the event that a public notification of the security breach may be warranted, the CIO will consult with the appropriate University Vice President(s), Provost, and General Counsel to develop the response and make the final determination if a public notification of the event is warranted.  Individual departments are not authorized to perform public notification.

Incident Response Procedures

The entity responsible for support of the system or network that has been compromised or is under attack is in all cases expected to:

  1. Report the incident to their leadership and to the ISPO.
  2. Take action at the direction of the ISPO to contain the problem, and block or prevent escalation of the attack, if possible.  For systems critical to University operations, administrators may continue recovery efforts while awaiting ISPO response.
  3. Follow instructions communicated from the ISPO in order to facilitate investigation of the incident and preservation of evidence.
  4. Implement recommendations from the ISPO to remediate the system and repair resulting damage, if any.
  5. Restore service to its former level, if possible.

Internal Notifications

The Chief Information Security Officer (CISO) will report serious computer security breaches to the Chief Information Officer (CIO). The CIO will consult with appropriate officials, and decide if the Critical Incident Management Team must be convened to determine a response strategy, or if an alternate group is appropriate for the response. This determination may be made prior to completion of the investigation of the security breach. The ISPO will report the incident to the Department of Public Safety, university leadership and/or the General Counsel when, based on preliminary investigation, criminal activity has taken place and/or when the incident originated from a university computer or network.

Public Notification of Breach

To determine whether public notification is required, the CIO will consult with university leadership, including Office of the General Counsel (OGC), Office of Strategic Communication, HR and others as appropriate.  Departments may not perform public notification without CIO and OGC approval.

Individual Notification of Breach

To determine whether individual notification of a breach is necessary, the CIO, in consultation with appropriate university officials, will consider all relevant factors (such as legal or regulatory requirements, credible evidence the information was in a usable format, ability to reach the affected individuals, etc.)
If it is determined that a notification of breach to affected individuals is warranted, the following procedures will apply:

  1. The notification will be drafted by the affected department and submitted to the CIO and Office of Strategic Communication for review and approval. The cost consideration will be the decision of the CIO, Provost, General Counsel, and Vice President for Finance and Operations.
  2. Written notice will be provided to the affected individuals based on legal or regulatory requirements, which may include personal email or US Mail. 

All expenses associated with public or individual notification will be the responsibility of the department responsible for the system that experienced the security breach.

Incident Response Planning

The ISPO shall maintain an internal, standardized incident response framework that includes protection, detection, analysis, containment, recovery, and user response activities. 


The ISPO shall annually, at a minimum, test the incident response framework and associated capabilities in order to determine the framework’s effectiveness.  The results of this testing shall then be used to improve the incident response framework.

Related Policies, References, and Attachment(s)

This collection of University IT policies and procedures contain acceptable use, security, networking, administrative, and academic policies that have been developed to supplement and clarify University policy.

They are incorporated into the University’s Operations Manual, as per the Policy on Acceptable Use of Information Technology Resources

Information security certifications

 

Information security certifications can be beneficial both to individuals and to the organization. They can provide every security professional with the same common terminology and ensure that the staff have the necessary skill level. They also verify the individuals’ capability, which the organization can use to demonstrate that they have taken the need to protect information seriously. The best certifications in information security are regularly updated, recognizing emerging best practices in the field. By taking updated certifications, the staff can stay up-to-date on the latest developments.

Information security is becoming increasingly recognized as a distinct profession, with an increasing number of formal qualifications becoming available. Many universities now offer graduate degrees for infosec. These qualifications may be best suited for those already working in the discipline who want to expand their knowledge and prove that they have what it takes to climb the information security career ladder.

At the other end of the spectrum are free and low-cost online courses. Many of these have a narrow focus on a specific infosec product or technique. These can provide useful information but may not be recognized by potential employers., many of them fairly narrowly focused. The world of online education is something of a wild west; Tripwire breaks down eleven highly regarded providers offering information security courses that may be worth your time and effort.

The popular information security certifications include:

Gaining any of these can help to get a job in information security.  More unusual routes include participation in open-source security projects or even taking part in hacking groups, ideally ethical hackers who aim to highlight vulnerabilities but not exploit them. These help to demonstrate the practical skills that are essential to success in information security.

Summary

Information security has never been as important as it is today. Organizations who neglect it are highly likely to be adversely impacted as the threats continue to increase. Individuals who want a long-term career in a challenging and exciting part of IT should seriously consider information security.