The 3 Lenses
What is Information Security?
The International Organization for Standardization (ISO) gives “…world-class specifications for products, services and systems, to ensure quality, safety and efficiency.” The International Electrotechnical Commission (IEC) is the “…leading organization producing International Standards for electrical, electronic and related technologies.” Together these two International Standards leaders published a set of standards, ISO/IEC 27001:2013, that “…specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization.”
Think of information as data. It’s all the bits and pieces gathered about something or someone. This data isn’t limited to credit card information. It can be the details of a client project, or the information that is stored when someone creates a user profile. Security simply means being safe and protected from threat. Information security, in essence, is the protection of something or someone’s data.
In this article we’re going to look at what Information Security (Info Sec) means and the fundamental security characteristics of information.
Classifications of Information
While it may vary depending on the organization, information can be classified according to the following standard:
Public. This is openly available to the public and does not require special handling.
Internal. This is data shared within your organization, and should not be disclosed outside the organization. It will likely have some level of access control applied to it.
Confidential. This can constitute general information about a client and will have access control in place so that only a specific audience has access.
Special Confidential. The information in this class is not only confidential, but has an even higher degree of sensitivity around who may access it and how.
There are three fundamental principles underpinning information security, or three lenses to look at information security through. Together they are known as the CIA Triad of information security: confidentiality, integrity and availability.
The CIA Triad is a well-known model for security policy development, used to identify problem areas and solutions for information security.
Confidentiality is really about privacy. The purpose of this principle is to keep information hidden, and make it accessible only to people who are authorized to access it. For example, your medical history is something you want kept private, and only a few people, such as your doctor, should have access to it. Typically some method of encryption together with strict access control is used to help ensure information is kept confidential.
Even with encryption though, confidentiality can be easily breached. For example, a doctor calls you by your full name in the reception area of a medical clinic. Your full name is considered confidential, so this can be a breach of confidentiality. Each employee in an organization must be aware of their responsibilities in maintaining the confidentiality of the information they have access to.
Integrity refers to the accuracy and the reliability of data or information in your system. One of the things that hackers attempt to do is make unauthorized modifications or changes to data stored in a system. For example, an attack happens on an e-commerce website and the hacker modifies the shipping postal code on an order. The integrity of those order records has been compromised.
Corrupting data integrity isn’t limited to malicious attacks. More often it happens by accident. Users of an information system can simply make a mistake. For example, a database administrator is making a bulk update to an employee registry, but mistakenly updates the wrong registry. The accuracy and reliability of the information have been corrupted, and therefore the integrity has been compromised.
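The confidentiality and integrity lenses above can both be made concrete in a few lines of code. The following is an added example written for this article, not code from the original text or from any standard: it assumes a hypothetical clearance ladder built from the four classifications listed earlier (the level names and their ordering are this example's own), uses a classification check for confidentiality, and uses a keyed HMAC-SHA256 tag for integrity so that any change to a sealed record, whether a deliberate edit to a shipping postal code or an accidental bulk update, is detected. The order record and key are constructed sample data.

```python
import hashlib
import hmac
import json

# Hypothetical clearance ladder built from the article's four classes,
# ordered least to most sensitive. The names are this example's own.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "special_confidential": 3}


def authorized(clearance: str, record_class: str) -> bool:
    """Confidentiality lens: a reader may see a record only if cleared to at least its class."""
    return LEVELS[clearance] >= LEVELS[record_class]


def canonical(record: dict) -> bytes:
    """Serialize deterministically so identical content always yields an identical tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal(record: dict, key: bytes) -> str:
    """Integrity lens: HMAC-SHA256 over the record. Because the tag is keyed,
    someone who can alter the data cannot simply recompute a matching tag."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify(record: dict, tag: str, key: bytes) -> bool:
    """True only if the record is exactly what was sealed; constant-time comparison."""
    return hmac.compare_digest(seal(record, key), tag)


def demo() -> dict:
    """Walk through the article's scenarios with constructed sample data."""
    key = b"constructed-demo-key-not-for-production"  # constructed, for illustration only
    # Constructed e-commerce order record; client details, so classed 'confidential'.
    order = {"order_id": 1001, "customer": "A. Example",
             "postal_code": "90210", "class": "confidential"}
    tag = seal(order, key)

    # A changed shipping postal code, whether from an attacker or a mistaken
    # bulk update, yields a record that the stored tag no longer matches.
    tampered = dict(order, postal_code="10001")

    return {
        # someone cleared only for 'internal' data must not read a confidential record
        "internal_staff_can_read": authorized("internal", order["class"]),
        "account_manager_can_read": authorized("confidential", order["class"]),
        "original_verifies": verify(order, tag, key),
        "tampered_verifies": verify(tampered, tag, key),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Note that the integrity check does not say who changed the record or why; it only proves that the stored data differs from what was sealed, which is exactly the property the integrity lens is about. Availability is not covered by this snippet, since it is a property of the running service rather than of individual records.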
Availability is the accessibility of information. This means that people with authorization have access to information when they need it. The most common availability problem is an interruption in an authorized user’s access to information. One cause of interruption that most people are familiar with is when a hacker “takes down” a website with a DDoS attack.
As with confidentiality and integrity, interruptions in availability can happen without any intention of doing harm. For example, a cloud-based service like Amazon Web Services (AWS) can experience technical outages that impact the availability of information systems using the platform. Other concerns include power outages and natural disasters.
Info Sec is a combination of technologies and human activity. It provides the strategies for managing the processes, tools and policies necessary to prevent, detect, document and counter threats to digital and non-digital information. The CIA Triad provides the lenses through which to assess threats and risks to the security of data. The model was designed to guide policies for information security within an organization.
Information security is an expansive topic, but ensuring the confidentiality, integrity and availability of the information you handle is a vital first step in planning any security system.