Information security and cyber security are terms that get used interchangeably, but are they really the same thing? We explain the subtle differences between these two closely allied and yet different disciplines.
Same But Different?
Cyber security is the name for the suite of behaviors, controls, and technologies that make up an organization’s response to the risk of a cyberattack. Cyber security protects data, hardware, users, and the organization itself from all types of cyberthreats.
Information security—infosec—is concerned with protecting information. That means protecting it from unauthorized access or destruction, but also from unlawful use and from unauthorized disclosure, disruption, or modification. And notably, the information need not be stored digitally: information security also covers physical records.
So cyber security is about protecting all of your IT and cyber-based assets and activities, whereas information security is solely concerned with information. Infosec safeguards the information and ensures that it is gathered, processed, and transmitted lawfully.
Some of your infosec objectives will be satisfied by virtue of your general cyber security efforts, but other infosec objectives are governance measures or physical controls that you must implement, maintain, and run to satisfy the organization’s needs as well as any applicable data protection legislation.
Also, information is not the same as data. Not all data is information. Data is raw values. Only when the raw data is interpreted and infused with meaning does it become information. But we’re not going to go down this philosophical rabbit hole. The information we’re discussing is private knowledge about topics such as your organization, products, staff, or business relationships whether it is stored in a digital or physical medium.
The Objectives of Information Security
Personally identifiable information (PII) in particular must be adequately protected, and information such as medical information or information relating to children should be considered special category or sensitive information. Your local data protection legislation such as the General Data Protection Regulation or the California Consumer Privacy Act will list which categories of information are classed as special category data.
Your infosec activities should be designed to ensure the integrity, confidentiality, and availability of the information.
- Confidentiality: Controlling who has access to the information and how they may share or otherwise disclose the information will preserve the confidentiality of PII and other sensitive business information.
- Integrity: You must safeguard and protect the information so that unauthorized modification or destruction of the information is not possible. This preserves the quality and authenticity of the information.
- Availability: The information must be available to those who have authorization to access and use it. Unavailability can be a noncompliance under certain data protection legislation, such as GDPR.
These three principles gave rise to the well-known three-letter acronym CIA. In addition to these, information security incorporates the principle of non-repudiation.
- Non-Repudiation: Repudiation is when someone denies receiving some information that was transmitted to them, or the sender denies sending the information, or there is a suspicion that the information was altered in transit. Cryptography can help here, if digital signatures and private keys are used. Because the signature is bound to the original content, the data cannot be altered in transit without the change being detected. The digital signature proves who sent the information. Message tracking and delivery verification can prove that the information was delivered.
- Authenticity: This requires that users are robustly identified and that it can be verified that the information received has genuinely come from a trusted sender. The digital signature is usually produced by hashing the message content and encrypting that hash with the sender’s private key. The recipient decrypts the signature with the sender’s public key to recover the hash, then hashes the received message once more. If the two hashes match, the transmission can be considered authentic.
- Accountability: Accountability means having the ability to audit the actions of individuals and to trace the individual who performed an action. It also requires a change request procedure for changes that the average user cannot make themselves and that are carried out on their behalf by an authorized team or department.
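As an added example, not code from the original article, the following Go program walks through the hash-then-sign flow described in the non-repudiation and authenticity items above, using the standard library’s ECDSA implementation (crypto/ecdsa on the P-256 curve) and SHA-256. With ECDSA the recipient does not literally “decrypt” the signature; the verify step is a mathematical check of the signature against the recomputed hash and the sender’s public key, but the outcome is the same as the article describes. The function names GenerateKeyPair, Sign, and Verify, the sample purchase-order message, and the key pairs generated on the fly are all this example’s own assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// GenerateKeyPair creates a fresh P-256 key pair. The private key stays with
// the sender; the public key is what recipients use to verify signatures.
func GenerateKeyPair() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Sign hashes the message content with SHA-256 and signs that digest with the
// sender's private key, producing the digital signature that travels with the
// message.
func Sign(priv *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// Verify is the recipient's side: it hashes the received message once more and
// checks the signature against that hash with the sender's public key. Any
// change to the message, or a signature made with a different key, fails.
func Verify(pub *ecdsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	// Constructed sample message (hypothetical); key pairs are generated here.
	sender, err := GenerateKeyPair()
	if err != nil {
		panic(err)
	}
	msg := []byte("Purchase order 1234: 500 units, net 30 days")

	sig, err := Sign(sender, msg)
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine message verifies:", Verify(&sender.PublicKey, msg, sig))

	// Integrity: a single changed digit in transit is detected.
	tampered := []byte("Purchase order 1234: 900 units, net 30 days")
	fmt.Println("tampered message verifies:", Verify(&sender.PublicKey, tampered, sig))

	// Authenticity and non-repudiation: a signature only verifies under the
	// public key that matches the private key that produced it.
	impostor, err := GenerateKeyPair()
	if err != nil {
		panic(err)
	}
	forged, err := Sign(impostor, msg)
	if err != nil {
		panic(err)
	}
	fmt.Println("impostor's signature verifies under sender's key:", Verify(&sender.PublicKey, msg, forged))
}
```

The three printed checks map onto the three properties the article lists: the first shows availability of a valid verification path, the second shows that integrity violations are detected, and the third shows that the signer cannot be impersonated, which is what lets the recipient hold the sender to the message.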
Information Security Governance
Within your IT governance framework of policies and procedures, you will have an overall IT Security Policy. Depending on the size of your organization, the needs of your organization, and the demands of local legislation you may have appointed a Chief Information Security Officer (CISO) or a Data Protection Officer (DPO). These roles are not entirely equivalent. Briefly, a CISO is concerned with security and confidential data, and a DPO is focused on privacy and personal data.
The difference shows in their authority. A DPO can request—straight to the highest level of management—that, for example, penetration testing takes place or that another security measure be implemented. A CISO can generally make it happen.
If you don’t have a CISO then someone else must take responsibility for infosec. This isn’t something that can be tossed at IT just because it looks like a networking and security thing. Infosec isn’t IT, although IT is involved—just as infosec isn’t cyber security but cyber security is involved. When you allocate these roles beware of conflicts of interest. In fact, Article 38, Clause 6 of the GDPR forbids a DPO from having other tasks and duties that may result in a conflict of interests. So they can’t be your head of IT.
Whoever holds the post of CISO or DPO must have input to your governance framework to ensure that the particular needs of infosec are met, as well as satisfying relevant data protection legislation. Your governance has to have provisions to ensure the integrity, confidentiality, and availability of your information, and that you are street legal. That means the information must be collected, stored, processed, transmitted, and deleted in accordance with data protection legislation or any other standards that you have adopted, and that any rights the data subjects have regarding their data are upheld by your organization.
Your general security governance should call for the following measures:
- Technical: Technical measures include all hardware and software that protects data. Firewalls, encryption, intrusion detection systems, and endpoint protection suites are technical measures.
- Organizational: Organizational measures include the infosec governance framework, and the measures and resources, including human, that are deployed to uphold the requirements laid out in the policies and procedures.
- Human: This includes staff awareness training, education, and recruitment for suitably skilled candidates for key infosec positions.
- Physical: These measures include controlled and restricted access to digital information stores and asset clusters such as server rooms and data centers, and also to areas where physical records are stored.
In addition to the infosec-related entries in the general IT governance documentation you need to have a dedicated Information Security Policy. This should include such sections as:
- Purpose, Scope, and Objectives: A section describing the purpose of the infosec program, its scope within the organization—is it company-wide or site specific—and its overall objectives.
- Access Control: A description of the access controls that are in place, and what an employee must do to apply for access.
- Operations Plan: An operations plan is the set of active provisions that are designed to ensure that your information is always available to those who need it.
- Responsibilities: A list of the organization’s staff roles and positions that are involved in the safeguarding, including who is ultimately responsible for infosec. Nominated individuals
- Glossary: A glossary of key terms used in the document. Whoever reads it must understand it. Impenetrable policy documents are not impressive; they are an impediment to their own efficacy.
It’s About Handling Risk
Like cyber security, information security is about risk. It means understanding the risks, using technology and other measures to mitigate them, and governing the use of information through policies and procedures to ensure that it is used safely and lawfully.