Information security and cyber security are terms that get used interchangeably, but are they really the same thing? We explain the subtle differences between these two closely allied and yet different disciplines.
Cyber security is the name for the suite of behaviors, controls, and technologies that make up an organization’s response to the risk of a cyberattack. Cyber security protects data, hardware, users, and the organization itself from all types of cyberthreats.

Information security—infosec—is concerned with protecting information. That includes protecting it from unauthorized access or destruction, but it also includes preventing the unlawful use of the information and its unauthorized disclosure, disruption, or modification. Notably, the information need not be stored digitally: information security also covers physical records.

So cyber security is about protecting all of your IT and cyber-based assets and activities, whereas information security is solely concerned with information. Infosec safeguards the information and ensures that it is gathered, processed, and transmitted lawfully.

Some of your infosec objectives will be satisfied by virtue of your general cyber security efforts, but other infosec objectives are governance measures or physical controls that you must implement, maintain, and run to satisfy the organization’s needs as well as any applicable data protection legislation.

Also, information is not the same as data. Not all data is information. Data is raw values; only when the raw data is interpreted and infused with meaning does it become information. But we’re not going to go down this philosophical rabbit hole.
The information we’re discussing is private knowledge about topics such as your organization, products, staff, or business relationships, whether it is stored in a digital or physical medium.

Personally identifiable information (PII) in particular must be adequately protected, and information such as medical information or information relating to children should be treated as special category or sensitive information. Your local data protection legislation, such as the General Data Protection Regulation or the California Consumer Privacy Act, will list which categories of information are classed as special category data.

Your infosec activities should be designed to ensure the integrity, confidentiality, and availability of the information.

These three principles gave rise to the well-known three-letter acronym CIA. In addition to these, information security incorporates the principle of non-repudiation.

Within your IT governance framework of policies and procedures, you will have an overall IT Security Policy. Depending on the size of your organization, the needs of your organization, and the demands of local legislation, you may have appointed a Chief Information Security Officer (CISO) or a Data Protection Officer (DPO). These roles are not entirely equivalent. Briefly, a CISO is concerned with security and confidential data, and a DPO is focused on privacy and personal data.

A CISO and a DPO also differ in authority. A DPO can request—straight to the highest level of management—that, for example, penetration testing take place or that another security measure be implemented. A CISO can generally make it happen.

The Objectives of Information Security
Information Security Governance