Information security refers to the security practices intended to safeguard critical information from unauthorized access, use, disclosure, disruption, modification, inspection, recording and destruction.
At a basic level, it is concerned with keeping the information stored in computer systems safe from harmful cyber attacks by strengthening the protective technologies around them. This deters attempts to breach computer security and enter the internal systems undetected.
Information security enforces checks and controls to ensure that critical data survives attempts to damage it, whether the assault is launched intentionally or inadvertently. The security principles include preserving the integrity of information so that it remains available round the clock. This calls for systematic authentication of users before they enter classified sections, which maintains confidentiality and supports non-repudiation. A detailed explanation of the key concepts of information security is given below:
Data Integrity – Integrity ensures that the information system remains unharmed by deterring attempts to tamper with it. This can be supported by installing antivirus programs that remove malicious scripts, and by implementing security policies that guide users to operate systems properly and thwart any unauthorized entry of malicious code.
Data Availability – Availability ensures that information is reliably accessible to genuine users by providing protection against unauthorized users, malicious scripts and the other threats that could cut off access to information centers.
Authentication – Authentication verifies that users are entitled to use the system. Passwords, user names, biometrics, devices and tokens are used to check users' credentials. It is also used to identify devices and data messages.
Confidentiality – Confidentiality ensures that only legitimate users are given access to sensitive information. It is prominently employed in the military, where highly classified data is visible only to users with the required clearance levels.
Non-Repudiation – Non-repudiation aims to preserve evidence of every action performed on the information system, so that a user's action can be proven even if he or she later denies it.
Information security stresses developing and implementing enterprise-wide security techniques that prevent any unauthorized disclosure of information, whether deliberate or inadvertent. Prominent among the tools used by information security experts is password protection, in which a user's identity is verified by checking the presented credentials against the information stored on a central server. Access to highly classified information is denied to a user whose privileges do not match the rights set for accessing that information.
Cryptography services safeguard information while it is stored on digital media or in transit by transforming it into an undecipherable form using mathematical algorithms. A public or private key is assigned to the user, who can safely decode the information at will. Breaking the key is no easy task and may consume significant computing resources and considerable time; the length and strength of the encryption key determine how easily a malicious party can defeat it.
There are numerous other security controls that can be implemented to heighten the security of information.
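As an added illustration of the password check and privilege comparison described above (example code, not from the original page): a small Python model with a constructed credential store standing in for the central server, clearance levels as in the confidentiality paragraph, and an audit record supporting non-repudiation. The salted PBKDF2 hashing of stored passwords and the user and document names are assumptions.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

# Constructed credential store standing in for the page's "central server".
# Passwords are kept as salted PBKDF2-SHA256 hashes (an assumption; the page
# only says the user's information is checked against the server).
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = {"alice": os.urandom(16), "bob": os.urandom(16)}
USERS = {
    "alice": {"hash": _hash("correct horse", _SALT["alice"]), "clearance": 3},
    "bob": {"hash": _hash("hunter2", _SALT["bob"]), "clearance": 1},
}
# Classification level required to read each document (constructed sample).
DOCUMENTS = {"public-notice": 0, "ops-plan": 2, "codeword-report": 3}
AUDIT_LOG = []  # evidence of every decision, the basis for non-repudiation


def authenticate(username: str, password: str) -> bool:
    """Verify the presented credential against the stored record."""
    record = USERS.get(username)
    if record is None:
        return False
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(_hash(password, _SALT[username]), record["hash"])


def authorize(username: str, document: str) -> bool:
    """Allow access only when the user's clearance meets the document level."""
    return USERS[username]["clearance"] >= DOCUMENTS[document]


def read_document(username: str, password: str, document: str) -> str:
    """Authenticate, then authorize, and record the outcome either way."""
    if not authenticate(username, password):
        outcome = "denied: authentication failed"
    elif not authorize(username, document):
        outcome = "denied: insufficient clearance"
    else:
        outcome = "granted"
    AUDIT_LOG.append({"when": datetime.now(timezone.utc).isoformat(),
                      "user": username, "document": document, "outcome": outcome})
    return outcome
```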
The risk assessment carried out for proper information security management involves vetting the following:
- Security policy in place to safeguard the network and computers
- Information security structure and corresponding organization
- Information infrastructure or asset management
- Security of human resources
- Security for physical and environmental aspects of information
- Management of communications and operation aspects
- Authentication or access control mechanism
- Acquisition, development and maintenance of information systems
- Incident management pertaining to information security
- Business continuity management
- Compliance with rules and regulations
The risk management process encompasses:
- Identification of information assets and estimation of their worth. The inventory includes people, buildings, software, hardware, supplies and electronic or other data.
- Real-time threat mapping covering acts of nature, war, accidents and malicious conduct, whether the point of origin is internal or external to the organization.
- Vulnerability assessment. For each vulnerability spotted in the information system, the probability of exploitation has to be calculated. Policies, processes, standards, user training, quality control, physical security and technical security are all evaluated.
- Calculation of the impact each threat could have on the system, using quantitative or qualitative analysis.
- Identification, selection and implementation of appropriate strategic controls that provide a proportional response to any security breach, taking into consideration productivity, cost-efficiency and infrastructure value.
- Evaluation of the efficacy of the control measures, to ensure that cost-efficient protection is provided to information systems without compromising productivity.
Information security is essentially concerned with mitigating the risk to information assets by adopting strategic security controls. Threats are addressed by assessing the system's vulnerabilities and closing the loopholes.
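A worked instance of the quantitative branch of this process, added here as an illustration and not part of the original text: constructed assets, threats and candidate controls are scored with an expected annual loss model (asset value × exposure × yearly rate × exploitation probability, an assumed formula that the page does not specify), and a control is kept only when the loss it avoids exceeds its cost.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    value: float          # business/replacement value in currency units

@dataclass
class Threat:
    name: str
    asset: str
    exposure: float       # fraction of the asset's value lost per occurrence
    annual_rate: float    # expected occurrences per year
    p_exploit: float      # probability the relevant vulnerability is exploited

@dataclass
class Control:
    name: str
    threat: str
    annual_cost: float
    reduction: float      # fraction of the threat's expected loss it removes

# Constructed sample inventory, threat map and candidate controls.
ASSETS = {a.name: a for a in [Asset("customer-db", 2_000_000), Asset("web-portal", 500_000)]}
THREATS = [
    Threat("ransomware", "customer-db", exposure=0.6, annual_rate=0.5, p_exploit=0.4),
    Threat("dos", "web-portal", exposure=0.1, annual_rate=4.0, p_exploit=0.9),
    Threat("flood", "customer-db", exposure=1.0, annual_rate=0.01, p_exploit=1.0),
]
CONTROLS = [
    Control("offline-backups", "ransomware", annual_cost=30_000, reduction=0.7),
    Control("ddos-scrubbing", "dos", annual_cost=50_000, reduction=0.5),
    Control("flood-barrier", "flood", annual_cost=25_000, reduction=0.9),
]

def annual_loss(t: Threat) -> float:
    """Expected yearly loss: asset value x exposure x occurrences x exploit probability."""
    return ASSETS[t.asset].value * t.exposure * t.annual_rate * t.p_exploit

def control_benefit(c: Control) -> float:
    """Loss avoided per year minus the control's cost; positive means cost-effective."""
    t = next(t for t in THREATS if t.name == c.threat)
    return annual_loss(t) * c.reduction - c.annual_cost

def select_controls(candidates):
    """Keep only controls that save more than they cost, most valuable first."""
    chosen = [c for c in candidates if control_benefit(c) > 0]
    return sorted(chosen, key=control_benefit, reverse=True)
```

With the sample figures the flood barrier is rejected: it would avoid 18,000 a year of expected loss but costs 25,000.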