Information security

From Canonica AI

Overview

Information security, also known as infosec, is the practice of protecting information by mitigating information risks. It includes the procedures and measures used to protect electronic data from being accessed, used, disclosed, disrupted, modified, inspected, recorded or destroyed in an unauthorized or unintended manner. This kind of security is essential for protecting data that is sensitive or valuable.

A close-up shot of a lock on a computer keyboard, symbolizing data protection and information security.

History

The history of information security begins with computer security. The need for computer security became evident with the advent of the first mainframe computers. In the early days of computing, security was not a primary concern. However, as computers became interconnected and files could be shared among users, the need for security increased.

Principles

Information security follows three main principles: Confidentiality, Integrity, and Availability (CIA). Confidentiality is the effort to keep information secret, only allowing access to people who are authorized to see it. Integrity involves maintaining the consistency, accuracy, and trustworthiness of data over its entire lifecycle. Availability ensures that information is both accessible and usable upon demand by an authorized party.

Threats

Information security threats come in many different forms. Some of the most common threats today are software attacks, theft of intellectual property, identity theft, theft of equipment or information, sabotage, and information extortion. Most people have experienced software attacks of some sort. Viruses, worms, phishing attacks, and Trojan horses are a few common examples of software attacks.

Policies and Procedures

The first step in information security is the creation of an information security policy. The policy sets the standard for what is considered acceptable behavior by users, system administrators, management, and security personnel. Procedures are the specific lists of actions to take to protect information assets and to react to security incidents.

Risk Management

Risk management is the process of identifying, assessing, and controlling threats to an organization's digital assets. These threats could stem from a wide variety of sources, including financial uncertainty, legal liabilities, strategic management errors, accidents, and natural disasters. IT security risk management is considered important in corporate governance due to the proliferation of IT systems and applications in organizations.

Physical Security

Physical security is a vital aspect of information security. It involves ensuring the physical safety of electronic and physical data from all threats. This can include everything from locks and security systems to the use of biometrics and can be as complex as a multi-layered system or as simple as a locked door.

Access Control

Access control is a method of guaranteeing that users are who they say they are (authentication) and that they have only the appropriate access to company data (authorization). It is a vital aspect of security compliance. It can be enforced physically (for example, with locks and mantraps) or with software on a network (for example, with passwords and digital certificates).

Cryptography

Cryptography is a method of protecting information by transforming it into an unreadable format, a process referred to as encryption. The information can then only be read or processed after it has been changed back into a readable format, a process referred to as decryption.
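As an added example that is not part of the original article, the following Go program (standard library only, AES-GCM) shows the Cryptography and Principles sections working together: Encrypt makes a record unreadable (confidentiality), and Decrypt changes it back but refuses to return anything if even one byte was altered (integrity). The Box type, the fixed demo key and the sample record are constructed for this illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Box wraps AES-GCM: it makes data unreadable and detects modification on the way back.
type Box struct{ aead cipher.AEAD }
// NewBox accepts a 16-, 24- or 32-byte key.
func NewBox(key []byte) (*Box, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Box{aead: aead}, nil
}

// Encrypt returns nonce||ciphertext||tag, drawing a fresh random nonce per message.
func (b *Box) Encrypt(plaintext []byte) ([]byte, error) {
	nonce := make([]byte, b.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return b.aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt changes the blob back into readable form; it returns an error rather than garbage if the key is wrong or any byte was modified.
func (b *Box) Decrypt(blob []byte) ([]byte, error) {
	n := b.aead.NonceSize()
	if len(blob) < n {
		return nil, fmt.Errorf("blob too short: %d bytes", len(blob))
	}
	return b.aead.Open(nil, blob[:n], blob[n:], nil)
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte demo key, not for real use
	box, _ := NewBox(key)
	blob, _ := box.Encrypt([]byte("payroll export 2024-Q1")) // constructed sample record
	pt, err := box.Decrypt(blob)
	blob[len(blob)-1] ^= 0x01 // flip one bit of the tag: the next Decrypt must refuse it
	_, tamperErr := box.Decrypt(blob)
	fmt.Printf("decrypted: %q (err=%v); tampered blob rejected: %v\n", pt, err, tamperErr != nil)
}
```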

Network Security

Network security is the practice of securing a computer network from intruders, whether targeted attackers or opportunistic malware. It involves the authorization of access to data in a network, controlled by the network administrator.

Security Training

Security training is a vital method to ensure that personnel understand the importance of information security and the specific ways that they can contribute to the overall security of the organization. This can include everything from regular updates on security measures to training on specific software or hardware security features.
