Article 2: Information Security Basics

This is the second installment in the three-part series “Security – Back to the Basics”. The purpose of the series is to take you from a state of confusion about information security (article #1 “You’re Not Alone, We’re All Confused”) to an understanding of information security basics (article #2 “Information Security Basics”). The third article (“Basic Security Starts Here”) will wrap the series up with some practical advice about what to do next.

Revisiting the Confusion

In our last installment, we covered some of the confusion we face when discussing and managing information security. Before moving on to understanding the basics (the purpose for this installment), I thought I would share one more real-world story to drive home the point about the sad state of affairs in our industry.

In August of this year, Boulder County (CO) issued a Request for Proposal (RFP) titled “Information Technology Security Study”. The RFP requested two primary services: (1) External/Internet Penetration Testing and (2) Internal Penetration Testing. Seems simple enough. The full text of the RFP is available here.

A total of fourteen (14) organizations responded to the RFP, ranging from information security companies to CPA firms that also do security work. This is where it gets interesting. The prices quoted for the services requested in the RFP ranged from $29,925 to $375,000! The average price quoted by the fourteen respondents was $98,698.

Company Name        Total Cost
Organization 1      $29,925
Organization 2      $46,910
Organization 3      $84,609
Organization 4      $35,520
Organization 5      $48,000
Organization 6      $83,300
Organization 7      $41,160
Organization 8      $123,250
Organization 9      $375,000
Organization 10     $97,548
Organization 11     $149,793
Organization 12     $83,600
Organization 13     $103,040
Organization 14     $80,115

What explains the extraordinary difference in price? Confusion. Confusion amongst the responding organizations and certainly confusion for the customer. Which proposal do you think won the contract? If you guessed the low-cost proposal, you guessed right.

If you don’t agree that the information security industry is plagued with confusion, or if you have something to add, FRSecure would love to hear from you! FRSecure is dedicated to fixing our broken industry.

Which brings us to information security basics, the original purpose of this article.

Information Security Basics

We could easily write an entire book covering all information security basics, but we’ll start with just a few: the definition of information security, the definition and importance of risk, and the importance of measurement.

Definition of Information Security

When discussing or covering information security basics, we think it’s best to start with a simple definition of information security. The definition of information security is at the core of everything we do. Here’s ours:

Information security is the application of administrative, technical, and physical controls to protect the confidentiality, integrity, and availability of information. (emphasis added)

In essence, three types of controls:

  • Administrative Controls – We often refer to these as “people controls”. These are things such as policies, standards, procedures, training, awareness campaigns, etc. A majority of all breaches start with a vulnerability (or lack of control) here.
  • Technical Controls – This is what most people think of when they think of information security. This is also where most organizations spend the bulk of their time and money. Technical controls are things such as firewalls, intrusion prevention, anti-virus, file permissions, etc. The interesting thing about technical controls is that their use should be governed by (or driven by) administrative controls.
  • Physical Controls – We have a common saying around here at FRSecure: “It doesn’t matter how effective your anti-virus software is if an attacker steals your server.” Physical controls are things like door locks, camera surveillance, alarm systems, etc.

To protect three facets of information:

  • Confidentiality – Most people think security is all about keeping information secret. Although this is important, it certainly isn’t (or shouldn’t be) the only focus for your information security efforts. Protecting confidentiality is ensuring that only people who are authorized to have access to information actually have access to information. The “need to know” concept is often applied here.
  • Integrity – In addition to maintaining confidentiality, we also need to make sure that information is accurate and protected from unauthorized modification.  Imagine the damage that would be caused if we allowed people to make unauthorized changes to their bank account balances.
  • Availability – What good is the information if nobody can ever use it?  It’s also important to note that information needs to be available as seamlessly as possible in order for the business to operate as efficiently as possible; there’s a strong correlation here.

The three types of control must work together cohesively to protect each facet of information efficiently. This is how well-run information security programs must operate.

A solid working definition of information security is critical to protecting information assets.

Definition and Importance of Risk

Let’s simplify. Risk is the likelihood of something bad happening and the impact if it did. Likelihood and impact, that’s it. Information security efforts and decisions should be based on risk; however, most information security programs are built on compliance. Compliance is not risk, compliance is doing what you’ve been told to do. Not even close to the same definition.

A risk-based decision-making process helps management determine where they should make their next most impactful and wise investment.

Importance of Measurement

How can you effectively manage something if you are not able to measure it? According to Wikipedia (experts, I know), the definition of measurement is “the assignment of a number to a characteristic of an object or event, which can be compared with other objects or events.” Let’s apply this to information security in a very basic sense.

  1. Choose Characteristics – Hypothetically, we may choose to define ten (10) characteristics for an acceptable use policy based on what we agree are best practices for an organization.
  2. Assign Metrics – Maybe we’ll choose to assign metrics for the characteristics based on importance. Each characteristic will receive an importance metric of 1 – 3 (Low, Medium, and High).  We could choose to base our metric on a multitude of things from hard objective data-driven metrics to subjective semi-arbitrary metrics.  It all depends on what you want to measure.
  3. Measure – Now apply the characteristics and metrics to the control (e.g. acceptable use policy) and derive a measurement.

Over time, many things are expected to change. Now you have a method to measure that change. Re-assess (or measure) the control after a specific period of time (e.g. one year) and determine whether the control is more or less effective than it was previously. Do this over hundreds (or thousands) of controls and you begin to develop a systematic information security program that can be managed over time.

Obviously this is a simple illustration, but it communicates the basics. We all need to know (or be reminded of) the basics regularly.
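The three-step measurement method above (choose characteristics, assign an importance metric of 1–3, measure, then re-assess after a period) can be carried through in a few lines of code. The following is an added worked example, not FRSecure’s own tooling or scoring scale: the ten acceptable use policy characteristics, their importance weights, and the two years of assessment results are all constructed for illustration. It scores a control as the importance-weighted share of characteristics found to be met, and when comparing two assessments it also lists characteristics that regressed, since a rising overall score can hide a High-importance item that quietly lapsed.

```python
from dataclasses import dataclass
from typing import Collection, List, Tuple

# Importance metric from the article: 1 = Low, 2 = Medium, 3 = High.
LOW, MEDIUM, HIGH = 1, 2, 3


@dataclass(frozen=True)
class Characteristic:
    """One agreed-upon characteristic of a control and its importance metric."""
    name: str
    importance: int

    def __post_init__(self) -> None:
        if self.importance not in (LOW, MEDIUM, HIGH):
            raise ValueError(f"importance must be 1-3, got {self.importance}")


# Constructed example: ten characteristics for an acceptable use policy (AUP).
# Both the characteristics and their weights are illustrative assumptions.
AUP_CHARACTERISTICS: List[Characteristic] = [
    Characteristic("Approved by executive management", HIGH),
    Characteristic("Reviewed within the past 12 months", MEDIUM),
    Characteristic("Defines acceptable and prohibited use", HIGH),
    Characteristic("Covers personal devices and remote access", MEDIUM),
    Characteristic("Requires annual acknowledgement by staff", HIGH),
    Characteristic("States consequences of violation", MEDIUM),
    Characteristic("Covered in new-hire awareness training", MEDIUM),
    Characteristic("Published where all staff can find it", LOW),
    Characteristic("Names an owner responsible for maintenance", LOW),
    Characteristic("Exceptions require documented approval", MEDIUM),
]

# Constructed assessment results: the set of characteristic names the assessor
# found to be met at each measurement. Anything not listed is not met.
YEAR_1 = {
    "Approved by executive management",
    "Defines acceptable and prohibited use",
    "Requires annual acknowledgement by staff",
    "Published where all staff can find it",
}
YEAR_2 = {
    "Approved by executive management",
    "Reviewed within the past 12 months",
    "Defines acceptable and prohibited use",
    "Covers personal devices and remote access",
    "States consequences of violation",
    "Published where all staff can find it",
    "Names an owner responsible for maintenance",
}


def score_control(characteristics: List[Characteristic],
                  met: Collection[str]) -> float:
    """Importance-weighted share of characteristics met, from 0.0 to 1.0.

    This is step 3: apply the characteristics and metrics to the control and
    derive a single measurement. A characteristic absent from `met` counts as
    not met, so an incomplete assessment scores lower rather than inflating.
    """
    total = sum(c.importance for c in characteristics)
    if total == 0:
        raise ValueError("no characteristics to measure")
    achieved = sum(c.importance for c in characteristics if c.name in met)
    return achieved / total


def compare_assessments(characteristics: List[Characteristic],
                        earlier: Collection[str],
                        later: Collection[str]) -> Tuple[float, float, float, List[str]]:
    """Re-assess after a period and report the change.

    Returns (earlier_score, later_score, delta, regressed). `regressed` lists
    characteristics that were met earlier but are no longer met, so a lapse is
    surfaced even when the overall score improved.
    """
    before = score_control(characteristics, earlier)
    after = score_control(characteristics, later)
    regressed = [c.name for c in characteristics
                 if c.name in earlier and c.name not in later]
    return before, after, after - before, regressed


if __name__ == "__main__":
    before, after, delta, regressed = compare_assessments(AUP_CHARACTERISTICS, YEAR_1, YEAR_2)
    print(f"Year 1 AUP score: {before:.2f}")
    print(f"Year 2 AUP score: {after:.2f} (change {delta:+.2f})")
    for name in regressed:
        print(f"  regressed: {name}")
```

With the constructed data the policy scores 10/21 in year one and 14/21 in year two, an improvement, yet the annual acknowledgement requirement (a High-importance characteristic) lapsed in between; that is exactly the kind of change a single aggregate number would hide, and why the comparison reports regressions separately.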

About FRSecure

FRSecure is an expert-level information security management and consulting company based in Minnesota.  We specialize in developing and implementing methodologies to fix our broken industry.  FRSecure’s flagship offering is our information security risk assessment.
