Information security can be confusing to some people. Okay, maybe most people. What is infosec, and why is information security confusing? Maybe it’s because we miss some of the basics. Understanding information security comes from gathering perspective on the five Ws of security: what, why, who, when, and where.
Understanding InfoSec Through the Five Ws
- What is infosec?
- Why do you need information security?
- Who is responsible for information security?
- When is the right time to address information security?
- Where does information security apply?
- We could also include the sixth W, which is actually an “H” for “how.” The “how” is why FRSecure exists.
What is Information Security?
The most important thing to understand when asking, “What is infosec?” is this: Fundamentally, information security is the application of administrative, physical, and technical controls in an effort to protect the confidentiality, integrity, and/or availability of information. Simplified, that’s understanding our risks and then applying the appropriate risk management and security measures.
In understanding information security, we must first gain an understanding of these well-established concepts.
Administrative Controls
Administrative controls address the human factors of information security. Typically administrative controls come in the form of management directives, policies, guidelines, standards, and/or procedures. Good examples of administrative controls are:
- Information security policies
- Incident response plans
- Training and awareness programs
- Business continuity and/or disaster recovery plans
- Hiring and termination procedures
Physical Controls
Physical controls address the physical factors of information security. Physical controls are typically the easiest type of control for people to relate to. Physical controls can usually be touched and/or seen and control physical access to information. Good examples of physical controls are:
- Locks
- Fences
- Building alarm systems
- Construction materials
Technical Controls
Technical controls address the technical factors of information security—commonly known as network security. Technical controls use technology to control access. Much of the information we use every day cannot be touched, and often the control cannot be either. Good examples of technical controls are:
- Firewalls
- Access control lists
- File permissions
- Anti-virus software
Confidentiality, Integrity, and Availability
As mentioned previously, these concepts are what our controls aim to protect. This is how we define them:
- Confidentiality: Confidentiality is keeping information secret, allowing only authorized disclosure.
- Integrity: Data integrity is ensuring that information is accurate. Accurate data is critical to making important decisions soundly.
- Availability: Availability is making sure that information is accessible when it needs to be accessed.
Basically, we want to ensure that we limit any unauthorized access, use, and disclosure of our sensitive information.
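As an added illustration (not code from the original article or from FRSecure), the following Python shows two of the technical controls listed above doing the work the CIA definitions describe: an access control list evaluated deny-by-default protects confidentiality, and a keyed hash (HMAC) over a stored record protects integrity by detecting unauthorized modification. The ACL entries, group memberships, resource name and key are constructed sample data chosen for this example.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed sample data (not from the article): an access control list keyed by
# resource, with explicit allow and deny entries, plus group membership.
@dataclass(frozen=True)
class AclEntry:
    principal: str  # "user:<name>" or "group:<name>"
    action: str     # "read" or "write"
    effect: str     # "allow" or "deny"

ACL = {
    "payroll.csv": (
        AclEntry("group:finance", "read", "allow"),
        AclEntry("group:finance", "write", "allow"),
        # An explicit deny overrides any allow inherited through a group.
        AclEntry("user:contractor1", "read", "deny"),
    ),
}

GROUPS = {
    "user:alice": {"group:finance"},
    "user:contractor1": {"group:finance"},
    "user:bob": set(),
}

def is_allowed(user: str, action: str, resource: str) -> bool:
    """Confidentiality control: evaluate the ACL deny-by-default.

    - A resource with no entries, or a user with no matching entry, is denied.
    - Any matching deny entry wins over matching allow entries.
    """
    principals = {user} | GROUPS.get(user, set())
    allowed = False
    for entry in ACL.get(resource, ()):
        if entry.action != action or entry.principal not in principals:
            continue
        if entry.effect == "deny":
            return False
        allowed = True
    return allowed

# Hypothetical key for the integrity check; in practice it would come from a
# secrets store, never from source code.
INTEGRITY_KEY = b"constructed-demo-key-not-a-real-secret"

def seal(record: bytes, key: bytes = INTEGRITY_KEY) -> str:
    """Integrity control: compute an HMAC-SHA256 tag over a stored record."""
    return hmac.new(key, record, hashlib.sha256).hexdigest()

def verify(record: bytes, tag: str, key: bytes = INTEGRITY_KEY) -> bool:
    """Return True only if the record still matches its tag (constant-time compare)."""
    return hmac.compare_digest(seal(record, key), tag)

if __name__ == "__main__":
    record = b"employee=alice;salary=100000"
    tag = seal(record)
    print("alice read payroll:", is_allowed("user:alice", "read", "payroll.csv"))
    print("contractor1 read payroll:", is_allowed("user:contractor1", "read", "payroll.csv"))
    print("bob read payroll:", is_allowed("user:bob", "read", "payroll.csv"))
    print("record intact:", verify(record, tag))
    print("tampered record intact:", verify(b"employee=alice;salary=900000", tag))
```

Two design points matter here. The ACL fails closed: an unknown resource or a user with no matching entry is refused rather than granted, and an explicit deny beats a group-level allow, which is how a contractor placed in the finance group can still be kept away from one file. The integrity check uses a keyed hash rather than a plain digest, so someone who can alter the record but does not hold the key cannot also recompute a matching tag, and the comparison is constant-time to avoid leaking the tag through timing.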
Why Do You Need Information Security?
In addition to asking, “what is infosec?”, it’s also important to ask why your organization needs to work on understanding information security in the first place. This is sometimes tough to answer because the answer seems obvious, but it doesn’t typically present that way in most organizations.
As we know from the previous section, information security is all about protecting the confidentiality, integrity, and availability of information. So, answer these questions:
- Do you have information that needs to be kept confidential (secret)?
- Do you have information that needs to be accurate?
- Do you have information that must be available when you need it?
If you answered yes to any of these questions, then you have a need for information security.
Understanding information security and how it can reduce the risk of unauthorized information access, use, disclosure, and disruption is key. We need information security to reduce risk to a level that is acceptable to the business (management). We need information security to improve the way we do business.
Who is responsible for information security?
This is an easy one. Everyone is responsible for information security! A better question might be “Who is responsible for what?”
A top-down approach is best for understanding information security as an organization and developing a culture with information security at the forefront.
Senior Management
First off, information security must start at the top.
The “top” is senior management and the “start” is commitment.
Senior management must make a commitment to understanding information security in order for information security to be effective. This can’t be stressed enough. Senior management’s commitment to information security needs to be communicated and understood by all company personnel and third-party partners.
The communicated commitment often comes in the form of policy. Senior management demonstrates the commitment by being actively involved in the information security strategy, risk acceptance, and budget approval among other things.
Without senior management commitment, information security is a wasted effort.
Business Unit Leaders
Keep in mind that a business is in business to make money.
Making money is the primary objective, and protecting the information that drives the business is a secondary (and supporting) objective. Information security personnel need to understand how the business uses information. Failure to do so can lead to ineffective controls and process obstruction.
Arguably, nobody knows how information is used to fulfill business objectives better than employees. While it’s not practical to incorporate every employee’s opinion into an information security program, it is practical to seek the opinions of the people who represent every employee. Establish an information security steering committee comprised of business unit leaders.
Business unit leaders must see to it that information security permeates through their respective organizations within the company.
Employees
All employees are responsible for understanding and complying with all information security policies and supporting documentation (guidelines, standards, and procedures). Employees are responsible for seeking guidance when the security implications of their actions (or planned actions) are not well understood. Information security personnel need employees to participate, observe and report.
Third Parties
Third parties such as contractors and vendors must protect your business information at least as well as you do yourself. Information security requirements should be included in contractual agreements. Your right to audit the third party’s information security controls should also be included in contracts, whenever possible. The responsibility of the third party is to comply with the language contained in contracts.
When is the Right Time to Address Information Security?
On the surface, the answer is simple. The right time to address information security is now and always.
There are a couple of characteristics of good, effective information security that apply here.
Information security must be holistic. Information security is not an IT issue any more or less than it is an accounting or HR issue. Information security is a business issue.
A disgruntled employee is just as dangerous as a hacker from Eastern Europe. A printed account statement thrown in the garbage can cause as much damage as a lost backup tape. You get the picture. Information security needs to be integrated into the business and should be considered in most (if not all) business decisions.
This point stresses the importance of addressing information security all of the time. Information security is a lifecycle of discipline. In order to be effective, your information security program must be ever-changing, constantly evolving, and continuously improving.
Businesses and the environments they operate in are constantly changing. A business that does not adapt is dead. An information security program that does not adapt is also dead. Your information security program must adjust all of the time. Perhaps your company hasn’t designed and/or implemented an information security program yet, or maybe your company has written a few policies and that was that.
When is the right time to implement an information security program? When is the right time to update your existing program?
You have the option of being proactive or reactive. Proactive information security is always less expensive. Less expensive is important if your company is into making money.
Where Does Information Security Apply?
You may recall from our definition in “What is Information Security?” that fundamentally information security is:
The application of Administrative, Physical, and Technical controls in an effort to protect the Confidentiality, Integrity, and Availability of information.
In order to gain the most benefit from information security, it must be applied to the business as a whole. A weakness in one part of the information security program affects the entire program. Now we are starting to understand where information security applies in your organization. It applies throughout the enterprise.
Information security is NOT an IT issue.
Where does information security apply? It applies throughout your organization.
An information security assessment will help you determine where information security is sufficient and where it may be lacking in your organization. Hopefully, we cleared up some of the confusion. If you have questions about how to build a security program at your business, learn more at frsecure.com.
Should an entity have an Information Security Officer, and why?