Surely everyone knows what information security is, right? Well, not always. We often find that people think information security is just about IT security or confidentiality. As such, we thought we’d write a blog covering some of the basics and questions we often get asked about information security.
What is Information Security?
Information security involves the protection of information from unauthorised access, use, distribution, manipulation, loss or deletion. It can be any kind of information, from the personal data of customers and employees to private corporate information such as trade secrets and strategic plans.
It applies to information and information systems (which are the IT systems used to store and process data) but information doesn’t have to be on an IT system. Information security is about protecting information in all formats including information on paper and information known to people which they could disclose verbally.
This is a wide topic and good information security is as much about policies, training, supplier management, HR security and other non-technology topics as it is about IT security. It also covers availability and integrity of information, as covered below.
Increasingly ‘cyber security’ and ‘information security’ are used interchangeably, but this isn’t quite right. Cyber security is a narrower field, focused on protecting systems, applications, data and assets from internet-based threats. As such, the focus of cyber security is much more technical, but policies and awareness also play a key role in good cyber security.
The CIA Triad
Information security is about the protection of the Confidentiality, Integrity and Availability of information. This is often referred to as the ‘CIA’ triad which aims to ensure the following:
Confidentiality: Means that information is not available or disclosed to unauthorised people, entities or processes.
Integrity: Means information is complete and accurate, and protected from corruption.
Availability: Means information is accessible and usable as and when authorised users require it.
In our experience, the importance of confidentiality is well known but integrity and availability are less well understood as information security concepts.
It is becoming more common to also see resilience as a core component of information security but for now the CIA (rather than CIAR) model remains the established definition for information security.
Information Security Management Systems
If you want to demonstrate mature information security management, covering planning, implementation, review and continual improvement of your security measures, then you should consider implementing an Information Security Management System (ISMS).
An ISMS is a management system that addresses process, people and technology considerations, the aim being to identify and manage security risks and have steps in place to respond to and address security incidents. You can demonstrate that your ISMS meets a globally recognised standard by certifying it against the ISO 27001:2013 standard.
Your ISMS will cover far more than just IT or cyber security. The risks and controls it addresses include policies, organisation of information security, HR security, information asset management, supplier security, incident management, business continuity and compliance (as well as technical risks and controls). You will need to address the context of your organisation, your interested parties (customers, employees, shareholders, regulators etc.) and take a formal approach to roles, responsibilities, document management, risk identification, monitoring, auditing and continual review.
Implementing an effective ISMS can also help demonstrate compliance with laws and regulations such as the General Data Protection Regulation (GDPR), the Data Protection Act 2018 (DPA18), and the Network and Information Systems Regulation (NIS). However, to this point I would add a cautionary note: your reason for establishing an ISMS should not be regulatory compliance alone. If it is, the ISMS runs the ‘risk’ of becoming a box-ticking exercise rather than improving your overall information security.
If you are starting to think about improving information security, our advice is to compare your practices against best practice guidance such as Cyber Essentials or 10 Steps to Cyber Security. If you need help to assess your security practices against these we can help.
Don’t just think about IT systems though. These are obviously critically important, but think also about the information you hold and its importance to your business, and the impact it could have on your organisation if it was shared with a competitor, fell into the public domain, became unavailable to you or was changed without authorisation and therefore became unreliable.
The chances are you can’t afford to protect all your information to the same standard; you likely have ‘crown jewel’ data that warrants a higher level of protection and security investment. This might be intellectual property, customer information, personal data, price lists or source code. As such, remember to identify your information assets and their value to your organisation and/or the impact if they were stolen or corrupted. Key questions to ask include:
- What information do you have?
- Where is it stored or processed?
- Do third parties handle it for you? What are they doing with it?
- Crucially, what would happen if you lost it?
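One way to turn those four questions into a working asset register, as an added example that is not part of the original post: each asset records where it is held, which supplier (if any) handles it for you, and a 1 to 3 impact rating against each leg of the CIA triad, so that the ‘crown jewels’ and the high-impact assets sitting with third parties fall out of the data. The asset names, locations and ratings are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class InformationAsset:
    """One row of the register. Impact ratings run 1 (negligible) to 3 (severe):
    confidentiality = shared with a competitor or the public, integrity = changed
    without authorisation, availability = unavailable when you need it."""
    name: str
    location: str               # where it is stored or processed
    third_party: Optional[str]  # supplier that handles it for you, if any
    confidentiality: int
    integrity: int
    availability: int

    def impact_score(self) -> int:
        # Worst case across the triad: losing any one leg can be enough to hurt the business.
        return max(self.confidentiality, self.integrity, self.availability)


# Constructed sample register; values are illustrative, not real data.
REGISTER: List[InformationAsset] = [
    InformationAsset("Customer personal data", "CRM (cloud)", "CRM SaaS provider", 3, 2, 2),
    InformationAsset("Product source code", "Git server (on-prem)", None, 3, 3, 2),
    InformationAsset("Price lists", "Shared drive", None, 2, 3, 2),
    InformationAsset("Canteen menu", "Intranet page", None, 1, 1, 1),
    InformationAsset("Payroll records", "HR platform", "Outsourced payroll bureau", 3, 3, 2),
]


def crown_jewels(register: List[InformationAsset], threshold: int = 3) -> List[InformationAsset]:
    """Assets whose worst-case impact reaches the threshold, most exposed first."""
    jewels = [a for a in register if a.impact_score() >= threshold]
    total = lambda a: a.confidentiality + a.integrity + a.availability
    return sorted(jewels, key=lambda a: (-a.impact_score(), -total(a), a.name))


def supplier_exposures(register: List[InformationAsset], threshold: int = 3) -> List[Tuple[str, str]]:
    """High-impact assets a third party handles: the ones needing supplier security clauses and assurance."""
    return [(a.name, a.third_party) for a in register
            if a.third_party and a.impact_score() >= threshold]


if __name__ == "__main__":
    for asset in crown_jewels(REGISTER):
        print(f"{asset.name}: impact {asset.impact_score()} at {asset.location}")
    for name, supplier in supplier_exposures(REGISTER):
        print(f"{supplier} handles {name} on your behalf")
```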
If you need help to assess your security posture, improve your controls or implement an ISMS we can help. Wherever you are in this process contact us for a friendly chat.