Information Security
Information security, or sometimes Information Systems Security (INFOSEC), deals with several different "trust" aspects of information and its protection. Another similar term is Information Assurance (IA), but INFOSEC is a subset of IA. Information security is not confined to computer systems, nor to information in an electronic or machine-readable form. It applies to all aspects of safeguarding or protecting information or data, in whatever form or media.
The U.S. Government's National Information Assurance Glossary defines INFOSEC as:
- Protection of information systems against unauthorized access to or modification of information, whether in storage, processing or transit, and against the denial of service to authorized users or the provision of service to unauthorized users, including those measures necessary to detect, document, and counter such threats.
Most definitions of information security tend to focus, sometimes exclusively on specific usages and, or, particular media; e.g., "protect electronic data from unauthorized use". In fact it is a common misconception, or misunderstanding, that information security is synonymous with computer security—in any of its guises:
- computer and network security
- information technology (IT) security
- information systems security
- information and communications technology (ICT) security.
Each of these has a different emphasis, but the common concern is the security of information in some form (electronic in these cases). Therefore all are subsets of information security. Conversely, information security covers not just information but all infrastructures that facilitate its use—processes, systems, services, technology, etc., including computers, voice and data networks, etc.
It is an important point that information security is, inherently and necessarily, neither hermetic nor watertight nor perfect. No one can ever eradicate all risk of improper or capricious use of any information. The level of information security sought in any particular situation should be commensurate with the value of the information and the loss, financial or otherwise, that might accrue from improper use—disclosure, degradation, denial, or whatever. Bruce Schneier makes this point in Secrets and Lies: information security is about risk management.
Three widely accepted elements (aims, principles, qualities, characteristics, attributes ...) of information security are:
- confidentiality
- integrity
- availability
These can be remembered by the mnemonic "CIA" and are also referred to as the CIA triad, or jokingly "the Information Security mantra".
Historically, up to about 1990, confidentiality was the most important element of information security, followed by integrity, and then availability. By 2001, changing use and expectation patterns had moved availability to the top of most versions of this priority list. The first goal of modern information security has, in effect, become to ensure that systems are predictably dependable in the face of all sorts of malice, and particularly in the face of denial of service attacks.
NIST Special Publication 800-33 Underlying Technical Models for Information Technology Security added assurance as essential. "Without it the other objectives are not met." Assurance is the basis for confidence that the security measures, both technical and operational, work as intended to protect the system and the information in processes and that the other four security objectives (integrity, availability, confidentiality, and accountability) have been adequately met by a specific implementation.
Some other facets of information security are:
- governance
- Security Program Development
- access control
- risk assessment
- return on information security investment
- classification
- compliance
- identification and authentication
- Information Technology Infrastructure Library
- non-repudiation
- authorization
- administration and provisioning
- auditing
- alerting
- assurance and reliability
- Business Continuity Planning
- COMSEC
Cryptography and Cryptanalysis are important tools in assuring confidentiality (in transmission or storage of information), integrity (no change can be made undetectably), and source identification (the sender can be identified and all other than that sender can be excluded). Always assuming, necessarily, that the key(s) involved have not been misused or compromised, and that the crypto systems employed have been well chosen and properly used.
Information security day is held around the world on the first Thursday of August every year.
| Access Control | |||
| In security, specifically physical security, the term access control refers to the practice of restricting... | |||
|
|
|||
| Authentication | |||
| Authentication is the act of establishing or confirming something (or someone) as authentic... | |||
|
|
|||
| Authorization | |||
| In security engineering and computer security, authorization is a part of the operating system... | |||
|
|
|||
| Confidentiality | |||
|
The Marx Brothers were a team of sibling comedians that appeared in vaudeville, stage plays, film and television... |
|||
|
|
|||
| Data Integrity | |||
| In computer science and telecommunications, the term data integrity has the following meanings... | |||
|
|
|||
| Risk Management | |||
| Generally, Risk Management is the process of measuring, or assessing risk and developing strategies to manage it... | |||
|
|
|||
