Information Security Design

Fa1c0n
Apr 11, 2020

A basic understanding of Information Security is fundamental to the success of any organization. Unfortunately, this term is far too often misunderstood and misused.

If we understand information security, we can use it as a competitive advantage. In fact, information security is nothing new; it has been around for as long as we have had information to protect. And if we ask ten different people to define information security, we will probably get ten different answers.

Information Security is a matter of managing risks to the confidentiality, integrity, and availability of information using administrative, physical and technical controls.

Managing Risks

In the simplest of terms, risk is the likelihood of something bad happening combined with the impact of the bad thing happening.

Confidentiality

Confidentiality is keeping information secret, allowing only authorized disclosure. The opposite of confidentiality is disclosure.

Integrity

Integrity is ensuring that information is accurate. Accurate information is critical to us in making sound decisions. The opposite of integrity is alteration.

Availability

Information must be available when it’s needed. The opposite of availability is destruction.

Administrative Controls

These controls are used to manage the organization’s information security efforts and to address the people part of security. These types of controls include things like policies, standards, procedures, and training.

Physical Controls

Physical controls are the controls that you can touch. They are designed to manage physical access to information and include things like door locks, alarm systems and camera surveillance. It really doesn’t matter how good your antivirus software is if someone can easily steal your server.

Technical Controls

This is the IT part of security. Technical controls are what most people think of when they think of information security. These controls include things like firewalls, antivirus software, passwords and permissions.

At the end of the day, good security practices come with doing the basics right. No fancy technology or software alone can get your program where it needs to be. Do the basics right first. You can’t secure what you don’t know you have, and your security measures should directly impact your most valuable assets (as well as the risk associated with them).

Last but not least

People are the weakest link in every security program. They make mistakes, they bypass technology, they ignore rules. But with proper training and education, they can also be turned into its biggest strength.
