Infosec stands for information security: the process of protecting a company's information assets from all types of risk. While cybersecurity focuses on protecting information assets from cyber attacks, information security is a superset of cybersecurity that also covers physically securing those assets.

What are the goals of information security?

The ultimate goal of information security is to maintain the CIA triad within an organization. The elements of the CIA triad are:

Confidentiality: ensuring that only authorized users have access to information. Whenever a company suffers a data breach or data leak and individuals' information is accessed by criminals, the public, or employees who don't have the proper authorization, confidentiality has been compromised. Some of the key security controls you can use to maintain confidentiality are:
Physical controls count too: many companies, like KFC and Coca-Cola, keep their intellectual property and trade secrets in secure vaults.
Integrity: protecting information from being modified by unauthorized people, so that it stays trustworthy and accurate. Any time information is modified by someone who isn't authorized to do so, whether inside or outside the company, the information's integrity has been violated. For example, suppose the CFO sends a document to the director of finance to be reviewed. The director might try to manipulate the figures without the CFO knowing, to make the department look better, to cover up money laundering, and so on. You need a way to know whether a document has been modified without your knowledge before you can trust its integrity. Also, if data is lost, you need to be able to recover all of it, or at least most of it, from a trusted source. Some controls you can use to maintain integrity are:
Secure backups: if you ever have doubts about the integrity of the data on a system, you can restore that system from your backups. Record cryptographic hashes of the backups when they are taken and keep the hashes separately from the backups; recomputing the hash before a restore confirms that the backup has not been altered in any way, so you can be confident that the data you restore is accurate. A typical case where you will need this is a ransomware attack that leaves your company unable to recover its live data.
User access controls: by controlling which information users have edit access to, you limit the potential for users to change information without permission.
(Figure: the hash of the same text with and without a trailing period.) Notice how the entire hash changes just because of a period at the end of the input.
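The following is an added example, not code from the original post. It shows both points made above: a one-character change in the input produces a completely different SHA-256 digest, and a backup manifest that records the digest at backup time can be checked before a restore. The sample text, the backup contents and the manifest layout are constructed for the example; in a real deployment the manifest would live on separate, write-protected storage so an attacker who can alter the backup cannot also alter its recorded digest.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// Digest returns the hex-encoded SHA-256 of data.
func Digest(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// DifferingHexChars counts the positions at which two hex digests differ,
// to show how far a one-character change in the input moves the hash.
func DifferingHexChars(a, b string) int {
	n := 0
	for i := 0; i < len(a) && i < len(b); i++ {
		if a[i] != b[i] {
			n++
		}
	}
	return n
}

// BackupManifest records the digest taken when a backup was written.
// (Constructed structure for this example, not a real backup tool's format.)
type BackupManifest struct {
	Name           string
	ExpectedSHA256 string
}

// VerifyBackup recomputes the digest of the backup contents and compares it
// with the manifest in constant time. Only a backup that passes this check
// should be used to restore a system.
func VerifyBackup(m BackupManifest, contents []byte) bool {
	actual := Digest(contents)
	return subtle.ConstantTimeCompare([]byte(actual), []byte(m.ExpectedSHA256)) == 1
}

func main() {
	// Constructed sample input: the same sentence with and without a trailing period.
	h1 := Digest([]byte("The quarterly report is final"))
	h2 := Digest([]byte("The quarterly report is final."))
	fmt.Println(h1)
	fmt.Println(h2)
	fmt.Printf("%d of 64 hex characters differ\n", DifferingHexChars(h1, h2))

	// Constructed backup: record its digest at backup time ...
	original := []byte("db-dump-2023: accounts=120 balance=45000")
	manifest := BackupManifest{Name: "db-dump-2023", ExpectedSHA256: Digest(original)}

	// ... then verify before restoring, once intact and once after tampering.
	fmt.Println("intact backup verifies:", VerifyBackup(manifest, original))
	tampered := []byte("db-dump-2023: accounts=120 balance=99000")
	fmt.Println("tampered backup verifies:", VerifyBackup(manifest, tampered))
}
```

A plain hash only detects accidental or unprivileged tampering: an attacker who can rewrite both the backup and its manifest can make the check pass, which is why the digests belong somewhere the backup process can write but later attackers cannot.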
Availability: ensuring that information is accessible to authorized people whenever it is needed. Take a website like Netflix as an example. Many companies target availability of at least 99.99%, which means that 99.99% of the time you go to Netflix you should be able to access the services you want; that target leaves a budget of roughly 52 minutes of downtime per year. There are several practices you can implement to give your company high uptime:
This is an example of redundancy from the Amazon Web Services resiliency recommendations.
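As an added example that is not from the original post or from AWS, the code below turns the availability target above into a downtime budget, shows why redundancy is what gets you there (the service is only down when every replica is down at once, assuming independent failures), and sketches the health-check failover a load balancer performs to keep serving while one instance is out. The replica names and health-check results are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"math"
)

const minutesPerYear = 365.25 * 24 * 60

// DowntimeMinutesPerYear converts an availability target (e.g. 0.9999)
// into the downtime budget it leaves per year.
func DowntimeMinutesPerYear(availability float64) float64 {
	return (1 - availability) * minutesPerYear
}

// ParallelAvailability is the availability of n identical, independently
// failing replicas where the service is up as long as at least one replica
// is up: it is down only when every replica is down at the same time.
func ParallelAvailability(single float64, n int) float64 {
	return 1 - math.Pow(1-single, float64(n))
}

// Replica models one backend instance behind a load balancer.
type Replica struct {
	Name    string
	Healthy bool // result of the last health check (constructed for the example)
}

// ErrAllDown is returned when no replica passes its health check.
var ErrAllDown = errors.New("no healthy replica available")

// PickHealthy returns the first replica whose health check passed. This is
// the failover a load balancer or DNS health check performs so that the
// service stays reachable while an individual instance is down.
func PickHealthy(replicas []Replica) (Replica, error) {
	for _, r := range replicas {
		if r.Healthy {
			return r, nil
		}
	}
	return Replica{}, ErrAllDown
}

func main() {
	for _, target := range []float64{0.99, 0.999, 0.9999} {
		fmt.Printf("%.2f%% availability allows %.1f minutes of downtime per year\n",
			target*100, DowntimeMinutesPerYear(target))
	}
	// A single instance that is up 99% of the time cannot meet a 99.99%
	// target; two independent 99% instances in parallel can.
	fmt.Printf("two 99%% replicas in parallel: %.4f%%\n", ParallelAvailability(0.99, 2)*100)

	// Constructed health-check results: one availability zone down, one up.
	replicas := []Replica{
		{Name: "web-zone-a", Healthy: false},
		{Name: "web-zone-b", Healthy: true},
	}
	r, err := PickHealthy(replicas)
	fmt.Println("serving from:", r.Name, "error:", err)
}
```

The independence assumption is the caveat to keep in mind: two replicas that share a power feed, a network path, a deployment pipeline or a single database fail together, and the parallel formula then overstates what you get. Spreading replicas across zones or regions is how you make the failures closer to independent.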
In addition to these three principles, there is a widely used fourth principle: non-repudiation, which means that whoever created or sent a piece of information cannot later deny having done so. Digital signatures are the main control that provides it.
Digital Signatures Explained
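The following is an added example, not code from the original post, using Ed25519 from the Go standard library. It revisits the CFO and director of finance from the integrity example: the CFO signs the document with a private key only the CFO holds, anyone with the CFO's public key can verify it, any change to the document breaks the signature, and the director cannot produce a signature that verifies as the CFO's. For contrast it also computes an HMAC with a shared key, which protects integrity but cannot establish who produced the document, because both parties hold the same key. The document text and the shared secret are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Signer holds one party's Ed25519 key pair. The private key never leaves
// its owner; only the public key is shared with verifiers.
type Signer struct {
	Public  ed25519.PublicKey
	private ed25519.PrivateKey
}

// NewSigner generates a fresh key pair.
func NewSigner() (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{Public: pub, private: priv}, nil
}

// Sign produces a signature over the document with the owner's private key.
func (s *Signer) Sign(doc []byte) []byte {
	return ed25519.Sign(s.private, doc)
}

// Verify checks a signature against a party's public key. Anyone holding the
// public key can run this, and nobody without the matching private key could
// have produced a signature that passes, which is what gives non-repudiation.
func Verify(pub ed25519.PublicKey, doc, sig []byte) bool {
	return ed25519.Verify(pub, doc, sig)
}

// MACTag computes HMAC-SHA256 over the document with a shared key. It detects
// modification, but because sender and receiver both know the key, either of
// them could have produced the tag, so it cannot prove who sent the document.
func MACTag(key, doc []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(doc)
	return m.Sum(nil)
}

func main() {
	cfo, _ := NewSigner()
	director, _ := NewSigner()

	// Constructed document from the integrity example.
	doc := []byte("Q3 budget: finance department spend = 1,200,000")
	sig := cfo.Sign(doc)
	fmt.Println("CFO signature verifies:", Verify(cfo.Public, doc, sig))

	// Any change to the document invalidates the signature.
	altered := []byte("Q3 budget: finance department spend = 1,000,000")
	fmt.Println("altered document verifies:", Verify(cfo.Public, altered, sig))

	// The director cannot forge the CFO's signature: a signature made with the
	// director's key does not verify under the CFO's public key.
	fmt.Println("director's signature passes as CFO:", Verify(cfo.Public, doc, director.Sign(doc)))

	// With a shared HMAC key the receiver can compute the exact same tag the
	// sender did, so a valid tag does not identify which of them produced it.
	shared := []byte("constructed-shared-secret")
	fromCFO := MACTag(shared, doc)
	fromDirector := MACTag(shared, doc)
	fmt.Println("HMAC tag identical whoever computed it:", hmac.Equal(fromCFO, fromDirector))
}
```

In practice the public key is distributed in a certificate or a trusted key store, and the verifier also checks that the key was valid at the time of signing; otherwise a valid signature only proves that some holder of the private key signed, not necessarily the CFO.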
The CIA triad along with non-repudiation are the four main goals of information security. Not only are they important for protecting the company's interests, they also protect consumers by keeping their information out of the hands of people who shouldn't have it. Additionally, many privacy laws and regulations require companies to take reasonable steps to protect their customers' information. It's important that companies implement multiple security controls for each of the three elements of the triad, as well as for non-repudiation, to ensure that they are sufficiently protected.