The 3 principles of Information Security
When we talk about Information Security, we talk about the tools and the processes that an organization uses to protect information. We talk about the policies that are set to prevent unauthorized people from accessing sensitive data and of course, we talk about the technologies that are used to protect information.
The goal of Information Security is to ensure the safety and privacy of sensitive data such as clients’ details, suppliers’ details, financial information, intellectual property and other highly confidential information.
Organisations that do not have proper information security may fall victim to attacks, which generally involve theft of confidential information, data tampering, and deletion of information. Those attacks can disrupt operations, cause reputational damage and eventually lead to financial loss.
A good information security system will ensure that the organization is ready to detect, respond to, and proactively prevent attacks such as phishing, malware, viruses, malicious insiders, and ransomware.
Generally, information security will follow the CIA Triad, which stands for Confidentiality, Integrity and Availability. Every element of the information security program will be designed to implement one or more of these principles.
Confidentiality means that the information will remain secret, or at least known only to a few persons. Generally, confidential information will be encrypted and protected by several levels of security.
When there is a breach in the information system and data has leaked out of the organization, we say that the information has been compromised.
A breach of confidentiality may take place through different means, for instance hacking or social engineering.
Data integrity means that the information is not tampered with or degraded.
The information should be safe from unauthorized changes, whether intentional or unintentional. Usually there are some levels of security to prevent such changes, for example a confirmation step before a change is applied.
Generally, data is exposed to integrity risks during a transfer, for example when a file is uploaded from a computer to a cloud server, or when information is sent by email.
Availability means that the information is accessible when needed.
Availability of information is a major challenge in the current socio-economic context. The shift to working from home imposed by the COVID-19 pandemic has forced organisations to find solutions. Indeed, for a system to demonstrate availability, it must have properly functioning computing systems, security controls and communication channels. These systems must be resilient against cyber threats, and have safeguards against power outages, hardware failures and other events that might affect system availability.
If an organization follows these three principles as a guideline, it should be able to establish the foundation of an information security policy. At Ascentrix Consulting, we help our clients in their quest to secure their information. We help them assess the risks related to their current system and accompany them in the implementation of new procedures. If you wish to have an assessment of your information security level, please contact us.