With the exponential growth of businesses utilising technology in recent years, information security has increased its importance justifiably. We cover the top principles of information security, the importance of information security policies and steps to improve an organisation’s security. Cyber security is an ongoing concern, requiring constant attention towards improvements and monitoring systems’ current state. Due to the increasing speed of technologies and perimeter, fewer organisations defy the traditional boundaries and render traditional controls ineffective.
Although by trade we are a cyber security services organisation, our main job remains ensuring awareness about data protection and risk management.
What is Information security (Infosec)?
Information security is described in practices designed to protect electronic, print or any other form of confidential information from unauthorised access. It is focused on the CIA (Confidentiality, Integrity and Availability) triad. Information security is also known as infosec for short. Data can be called information in specific contexts. However, these terms have different meanings. Data is an individual unit containing raw and unorganised facts. Information is a meaningful form of data after it is structured in a particular fashion.
Information security is defined as the preservation of Confidentiality, Integrity and Availability aspects.
Information security vs cyber security
Often, information security and cyber security terms are used interchangeably. Information security definition relates to the protection of all forms of information. Cyber security is the practice of protecting electronic data from being hacked (compromised or unauthorised access). This data may reside on different assets that store or process such data, such as laptops, workstations, devices, network equipment, etc.
What is a threat?
A threat is defined as an event facilitated by a weakness that could lead to unauthorised access to an electronic system. Some of the main cyber security threats include ransomware, phishing attacks, unpatched vulnerabilities and insider attacks.
Threat responses relate to the following possible responses:
- Reducing or mitigating risks by implementing safeguards or countermeasures to remove or block threats
- Transfer of risk by moving responsibility to another party for mitencigating potential losses
- Acceptance of risks where the cost of countermeasures outweighs the cost of data loss
Technology risk is governed by calculation based on the likelihood of an attack and environmental impact.
What are the 3 Principles of Information Security?
The three core principles of information security are called the CIA triad (confidentiality, integrity and availability). Data protection risks are calculated based on the likelihood and impacts on each of these three core IT security principles.
Components of data security
The main components that explain the principles of security are:
The purpose of Confidentiality is to protect the data from unauthorised access. It is possible by implementing access restrictions to allow access to authorised entities only. Examples of data confidentiality compromise would be unauthorised disclosure, password theft or sensitive data theft.
In the past, even now, sometimes, privacy is used interchangeably with confidentiality.
Integrity means preserving the accuracy and completeness of data. This element ensures that data has not been tampered with and can be trusted. Data security is sometimes confused with data integrity. It deals with the protection of data, whereas data integrity deals with trustworthiness. An example of data integrity compromise is the altering of data during transfer due to unauthorised access. Integrity covers another concept known as non-repudiation; it refers to none of the parties’ ability to deny a transaction. This is similar to our real-life scenario where one signs a legal contract and cannot be denied once it is signed. A signature is a non-repudiation element in this scenario. An example of non-repudiation is digital signatures. Digital signatures are combined with other measures to ensure one party to a contract cannot deny their signatures’ authenticity and integrity, offering assurance to the communication or contract.
For example, a customer order emailed by a website contains the same pricing and billing information. When read by a user, it ensures the integrity of the email contents that pricing has not been tampered with.
This refers to the availability of data when authorized users require this data. Devices, systems, applications, data are of little value to any organization if their customers can’t access it when they need it. Denial of Service attacks prevention is an example of ensuring data availability.
There is a debate around ‘accountability’ that is lacked in the above CIA triad; it is non-repudiation. It is defined as below.
Sensitive data should be kept secure, meaning the protection of the three principles. Based on the business objectives, an organisation may stress security principles in information security accordingly. For example, a payroll company storing personal data and national insurance numbers would focus on confidentiality. A bank would ensure data integrity as it’s a top priority to protect against unauthorised tampering of banking data.
Keeping the above guiding principles of information security in mind, data security’s main objective is to ensure private information remains private, same from unauthorised changes and accessible for authorised users.
Other principles are based on these core principles and extend to security measures in line with data privacy. Privacy laws and regulations such as GDPR, Data Protection Act 2018 set out these principles at the heart of the data protection regime. For instance, Article 5 of GDPR sets out these seven principles:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Storage limitation
- Integrity and confidentiality (security)
ICO recommends these principles should lie at the heart of your approach to processing personal data. You can read more about 8 principles of Data Protection.
The way by which the information security principles are implemented in an organisation is using information security policies. A security policy is a set of policies and procedures for everyone accessing organisations’ resources. It includes employees, vendors, contractors and any other staff.
What is the purpose of a security policy?
A security policy outlines how to protect the organisation from threats and what to do if such situations arise. Organisations with information security in place require updates to reflect the latest changes in infrastructure and security risks. Security attack surface keeps changing, and security policies must adhere to this change.
To gain further insight into this issue, here is an example. A security policy is designed to protect an organisation from internal and external threats. While a malicious action may be intentional (problematic insiders) or unintentional (negligent insider), implementing user education initiatives such as awareness and training would help an organisation reduce this risk. Information security policies are made easy by the enforcement of such initiatives.
How to write an information security policy?
The majority of the organisations need information security direction in their organisation, where security policies are central to this concept. Security policy writing requires a considerable investment of time required for discussions, analysis and documentation. Writing a security policy should address realistic threats to an organisation and shouldn’t be a copy/paste job from a template.
As a starting point, an organisation should think around the following questions:
- What, when and Why?
- Who accesses what?
- What are the policy violations?
- Do you have any compliance or regulatory requirements?
Many organisations follow popular information security standards such as ISO 27001 to implement an information security management system (ISMS).
What are the different types of security policies?
Although an organisation’s needs to define security policies requirements, the following are examples of information security policies.
- Information Security Policy
- Anti-virus Policy
- Acceptable Use Policy
- Access Control Policy
- Data Breach Response Policy
- Change Management Policy
- Incident Response Policy
- Remote Access Policy
- Email Policy
- Bring Your Own Device Policy
- Cloud Policy
- Business Continuity Planning Policy
- Disaster Recovery Policy
And lots of more policies based on the organisation needs.
For a more granular approach, security policies can be divided into various categories such as:
- General security policies such as Acceptable Use Policy, Data Breach Response Policy, Email Policy, Security Awareness Policy, etc., are implemented across the organisation.
- Network security policies covering Remote Access Policy, Wireless Communication Policy, Bring Your Own Device (BYOD) Policy, Access Tools Policy, Device Security Policy, etc., that are specific to the particular asset class.
The benefit of such granular policies would ensure the information security approach is more proactive and works in line with the defence in depth principle.
To measure the effectiveness of policies and underlying security controls working to implement such policies, companies consider third party validation exercises such as penetration testing or compliance-related assessments such as vulnerability assessments, GDPR penetration testing or ISO 27001 pentest.
How can we maintain effective cyber security?
It is important to learn about information security measures.
- People layer focussed on user education and enforcement of infosec processes and policies within an organisation.
- Organisation measures such as security assurance, security engineering and management teams are dedicated to maintaining the information security processes, people and technology.
- The technical layer ensures information security is baked into the ground level work such as server configurations, firewalls, encryption, hardware security features, etc.
- Physical measures involve physical controls around access, monitoring and blocking.
One of the core concepts behind maintaining effective security in an organisation is to prepare information security plans and implement to minimise risk and prepare for business continuity.
Our national authority on cyber security, NCSC, defines 10 steps to cyber security as:
- Risk Management Regime
- Malware Prevention
- Network Security
- Removable Media Controls
- Secure Configuration
- Managing User Policies
- Incident Management
- Remote Working
Hopefully, doubts around information security, its principles, along with examples and security policies know-how, added to your knowledge. Fulfilling information security principles and compliance is an ongoing process due to today’s complexities between different systems and the constant changes due to ongoing data flows and improvements.
Taking a few precautions that in your hope might be extensive work may be an understatement and false hope of achieving data security around your organisation. This must be validated by third party independent providers, the subject experts who can vouch for your measures and help you with your IT security strategy.
For practical tips around technical cyber security for small businesses, please refer to this article about improving small business security posture. Alternatively, you may want to take stock of your situation from holistic perspective – read 10 steps to cyber security advice article.
Should you require a piece of informal advice or advisory around your security concerns, get in touch.
Harman Singh is a security professional with over 15 years of consulting experience in both public and private sectors.
As the Managing Consultant at Cyphere, he provides cyber security services to retailers, fintech companies, SaaS providers, housing and social care, construction and more. Harman specialises in technical risk assessments, penetration testing and security strategy.
He regularly speaks at industry events, has been a trainer at prestigious conferences such as Black Hat and shares his expertise on topics such as ‘less is more’ when it comes to cybersecurity. He is a strong advocate for ensuring cyber security as an enabler for business growth.
In addition to his consultancy work, Harman is an active blogger and author who has written articles for Infosecurity Magazine, VentureBeat and other websites.