With the exponential growth of businesses relying on technology in recent years, information security has justifiably grown in importance. We cover the top principles of information security, the importance of security policies and steps to improve security within an organisation. Cyber security is an ongoing concern, requiring constant attention to improvements and to monitoring the current state of systems. This is a worry because of the increasing pace of technology change and the rise of perimeterless organisations that defy traditional boundaries and render traditional controls ineffective.
What is Information security (Infosec)?
Information security refers to the practices designed to protect electronic, print or any other form of confidential information from unauthorised access. It is focused on the CIA (Confidentiality, Integrity and Availability) triad. Information security is also known as infosec for short. Data can be called information in specific contexts; however, the two terms have different meanings. Data is an individual unit containing raw and unorganised facts. Information is the meaningful form that data takes once it has been structured in a particular fashion.
Information security vs cyber security
Often, the terms information security and cyber security are used interchangeably. Information security deals with the protection of all forms of information. Cyber security is the practice of protecting electronic data from compromise or unauthorised access. This data may reside on different types of assets that store or process it, such as laptops, workstations, mobile devices and network equipment.
What is a threat?
A threat is defined as a potential event, enabled by a weakness, that could lead to unauthorised access to an electronic system. Some of the main cyber security threats include ransomware, phishing attacks, unpatched vulnerabilities and insider attacks.
Possible responses to a threat include:
- Reducing or mitigating risks by implementing safeguards or countermeasures to remove or block threats
- Transfer of risk by moving responsibility to another party for mitigating potential losses
- Acceptance of risks where the cost of countermeasures outweighs the cost of data loss
Technology risk is calculated from the likelihood of an attack and its impact on the environment.
What are the 3 Principles of Information Security?
The three core principles of information security are called the CIA triad (confidentiality, integrity and availability). Data protection risks are calculated based on likelihood and impact against each of these three security principles.
The purpose of Confidentiality is to protect data from unauthorised access. This is achieved by implementing access restrictions so that only authorised entities can access the data. Examples of a confidentiality compromise would be unauthorised disclosure, password theft or theft of sensitive information.
In the past, and sometimes even now, privacy is used interchangeably with confidentiality.
Integrity means preserving the accuracy and completeness of data. This element ensures that data has not been tampered with and can be trusted. Data security is sometimes confused with data integrity: data security deals with the protection of data, whereas data integrity deals with its trustworthiness. An example of an integrity compromise is data being altered in transit following unauthorised access. Integrity covers another concept known as non-repudiation, which refers to the inability of any party to deny a transaction. This is similar to the real-life scenario where someone signs a legal contract: once it is signed, it cannot be denied, and the signature is the non-repudiation element. A technical example of non-repudiation is the digital signature. Digital signatures are combined with other measures to ensure that one party to a contract cannot deny the authenticity and integrity of their signature, offering assurance to the communication or contract.
For example, an order confirmation emailed by a website should contain the same pricing and billing information that the customer saw when ordering. Integrity of the email contents assures the reader that the pricing has not been tampered with.
Availability refers to data being accessible when authorised users require it. Devices, systems, applications and data are of little value to any organisation if its customers can't access them when they need to. Preventing Denial of Service attacks is an example of ensuring data availability.
Some argue that the CIA triad lacks 'accountability'; this is addressed by non-repudiation, as defined above under integrity.
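The following Go program is an added example (not code from the original article) of the digital signature scenario described above: the sender signs a customer order with an Ed25519 private key and the recipient verifies it with the matching public key. The verification succeeds for the genuine order, fails once the price field has been altered, and fails for a signature produced by any other party's key, which is what gives integrity and non-repudiation. The Order type, the field names, the sample values and the simple key=value canonical encoding are all assumptions constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Order is a constructed sample customer order (hypothetical fields, not from the article).
type Order struct {
	OrderID   string
	Customer  string
	AmountGBP string
}

// canonical gives the order a fixed byte layout so that signer and verifier
// always sign and check exactly the same bytes. Assumption: a line-based
// key=value encoding is sufficient for this illustration.
func canonical(o Order) []byte {
	return []byte("order_id=" + o.OrderID + "\ncustomer=" + o.Customer +
		"\namount_gbp=" + o.AmountGBP + "\n")
}

// SignOrder signs the canonical order bytes with the sender's private key.
func SignOrder(priv ed25519.PrivateKey, o Order) []byte {
	return ed25519.Sign(priv, canonical(o))
}

// VerifyOrder returns true only if sig was produced over exactly this order
// by the holder of the private key matching pub.
func VerifyOrder(pub ed25519.PublicKey, o Order, sig []byte) bool {
	return ed25519.Verify(pub, canonical(o), sig)
}

// Demo runs the three checks: the genuine order verifies, a tampered price
// does not, and a signature from a different party's key is rejected.
func Demo() (genuine, tampered, forged bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	order := Order{OrderID: "ORD-0001", Customer: "example customer", AmountGBP: "149.99"}
	sig := SignOrder(priv, order)
	genuine = VerifyOrder(pub, order, sig)

	// Integrity: altering the price in transit invalidates the signature.
	altered := order
	altered.AmountGBP = "14.99"
	tampered = VerifyOrder(pub, altered, sig)

	// Non-repudiation: only the holder of priv can produce a signature that pub accepts.
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	forged = VerifyOrder(pub, order, SignOrder(otherPriv, order))
	return genuine, tampered, forged, nil
}

func main() {
	genuine, tampered, forged, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine order verifies: %v\n", genuine)   // true
	fmt.Printf("tampered price verifies: %v\n", tampered) // false
	fmt.Printf("forged signature verifies: %v\n", forged) // false
}
```

In a real deployment the public key would be distributed out of band (for example pinned in the receiving mail client or published via a trusted directory), since the guarantee only holds if the verifier trusts that the key belongs to the sender.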
Sensitive data should be kept secure, meaning all three principles are protected. Depending on its business objectives, an organisation may emphasise particular information security principles. For example, a payroll company storing personal data and national insurance numbers would focus on confidentiality. A bank would prioritise data integrity, to protect against unauthorised tampering with banking data.
Keeping the above guiding principles of information security in mind, the main objective of data security is to ensure that private information remains private, is safe from unauthorised changes and is accessible to authorised users.
Other principles build on these core principles and extend to security measures in line with data privacy. Privacy laws and regulations such as the GDPR and the Data Protection Act 2018 place these principles at the heart of the data protection regime. For instance, Article 5 of the GDPR sets out these seven principles:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
The ICO recommends that these principles lie at the heart of your approach to processing personal data.
Information security principles are implemented in an organisation through security policies. A security policy is a set of policies and procedures for everyone accessing the organisation's resources, including employees, vendors, contractors and any other staff.
What is the purpose of a security policy?
A security policy outlines how to protect the organisation from threats and what to do if such situations arise. Security policies that are already in place require updates to reflect the latest changes in infrastructure and security risks. The attack surface keeps changing, and security policies must keep pace with this change.
To gain further insight into this issue, here is an example. A security policy is designed to protect an organisation from internal and external threats. Insider actions may be intentional (problematic insiders) or unintentional (negligent insiders); implementing user education initiatives such as awareness and training helps an organisation reduce this risk, and the enforcement of such initiatives is defined in security policies.
How to write an information security policy?
Most organisations need information security direction, and security policies are central to providing it. Writing a security policy requires a considerable investment of time for discussions, analysis and documentation. A security policy should address realistic threats to the organisation and shouldn't be a copy/paste job from a template.
As a starting point, an organisation should think about the following questions:
- What, when and why?
- Who accesses what?
- What are the policy violations?
- Do you have any compliance or regulatory requirements?
Many organisations follow popular information security standards such as ISO 27001 to implement an information security management system (ISMS).
What are the different types of security policies?
Although each organisation must define its own security policy requirements, the following are common examples of information security policies:
- Information Security Policy
- Anti-virus Policy
- Acceptable Use Policy
- Access Control Policy
- Data Breach Response Policy
- Change Management Policy
- Incident Response Policy
- Remote Access Policy
- Email Policy
- Bring Your Own Device Policy
- Cloud Policy
- Business Continuity Planning Policy
- Disaster Recovery Policy
and many more, depending on the organisation's needs.
For a more granular approach, security policies can be divided into categories such as:
- General security policies, such as the Acceptable Use Policy, Data Breach Response Policy, Email Policy and Security Awareness Policy, that are implemented across the organisation.
- Network security policies, such as the Remote Access Policy, Wireless Communication Policy, Bring Your Own Device (BYOD) Policy, Access Tools Policy and Device Security Policy, that are specific to a particular asset class.
Such granular policies make the information security approach more proactive and bring it in line with the defence in depth principle.
To measure the effectiveness of policies and of the underlying controls that implement them, companies consider third-party validation exercises such as penetration testing, or compliance-related assessments such as vulnerability assessments, GDPR penetration testing or an ISO 27001 pentest.
How can we maintain effective cyber security?
Information security measures can be grouped into the following layers:
- People layer, focused on user education and enforcement of infosec processes and policies within an organisation.
- Organisational measures, such as security assurance, security engineering and management teams dedicated to maintaining the information security processes, people and technology.
- Technical layer, ensuring information security is baked into the ground-level work such as server configurations, firewalls, encryption, hardware security features and so on.
- Physical measures, involving physical controls around access, monitoring and blocking.
Our national authority on cyber security, the NCSC, defines 10 steps to cyber security, including:
- Risk Management Regime
- Malware Prevention
- Network Security
- Removable Media Controls
- Secure Configuration
- Managing User Policies
- Incident Management
- Remote Working
Hopefully this has cleared up doubts around information security, its principles, the examples given and security policy know-how. Fulfilling information security principles and compliance is an ongoing process, because of today's complex interactions between systems and the constant change brought by ongoing data flows and improvements.
Taking a few precautions and hoping they amount to extensive work may be an understatement and a false hope of achieving data security across your organisation. Your measures should be validated by independent third-party providers, the subject experts who can vouch for them and help you with your IT security strategy.
Should you require informal advice or advisory around your security concerns, get in touch.