Information security
From Wikipedia, the free encyclopedia
Information security, or sometimes Information Systems Security (INFOSEC), deals with several different "trust" aspects of information and its protection. Another similar term is Information Assurance (IA), but INFOSEC is a subset of IA. Information security is not confined to computer systems, nor to information in an electronic or machine-readable form. It applies to all aspects of safeguarding or protecting information or data, in whatever form or media.
The U.S. Government's National Information Assurance Glossary defines INFOSEC as:
- Protection of information systems against unauthorized access to or modification of information, whether in storage, processing or transit, and against the denial of service to authorized users or the provision of service to unauthorized users, including those measures necessary to detect, document, and counter such threats.
Most definitions of information security tend to focus, sometimes exclusively, on specific usages and/or particular media; e.g., "protect electronic data from unauthorized use". In fact it is a common misconception, or misunderstanding, that information security is synonymous with computer security—in any of its guises:
- computer and network security
- information technology (IT) security
- information systems security
- information and communications technology (ICT) security.
Each of these has a different emphasis, but the common concern is the security of information in some form (electronic in these cases). Therefore all are subsets of information security. Moreover, information security covers not just information but all infrastructures that facilitate its use—processes, systems, services, technology, etc., including computers, voice and data networks, etc.
It is an important point that information security is, inherently and necessarily, neither hermetic nor watertight nor perfect. No one can ever eradicate all risk of improper or capricious use of any information. The level of information security sought in any particular situation should be commensurate with the value of the information and the loss, financial or otherwise, that might accrue from improper use—disclosure, degradation, denial, or whatever. Bruce Schneier makes this point in Secrets and Lies: information security is about risk management.
Three widely accepted elements (aims, principles, qualities, characteristics, attributes ...) of information security are:
- confidentiality
- integrity
- availability
These can be remembered by the mnemonic "CIA" and are also referred to as the CIA triad, or jokingly "the Information Security mantra".
Historically, up to about 1990, confidentiality was the most important element of information security, followed by integrity, and then availability. By 2001, changing use and expectation patterns had moved availability to the top of most versions of this priority list. The first goal of modern information security has, in effect, become to ensure that systems are predictably dependable in the face of all sorts of malice, and particularly in the face of denial of service attacks.
NIST Special Publication 800-33 Underlying Technical Models for Information Technology Security added assurance as essential. "Without it the other objectives are not met." Assurance is the basis for confidence that the security measures, both technical and operational, work as intended to protect the system and the information in processes and that the other four security objectives (integrity, availability, confidentiality, and accountability) have been adequately met by a specific implementation.
Some other facets of information security are:
- governance
- Security Program Development
- access control
- risk assessment
- return on information security investment
- classification
- compliance
- identification and authentication
- Information Technology Infrastructure Library
- non-repudiation
- authorization
- administration and provisioning
- auditing
- alerting
- assurance and reliability
- Business Continuity Planning
- COMSEC
Cryptography and Cryptanalysis are important tools in assuring confidentiality (in transmission or storage of information), integrity (no change can be made undetectably), and source identification (the sender can be identified and all other than that sender can be excluded). This always assumes, necessarily, that the key(s) involved have not been misused or compromised, and that the crypto systems employed have been well chosen and properly used.
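As an added illustration (not part of the Wikipedia article), the following Python uses only the standard library to build a small encrypt-then-MAC scheme: the cipher provides confidentiality, the MAC provides integrity and source identification, and the final check shows the caveat that all three collapse once the key is compromised. The HMAC-based stream cipher is a teaching construction, not a recommendation.

```python
import hashlib
import hmac
import os

def _derive(master_key: bytes, purpose: bytes) -> bytes:
    # Separate encryption and MAC keys derived from one master key.
    return hmac.new(master_key, purpose, hashlib.sha256).digest()

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256: a toy stream cipher used only for
    # illustration; a real system would use a vetted AEAD such as AES-GCM.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def protect(master_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: the cipher gives confidentiality; the MAC gives integrity and source identification."""
    enc_key, mac_key = _derive(master_key, b"enc"), _derive(master_key, b"mac")
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unprotect(master_key: bytes, message: bytes):
    """Return the plaintext, or None if the tag fails (message altered, or not made by a key holder)."""
    if len(message) < 48:            # nonce (16) + tag (32) at minimum
        return None
    enc_key, mac_key = _derive(master_key, b"enc"), _derive(master_key, b"mac")
    nonce, ct, tag = message[:16], message[16:-32], message[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

def tamper(message: bytes) -> bytes:
    # Flip one bit of the ciphertext body to simulate alteration in transit.
    body = bytearray(message)
    body[16] ^= 0x01
    return bytes(body)

if __name__ == "__main__":
    key = os.urandom(32)                                  # constructed secret key
    msg = protect(key, b"transfer 100 to account 42")
    assert unprotect(key, msg) == b"transfer 100 to account 42"
    assert unprotect(key, tamper(msg)) is None            # integrity: tampering detected
    assert unprotect(os.urandom(32), msg) is None         # source: wrong key cannot verify
    assert unprotect(key, protect(key, b"forged")) == b"forged"  # a leaked key defeats all three
```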
Information security day is held around the world on the first Thursday of August every year.
See also
See Category:Data security for a list of all computing and information-security related articles.
- Business continuity planning
- Common Criteria
- Computer fraud case studies
- Computer insecurity
- Computer security
- Electronic underground community
- Infamous Hacks
- ISO/IEC 27001
- ISO/IEC 17799
- Notable hackers
- Predictive analytics
- Opportunistic encryption
- Risk aversion
- Security engineering
- The Standard of Good Practice published by the Information Security Forum
External links
- National Information Assurance (IA) Glossary
- Return on Information Security Investment (ROISI)
- RFC 2828: Internet Security Glossary
- IT Security portal: online news site for the latest articles, case studies and technical analysis of IT security, network security, data security, anti-hacking, anti-spyware, authentication and encryption
- InfoSec News: longest-running, well-respected, human-edited mailing list that caters to the distribution of information security news.
- Online and Computer security news and articles
- Home computer security advice
- The Center for Education and Research in Information Assurance and Security
- Information Security - site in Portuguese
- Information Systems Audit and Control Association
- Human and Social Elements - CFC