The objective of information security is, in particular, the protection of information and data against negative events such as loss, theft, misuse, destruction, disruption or unintentional changes, i.e. any violation of the integrity, confidentiality or availability of data or information. The risk of their loss or misuse is a threat that comes not only from the surroundings but especially from within the organization itself.
Information security, including information handling, is one of the missions of security management.
What are the components of the Information Security?
Information security covers areas like storage or transfer of information, whether in written, spoken or digital form, including protection against interception or disinformation. It also covers other areas:
- Data security deals solely with the protection of data stored by information technology.
- Computer security deals with the security of ICT (information and communication technologies).
What does information security mean in practice?
The importance of information security increases with the increasing importance of the information concerned.
Information is one of the key resources of an organization. If information is lost or makes its way to our competitors, it can also mean the end of our business. Information can get lost from our storage (a computer, a server or a file) or from somewhere along the way before reaching us (from our computer network but also, to put it simply, from someone who is carrying it to us on a piece of paper).
What does it actually mean to lose data or information? What troublesome situations can occur?
- Inaccessibility of data or information - it means that we do not have access to the data or there is no storage space available (e.g. the network does not work, we lost the key); such a situation can be avoided by providing your colleagues with a reliable network or by having multiple paths to access the information.
- Loss of data and information - it means that neither we nor anybody else has access to the data. For example, a loss of data can occur when we irreparably break our smartphone or when a data carrier is destroyed (the lifetime and reliability of data carriers are limited). A regular backup can prevent such situations. Partial loss means that we lose only a part of the data; however, their integrity may have been violated, which can make the remaining part of the data illegible or impossible to use.
- Theft of data or information - it means that someone else has your data; in the better case, your data have been backed up and thus the theft does not result in the loss of your data. Such a situation can occur when someone steals our smartphone or laptop from us. The question is whether the thief will abuse the data and how.
- Data or information abuse may follow a theft or an active attack. This situation is normally the most dangerous because the attacker or the worker who misuses information does so deliberately and usually has a clear idea of what they are doing, that is to say, they know exactly what information they are after and how exactly they are going to abuse it.
Information security is a virtually consistent, repetitive set of interrelated activities designed to secure information and data in an organization, thus limiting the likelihood of the above-mentioned risks. Information Security Management in an organization consists essentially of the following areas of activity:
- Laying down information handling rules that cover a range of aspects such as the categorization of data as public, confidential, etc., or setting up when, how and why specific data or information is accessible to different people.
- Managing access to data and information, which can be summarized in the following questions: Do I know who can access what data and information within my organization and who, by contrast, is not granted access to it? Are we protected against fraud? These are the issues that Authorization Management tries to cope with.
- Security of end devices against loss and theft. What happens when I lose my laptop or smartphone or when somebody steals it from me? Is my data secured? Do I have my data backed up?
- Security and protection of an organization against attack or data theft. Is our corporate network adequately protected against cyber attacks? Are we sure that no one can break into it and steal our data? Are we sure that our employees cannot access any data or information that we don't want them to?
- Security and protection of centrally stored data after a breakdown. Are we protected against accidents that destroy our servers or other information storage, such as fire, flood or disk failure? Are we able to recover our data?
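The first two areas above (classifying data and knowing who can access what) are usually answered by writing the policy down in a form that can be checked mechanically. The following Python example is added here to illustrate that; it is not code from the original article. It assumes a simple model in which every data set carries a classification label, every person holds a role and a clearance, and access is allowed only when the clearance covers the label and the role has a stated need to know. It then compares the grants actually present in a system against that policy, which is the "do I know who can access what" review that Authorization Management performs. All names, roles and records are constructed for the example.

```python
"""Access review against a written classification policy (added example, not
from the original article). The model, the rule and all sample records below
are constructed assumptions made for illustration."""

from dataclasses import dataclass

# Ordered classification levels: a higher index means more sensitive data.
LEVELS = ["public", "internal", "confidential"]


@dataclass(frozen=True)
class Person:
    name: str
    role: str
    clearance: str          # one of LEVELS


@dataclass(frozen=True)
class DataSet:
    name: str
    classification: str     # one of LEVELS
    need_to_know: frozenset  # roles whose work requires this data


def level(label: str) -> int:
    """Map a classification label to its rank; reject labels not in the policy."""
    if label not in LEVELS:
        raise ValueError(f"unknown classification: {label!r}")
    return LEVELS.index(label)


def can_access(person: Person, data: DataSet) -> bool:
    """Policy rule: clearance must cover the label; non-public data also
    requires the person's role to be on the data set's need-to-know list."""
    if level(person.clearance) < level(data.classification):
        return False
    if data.classification == "public":
        return True
    return person.role in data.need_to_know


def access_matrix(people, datasets):
    """Answer 'who can access what': {data set name: sorted person names}."""
    return {d.name: sorted(p.name for p in people if can_access(p, d))
            for d in datasets}


def review_grants(current_grants, people, datasets):
    """Compare grants exported from a real system with the policy.
    Returns (excess, missing): grants that violate policy and should be
    revoked, and policy-approved grants that are not actually configured."""
    policy = {(p.name, d.name) for p in people for d in datasets if can_access(p, d)}
    actual = set(current_grants)
    return sorted(actual - policy), sorted(policy - actual)


# Constructed sample organization (hypothetical names and roles).
PEOPLE = [
    Person("alice", "finance", "confidential"),
    Person("bob", "marketing", "internal"),
    Person("carol", "contractor", "public"),
]
DATASETS = [
    DataSet("press-kit", "public", frozenset()),
    DataSet("staff-directory", "internal", frozenset({"finance", "marketing"})),
    DataSet("payroll", "confidential", frozenset({"finance"})),
]
# Constructed export of what the file server currently grants.
CURRENT_GRANTS = [
    ("alice", "payroll"), ("alice", "press-kit"), ("bob", "payroll"),
    ("carol", "press-kit"), ("bob", "staff-directory"),
]

if __name__ == "__main__":
    for name, who in access_matrix(PEOPLE, DATASETS).items():
        print(f"{name}: {', '.join(who)}")
    excess, missing = review_grants(CURRENT_GRANTS, PEOPLE, DATASETS)
    print("grants violating policy (revoke):", excess)
    print("approved grants not configured:", missing)
```

Running the module lists, for each data set, who the policy allows in, and then reports that bob's grant on payroll exceeds his clearance while two approved grants are not configured. The point of keeping the rule in one function is that the review is repeatable: re-run it whenever roles, clearances or exported grants change, which is exactly the "consistent, repetitive" activity the section describes.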
In large and medium-sized organizations, the responsibility for information security is assumed by a Security Manager (CSO - Chief Security Officer). Naturally, the greatest responsibility is borne by the company owner, the Statutory Body and the top management, who usually handle the most sensitive information. In many larger organizations there is a post of information security manager (CISO), who is focused exclusively on information security and IT security.