In the information age, information has without doubt become one of the most important assets of companies and organisations. A common belief among individuals is that their information is completely protected and free from any threat; this is a serious misconception that can put an entire company at risk. Information security has therefore become indispensable.
Infosec, short for Information Security, is the process of protecting information from unauthorised access, disclosure, disruption, deletion, corruption, modification, inspection, or recording. It involves formulating a set of tools, strategies and policies necessary to prevent, detect, document and counter threats to an organisation’s digital as well as non-digital information.
- Asset: Something that is of value to an individual or an organisation, whether it is information, property or personnel.
- Access control: Maintaining or controlling who has access to a service or resource.
- Authentication: Verifying that someone is who they claim to be.
- Two-factor authentication: Usage of two different factors to authenticate or identify a user, for example, possession of a credit card and also knowing the PIN.
- Vulnerability: A weakness in the system or an organisation that could be exploited by threats to gain unauthorised access to an asset.
- Threat: Something that can exploit a vulnerability, causing potential harm to the assets of an organisation.
- Risk: The potential for loss or damage due to the result of a threat exploiting a vulnerability.
Principles of Information Security – The CIA Triad
The fundamental principles of information security are Confidentiality, Integrity and Availability, also known as the CIA triad. These three elements are considered the tenets, or cornerstone, of information security, and the triad is a model designed to guide organisations in framing the policies and strategies that keep their data secure.
Confidentiality ensures that access to information is limited to authorised individuals, in order to prevent unauthorised disclosure. This is achieved by making sure that only individuals with proper authorisation can access the data. Authorisation determines which individual has the right or permission to view, access or modify a particular piece of information, ensuring that sensitive or secret information is secured at all times. Confidentiality is therefore an important element, as breaches of it often cause irreparable damage.
One way to maintain the confidentiality of data is through cryptography, which encrypts the data into unreadable ciphertext that can only be decrypted by an authorised individual possessing the key. Another example is an ATM, which requires two-factor authentication before allowing an individual to access the data: the first factor is the physical card and the second is the card's PIN code. The use of strong passwords is another way to maintain the confidentiality of data.
Integrity ensures that data is in its original form and has not been altered, modified or tampered with in any unauthorised manner. Its objective is to establish that the data is accurate, authentic and reliable, and can therefore be trusted. In other words, the message or data sent by the sender should reach the recipient without being modified or altered in transit.
Some of the measures that can be taken to maintain the integrity of data include encryption (since you cannot alter data you cannot access), hash algorithms (a different hash value indicates that the original data has been altered in some way), and the use of digital signatures and certificates. Integrity also goes hand in hand with another principle known as non-repudiation, which refers to the inability to deny something. For example, when a document carries the sender's digital signature, the sender cannot later deny that the message came from him/her.
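As an added illustration of the hash-based integrity check described above (example code written for this page, not part of the original article), the following Python compares a plain hash with a keyed HMAC. The message, the shared key and the in-transit modification are all constructed here, and the HMAC stands in for the digital-signature step: it shows why a bare hash sent beside the data is not enough on its own.

```python
import hashlib
import hmac

# Constructed sample message standing in for data in transit.
MESSAGE = b"Transfer 100.00 to account 12345"
# Constructed shared key for the keyed-hash (HMAC) variant. In practice it is
# provisioned out of band and never travels with the message.
SHARED_KEY = b"demo-key-do-not-use-in-production"


def digest(data: bytes) -> str:
    """Unkeyed SHA-256 fingerprint of the data (plain hash integrity check)."""
    return hashlib.sha256(data).hexdigest()


def hash_integrity_ok(data: bytes, expected_digest: str) -> bool:
    """True when the received data still matches the digest the sender computed."""
    return hmac.compare_digest(digest(data), expected_digest)


def mac(data: bytes, key: bytes) -> str:
    """Keyed tag (HMAC-SHA256): only holders of the key can produce or verify it."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def mac_integrity_ok(data: bytes, tag: str, key: bytes) -> bool:
    """True when the tag was produced over exactly this data with this key."""
    return hmac.compare_digest(mac(data, key), tag)


def tamper(data: bytes) -> bytes:
    """Simulate an unauthorised in-transit modification: change the amount."""
    return data.replace(b"100.00", b"900.00")


def demo() -> dict:
    sent_digest = digest(MESSAGE)
    sent_tag = mac(MESSAGE, SHARED_KEY)
    altered = tamper(MESSAGE)
    return {
        # A changed byte changes the hash, so the recipient notices the alteration.
        "hash_detects_change": not hash_integrity_ok(altered, sent_digest),
        # But whoever altered the data can recompute a plain hash, so the hash
        # itself must be protected (signed, or fetched from a trusted source).
        "hash_recomputed_by_modifier": hash_integrity_ok(altered, digest(altered)),
        "mac_detects_change": not mac_integrity_ok(altered, sent_tag, SHARED_KEY),
        # Without the key, a tag computed by the modifier does not verify.
        "mac_forgery_without_key_fails": not mac_integrity_ok(
            altered, mac(altered, b"wrong-key"), SHARED_KEY),
    }
```

A digital signature plays the same role as the HMAC tag but uses a private key only the sender holds, which is what makes non-repudiation possible.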
Availability ensures that resources and services are readily available to authorised users in a timely manner; after all, any resource is of little value if it is not available when authorised personnel require it. Availability can be maintained by ensuring that all systems are up and running, with regular software patching and up-to-date or upgraded hardware. Another way to maintain this principle is to have proper disaster recovery plans in place, such as proper backups of sensitive data and reliable secondary systems that can take over when the primary systems go down.
One of the most common factors that can put the availability of resources and services at risk is the well-known denial-of-service (DoS) attack, in which a system or application is flooded with traffic until the website or system crashes, making its resources and services inaccessible to their intended authorised users. Other factors include, but are not limited to, power failure, system failure, natural disasters and human error.