Quadrant360 consulting

What is Information Security?

Information security refers to the protection, or the act of safeguarding, of information. It most commonly concerns the information systems that use, store and transmit that information.

So, who or what do they protect it from?

Unauthorized access, disclosures, alterations and destructions.

Why?

Information is the most critical asset in businesses and organisations. If sensitive information falls into the wrong hands, then the respective organization may suffer huge losses in terms of finances, brand reputation, customers, etc.

We can use examples such as the SingHealth data breach, which occurred in Singapore in 2018.

A total of 1.5 million SingHealth patients’ non-medical personal data were stolen (inclusive of Singapore’s prime minister Lee Hsien Loong), while 160,000 of those had their dispensed medicines’ records taken too, according to MCI and MOH.

To answer to the various stakeholders and the public, Health Minister Gan Kim Yong apologised to patients affected. Calling the attack “unprecedented”, Mr Gan said: “I’m deeply sorry that this has happened … We must learn from this and emerge stronger and more resilient from this incident.”

These are unwanted costs incurred by the organisation.

You may read more at: https://www.channelnewsasia.com/news/singapore/singhealth-health-system-hit-serious-cyberattack-pm-lee-target-10548318

Hence, securing information is of the highest priority.

Elements of Information Security

The commonly believed elements are:

  1. Confidentiality
  2. Integrity
  3. Availability

However, I believe information security is a state of well-being of information and infrastructure in which the possibility of theft, tampering and disruption of information and services is kept at a low or tolerable level of risk.

For that reason, we should look at these five elements rather than only the CIA triad mentioned above:

  1. Confidentiality: The assurance that information is accessible only to those authorized to have access.
  2. Integrity: The trustworthiness of data or resources in the prevention of improper and unauthorized changes – the assurance that information is sufficiently accurate for its purpose.
  3. Availability: Assures that the systems responsible for delivering, storing and processing information are accessible when required by the authorized users.
  4. Authenticity: The characteristic of a communication, document or any data that ensures the quality of being genuine.
  5. Non-Repudiation: Guarantees that the sender of a message cannot deny having sent it, and that the receiver of the message cannot deny having received it.
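The following Python snippet is an added illustration, not part of the original article, of how integrity, authenticity and non-repudiation are typically distinguished in practice. A plain hash detects accidental corruption but an attacker who can change the message can simply recompute it; an HMAC with a shared secret adds authenticity, but because both parties hold the key, the receiver could have produced the tag too, so it gives no non-repudiation; a digital signature, which only the holder of the private key can create, does. The RSA parameters (p=61, q=53) are deliberately tiny textbook values chosen so the arithmetic is visible; the sample message and all function names are constructed for this example and the signature scheme has no padding, so it is for teaching only.

```python
"""Added example (not the article's own code): integrity vs authenticity
vs non-repudiation with Python's standard library only."""
import hashlib
import hmac
import secrets

# --- Integrity only: an unkeyed hash catches accidental corruption ---
def digest(message: bytes) -> str:
    return hashlib.sha256(message).hexdigest()

# --- Authenticity + integrity: HMAC with a key shared by both parties ---
def mac_tag(key: bytes, message: bytes) -> str:
    return hmac.new(key, message, hashlib.sha256).hexdigest()

def mac_verify(key: bytes, message: bytes, tag: str) -> bool:
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(mac_tag(key, message), tag)

# --- Non-repudiation: textbook RSA signature with TOY parameters ---
# p=61, q=53 -> n=3233, phi=3120, e=17, d=2753 (17*2753 = 1 mod 3120).
# Educational only: real deployments use 2048-bit keys and padding.
TOY_N, TOY_E, TOY_D = 3233, 17, 2753

def _hash_to_int(message: bytes, n: int) -> int:
    # Reduce the SHA-256 digest so it fits below the toy modulus.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message: bytes, d: int = TOY_D, n: int = TOY_N) -> int:
    # Only the holder of the private exponent d can compute this.
    return pow(_hash_to_int(message, n), d, n)

def verify_signature(message: bytes, signature: int,
                     e: int = TOY_E, n: int = TOY_N) -> bool:
    # Anyone with the public exponent e can check it.
    return pow(signature, e, n) == _hash_to_int(message, n)

def demonstrate() -> dict:
    """Run the three mechanisms over a constructed message and a
    tampered copy, returning which checks pass and which fail."""
    shared_key = secrets.token_bytes(32)
    attacker_key = secrets.token_bytes(32)      # attacker lacks shared_key
    original = b"Dispense 20mg of drug X to patient 12345"   # constructed
    tampered = b"Dispense 200mg of drug X to patient 12345"  # constructed

    tag = mac_tag(shared_key, original)
    sig = sign(original)
    return {
        # A hash changes with the data, but an attacker who rewrites the
        # message can just recompute it, so this alone is not authenticity.
        "hash_differs_after_tamper": digest(original) != digest(tampered),
        "hash_trivially_recomputed": digest(tampered) == digest(tampered),
        # HMAC: accepted for the genuine message, rejected if altered or
        # if produced with a key the sender never shared.
        "mac_accepts_original": mac_verify(shared_key, original, tag),
        "mac_rejects_tampered": mac_verify(shared_key, tampered, tag),
        "mac_rejects_foreign_key": mac_verify(
            shared_key, original, mac_tag(attacker_key, original)),
        # The receiver holds the same key, so it can mint a valid tag for
        # any message: a MAC cannot prove who sent it to a third party.
        "receiver_can_forge_mac": mac_verify(
            shared_key, tampered, mac_tag(shared_key, tampered)),
        # Signature: verifies for the genuine message, fails if altered;
        # only the private-key holder could have produced it.
        "sig_accepts_original": verify_signature(original, sig),
        "sig_rejects_tampered": verify_signature(tampered, sig),
    }

if __name__ == "__main__":
    for check, result in demonstrate().items():
        print(f"{check:28s} {result}")
```

The dictionary returned by `demonstrate()` shows the progression: `mac_rejects_tampered` and `mac_rejects_foreign_key` are `False` (the forgery is caught), but `receiver_can_forge_mac` is `True`, which is exactly why a shared-key MAC satisfies authenticity between the two parties yet not non-repudiation towards anyone else; the signature checks fill that gap.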

What happens if one has too much security?

As technology evolves, system designers often overlook vulnerabilities during the intended deployment of a system. However, adding more security mechanisms requires allocating more resources and increases the routine workload of system administrators: extra time is needed to check log files, detect vulnerabilities and apply security patches.

So what can businesses do?

This is an existing problem for which there is no optimal solution yet.

InfoWorld has come up with approaches that companies presently take.

In some organizations, there’s a battle between the CIO and CSO. For example, in a BYOD environment, the CIO would probably tout the benefits of user satisfaction, increased productivity, and reduced TCO, whereas the CSO would seek to stringently control the devices or avoid BYOD completely. Such issues make for healthy dialog to determine the right balance in each organization, but if the CIO-CSO relationship is about battling, it’s usually a lose/lose situation — for them, the company, and the users.

A layered approach is often best when dealing with security, so you can’t get rid of all obstacles to access. But you must make sure your security reduces the burden on users to the minimum required to get the security you truly need.

Information Security Laws and Standards

Laws function as a system of rules and guidelines enforced by a particular country or community to govern behaviour. A standard is referred to as a document established and approved by a recognized body that provides a set of rules, guidelines or characteristics for activities or their results, aimed at achieving the best degree of order in a given context.

Conclusion

At the core of information security is the act of maintaining the CIA of information, ensuring that information is not compromised in any way when critical issues arise, such as natural disasters, machine downtime, etc.

The field of information security has matured and evolved significantly over the years and offers a large variety of specialisations. Thus, organisations should also work on how to apply information security effectively and optimally.
