What is information security?
Information security, often shortened to infosec, is the practice, policies and principles to protect digital data and other kinds of information. infosec responsibilities include establishing a set of business processes that will protect information assets, regardless of how that information is formatted or whether it is in transit, is being processed or is at rest in storage.
Generally, an organization applies information security to guard digital information as part of an overall cybersecurity program. infosec's three primary principles, called the CIA triad, are confidentiality, integrity and availability.
In short, infosec is how you make sure your employees can get the data they need, while keeping anyone else from accessing it. It can also be associated with risk management and legal regulations.
Principles of information security
The CIA triad
The overall goal of infosec is to let the good guys in, while keeping the bad guys out. The three primary tenants to support this are confidentiality, integrity and availability. This is called the CIA triad, or the three pillars or principles of information security.
Confidentiality is the principle that information should only be available to those with the proper authorization to that data. Integrity is the principle that information is consistent, accurate and trustworthy. Availability is the principle that information is easily accessible by those with proper authorization and will remain so in case of failure to minimize interruptions to users.
These three principles do not exist in isolation, but they inform and affect one another. Therefore, any infosec system will involve a balance of these factors. As an extreme example, information only available as a written sheet of paper stored in a vault is confidential but not easily available. Information carved into stone displayed in the lobby has a lot of integrity but is not confidential or available.
For an in-depth discussion, please see: confidentiality, integrity and availability (CIA triad).
Other infosec principles
While the CIA triad forms the basis of infosec policy and decision-making, other factors should be included in a complete infosec plan.
Because infosec involves a balance of competing factors, it is associated with risk management. The goal here is to maximize positive outcomes, while minimizing negative ones. Organizations uses risk management principles to determine the level of risk they are willing to take on when implementing a system. They can also put into place guards and mitigations to reduce risk.
Data classification should also be taken into account with infosec to give extra attention to information that needs to remain either highly confidential or data that needs to remain highly available.
Information security is not limited to digital data and computer systems. A full infosec policy will also cover physical information, printed information and other kinds of media. It may also include confidentiality agreements.
Businesses should also employ user training to protect data, as well as both computer controls and organizational policy as risk mitigation factors. For example, to limit the risk of an accounting analyst changing financial data, an organization can put in place a technical control limiting change rights and logging changes. Alternatively, an organizational policy of having a second person audit completed records can mitigate this risk as well.
Another important infosec factor is nonrepudiation, which is the ability to prove that information hasn't been tampered with. No one should tamper with data at rest or in transit, its source should be trustworthy and it shouldn't be accidentally or maliciously modified.
Business continuity and disaster recovery (BCDR) are additional considerations of infosec. Data should remain available and unchanged in the case of a software or hardware failure. Organizations can accomplish this though backups or redundant systems.
Consider change management an infosec policy as well. Poorly managed changes may cause outages that affect the availability of a system. System changes may also affect the overall security of stored data.
Local laws and governmental regulations also inform infosec decisions. Regulatory bodies often regulate personally identifiable information (PII) depending on region. Regulations, such as the Health Insurance Portability and Accountability Act (HIPAA) for medical data, Payment Card Industry Data Security Standard (PCI DSS) for payment information or the European Union's (EU) General Data Protection Regulation (GDPR) legislation, for example, may require that some information be treated differently or have special controls in place.
Jobs in information security
Most roles working with computers involve an element of information security. Therefore, infosec jobs may vary in their titles between organizations and be cross-disciplinary or interdepartmental.
The information technology (IT) chief security officer (CSO) or chief information security officer (CISO), in collaboration with the chief information officer (CIO), is responsible for overall cybersecurity and infosec policy. A security engineer or security systems administrator (sys admin) may be responsible for implementing or evaluating infosec controls.
An information security analyst or IT security consultant may be responsible for making risk evaluations, evaluating effectiveness of controls or analyzing a failure and its impact.
Learn more about the types of infosec jobs that are available.
Information security certifications
A number of certifications are available to IT professionals who already -- or would like to -- focus on infosec and cybersecurity more broadly, including the following:
- CompTIA Security+. This certification covers core cybersecurity knowledge and is used to qualify for entry level IT and infosec roles.
- Certified Information Systems Auditor (CISA). ISACA, a nonprofit and independent association that advocates for professionals involved in information security, assurance, risk management and governance, offers this certification. The exam certifies the knowledge and skills of security professionals. To qualify for this certification, candidates must have five years of professional work experience related to information systems auditing, control or security.
- Certified Information Security Manager (CISM). CISM is an advanced certification offered by ISACA that validates individuals who have demonstrated the in-depth knowledge and experience required to develop and manage enterprise information security programs. ISACA aims this certification at information security managers, aspiring managers or IT consultants who support information security program management.
- GIAC Security Essentials (GSEC). Created and administered by the Global Information Assurance Certification (GIAC) organization, this certification is geared toward security professionals who want to demonstrate they are qualified for hands-on roles with respect to security tasks related to IT systems. The exam requires candidates demonstrate an understanding of information security beyond simple terminology and concepts.
- Certified Information Systems Security Professional (CISSP). CISSP is an advanced certification offered by (ISC)², an international nonprofit cybersecurity certification body. For experienced cybersecurity professionals, the exam covers the ability to design and implement an infosec program.