Information security is the practice of protecting information by mitigating

information risks. It involves the protection of information systems and the

information processed, stored and transmitted by these systems from
unauthorized access, use, disclosure, disruption, modification or destruction.
This includes the protection of personal information, financial information, and
sensitive or confidential information stored in both digital and physical forms.
Effective information security requires a comprehensive and multi-disciplinary
approach, involving people, processes, and technology.
Information Security is not only about securing information from unauthorized
access. Information Security is basically the practice of preventing
unauthorized access, use, disclosure, disruption, modification, inspection,
recording or destruction of information. Information can be a physical or
electronic one. Information can be anything like Your details or we can say
your profile on social media, your data on mobile phone, your biometrics etc.
Thus Information Security spans so many research areas like Cryptography,
Mobile Computing, Cyber Forensics, Online Social Media, etc.
During First World War, Multi-tier Classification System was developed
keeping in mind the sensitivity of the information. With the beginning of
Second World War, formal alignment of the Classification System was done.
Alan Turing was the one who successfully decrypted Enigma Machine which
was used by Germans to encrypt warfare data.
Effective information security requires a comprehensive approach that
considers all aspects of the information environment, including technology,
policies and procedures, and people. It also requires ongoing monitoring,
assessment, and adaptation to address emerging threats and vulnerabilities.
Why we use Information Security?
We use information security to protect valuable information assets from a wide
range of threats, including theft, espionage, and cybercrime. Information
security is necessary to ensure the confidentiality, integrity, and availability of
information, whether it is stored digitally or in other forms such as paper
documents. Here are some key reasons why information security is important:
1. Protecting sensitive information: Information security helps protect
sensitive information from being accessed, disclosed, or modified by
unauthorized individuals. This includes personal information, financial data,
and trade secrets, as well as confidential government and military
information.
2. Mitigating risk: By implementing information security measures,
organizations can mitigate the risks associated with cyber threats and other
security incidents. This includes minimizing the risk of data breaches,
denial-of-service attacks, and other malicious activities.
3. Compliance with regulations: Many industries and jurisdictions have
specific regulations governing the protection of sensitive information.
Information security measures help ensure compliance with these
regulations, reducing the risk of fines and legal liability.
4. Protecting reputation: Security breaches can damage an organization’s
reputation and lead to lost business. Effective information security can help
protect an organization’s reputation by minimizing the risk of security
incidents.
5. Ensuring business continuity: Information security helps ensure that critical
business functions can continue even in the event of a security incident.
This includes maintaining access to key systems and data, and minimizing
the impact of any disruptions.
Information Security programs are build around 3 objectives, commonly
known as CIA – Confidentiality, Integrity, Availability.

1. Confidentiality – means information is not disclosed to unauthorized

individuals, entities and process. For example if we say I have a password
for my Gmail account but someone saw while I was doing a login into
Gmail account. In that case my password has been compromised and
Confidentiality has been breached.
2. Integrity – means maintaining accuracy and completeness of data. This
means data cannot be edited in an unauthorized way. For example if an
employee leaves an organisation then in that case data for that employee
in all departments like accounts, should be updated to reflect status to JOB
LEFT so that data is complete and accurate and in addition to this only
authorized person should be allowed to edit employee data.
3. Availability – means information must be available when needed. For
example if one needs to access information of a particular employee to
check whether employee has outstanded the number of leaves, in that
case it requires collaboration from different organizational teams like
network operations, development operations, incident response and
policy/change management.
Denial of service attack is one of the factor that can hamper the availability
of information.
Apart from this there is one more principle that governs information security
programs. This is Non repudiation.

● Non repudiation – means one party cannot deny receiving a message or

a transaction nor can the other party deny sending a message or a
transaction. For example in cryptography it is sufficient to show that
message matches the digital signature signed with sender’s private key
and that sender could have a sent a message and nobody else could have
altered it in transit. Data Integrity and Authenticity are pre-requisites for
Non repudiation.

● Authenticity – means verifying that users are who they say they are and
that each input arriving at destination is from a trusted source.This principle
if followed guarantees the valid and genuine message received from a
 trusted source through a valid transmission. For example if take above
example sender sends the message along with digital signature which was
generated using the hash value of message and private key. Now at the
receiver side this digital signature is decrypted using the public key
generating a hash value and message is again hashed to generate the
hash value. If the 2 value matches then it is known as valid transmission
with the authentic or we say genuine message received at the recipient
side
● Accountability – means that it should be possible to trace actions of an
entity uniquely to that entity. For example as we discussed in Integrity
section Not every employee should be allowed to do changes in other
employees data. For this there is a separate department in an organization
that is responsible for making such changes and when they receive
request for a change then that letter must be signed by higher authority for
example Director of college and person that is allotted that change will be
able to do change after verifying his bio metrics, thus timestamp with the
user(doing changes) details get recorded. Thus we can say if a change
goes like this then it will be possible to trace the actions uniquely to an
entity.
advantages to implementing an information classification system in an
organization’s information security program:
1. Improved security: By identifying and classifying sensitive information,
organizations can better protect their most critical assets from unauthorized
access or disclosure.
2. Compliance: Many regulatory and industry standards, such as HIPAA and
PCI-DSS, require organizations to implement information classification and
data protection measures.
3. Improved efficiency: By clearly identifying and labeling information,
employees can quickly and easily determine the appropriate handling and
access requirements for different types of data.
4. Better risk management: By understanding the potential impact of a data
breach or unauthorized disclosure, organizations can prioritize resources
and develop more effective incident response plans.
5. Cost savings: By implementing appropriate security controls for different
types of information, organizations can avoid unnecessary spending on
security measures that may not be needed for less sensitive data.
6. Improved incident response: By having a clear understanding of the
criticality of specific data, organizations can respond to security incidents in
a more effective and efficient manner.
There are some potential disadvantages to implementing an information
classification system in an organization’s information security program:
1. Complexity: Developing and maintaining an information classification
system can be complex and time-consuming, especially for large
organizations with a diverse range of data types.
2. Cost: Implementing and maintaining an information classification system
can be costly, especially if it requires new hardware or software.
3. Resistance to change: Some employees may resist the implementation of
an information classification system, especially if it requires them to change
their usual work habits.
4. Inaccurate classification: Information classification is often done by
human, so it is possible that some information may be misclassified, which
can lead to inadequate protection or unnecessary restrictions on access.
5. Lack of flexibility: Information classification systems can be rigid and
inflexible, making it difficult to adapt to changing business needs or new
types of data.
6. False sense of security: Implementing an information classification
system may give organizations a false sense of security, leading them to
overlook other important security controls and best practices.
7. Maintenance: Information classification should be reviewed and updated
frequently, if not it can become outdated and ineffective.
Uses of Information Security :
Information security has many uses, including:
1. Confidentiality: Keeping sensitive information confidential and protected
from unauthorized access.
2. Integrity: Maintaining the accuracy and consistency of data, even in the
presence of malicious attacks.
3. Availability: Ensuring that authorized users have access to the information
they need, when they need it.
4. Compliance: Meeting regulatory and legal requirements, such as those
related to data privacy and protection.
5. Risk management: Identifying and mitigating potential security threats to
prevent harm to the organization.
6. Disaster recovery: Developing and implementing a plan to quickly recover
from data loss or system failures.
7. Authentication: Verifying the identity of users accessing information
systems.
8. Encryption: Protecting sensitive information from unauthorized access by
encoding it into a secure format.
9. Network security: Protecting computer networks from unauthorized
access, theft, and other types of attacks.
10. Physical security: Protecting information systems and the information
they store from theft, damage, or destruction by securing the physical
facilities that house these systems.
Issues of Information Security :
Information security faces many challenges and issues, including:
1. Cyber threats: The increasing sophistication of cyber attacks, including
malware, phishing, and ransomware, makes it difficult to protect
information systems and the information they store.
2. Human error: People can inadvertently put information at risk through
actions such as losing laptops or smartphones, clicking on malicious links,
or using weak passwords.
3. Insider threats: Employees with access to sensitive information can pose
a risk if they intentionally or unintentionally cause harm to the organization.
4. Legacy systems: Older information systems may not have the security
features of newer systems, making them more vulnerable to attack.
5. Complexity: The increasing complexity of information systems and the
information they store makes it difficult to secure them effectively.
6. Mobile and IoT devices: The growing number of mobile devices and
internet of things (IoT) devices creates new security challenges as they can
be easily lost or stolen, and may have weak security controls.
7. Integration with third-party systems: Integrating information systems
with third-party systems can introduce new security risks, as the third-party
systems may have security vulnerabilities.
8. Data privacy: Protecting personal and sensitive information from
unauthorized access, use, or disclosure is becoming increasingly important
as data privacy regulations become more strict.
9. Globalization: The increasing globalization of business makes it more
difficult to secure information, as data may be stored, processed, and
transmitted across multiple countries with different security requirements.