What is Information Security?
Introduction:
Information security is the practice of protecting information by mitigating information risks. It involves the
protection of information systems and the information processed, stored and transmitted by these systems
from unauthorized access, use, disclosure, disruption, modification or destruction. This includes the
protection of personal information, financial information, and sensitive or confidential information stored in
both digital and physical forms. Effective information security requires a comprehensive and multi-
disciplinary approach, involving people, processes, and technology.
Information security is not only about protecting information from unauthorized access. It is the practice of preventing unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of information, whether that information is physical or electronic. Information can be almost anything: your personal details, your profile on social media, the data on your mobile phone, your biometrics, and so on. Information security therefore spans many research areas, such as cryptography, mobile computing, cyber forensics and online social media.
Information security programs are built around three objectives, commonly known as the CIA triad: Confidentiality, Integrity and Availability.
1. Confidentiality – means information is not disclosed to unauthorized individuals, entities or processes. For example, I have a password for my Gmail account, but someone watched me type it while I was logging in. In that case my password has been compromised and confidentiality has been breached.
2. Integrity – means maintaining the accuracy and completeness of data, so that data cannot be edited in an unauthorized way. For example, if an employee leaves an organisation, that employee's records in every department, such as accounts, should be updated to the status JOB LEFT so that the data stays complete and accurate. In addition, only authorized persons should be allowed to edit employee data.
3. Availability – means information must be available when needed. For example, if someone needs to access a particular employee's record to check whether that employee has exceeded their allotted number of leaves, keeping that information available requires collaboration between different organizational teams such as network operations, development operations, incident response and policy/change management. A denial-of-service attack is one of the factors that can hamper the availability of information.
Apart from these, one more principle governs information security programs: non-repudiation.
Non-repudiation – means one party cannot deny receiving a message or a transaction, nor can the other party deny sending a message or a transaction. For example, in cryptography it is sufficient to show that the message matches the digital signature made with the sender's private key: only that sender could have sent the message, and nobody else could have altered it in transit without the signature check failing. Data integrity and authenticity are prerequisites for non-repudiation.
Authenticity – means verifying that users are who they say they are and that each input arriving at the destination is from a trusted source. If this principle is followed, it guarantees that a valid and genuine message has been received from a trusted source through a valid transmission. To continue the example above, the sender sends the message along with a digital signature that was generated from the hash value of the message and the sender's private key. At the receiver's side the digital signature is decrypted with the sender's public key, which recovers the hash value that was signed, and the received message is hashed again to produce a second hash value. If the two values match, the transmission is valid and the message received at the recipient's side is authentic, or as we say, genuine.
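The sign-then-verify flow behind both non-repudiation and authenticity, as an added example that is not part of the original article. It uses Go's standard-library Ed25519 implementation; the sender type, the names alice and mallory, and the leave-request message are assumptions constructed for the demonstration. Hashing with SHA-256 before signing mirrors the "hash, then sign" description above (Ed25519 would normally sign the full message directly). The receiver re-hashes what it received and checks the signature against the claimed sender's public key: a match shows the message is intact and came from the private-key holder; a message altered in transit, or a signature made with someone else's key, fails the check.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Sender holds a key pair (hypothetical type for this demo). Only the sender
// knows Private; anyone may hold Public and use it to verify.
type Sender struct {
	Public  ed25519.PublicKey
	Private ed25519.PrivateKey
}

// NewSender generates a fresh Ed25519 key pair.
func NewSender() (*Sender, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Sender{Public: pub, Private: priv}, nil
}

// digest hashes the message, making the "hash the message, then sign the hash"
// step explicit. Ed25519 itself also hashes internally; signing a digest here is
// only to keep the two steps described above visible.
func digest(msg []byte) []byte {
	h := sha256.Sum256(msg)
	return h[:]
}

// Sign produces the digital signature with the sender's private key.
func (s *Sender) Sign(msg []byte) []byte {
	return ed25519.Sign(s.Private, digest(msg))
}

// VerifyMessage is the receiver's side: re-hash the received message and check
// the signature against the claimed sender's public key. True means the message
// is authentic (from the key holder) and intact (not altered in transit).
func VerifyMessage(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, digest(msg), sig)
}

func main() {
	alice, err := NewSender()
	if err != nil {
		panic(err)
	}
	msg := []byte("Approve leave request #17 for employee 1042") // constructed sample
	sig := alice.Sign(msg)

	fmt.Println("original message verifies:     ", VerifyMessage(alice.Public, msg, sig))

	// Modification in transit: the re-hashed message no longer matches the signature.
	tampered := []byte("Approve leave request #17 for employee 1043")
	fmt.Println("tampered message verifies:     ", VerifyMessage(alice.Public, tampered, sig))

	// Wrong key: a signature made with another private key is rejected by Alice's public key,
	// which is why Alice cannot later deny having signed a message that does verify.
	mallory, _ := NewSender()
	fmt.Println("other key's signature verifies:", VerifyMessage(alice.Public, msg, mallory.Sign(msg)))
}
```

Run with `go run` to see the three verification results; the first is true and the other two are false.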
Accountability – means that it should be possible to trace the actions of an entity uniquely to that entity. For example, as discussed in the Integrity section, not every employee should be allowed to make changes to other employees' data. Instead, a separate department in the organization is responsible for making such changes. When it receives a request for a change, the request letter must be signed by a higher authority, for example the Director of the college, and the person assigned that change can carry it out only after verifying their biometrics, so a timestamp and the details of the user making the change are recorded. If a change proceeds like this, it is possible to trace the actions uniquely to an entity.
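An accountability trail only works if the trail itself cannot be quietly edited. The following is an added example, not code from the original article: a hash-chained, append-only audit log in Go in which each entry records the timestamp, the actor who made the change, the approving authority and the record affected, and links to the previous entry's hash. The AuditLog type, the actor names and the employee identifiers are constructed for the demonstration, and the Approver field stands in for the signed request from the higher authority (a real system would store and verify a signature). WhoChanged traces changes to a record back to the responsible actors; Verify detects any entry altered after the fact, which the Overwrite helper simulates.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// AuditEntry is one recorded change (hypothetical structure for this demo).
type AuditEntry struct {
	Seq       int
	Timestamp time.Time
	Actor     string // user who made the change, identified at login
	Approver  string // authority who authorised it (stand-in for a signed request)
	Record    string // employee record affected
	Change    string // what was changed
	PrevHash  string // hash of the previous entry ("" for the first)
	Hash      string // hash over all fields above
}

// AuditLog is an append-only, hash-chained list of entries: altering or removing
// an earlier entry breaks the chain, so the trail stays trustworthy.
type AuditLog struct {
	entries []AuditEntry
}

// compute hashes every field of the entry, including the link to its predecessor.
func (e AuditEntry) compute() string {
	h := sha256.New()
	fmt.Fprintf(h, "%d|%s|%s|%s|%s|%s|%s",
		e.Seq, e.Timestamp.UTC().Format(time.RFC3339Nano),
		e.Actor, e.Approver, e.Record, e.Change, e.PrevHash)
	return hex.EncodeToString(h.Sum(nil))
}

// Append records a change made by actor, authorised by approver, at time now.
func (l *AuditLog) Append(now time.Time, actor, approver, record, change string) AuditEntry {
	prev := ""
	if n := len(l.entries); n > 0 {
		prev = l.entries[n-1].Hash
	}
	e := AuditEntry{Seq: len(l.entries), Timestamp: now, Actor: actor,
		Approver: approver, Record: record, Change: change, PrevHash: prev}
	e.Hash = e.compute()
	l.entries = append(l.entries, e)
	return e
}

// Verify walks the chain and returns the index of the first entry whose hash or
// link is inconsistent, or -1 if the whole trail is intact.
func (l *AuditLog) Verify() int {
	prev := ""
	for i, e := range l.entries {
		if e.PrevHash != prev || e.compute() != e.Hash {
			return i
		}
		prev = e.Hash
	}
	return -1
}

// WhoChanged traces every change to a record back to the actor who made it, in order.
func (l *AuditLog) WhoChanged(record string) []string {
	var actors []string
	for _, e := range l.entries {
		if e.Record == record {
			actors = append(actors, e.Actor)
		}
	}
	return actors
}

// Overwrite simulates someone editing a stored entry behind the system's back;
// it exists only to show that Verify detects the change.
func (l *AuditLog) Overwrite(i int, change string) {
	l.entries[i].Change = change
}

func main() {
	var trail AuditLog
	t0 := time.Date(2024, 1, 15, 9, 30, 0, 0, time.UTC) // constructed timestamps
	trail.Append(t0, "hr.clerk", "director", "emp-1042", "status -> JOB LEFT")
	trail.Append(t0.Add(2*time.Minute), "payroll.admin", "director", "emp-1042", "final settlement posted")
	fmt.Println("first inconsistent entry (−1 = intact):", trail.Verify())
	fmt.Println("who changed emp-1042:", trail.WhoChanged("emp-1042"))
	trail.Overwrite(0, "status -> ACTIVE")
	fmt.Println("after tampering, first inconsistent entry:", trail.Verify())
}
```

The chain makes the trail tamper-evident, not tamper-proof: whoever can rewrite every later hash can still forge it, which is why production audit logs are additionally written to a separate system the change-makers cannot alter.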
There are several advantages to implementing an information classification system in an organization’s information security program:
1. Improved security: By identifying and classifying sensitive information, organizations can better
protect their most critical assets from unauthorized access or disclosure.
2. Compliance: Many regulatory and industry standards, such as HIPAA and PCI-DSS, require
organizations to implement information classification and data protection measures.
3. Improved efficiency: By clearly identifying and labeling information, employees can quickly and easily
determine the appropriate handling and access requirements for different types of data.
4. Better risk management: By understanding the potential impact of a data breach or unauthorized
disclosure, organizations can prioritize resources and develop more effective incident response plans.
5. Cost savings: By implementing appropriate security controls for different types of information,
organizations can avoid unnecessary spending on security measures that may not be needed for less
sensitive data.
Uses of Information Security:
Information security has many uses, including:
1. Confidentiality: Keeping sensitive information confidential and protected from unauthorized access.
2. Integrity: Maintaining the accuracy and consistency of data, even in the presence of malicious attacks.
3. Availability: Ensuring that authorized users have access to the information they need, when they need it.
4. Compliance: Meeting regulatory and legal requirements, such as those related to data privacy and
protection.
5. Risk management: Identifying and mitigating potential security threats to prevent harm to the
organization.
6. Disaster recovery: Developing and implementing a plan to quickly recover from data loss or system
failures.
Issues of Information Security:
Information security faces many challenges and issues, including:
1. Cyber threats: The increasing sophistication of cyber attacks, including malware, phishing, and
ransomware, makes it difficult to protect information systems and the information they store.
2. Human error: People can inadvertently put information at risk through actions such as losing laptops or
smartphones, clicking on malicious links, or using weak passwords.
3. Insider threats: Employees with access to sensitive information can pose a risk if they intentionally or
unintentionally cause harm to the organization.
4. Legacy systems: Older information systems may not have the security features of newer systems,
making them more vulnerable to attack.
5. Complexity: The increasing complexity of information systems and the information they store makes it
difficult to secure them effectively.