Cybersecurity
Module 1: Fundamentals of Information Security
Introduction to Information Security
Samer Aoudi

Learning Outcomes
Upon completing this module, learners will be able to:
  1. Explain information security and related concepts
  2. Discuss the need for information security
  3. Identify information security types
  4. Explain information security management including its processes
  5. Identify common cybersecurity frameworks
Learning Methods
Read | Visualize | Watch | Do
Information Security Overview

Information Security is defined as the "protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability" [1]. The security of information is essential for people, modern organizations, and governments, as sensitive data and systems are frequently targeted by cybercriminals, hackers, and other malicious actors.

The Personal Computer Revolution of the 1980s marked the rapid growth of the personal computer (PC) industry, and with it came an entirely new type of crime: computer crime. Meanwhile, the Advanced Research Projects Agency (ARPA) of the US Department of Defense established ARPANET, which evolved into the Internet. The proliferation of the internet and the World Wide Web in the 1990s played a significant role in the popularization of computers. The ability to access information and communicate globally via the internet made computers indispensable tools.

The explosive popularity of the Internet and its Information Superhighway, the WWW, propagated yet another type of crime, later dubbed cybercrime. To take it further, recent advancements in Artificial Intelligence (AI) are giving rise to, you guessed it, AI crime.

The Information Age

The partnership between Information and Technology brought about the Information Age, also known as the Digital Age; a period characterized by the rise of information as an invaluable resource and the rapid growth and widespread use of information and communication technologies (ICTs), particularly computers and the internet. This age represents a significant shift from the Industrial Age, which was characterized by manufacturing and physical labor, to an era where information and knowledge have become key drivers of economic, social, and cultural development.

Before computers, information was primarily recorded and managed manually. This included handwritten documents, ledgers, books, and physical files. While relatively safe, information was localized and often difficult to access unless it was physically stored in a specific location. Retrieving data was time-consuming, and the dissemination of information over long distances was slow, relying on postal services or physical delivery methods. Moreover, reproducing and sharing information was labor-intensive, typically requiring handwritten copies or printing using mechanical devices like the printing press.

The advent of computers enabled the conversion of information into digital formats. Data could now be stored, processed, and transmitted electronically. Computers revolutionized information storage and retrieval, making it faster and more efficient. Computers also automated many tasks related to information processing, such as data entry, calculations, and sorting. Moreover, computer networks allowed for remote access to information stored on computers, enabling collaboration and data sharing among users in different locations.

The internet took remote access to a whole new level by providing a global network that connected computers and people worldwide. Information could be accessed from virtually anywhere with an internet connection. Email and other online communication tools allowed for instant exchange of information, transcending geographical boundaries and time zones. Platforms like social media and wikis empowered individuals to create and share their own content, democratizing information production. The internet also transformed commerce and services, allowing for online shopping, banking, education, and entertainment. However, with the increased digitalization and sharing of personal information, concerns about privacy and cybersecurity became prominent issues.

In order to manage and truly leverage information effectively, we need information systems. An Information System (IS) is a collection of hardware, software, data, people, and procedures that work together to provide useful information to an organization. They are used in businesses, government agencies, educational institutions, healthcare organizations, and many other sectors. Organizations must protect all the components of an information system. The components are shown in the figure below:

Figure 1.1: IS Components
Why is information security important?

It is imperative that we stress the importance of information today. With the rapid advancements in technology, we are now able to collect, process, and disseminate more information than ever before. The volume of data being generated and shared is staggering and continues to grow at an unprecedented rate. This has led to the creation of a digital economy, where information is one of the most valuable resources available to individuals and organizations.

The rise of the internet, social media and cloud technology, mobile devices and the Internet of Things (IoT) has led to the creation of an interconnected digital landscape where information can be shared, stored and processed globally. This has led to the creation of new business models, new products, and new ways of working. However, with this great potential comes great responsibility. The information that we create and share has become a target for malicious actors who wish to exploit it for financial gain or to cause harm.

Information security has become a critical concern for both individuals and organizations. Not only do we have a responsibility to protect the sensitive data and systems that we rely on, but we also have a responsibility to protect the personal information of others. Therefore, understanding the principles of information security is essential for anyone in today's digital economy. Those who understand and can apply these principles will be better equipped to protect themselves, their organizations, and others from the various threats that exist in today's digital landscape.

Information security is important because it helps to protect the confidentiality, integrity, and availability (AKA the C.I.A Triad of Information) of sensitive data and systems. Confidentiality refers to the protection of sensitive information from being accessed or disclosed to unauthorized parties. Integrity refers to the protection of information from being modified or corrupted by unauthorized parties. Availability refers to the protection of information and systems from being disrupted or unavailable to authorized parties.

Figure 1.2: C.I.A Triad

In addition to the triad, other critical characteristics of information are relevant from a security viewpoint:

Accuracy: The quality or state of being free from mistake or error and having the value that the end user expects. If information contains a value different from the user’s expectations due to the intentional or unintentional modification of its content, it is no longer accurate.

Authenticity: The quality or state of being genuine or original, rather than a reproduction. Information is authentic when it is the information that was originally created, placed, stored, or transferred.

Utility: The quality or state of having value for some purpose or end. Information has value when it serves a particular purpose. This means that if information is available, but not in a format meaningful to the end user, it is not useful.

Possession: The quality or state of having ownership or control of some object or item. Information is said to be in the possession of someone if it is obtained, independent of format or other characteristics. While a breach of confidentiality always results in a breach of possession, a breach of possession does not always result in a breach of confidentiality.

Data, Information, and Knowledge

We will be using data, information, and knowledge interchangeably in this course, but they have distinct meanings and characteristics.

Data refers to raw facts, figures, and observations. It is the most basic form of information and is often unprocessed or unorganized. For example, a list of customer names and addresses is data. It can be useful, but it doesn't provide much context or meaning.

Information refers to data that has been processed and organized in a way that makes it meaningful and useful. It goes beyond simply describing what happened and provides context and explanations. For example, a report that summarizes customer demographics and buying habits using data on customer names and addresses is information.

Knowledge refers to the understanding and insight gained from information. It goes beyond simply understanding what happened and why, but also encompasses the ability to apply that understanding to make informed decisions and act. For example, a marketing strategy based on the insights and understanding of customer demographics and buying habits from the report on customer names and addresses is knowledge.

Talk the Talk (Important Security Terms)

Information Security. Computer Security. Cybersecurity. Digital Security. Which is it? While people often use these closely related terms interchangeably, it is important to be able to distinguish between them. If security is the state of being protected against threats, the noun before it becomes the object we are trying to protect. In this sense, Digital Security and Computer Security are somewhat limiting. It is more common to use Information Security and Cybersecurity.

Information security focuses on protecting information and information resources. It encompasses a wide range of measures and controls like access control, data encryption, incident response, and disaster recovery. The goal of information security is to protect the confidentiality, integrity, and availability of information and information systems.

Cybersecurity, on the other hand, is the practice of protecting networks, devices, and data from cyber-attacks. It focuses specifically on protecting against unauthorized access or damage to computer systems, mainly through the Internet. It includes technologies, processes, and controls that can be used to protect networks, devices, and data from cyber threats, such as hackers, malware, and other cyber-attacks. It encompasses a wide range of activities, including threat intelligence and penetration testing, to name a few.

Before moving on, several core security terms mentioned above must be defined:

Risk: Risk, in the context of information security, refers to the potential for harm or loss that can occur as a result of unauthorized access, use, disclosure, disruption, modification, or destruction of information or information systems. Risk management is the process of identifying, assessing, and managing these risks in order to minimize the impact of security incidents.

Threat: A threat refers to any potential or actual attack against information or information systems. Threats can come from a variety of sources, including hackers, malware, phishing scams, and other types of cyber-attacks.

Vulnerability: A vulnerability is a weakness that can lead to an undesirable event that compromises the system. Examples of vulnerabilities include a weak password, an unpatched application, poor or missing encryption, and so on.

Attack: An attack is an attempt at unauthorized access, use, disclosure, disruption, modification, or destruction of information or information systems. This could include hacking attempts, malware infections, phishing scams, or other types of cyber-attacks.

Exploit: An exploit refers to the use of a known vulnerability in a system, network or device to gain unauthorized access or disrupt the system's operations. This could include malware, scripts, or other tools that are used to take advantage of a vulnerability. Attackers can use exploits to gain access to sensitive information, disrupt services or take control of a system.

Table 1.1: Cybersecurity Terms

Types of information security

Securing the information of an organization can be a difficult task for many reasons. One factor is that the constantly changing technological environment makes it more difficult to protect against threats. New vulnerabilities and attack vectors are brought about by new technologies, such as the Internet of Things (IoT) and cloud computing. Along with making it harder to keep up with the threat landscape, these technologies also tend to expand the number of endpoints that need to be secured and the volume of data that needs to be protected.

Securing information can be a difficult task, as it is a multi-faceted and complex process that involves the integration of technical, administrative, and management controls and the participation of the entire organization. To illustrate this complexity, let us look at different types of information security:

  • Physical Security: Often considered the first layer of security, physical security involves protecting physical assets, including buildings, equipment, and data centers, from unauthorized access, theft, vandalism, and other forms of damage. It also involves a wide range of measures and controls, such as locks, cameras, alarm systems, security guards, and access control systems.
  • Personnel Security: A subset of information security that focuses on protecting the organization from security risks posed by its own employees, contractors, and other insiders. It includes a wide range of activities and policies, such as background checks, security clearance, security training, and termination procedures, that are designed to ensure that the organization's personnel are trustworthy and reliable.
  • Network Security: This type of security involves protecting a computer network and its associated devices and data from unauthorized access, use, disclosure, disruption, modification, or destruction. This can include measures such as firewalls, intrusion detection and prevention systems, virtual private networks (VPNs), and encryption. It also involves identifying and mitigating vulnerabilities in the network infrastructure and devices, as well as monitoring the network for signs of security breaches.
  • Application Security: Involves protecting applications and their data from external and internal threats. It also involves identifying and mitigating vulnerabilities in the application code and infrastructure, as well as testing and monitoring the application for security breaches. This can include measures such as input validation, authentication, access control, and encryption.
  • Endpoint Security: Involves protecting endpoints such as laptops, desktops, and mobile devices from external and internal threats. The goal of endpoint security is to ensure that each device can be used safely and securely by authorized users, and to prevent malicious actors from exploiting weaknesses in the device to gain unauthorized access to sensitive data or disrupt the operation of the device or the network.

Due to the rapid advancements in IT, new types of security are emerging, such as:

  • Cloud Security: Involves protecting data, applications, and infrastructure in a cloud computing environment from unauthorized access, use, disclosure, disruption, modification, or destruction. It also involves ensuring compliance with relevant regulations and industry standards.
  • Internet of Things (IoT) Security: Involves protecting IoT devices and their data from external and internal threats. The goal of IoT security is to ensure that IoT devices can be used safely and securely by authorized users and to prevent malicious actors from exploiting weaknesses in the devices or networks to gain unauthorized access to sensitive data or disrupt the operation of the devices.

Information security threats

The types and sophistication of threats are constantly changing. Cybercriminals are becoming more organized and motivated, and their techniques and tools are becoming more advanced. This means that organizations must constantly update and adapt their security controls to protect against the latest threats. Organizations face many types of information security risks, such as:

  • Data Breaches: A breach in general is unauthorized access. A physical breach, for instance, would involve unauthorized access to the server room. A data breach involves unauthorized access or disclosure of sensitive data.
  • Insider Threats: Some threats originate from within an organization, such as employees or contractors who abuse their access to sensitive data or systems.
  • Physical Threats: Such threats involve the physical destruction of assets, such as facilities, equipment, or data centers.
  • Malware: This includes viruses, worms, Trojans, ransomware, and other malicious software that can infect and compromise information systems.
  • Social Engineering: People are often considered the weakest link in security. Social engineering includes scams, fake emails, and websites that trick individuals into revealing sensitive information, such as login credentials, personal information, and financial details.
  • External Threats: Threat actors who are not part of the organization are considered external. External threats are hackers or attackers who attempt to exploit vulnerabilities to gain unauthorized access or make the system unavailable or slow. External threat actors may be motivated by financial gain or other malicious reasons. Such threats include system hacking and Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks. DoS and DDoS attacks aim to make a website or system unavailable by overwhelming it with traffic.
  • Advanced Persistent Threats (APTs): These are sophisticated cyber-attacks that are launched by well-funded and skilled attackers with a specific target in mind. They are often used to gain unauthorized access to sensitive information or steal sensitive data over a prolonged period.

The above is not a comprehensive list of threats to information security. In a rapidly evolving ICT domain, new technologies keep emerging (e.g., Artificial Intelligence, Blockchain, Quantum Computing, and 5G), and with them we can always expect new threats. It is important to note that not all threats are intentional. Human error is an unintentional threat but a threat nonetheless. Natural disasters which can disrupt the operations of entire data centers, for example, are also unintentional but serious threats.

Closing Notes

We now know what information security is and why it's crucial for both businesses and people. We discovered that firms need to concentrate on a variety of information security domains, which we dubbed information security types. We also discovered that different threats exist and that their complexity and severity are constantly changing. In summary, information security is a vital but challenging task for contemporary enterprises. The important question is, "What comes next?" The answer is that we must efficiently manage this crucial function. Hence, the need for Information Security Management (ISM).

References
[1] NIST InfoSec
Information Security Management

In a general business context, management is the process of planning, organizing, leading, and controlling the resources of an organization in order to achieve its goals and objectives. Organizations must effectively manage their core business functions (e.g., Operations, Marketing and sales, Accounting and finance, Human resources, and Information Technology). Modern businesses now recognize the need for information security, which can either be a subset of the IT function or, in large organizations, a separate function.

Information security management is a process that organizations use to protect sensitive information and systems from unauthorized access, use, disclosure, disruption, modification, or destruction. It is an essential aspect of modern organizations, as sensitive data and systems are frequently targeted by cybercriminals, hackers, and other malicious actors. This process includes four main steps: planning, implementing and maintaining controls, testing and evaluating controls, and managing incidents.

Figure 1.3: ISM Process
Planning for Information Security

"If you fail to plan, you are planning to fail." (Benjamin Franklin). The first step in information security management is to develop a plan that outlines the goals and objectives for information security, as well as the strategies and tactics that will be used to achieve those goals. This plan should be based on the organization's business needs, as well as the risks and vulnerabilities that the organization faces. The plan should also consider the resources that are available to the organization, including budget, personnel, and technology.

For example, a healthcare organization might have the following goals and objectives for their information security management plan:

  • Protect patient data from unauthorized access, use, and disclosure
  • Ensure the availability of patient data for authorized users
  • Maintain compliance with healthcare regulatory standards such as HIPAA
  • Minimize business disruption from security incidents

To achieve these goals and objectives, the healthcare organization might develop the following strategies and tactics:

  • Implementing encryption for data at rest and in transit
  • Implementing multi-factor authentication for accessing patient data
  • Conducting regular security awareness training for employees
  • Implementing firewalls and intrusion detection systems
  • Conducting regular vulnerability assessments and penetration testing

Implementing and Maintaining Information Security Controls

Once the information security plan has been developed, the next step is to implement the controls that have been identified as necessary to achieve the organization's information security goals. These controls may include technical measures such as firewalls and intrusion prevention systems, as well as non-technical measures such as employee training and awareness programs. It is important to regularly review and update these controls to ensure that they continue to meet the organization's needs and address emerging threats.

One example of implementing and maintaining information security controls is the use of firewalls. A firewall is a network security device that monitors incoming and outgoing network traffic and allows or denies access to specific network resources based on a set of security rules. Let us examine an example of how a firewall might be implemented and maintained in an organization:

  1. Implementation: The organization purchases and installs firewall hardware and software at key points in the network, such as at the border between the internal network and the Internet (DMZ, or Demilitarized Zone). The IT security team configures the firewall with a set of rules that determine what types of traffic are allowed or denied access to the network. For example, they may configure the firewall to only allow incoming traffic on the ports used for web browsing and email (e.g., ports 80 and 443 for the web), and block all other ports.
  2. Maintenance: The IT security team regularly monitors the firewall logs to ensure that the firewall is functioning properly and to detect any suspicious activity. They may use security monitoring software to analyze logs for signs of intrusion attempts or malware. They also regularly update the firewall's software and security rules to address new threats and vulnerabilities. They also review the rule sets to verify that the security policies of the organization are being enforced.
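The two steps above, modelled as an added example that is not part of the course page: a default-deny border rule set that admits only inbound web traffic on TCP 80 and 443, an audit that checks the rule set still matches the written policy, and a review of constructed firewall log lines for one source probing many blocked ports. The rule representation and the key=value log format are assumptions made for this example, not the syntax of any real firewall product.

```python
"""Added example: a small model of the firewall implementation and maintenance
steps. Rule format, log format and sample data are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "ALLOW" or "DENY"
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # destination port, None = any port
    comment: str


# Implementation step: allow inbound web traffic, deny everything else.
BORDER_POLICY = [
    Rule("ALLOW", "tcp", 80, "HTTP to the public web server"),
    Rule("ALLOW", "tcp", 443, "HTTPS to the public web server"),
    Rule("DENY", "any", None, "default deny: everything not explicitly allowed"),
]


def evaluate(rules, proto, dport):
    """First-match evaluation, as most packet filters do. Returns the action and
    comment of the matching rule; falls back to DENY when nothing matches, since a
    rule set without a final deny rule is itself a misconfiguration."""
    for rule in rules:
        if rule.proto not in ("any", proto):
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        return rule.action, rule.comment
    return "DENY", "implicit deny (no matching rule)"


def audit_policy(rules, allowed_ports):
    """Maintenance step: verify the rule set still enforces the written policy.
    Returns a list of findings; an empty list means the rule set is compliant."""
    findings = []
    if not rules or rules[-1].action != "DENY" or rules[-1].dport is not None:
        findings.append("rule set does not end with a default-deny rule")
    for r in rules:
        if r.action == "ALLOW" and r.dport is None:
            findings.append(f"allow-all rule found: {r.comment}")
        elif r.action == "ALLOW" and r.dport not in allowed_ports:
            findings.append(f"allowed port {r.dport} is not in the written policy")
    return findings


# Constructed sample log lines in an assumed key=value format (RFC 5737 test addresses).
SAMPLE_LOG = """\
ts=2024-05-01T10:00:01 action=ALLOW src=203.0.113.10 proto=tcp dport=443
ts=2024-05-01T10:00:02 action=DENY src=198.51.100.7 proto=tcp dport=22
ts=2024-05-01T10:00:02 action=DENY src=198.51.100.7 proto=tcp dport=23
ts=2024-05-01T10:00:03 action=DENY src=198.51.100.7 proto=tcp dport=3389
ts=2024-05-01T10:00:03 action=DENY src=198.51.100.7 proto=tcp dport=445
ts=2024-05-01T10:00:04 action=DENY src=198.51.100.7 proto=tcp dport=8080
ts=2024-05-01T10:00:05 action=ALLOW src=203.0.113.11 proto=tcp dport=80
ts=2024-05-01T10:00:06 action=DENY src=203.0.113.12 proto=udp dport=161
"""


def parse_log(text):
    """Turn each log line into a dict of its key=value fields."""
    records = []
    for line in text.splitlines():
        fields = dict(part.split("=", 1) for part in line.split())
        fields["dport"] = int(fields["dport"])
        records.append(fields)
    return records


def find_port_probes(records, min_ports=5):
    """Flag sources whose denied connections touch at least min_ports distinct
    ports: a crude but useful sign of scanning activity worth investigating."""
    denied_ports = defaultdict(set)
    for rec in records:
        if rec["action"] == "DENY":
            denied_ports[rec["src"]].add(rec["dport"])
    return {src: sorted(ports) for src, ports in denied_ports.items()
            if len(ports) >= min_ports}


if __name__ == "__main__":
    print(evaluate(BORDER_POLICY, "tcp", 443))   # allowed by the HTTPS rule
    print(evaluate(BORDER_POLICY, "tcp", 22))    # caught by the default deny
    print(audit_policy(BORDER_POLICY, {80, 443}))  # [] when policy is enforced
    print(find_port_probes(parse_log(SAMPLE_LOG)))
```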

Testing and Evaluating Information Security Controls

To ensure that the organization's information security controls are effective, it is important to regularly test and evaluate them. This can be done through methods such as penetration testing, vulnerability assessments, and security audits. Testing and evaluating information security controls can help to identify weaknesses and vulnerabilities that need to be addressed, as well as confirm that the controls are functioning as intended.

Let us see examples of testing:

  1. Vulnerability Scanning: The IT security team uses specialized software to scan the organization's network and systems for known vulnerabilities. These scans look for weaknesses in systems and applications, such as missing software patches or misconfigurations, that could be exploited by attackers.
  2. Penetration Testing: The IT security team also conducts regular internal or external penetration testing, in which they attempt to exploit vulnerabilities in the organization's systems and networks in a controlled manner. The goal of this testing is to identify any weaknesses or vulnerabilities that could be exploited by an attacker in a real-world scenario. The results of these tests are then analyzed to identify any high-risk vulnerabilities that need to be addressed.
  3. Security Audits: The IT security team conducts regular internal and external security audits to assess the overall security posture of the organization. This may include network security, application security, and compliance audits. The audits identify any vulnerabilities and compliance issues, and provide recommendations for improvement.
  4. Compliance Testing: The IT security team also tests that the organization's information security controls meet regulatory requirements, industry standards and best practices. This may include testing controls to verify compliance with regulations such as HIPAA, PCI-DSS, SOC 2 and ISO 27001.
  5. Incident Response Testing: The IT security team also conducts regular incident response drills where they practice identifying and responding to different types of security incidents, such as malware outbreaks, network intrusions and data breaches. This testing helps to identify areas where the incident response plan needs to be improved, and allows the team to refine their incident response procedures.
  6. Review and Analysis: After the testing and evaluating process, the IT security team will review and analyze the results of all the tests and evaluate the overall effectiveness of the organization's information security controls. This may include identifying any gaps in coverage or areas where controls need to be strengthened or improved. They will then develop and implement a plan to address any issues that were identified, and work to implement any recommended changes.

Managing Information Security Incidents

Despite the best efforts to prevent them, information security incidents can still occur. It is important for organizations to have a plan in place to respond to and manage these incidents effectively. This plan should include procedures for identifying and containing the incident, eradicating the root cause, recovering from the incident, and performing a post-incident review and analysis. Having a well-developed incident response plan can help to minimize the impact of incidents and prevent them from escalating.

For example:

  • Identification and Containment: The incident response plan should include procedures for identifying and containing an incident as quickly as possible. This might include shutting down compromised systems, disconnecting affected devices from the network, or isolating affected areas of the network.
  • Eradication: The incident response plan should also include procedures for eradicating the root cause of the incident. This might include removing malware from affected systems, patching vulnerabilities, or restoring affected systems from backups.
  • Recovery: The incident response plan should include procedures for recovering from the incident and restoring normal operations. This might include restoring data from backups, reinstating network connectivity, or restarting affected systems.
  • Post-Incident Review: The incident response plan should also include procedures for performing a post-incident review and analysis. This might include documenting the incident, identifying what went wrong, and making recommendations for preventing similar incidents in the future.

In order for an incident response plan to be effective, it should be tested, an incident response team should be established and trained, and their roles and responsibilities should be clear. Additionally, the incident response plan should be reviewed and updated regularly to reflect changes in the organization's infrastructure, technology, and security landscape.

By having a well-developed incident response plan in place, organizations can minimize the impact of incidents, reduce recovery time and costs, and improve their overall security posture.

Closing Notes

Information security management involves planning for and implementing controls to protect sensitive data and systems, testing and evaluating the effectiveness of these controls, and managing information security incidents when they occur. Organizations can use established frameworks to direct their work on information security management. The NIST Cybersecurity Framework, COBIT, and ISO 27001 are a few examples of these frameworks.

Information Security Frameworks

An information security framework is a set of policies, procedures, and guidelines that organizations use to plan, implement, and maintain information security controls. There are several information security frameworks that organizations can choose from, each with its own set of principles, guidelines, and best practices. We will explore some of them shortly; but first, let us examine why organizations need such frameworks:

  1. Guidance and structure: Information security frameworks provide guidance and structure for organizations to plan, implement, and maintain information security controls. They provide a set of policies, procedures, and guidelines that can be tailored to the organization's specific needs, which can help ensure that all critical areas are addressed and that the appropriate controls are in place.
  2. Risk management: Information security frameworks help organizations to identify, assess and prioritize the various types of risks that they face. This enables organizations to make informed decisions about how to allocate resources to protect against these risks.
  3. Compliance: Many information security frameworks align with legal and regulatory requirements, making it easier for organizations to comply with these requirements. By following an established framework, organizations can demonstrate due diligence and show that they have taken appropriate measures to protect sensitive data.
  4. Collaboration: Information security frameworks can facilitate collaboration between different departments and stakeholders within an organization, as well as across different organizations and supply chains. This can help to ensure that the organization's security controls are integrated with the overall business strategy.
  5. Continuous improvement: Information security frameworks are often based on a continuous improvement process, which requires regular review and update of the security controls. This ensures that the organization's security practices keep up with the rapidly changing threat landscape.
  6. Benchmarking: Information security frameworks can be used to benchmark an organization's information security posture against its peers or industry standards. This can help organizations identify their strengths and weaknesses and prioritize areas for improvement.

ISO 27001

One widely-used information security framework is ISO 27001. The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) produced ISO 27001 as a global standard that outlines the requirements for an information security management system (ISMS). The standard is reviewed and updated regularly to ensure that it remains relevant and effective in addressing the latest information security threats and challenges. ISO 27001 covers the following key areas [2]:

  • Security policy
  • Organization of information security
  • Asset management
  • Human resources security
  • Physical and environmental security
  • Communications and operations management
  • Access control
  • Information systems acquisition, development, and maintenance
  • Information security incident management
  • Business continuity management
  • Compliance

NIST Cybersecurity Framework (CSF)

Another popular information security framework is the NIST Cybersecurity Framework (CSF). The CSF is developed and maintained by the National Institute of Standards and Technology (NIST) in the United States. It provides a set of guidelines and best practices for organizations to manage cybersecurity risks [3].

Framework Core

The Framework Core provides a set of activities to achieve specific cybersecurity outcomes. The Core comprises four elements: Functions, Categories, Subcategories, and Informative References. Each function within the core has categories and subcategories. There are 5 functions, 22 categories, and 97 subcategories. Subcategories are outcome-driven statements that can be used to develop a cybersecurity program.

Those pursuing a career in Cybersecurity will find it very useful to understand these core elements. As a starting point, the Core Functions represent high-level cybersecurity activities that you will be doing as a cybersecurity expert.

Figure 1.4: NIST Core Functions

The five core functions of the CSF are:

  • Identify: identify and prioritize assets, vulnerabilities, and threats
  • Protect: implement safeguards to prevent, detect, and respond to attacks
  • Detect: establish and maintain continuous monitoring capabilities
  • Respond: develop and implement incident response plans and procedures
  • Recover: establish and maintain business continuity and disaster recovery capabilities

For more information about the NIST CSF, click here »

COBIT

COBIT (Control Objectives for Information and related Technology) is another information security framework that is used by organizations to manage information and technology risks. COBIT was developed by ISACA (Information Systems Audit and Control Association). It was first published in 1996.

COBIT provides a comprehensive set of control objectives that cover the following five domains [4]:

  1. Governance of IT: This domain focuses on the management of the overall IT governance structure, including the development of policies and procedures, the identification of stakeholders, and the definition of roles and responsibilities. Information security policies and procedures are an important aspect of IT governance and need to be in place in order to ensure the confidentiality, integrity, and availability of information assets.
  2. Management of IT: This domain focuses on the day-to-day management of IT, including the planning and implementation of IT processes and systems, and the management of risks and issues. COBIT provides guidance on how to identify, assess and prioritize the risks associated with IT processes and systems. Information security risks, such as data breaches, are an important consideration when assessing overall IT risks and need to be included in the risk management process.
  3. Acquisition and Implementation of IT: This domain focuses on the procurement and implementation of IT systems and services, including the management of vendors, contracts, and the evaluation of options. Organizations must ensure that the IT systems they acquire and implement are secure.
  4. Delivery and Support of IT: This domain focuses on the delivery and support of IT systems and services, including the management of incidents and problems, the provision of training and education, and the management of service levels. These guidelines help ensure that IT systems and services remain secure over time.
  5. Monitoring of IT: This domain focuses on the monitoring and reporting of IT performance and compliance. It includes guidelines for the measurement of key performance indicators and the management of audits and reviews, all of which can help organizations ensure their IT systems and services are secure.

Using an information security framework can help organizations to better understand their information security risks and implement appropriate controls to manage those risks. It is important for organizations to periodically review and update their information security frameworks to ensure that they continue to meet the organization's needs and address emerging threats.

References
[2] ISO/IEC 27001:2022, Information security management systems
[3] NIST Cybersecurity Framework (CSF)
[4] ISACA, COBIT
Module Summary
  • Information security is the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.
  • Information security and cybersecurity are closely related, but they have distinct differences.
  • Information security focuses on protecting information and information resources, while cybersecurity focuses specifically on protecting against unauthorized access or damage to computer systems, mainly through the internet.
  • Confidentiality refers to the protection of sensitive information from being accessed or disclosed to unauthorized parties.
  • Integrity refers to the protection of information from being modified or corrupted by unauthorized parties.
  • Availability refers to the protection of information and systems from being disrupted or unavailable to authorized parties.
  • An information system is a collection of hardware, software, data, people, and procedures that work together to provide useful information to an organization. Organizations must protect all the components of an information system.
  • Risk refers to the potential for harm or loss that can occur as a result of unauthorized access, use, disclosure, disruption, modification, or destruction of information or information systems.
  • Threat refers to any potential or actual attack against information or information systems.
  • Vulnerability refers to a weakness or gap in a system, network or device that can be exploited by an attacker.
  • Attack refers to any attempt at unauthorized access, use, disclosure, disruption, modification, or destruction of information or information systems.
  • Exploit refers to the use of a known vulnerability in a system, network or device to gain unauthorized access or disrupt the system's operations.
  • Information security is important because it protects the valuable data and systems of an organization and allows for the smooth functioning of the digital economy.
  • Maintaining information security is an ongoing process that requires continuous monitoring, updating, and improvement of security controls and practices. This includes regular testing and assessment of security measures, as well as incident response planning and employee training.
  • Securing information can be a difficult task as it is a multi-faceted and complex process that involves the integration of technical, administrative, and management controls and the participation of the entire organization.
  • Information security types include physical, personnel, network, application, endpoint, cloud, and IoT security.
  • Information security threats are evolving in complexity and severity. Current threats include data breaches, insider threats, malware, physical threats, social engineering, DoS, and APTs.
Module Revision Questions
  • What are the main goals of information security?
  • What are the different types of information security threats organizations are facing today?
  • How does the rapidly changing technological environment affect the difficulty of protecting against information security threats?
  • What are some of the key areas covered by the ISO 27001 information security framework?
  • What are the 4 elements of the Framework Core of the NIST Cybersecurity Framework (CSF), and how do Functions and Categories relate to Subcategories and Informative References?
  • What are the steps involved in the process of Information Security Management?
  • What are some examples of technical measures that can be implemented as part of the information security controls?
  • What are the key elements of incident management in Information Security?
Module Glossary
Term: Definition
C.I.A: Confidentiality, Integrity, and Availability are the C.I.A Triad of information security
APTs: Advanced persistent threats (APTs) are sophisticated cyber-attacks that are launched by well-funded and skilled attackers with a specific target in mind
ISM: Information Security Management
DMZ: Demilitarized Zone (DMZ) is the area between the internal network and the Internet
ISO 27001: Widely-used information security framework produced by the International Organization for Standardization (ISO)
NIST: National Institute of Standards and Technology
COBIT: COBIT (Control Objectives for Information and related Technology) is another information security framework that is used by organizations to manage information and technology risks

© Samer Aoudi 2005-2024