If information security is weakly enforced, an attacker can steal your credentials, sell your stolen information to your adversaries, damage your organization's reputation, or sell your data to third parties for monetary profit.
What Is the CIA Triad in Information Security?
The foundation of information security rests on three basic tenets: confidentiality, integrity and availability (also called the CIA Triad). Let us try to understand them:
Confidentiality:
It assures that information is accessible only to authorized parties and that access is forbidden to everyone else. Social security numbers, credit card numbers, financial statements, military communications, etc., are all examples of sensitive data that require confidentiality. Encryption is used to achieve confidentiality, so that only authorized users are able to decrypt the information.
Integrity:
It ensures that data can be modified only by those who are authorized to change it. If the integrity of data is lost, everyone is denied access until integrity is restored. This confirms that changes to the compromised data do not propagate further.
Availability:
Timely availability of data is critical for certain applications. The above two principles are of no value if data is not provided on time. To illustrate this, consider a banking scenario where a user is waiting for a one-time password (OTP) to authenticate to a bank login. If the OTP arrives after the waiting window has expired, it is of no use and is discarded by the system.
Overview of Information Security from IT Manager’s Perspective
Most organizations spend large sums of money on managing risk and mitigating attacks. IT managers play a vital role in these organizations by creating a robust IT policy that encompasses employees, access management, the organization's technical infrastructure, etc.
Besides framing policies and solving security problems, IT managers must work to educate and train their staff on the organization's IT policy. Internal security is more critical and more difficult to manage, because people are less wary of internal threats and often overlook them. An IT manager should be responsive to all attack vectors.
Information Security Management and Its Scope
Information security management is a way to establish confidentiality, availability and integrity for IT assets. These are the three basic tenets that lay the foundation for any information security system. Today, organizations of every size require an information security function. With the rise in security breaches and intrusion activities, effective and reliable management is required to respond to these security risks. However, the exact level of management and the disaster recovery plan that are needed depend on the business.
Some businesses can tolerate attacks ranging from minor to severe and continue operating normally. Others may be totally paralyzed and go out of business after an attack of even short duration. Even when an organization has an existing management system and recovery plan, critical cases such as a zero-day attack may require framing a new one.
Information Security Mechanisms
To implement information security services, several tools and techniques are used. Here, we list some of the common security mechanisms:
Encryption:
This is a very old concept whereby plaintext information is converted into unreadable ciphertext.
Message Digests and Digital Signatures:
A message digest is a fixed-size numeric representation of a message, generated by a one-way hash function. Digital signatures are formed by encrypting a message digest.
Digital Certificates:
A digital certificate is an electronically signed document that ensures that the public key it contains is owned by its true owner. Digital certificates are issued by a Certificate Authority (CA).
Public Key Infrastructure (PKI):
It is a method of distributing public keys to facilitate public key cryptography. It authenticates the parties performing a transaction and helps to prevent man-in-the-middle attacks.
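The message digest and digital signature mechanisms described above, and the integrity principle from the CIA Triad, can be seen working together in the following added example (not code from the original article). It uses Go's standard-library RSA-PSS with SHA-256: the signer hashes the message, signs the digest with a private key, and a verifier holding only the public key detects any later modification of the message. The key size, the sample bank-transfer message and the tampered variant are assumptions constructed for the demonstration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// digest returns the SHA-256 message digest: a fixed-size, one-way
// representation of the message. Changing any byte of the message
// changes the digest, which is what makes integrity checks possible.
func digest(msg []byte) []byte {
	h := sha256.Sum256(msg)
	return h[:]
}

// sign produces a digital signature over the digest using the signer's
// private key (RSA-PSS). Only the holder of the private key can do this.
func sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest(msg), nil)
}

// verify recomputes the digest from the received message and checks the
// signature with the public key. It returns false if either the message
// or the signature was altered in transit.
func verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	return rsa.VerifyPSS(pub, crypto.SHA256, digest(msg), sig, nil) == nil
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // assumed key size
	if err != nil {
		panic(err)
	}
	msg := []byte("TRANSFER 100.00 TO ACCOUNT 12345") // constructed sample
	sig, err := sign(priv, msg)
	if err != nil {
		panic(err)
	}
	fmt.Println("original verifies:", verify(&priv.PublicKey, msg, sig))
	// An attacker who alters the amount cannot produce a matching signature
	// without the private key, so verification fails and integrity loss is detected.
	tampered := []byte("TRANSFER 900.00 TO ACCOUNT 12345") // constructed sample
	fmt.Println("tampered verifies:", verify(&priv.PublicKey, tampered, sig))
}
```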
Jobs in Information Security Field
Security is an emerging field in the IT industry with a huge demand for certified professionals. Every organization, whether big or small, is concerned about securing its assets. Information security job roles include Information Security Analyst, Information Security Manager, Information Security Operations Manager, Information Security Auditor, etc.
The exact responsibilities vary from company to company and also depend on an individual's qualifications and experience. Some positions, such as CISO (Chief Information Security Officer), require years of relevant experience.
Information security has become a topic of paramount importance, with security professionals playing a vital role in the field. With the emergence of more sophisticated attacks, organizations need to keep pace with the latest technology. The information security field is filled with vast areas of research and possibilities.