Information Security is a complex topic that impacts everyone in some way or another. To help cut through some of the noise and to help you understand the basics of “infosec”, let’s begin at the beginning.
Most people understand at some level that the confidentiality of sensitive information is a key concern of information security. Only people with the appropriate need-to-know should have access to sensitive information. Those who do not have the need-to-know should not. This is referred to as “Confidentiality” which is the most commonly known member of the “CIA Triad” of security.
Many industries have mandates for protecting the confidentiality of information. While the medical industry is perhaps the best known in this respect, due to the US HIPAA and HITECH regulations, almost all organizations are responsible for safeguarding the private information they collect from their clients. Many states are enacting regulations that create stiff penalties for failing to exercise due care in the handling of sensitive information. Due care means doing what you are expected, and what is reasonable, to do.
Consider the medical example: while your doctor needs access to your medical history in order to provide adequate treatment, the scheduler likely does not. It is actually a HIPAA/HITECH violation for that person to access the information when they have no need to do so in order for you to receive care. Similarly, any organization can be harmed if the personal information of its clients is leaked onto the internet, exposing those clients to identity theft or other harm.
Confidentiality is achieved, or at least attempted, through controls such as access restrictions, firewalls, encryption, and so on.
“Integrity” is not thought of nearly as often but is equally important. This component relates to making sure that the information is accurate and complete so that when it is needed, it is reliable. Integrity can be compromised by system failures and corruption but also by malicious or accidental means. For example, a network server that isn’t resilient to utility power outages can shut down abruptly, corrupting the data stored on it. In the cloud, a replication malfunction can copy bad data into a database, corrupting it.
“Integrity” is protected in various ways depending on the type of information and the manner in which it is transmitted or stored. Having backups of data to recover from inadvertent changes is one way to protect Integrity.
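The backup approach above only protects Integrity if you can tell that data has gone bad before you rely on it. As an added example (not code from the original post), here is a small backup routine that keeps a SHA-256 manifest alongside the copy, detects a file damaged by an abrupt shutdown, and restores it only from a backup copy that itself still verifies; the directory layout and file contents are constructed for illustration.

```python
# Added example, not from the original post: a backup with a SHA-256 manifest so
# silent corruption is detected and only a verified-good copy is restored.
import hashlib
import shutil
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def make_backup(src: Path, dst: Path) -> dict:
    """Copy every file under src into dst; return {relative path: digest}."""
    manifest = {}
    for p in sorted(x for x in src.rglob("*") if x.is_file()):
        rel = p.relative_to(src).as_posix()
        (dst / rel).parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(p, dst / rel)
        manifest[rel] = sha256_file(p)
    return manifest

def verify(root: Path, manifest: dict) -> list:
    """Files that are missing or whose digest no longer matches the manifest."""
    return [rel for rel, d in manifest.items()
            if not (root / rel).is_file() or sha256_file(root / rel) != d]

def restore(root: Path, backup: Path, manifest: dict) -> list:
    """Replace damaged files from the backup, only if the backup copy itself verifies."""
    restored = []
    for rel in verify(root, manifest):
        if sha256_file(backup / rel) == manifest[rel]:
            shutil.copy2(backup / rel, root / rel)
            restored.append(rel)
    return restored

def demo() -> dict:
    """Constructed walk-through: back up, corrupt a file as a crash might, detect, restore."""
    tmp = Path(tempfile.mkdtemp())
    live, bak = tmp / "live", tmp / "backup"
    live.mkdir()
    (live / "patients.csv").write_text("id,name\n1,alice\n")   # constructed sample data
    manifest = make_backup(live, bak)
    clean = verify(live, manifest)
    (live / "patients.csv").write_text("id,name\n1,al")        # simulate a truncated write
    damaged = verify(live, manifest)
    restored = restore(live, bak, manifest)
    return {"clean": clean, "damaged": damaged, "restored": restored,
            "after": verify(live, manifest)}
```

Run `demo()` to see the clean check pass, the truncated file flagged, and the restore bring the check back to clean.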
“Availability” is a favorite component of the CIA Triad for the IT group because they like to make sure that the systems stay running. If an attacker brings a cloud server down by generating a heavy enough load using stolen computer resources from across the internet, the availability of the information can be compromised. In many situations, this can mean life or death for the business or organization that needs the data. Any sort of system failure can result in a loss of availability if the system wasn’t designed to resist such failures.
In some cases, availability can be impacted in unexpected ways. An organization may use a cloud service for some part of their business only to find that the cloud service can have outages just like a local server can. Oddly, local resource outages can sometimes impact the availability of cloud resources.
While any organization can be harmed due to the loss of Availability of its information and systems, medical organizations are acutely impacted due to the regulatory requirements to ensure the availability of protected health information.
“Availability” is often protected through backup, redundancy, fault-tolerance and capacity management.
Total Data Protection
The key to protecting the CIA Triad is to identify the assets that need to be protected. In government or military applications, information labels such as Top Secret, Secret, etc… are applied as appropriate so that custodians and administrators know how to adequately protect them. In commercial or private-sector environments, the same sort of labels can apply. You may not want to dedicate the same resources to protecting public information as you would confidential information and labeling helps you to figure out what needs to be protected and how.
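Labels only help if something enforces them. As an added example (not code from the original post), here is a deny-by-default read check that combines a classification label, as described for both government and commercial labeling, with need-to-know compartments, using the doctor-versus-scheduler scenario from the Confidentiality section; the level names, roles and records are constructed for illustration.

```python
# Added example, not from the original post: label plus need-to-know access check.
from dataclasses import dataclass

# Constructed classification ladder; a higher index means more sensitive.
LEVELS = ["public", "internal", "confidential", "restricted"]

@dataclass(frozen=True)
class Record:
    name: str
    level: str                              # classification label on the asset
    compartments: frozenset = frozenset()   # need-to-know groups, e.g. {"clinical"}

@dataclass(frozen=True)
class Principal:
    name: str
    clearance: str                          # highest level this person may read
    compartments: frozenset = frozenset()   # need-to-know groups they hold

@dataclass
class Decision:
    allowed: bool
    reason: str

def check_read(who: Principal, what: Record) -> Decision:
    """Allow only if the clearance dominates the label AND every need-to-know
    compartment on the record is held by the principal; otherwise deny."""
    if LEVELS.index(who.clearance) < LEVELS.index(what.level):
        return Decision(False, f"{who.name}: clearance {who.clearance} below label {what.level}")
    missing = what.compartments - who.compartments
    if missing:
        return Decision(False, f"{who.name}: no need-to-know for {sorted(missing)}")
    return Decision(True, f"{who.name}: read {what.name}")

def audit_denials(requests) -> list:
    """Reasons for every denied request: the trail a reviewer would look at."""
    return [d.reason for d in (check_read(p, r) for p, r in requests) if not d.allowed]

# Constructed sample: the medical scenario from the text.
history = Record("medical history", "confidential", frozenset({"clinical"}))
calendar = Record("appointment calendar", "internal")
doctor = Principal("dr_lee", "confidential", frozenset({"clinical"}))
scheduler = Principal("front_desk", "confidential")   # same level, no clinical need-to-know
visitor = Principal("visitor", "public")

if __name__ == "__main__":
    for p, r in [(doctor, history), (scheduler, history), (scheduler, calendar), (visitor, calendar)]:
        print(check_read(p, r))
```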
As mentioned above, controls are used to protect the Triad. These can be technical controls like a firewall or antivirus, they can be physical controls like a locked door or fence, and they can be administrative controls like policies and procedures.
While technical and physical controls are vitally important to protecting information, administrative controls are equally important, particularly as they relate to training and education for employees who have access to important systems and data.
Employees typically represent the biggest threat to information security since they tend to be the ones who click links that they shouldn’t, open attachments that they shouldn’t, or install software that they shouldn’t. While technical controls like firewalls and antimalware can help, ultimately anything that a user has access to modify or delete can be destroyed by that same user.
IntelliSystems offers Security Awareness Training that can help everyone understand that information security is their responsibility too, and how to be alert to detect and avoid common threats. You don’t have to be a managed IT client to get it, so contact us for more information.