Information Security – “Risk Management”
Information Security is a phrase that carries two meanings. The first is the common notion of securing important data; the second is the US Government’s system of protecting information “against unauthorized access or modification of information… and against the denial of service to authorized users, or… service to unauthorized users, including those [information] measures necessary to detect, document, and counter such threats.”
The above definition of Information Security comes from the US’ National Information Assurance (IA). Under it, Information Security becomes the IA’s supporting [federal] ‘subset’, most commonly called INFOSEC. INFOSEC deals with the “trust aspects” of information and how it is protected. These aspects encompass a wide range of concerns, since Information Security also involves the protection of all machine or electronic data, not only computer system information. In point of fact, computer system and network security is just a subset of Information Security in general. Other divisions of INFOSEC are Information Systems Security, Information Technology (IT) Security, and Information and Communications Technology (ICT) Security, all of which secure information held in electronic form, although each varies in emphasis.
In addition, Information Security takes in the safeguarding of related information processes, systems, services, and facilitating technology, computers, and all networks and means of communication. Because all of these information components are continually subject to the risk of tampering, Information Security is better known as “Risk Management”, with the aim of (approximately) calculating and minimizing the risk of information loss or misuse. INFOSEC does this through its comprehensive set of functions: security governance, administration and provisioning, return on security investment, IT infrastructure resources, COMSEC, auditing, classification, identification and authentication, authorization, assurance and reliability, compliance, non-repudiation, risk assessment, access control, alerting, business continuity planning, and re-rationalized security program development. All of these processes nonetheless revolve around the three core principles of information security, the “CIA Triad”: Confidentiality, Integrity, and Availability (+Assurance).
Confidentiality of information in use or in storage is one of the top priorities of modern information security: “ensuring that information is accessible only to those authorized…” (International Organization for Standardization). Data Integrity assures that “data are identically maintained during any operation… [preserved] for their intended use,… [and] can only be accessed and altered [changed detectably] by those authorized [and identified] to do so.” Availability keeps data safe and accessible despite the system’s “changing use and expectation patterns” at any given time of operation.
Without Assurance, however, it would be impossible to maintain the other three objectives or to keep “systems predictably dependable in the face of all sorts of malice…” After all, the “Risk Management” character of INFOSEC is aimed squarely at minimizing the risk of every kind of information security breach.