
WHAT IS INFORMATION SECURITY?

We are sometimes asked the most basic information security question of all: "What is
information security?". This can actually be surprisingly difficult to define. However, the
introduction to the standard itself characterizes information security as the preservation of what
is often known as CIA:

Confidentiality, Integrity and Availability


A key aspect of Information Security is to preserve the confidentiality, integrity and availability of an
organisation's information. It is only with this information that it can engage in commercial activities. Loss
of one or more of these attributes can threaten the continued existence of even the largest corporate
entities.

Confidentiality
Ensuring that information is accessible only to those authorized to have access

Assurance that information is shared only among authorised persons or organisations. Breaches of
Confidentiality can occur when data is not handled in a manner adequate to safeguard the confidentiality
of the information concerned. Such disclosure can take place by word of mouth, by printing, copying,
e-mailing or creating documents and other data, etc. The classification of the information should determine
its confidentiality and hence the appropriate safeguards.

Integrity
Safeguarding the accuracy and completeness of information and processing methods

Assurance that the information is authentic and complete. Ensuring that information can be relied upon to
be sufficiently accurate for its purpose. The term Integrity is used frequently when considering Information
Security as it represents one of the primary indicators of security (or lack of it). The integrity of data is
not only whether the data is 'correct', but whether it can be trusted and relied upon. For example, making
copies (say by e-mailing a file) of a sensitive document threatens both the confidentiality and the integrity of
the information. Why? Because, by making one or more copies, the data is then at risk of change or
modification.

Availability
Ensuring that authorized users have access to information and associated assets when required.

The standard further explains that "information security is achieved by implementing a suitable set of
controls", and that these need to be "established to ensure that the specific security objectives of
the organization are met".

ESTABLISHING INFORMATION CLASSIFICATION CRITERIA
It is essential to classify information according to its actual value and level of sensitivity in order
to deploy the appropriate level of security. A system of classification should ideally be:
- simple to understand and to administer
- effective in order to determine the level of protection the information is given.
- applied uniformly throughout the whole organization (note: when in any doubt, the higher,
more secure classification should be employed).

With the exception of information that is already in the public domain, information should not be
divulged to anyone who is neither authorized to access it nor specifically authorized by the
information owner. Violations of the Information Classification Policy should result in
disciplinary proceedings against the individual.

It is also sensible to restrict the number of information classification levels in your organization
to a manageable number as having too many makes maintenance and compliance difficult. The
following five levels of classification cover most eventualities:

Top Secret:
Highly sensitive internal documents and data. For example, impending mergers or acquisitions,
investment strategies, plans or designs that could seriously damage the organization if lost or
made public. Information classified as Top Secret has very restricted distribution indeed, and
must be protected at all times. Security at this level is the highest possible.

Highly Confidential:
Information which is considered critical to the organization's ongoing operations and could
seriously impede or disrupt them if shared internally or made public. Such information
includes accounting information, business plans, sensitive customer information (for example at
banks), patients' medical records, and similar highly sensitive data. Such information should not be
copied or removed from the organization's operational control without specific authority.
Security should be very high.

Proprietary:
Procedures, project plans, operational work routines, designs and specifications that define the
way in which the organization operates. Such information is usually for proprietary use by
authorized personnel only. Security at this level is high.

Internal Use Only:
Information not approved for general circulation outside the organization, where its disclosure
would inconvenience the organization or management, but is unlikely to result in financial loss
or serious damage to credibility/reputation. Examples include: internal memos, internal project
reports, minutes of meetings. Security at this level is controlled but normal.

Public Documents:
Information in the public domain: press statements, annual reports, etc. which have been
approved for public use or distribution. Security at this level is minimal.

Care should always be applied regarding a user's possible tendency to over-classify their own
work. It is sometimes erroneously assumed that the classification level of a document reflects
directly on the individual's own level of importance.
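The scheme above, written as a check a practitioner could run over a document-handling log. This is an added example, not code from the original document: the five levels are ordered so that the "when in any doubt, classify higher" rule becomes a max(), and the disclosure and copying rules are applied to a constructed sample log. The event field names, the action labels, and the treatment of external e-mail as removal from operational control are assumptions of this example.

```python
from enum import IntEnum
from typing import Iterable, List, NamedTuple

class Level(IntEnum):
    # The five levels of the scheme above, ordered so max() picks the more secure one
    PUBLIC = 0
    INTERNAL_USE_ONLY = 1
    PROPRIETARY = 2
    HIGHLY_CONFIDENTIAL = 3
    TOP_SECRET = 4

def resolve_level(candidates: Iterable[Level]) -> Level:
    """When in doubt, or when a document's parts differ, the higher classification wins."""
    levels = list(candidates)
    if not levels:
        raise ValueError("at least one candidate level is required")
    return Level(max(levels))

class HandlingEvent(NamedTuple):
    doc: str
    level: Level
    action: str              # "read", "email_internal", "email_external" or "copy" (assumed labels)
    recipient_cleared: bool  # recipient is authorized to access this level
    owner_authorized: bool   # information owner gave specific authority

def violates_policy(ev: HandlingEvent) -> bool:
    # Information already in the public domain may be divulged freely.
    if ev.level == Level.PUBLIC:
        return False
    # Otherwise only someone authorized to access it, or specifically authorized by the owner, may receive it.
    if not (ev.recipient_cleared or ev.owner_authorized):
        return True
    # Highly Confidential and Top Secret must not be copied or removed from operational
    # control without specific authority; external e-mail is assumed to count as removal.
    if ev.action in ("copy", "email_external") and ev.level >= Level.HIGHLY_CONFIDENTIAL:
        return not ev.owner_authorized
    return False

def audit(events: Iterable[HandlingEvent]) -> List[str]:
    # Names of the documents whose handling breached the classification policy
    return [ev.doc for ev in events if violates_policy(ev)]

# Constructed sample handling log (not from the original document).
SAMPLE_EVENTS = [
    HandlingEvent("press-release.pdf", Level.PUBLIC, "email_external", False, False),
    HandlingEvent("q3-board-minutes.docx", Level.INTERNAL_USE_ONLY, "email_external", False, False),
    HandlingEvent("merger-plan.xlsx", Level.TOP_SECRET, "copy", True, False),
    HandlingEvent("patient-records.csv", Level.HIGHLY_CONFIDENTIAL, "read", True, False),
    HandlingEvent("build-procedure.md", Level.PROPRIETARY, "copy", True, False),
]
```

Running `audit(SAMPLE_EVENTS)` flags the minutes e-mailed to an uncleared recipient and the Top Secret plan copied without owner authority, while the cleared read of the medical records and the copy of Proprietary material pass.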

IT Security is a critical need of every organization. In particular, effective Internet
Security has become essential for every small, medium or large enterprise that uses
information technology and other Internet-based services to perform its work easily and
effectively. The organization's dependency on the Internet has increased the need for Internet
security implementation and network monitoring inside the organization.

Since the introduction of broadband Internet, security risks have increased drastically. Nowadays
most Internet users (home users and professionals) use a broadband Internet
connection. Companies from the private and public sectors, non-governmental organizations,
educational institutes and financial institutions all depend on the Internet for information
exchange. The Internet is also a major channel of instant communication between two parties.
Therefore, the chances of information leaks, hacking or intrusion are greater than in earlier days due to
the increasing dependency on the Internet.

Security vulnerabilities in the Internet connection or intranet can result in the following major
security threats:

1. Unauthorized access to servers and systems in the network
2. Unauthorized use of the Internet connection for illegal or criminal purposes
3. Stealing, alteration or deletion of sensitive systems and data
4. Denial-of-service attacks, resulting in an inability of users to access systems
5. Virus or Trojan attacks on systems, and virus infections of important data
6. Destruction of websites and online systems

The threats described above are just a glimpse of the security threats caused by a weak Internet security
mechanism. Information is an asset that, like other important business assets, has value to an
organization and consequently needs to be suitably protected. Failure to implement a
proper Internet security mechanism can ultimately have severe effects. An organization with no, or a
less effective, Internet security policy can suffer the following ill effects:

1. Deterioration of the organization's overall reputation
2. Reduced public confidence in the agency's online services
3. Unauthorized disclosure of the company's secret information
4. Financial loss through online fraud
5. Financial loss through reduced productive work hours due to intrusion

To secure the workplace from potential Internet threats, an organization has to adopt a proper Internet
security policy, utilize the best available security tools, and practice strict monitoring measures
(both manual and automated) inside the office premises. With proper planning, technical expertise
and continuous effort, an organization can restrict most of the external threats related to Internet
Security.
