Information security definition
The information security definition presented here covers the technical, theoretical, and regulatory context of ethical hacking applications in information security testing and IT governance at the organizational and national levels.
Information security definition
Understanding information security risk
The place of information security in enterprise IT governance
The terms information security, cybersecurity, Internet security, computer security, and network security have intersecting and evolving meanings, but generally refer to the process of implementing security controls, including IA/IT governance frameworks, to protect the confidentiality, integrity, and availability of privileged information as well as the technological infrastructure of a computer network or system against unauthorized access or manipulation (Anderson, 2003; Blakley, McDermott & Geer, 2001; Cherdantseva & Hilton, 2013; CNSS, 2010; ISACA, 2008; ISO/IEC 27000:2009; Venter & Eloff, 2003). Sensitive data should be protected in proportion to the potential impact of a loss of confidentiality, integrity, or availability. Confidentiality “refers to protecting information from being accessed by unauthorized parties.” Integrity “refers to ensuring the authenticity of information—that information is not altered, and that the source of the information is genuine.” Availability of information means that information is accessible by authorized users when they need it. Protection measures (security controls) tend to focus on two key areas: mitigating known vulnerabilities, and implementing the principle of least privilege, whereby each authorized user is granted only the functionality required for their role. Information security is “a risk management discipline, whose job is to manage the cost of information risk to the business” (Blakley et al., 2001). Information security,
“preserves the confidentiality, integrity and availability of information” (ISO/IEC 27000:2009);
is concerned with “authenticity, accountability, non-repudiation and reliability” (ISO/IEC 27000:2009, which treats confidentiality, integrity, and availability as properties of information);
ensures that “only authorized users (confidentiality) have access to accurate and complete information (integrity) when required (availability)” (ISACA, 2008);
is concerned with the protection of information as well as that of the technological infrastructure or information systems that hold it (Cherdantseva & Hilton, 2013; CNSS, 2010);
is concerned with access to information (CNSS, 2010; ISACA, 2008); and
aims to provide assurance “that information risks and controls are in balance” (Anderson, J., 2003).
Other key information security concepts include privacy, authenticity and trustworthiness, non-repudiation, accountability and auditability, and reliability (Cherdantseva & Hilton, 2013; ISO/IEC 27000:2009). The broad pragmatic goal of information security management is to reduce the probability of unauthorized access or damage to valued information assets to an acceptable risk level through risk mitigation strategies that involve management controls (e.g., security policies), technical controls (e.g., intrusion detection techniques), and operational controls (best practices/standard operating procedures).
Information security threats most commonly rated as a concern in higher education in North America are as follows (EDUCAUSE Information Security Almanac, April 2019, p. 2).
Confidentiality attacks: Exposure of confidential or sensitive information (79%)
Integrity attacks: Unauthorized or accidental modification of data (29%)
Availability attacks: Loss of availability or sabotage of systems (16%)
Mixed threat attacks: Email viruses, ransomware, or other malware (31%), and Unauthorized, malicious network/system access (27%)
Understanding information security risk
A standard definition of risk is the potential to lose something of value. Another definition involves exposure to danger. In information security, risk is typically understood as threat times vulnerability times impact (the likelihood that a threat will exploit a vulnerability, resulting in a business impact), or as threat times vulnerability with an overlay of control effectiveness or velocity. The cybersecurity risk manager should determine which definition suits the organization. A key challenge is prioritizing risk so that investment in countermeasures is optimal: a well-understood list of risks must be matched with a list of suitable mitigations for those risks. A risk can be accepted (when the cost of the countermeasure outweighs the possible cost of loss due to the threat), mitigated (by implementing safeguards and countermeasures to eliminate vulnerabilities or to block threats), or transferred (by shifting the cost of the threat to another business function or unit) (Stewart, 2012).
A risk-based approach allows an organization to prioritize the vulnerabilities identified and focus its efforts on the risks that are the most significant to its operations. The first step in identifying business risks should be to understand the business as a society, a social system: its identity, corporate vision, social/community relations, and values. Clause 4 of ISO 22301 calls for understanding internal and external environments, including an organization’s activities, functions, services, and the organization’s risk appetite (ISO 22301 Portal: Societal security – Business continuity management system, 2015). Businesses need to evaluate information security risks for the purposes of insurance underwriting and resource allocation, and those attempting to comply with HIPAA, PCI, and other regulations will perform a risk assessment periodically. Risk assessment “identifies risks generated by the possibility of threats acting on vulnerabilities, and what can be done to mitigate each one” (PCI DSS Risk Assessment Guidelines, 2005). Several major regulatory frameworks, including HIPAA, PCI, and SSAE 16, require businesses to perform periodic risk assessment. A popular definition of risk management by ISO Guide 73:2009:
In ideal risk management, a prioritization process is followed whereby the risks with the greatest loss (or impact) and the greatest probability of occurring are handled first, and risks with lower probability of occurrence and lower loss are handled in descending order. In practice, assessing overall risk can be difficult, and the allocation of mitigation resources between a risk with a high probability of occurrence but lower loss and a risk with high loss but lower probability of occurrence is often mishandled.
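A worked illustration of the two risk formulas above (threat x vulnerability x impact, and the same with a control-effectiveness overlay), the loss-first prioritization, and the accept/mitigate/transfer choice. This is example code added here, not from any of the cited sources; the 0..1 scales, the sample register figures, and the order in which the treatment tests are applied are assumptions.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    threat: float         # likelihood that the threat acts, 0..1 (assumed scale)
    vulnerability: float  # likelihood it succeeds given the weakness, 0..1
    impact: float         # loss if it succeeds, in currency units
    control_effectiveness: float = 0.0  # share of loss removed by existing controls
    countermeasure_cost: float = 0.0    # cost of the safeguard that would eliminate it
    transfer_cost: float = 0.0          # e.g. insurance premium; 0.0 = not available


def inherent_risk(r):
    """Risk = threat x vulnerability x impact, i.e. expected loss before controls."""
    return r.threat * r.vulnerability * r.impact


def residual_risk(r):
    """Threat x vulnerability x impact with an overlay of control effectiveness."""
    return inherent_risk(r) * (1.0 - r.control_effectiveness)


def prioritize(risks):
    """Greatest expected loss (probability x impact) is handled first."""
    return sorted(risks, key=residual_risk, reverse=True)


def treatment(r, appetite):
    """Accept, mitigate or transfer; the order of these tests is an assumed policy."""
    loss = residual_risk(r)
    if loss <= appetite:
        return "accept"       # within the organization's risk appetite
    if r.countermeasure_cost < loss:
        return "mitigate"     # safeguard costs less than the expected loss
    if 0.0 < r.transfer_cost < loss:
        return "transfer"     # cheaper to shift the cost to another party
    return "accept"           # countermeasure outweighs the possible loss


def build_register():
    """Constructed sample register; the figures are illustrative, not real data."""
    return [
        Risk("exposure of sensitive records", 0.6, 0.5, 200_000, 0.0, 20_000, 0.0),
        Risk("ransomware on file servers", 0.4, 0.5, 500_000, 0.5, 150_000, 30_000),
        Risk("accidental modification of data", 0.3, 0.2, 50_000),
        Risk("defacement of brochure site", 0.9, 0.5, 40_000, 0.0, 25_000, 30_000),
    ]


def plan(risks, appetite):
    """Rank the register and attach a treatment to each entry."""
    return [(r.name, round(residual_risk(r)), treatment(r, appetite))
            for r in prioritize(risks)]
```

Calling plan(build_register(), 10_000) ranks the ransomware entry below the records-exposure entry because existing controls halve its expected loss, and marks it "transfer" because the assumed safeguard costs more than that residual loss.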
The place of information security in enterprise IT governance
Information security governance is the top-level enterprise business function accountable for information security under the rubric of IT governance (NCC 2005 IT Governance). The IT department is a customer of the information security governance business function or service, in the same way as other business units (e.g., HR, Finance). IT security, integrated with the enterprise-wide risk management policy/framework (IT security risk management), operates within the information security governance framework. Information security is a specialized function within business organizations focused on securing an organization’s information assets against unauthorized access or damage. An information security professional from IT ensures that an institution’s IT systems operate in a way that meets varied regulatory requirements. IT security is a stakeholder-level concern within enterprises and is concerned with Internet access, identity and access management, and the technological infrastructure of the IT network and its smooth operation. Information security governance is concerned with defining security policy and aligning security strategy with business strategy. Information systems comprise hardware, software, and communications “with the purpose to help identify and apply information security industry standards, as mechanisms of protection and prevention, at three levels or layers: Physical, personal and organizational” (Cherdantseva & Hilton, 2013). Areas for which central IT most commonly has primary responsibility in higher education are Network security (94%), Monitoring (88%), Communications security (86%), and Identity management (83%) (EDUCAUSE Information Security Almanac, April 2019).