Information Security Best Practice Part 1: Where to Start?
Information security is the hot topic on everyone’s lips, and it’s not going away anytime soon. In this article series, Conosco Information Security Manager Hylton Stewart will help you understand information security best practices and priorities for your business.
What is information security?
Information security is a general term that applies to the security of electronic information within Information Technology (often referred to as Cyber Security), as well as the security of physical information and physical assets. It is the practice of preventing (or mitigating against) unauthorised access, use, disclosure, disruption, modification, inspection, recording or destruction of information – both electronic and physical.
It is important to remember that there is no such thing as perfect security, meaning that it’s impossible to defend against all potential threats, all of the time. The goal of information security is to reduce the likelihood and impact of potential threats. This is done by implementing various defences (often referred to as controls) that either reduce the likelihood of a threat occurring, or reduce the impact on the organisation if it does.
The three corners of the Information Security Triad
There are three general areas that need to be considered when protecting information and assets, often referred to as the Information Security Triad:
- Confidentiality – information should not be available or disclosed to unauthorised individuals, processes or entities
- Integrity – the accuracy and completeness of information should be maintained, and it must not be possible to modify it in an unauthorised or undetected manner
- Availability – information (and the assets used to store and process it) should be available when needed
Your business’ security safeguards
There are many safeguards that can be put in place to improve the information security of an organisation, many of which depend on various factors such as the organisation’s risk appetite, the type of business, and the complexity of the organisation and its information.
These controls can be broadly categorised as:
- Management – documented policies, work procedures, standards and guidelines written by the organisation and imposed by regulatory and compliance requirements. Management also includes planning and risk assessment.
- Technical – IT-implemented controls that use software and data to monitor and control access to information and systems. These include enforced password changes, permissions on files and folders, and network firewalls.
- Operational – daily tasks related to operating the organisation, including configuration (change) management, maintenance, incident response, and personnel security.
There are many controls that can be implemented to mitigate the risks posed by threats. In the next article, we’ll list specific information security best practices that all organisations should consider.
In the meantime, if you have any questions about the information security of your business, get in touch with one of the experts at the Conosco Security Division: firstname.lastname@example.org.