What is information security and how can it best be defined?
Information security can best be defined as the set of processes used to protect information assets, whether electronic or physical, ensuring that the confidentiality, integrity and availability (the CIA) of data are upheld. Information security establishes the strategies a business needs to conduct its security management and to ensure its information systems operate as intended. Information security is an integral part of compliance with the Data Protection Act. Organisations should therefore follow information security practices in order to prevent data breaches, which could compromise the sensitive information they store and process.
CIA and Information Security
An organisation can build upon the concept of CIA to form their information security strategy:
Confidentiality - This ensures that information held by an organisation is made accessible only to the specific individuals who require access to it. This allows organisations to prevent unauthorised access to sensitive or personal information and to monitor where and when information is accessed. Access control lists, user IDs and passwords can all be used effectively to achieve confidentiality.
Integrity - Integrity refers to ensuring that the information held or processed by an organisation is trustworthy, i.e. that it is up to date and accurate. To keep data in this state, employees should be aware of the lifespan of information and of the individual's right to have their data rectified. Records should not be amended by unauthorised personnel.
Availability - The Data Protection Act 2018 states that a data subject should be able to view their data by submitting a data access request (DAR). This means that organisations should ensure their information systems are available when required, so that such a request can be fulfilled in a timely manner, usually within one month.
To uphold information security, an organisation will need to carry out risk management audits regularly to identify where its security risks lie and, subsequently, how to deal with and mitigate those risks.
The stages of Risk Management to consider:
Identify the data which your organisation processes, whether it is personal or sensitive, and where there are areas of vulnerability in the processing chain which could allow confidentiality, integrity or availability to be compromised. From this, consider what controls your organisation already has in place to protect information and whether they are adequate or need strengthening or updating.
Once you have identified the risks to your information security, a plan of action will need to be drawn up to decide how to mitigate them, and what to do in the event of a security breach.
Network security refers to the protection of data transmitted between devices on a network used by an organisation. Its aim is to stop that data being intercepted through electronic intrusion for the benefit of cyber criminals. Therefore, if an organisation is going to store or transmit any data via a network, it needs to ensure that its information is secured and protected as far as possible from cyberattacks. Cyberattacks can take many forms, notably malware, spyware and hacking attacks.
If an organisation has put in place the hardware and software needed to detect cyberattacks, and has also provided information security awareness training to all staff members, then its information should be appropriately protected. Ultimately, to ensure information security is implemented correctly in your organisation, training and education in information security are paramount.