Keys to understanding IT security today
The ever-increasing frequency of cyberattacks has firmly established cyber risk as a critical business risk. Relying solely on IT teams to address cyber threats with antivirus software and password policies is not enough. To build resilience and drive sustainable business growth, organizations must implement comprehensive information security strategies that encompass people, process, and technology.

Fundamentals of Information Security
In the age of digitalization, organizations of all sizes are grappling with the complex challenges of information security. The widespread integration of third-party SaaS applications, the adoption of IoT, and the emergence of AI technologies such as Bard, ChatGPT and DALL-E have transformed the landscape of business operations. While these technologies have streamlined many business processes, they have also increased the risk to the digital assets that these applications use and expose.
This article explores the current information security environment, with a particular focus on risk-based methods that allow organizations to anticipate, prepare for, and mitigate cyber and technology risk in the digital era. In the first part of the article, we define information security, trace its evolution, explain its core principles, and outline the most common cybersecurity frameworks. In the second part, we look at risk as the foundation of a solid cybersecurity strategy: we discuss the value that a risk-based cyber risk management approach brings to an information security strategy, and we consider how Cyber Risk Quantification allows companies to prioritize and justify their information security budget and strategy across business units and with all decision-makers.
What is information security?
In the early days of computer networks, the focus of information security was the physical safeguarding of mission-critical IT systems, sensitive documents, and communications systems. Today, information security is the practice of safeguarding information in all its forms to ensure its appropriate use. The discipline extends beyond IT or cybersecurity to cover the protection of information in every form and across every area of an organization. Its measures aim to fulfill the essential requirements of confidentiality, integrity, and availability of information by reducing the frequency and impact of security incidents.
The National Institute of Standards and Technology (NIST) defines information security as “the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.”
A very short history of information security and cybersecurity
In the mid-1960s, computer systems began the transition from government and corporate spheres to everyday life. Airlines were using computer reservation systems, and financial transactions could now be made as EFTs, or electronic fund transfers. Universities also began offering computer science courses. Security in those early days was rather rudimentary, focusing on physical safeguards and password access. In 1969, the Advanced Research Projects Agency, a research agency of the US Defense Department, developed a computer network called ARPANET that allowed computers to communicate over phone lines without a central core machine – the precursor to today’s Internet. A few years later, in 1971, a computer developer named Bob Thomas wrote a program called Creeper (considered by some to be the first non-malicious computer virus). It would display a message on an ‘infected’ computer and start to print a file; before completing the task, it would jump to a new machine and continue its journey through the network. A year later, an ‘anti-virus’ program called Reaper was developed that chased down Creeper to delete it.
These developments led government agencies, business leaders, computer scientists and academics to identify the basic principles of information security. In 1977, the first conference on Audit and Security of Computer Systems, held by the Institute for Computer Sciences and Technology of the National Bureau of Standards – later NIST – outlined how the US government should detect threats to computer networks and implement effective safeguards to counter them. In the introduction to the companion paper to the conference, the president of the Institute for Computer Sciences and Technology, Ruth Davis, called on governmental agencies and organizations, working together with auditors, to conduct threat assessments specifically related to the potential loss, the probability of loss, and the cost of implementing adequate controls.
Since then, the legal framework for data privacy reporting and the safeguarding of personal information has been updated and expanded. Notably, the General Data Protection Regulation (GDPR) in the European Union, which came into effect in 2018, represents a significant milestone in data protection and privacy. In the United States, various states have enacted their own data privacy laws, such as the California Consumer Privacy Act (CCPA). These regulations mandate that organizations implement measures to protect consumer data, report any breaches in a timely manner, and allow individuals more control over their personal information. The conversation around data privacy and security continues to evolve as technology becomes increasingly integrated into our daily lives, presenting new challenges and requiring continuous updates to security protocols and legislation to protect users and data from growing threats.
Core Concepts of Information Security
The CIA Triad is the basis for all information security and cybersecurity frameworks, which use it as a guide for implementing security practices, controls, and standards. The triad is not specific to an industry or sector but applies to all information. Whenever data is created, transmitted, used, and reused, the triad plays a role:

- Confidentiality – This aspect of information security ensures that sensitive information is not disclosed to unauthorized individuals or systems.
- Integrity – This component ensures that data is authentic, accurate, and reliable, and it has not been tampered with or altered.
- Availability – This ensures that information is consistently and readily accessible and available for authorized parties.
A breach of the confidentiality of personally identifiable information (PII) can cause harm if the person associated with the data is denied benefits or is financially, physically, or socially harmed as a result. Businesses without robust detection and response mechanisms are increasingly exposed to cyber incidents that compromise data integrity, for example through ransomware attacks. DDoS attacks can result in the complete unavailability of a server or network. An information security and cybersecurity strategy is not a nice-to-have but a necessary-to-have to keep information secure and your systems running.
Types of information security measures
For a business or organization to implement the high-level concept of the CIA Triad, there are some basic types of information security measures that can be taken.
- Organizational measures ensure that an internal department is created to develop policies and strategy for improved security.
- Human measures focus on awareness training, such as teaching staff how to create strong passwords, how to recognize phishing, and other behaviors that support the CIA Triad.
- Physical measures are implemented to control access to the office location, data centers and physical machines that are part of the network.
- Technological measures are concerned with the use and configuration of hardware, software, encryption, and firewalls to improve security controls, for example those covering intrusion detection and authentication.
Each of these measures can be further expanded into specific controls that form the basis of the InfoSec and Cybersecurity frameworks used today.
Information security risk management frameworks
Information security and cybersecurity frameworks provide organizations with a structured approach to managing information security risks. These frameworks typically codify the CIA triad (confidentiality, integrity, and availability) into various control families and controls. Some of the most widely implemented frameworks include:
The NIST Cybersecurity Framework (CSF) is a widely adopted framework that provides a comprehensive set of guidelines and best practices to help organizations manage and reduce cybersecurity risks. Developed by the National Institute of Standards and Technology (NIST) and first published in 2014, the CSF was initially designed for critical infrastructure organizations but has since proven to be valuable across various sectors, regardless of size or maturity.
The CSF is structured around five core functions:
- Identify
- Protect
- Detect
- Respond
- Recover
An additional function, Govern, has been proposed to emphasize the importance of continuous oversight and improvement of the organization's cybersecurity posture. These core functions provide a high-level view of an organization's approach to managing cybersecurity risk.
The framework's flexibility and adaptability make it suitable for organizations of all sizes and industries. In addition, the CSF's alignment with other cybersecurity frameworks, such as ISO 27000 and COBIT, facilitates its integration into existing risk management processes.
The NIST 800 series provides detailed guidance on a wide range of topics, including risk management, incident response, and physical security. It is considered the gold standard for cybersecurity and is influential in shaping cybersecurity policies and practices globally. While primarily developed for US federal organizations, the NIST 800 series has become widely adopted by private companies worldwide.
The framework includes guidelines, recommendations, and technical specifications for organizations that handle sensitive data, including controlled unclassified information (CUI). It defines 20 control families, such as Access Control, Incident Response, Awareness and Training, and Risk Assessment, and includes over 1,000 specific controls.
Due to its comprehensiveness and alignment with industry best practices, the NIST 800 series is often used by private organizations to achieve compliance with regulations like the Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes-Oxley Act (SOX), and the General Data Protection Regulation (GDPR).
COBIT 5 is a framework for the governance and management of enterprise IT. Created by ISACA, an international professional association focused on IT governance, COBIT is used to help organizations create value from IT by maintaining a balance between realizing benefits and optimizing risk levels and resource use. COBIT 5 is based on five principles:
- Meeting stakeholder needs
- Covering the enterprise end to end
- Applying a single integrated framework
- Enabling a holistic approach
- Separating governance from management
COBIT 5 can be implemented in any organization of any size and ensures the quality, control, and reliability of information systems.
ISO 27000 series – This family of standards addresses three pillars of information security: people, processes, and technology. Each standard within the series describes best practices for managing information risk by implementing security controls within the framework of an Information Security Management System (ISMS). They can be used by organizations of any size to secure their information assets and mitigate risk.
