Information security definition

Information security, sometimes abbreviated to infosec, is a set of practices intended to keep data secure from unauthorized access or alterations, both when it's being stored and when it's being transmitted from one machine or physical location to another. You might sometimes see it referred to as data security. As knowledge has become one of the 21st century's most important assets, efforts to keep information secure have correspondingly become increasingly important.

Information security vs. cybersecurity

Because information technology has become the accepted corporate buzzphrase that means, basically, "computers and related stuff," you will sometimes see information security and cybersecurity used interchangeably. Strictly speaking, cybersecurity is the broader practice of defending IT assets from attack, and information security is a specific discipline under the cybersecurity umbrella. Network security and application security are sister practices to infosec, focusing on networks and app code, respectively.

Obviously, there's some overlap here. You can't secure data transmitted across an insecure network or manipulated by a leaky application. As well, there is plenty of information that isn't stored electronically that also needs to be protected. Thus, the infosec pro's remit is necessarily broad.

Information security principles

The basic components of information security are most often summed up by the so-called CIA triad: confidentiality, integrity, and availability.

• Confidentiality
• Integrity
• Availability

In an ideal world, your data should always be kept confidential, in its correct state, and available; in practice, of course, you often need to make choices about which information security principles to emphasize, and that requires assessing your data. If you're storing sensitive medical information, for instance, you'll focus on confidentiality, whereas a financial institution might emphasize data integrity to ensure that nobody's bank account is credited or debited incorrectly.

Find out more about CIA here

Information security policy

The means by which these principles are applied to an organization take the form of a security policy. This isn't a piece of security hardware or software; rather, it's a document that an enterprise draws up, based on its own specific needs and quirks, to establish what data needs to be protected and in what ways. These policies guide the organization's decisions around procuring cybersecurity tools, and also mandate employee behavior and responsibilities.

Among other things, your company's information security policy should include:

• A statement describing the purpose of the infosec program and your overall objectives
• Definitions of key terms used in the document to ensure shared understanding
• An access control policy, determining who has access to what data and how they can establish their rights
• A password policy
• A data support and operations plan to ensure that data is always available to those who need it
• Employee roles and responsibilities when it comes to safeguarding data, including who is ultimately responsible for information security

One important thing to keep in mind is that, in a world where many companies outsource some computer services or store data in the cloud, your security policy needs to cover more than just the assets you own. You need to know how you'll deal with everything from personally identifying information stored on AWS instances to third-party contractors who need to be able to authenticate to access sensitive corporate info.

Information security measures

As should be clear by now, just about all the technical measures associated with cybersecurity touch on information security to a certain degree, but there it is worthwhile to think about infosec measures in a big-picture way:

• Technical measures include the hardware and software that protects data — everything from encryption to firewalls
• Organizational measures include the creation of an internal unit dedicated to information security, along with making infosec part of the duties of some staff in every department
• Human measures include providing awareness training for users on proper infosec practices
• Physical measures include controlling access to the office locations and, especially, data centers