What is information security?
Welcome to this Course on Information Security Management Principles.
To begin with, it’s important to understand some of the history of this field. Going back 30 or 40 years, the industry was referred to as Computer Security. This described the technology used to secure products and applications, in particular operating systems. Much later, the term Information Security was introduced. Information security means protecting information and information systems from unauthorised access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.
The IT community recognised that it is just as important to protect information and data, as it is to protect the systems themselves. This is made more challenging by the fact that information isn’t just stored on computers; it can be printed out, saved to removable media, or stored on a multitude of devices, both current and legacy (do you remember CDs or zip disks?).
From the early days of information security, IT communities have developed robust security standards, leading to all-round better protection of assets. Information assurance (IA) is having confidence in the protection of the confidentiality, integrity, availability, authenticity and non-repudiation of important data. It’s achieved by combining information protection measures with the management of risks related to the use, processing, storage and transmission of information. Cyber security is the application of technologies, processes and controls to protect systems, networks, programs, devices and data from cyber-attacks. It aims to reduce the risk of cyber-attacks and protect against the unauthorised exploitation of systems, networks and technologies.
Information assurance is tightly coupled with many aspects of business management, including ITIL (Information Technology Infrastructure Library). As IA impacts many areas of a business, it’s important that assurance professionals use language that is accessible and understandable to the wider business. Cyber warfare involves actions by a nation-state or international organisation to attack and attempt to damage another nation's computers or information networks through, for example, malware or denial-of-service attacks.
Essential standards and frameworks
Throughout this Course, there will be references to specific IT standards and frameworks, published by the following:
- International Organisation for Standardisation (ISO)
- International Electrotechnical Commission (IEC)
- National Institute of Standards and Technology (US) (NIST)
Most of the vocabulary used today in information assurance circles is derived from the following international standards documents:
- ISO/IEC 27000:2018 – Overview and vocabulary
- ISO/IEC 27001:2013 – Internationally recognised specification for an Information Security Management System (ISMS)
An ISO 27001 ISMS consists of policies, procedures and other controls involving people, processes and technology. Informed by regular information security risk assessments, an ISMS is an efficient, risk-based and technology-neutral approach to keeping your information assets secure.
- ISO/IEC 27005:2018 – Information security risk management
- ISO Guide 73:2009 – Risk management
Take note of these standards, as you’ll want to familiarise yourself with them independently to build up your knowledge of best practice IT security.
Figure 1: Information security
What is security?
Having looked at the main principles of information security, it’s now time to focus on what we’re trying to protect: assets. An asset is usually defined as 'anything that has value to the organisation'. Mission-critical information assets are often referred to as 'crown jewels'.
There are many different asset types, such as:
- Information: This refers to information stored on paper (e.g. contracts, correspondence, user manuals, and training manuals) or electronically (e.g. information on hard drives, USB sticks, video, mobile phones, and databases), or any other information - even conversations are information assets.
- Physical assets and hardware, such as a computer: These refer to any asset that can manipulate information, such as computers, mobile devices, server rooms, copper cables and fibre circuits.
- Services: This refers to the services that the computer systems depend upon, such as heating, cooling, power, lighting, etc.
- People, along with their qualifications, skills, and experience: People are the employees, owners and managers who carry with them all the skills and information regarding how the company operates.
- Intangibles, such as reputation, brand loyalty, and software: Software includes operating systems, applications, and development tools. According to various accounting standards, if software is used to deliver goods and services, it can be classified as a tangible asset. An example would be the software that companies like Snapfish or Shutterfly use for their customers to generate various photo products that result in revenue for their businesses; this would be considered an example of intellectual property (IP).
Examples of crown jewels would include:
- The secret plans for a new product
- The reputation of the company in providing a high-availability communications service
- Customer data
Protection of information assets
Information assets also come in different forms: analogue (paper or microfiche) and digital.
As well as the information itself, you’ll need to protect:
- The media it’s stored on, for example paper, magnetic disk or optical disk
- The devices that process it, like PCs, tablets, readers and printers
- How it’s transported, for example through wired networks, wireless networks and courier companies
- The places and people involved in processing, storing and handling it, like data centres, offices and key members of staff
Note: Most information is now digital and stored on computer systems.
Now that you know what information security is, you will look at some principles of information security.
In this course, you’ll be looking at numerous aspects of the risk matrix including the risk and threats involved in big data, the Internet of Things (IoT), the dark web and social media. You'll also be exploring threat intelligence, unified threat management (UTM), and security risk. You'll also see how you can use open-source intelligence (OSINT) and Dark Web Threat Intelligence to help you establish, improve and refine your risk treatment. All of this ensures that your organisation is protected from and alert to the constantly evolving series of information security threats.
However, before you go on to threat management, let's first review risk and see how it relates to cyber security.