Getting Started with Information Security
What is Information Security?

This course introduces you to the fundamentals of information security. You'll learn what information security is, how it differs from information assurance, and the core concepts that underpin the discipline.

Learning Objectives

  • Get a foundational understanding of information security
  • Understand the difference between information security and information assurance
  • Learn the fundamentals of information security

Intended Audience

This course is intended for anyone who wants to improve their knowledge of risk management in an information security context.


We recommend taking this course as part of the IT Security Fundamentals learning path.


Hello and welcome. In this course, I will provide an introduction to the concept of Information Security. We will cover the basic concepts that pertain to Information Security.

So first and foremost, what is information security and why do we need it? 

Information security is the practice of protecting information by mitigating information risks.

It typically involves preventing, or at least reducing the probability of, unauthorised or inappropriate access, use, disclosure, disruption, deletion or destruction, corruption, modification, inspection, recording or devaluation of information.

Information security's primary focus is the balanced protection of the confidentiality, integrity and availability of data, while maintaining a focus on efficient policy implementation, all without hampering organizational productivity.

This is largely achieved through a structured risk management process.

Looking at the list on the screen, which of these concepts stands out to you the most as the really important thing for information security, the one that allows an organization to function in the most optimal way?

So when we look at these, these are the things that we say make up the importance of information security. First, protecting the company's data. Data is the key. It's what all companies have; it's what all organizations have. They all have data. If that data goes missing and cannot be retrieved, that could end an organization's ability to continue trading, full stop. You can't just rebuild data sets. Once they're gone, they're gone, especially if we're talking about ransomware and you're not paying the money.

Then, obviously, protecting the corporate systems that house that data, and maintaining the availability of that data. We'll look at some of these concepts in more detail.

Reputation. Market reputation is an important one. Very important.

Then we have protecting customer data. This one is really important in this day and age, especially now that GDPR has come into play; it's far more important for us to protect customer data. Failing to do so can have huge implications for meeting our legal requirements and for general compliance, and then obviously for payments and fines in that area as well. So there will always be customer data to be protected.

And then, obviously, if we do this right we're able to prepare for problems. Preparing for problems means that we can actually see things before they happen, or be prepared for them before they happen. And then we're able to respond, which enables us to stay in business.

So here's our definition of information security. This model is by Cherdantseva and Hilton. Information security is concerned with the development and implementation of security countermeasures of all available types (technical, organizational, human-oriented and legal) in order to keep information, in all its locations within and outside the organization's perimeter, and consequently the information systems where information is created, processed, stored, transmitted and destroyed, free from threats.

So there's a lot in that one little paragraph about what information security actually is. But the bits that really jump out at me are that it's at the same time technical, organizational, human-oriented and legal. It's about where the data is created, where it's processed, the machines it's processed on, how we store it, how it's transmitted, what format it's actually in, and then, ultimately, how we get rid of it.

A common security situation occurs when a business wants to retire and remove redundant computer hardware. To ensure proper destruction of data, companies engage specialists to remove the hardware and certify that all data has been removed from the storage medium.

The company will often receive a certificate that says, "Hey, we've done what you asked us to do." Now, you don't actually know that they've done what you asked them to do, so that certificate is supposed to be your assurance that this has been the case, i.e. that they've removed all the data from the storage medium. We take the certificate on trust, unless we go and audit them and find out exactly how it's done, which is something we can do.

If the company is untrustworthy, we can see situations where your hard drives, information systems and data are resold. These situations have happened in the past, so we have to be very, very careful about how we take care of our data. When it's on hard drives we also have to think about situations where people have laptops. This is the reason a business might use a service like BitLocker, or other full-disk encryption technologies.
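The disposal scenario above comes down to trusting a certificate. The script below is an added example, not part of the course, of the kind of spot-check an auditor can run against a retired drive (or a forensic image of it) instead of taking the certificate on trust: it reads blocks at random offsets, flags any block that is not a single fill byte, and reports the mean byte entropy, so a zeroed medium, a random-overwritten or encrypted medium (as BitLocker would leave it) and residual plaintext are told apart. The three images it builds are constructed fixtures; the 7.5 bits/byte threshold, the 4 KiB block size and the sample count are assumptions chosen for illustration.

```python
"""Spot-check that a retired disk, or an image of it, was actually wiped.

Added example (not course material). Sampling is a check on the vendor's
claim, not a substitute for it: a high-entropy result means "encrypted or
random-overwritten", which is only as good as the key being gone.
"""
import math
import os
import random
import tempfile


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant block, close to 8.0 for random or encrypted data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def _medium_size(f) -> int:
    # os.path.getsize() reports 0 for block devices on Linux; seeking to the end works for files and devices.
    f.seek(0, os.SEEK_END)
    return f.tell()


def verify_wipe(path: str, samples: int = 256, block_size: int = 4096, seed=None) -> dict:
    """Sample `samples` blocks (every block if the medium has fewer) and classify the medium.

    Verdicts (threshold of 7.5 bits/byte is an assumption for this example):
      'zeroed'        every sampled byte is 0x00
      'patterned'     every sampled block is a single fill byte (e.g. 0xFF)
      'high_entropy'  structured fill absent, mean entropy >= 7.5: encrypted or random overwrite
      'residual_data' low-entropy, non-fill content survived: treat as NOT wiped
    """
    rng = random.Random(seed)
    with open(path, "rb") as f:
        size = _medium_size(f)
        total_blocks = -(-size // block_size)  # ceiling division
        if samples >= total_blocks:
            block_indexes = range(total_blocks)  # small medium: full scan, no sampling error
        else:
            block_indexes = sorted(rng.sample(range(total_blocks), samples))

        dirty, entropies, fill_bytes = [], [], set()
        for idx in block_indexes:
            f.seek(idx * block_size)
            block = f.read(block_size)
            entropies.append(shannon_entropy(block))
            if block == bytes([block[0]]) * len(block):
                fill_bytes.add(block[0])          # constant block: a wipe pattern
            else:
                dirty.append(idx * block_size)    # something other than a fill pattern lives here

    mean_entropy = sum(entropies) / len(entropies) if entropies else 0.0
    if not dirty:
        verdict = "zeroed" if fill_bytes == {0} else "patterned"
    elif mean_entropy >= 7.5:
        verdict = "high_entropy"
    else:
        verdict = "residual_data"
    return {
        "verdict": verdict,
        "blocks_checked": len(entropies),
        "dirty_blocks": len(dirty),
        "first_dirty_offsets": dirty[:5],
        "mean_entropy": round(mean_entropy, 3),
    }


def build_sample_image(path: str, kind: str, size: int = 1 << 20, block_size: int = 4096) -> None:
    """Write a CONSTRUCTED 1 MiB test medium: 'zeroed', 'random', or 'residual' (zeros plus one plaintext block)."""
    if kind == "zeroed":
        data = bytearray(size)
    elif kind == "random":
        data = bytearray(os.urandom(size))  # stands in for an encrypted or random-overwritten disk
    elif kind == "residual":
        data = bytearray(size)
        leftover = b"customer_id,name,card_last4\n1001,J. Smith,4242\n"  # constructed record, not real data
        data[37 * block_size: 37 * block_size + len(leftover)] = leftover
    else:
        raise ValueError(kind)
    with open(path, "wb") as f:
        f.write(data)


def demo() -> dict:
    """Build the three constructed images in a temp dir and return kind -> verify_wipe report."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for kind in ("zeroed", "random", "residual"):
            path = os.path.join(tmp, f"{kind}.img")
            build_sample_image(path, kind)
            results[kind] = verify_wipe(path, samples=256, seed=1)  # 256 blocks of 4 KiB: full scan of 1 MiB
    return results


if __name__ == "__main__":
    for kind, report in demo().items():
        print(kind, report)
```

Against a real device (for example a `/dev/sd*` path, which needs root) the same `verify_wipe` call samples rather than scans, so raise `samples` until the miss probability for a single surviving block is acceptable for the audit; a 'residual_data' verdict with offsets is exactly the evidence to take back to the disposal vendor.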


About the Author
Originating from a systems administration/network architecture career, he spent a solid part of that career building networks for educational institutes. With security being a mainstay of his implementations, he grew a strong passion for everything cyber-orientated, especially social engineering. The educational experience led to him mentoring young women in IT, helping them to begin a cyber career. He is a recipient of the Cisco global cyber security scholarship, a CCNA Cyber Ops holder, and was selected for the CCNP Cyber Ops program.