Hello and welcome. In this course, I will provide an introduction to the concept of Information Security. We will cover the basic concepts that pertain to Information Security.

So first and foremost, what is information security and why do we need it? 

Information security is the practice of protecting information by mitigating information risks.

It typically involves preventing or at least reducing the probability of unauthorised/inappropriate access, use, disclosure, disruption, deletion/destruction, corruption, modification, inspection, recording or devaluation of information.  

Information security's primary focus is the balanced protection of the confidentiality, integrity and availability of data -  while maintaining a focus on efficient policy implementation, all without hampering organization productivity.

 This is largely achieved through a structured risk management process. 

Looking at the list on the screen, which of these concepts stands out to you the most as being the really important thing for Information Security? That allows an organization to function in the most optimal way?

So when we look at these, these are the things that we say give up the importance of Information Security. You know then protecting the company data. Data is the key. It's what all companies have. It's what all organizations have. They all have data. If that data goes missing, and it's unable to be retrieved, that could be an organization's ability to continue trading full stop. You can't just build back data sets. Once they're gone, they're gone. Especially if they're talking about ransomware and you're not paying the money.

Then obviously protecting the corporate systems that house that data. Maintaining the data availability. And we'll look at some of these concepts in more detail.

Reputation. Market Reputation is an important one. Very important. 

We have the protecting customer data. This one is really important in this day and age, especially now that GDPR's come into play. It's far more important for us to protect customer data. It can have huge implications, as it pertains to meeting our legal requirements and also general compliance - and then obviously the payments and fines in that type of area as well. So there will always be customer data to be protected.

And then obviously if we do this right we're able to prepare for problems. And preparing for problems means that we can actually see stuff before it's about to happen, or be prepared for it before it's about to happen. And then we're able to respond, which enables us to stay in business. 

So here's our definition of Information Security. This model is by Cherdantseva and Hilton. It's concerned with the development and implementation of security countermeasures of all available types, technical, organizational, human-oriented, and legal, in order to keep information, and all its locations within and without the organization's perimeter, and consequently information systems where information is created, processed, stored, transmitted, and destructed, free from threats.

So there's a lot in that one little paragraph about what Information Security actually is. But the bits that really jump out to me right there are the fact that it's at the same time technical, organizational, human-oriented, legal. It's about where the data is created, where it's processed, the machines that it's processed in, and how we store it, how it's transmitted, what format it's actually in. And then how ultimately we get rid of the things.

A common security situation occurs when a business wants to retire and remove redundant computer hardware. To ensure proper destruction of data, companies engage specialists to remove the hardware and certify that all data has been removed from the storage medium.  

A company will often receive a certificate that says, "Hey we've done what you've asked us to do." Now, you don't actually know that they've done whatever you’ve asked you to do. So that certificate is supposed to be your assurance that that's been the case, i.e. that they’ve removed all the data from the storage medium. So we take the certificate on trust. Unless we go and audit them and find out exactly how it's done. Which is what we can do.

If the company is untrustworthy, we can see situations when your hard drives and your information systems and data is resold. These situations have happened in the past. So we have to be very, very careful as to how we take care of our data. When it's on hard drives we have to think about situations where people have laptops. This is the reason why a business might use a service like BitLocker, and those other types of encryption technologies.