Information Security vs Information Assurance
Please note: this course has now been refactored into a learning path, which you can find here.
This is a beginner-level course designed to provide you with an introduction to Information technology security concepts. The course will suit anyone interested in understanding the fundamentals of security concepts from a business and technology perspective.
In this course we will provide:
- An introduction to the concept of Information Security
- We will cover the basic concepts that pertain to Information Security
- We then begin to answer the question - what is information security and why do we need it?
- We then explore some of the frameworks, controls and activities we can implement to control information security
This course is intended for anyone who wants to learn the fundamentals of IT security.
This is a beginner level course where having a basic understanding of computing concepts will be useful
Please reach out to us at firstname.lastname@example.org with any questions, comments or feedback.
Information Security and Information Assurance. What do we understand about these terms?
Assurance is more the overall strategy for a company. Whereas security is how we're going to go about the strategy. Assurance is definitely more strategy-focused.
So we see cyber security as the bottom rung of the ladder. When we talk to people, they think that cyber security is information security, but it's not. It's different. Cyber security is technical security. It's the antiviruses, it's the intrusion detection systems, it's your firewalls. It's all of that type of stuff. Just technically focused. It doesn't deal with some of the other stuff we're going to talk about when we get to information security, which consequently is the second rung of the ladder.
Our information security is now where we get to talk about things that are not just technical, but things that are physical. We're talking about not just digital transformation, we're talking about analog information as well, for example, paper-based documents.
But we're now dealing with people as well. And buildings. And physical security. And all these different areas of security now. So it's not just technical, as we had before, because down in the first rung of the ladder it was all technical.
But we’re now looking at physical. We are looking at digital and analog. We're looking at people. And all the rest. So, essentially, information in all its different forms. People. Buildings. And all the rest.
It doesn't separate itself from cyber security, it encompasses it. And that's what we're trying to say. We're then building up something that has to give us reason for actually using those things. That is what we would call our risk assessments and our risk management, which is the third rung of the ladder.
So, risk assessments and risk management. This is the area where we're now beginning to really think about the company itself and not just, "Oh we need some antivirus. Ah, we should probably have some CCTV.” Instead now we're doing risk assessments to see what the risks are for our organization and we're then applying the information security and cyber security controls in place as it pertains to our organization. Some things that are risks for you aren't risks for me. Some things that we both recognise as risks don't have the same impacts so the controls that we put in place won't be the same.
For example, we could have two businesses - A and B. The impact for business A is 500,000 pounds. The impact for business B is 500,000 pounds as well. 500,000 pounds will cripple business A. Whereas 500,000 pounds won't cripple business B. So that's when we begin to put controls in place depending on how we react—or wish to react—to the risk.
Here in the fourth rung of the ladder, we have information assurance, and its cousin, information governance: IA and IG. They are two sides of the same coin. Very closely connected.
One is focused on compliance, feeding the information governance: compliance, records management, all of that type of stuff.
One is focused on the assurance that everything we're doing down here is correct, and also that we're in line with the things that our business needs to be in line with. So that's why they can't be separated because information assurance is almost information governance. In fact, the information that we get out of information assurance we feed into information governance to make sure we're compliant, and up to date with all our standards and all the rest.
Here with information assurance, we will do audits. We will do our ISO 27001 frameworks, and get certified through those things.
Compliance. Are we compliant with our contracts? How does this plan in with our SLAs? So, they all come together. But assurance is the idea that what we're doing here under risk management is actually working. So there has to be a framework or a matrix to feed that information back, so that we get that assurance.
And that's the business side of information security.
At this area here we are now strategic. So these are the board-level decisions. The decisions that are also being made by the board. Not so much risk assessments but the risk management overall, because they'll be responsible for managing risk.
And then this area here, these are gold, if you will... These are silver. And these are our bronze… in terms of the functions that are being served in the organization.
So we find our employees in different sections. So we find this being like middle management. And this is very much our executives. And our C suites.
Originating from a systems administration/network architecture career, a solid part of his career building networks for educational institutes. With security being a mainstay his implementation he grew a strong passion for everything cyber orientated especially social engineering. The educational experience led to him mentoring young women in IT, helping them to begin a cyber career. He is a recipient of the Cisco global cyber security scholarship. A CCNA Cyber Ops holder and elected for the CCNP Cyber Ops program.