What is information security?
As the use of IT systems increases, so does the risk of cyberattacks or unauthorised access to company information and data. Information security should protect this data and ensure its confidentiality, integrity and availability.
The topic of information security is closely linked to IT security, data security and data protection and is operationally implemented in most companies by an information security officer. During implementation, this officer is guided by guidelines such as basic IT protection and standards such as ISMS certification in accordance with ISO 27001. The requirements of the guidelines and standards are integrated by the information security officer into an information security management system and continuously monitored and optimised. For this task, companies appoint an internal ISO or appoint an external information security officer.
In the following article you will learn what exactly information security is, what protection goals there are and how they can be integrated in the company.
Key information about information security
- Information security means the protection of information and data
- This protection is guaranteed by technical and organisational measures within the framework of the so-called protection goals.
- The most important protection goals are availability, integrity and confidentiality.
- The most important german requirements for information security are defined in the "IT-Grundschutz" by the Federal Office for Information Security. These are not legal requirements. This gives companies a certain degree of freedom in implementing information security concepts.
- The Information Security Officer supports companies in the implementation of information security.
- Information security measures are controlled via an Information Security Management System (ISMS)
Content on the topic of information security:
What does information security mean?
Information security means the protection of information and data. This includes protection against threats such as the decryption of data, access or changes to data by unauthorised third parties, as well as general protection during the transfer and storage of data from one location to another. In order to achieve these information security objectives companies must implement the protection goals of information security. This implementation takes place through the implementation of appropriate measures, which are carried out by an information security officer and are integrated, for example, in the ISO/IEC 27000 series of standards. The guideline for information securityThe so-called "IT-Grundschutz" is published by the Federal Office for Information Security. Those responsible for information security, such as the information security officer, establish and manage information security measures via an Information Security Management System (ISMS).
What does information security cover?
The term "Information Security" includes all technical and organisational measures that ensure the protection goals of confidentiality, availability and integrity.
Information security examples of organisational measures
- spatial backup of data and IT components
- software updates
- virus software
- authentication methods
Information security examples of organisational measures
- staff trainings
- guidelines for handling sensitive data (e.g. passwords)
In addition, there are personnel measures, which deal with the sensitisation of users with regard to information security, as well as local measures, which include physical measures. This means controlling access to office locations and especially to data centres.
What is the difference between IT security, information security and data security?
The difference between IT security and information security lies IT security is only one aspect of information security. While IT security is primarily concerned with protecting IT systems in a company from damage and threats, information security includes all technical and non-technical information of a company. In addition to the data of the IT systems, paper archives or the company premises also fall under the protection of information security.
Data security is also subordinate to information security, as information security is more comprehensive. However, data security and information security both have the goal of minimising security risks and establishing measures to protect data.
What distinguishes data protection from information security?
The essential difference between Data protection and information security lies in the fact that data protection focuses on the right to informational self-determination and the protection of personal data, whereas information security aims to secure data in systems. Data protection thus protects data of citizens and information security protects data of companies. However, since personal data is also processed in companies, there is often an overlap between data protection and information security.
Another important difference is that the implementation of data protection is legally regulated by the General Data Protection Regulation (GDPR). For the implementation of information security, there is the guideline for information security of the BSI, but it is not a legal basis. This means that companies can introduce different concepts.
The protection goals of information security
The most important protection goals of information security are confidentiality, integrity and availability of information. Data is considered confidential if only authorised persons have access to this information. It must be possible to identify all persons who access the data. This protection goal can be achieved, for example, by means of 2-fold authentication, passwords or encryption. The integrity of data describes that data is kept in its correct and complete state and that it is protected against intended/accidental changes. This includes that unauthorised persons, such as hackers, have no access and thus no possibility to change the data. Availability of information means the guarantee of access to the information in an assured manner for users with the appropriate authorisation. The following are the Definition of the protection goals of information security according to the IT basic protection of the BSI listed.
Definition of the protection goals of information security according to the BSI:
Confidentiality is the protection against unauthorised disclosure of information. Confidential data and information may only be accessible to authorised persons in the permitted manner.
Integrity refers to ensuring the correctness (integrity) of data and the correct functioning of systems. When the term integrity is applied to "data", it expresses that the data is complete and unchanged. In information technology, however, it is usually defined more broadly and applied to "information". In this context, the term "information" is used to refer to "data" which, depending on the context, can be assigned certain attributes such as author or time of creation. The loss of integrity of information can therefore mean that it has been altered without permission, that details of the author have been falsified or that the time at which it was created has been manipulated.
The availability of services, functions of an IT system, IT applications or IT networks or also of information is present if these can always be used by the users as intended.
In the case of non-repudiation, the focus is on provability vis-à-vis third parties. The aim is to ensure that the sending and receiving of data and information cannot be denied. A distinction is made between
- Non-repudiation of origin: It should be impossible for a sender of a message to subsequently dispute the sending of a particular message.
- Non-repudiation of receipt: It should be impossible for a recipient of a message to subsequently dispute receipt of a message sent
The security goals of authenticity and non-repudiation are summarised under bindingness. In the transmission of information, this means that the source of the information has proven its identity and the receipt of the message cannot be denied
The implementation of an information security concept
An information security concept (ISC) is the systematic implementation of information security objectives through both technical and organisational measures. The information security concept ensures the long-term protection of information, even in the event of changing technical, organisational, personnel or legal requirements. Like the data protection management system, the information security concept is continuously reviewed and optimised. This is done using the Plan-Do-Check-Act cycle / PDCA cycle in the following four recurring steps:
- Identify vulnerabilities via a stocktaking
- Rating the identified vulnerabilities, by describing the risks and proposing solutions
- Planning and implementation of the measures
- Review the effectiveness of the measures and reaction to changes
Content of the information security concept
These steps of the information security concept contain the following procedures and measures:
- Identification of new and existing risks
- Planning of measures to eliminate or minimise risks
- Continuous development of the safety culture in the organisation
- Establishment of persons responsible for the operation and implementation of the information security concept (e.g. information security officer)
- Development of guidelines for the implementation of the ISK and introduction into the organisation
- Organisation of regular sensitisation of employees for information security
Information Security Policy: Content and Structure
The Information Security Policy is part of the information security concept and describes all technical and non-technical systems used in data processing as well as the associated security requirements. This guideline is drafted by the company management and contains measures and regulations to be complied with, which must be observed by all employees of the company as well as by the company management.
The Federal Office for Information Technology recommends the following as a guideline for information security Structure of the Information Security Policy:
- Scope and application
- Importance of information technology and information security
- Company goals
- Organisation of the information security management system
- IT management
- Information security officer
- Data protection officer
- Other responsibilities
- Consequences of infringements
- Further measures
- Entry into force
Information security: examples of implementation in the workplace
The best technical precautions to protect data are of little use if employees are not adequately trained. Employees should lock their workstation every time they leave, especially if they have access to data that needs to be protected. Otherwise, third parties can simply access the data.
But also the Password security plays a crucial role in ensuring information security in the workplace. Passwords should never be openly visible in the workplace, such as on a notepad. Typical hiding places for passwords, such as under the keyboard, should also be avoided. In addition, strong passwords should be used. These are characterised by a sufficient length of at least 8 characters using alphanumeric characters (upper and lower case, numbers, special characters). A separate password should be used for each application, which should be changed regularly. In addition, the computer password should not be used on the Internet. Otherwise it is easier to spy out the password and the protection of the computer and the data on it can be less guaranteed. All passwords should be changed regularly. Caution should be exercised on the Internet anyway, dubious sites can cause a virus attack and allow hackers to access the computer.
Employees should also be trained in Dealing with spam and suspicious and dangerous e-mails. Often viruses are sent in the form of links or attachments, which are then downloaded onto the computer. Accordingly, employees should watch out for suspicious emails and not open any links or attachments in them. If a virus is downloaded, employees should be instructed on how to proceed. For example, remove the computer from the network and inform IT immediately.
If confidential documents are printed out, care must be taken not to print them out inadvertently in the printer or copying in the scanner. Missing copies should also never simply be disposed of in the wastepaper basket, but should always be destroyed using a document shredder.
However, the following must also be taken into account mobile devices and data carrierswhich are used at the storage location and also represent a risk. These are lost more often than computers at work, but often contain the same data.
The Information Security Officer
An information security officer (also referred to as "CISO" Chief Information Security Officer or "ISM" Information Security Manager) supports companies in the implementation of and compliance with information security. In this way, they simultaneously represents a relief for the company. For questions regarding IT security and the protection of any data, they are the central contact person for the company management. Nevertheless, the responsibility for information security remains with the company management.
What does an information security officer do?
Information security officers ensure that the desired level of information security is maintained. In this context, the scope of duties is very extensive. These include:
- Employee training (on-site or online),
- Advice to the management,
- Contact person for problems and questions,
- Elaboration of safety concepts,
- Review of data backup and firewalls,
- Internal audits and audit support,
- Documentation of information security measures,
- Development of safety targets
Who may be an information security officer?
In principle, there is no obligation for companies to employ an information security officer (except for CRITIS companies). If you decide to work with an information security officer, you have two options. For example, a specialist with the relevant expertise and experience can act as an external information security officer supervise your company. But an internal solution is also possible by having your company train an existing employee as an information security officer.
If you choose an internal security officer, make sure that there is no conflict of interest. Therefore, neither employees of the management nor employees of the management of the IT department can act as information security officers.
How to become an information security officer?
Persons who have specialist knowledge and professional experience in the area of information security qualify as information security officers. Specialist knowledge can be acquired through training or further education. There is no legal regulation for training as an information security officer. If you want to have an employee trained or further trained, you can do this with training courses. The contents of the training courses are mostly based on the internationally recognised ISO 27001. The costs for trainings vary depending on the provider and the degree/certificate and amount to between 2500 and 3500€ net per training participant.
What is an Information Security Management System (ISMS)?
An information security management system or "ISMS" defines rules and methods for ensuring, reviewing and improving information security. Information security officers use the ISMS to control technical and organisational IT security measures and regularly monitor the implementation of the planned measures in accordance with the requirements of ISO 27001. Since the data protection management system is not a special form of the information security management system, it cannot be replaced by an ISMS; rather, these two systems complement each other and are often technically implemented through software-as-a-service (SaaS) solutions.