The most important things in a nutshell.
- What is Information Security?
- Information Security Management Systems (ISMS)
Importance of information security.
Information security aims to protect information from theft, unauthorized modification or destruction. Information can exist either digitally in IT systems or, for example, in paper form.
What information is worth protecting?
Information worth protecting is often success-relevant and confidential company data such as customer inventories, company strategies, in-house developments or know-how. Due to strict legal requirements, the protection of personal data is particularly important. This includes, for example, the purchasing behavior of the company's own customers or the personal data of its employees.
Protection goals of information security.
- Protection of confidentiality (no access to sensitive data for unauthorized third parties).
- Protection of integrity (no falsification).
- Protection of availability (data are available when they are needed).
Depending on the use case, other protection goals of information security can be included in the consideration.
Protection goal: confidentiality of information.
In information security, confidentiality means that data is accessible only to authorized individuals.
Protection goal: integrity of information.
Integrity of data and information means that no unauthorized modification has been made.
Protection goal: availability of information.
Availability of information means that requested information can be used when it is needed, within the expected time and in the expected manner.
Attacks on availability:
Other information security protection goals.
Depending on the use case, in addition to the protection goals of confidentiality, integrity and availability, other protection goals are considered.
Authenticity protection goal
Authenticity refers to both ensuring the identity of the communication partner and ensuring the origin of data. Authenticity is often considered the overriding protection goal: the other protection goals are worthless if it is not possible to determine whether communication is taking place with the desired communication partner.
The purpose of a username/password login is to ensure that the correct communication partner is on the other end of the line. This simple example also illustrates that in order to achieve the three primary protection goals of information security.
Protection goal of non-repudiation
Non-repudiation is intended to ensure that a party involved in a communication cannot subsequently deny it to third parties.
- For digital signatures, non-repudiation, along with authenticity, is critical.
- If contracts (online) are concluded, non-repudiation is important for the service provider.
Protection goal bindingness
When authenticity and non-repudiation of a communication are ensured, it is also called binding.
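As an added illustration (not part of the original page), the following Python sketch shows how the goals of integrity, authenticity and non-repudiation discussed above map to different mechanisms: a hash detects modification, a shared-key MAC proves the message came from a key holder, and only a private-key signature gives non-repudiation, because anyone holding the shared MAC key (including the recipient) could have produced the tag. The RSA key pair is a constructed toy with small primes, for illustration only.

```python
import hashlib
import hmac

# Constructed toy RSA key pair: small primes, illustration only.
# A real deployment uses a vetted library and 2048-bit or larger keys.
_P, _Q, _E = 15485863, 32452843, 65537
_N = _P * _Q
_D = pow(_E, -1, (_P - 1) * (_Q - 1))   # private exponent
PUBLIC_KEY = (_N, _E)
PRIVATE_KEY = (_N, _D)


def digest(message: bytes) -> bytes:
    """Integrity: any modification of the message changes the hash."""
    return hashlib.sha256(message).digest()


def mac(shared_key: bytes, message: bytes) -> bytes:
    """Authenticity (and integrity) between parties sharing one key."""
    return hmac.new(shared_key, message, hashlib.sha256).digest()


def mac_valid(shared_key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac(shared_key, message), tag)


def sign(private_key, message: bytes) -> int:
    """Non-repudiation: only the private-key holder can produce this."""
    n, d = private_key
    h = int.from_bytes(digest(message), "big") % n
    return pow(h, d, n)


def signature_valid(public_key, message: bytes, signature: int) -> bool:
    n, e = public_key
    h = int.from_bytes(digest(message), "big") % n
    return pow(signature, e, n) == h


def demo() -> dict:
    order = b"buy 100 units at 9.99"        # constructed sample message
    tampered = b"buy 900 units at 9.99"     # one digit changed in transit
    key = b"secret shared by shop and customer"   # constructed key
    tag = mac(key, order)
    sig = sign(PRIVATE_KEY, order)
    return {
        "integrity_detects_change": digest(order) != digest(tampered),
        "mac_accepts_original": mac_valid(key, order, tag),
        "mac_accepts_tampered": mac_valid(key, tampered, tag),
        # The shop holds the same key, so it could have made this tag
        # itself: a MAC cannot prove to a third party who sent the order.
        "mac_reproducible_by_recipient": mac(key, order) == tag,
        "signature_accepts_original": signature_valid(PUBLIC_KEY, order, sig),
        "signature_accepts_tampered": signature_valid(PUBLIC_KEY, tampered, sig),
    }
```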
Threats to information security protection goals.
There are hundreds of categories of threats to the protection goals of information security. Below, we cover some of the most important modern threats that are current priorities for enterprise security teams.
Inadequately secured or unpatched systems.
The speed and evolution of technology often lead to compromises in security measures. In other cases, systems are developed without regard to security and remain in operation as legacy systems within an organization. Organizations need to identify these poorly secured systems and mitigate the threat by securing, patching, decommissioning or isolating them.
Attacks involving use of social media.
Many people have accounts on social media where they often inadvertently disclose information. Attackers can exploit this type of information to launch attacks.
In social engineering, attackers manipulate IT system users through psychological triggers such as curiosity or fear to achieve a desired response.
Because the source of a social engineering message usually appears trustworthy, users often click on a link that installs malware on the computer they are using. This exposes personal information, login credentials and other corporate data that the user has access to the attacker.
Companies can mitigate social engineering by training users to recognize suspicious social engineering messages and forward them to the security team. But technical systems such as email filtering systems can also play a role.
Malware on clients.
Enterprise users work with a variety of endpoints, including mobile devices such as laptops, tablets and smartphones. A key threat to all of these endpoints is malware, which can be transmitted in a variety of ways. It can lead to the compromise of the client itself as well as to the spread of the compromise to other clients and servers.
Missing mobile device encryption.
Encryption methods encrypt data so that it can only be decrypted by users with secret keys. Using cryptography for encryption is very effective in preventing data loss or corruption when devices are lost or stolen.
Inaccurate or inadequate security configuration of cloud services.
Modern enterprises often use a variety of platforms and cloud services. Almost all of these services have sophisticated built-in security features, but they must be configured and customized by the enterprise to meet its needs. Incorrect or negligent security configuration, or simple human error, can easily lead to a serious security incident.
Information security protection goals - what measures can be used to achieve them?
Achieving the protection goals relevant to information security involves both organizational and technical measures.
An Information Security Management System (ISMS) is commonly used for the holistic management of information security in the company. In this context, responsibility for information security and the ongoing operation of the ISMS is delegated to an information security officer (ISO).