What is Information Security (InfoSec)?

Three Principles of Information Security

The “CIA Triad” describes the three principles of information security or the goals that an information security solution may be designed to achieve.

• Confidentiality: Confidentiality refers to protecting information from unauthorized access or potential disclosure. Encryption, access controls, and similar solutions are designed to protect confidentiality.
• Integrity: Integrity refers to ensuring that unauthorized modifications to data can’t be performed without detection. Hashes, checksums, and digital signatures are examples of solutions designed to ensure information integrity.
• Availability: Availability measures whether systems or data are available to legitimate users. Backups, load balancing, and similar solutions are designed to ensure availability.

Information Security Threats

An organization’s data can be leaked, breached, destroyed, or otherwise impacted in a variety of ways. Some common information security threats include the following:

• Vulnerable Systems: Most modern organizations store and process their data on computer systems. If these systems contain vulnerabilities, an attacker may be able to exploit these vulnerabilities to gain access to the data that they contain.
• Social Engineering: Social engineering is one of the most common information security threats that companies face. It involves the use of deception, manipulation, or coercion to get a user to take some action, such as installing malware or handing over sensitive data.
• Malware: Many types of malware — such as information stealers and ransomware — are designed to target an organization’s data. If an attacker can install malware on an organization’s systems, they can use the malware to steal, encrypt, or destroy data.
• Missing Encryption: Encryption is one of the most effective ways to protect data against unauthorized access and potential leakage. Failing to encrypt data leaves it vulnerable to potential breaches.
• Security Misconfigurations: Systems and applications have various configuration options that can impact their security. If these configurations are set improperly, they may leave data vulnerable to unauthorized access.

Data Protection Laws and Information Security

Information security is a core area of focus for data protection laws such as:

• General Data Protection Regulation (GDPR)
• Health Insurance Portability and Accountability Act (HIPAA)
• Payment Card Industry Data Security Standard (PCI DSS)
• California Consumer Privacy Act (CCPA)
• Federal Trade Commission Act
• Children’s Online Privacy Protection Act (COPPA)
• Gramm Leach Bliley Act (GLBA)
• Fair Credit Reporting Act

These and other data protection laws commonly mandate that an organization have security controls in place to protect sensitive data. A robust information security program is essential to meeting these compliance requirements.