Overview of Information Security and IT Solutions
What Information Do We Need to Protect?
Different types of information require different levels of protection. Personally identifiable information, trade secrets, government classified information, medical records and financial information are more sensitive than blog posts and general web search results.
This is why there are laws setting minimum standards for protecting personally identifiable information and financial records that do not apply to less important records.
Medical records are protected because of the potential embarrassment revelations would cause, and because making this information public could lead people to avoid treatment for issues like mental illness, sexually transmitted diseases and injuries that occurred in unusual circumstances.
Governments require protection of sensitive information to protect their soldiers and maintain an advantage over their competitors. Governments mandate severe punishments for sharing information to be kept secret as well as punish intellectual property theft to improve the economic success (and tax revenue) of companies in their jurisdiction.
Trade secrets are kept secret so that companies can retain their advantage in the marketplace. Pricing information, bids and customers lists are kept secret so that competitors cannot use this information against the company. The theft of software code and product designs are cheap ways for other companies or countries to avoid the time and cost of doing the work themselves.
What is Personally Identifiable Information?
Personally identifiable information, or PII, includes someone’s Social Security Number, driver’s license number or financial account number in combination with his or her name and address.
PII must be protected to prevent identity theft and the financial fraud that identity theft enables. Protection of personally identifiable information is legally mandated by several different sets of laws.
Types of Information Security Violations
There are generally thought to be three levels of security violations. The first level is an inadvertent security violation in which there was no loss of highly restricted information. These are near-misses or near-spills. The second level is an inadvertent loss of restricted information. These inadvertent losses of information are called data spills.
The most severe type of information security violation is a deliberate violation of information security or repeated, inadvertent spills. A deliberate violation is considered a “data leak”. A data leak is a greater threat than an inadvertent loss because someone chose to break the rules.
Multiple inadvertent leaks indicate someone who is careless with what should be treated with the utmost care or a broken set of procedures. Imagine someone carrying fine china on a serving tray. Whether the server does not bother to stay balanced and drops many items or the floor is constantly wet, leading to repeated falls and broken dishes, there is a broader or larger problem that must be addressed than a single, inadvertent mistake.
Information Security Solutions
Information security violations are limited by access controls, periodic audits and supervision of user activities. What counts as a violation is defined by the organization's information security policies. Information security policies tell users which actions are allowed and which are not. These policies are tied to Human Resources policies that give the information security policies teeth.
Many inadvertent information security losses or violations of IT security policies are mistakes. New employees were not aware of company policies. Someone forgot that it is against the rules to give someone’s Social Security Number over the phone to anyone else. An engineer had a momentary lapse and emailed a file on a restricted project to someone not cleared on the project. A purchaser sent proprietary company drawings to a supplier for bid along with the technical data package for the one component the supplier was supposed to quote.
This is why companies should try to build in access control limits and external controls; minimizing the possible mistakes people can make reduces the possible harm that can occur when people do make mistakes. These rules are enforced by monitoring of IT systems and HR policies that cause others to want to follow them, despite the inconvenience.
For example, an information security policy that says you should not give out your login information or let others log in as you could be enforced by punishing those who share accounts as well as those who use the accounts of others to view information they should not. Someone who shares personnel files for the sake of gossip can be identified through audit logs reviewed per IT security policies, but they are fired for their actions due to Human Resources policies. Information security policies may forbid the installation of software onto the network without explicit IT department permission. IT security staff monitor software installations, or the software is found in a review of the applications present on the machine when it is serviced by help desk staff. The employee is then reprimanded in accordance with HR policies.
IT logs will record the violations that occur and who commits them. IT can look for patterns such as work groups with higher rates of accidental information leaks or individuals who appear to be circumventing IT controls. It is HR policy that leads to the firing of those who deliberately leak information by emailing proprietary files to journalists or a competitor. An IT solution could involve blocking access to external email websites, while information security policies state that it is a serious offense to email work files to a personal email account, whether the intent is to work from home or to send the files to a company the person wishes to work for later.
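The pattern review described above, as an added example that is not part of the original article: it runs over a constructed audit log (field layout, event names and thresholds are all assumptions made here) and reports work groups with a high rate of control hits and individuals who repeatedly run into IT controls.

```python
from collections import Counter

# Constructed sample audit log for this example: timestamp, user,
# work group, event. Event names are invented; "blocked"/"denied"
# events are places where an IT control stopped a user action.
AUDIT_LOG = """\
2024-03-01T09:02 alice engineering email_blocked_external
2024-03-01T09:15 bob   engineering usb_write_blocked
2024-03-01T10:40 alice engineering email_blocked_external
2024-03-02T08:05 carol purchasing  email_blocked_external
2024-03-02T11:30 alice engineering webmail_blocked
2024-03-03T14:00 dave  hr          file_access_denied
2024-03-03T15:20 erin  purchasing  login_ok
2024-03-04T09:00 bob   engineering login_ok
"""

def parse_log(text):
    """Yield (user, group, event) tuples; skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, user, group, event = parts
        yield user, group, event

def is_control_hit(event):
    """True when the event records an IT control stopping an action."""
    return "blocked" in event or "denied" in event

def group_rates(text):
    """Fraction of each work group's events that hit an IT control."""
    total, hits = Counter(), Counter()
    for _user, group, event in parse_log(text):
        total[group] += 1
        if is_control_hit(event):
            hits[group] += 1
    return {g: hits[g] / total[g] for g in total}

def flag_groups(text, min_events=2, rate=0.5):
    """Groups with enough events whose control-hit rate exceeds `rate`."""
    counts = Counter(g for _u, g, _e in parse_log(text))
    return sorted(g for g, r in group_rates(text).items()
                  if counts[g] >= min_events and r > rate)

def repeat_offenders(text, threshold=3):
    """Users whose number of control hits reaches the threshold."""
    per_user = Counter(u for u, _g, e in parse_log(text) if is_control_hit(e))
    return sorted(u for u, n in per_user.items() if n >= threshold)
```

In the sample, engineering is flagged as a group and alice as an individual; a real review would feed the flagged names to the HR process the text describes rather than act on the numbers alone.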
Access control limits also help companies maintain control of their message. Limiting access to the company website ensures that only approved webmasters alter it and makes it harder for casual hackers to deface it. Restricting access to the company's online portal and requiring that information be reviewed and approved before posting prevents incorrect information from being published, whether on the company's blog or in digital press releases.
For example, a public relations intern may get to write draft tweets, but the account should have access controls so that the intern does not accidentally send out a message that is contrary to the company's desired image. Nor, with proper access controls in place, would a teenager on "take your kids to work day" be able to casually access the system and peruse a parent's performance review or patient medical records.
In short, well designed and properly maintained access control limits will prevent many data spills (inadvertent access to what one should not see) but will not stop as many data leaks (deliberate attempts to access information against the rules).
Relationship between Different Types of Information Security
Application security relates to the security of software applications. Do you have a unique user account for each person to control access for each person and track their activities? Do you limit information viewing rights to only what individuals need to know?
Physical security is relevant to information security. Someone with access to a restricted area could view classified data simply by reading the screen while standing behind someone with access to the data. Or a thief could copy data from the hard drive of a machine someone has left logged in, or simply steal the whole computer. Monitoring and controlling access to restricted areas helps ensure the security of information in those areas.
Human resources security is tied to information security. Do you turn off accounts when people leave the company? Do you strip users of access to restricted projects when they no longer work on those projects? Do you limit administrative access to those who have IT administrative job titles? Do you perform background checks on contractors before allowing them into the facility to ensure that they are not foreign nationals or work for your competitors, and thus have a reason to steal your information?
Information security can relate to the protection of information or limiting access to it. For example, access to personally identifiable information or PII should only be available to those who need it to do their jobs, such as Human Resources personnel who perform background checks based on Social Security Numbers or payroll staff who use SSNs in preparing paychecks and updating tax records.
Access control limits or access controls also relate to the ability to view, access and edit information. Assemblers on the shop floor need to be able to see documents but should not have the right to alter them. Engineers should be able to view and review drawings, but the ability to edit drawings may be limited to configuration managers or approved drafters.
Managers may need the ability to view the access levels of other employees, but they should not be able to view access lists for projects on which they do not work. The ability to add new users and manage user permissions should be limited to system administrators or database administrators, though the ability to add new users with view only permissions can be granted to project managers.
IT access control limits put limits on what users can do, such as viewing certain types of information, editing files, deleting files or creating new objects. A common access control IT groups use is the division of administrative accounts and general user accounts even for system administrators. The system administrator can query general documents as a user but must then log in as an administrator to delete the file; this limits the mistakes that could be made by an administrator such as deleting the wrong file or editing an object still checked out by a user.
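The access rules in this section (need-to-know project membership, view-only roles, separate administrator sessions for destructive actions, and no editing of objects checked out by another user), as an added example that is not part of the original article. Role names, permission names and the Session structure are assumptions made for this example.

```python
from dataclasses import dataclass

PERMISSIONS = {"view", "edit", "delete", "create", "add_viewer", "manage_users"}

# Role -> permissions on a project's drawings and documents (assumed roles
# modelled on the text: shop-floor assemblers and engineers only view,
# drafters and configuration managers edit, project managers may add
# view-only users, system administrators may do everything).
ROLES = {
    "assembler": {"view"},
    "engineer": {"view"},
    "drafter": {"view", "edit", "create"},
    "config_manager": {"view", "edit", "create"},
    "project_manager": {"view", "add_viewer"},
    "sysadmin": PERMISSIONS,
}

# Actions that need the administrator login, not the everyday user session.
ADMIN_ONLY = {"delete", "manage_users"}

@dataclass
class Session:
    user: str
    role: str
    projects: frozenset        # projects the user is cleared for
    elevated: bool = False     # True only after logging in as administrator

def authorize(session, action, project, checked_out_by=None):
    """Return (allowed, reason). Deny by default; every allow is explicit."""
    if action not in PERMISSIONS:
        return False, "unknown action"
    if project not in session.projects:
        return False, "not a member of project"
    if action not in ROLES.get(session.role, set()):
        return False, "role lacks permission"
    if action in ADMIN_ONLY and not session.elevated:
        return False, "requires administrator session"
    if action in {"edit", "delete"} and checked_out_by not in (None, session.user):
        return False, f"object checked out by {checked_out_by}"
    return True, "ok"
```

The returned reason is what an audit log should record for a denial, so that reviewers can tell a missing clearance from a missing administrator login.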
Balancing Information Security with User Needs
Information systems like databases need to be accessible to users when required. Adding access control limits so tight that users can almost never get the information they need is a problem in and of itself. There is a delicate balancing act between preventing access by potential hackers and ensuring rapid service to legitimate, high-demand users. Information systems like databases must have high reliability; they must almost always be operational and available. Constant system scans for possible intruders slow down system performance for legitimate users.
Databases and information technology systems must be secure; only authorized users should be able to see information, while those who do not have permission cannot access restricted information. Complex layers of access control limits could make it impossible for users to access information without multiple sets of permissions that are a hassle for system administrators to manage.
Information systems must have high integrity; the information cannot be easily changed by unauthorized parties, be they hackers or general users who only intended to search for an entry, not change it. However, adding strict limits on who can access information and when could cause users frustration when they need to correct errors in the database, be they misspelled names or incorrect part serial numbers.
Industry Standards for IT Security
There are several major industry standards in IT security set by the ISO. ISO 27001 and ISO 27002 are two of the most significant information security standards by the International Organization for Standardization. ISO 27001 gives the basic requirements for information security. ISO 27002 gives the ISO’s recommended practices for meeting the requirements in ISO 27001.
ISO 27003 gives recommendations on how to implement an information security management system as described in ISO 27001. ISO 27004 outlines information security metrics recognized by the ISO.
ISO 27005 describes the process for information security risk management, the process of identifying threats to your information and information technology security, determining the odds and cost of each risk.
These standards are called the ISO 27000 series. They originate from the ISO standard 17799, much of which was incorporated into ISO 27002.