ArtsAutosBooksBusinessEducationEntertainmentFamilyFashionFoodGamesGenderHealthHolidaysHomeHubPagesPersonal FinancePetsPoliticsReligionSportsTechnologyTravel

Overview of Information Security and IT Solutions

Updated on January 9, 2018
tamarawilhite profile image

Tamara Wilhite is a technical writer, an industrial engineer, a mother of two, and a published sci-fi and horror author.

What Information Do We Need to Protect?

Different types of information require different levels of protection. Personally identifiable information, trade secrets, government classified information, medical records and financial information are more sensitive than blog posts and general web search results.

This is why here are laws setting minimum standards for protecting personally identifiable information and financial records than less important records.

Medical records are protected because of the potential embarrassment revelations would cause, and because making this information public could lead people to avoid treatment for issues like mental illness, sexually transmitted diseases and injuries that occurred in unusual circumstances.

Governments require protection of sensitive information to protect their soldiers and maintain an advantage over their competitors. Governments mandate severe punishments for sharing information to be kept secret as well as punish intellectual property theft to improve the economic success (and tax revenue) of companies in their jurisdiction.

Trade secrets are kept secret so that companies can retain their advantage in the marketplace. Pricing information, bids and customers lists are kept secret so that competitors cannot use this information against the company. The theft of software code and product designs are cheap ways for other companies or countries to avoid the time and cost of doing the work themselves.

What is Personally Identifiable Information?

What is PII, also called personally identifiable information? Personally identifiable information includes someone’s Social Security Number, driver’s license number or financial account number in combination with his or her name and address.

Personally identifiable information or PII must be protected to prevent identity theft and the financial theft identity theft allows. Personally identifiable information protection is legally mandated by several different sets of laws.

Types of Information Security Violations

There are generally thought to be three levels of security violations. The first level is an inadvertent security violation in which there was no loss of highly restricted information. These are near-misses or near-spills. The second level is an inadvertent loss of restricted information. These inadvertent losses of information are called data spills.

The most severe type of information security violation is a deliberate violation of information security or repeated, inadvertent spills. A deliberate violation is considered a “data leak”. A data leak greater threat than inadvertent losses because someone chose to break the rules.

Multiple inadvertent leaks indicate someone who is careless with what should be treated with the utmost care or a broken set of procedures. Imagine someone carrying fine china on a serving tray. Whether the server does not bother to stay balanced and drops many items or the floor is constantly wet, leading to repeated falls and broken dishes, there is a broader or larger problem that must be addressed than a single, inadvertent mistake.

Information security polices such as requiring the log off of machines at the end of the day or use of biometric sensors prevent others from accessing data they should not.
Information security polices such as requiring the log off of machines at the end of the day or use of biometric sensors prevent others from accessing data they should not. | Source

Information Security Solutions

Information security violations are limited by access controls, periodic audits and supervision of user activities. Information security violations are often tied to information security policies. Information security polices tell users what is allowed and actions that are not allowed. These polices are tied to Human Resource polices that give the information security policies teeth.

Many inadvertent information security losses or violations of IT security policies are mistakes. New employees were not aware of company policies. Someone forgot that it is against the rules to give someone’s Social Security Number over the phone to anyone else. An engineer had a momentary lapse and emailed a file on a restricted project to someone not cleared on the project. A purchaser sent proprietary company drawings to supplier for bid along with the technical data package for the one component the supplier was supposed to quote.

This is why companies should try to build in access control limits and external controls; minimizing the possible mistakes people can make reduces the possible harm that can occur when people do make mistakes. These rules are enforced by monitoring of IT systems and HR policies that cause others to want to follow them, despite the inconvenience.

For example, an information security policy that says you should not give out your login information or let others log in as you could be enforced by punishing those who share accounts as well as those who use the accounts of others to view information they should not. Someone who shares personnel files for the sake of gossip can be identified through audit logs reviewed per IT security polices, but they are fired for their actions due to Human Resources policies. Information security polices may forbid the installation of software onto the network without explicit IT department permission. IT security staff monitor the software installation or the software is found in a review of the software applications found on the machine when it is serviced by help desk staff. The employee is then reprimanded in accordance with HR polices.

IT files will record the violations that occur and why commits them. IT can look for patterns such as work groups with higher rates of accidental information leaks or individuals who appear to be circumventing IT controls. It is HR policy that leads to the firing of those who deliberately leak information by emailing proprietary files to journalists or a competitor. An IT solution could involve the blocking of access to external email websites while information security polices state that it is a serious offense to email work files to a personal email account, whether the intent is to work from home or send the files to a company the person wishes to work for later.

Access control limits also help companies maintain control of their message. Limiting access to the company website ensures that only approved webmasters alter it and make it harder for casual hackers to deface it. Restricting access to the company's online portal and requiring that the information be reviewed and approved before posting prevents incorrect information from being published, whether it is on the company's blog or digital press releases.

For example, public relations intern may get to write draft tweets, but the account should have access controls so that the intern does not accidentally send out a message that is contrary to the company's desired image. With proper access controls in place, nor would a teenager on "take your kids to work day" be able to casually access the system and peruse the parent's performance review or patient medical records.

In short, well designed and properly maintained access control limits will prevent many data spills (inadvertent access to what one should not see) but will not stop as many data leaks (deliberate attempts to access information against the rules).

If you do not have strong network security, your data can be intercepted as it is transmitted over the network.
If you do not have strong network security, your data can be intercepted as it is transmitted over the network. | Source

Relationship between Different Types of Information Security

Application security relates to the security of software applications. Do you have a unique user account for each person to control access for each person and track their activities? Do you limit information viewing rights to only what individuals need to know?

Physical security is relevant to information security. Someone with access to a restricted area could view classified data simply by reading the screen while standing behind someone with access to the data. Or a thief could copy data on a hard drive to disk of someone logged into the machine or simply steal the whole computer. Monitoring and controlling access to restricted areas helps ensure the security of information in those areas.

Human resources security is tied to information security. Do you turn off accounts when people leave the company? Do you strip users of access to restricted projects when they no longer work on those projects? Do you limit administrative access to those who have IT administrative job titles? Do you perform background checks on contractors before allowing them into the facility to ensure that they are not foreign nationals or work for your competitors, and thus have a reason to steal your information?

Information security can relate to the protection of information or limiting access to it. For example, access to personally identifiable information or PII should only be available to those who need it to do their jobs, such as Human Resources personnel who perform background checks based on Social Security Numbers or payroll staff who use SSNs in preparing paychecks and updating tax records.

Access control limits or access controls also relate to the ability to view, access and edit information. Assemblers on the shop floor need to be able to see documents but should not have the right to alter them. Engineers should be able to view and review drawings, but the ability to edit drawings may be limited to configuration managers or approved drafters.

Managers may need the ability to view the access levels of other employees, but they should not be able to view access lists for projects on which they do not work. The ability to add new users and manage user permissions should be limited to system administrators or database administrators, though the ability to add new users with view only permissions can be granted to project managers.

IT access control limits put limits on what users can do, such as viewing certain types of information, editing files, deleting files or creating new objects. A common access control IT groups use is the division of administrative accounts and general user accounts even for system administrators. The system administrator can query general documents as a user but must then log in as an administrator to delete the file; this limits the mistakes that could be made by an administrator such as deleting the wrong file or editing an object still checked out by a user.

Balancing Information Security with User Needs

Information systems like databases need to be accessible to users when required. Adding access control limits so tight that users can almost never get the information they need is a problem in and of itself. There is a delicate balancing act between preventing access to potential hackers and ensuring rapid service to legitimate, high demand users. Information systems like databases must have high reliability; they must almost always be operational and available. Constant system scans for possible intruders slows down system performance for legitimate users.

Databases and information technology systems must be secure; only authorized users should be able to see information, while those who do not have permission cannot access restricted information. Complex layers of access control limits could make it impossible for users to access information without multiple sets of permissions that are a hassle for system administrators to manage.

Information systems must have high integrity; the information cannot be easily changed by unauthorized parties, be they hackers or general users who only intended to search for an entry, not change it. However, adding strict limits on who can access information and when could cause users frustration when they need to correct errors in the database, be they misspelled names or incorrect part serial numbers.

Industry Standards for IT Security

There are several major industry standards in IT security set by the ISO. ISO 27001 and ISO 27002 are two of the most significant information security standards by the International Organization for Standardization. ISO 27001 gives the basic requirements for information security. ISO 27002 gives the ISO’s recommended practices for meeting the requirements in ISO 27001.

ISO 27003 gives recommendations on how to implement an information security management system as described in ISO 27001. ISO 27004 outlines information security metrics recognized by the ISO.

ISO 27005 describes the process for information security risk management, the process of identifying threats to your information and information technology security, determining the odds and cost of each risk.

These standards are called the ISO 27000 series. They originate from the ISO standard 17799, much of which was incorporated into ISO 27002.


This website uses cookies

As a user in the EEA, your approval is needed on a few things. To provide a better website experience, uses cookies (and other similar technologies) and may collect, process, and share personal data. Please choose which areas of our service you consent to our doing so.

For more information on managing or withdrawing consents and how we handle data, visit our Privacy Policy at:

Show Details
HubPages Device IDThis is used to identify particular browsers or devices when the access the service, and is used for security reasons.
LoginThis is necessary to sign in to the HubPages Service.
Google RecaptchaThis is used to prevent bots and spam. (Privacy Policy)
AkismetThis is used to detect comment spam. (Privacy Policy)
HubPages Google AnalyticsThis is used to provide data on traffic to our website, all personally identifyable data is anonymized. (Privacy Policy)
HubPages Traffic PixelThis is used to collect data on traffic to articles and other pages on our site. Unless you are signed in to a HubPages account, all personally identifiable information is anonymized.
Amazon Web ServicesThis is a cloud services platform that we used to host our service. (Privacy Policy)
CloudflareThis is a cloud CDN service that we use to efficiently deliver files required for our service to operate such as javascript, cascading style sheets, images, and videos. (Privacy Policy)
Google Hosted LibrariesJavascript software libraries such as jQuery are loaded at endpoints on the or domains, for performance and efficiency reasons. (Privacy Policy)
Google Custom SearchThis is feature allows you to search the site. (Privacy Policy)
Google MapsSome articles have Google Maps embedded in them. (Privacy Policy)
Google ChartsThis is used to display charts and graphs on articles and the author center. (Privacy Policy)
Google AdSense Host APIThis service allows you to sign up for or associate a Google AdSense account with HubPages, so that you can earn money from ads on your articles. No data is shared unless you engage with this feature. (Privacy Policy)
Google YouTubeSome articles have YouTube videos embedded in them. (Privacy Policy)
VimeoSome articles have Vimeo videos embedded in them. (Privacy Policy)
PaypalThis is used for a registered author who enrolls in the HubPages Earnings program and requests to be paid via PayPal. No data is shared with Paypal unless you engage with this feature. (Privacy Policy)
Facebook LoginYou can use this to streamline signing up for, or signing in to your Hubpages account. No data is shared with Facebook unless you engage with this feature. (Privacy Policy)
MavenThis supports the Maven widget and search functionality. (Privacy Policy)
Google AdSenseThis is an ad network. (Privacy Policy)
Google DoubleClickGoogle provides ad serving technology and runs an ad network. (Privacy Policy)
Index ExchangeThis is an ad network. (Privacy Policy)
SovrnThis is an ad network. (Privacy Policy)
Facebook AdsThis is an ad network. (Privacy Policy)
Amazon Unified Ad MarketplaceThis is an ad network. (Privacy Policy)
AppNexusThis is an ad network. (Privacy Policy)
OpenxThis is an ad network. (Privacy Policy)
Rubicon ProjectThis is an ad network. (Privacy Policy)
TripleLiftThis is an ad network. (Privacy Policy)
Say MediaWe partner with Say Media to deliver ad campaigns on our sites. (Privacy Policy)
Remarketing PixelsWe may use remarketing pixels from advertising networks such as Google AdWords, Bing Ads, and Facebook in order to advertise the HubPages Service to people that have visited our sites.
Conversion Tracking PixelsWe may use conversion tracking pixels from advertising networks such as Google AdWords, Bing Ads, and Facebook in order to identify when an advertisement has successfully resulted in the desired action, such as signing up for the HubPages Service or publishing an article on the HubPages Service.
Author Google AnalyticsThis is used to provide traffic data and reports to the authors of articles on the HubPages Service. (Privacy Policy)
ComscoreComScore is a media measurement and analytics company providing marketing data and analytics to enterprises, media and advertising agencies, and publishers. Non-consent will result in ComScore only processing obfuscated personal data. (Privacy Policy)
Amazon Tracking PixelSome articles display amazon products as part of the Amazon Affiliate program, this pixel provides traffic statistics for those products (Privacy Policy)
ClickscoThis is a data management platform studying reader behavior (Privacy Policy)