Information Security (infosec) is the collective set of processes and methodologies designed and implemented to protect all forms of confidential information within a company, whether printed, electronic or in any other form. Cybersecurity, which is often used interchangeably with information security, is a subset that focuses solely on threats that arrive over electronic means, such as attempted hacks against a company’s computer network. Information security has 10 core domains:
The 10 information security domains
Physical Security: Physical security is the set of measures that deny unauthorized access to a company’s facilities, equipment and other resources. It is also meant to defend against physical damage, theft and espionage. Common examples of physical security measures include guard dogs, locks, CCTV surveillance and fire protection.
Identity and Access Management: This area focuses on creating the policies and processes that ensure only the right people get access to company resources. This is done through the AAA framework, where AAA stands for authentication, authorization and accounting. Authentication is the process of confirming that a user is who they claim to be. For example, when you give a website your username and password, that confirms to the website that you are the holder of that account. Authorization is the second step: once your identity is confirmed, authorization is the process of determining which actions that user is allowed to perform. For example, is the account an administrator account, a regular user account or a guest account? Each one has a different level of permissions; an admin account may be allowed to create new accounts while the other two types are not. All of this is determined through authorization. Lastly, accounting is the process of recording what a user does with their access. For example, did they create a file, delete some files or send data over the network? This record is important for auditing, billing, measuring resource utilization and so on.
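The three AAA steps above map directly onto code. The following is an added example written for this article, not something the original author provided: a small access controller that authenticates against salted password hashes, authorizes by role, and records every attempt (permitted or not) in an accounting log. The usernames, passwords and roles are constructed sample data.

```python
"""Added example (not from the original article): a minimal implementation of the
AAA framework. All users, roles and passwords below are constructed sample data."""
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

PBKDF2_ROUNDS = 100_000


# --- Authentication: store only a salted PBKDF2 hash, never the password ----
def make_credential(password: str) -> dict:
    """Create the stored record for a new account (random salt + PBKDF2 hash)."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest}


def authenticate(users: dict, username: str, password: str) -> bool:
    """Return True only if the password matches the stored hash for username."""
    cred = users.get(username)
    if cred is None:
        # Hash anyway so unknown and known usernames take the same time to reject.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, PBKDF2_ROUNDS)
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), cred["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, cred["hash"])  # constant-time comparison


# --- Authorization: each role maps to the actions it may perform ------------
ROLE_PERMISSIONS = {
    "admin": {"create_account", "create_file", "delete_file", "read_file"},
    "user": {"create_file", "delete_file", "read_file"},
    "guest": {"read_file"},
}


def authorize(role: str, action: str) -> bool:
    """Deny by default: an unknown role or unlisted action is never allowed."""
    return action in ROLE_PERMISSIONS.get(role, set())


# --- Accounting: every attempt is written to an audit log ------------------
class AccessController:
    def __init__(self, users: dict, roles: dict):
        self.users = users          # username -> credential record
        self.roles = roles          # username -> role name
        self.audit_log = []         # list of accounting entries

    def perform(self, username: str, password: str, action: str) -> str:
        """Run the AAA sequence and return 'allowed', 'denied' or 'auth_failed'."""
        if not authenticate(self.users, username, password):
            outcome = "auth_failed"
        elif not authorize(self.roles.get(username, ""), action):
            outcome = "denied"
        else:
            outcome = "allowed"
        # Accounting happens regardless of outcome: failed attempts are what an
        # auditor most wants to see.
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": username,
            "action": action,
            "outcome": outcome,
        })
        return outcome


# Constructed sample directory (hypothetical accounts, not real data).
USERS = {
    "alice": make_credential("correct horse battery staple"),
    "bob": make_credential("hunter2"),
    "visitor": make_credential("guest-pass"),
}
ROLES = {"alice": "admin", "bob": "user", "visitor": "guest"}


if __name__ == "__main__":
    ac = AccessController(USERS, ROLES)
    print(ac.perform("alice", "correct horse battery staple", "create_account"))
    print(ac.perform("bob", "hunter2", "create_account"))
    print(ac.perform("bob", "wrong-password", "read_file"))
    for entry in ac.audit_log:
        print(entry)
```

Note that authorization is deny-by-default and that the accounting step runs on every path, including failed logins; a log that only records successes is of little use for the auditing purpose the article describes.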
Disaster Recovery and Business Continuity Planning: These activities focus on planning for unexpected disasters such as hurricanes, earthquakes and building fires. Business continuity comes first and focuses on how the company can maintain as much operational capacity as possible during the disaster. Disaster recovery is the second step and focuses on bringing the business back to 100% capacity once the initial emergency has passed.
Security Architecture: Security architecture focuses on how hardware, software and operating system components can be combined to create secure computer systems. This can be electronic, using things like firewalls, or it can be the physical layout of a building. In both cases it means having multiple layers of security controls around each company asset, so that if one control fails, other controls still prevent a security breach. Below is an example of an AWS computer network. You can see how there are multiple layers of security for each instance, including security groups, access control lists, isolated subnets and a separate gateway for internet traffic.
Information Security Governance: Governance is about creating the policies, standards, procedures and guidelines that govern how the company’s information security program will be run. You can think of this as the overall strategy and direction the company is moving towards; it is generally about long-term goals and objectives. For example, a long-term goal may be to build out a dedicated team of 10 people that handle all of the company’s computer forensics. This long-term plan would include things like onboarding, training and awareness, and procuring software tools for the team to use.
Security Assessment and Testing: This is all about identifying deficiencies in your company’s security posture. It is done through assessments, which are formal reviews of the company’s security controls, or through tests that simulate common attacks against different company assets. The information gathered during the test or assessment is then used to fix any weaknesses that were found.
Legal, Regulations & Compliance: This area focuses on maintaining compliance with the regulations and laws that govern a company’s information security program. Typically, these laws mandate that the company have certain security controls in place for any computer system that holds consumer information. They also require specific actions around obtaining consumer consent, the use of consumer information within the company, the disposal of consumer information, and notification in the event of a data breach.
Software Development Security: Most vulnerabilities in software are introduced during the software development lifecycle (SDLC). Software development security focuses on producing secure applications and maintaining secure development environments. This is done through several methods, including source code reviews, static code scans, fuzzing and penetration testing.
Cryptography: Within computer science, cryptography refers to techniques for securing information and communication. Within security this usually means encryption and hash functions. Encryption protects information from being read by unintended third parties by requiring that the reader hold the correct key to decrypt the message. A hash function produces a fixed-size fingerprint of a message, which is used to determine whether the message has been modified by an unintended third party. Encryption algorithms combined with hash functions are used for secure communication between two parties.
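To make the combination of encryption and hash functions concrete, here is an added example (not from the original article) that encrypts a message and then attaches a keyed hash (an HMAC) over the ciphertext, so the receiver can detect any modification before decrypting. One caveat the paragraph above does not spell out: a plain, unkeyed hash only detects accidental corruption, because anyone who can alter the message can recompute the hash; detecting a deliberate third party requires a key the attacker does not have, which is why the integrity check here is keyed. The keystream is a teaching construction built from HMAC-SHA256 in counter mode using only the Python standard library; production code should use a vetted authenticated cipher such as AES-GCM instead.

```python
"""Added example (not part of the original article): encryption combined with a
keyed hash (HMAC) for confidentiality plus tamper detection, using only the
standard library. The HMAC-counter keystream is for illustration; real systems
should use a vetted AEAD such as AES-GCM or ChaCha20-Poly1305."""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

NONCE_LEN = 16
TAG_LEN = 32  # SHA-256 output size


def sha256_hex(data: bytes) -> str:
    """A plain hash function: any change to the input changes the digest."""
    return hashlib.sha256(data).hexdigest()


def derive_keys(master: bytes) -> Tuple[bytes, bytes]:
    """Derive separate encryption and authentication keys from one master key."""
    enc_key = hmac.new(master, b"encrypt", hashlib.sha256).digest()
    mac_key = hmac.new(master, b"authenticate", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Pseudo-random keystream: HMAC(key, nonce || counter) for counter = 0, 1, ..."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(master: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    enc_key, mac_key = derive_keys(master)
    nonce = secrets.token_bytes(NONCE_LEN)  # fresh per message, never reused
    ks = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(master: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the message was modified or the key is wrong."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    enc_key, mac_key = derive_keys(master)
    nonce = blob[:NONCE_LEN]
    ciphertext = blob[NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    # Verify the tag in constant time BEFORE touching the ciphertext.
    if not hmac.compare_digest(tag, expected):
        return None
    ks = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def tamper(blob: bytes, index: int) -> bytes:
    """Flip one bit at the given offset, simulating modification in transit."""
    modified = bytearray(blob)
    modified[index] ^= 0x01
    return bytes(modified)


if __name__ == "__main__":
    # Constructed sample key and message, not real secrets.
    key = secrets.token_bytes(32)
    message = b"transfer 100 to account 42"
    print("hash of original :", sha256_hex(message))
    print("hash of modified :", sha256_hex(b"transfer 900 to account 42"))
    blob = encrypt(key, message)
    print("decrypts to      :", decrypt(key, blob))
    print("after tampering  :", decrypt(key, tamper(blob, NONCE_LEN + 9)))
```

The receiver checks the HMAC tag first and refuses to decrypt anything that fails it, which is what turns "encryption plus hash" into a secure channel rather than two unrelated tools.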
Operations Security (OPSEC): This focuses on looking at your own company’s operations or projects from the perspective of your competitors. For example, if you can look at your company’s operations from the outside and easily piece together what is going on, then it is likely that your competitors can too. This can lead to loss of intellectual property and other competitive advantages if other companies can anticipate what your company will do based on its visible operations. To prevent this, many companies release subtle misinformation and keep certain information private. Another example is employees posting about upcoming product releases on social media; this is an easy way for competitors to learn about your company’s future plans.