Information security: definition, objectives, protection goals and implementation
As the use of IT systems increases, so does the risk of cyberattacks or unauthorised access to company information and data. Information security should protect this data and ensure its confidentiality, integrity and availability.
The topic of information security is closely linked to IT security, data security and data protection and is operationally implemented in most companies by an information security officer. This person is guided in the implementation by guidelines such as basic IT protection and standards such as ISMS certification according to ISO 27001. The requirements of the guidelines and standards are integrated by the information security officer into an information security management system and continuously controlled and optimised. For this task, companies designate an internal ISB or appoint an external information security officer.
In the following article you will learn what exactly information security is, what protection goals there are and how they can be integrated in the company.
Key information about information security
- Information security means the protection of information and data
- This protection is guaranteed by technical and organisational measures within the framework of the so-called protection goals.
- The most important protection goals are availability, integrity and confidentiality.
- The most important German requirements for information security are defined in the "IT-Grundschutz" by the Federal Office for Information Security. These are not legal requirements. This gives companies a certain degree of freedom in implementing information security concepts.
- The Information Security Officer supports companies in the implementation of information security.
- Information security measures are controlled via an information security management system (ISMS)
Content on the topic of information security:
Whitepaper Guide to Managing the Compliance Field of Information Security
In the Guide to Managing the Compliance Field of Information Security, you will find:
- Information on compliance management and information security
- Who in your company is responsible for information security
- Which norms and standards are relevant for information security
- A step-by-step explanation of how to implement an information security management system
Information security definition
Information security refers to the protection of information from unauthorised access, modification, disclosure or destruction. It includes measures, policies and technologies designed to ensure the confidentiality, integrity and availability of information. The main objective of information security is to ensure that information is protected from threats such as hacking, data loss, theft or misuse. This also includes ensuring that information is used lawfully and that it is handled in accordance with applicable laws and regulations. Information security is of great importance in today's interconnected world as dependency on digital information and systems continues to increase.
What is information security?
Information security is the protection of information and data. This includes protection against threats such as the decryption of data and access to or modification of data by unauthorised third parties, as well as general protection of data during transfer and storage from one location to another. To achieve these information security objectives, companies must implement the protection goals of information security. This is done through appropriate measures, which are carried out by an information security officer and are set out, for example, in the ISO/IEC 27000 series of standards. The guideline for information security, the so-called "IT-Grundschutz", is published by the Federal Office for Information Security (BSI). Those responsible for information security, such as the information security officer, establish and manage information security measures via an Information Security Management System (ISMS).
What does information security cover?
The term "Information Security" includes all technical and organisational measures that ensure the protection goals of confidentiality, availability and integrity.
Information security examples of technical measures
- Spatial protection of data and IT components
- Encryptions
- Software updates
- Virus software
- Firewalls
- Backups
- Authentication methods
Information security examples of organisational measures
- Staff training
- Guidelines for handling sensitive data (e.g. passwords)
In addition, there are personnel measures, which deal with raising users' awareness of information security, and local measures, which cover physical protection. This means controlling access to office locations and especially to data centres.
What is the difference between IT security, information security and data security?
The difference between IT security and information security is that IT security is only one aspect of information security. While IT security is primarily concerned with protecting IT systems in a company from damage and threats, information security includes all technical and non-technical information of a company. In addition to the data of the IT systems, paper archives or the company premises also fall under the protection of information security.
Data security is also subordinate to information security, as information security is more comprehensive. However, data security and information security both have the goal of minimising security risks and establishing measures to protect data.
Difference between data protection and information security
The essential difference between Data protection and information security lies in the fact that data protection focuses on the right to informational self-determination and the protection of personal data, whereas information security aims to secure data in systems. Data protection thus protects data of citizens and information security protects data of companies. However, since personal data is also processed in companies, there is often an overlap between data protection and information security.
Another important difference is that the implementation of data protection is legally regulated by the General Data Protection Regulation (GDPR). For the implementation of information security, there is the guideline for information security of the BSI, but it is not a legal basis. This means that companies can introduce different concepts.
Protection goals Information security
The most important protection goals of information security are confidentiality, integrity and availability of information. Data is considered confidential if only authorised persons have access to it, and it must be possible to identify every person who accesses the data. This protection goal can be achieved, for example, by means of two-factor authentication, passwords or encryption. Integrity means that data is kept in its correct and complete state and is protected against intentional or accidental changes. This includes ensuring that unauthorised persons, such as hackers, have no access and therefore no possibility of changing the data. Availability means that users with the appropriate authorisation are guaranteed reliable access to the information. The definitions of the protection goals of information security according to the IT-Grundschutz of the BSI are listed below.
Definition of the protection goals of information security according to the BSI:
Confidentiality
Confidentiality is the protection against unauthorised disclosure of information. Confidential data and information may only be accessible to authorised persons in the permitted manner.
Integrity
Integrity refers to ensuring the correctness (integrity) of data and the correct functioning of systems. When the term integrity is applied to "data", it expresses that the data is complete and unchanged. In information technology, however, it is usually defined more broadly and applied to "information". In this context, the term "information" is used to refer to "data" which, depending on the context, can be assigned certain attributes such as author or time of creation. The loss of integrity of information can therefore mean that it has been altered without permission, that details of the author have been falsified or that the time at which it was created has been manipulated.
Availability
The availability of services, functions of an IT system, IT applications or IT networks or also of information is present if these can always be used by the users as intended.
Authenticity
The term authenticity refers to the property that ensures that a communication partner is actually who he claims to be. Authentic information ensures that it was created by the specified source. The term is not only used when checking the identity of persons, but also for IT components or applications.
Non-repudiation
In the case of non-repudiation, the focus is on provability vis-à-vis third parties. The aim is to ensure that the sending and receiving of data and information cannot be denied. A distinction is made between:
- Non-repudiation of origin: it should be impossible for the sender of a message to subsequently dispute having sent that particular message.
- Non-repudiation of receipt: it should be impossible for the recipient of a message to subsequently dispute having received it.
Binding
The security goals of authenticity and non-repudiation are summarised under bindingness. In the transmission of information, this means that the source of the information has proven its identity and that receipt of the message cannot be denied.
Reliability
The protection goal of reliability refers to the technical functionality of IT systems and components and can therefore be considered in scenarios of high dependency on IT systems in addition to the protection goal of availability.
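The protection goals of integrity and authenticity defined above can be made concrete with a small message-authentication check. The following Python example is added here for illustration and is not part of the original article or of any BSI material: it attaches an HMAC-SHA256 tag to a message using a key shared with the claimed sender, so that a receiver can detect both unauthorised modification (loss of integrity) and a forged origin (loss of authenticity). The sender names, keys and message contents are constructed for the example; the assumption that each communication partner holds a separately distributed secret key is the example's own.

```python
import hashlib
import hmac

# Constructed sample keys: one shared secret per communication partner.
# Assumption of this example: keys were distributed out of band beforehand.
KEYS = {
    "alice": b"constructed-demo-key-for-alice-only",
    "bob": b"constructed-demo-key-for-bob-only",
}


def _mac_input(sender: str, payload: bytes) -> bytes:
    # Bind the claimed sender into the authenticated data with a separator
    # so that a tag for one sender cannot be replayed under another name.
    return sender.encode("utf-8") + b"\x00" + payload


def protect(sender: str, payload: bytes) -> dict:
    """Build a message whose tag proves origin (authenticity) and lets the
    receiver notice any change to the payload (integrity)."""
    tag = hmac.new(KEYS[sender], _mac_input(sender, payload), hashlib.sha256).hexdigest()
    return {"sender": sender, "payload": payload, "tag": tag}


def verify(message: dict) -> bool:
    """Return True only if the tag matches the claimed sender's key and the
    payload exactly as received; any tampering or unknown sender fails."""
    key = KEYS.get(message["sender"])
    if key is None:
        return False  # claimed origin is not a known partner
    expected = hmac.new(key, _mac_input(message["sender"], message["payload"]), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking where the tags first differ.
    return hmac.compare_digest(expected, message["tag"])


def scenarios() -> dict:
    """Run the protection-goal checks on constructed messages and report
    which ones a receiver would accept."""
    original = protect("alice", b"release payment 100 EUR to supplier 42")

    # Integrity violation: the payload is altered after the tag was computed.
    altered = dict(original)
    altered["payload"] = b"release payment 900 EUR to supplier 42"

    # Authenticity violation: the message is re-labelled as coming from bob.
    relabelled = dict(original)
    relabelled["sender"] = "bob"

    # Unknown origin: a partner for which no key was ever distributed.
    unknown = {"sender": "mallory", "payload": b"anything", "tag": "00"}

    return {
        "untouched": verify(original),
        "altered_payload": verify(altered),
        "relabelled_sender": verify(relabelled),
        "unknown_sender": verify(unknown),
    }


if __name__ == "__main__":
    for name, accepted in scenarios().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

Only the untouched message is accepted; the altered, relabelled and unknown-origin messages are rejected. Note the limit of this construction with respect to the non-repudiation goal above: because the receiver holds the same key as the sender, it could have produced the tag itself, so the tag proves origin to the receiver but not to a third party. Non-repudiation of origin requires a key that only the sender holds, i.e. a digital signature rather than a shared-key MAC.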
The implementation of an information security concept
An information security concept (ISC) is the systematic implementation of information security objectives through both technical and organisational measures. The information security concept ensures the long-term protection of information, even in the event of changing technical, organisational, personnel or legal requirements. Like the data protection management system, the information security concept is continuously reviewed and optimised. This is done using the Plan-Do-Check-Act cycle / PDCA cycle in the following four recurring steps:
- Identify vulnerabilities by taking stock of the current situation
- Rate the identified vulnerabilities by describing the risks and proposing solutions
- Plan and implement the measures
- Review the effectiveness of the measures and react to changes
Content of the information security concept
These steps of the information security concept contain the following procedures and measures:
- Identification of new and existing risks
- Planning of measures to eliminate or minimise risks
- Continuous development of the safety culture in the organisation
- Establishment of persons responsible for the operation and implementation of the information security concept (e.g. information security officer)
- Development of guidelines for the implementation of the ISC and their introduction into the organisation
- Organisation of regular sensitisation of employees for information security
Information Security Policy: Content and Structure
The Information Security Policy is part of the information security concept and describes all technical and non-technical systems used in data processing as well as the associated security requirements. This guideline is drafted by the company management and contains measures and regulations to be complied with, which must be observed by all employees of the company as well as by the company management.
As a guideline for information security, the Federal Office for Information Security (BSI) recommends the following structure for the Information Security Policy:
- Context
- Introduction
- Scope and application
- Contact
- Responsibilities
- Importance of information technology and information security
- Company goals
- Organisation of the information security management system
- Management
- IT management
- Information security officer
- Data protection officer
- ISMS-Team
- Employees
- Other responsibilities
- Consequences of infringements
- Further measures
- Entry into force
Examples for implementation in the workplace
The best technical precautions to protect data are of little use if employees are not adequately trained. Employees should lock their workstation every time they leave, especially if they have access to data that needs to be protected. Otherwise, third parties can simply access the data.
Password security also plays a crucial role in ensuring information security in the workplace. Passwords should never be openly visible in the workplace, for example on a notepad. Typical hiding places for passwords, such as under the keyboard, should also be avoided. In addition, strong passwords should be used. These are characterised by a sufficient length of at least 8 characters and the use of alphanumeric characters (upper and lower case, numbers, special characters). A separate password should be used for each application and should be changed regularly. In addition, the computer password should not be used on the Internet; otherwise it is easier to spy out the password, and the protection of the computer and the data on it is weakened. All passwords should be changed regularly. Caution is advised on the Internet in any case: dubious sites can cause a virus infection and allow hackers to access the computer.
Employees should also be trained in dealing with spam and with suspicious and dangerous e-mails. Viruses are often sent in the form of links or attachments, which are then downloaded onto the computer. Accordingly, employees should watch out for suspicious e-mails and not open any links or attachments in them. If a virus is downloaded, employees should be instructed on how to proceed, for example to disconnect the computer from the network and inform IT immediately.
If confidential documents are printed out, care must be taken not to leave them lying inadvertently in the printer, copier or scanner. Misprints should also never simply be disposed of in the wastepaper basket, but should always be destroyed using a document shredder.
Mobile devices and data carriers used as storage media must also be taken into account, as they also represent a risk. They are lost more often than workplace computers, but often contain the same data.
The Information Security Officer
An information security officer (also referred to as "CISO", Chief Information Security Officer, or "ISM", Information Security Manager) supports companies in the implementation of and compliance with information security. In this way, they also relieve the company. For questions regarding IT security and the protection of any data, they are the central contact person for the company management. Nevertheless, the responsibility for information security remains with the company management.
What does an information security officer do?
Information security officers ensure that the desired level of information security is maintained. In this context, the scope of duties of an ISO is very extensive. These include:
- Employee training (on-site or online),
- Advice to the management,
- Contact person for problems and questions,
- Elaboration of safety concepts,
- Review of data backup and firewalls,
- Internal audits and audit support,
- Documentation of information security measures,
- Development of safety targets
Who may be an information security officer?
In principle, there is no obligation for companies to employ an information security officer (except for CRITIS companies). If you decide to work with an information security officer, you have two options. A specialist with the relevant expertise and experience can supervise your company as an external information security officer. An internal solution is also possible, by having your company train an existing employee as an information security officer.
If you choose an internal information security officer, make sure that there is no conflict of interest. Therefore, neither members of the company management nor members of the IT department's management can act as information security officers.
How to become an information security officer?
Persons who have specialist knowledge and professional experience in the area of information security qualify as information security officers. Specialist knowledge can be acquired through training or further education. There is no legal regulation for training as an information security officer. If you want to have an employee trained or further trained, you can do this with training courses. The contents of the training courses are mostly based on the internationally recognised ISO 27001. The costs of training courses vary depending on the provider and the degree/certificate and amount to between 2500 and 3500€ net per training participant.
Appoint the experts from Robin Data as your external ISB
Designation of our external information security officers: vulnerability audit, definition and implementation of action plan, determination of protection needs. Reduce your liability risks!
What is an Information Security Management System (ISMS)?
An information security management system or "ISMS" defines rules and methods for guaranteeing, checking and improving information security. Information security officers use the ISMS to control technical and organisational IT security measures and regularly monitor the implementation of the planned measures in accordance with the requirements of ISO 27001. Since the data protection management system is not a special form of the information security management system, it cannot be replaced by an ISMS; rather, these two systems complement each other and are often technically implemented through software-as-a-service (SaaS) solutions.
Robin Data ComplianceOS® Field Information Security
With Robin Data ComplianceOS® you can flexibly implement your company's information security requirements. Import programmes such as ISO 27001, BSI Grundschutz and other programmes and implement their requirements step by step and with guidance. From implementation to documentation, Robin Data always provides you with the right tool. In this way, you save valuable time and involve all stakeholders in the implementation of the information security management system in an uncomplicated way.