What is InfoSec?
As our lives have become increasingly digital, and more of our data is handled on the Internet, protecting personal and confidential data has become an entire industry. Which industry? InfoSec. If you work in IT or consider yourself a tech person in general, you’ve probably heard of InfoSec. “InfoSec” is an abbreviation of Information Security.
If you don’t work in IT, do you still need to know what InfoSec is? Definitely. If you go online and share your private data at all you should have a basic understanding of InfoSec. This guide covers what InfoSec is, what kind of work InfoSec professionals do, types of InfoSec cyber attacks, and how InfoSec tools and programs are keeping you safe every day.
What is InfoSec?
According to the National Institute of Standards and Technology (NIST), which is part of the U.S. Department of Commerce, InfoSec is “The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.”
Put more simply, it’s protecting information.
What does information need protecting from? The obvious answer is: from thieves who want to steal it. Some information, like your personal data, is so valuable that people want to steal it and use it for themselves.
Getting stolen isn’t the only thing that can happen to information, however — especially if it’s digital. Information can also be corrupted or modified. Information security helps ensure that data stays not only confidential, but also intact.
What is InfoSec vs cybersecurity?
People sometimes use the terms “InfoSec” and “cybersecurity” interchangeably. Many people think they’re the same thing. They’re closely related, but not exactly the same. InfoSec is broader than cybersecurity — it’s concerned with protecting all information. Cybersecurity focuses more on digital information systems and networks, a specific subset of InfoSec.
You could say that cybersecurity fits under the wider umbrella of InfoSec.
The two also differ in the types of attacks they handle. InfoSec is more concerned with data theft, data leakage, and unauthorized access, whereas cybersecurity aims to protect against threats to networked systems and computers like hacking, malware, phishing, and DDoS attacks.
The three elements of InfoSec
In InfoSec, there are three principles that guide everything: confidentiality, integrity, and availability. This is often referred to as the CIA triad. Each piece of this triad is one of the fundamental goals of information security.
Confidentiality
It’s important to keep data private, secret, and secure. Only people who have the right authorization or permission should be able to access it. A tool often used to keep information confidential is encryption.
Example: If someone sends you a confidential message, nobody else should know what the message is.
Integrity
Data must remain reliable, consistent, and accurate. InfoSec professionals take measures to prevent data from being modified, corrupted, or destroyed. Hashing (such as MD5 hashing) and digital signatures are tools for ensuring information integrity.
Example: If someone sends you a message, you should receive exactly what they sent you without any modification.
Availability
Data, systems, and applications must remain available and accessible to those who have the authorization. The only exception is when there is an incident or attack. Backups and redundant systems can help ensure data is available.
Example: If someone sends you a message, you should be able to receive it (i.e. not have it blocked or intercepted by someone else).
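The confidentiality and integrity goals above, shown in working code. This is an added example written for this page, not code from the original article: it uses a one-time pad (XOR with a random key as long as the message) for confidentiality and an HMAC over SHA-256 for integrity, both from Python's standard library. SHA-256 is used rather than the MD5 mentioned above because MD5 collisions are practical today, so it no longer provides integrity protection; the message and keys are constructed sample values.

```python
# Added example (not from the original article): the confidentiality and
# integrity goals of the CIA triad, using only Python's standard library.
# Confidentiality: a one-time pad keeps the content secret from anyone
# without the key. Integrity: an HMAC tag over the ciphertext lets the
# receiver detect any modification ("encrypt-then-MAC").
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple


def encrypt_one_time_pad(plaintext: bytes) -> Tuple[bytes, bytes]:
    """Return (key, ciphertext). The key is fresh random bytes, as long as
    the message, and must never be reused (hence 'one-time')."""
    key = secrets.token_bytes(len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, key))
    return key, ciphertext


def decrypt_one_time_pad(key: bytes, ciphertext: bytes) -> bytes:
    # XOR is its own inverse, so decryption is the same operation.
    return bytes(c ^ k for c, k in zip(ciphertext, key))


def make_tag(mac_key: bytes, ciphertext: bytes) -> bytes:
    """Integrity tag (HMAC-SHA256) computed over the ciphertext."""
    return hmac.new(mac_key, ciphertext, hashlib.sha256).digest()


def verify_tag(mac_key: bytes, ciphertext: bytes, tag: bytes) -> bool:
    # compare_digest runs in constant time, so the comparison itself does
    # not leak how many leading bytes of a guessed tag were correct.
    return hmac.compare_digest(make_tag(mac_key, ciphertext), tag)


def send(plaintext: bytes, mac_key: bytes) -> Tuple[bytes, bytes, bytes]:
    """What the sender produces: (pad key, ciphertext, integrity tag)."""
    key, ciphertext = encrypt_one_time_pad(plaintext)
    return key, ciphertext, make_tag(mac_key, ciphertext)


def receive(key: bytes, ciphertext: bytes, tag: bytes, mac_key: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the integrity check fails.
    Nothing is decrypted until the tag has been verified."""
    if not verify_tag(mac_key, ciphertext, tag):
        return None
    return decrypt_one_time_pad(key, ciphertext)


def demo() -> Dict[str, object]:
    mac_key = secrets.token_bytes(32)           # shared in advance, like the pad key
    message = b"Meet at the usual place at 10:00"  # constructed sample message
    key, ciphertext, tag = send(message, mac_key)

    # Integrity check: flip one bit of the ciphertext in transit.
    tampered = bytes([ciphertext[0] ^ 0x01]) + ciphertext[1:]
    return {
        "ciphertext_differs": ciphertext != message,        # confidentiality
        "intact_message": receive(key, ciphertext, tag, mac_key),
        "tampered_message": receive(key, tampered, tag, mac_key),  # None: rejected
    }


if __name__ == "__main__":
    print(demo())
```

The receiver checks the tag before decrypting, so a modified message is rejected rather than delivered with silent corruption, which is exactly the integrity property described above. An HMAC proves the message came from someone holding the shared key; it does not give nonrepudiation, because either party could have produced it, which is why digital signatures are the tool for that goal.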
What is the work of InfoSec?
The CIA triad is crucial for InfoSec work, but these three principles aren’t the only objectives of InfoSec. Other factors that play a part in InfoSec processes and policies include:
- Risk management: Minimize negative outcomes by evaluating risks.
- Data classification: Pay closer attention to information that is highly confidential or that needs to stay easily available.
- Media and confidentiality agreements: Consider the security of information that isn’t digital, such as printed information.
- User training: Train employees and users on basic security practices.
- Nonrepudiation: Use security measures to prove that information hasn’t been tampered with.
- Business continuity and disaster recovery: Make sure data is still available and unchanged during a failure or breach.
- Change management: Make sure changes to processes, systems, or policies go smoothly.
- Local laws and regulations: Take laws and regulations about data and information into account and ensure your organization is compliant.
Types of information security
InfoSec can be broken down into several smaller categories, such as application security and cloud security. Each deals with the security of a particular spot that houses important information or data.
Application security (also referred to as AppSec) is just what it sounds like: making applications more secure. Applications are any software or programs you have downloaded and installed on your device, like Microsoft Word, Adobe Photoshop, or TikTok.
Application security focuses heavily on authentication (logins), because the moment you sign into an account for an application is when most breaches happen.
Cloud security is protecting data hosted in the cloud. Many businesses and individuals are moving their data into the cloud to save physical storage space, but securing data and processes in the cloud can be tricky.
Cloud service providers have some built-in security tools, but it’s often up to InfoSec professionals to shore up cloud security with other programs, methods, and tools.
A network is any group of two or more computers that are linked together to share resources, files, and send other electronic data and communications. Networks are everywhere; you probably have a wireless network in your home that lets you connect to the Internet (which is also just a big network).
Network security aims to protect networks and the infrastructure that networks run on from theft, misuse, or unauthorized access. Some examples of network security are configuring rules for firewalls, managing routers, and making sure internal networks are protected as well as external ones.
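One of the examples above is configuring firewall rules. The following added example, written for this page rather than taken from the article or any firewall product, shows how a first-match rule table is evaluated and why a firewall should end in a default deny: anything not explicitly allowed is dropped. The rule table, addresses and ports are constructed for illustration.

```python
# Added example (not from the original article): a tiny first-match packet
# filter in the style of a firewall rule table, standard library only.
# Rules are checked top to bottom; the first rule whose source network,
# destination port and protocol all match decides. A packet matching no
# rule is dropped (default deny), the safe default for a perimeter firewall.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    src: str              # source network in CIDR notation, or "any"
    dport: Optional[int]  # destination port; None matches any port
    proto: str            # "tcp", "udp" or "any"
    comment: str = ""


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dport: int
    proto: str


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.src != "any":
        if ipaddress.ip_address(pkt.src_ip) not in ipaddress.ip_network(rule.src):
            return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """Return 'allow' or 'deny' for the packet under first-match semantics."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"  # implicit default deny at the end of the table


# Constructed rule table for a hypothetical office network.
OFFICE_RULES = [
    Rule("allow", "10.0.0.0/8", 22, "tcp", "SSH only from the internal network"),
    Rule("deny", "any", 22, "tcp", "block SSH from everywhere else"),
    Rule("allow", "any", 443, "tcp", "public HTTPS service"),
    Rule("allow", "any", 53, "udp", "DNS"),
]


def check_samples() -> Dict[str, str]:
    # 203.0.113.0/24 is a documentation range, so these are not real hosts.
    samples = {
        "internal_ssh": Packet("10.1.2.3", 22, "tcp"),
        "external_ssh": Packet("203.0.113.5", 22, "tcp"),
        "public_https": Packet("203.0.113.5", 443, "tcp"),
        "unlisted_port": Packet("203.0.113.5", 8080, "tcp"),  # no rule: default deny
    }
    return {name: evaluate(OFFICE_RULES, pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, verdict in check_samples().items():
        print(f"{name:14s} -> {verdict}")
```

Rule order matters: the internal SSH allow has to sit above the general SSH deny, or internal administrators would be locked out. Reviewing a rule table for that kind of ordering mistake, and for the absence of a final default deny, is a routine part of the network security work described above.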
All the hardware, software, devices, databases, operating systems, and other components that technology runs on are called “infrastructure”. Infrastructure security is ensuring that all these components are secure.
Securing infrastructure can include:
- Restricting access to administrative or privileged accounts
- Monitoring account activity
- Regular scans of infrastructure
- Applying patches when there’s a problem or an update is needed
In InfoSec and IT, an “incident” is any unauthorized access, use, or breach of information. It can also refer to attempts to modify, disclose, or destroy information that is confidential or privileged. An attempt to get access doesn’t necessarily have to be successful for it to be considered an “incident.” Unsuccessful attempts or even suspicions of a breach are incidents as well.
One of the primary goals of InfoSec professionals is to quickly and effectively respond to security incidents. The longer an incident goes unaddressed, the greater the risk for the company or organization.
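The infrastructure list above mentions monitoring account activity, and this section explains that unsuccessful access attempts are incidents too. The following added example, written for this page and not taken from the article or any monitoring product, shows the simplest form of that monitoring: parsing authentication log lines and raising incidents for failed logins against privileged accounts and for repeated failures from one source, whether or not any attempt succeeded. The log format, account names, addresses and threshold are all assumptions constructed for the example.

```python
# Added example (not from the original article): monitoring account activity
# for events that count as incidents, over constructed log lines. The log
# format, privileged account names and threshold are assumptions.
# Rule 1: every failed login against a privileged account is an incident.
# Rule 2: repeated failures from one source address are an attempted
#         intrusion, an incident even if no attempt ever succeeds.
import re
from collections import defaultdict
from typing import Dict, Iterable, List

PRIVILEGED_ACCOUNTS = {"root", "admin", "dbadmin"}  # assumption
FAILURE_THRESHOLD = 3                              # assumption

LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log; 198.51.100.0/24 is a documentation address range.
SAMPLE_LOG = """\
2024-05-01T09:00:01 auth OK user=alice src=10.0.0.12
2024-05-01T09:02:17 auth FAIL user=admin src=198.51.100.7
2024-05-01T09:02:19 auth FAIL user=admin src=198.51.100.7
2024-05-01T09:02:21 auth FAIL user=admin src=198.51.100.7
2024-05-01T09:02:24 auth FAIL user=bob src=198.51.100.7
2024-05-01T09:05:40 auth FAIL user=bob src=10.0.0.33
2024-05-01T09:10:02 auth OK user=dbadmin src=10.0.0.5
"""


def parse(lines: Iterable[str]) -> List[dict]:
    """Turn log lines into event dicts; lines in an unexpected format are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def find_incidents(events: List[dict]) -> List[dict]:
    incidents: List[dict] = []
    failures_by_src: Dict[str, List[dict]] = defaultdict(list)
    for ev in events:
        if ev["result"] != "FAIL":
            continue
        if ev["user"] in PRIVILEGED_ACCOUNTS:
            incidents.append({
                "type": "privileged_login_failure",
                "user": ev["user"], "src": ev["src"], "ts": ev["ts"],
            })
        failures_by_src[ev["src"]].append(ev)
    for src, fails in failures_by_src.items():
        if len(fails) >= FAILURE_THRESHOLD:
            incidents.append({
                "type": "repeated_failures",
                "src": src, "count": len(fails),
                "users": sorted({f["user"] for f in fails}),
            })
    return incidents


def analyse(log_text: str = SAMPLE_LOG) -> List[dict]:
    return find_incidents(parse(log_text.splitlines()))


if __name__ == "__main__":
    for incident in analyse():
        print(incident)
```

On the sample log this raises three privileged-login-failure incidents for the admin account and one repeated-failures incident for 198.51.100.7, which tried two different accounts. The single failure by bob from an internal address is not escalated under these rules; the threshold and the privileged-account list are where an organization's policy decides what is merely recorded and what is responded to, and the faster that response, the smaller the risk described above.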
The importance of InfoSec
Even if you never plan to work in InfoSec, it’s still important to know what it is. Now you can understand a bit better why all of your online accounts ask you to enable two-factor authentication, or why it’s crucial to use a password manager.
Thanks to the hard work of InfoSec professionals, our digital world is a little bit safer. If you’re looking to learn more about security, check out our list of cybersecurity resources.