What is information security? Definition, principles, and jobs (2024)

Feature

Information security is a set of practices intended to keep data secure from unauthorized access or alterations. Here's a broad look at the policies, principles, and people used to protect data.

By Josh Fruhlinger

Contributing writer, CSO |

Information security definition

Information security, sometimes abbreviated to infosec, is a set of practices intended to keep data secure from unauthorized access or alterations, both when it's being stored and when it's being transmitted from one machine or physical location to another. You might sometimes see it referred to as data security. As knowledge has become one of the 21st century's most important assets, efforts to keep information secure have correspondingly become increasingly important.

The SANS Institute offers a somewhat more expansive definition:

Information security refers to the processes and methodologies which are designed and implemented to protect print, electronic, or any other form of confidential, private and sensitive information or data from unauthorized access, use, misuse, disclosure, destruction, modification, or disruption.

Information security vs. cybersecurity

Because information technology has become the accepted corporate buzzphrase that means, basically, "computers and related stuff," you will sometimes see information security and cybersecurity used interchangeably. Strictly speaking, cybersecurity is the broader practice of defending IT assets from attack, and information security is a specific discipline under the cybersecurity umbrella. Network security and application security are sister practices to infosec, focusing on networks and app code, respectively.

Obviously, there's some overlap here. You can't secure data transmitted across an insecure network or manipulated by a leaky application. As well, there is plenty of information that isn't stored electronically that also needs to be protected. Thus, the infosec pro's remit is necessarily broad.

Information security principles

The basic components of information security are most often summed up by the so-called CIA triad: confidentiality, integrity, and availability.

  • Confidentiality is perhaps the element of the triad that most immediately comes to mind when you think of information security. Data is confidential when only those people who are authorized to access it can do so; to ensure confidentiality, you need to be able to identify who is trying to access data and block attempts by those without authorization. Passwords, encryption, authentication, and defense against penetration attacks are all techniques designed to ensure confidentiality.
  • Integrity means maintaining data in its correct state and preventing it from being improperly modified, either by accident or maliciously. Many of the techniques that ensure confidentiality will also protect data integrity—after all, a hacker can't change data they can't access—but there are other tools that help provide a defense of integrity in depth: checksums can help you verify data integrity, for instance, and version control software and frequent backups can help you restore data to a correct state if need be. Integrity also covers the concept of non-repudiation: you must be able to prove that you've maintained the integrity of your data, especially in legal contexts.
  • Availability is the mirror image of confidentiality: while you need to make sure that your data can't be accessed by unauthorized users, you also need to ensure that it can be accessed by those who have the proper permissions. Ensuring data availability means matching network and computing resources to the volume of data access you expect and implementing a good backup policy for disaster recovery purposes.

In an ideal world, your data should always be kept confidential, in its correct state, and available; in practice, of course, you often need to make choices about which information security principles to emphasize, and that requires assessing your data. If you're storing sensitive medical information, for instance, you'll focus on confidentiality, whereas a financial institution might emphasize data integrity to ensure that nobody's bank account is credited or debited incorrectly.

Information security policy

The means by which these principles are applied to an organization take the form of a security policy. This isn't a piece of security hardware or software; rather, it's a document that an enterprise draws up, based on its own specific needs and quirks, to establish what data needs to be protected and in what ways. These policies guide the organization's decisions around procuring cybersecurity tools, and also mandate employee behavior and responsibilities.

Among other things, your company's information security policy should include:

  • A statement describing the purpose of the infosec program and your overall objectives
  • Definitions of key terms used in the document to ensure shared understanding
  • An access control policy, determining who has access to what data and how they can establish their rights
  • A password policy
  • A data support and operations plan to ensure that data is always available to those who need it
  • Employee roles and responsibilities when it comes to safeguarding data, including who is ultimately responsible for information security

One important thing to keep in mind is that, in a world where many companies outsource some computer services or store data in the cloud, your security policy needs to cover more than just the assets you own. You need to know how you'll deal with everything from personally identifying information stored on AWS instances to third-party contractors who need to be able to authenticate to access sensitive corporate info.

Information security measures

As should be clear by now, just about all the technical measures associated with cybersecurity touch on information security to a certain degree, but there it is worthwhile to think about infosec measures in a big-picture way:

  • Technical measures include the hardware and software that protects data — everything from encryption to firewalls
  • Organizational measures include the creation of an internal unit dedicated to information security, along with making infosec part of the duties of some staff in every department
  • Human measures include providing awareness training for users on proper infosec practices
  • Physical measures include controlling access to the office locations and, especially, data centers

Information security jobs

It's no secret that cybersecurity jobs are in high demand, and in 2019 information security was at the top of every CIO's hiring wishlist, according to Mondo's IT Security Guide. There are two major motivations: There have been many high-profile security breaches that have resulted in damage to corporate finances and reputation, and most companies are continuing to stockpile customer data and give more and more departments access to it, increasing their potential attack surface and making it more and more likely they'll be the next victim.

There are a variety of different job titles in the infosec world. The same job title can mean different things in different companies, and you should also keep in mind our caveat from up top: a lot of people use "information" just to mean "computer-y stuff," so some of these roles aren't restricted to just information security in the strict sense. But there are general conclusions one can draw.

Information security analyst: Duties and salary
Let's take a look at one such job: information security analyst, which is generally towards the entry level of an infosec career path. CSO's Christina Wood describes the job as follows:

Security analysts typically deal with information protection (data loss protection [DLP] and data classification) and threat protection, which includes security information and event management (SIEM), user and entity behavior analytics [UEBA], intrusion detection system/intrusion prevention system (IDS/IPS), and penetration testing. Key duties include managing security measures and controls, monitoring security access, doing internal and external security audits, analyzing security breaches, recommending tools and processes, installing software, teaching security awareness, and coordinating security with outside vendors.

Information security analysts are definitely one of those infosec roles where there aren't enough candidates to meet the demand for them: in 2017 and 2018, there were more than 100,000 information security analyst jobs that were unfilled in the United States. This means that infosec analyst is a lucrative gig: the Bureau of Labor Statistics pegged the median salary at $95,510 (PayScale.com has it a bit lower, at $71,398).

Information security training and courses

How does one get a job in information security? An undergraduate degree in computer science certainly doesn't hurt, although it's by no means the only way in; tech remains an industry where, for instance, participation in open source projects or hacking collectives can serve as a valuable calling card.

Still, infosec is becoming increasingly professionalized, which means that institutions are offering more by way of formal credentials. Many universities now offer graduate degrees focusing on information security. These programs may be best suited for those already in the field looking to expand their knowledge and prove that they have what it takes to climb the ladder.

At the other end of the spectrum are free and low-cost online courses in infosec, many of them fairly narrowly focused. The world of online education is something of a wild west; Tripwire breaks down eleven highly regarded providers offering information security courses that may be worth your time and effort.

Information security certifications

If you're already in the field and are looking to stay up-to-date on the latest developments—both for your own sake and as a signal to potential employers—you might want to look into an information security certification. Among the top certifications for information security analysts are:

Many of the online courses listed by Tripwire are designed to prepare you for these certification exams. Best of luck in your exploration!

Related:

  • Data and Information Security
  • Security

Josh Fruhlinger is a writer and editor who lives in Los Angeles.

Follow

Copyright © 2020 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)

What is information security? Definition, principles, and jobs (2024)

FAQs

What is information security and its principles? ›

What are the 3 Principles of Information Security? The basic tenets of information security are confidentiality, integrity and availability. Every element of the information security program must be designed to implement one or more of these principles. Together they are called the CIA Triad.

What is information security simple definition? ›

Information Security is basically the practice of preventing unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of information. Information can be physical or electronic one.

What is the job description of information security? ›

Information security analysts typically do the following: Monitor their organization's networks for security breaches and investigate when one occurs. Use and maintain software, such as firewalls and data encryption programs, to protect sensitive information. Check for vulnerabilities in computer and network systems.

What are the 3 principles of information security? ›

The CIA triad refers to an information security model made up of the three main components: confidentiality, integrity and availability. Each component represents a fundamental objective of information security.

What are the 5 basic principles of security? ›

The Principles of Security can be classified as follows:
  • Confidentiality: The degree of confidentiality determines the secrecy of the information. ...
  • Authentication: Authentication is the mechanism to identify the user or system or the entity. ...
  • Integrity: ...
  • Non-Repudiation: ...
  • Access control: ...
  • Availability:
5 Jun 2022

What are the 12 principles of information security? ›

Multiple Choice Questions
  • Confidentiality, integrity, and availability.
  • Prevention, detection, and response.
  • People controls, process controls, and technology controls.
  • Network security, PC security, and mainframe security.
17 Jun 2019

What is the full definition of security? ›

1. the state of being or feeling secure; freedom from fear, anxiety, danger, doubt, etc.; state or sense of safety or certainty. 2. something that gives or assures safety, tranquillity, certainty, etc.; protection; safeguard.

What are 4 types of information security? ›

Types of IT security
  • Network security. Network security is used to prevent unauthorized or malicious users from getting inside your network. ...
  • Internet security. ...
  • Endpoint security. ...
  • Cloud security. ...
  • Application security.

What is security full answer? ›

Definition of security

1 : the quality or state of being secure: such as. a : freedom from danger : safety. b : freedom from fear or anxiety. c : freedom from the prospect of being laid off job security.

Is information security a good career? ›

You'll be doing something good

Besides protecting organizations, information security professionals are the ones who help protect critical infrastructure as well as the privacy of the everyday consumer. If you've always wanted to be in a respectable and valuable profession, this one fits the bill.

What is the main job of cyber security? ›

Cyber Security Specialists are responsible for discovering vulnerabilities and risks in networks, software systems and data centers with ongoing vulnerability scans, monitoring network data, and ensuring hardware and software applications are updated.

What is information security examples? ›

Passwords, network and host-based firewalls, network intrusion detection systems, access control lists, and data encryption are examples of logical controls.

Why do we need information security? ›

Information security ensures the protection of both data in motion as well as data in rest. Safeguarding technology assets in organizations: The organization must add intrastate services based on the size and scope of the organization.

What are the 7 tips to stay secure the information? ›

Cybersecurity 101: 7 Basic Internet Safety Tips
  • Protect Your Personal Information With Strong Passwords. ...
  • Keep Personal Information Private. ...
  • Make Sure Your Devices Are Secure. ...
  • Pay Attention to Software Updates. ...
  • Be Careful About Wifi. ...
  • Set Up Two-Factor Authentication. ...
  • Back Up Your Personal Data.

What are the 6 types of security? ›

What are the 6 types of security infrastructure systems?
  • Access Controls. The act of restricting access to sensitive data or systems enables your enterprise to mitigate the potential risks associated with data exposure. ...
  • Application Security. ...
  • Behavioral Analytics. ...
  • Firewalls. ...
  • Virtual Private Networks. ...
  • Wireless Security.
22 Feb 2022

What are the 10 principles of cybersecurity? ›

10 steps to an effective approach to cyber security
  • Risk management regime. ...
  • Secure configuration. ...
  • Network security. ...
  • Managing user privileges. ...
  • User education and awareness. ...
  • Incident management. ...
  • Malware prevention. ...
  • Monitoring.

What are the 7 domains of information security? ›

They are as follows: User Domain, Workstation Domain, LAN Domain, LAN-to-WAN Domain, Remote Access Domain, WAN Domain, and System/Application Domain. Each of these domains is viewed as portals for attackers if countermeasures are missing or fail.

What are the three 3 threats to information security? ›

Information Security threats can be many like Software attacks, theft of intellectual property, identity theft, theft of equipment or information, sabotage, and information extortion.

What are the 14 principles of security management? ›

The 14 NCSC cloud security principles
  • Data in transit protection. User data which is transitioning between networks should be protected against any interference.
  • Asset protection and resilience. ...
  • Separation between users. ...
  • Governance framework. ...
  • Operational security. ...
  • Personnel security. ...
  • Secure development. ...
  • Supply chain security.

Why is IT called security? ›

The original meaning of "security," which dates back to the mid-15th century, was property pledged to guarantee some debt or promise of the owner. Starting in the 17th century, the word came to be used for a document evidencing a debt, and eventually for any document representing a financial investment.

What is security definition PDF? ›

refers to tranquility and freedom from care” (Liotta & Owen 2006). Security is then a condition, and since it is not an absolute value, the perception of security depends on how we balance it. against other values, such as liberty. In consequence, security could be defined and valorized only by the threats which.

What are the three types of security? ›

There are three primary areas or classifications of security controls. These include management security, operational security, and physical security controls.

What are the 5 types of information? ›

Types of Information
  • Factual. Factual information is information that solely deals with facts. ...
  • Analytical. Analytical information is the interpretation of factual information. ...
  • Subjective. Subjective information is information from only one point of view. ...
  • Objective.
27 Sept 2022

WHAT IS IT security risk? ›

The term “information security risk” refers to the damage that attacks against IT systems can cause. IT risk encompasses a wide range of potential events, including data breaches, regulatory enforcement actions, financial costs, reputational damage, and more.

What is security short form? ›

SEC. (redirected from security)

Is security a stressful job? ›

The job of defending against increasingly advanced threats on a daily and hourly basis is causing more problems than ever as 46% of respondents felt their stress had measurably increased over the last 12 months.

Is security a hard job? ›

While a security officer does not pay well, it is a relatively stress-free job with a good work-life balance and requires very little training to begin. It may be difficult to sustain yourself on a security officer salary, which is why many security officers work a full-time job or are full-time students.

Is information security a stressful job? ›

Cybersecurity staff are feeling burnout and stressed to the extent that many are considering leaving their jobs. According to research by VMware, 47% of cybersecurity incident responders say they've experienced burnout or extreme stress over the past 12 months.

What type of job is cyber security? ›

Cyber security professionals, or information security analysts, have a wide range of responsibilities, but the crux of their job is to protect online data from being compromised.

Is cyber security hard to study? ›

Learning cybersecurity can be challenging, but it doesn't have to be difficult, especially if you're passionate about technology. Nurture a curiosity for the technologies you're working with, and you might find that challenging skills become easier.

What are types of information security? ›

There are many types of information security, such as application security, cloud security, disaster recovery, cryptography, infrastructure security, etc.

How do you protect information? ›

5 simple steps to protect your personal information online
  1. Stop giving away your personal information.
  2. Check your mobile app permissions.
  3. Review your security and privacy settings.
  4. Use passphrases.
  5. Use Antivirus software and install the latest software patches.

How can you protect data? ›

Here are some practical steps you can take today to tighten up your data security.
  1. Back up your data. ...
  2. Use strong passwords. ...
  3. Take care when working remotely. ...
  4. Be wary of suspicious emails. ...
  5. Install anti-virus and malware protection. ...
  6. Don't leave paperwork or laptops unattended. ...
  7. Make sure your Wi-Fi is secure.
8 Aug 2022

What are top 5 key elements of an information security? ›

It relies on five major elements: confidentiality, integrity, availability, authenticity, and non-repudiation.

› blog › why-is-informati... ›

RedTeam ensures the quality of your cybersecurity with our penetration testing services to protect you agains threats facing your organization.
Confidentiality is one of the basic elements of information security. Data is confidential when only authorized people access it. To ensure confidentiality one ...
For example, IT security would encompass securing keypads that allow access to a room full of data files. Cybersecurity tends to focus on criminal activity faci...

What are 4 types of information security? ›

Types of IT security
  • Network security. Network security is used to prevent unauthorized or malicious users from getting inside your network. ...
  • Internet security. ...
  • Endpoint security. ...
  • Cloud security. ...
  • Application security.

What are the six principles of information security management? ›

The Six Principles of Cyber Security
  • Security beyond Firewall. Network security used to be achieved by scanning network traffic on various OSI layers. ...
  • Advanced Access Management. ...
  • Enhanced Application Security. ...
  • Trusted Attack Simulation. ...
  • Data Encryption. ...
  • Compliance Business Framework.

What are the 7 principles of data protection? ›

At a glance
  • Lawfulness, fairness and transparency.
  • Purpose limitation.
  • Data minimisation.
  • Accuracy.
  • Storage limitation.
  • Integrity and confidentiality (security)
  • Accountability.

What is information security with example? ›

Information security is designed and implemented to protect the print, electronic and other private, sensitive and personal data from unauthorized persons. It is used to protect data from being misused, disclosure, destruction, modification, and disruption.

IS IT security a good career? ›

There's lots of entry-level work

One of the entry-level jobs that many people land, information security analyst, is practically guaranteed to keep you employed. The U.S. Bureau of Labor Statistics (BLS) ranks it No. 16 out of the fastest-growing occupations across all industries.

WHY IS IT security important? ›

Reducing the risk of data breaches and attacks in IT systems. Applying security controls to prevent unauthorized access to sensitive information. Preventing disruption of services, e.g., denial-of-service attacks. Protecting IT systems and networks from exploitation by outsiders.

What are the 5 types of information? ›

Types of Information
  • Factual. Factual information is information that solely deals with facts. ...
  • Analytical. Analytical information is the interpretation of factual information. ...
  • Subjective. Subjective information is information from only one point of view. ...
  • Objective.
27 Sept 2022

What are the 14 principles of security management? ›

The 14 NCSC cloud security principles
  • Data in transit protection. User data which is transitioning between networks should be protected against any interference.
  • Asset protection and resilience. ...
  • Separation between users. ...
  • Governance framework. ...
  • Operational security. ...
  • Personnel security. ...
  • Secure development. ...
  • Supply chain security.

What are the 10 principles of cybersecurity? ›

10 steps to an effective approach to cyber security
  • Risk management regime. ...
  • Secure configuration. ...
  • Network security. ...
  • Managing user privileges. ...
  • User education and awareness. ...
  • Incident management. ...
  • Malware prevention. ...
  • Monitoring.

What is the main purpose of security management? ›

Purpose of Security Management

The goal of security management procedures is to provide a foundation for an organization's cybersecurity strategy. The information and procedures developed as part of security management processes will be used for data classification, risk management, and threat detection and response.

What are the 8 data principles? ›

What are the Eight Principles of the Data Protection Act?
1998 ActGDPR
Principle 2 – purposesPrinciple (b) – purpose limitation
Principle 3 – adequacyPrinciple (c) – data minimisation
Principle 4 – accuracyPrinciple (d) – accuracy
Principle 5 - retentionPrinciple (e) – storage limitation
5 more rows

What are the 8 main principles of data protection? ›

What Are the Eight Principles of the Data Protection Act?
  • Fair and Lawful Use, Transparency. The principle of this first clause is simple. ...
  • Specific for Intended Purpose. ...
  • Minimum Data Requirement. ...
  • Need for Accuracy. ...
  • Data Retention Time Limit. ...
  • The right to be forgotten. ...
  • Ensuring Data Security. ...
  • Accountability.
12 Oct 2020

What are the three 3 data principles? ›

Principles of Transparency, Legitimate Purpose and Proportionality. The processing of personal data shall be allowed subject to adherence to the principles of transparency, legitimate purpose, and proportionality.

What is security full answer? ›

Definition of security

1 : the quality or state of being secure: such as. a : freedom from danger : safety. b : freedom from fear or anxiety. c : freedom from the prospect of being laid off job security.

What is information security and types? ›

Types of Information Security

While Information Security can be of numerous types, the most commonly used in the IT sector include: Application Security. Infrastructure Security. Cloud Security. Cryptography.

Top Articles
Latest Posts
Article information

Author: Merrill Bechtelar CPA

Last Updated:

Views: 6586

Rating: 5 / 5 (70 voted)

Reviews: 93% of readers found this page helpful

Author information

Name: Merrill Bechtelar CPA

Birthday: 1996-05-19

Address: Apt. 114 873 White Lodge, Libbyfurt, CA 93006

Phone: +5983010455207

Job: Legacy Representative

Hobby: Blacksmithing, Urban exploration, Sudoku, Slacklining, Creative writing, Community, Letterboxing

Introduction: My name is Merrill Bechtelar CPA, I am a clean, agreeable, glorious, magnificent, witty, enchanting, comfortable person who loves writing and wants to share my knowledge and understanding with you.