
Definition of Information Security

Some organisations are concerned more with confidentiality than with availability of information

According to Wikipedia, information security means "protecting information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction".

Another definition could be: "managing the process of mitigating (transferring, reducing, avoiding) unacceptable information security risks".

And yet another: "the implementation of programs and practices that protect the integrity and safety of computer programs and information".

Of course, there are variations on the common theme. And this theme, without any doubt, is how to protect the most valuable asset of modern organisations, that is, how to combat the various threats that affect information confidentiality, integrity, availability and so on.

ISO 27001 and other standards suggest that every organisation should adopt its own definition of information security in its security policy, and this is surely the only right path.

Some organisations are concerned more with confidentiality than with availability of information and vice versa.

The definition of information security in the security policy document should not be generic for every organisation, copy-pasted from Wikipedia or a similar source. It should be tailored to the organisation's mission and business objectives. Take google.com for example.

A search engine's information security priorities should be availability and integrity of information in the first place. If the service is not available, or if the search results are of no use (integrity), then no one will use it. Information confidentiality is not of vital importance here; the service is public-oriented after all.

Gmail.com then deserves a different definition of information security, one that will greatly affect the definition of its information security objectives.

Information Security Wordle: FFIEC IT Examiner's Handbook by purpleslog.

Why is information security definition important?

A proper definition of information security is the key to developing SMART information security objectives (that will be the subject of my next post). The information security definition should drive the definition of information security objectives. It affects how you develop your information security program, how you conduct risk assessment, how you mitigate risks, which controls you select, and so on.

Who should define information security in organisation?

Obviously, that should be the role of the chief information security manager/officer. The definition should be filtered through the information security management forum and approved by top management (the board).

What should one consider when developing definition of information security?

One should consider stakeholders' expectations of the information security program, legal and regulatory requirements, management direction (business and ICT strategy) and, of course, the information profile (what is the organisation's information profile?).

How detailed should one’s definition of information security be?

My advice: one sentence, so that every employee can remember it.

Where should one define information security (where should one put the definition)?

In the information security policy (or ISMS policy, if there is one) and in the information security strategy (or ICT strategy) document.
