Kenny Natiss is the Founder of The LCO Group, a NYC-based IT solutions and support company with clients ranging from law firms to finance companies. Mr. Natiss is a frequent contributor in news segments on data security and how companies can do a better job securing your personal information. He explains below everything a layperson needs to understand about Information Security today.
Kenny Natiss reports that IT security in general is more critical than ever in the modern digital landscape. Many organizations utilize a set of practices that keep information away from unauthorized access. This overriding concept, also known as Information Security, covers a number of key principles.
What Is the Definition of Information Security?
Sometimes abbreviated as InfoSec, it is a set of protocols that keeps data safe from corruption or unauthorized access and is also referred to as data security. InfoSec protects sensitive information from any unauthorized activity. Kenneth Natiss says this could include inspection, recording, or another form of disruption. The purpose is to ensure the privacy and integrity of the data itself, such as financial information, intellectual property, and account details. The consequences of any security incidents can obviously disrupt work processes, damage a company’s reputation, and incur costly damages.
What Is the Difference Between Information Security and Cyber Security?
Generally speaking, “Information Technology” is often used as an umbrella term for all things computers, and many think Information Security and cybersecurity are interchangeable. However, cybersecurity is the practice of defending IT assets from any external attack (locking bad guys out of your system entirely), and Information Security is the discipline of protecting stored data from leaks, chain-of-custody/access issues, and corruption. While there is some overlap between the two, Information Security is definitely its own thing.
What Are the Three Principles of Information Security?
Kenny Natiss reports that the top components of Information Security, collectively known as the “CIA Triad,” are confidentiality, integrity, and availability.
Confidentiality of Information
The first principle of Information Security is the confidentiality of information. It is closely related to privacy, as it demands that the information is only available to a specific set of users. Confidentiality covers using the data, as well as viewing or accessing it. One component of cybersecurity is to define who has access to specific data and assets. One area in which confidentiality is critical is regulatory compliance. Depending on the industry, an organization may need to follow different regulatory frameworks, each with its own set of confidentiality rules.
Integrity of Information
The primary purpose of integrity is to ensure that any information stored within a framework is intact and unaltered, apart from authorized changes to the data by the owners or those who have the right to alter it. This focuses less on baseline access and more on restricting the use of information. Additionally, it ensures that data is not deleted, lost, or destroyed. An effective way to ensure this condition is to implement an MDR (Managed Detection and Response) program that looks for threats to integrity. Maintaining the integrity of the information may demand a number of practices, including analytics in addition to MDR. While an MDR program detects threats through continuous monitoring, stops the breach, and performs root cause analysis, more complex analytical processes may be necessary because potential threats may come from within the organization, according to Mr. Natiss.
Availability of Information
The final aspect of Information Security is availability. Kenny Natiss says this ensures that any protected information is available to those who have the right to access it. This tenet ensures that those parties can access it at all times, but under specially defined conditions. This is the ultimate goal of the integrity of information: the information should not be modified or deleted, for the simple reason that the owners or their representatives have the right to access it. Companies find this tenet a challenge because they need to incorporate a systematic approach to third-party risk management. Because availability must be maintained across the whole framework, including third parties, third-party risk management is what improves visibility across it.
It is important to remember that data must be kept confidential, and this means that the owner of the data will need to make key choices about which Information Security principles to focus on. This means assessing the data. The emphasis depends on the industry: in a medical scenario, confidentiality will be the key focus, while in the financial industry data integrity might be the key focus.
These principles are not technical in nature. A common oversight is that companies and individuals looking to protect their assets turn to a piece of security hardware or rely on software to solve their problems. However, Kenny Natiss notes that an Information Security policy is a document created by an organization, based on its own specific needs, to establish what data needs to be protected and how. Using an Information Security policy allows an organization to decide on the appropriate IT solutions and tools, while also ensuring that the responsibilities of the company are strictly enforced.