WHAT DEFINES EFFECTIVE INFORMATION SECURITY?
Information is valuable to both organizations and individuals. It is therefore important that information does not end up in the wrong hands and get abused, but is instead available to the right people at the right time.
Effective security work is largely about minimizing and managing risks to ensure that information is not leaked, corrupted or destroyed. In addition, the information must be available when needed. Effective information security is achieved by managing risk levels, so that the cost of protecting the information is weighed against the value of the information.
FUNDAMENTALS OF INFORMATION SECURITY
Information security applies regardless of whether the information is printed on paper, stored electronically, mentioned in a conversation or transmitted by email. Information security is thus a broad concept that includes:
- Legal – privacy protection for personal data through, for example, requirements for registers of processing activities, data processor agreements and a DPO
- Administrative protection – for example, the creation of rules and procedures to support, among other things, business continuity management
- Technical IT security – technical controls in the IT environment such as firewalls, protection against malicious code and the maintenance of logs
- Education and awareness – increasing knowledge and awareness of security matters through, for example, traditional training, webinars or awareness tools
Comprehensive information security work therefore requires both a mix of controls involving people, processes and technologies, and expertise in IT security, administrative duties and legal issues. Additionally, all knowledge and regulations must be communicated in a simple and clear manner. The entire organization and each individual must understand what is required of them, the significance of information security and its importance to the business. Security is never stronger than its weakest link, and therefore requires the organization to have a functioning security culture.
Information Security Standards
Which security risks and threats your organization needs to protect against varies depending on the value of your information and the complexity of your business. However, the end result should always be adequate protection: good enough, but at the same time neither too complicated nor too expensive.
With such a flexible goal, it is no wonder that several different standards, methods and best practices exist in the field of information security that aim to achieve it. Some common examples of such standards are the ISO 27000 series, the Critical Security Controls (CIS Top 20) and the NIST Framework for Cyber Security. There is also a wide range of laws and regulations that govern information security, such as the General Data Protection Regulation (GDPR) and the NIS Directive.
SS-EN ISO/IEC 27001 Information Security Management System is an international multi-level standard in the area of managing information security work. In 2011, MSB launched the first methodological support for systematic information security work, then called method support for ISMS (information security management system). The method support is based on the 27000 standard.
The Center for Internet Security (CIS) has created a package of actions consisting of 20 control points designed to help organizations and businesses prioritize between different security measures and create a secure cyber environment for both themselves and their co-workers.
The National Institute of Standards and Technology (NIST) has divided cyber security into five core processes that aim to provide a strategic picture of an organization’s risk management and its lifecycle in terms of cyber security.
The General Data Protection Regulation, also known as GDPR, can be described as information security concerning personal data only, whereas information security in general is about protecting all information that is worth protecting. Unlike many other standards, the requirements of GDPR are mandatory and also require organizations to be transparent about their processing activities, meaning that the data subjects know who processes their personal data and why.