Information Security

What is Information Security about?

Information is hard currency. Information security is about protecting your valuable information so that it is not destroyed or lost and does not fall into the wrong hands. It covers all types of information: figures, text, sound, images or film. The information can be stored and processed on paper or in computer files and can be communicated via e-mail or human speech.

Three basic concepts

  • Confidentiality: To prevent information from being disclosed to unauthorised persons.

  • Accuracy: That we can trust that the information we use in our business is correct and complete and not manipulated.

  • Accessibility: To ensure that the information is accessible and useful when we need it.

In general, it is not possible to rank these three principles. However, requirements and needs vary with the type of information and the situation in which it is processed.

Threat landscape

In today's digitalised world, where almost all computers are connected via the internet, information is exposed to completely different threats than before. Threats can come from individuals, but they can also come from organised crime, governments or terrorists. Attackers try to break into organisations' computer systems to steal or destroy data for their own gain. There is a constant battle between threats from attackers and data protection.

Extended concept

Due to digitalisation, the concept of information security has been extended to include IT-security (IT = information technology) and cyber security.

  • Information security is about security for information that can be both physical and digital (handwritten papers or information in computer systems).

  • IT-security is about security for information in computer systems and their interconnections.

  • Cyber security can in principle be equated with IT-security or security in cyberspace (internet).

Information security is thus the collective name. IT-security / cyber security are parts of information security.

Tools in information security work

There are a number of good standard tools to lean on when it comes to information security work. Some that are well proven and used all over the world are:

  • CIS Controls, which is a comprehensive package of measures for IT security with a number of control points.

  • NIST CSF (Cybersecurity Framework), which sets out how to structure risk work, measure risk, select security measures and perform security work in an organisation.

  • The ISO 27000-series, which is a management system for information and cyber security that is based on a business-adapted risk analysis and where the security work follows a clear process.

Information security is a complex area

The person responsible for the work with information security in an organisation needs to have a number of skills and abilities to be able to communicate with various actors within and outside the organisation.

In addition to IT-oriented subjects such as computer technology and informatics, social science and behavioural science subjects such as business administration, psychology and law are also included.

The responsibility of management and employees

Management has the overall responsibility for information security within the organisation and is ultimately responsible in the event of incidents. It is the management's task to organise the information security work so that damage can be minimised in the event of a cyber attack.

In the organisational hierarchy, the managers of the various parts of the business are then responsible for the information security in their parts. The individual employee is responsible for information security in their own tasks.

The unintentional mistakes of your own employees can also give rise to incidents. Education and the creation of an information security culture throughout the organisation are therefore also important measures for information security.
