The Goal of Information SecurityInformation security follows three overarching principles:
- Confidentiality: This means that information is only being seen or used by people who are authorized to access it.
- Integrity: This means that any changes to the information by an unauthorized user are impossible (or at least detected), and changes by authorized users are tracked.
- Availability: This means that the information is accessible when authorized users need it.
IT Security Best PracticesThere are many best practices in IT security that are specific to certain industries or businesses, but some apply broadly.
- Balance Protection With Utility
Computers in an office could be completely protected if all the modems were torn out and everyone was kicked out of the room - but then they wouldn’t be of use to anyone. This is why one of the biggest challenges in IT security is finding a balance between resource availability and the confidentiality and integrity of the resources.
Rather than trying to protect against all kinds of threats, most IT departments focus on insulating the most vital systems first and then finding acceptable ways to protect the rest without making them useless. Some of the lower-priority systems may be candidates for automated analysis, so that the most important systems remain the focus.
- Split up the Users and Resources
For an information security system to work, it must know who is allowed to see and do particular things. Someone in accounting, for example, doesn’t need to see all the names in a client database, but he might need to see the figures coming out of sales. This means that a system administrator needs to assign access by a person’s job type, and may need to further refine those limits according to organizational separations. This will ensure that the chief financial officer will ideally be able to access more data and resources than a junior accountant.
That said, rank doesn’t mean full access. A company's CEO may need to see more data than other individuals, but he doesn’t automatically need full access to the system. This brings us to the next point.
- Assign Minimum Privileges
An individual should be assigned the minimum privileges needed to carry out his or her responsibilities. If a person’s responsibilities change, so will the privileges. Assigning minimum privileges reduces the chances that Joe from design will walk out the door with all the marketing data.
- Use Independent Defenses
This is a military principle as much as an IT security one. Using one really good defense, such as authentication protocols, is only good until someone breaches it. When several independent defenses are employed, an attacker must use several different strategies to get through them. Introducing this type of complexity doesn’t provide 100 percent protection against attacks, but it does reduce the chances of a successful attack.
- Plan for Failure
Planning for failure will help minimize its actual consequences should it occur. Having backup systems in place beforehand allows the IT department to constantly monitor security measures and react quickly to a breach. If the breach is not serious, the business or organization can keep operating on backup while the problem is addressed. IT security is as much about limiting the damage from breaches as it is about preventing them.
- Record, Record, Record
Ideally, a security system will never be breached, but when a security breach does take place, the event should be recorded. In fact, IT staff often record as much as they can, even when a breach isn't happening. Sometimes the causes of breaches aren’t apparent after the fact, so it's important to have data to track backwards. Data from breaches will eventually help to improve the system and prevent future attacks - even if it doesn’t initially make sense.
- Run Frequent Tests
Hackers are constantly improving their craft, which means information security must evolve to keep up. IT professionals run tests, conduct risk assessments, reread the disaster recovery plan, check the business continuity plan in case of attack, and then do it all over again.