Information Security vs. IT Security
The terms Information Security and IT Security are often used interchangeably, because both disciplines have similar goals—to protect your information assets and the business operations that rely on them. These assets include both the intangible value of your intellectual property and your Information Technology systems.
However, business managers who do not understand the distinction often leave information security to the IT manager alone, without the engagement of upper management that is required to integrate information security properly into operations. For a business that does not require a robust information security program, this may be appropriate. But for a business that should have one, this can be an expensive and even disastrous mistake.
Below are detailed descriptions of IT Security and Information Security, followed by some examples of where each type of program best applies.
Information Technology (IT) refers to your hardware, software, and data: servers, storage devices, removable media (like tapes and disks), computers, laptops, tablets, conventional and IP-based telephony, mobile phones, routers, switches, Wi-Fi access points, printers, scanners, operating system software, server applications, user applications, unstructured data files, and databases. This includes platforms, applications, and data in the cloud as well as on-premises.
IT Security implements best practices for technical configuration of the system. For routine IT system operations, this includes:
- Password complexity and aging requirements;
- Authentication mechanisms;
- User account privilege management;
- File and folder permissions;
- Implementation of encryption for privacy and digital signatures for authenticity;
- High availability configurations (redundancy and replication);
- Data and configuration backups;
- Network segmentation and firewall configuration management;
- Destruction of disused data storage devices;
- Audit logging and event correlation;
- Software patch process or vulnerability management plan;
- Anti-malware software;
- Physical access control for servers, storage, and network equipment;
- Control of storage media handling;
- Equipment, software, and data inventory;
- Baseline metrics and anomaly detection systems.
For custom (in-house) software and database development, IT Security can oversee vulnerability management systems integrated with the software development process, as well as a range of database design considerations that prevent information leakage through inference.
All of this is handled by Information Technology professionals.
Information Security includes all aspects of IT Security, but links management objectives and risk tolerance determinations to guide the IT Security policy, and other operational policies and procedures to support Information Security. The resulting Information Security Program implements:
- Information Security strategy, derived largely from the Risk Management process, which defines the desired state of security based on the assessed likelihood and impact of threats to information assets, together with an action plan to reach it;
- Information Security Policy, which directs IT Security and coordinates it with non-IT operational and administrative policies;
- Security architecture, either as a general goal, or with certification and/or accreditation, which guides the overall design of the IT system;
- Designated roles and responsibilities;
- Data classification system;
- Designated data owners and custodians;
- Incident management and response program, with after-action reviews;
- Training and awareness programs for users;
- Change control procedures;
- Formal process for requesting user access;
- Risk management program;
- Employee screening, on-boarding, and termination policies and practices;
- Job assignments: separation of duties and job rotation;
- Negotiated contracts with third-party service providers and suppliers to establish information security standards;
- Sharing of security intelligence with business partners and other key stakeholders;
- Defined performance metrics and a plan to collect data to monitor the implementation and maintenance of the Information Security Program, and identify areas that need improvement.
The exact title can differ, of course, but the Chief Information Security Officer (CISO) will manage the Information Security Program. In a large organization, this can be a full-time job. In a smaller organization, it may be an assigned task of another executive, or an outsourced professional service provider.
Both disciplines have the same goal, and that is to ensure the following for your applications and data:
- Confidentiality—protecting information from being disclosed to parties not authorized to view or possess it, whether by accidental exposure or deliberate infiltration.
- Integrity—protecting applications and information from being corrupted, modified, encrypted, deleted, or forged by malicious actors, hardware or software failure, human error, or poorly-defined procedures.
- Availability—ensuring applications and supporting systems are running properly, and that servers, files, and databases are accessible.
Here are a few use case examples for IT Security vs. an Information Security Program.
- Your company has twenty employees. Your IT system consists of a single server that handles user accounts and stores shared documents. Your company issues laptops, and you have an IT manager who configures them according to his IT security plan, including anti-malware software and limited privileges for users. Changes to user accounts and passwords are handled by IT, and either of two managers with knowledge of the entire company's operations approves any request for permissions to restricted files. Data is backed up nightly to local storage, as well as weekly to an Internet-based backup provider. In this case, so long as the IT manager keeps management informed of security breaches and makes recommendations for improvement, and so long as management performs risk assessments and guides the IT manager as to business requirements (such as the MTD (maximum tolerable downtime) and RPO (recovery point objective) of critical equipment and data), the business can maintain its Information Security informally, through the application of IT Security.
- Your company is the same as above, except you have been without an IT systems manager for over a year. Users have administrator privileges to install and configure software on their own, which isn't a good security practice. No one has been monitoring data backups, performing updates on the server, reviewing anti-malware alerts, or installing software patches on workstations. In this case, you may choose to hire an IT systems manager and throw him into the mess to fix it. But, because of the obvious large gap between your current Information Security position and where it should be, you should develop a formal Information Security Program, especially if you were without an IT systems manager because the business owner doesn't think your company needs to have that position permanently filled.
- Your company has twenty employees, and most of them are software developers, including outsourced foreign contractors who connect remotely to your on-site development web servers. You have a high-profile website that generates a tremendous amount of advertising revenue, hosted with a public cloud services provider. Although you have a competent and capable IT systems manager, because of the unusual complexity of your system and the high value of your assets, your company should develop a formal Information Security Program.
Whichever use case applies to your business, J.D. Fox Exec can help, from developing a simple Information Security Program, to the full process including Enterprise Risk Management for Information Security, Disaster Recovery, and Business Continuity. And we'll develop all of it in stages, so we will have a roadmap to achieve the value you expect for every phase of investment in money, time, and operational changes to reach your security and continuity objectives.
To get started, contact J.D. Fox Exec today.