Kenny Natiss discusses InfoSec principles you should know
Kenny Natiss is the founder of The LCO Group, a New York-based IT solutions and support company with clients ranging from law firms to finance companies. Mr. Natiss frequently contributes to news segments on data security and on how businesses can better secure the personal information they hold. Below, he explains what a layman should understand about information security today.
Kenny Natiss reports that IT security in general is more critical than ever in the modern digital landscape. Many organizations use a set of practices that protect information from unauthorized access. This overarching concept, also known as information security, covers a number of key principles.
What is the definition of information security?
Sometimes abbreviated as InfoSec, this is a set of protocols that protects data against corruption or unauthorized access and is also called data security. InfoSec protects sensitive information from unauthorized activity. Kenneth Natiss says this could include inspection, recording or some other form of disruption. The goal is to ensure the confidentiality and integrity of the data itself, such as financial information, intellectual property, and account details. The consequences of any security incident can obviously disrupt work processes, damage a company’s reputation and lead to costly damage.
What is the difference between information security and cybersecurity?
Generally speaking, “information technology” is often used as a generic term for anything related to computers, and many believe that information security and cybersecurity are interchangeable. However, cybersecurity is all about defending IT assets against any external attack (completely locking the bad guys out of your systems), while information security is the discipline of protecting stored data from leaks, chain of custody and access issues, and corruption. While there is some overlap between the two, information security is definitely its own discipline.
What are the three principles of information security?
Kenny Natiss reports that the main components of information security, also known as the “CIA Triad,” are confidentiality, integrity, and availability.
Confidentiality of information
The first principle of information security is the confidentiality of information. It is closely linked to privacy, since it requires that information be available only to a specific set of users. Privacy refers to how data is used, as well as how it is viewed or accessed. One of the components of cybersecurity is defining who has access to specific data and assets. One area where confidentiality is essential is regulatory compliance. Depending on its industry, an organization may need to follow different frameworks, each with its own set of privacy rules.
Integrity of information
The main purpose of this principle is to ensure that any stored information is intact and not altered, except for authorized modifications of the data by its owners or by those who have the right to modify it. It focuses less on basic access and more on restricting the use of information. Moreover, it ensures that the data is not deleted, lost or destroyed. An effective way to ensure this condition is to implement a Managed Detection and Response (MDR) program that searches for threats to integrity. Maintaining the integrity of information may require a number of practices, including analysis in addition to the MDR. While an MDR program detects threats through continuous monitoring, stops the breach and performs root cause analysis, more complex analytical processes may be required because potential threats can also originate from within the organization, according to Natiss.
Availability of information
The last aspect of information security is availability. Kenny Natiss says this ensures that any protected information is available to those who have the right to access it. This principle guarantees that those parties can access it at any time, but under specially defined conditions. This is the ultimate goal of information integrity: information should not be changed or deleted, for the simple reason that owners or their representatives have the right to access it. Companies find this principle difficult because they need to incorporate a systematic approach to third party risk management. Since the availability of information must extend across the whole framework, including to third parties, this is where third party risk management can improve visibility across the framework.
It’s important to remember that data must be kept confidential, which means the data owner will have to make key choices about which information security principles to focus on. That means evaluating the data, and the answer depends on the industry: in a medical scenario, for example, privacy will be the key goal, while in the financial industry data integrity can be the key goal.
These principles are not of a technical nature. A common oversight is that businesses, and anyone else looking to protect their assets, look to security hardware or rely on software to solve their problems. However, Kenny Natiss notes that an information security policy is a document created by an organization, based on its own specific needs, to establish what data should be protected and how. Using an information security policy enables an organization to decide on the appropriate IT solutions and tools, while ensuring that corporate responsibilities are strictly enforced.