Information securityWhat is the difference between information security and IT security?
What is information security - Definition
What is information security anyway?
In brief, the definition of information security is the protection of a company's information, regardless of its nature or origin. This includes information of both technical and non-technical nature. This means that the focus of information security is on information on paper, that in people's pockets, but of course also on IT. Information security strives for compliance with established security objectives.
Information Security - Objectives
Information security thus aims to protect all a company's sensitive information, on the one hand against unauthorised intentional acts, such as access or manipulation, and on the other hand against force majeure, such as fire, water, etc., and thus ultimately against possible major economic or reputational damage.
To ensure effective protection of information, information security should be organised within the framework of a management system with processes defined accordingly.
What is the difference between information security and IT security?
Now, mere technical protection through firewall systems, for example, is no longer sufficient to protect companies and must be accompanied by comprehensive organisational measures. Corresponding measures include setting up an organisational structure, determining the desired security level and security objectives. In addition, other measures include the creation of a security strategy and the security concept, as well as the definition of processes for threat analysis, for testing and monitoring, for auditing, for continuous improvement, and so on.
Distinction between information security and IT security.
In many companies, a distinction is made between information security and IT security (also cyber security, cyber resilience). This is partly due to the technical requirements for employees. IT security focuses on protecting all IT infrastructures, IT systems and applications that process information. All information handling here takes place at a purely technical level. IT security should therefore be considered a subfield of information security. Information security, on the other hand, übergeordneter, by definition, works with both technical and non-technical information and is also concerned with the organisation.
What does technical/non-technical actually mean?
Although it sounds complicated at first glance, the definition behind it is simple:
Information today can exist in very different forms. Information can exist as a digital file on a computer or serve the purpose of, say, network or computer security. This is the technical or IT area. Information security and data protection are also a topic here.
But at the same time, information can also exist in another form. For example, in the form of a paper archive in which important data is recorded. Moreover, important information can also be transmitted verbally, from person to person. A company's premises are also such a non-technical or non-digital system and part of information security.
The protection objectives of information security are thus not limited to IT systems and digital data. Rather, information security serves to secure all relevant data in technical and non-technical areas.
Objectives of information security - definition of protection objectives.
The classic security objectives/protection goals of information security are:
- The confidentiality - protection of information from unauthorised knowledge
- The integrity - prevention of unauthorised modification of data, or at least it must be possible to detect that modifications have been made
- The availability - concerns both information technology systems and the data processed therein and includes ensuring that the systems are operational at all times and that the data are accessible as intended.
- The authenticity - data must be uniquely identifiable to a sender. Care must be taken to ensure that the information is genuine and credible (source acknowledgement) or that IT systems and IT applications are tamper-free and inviolate. The sender can be a person, a system or an application of information.
Other possible security objectives/protection goals of information security are.
- Not traceable,
- Pseudonymity (protection against identification by name, e.g. according to § 3 para 6a BDSG), imperceptibility (ensures that it cannot be determined who is sending or receiving data),
- Concealment (no one except the communication partners knows that communication is taking place),
- Anonymity (protection against identification. It is also a consequence of unlinkability),
- Auditability (verifiability and traceability through recording and documentation of actions),
- Continuity (ability to establish that „something could be different than it appears“. In contrast, the protection target „Integrität“ allows only the determination that „something is as it is“),
- Reliability (preventing systems from assuming impermissible or undefined states and guaranteeing that the specified function is performed reliably),
- credible deniability.
To achieve these goals, information security management measures are taken.
Data protection and information security - inextricably linked!
The topics of data protection and information security are inseparable. Since much of the data today is in digital form, IT security also comes around the corner again, as it ensures the protection of sensitive data. Only through IT security, as a subfield of information security, is data protection überhaupt possible. Data protection and information security are thus closely linked.
Simplified, it can also be expressed as follows: A company's data protection combined with IT security results in holistic information security. The interplay of data protection and information security only works this way - but is all the better for that.
My threats as a guideline for information security.
Because information can exist in many different ways, the possible threats to data loss or damage are also multifaceted. So again, threats naturally operate on both technical and non-technical levels, and the following information security guideline makes sense:
- Threats at the technical level include attacks by hackers, espionage, as well as computer viruses or the modification or decryption of data by unauthorised persons.
- Possible threats at the non-technical level include vandalism, but also natural disasters due to flooding, fire or storms.
Information security measures
All these possible threats must be prevented and information of any kind must be protected in this way.
The measures are organised within the framework of a security concept and - like the information itself - take place on a technical and organisational level. The respective management is responsible for planning and organising all measures.
Thereby, information security management is taken in hand, with the help of the information security management system (ISMS). If we now look at the measures taken in the respective technical and non-technical areas, the distinction between the technical and non-technical areas becomes even clearer:
Technical measures of information security are, for example:Ensure that software, virus protection programmes, backup systems and firewalls are available and up-to-date. In addition, this includes ensuring that encryption and authentication procedures always function correctly. IT components such as computers and all important data are stored and kept safe through technical measures.
In contrast, examples of organisational measures are:This is about organisation. According to the definition, such information security measures are, for example: thematic further education and training of employees, which also serve to make them aware of the issue of information security. Moreover, employees may be trained on correct documentation or given guidelines on how to handle passwords and similar sensitive data responsibly.