In summary, we can understand information security as protection against unauthorized use or access to information.
Considering that information is one of the most valuable assets of an institution or company, it is essential to reduce as much as possible the risks of leaks or loss of data, file or database fraud, human or operational errors, misuse of systems due to lack of training, network or service outages, information theft or any other threat that could harm the company.
Information security is not limited to computing systems, nor to information in digital format. Because the concept applies to all aspects of information or data protection, in the various possible forms. The level of protection must correspond to the value/importance of this information and the losses that could result from improper use of the data. It is also necessary to remember that information security covers all infrastructure that allows its use, such as processes, equipment, systems, services, technologies, and others.
In security, we have three principles that underlie and guide the analysis, planning and implementation of security in companies that wish to protect their information, which are: Confidentiality , Integrity and Availability . In addition, other important attributes are irreversibility , authenticity and conformity. Privacy also demands great concern, considering the evolution of electronic commerce and the information society.
Confidentiality
It consists of ensuring that the information will only be accessible to people/entities with authorization defined by the person responsible. At the same time, information must be protected from any form of unauthorized access. Loss of confidentiality occurs when someone unauthorized gains access to resources/information.
Integrity
There must be a guarantee that the information maintains all the original characteristics defined by the information owner, including actions throughout the data life cycle (creation, maintenance, editing and destruction). We have a loss of integrity when information is altered unduly or when it cannot be guaranteed that the data is up to date, for example.
Availability
It is the guarantee that information is available for access at the desired time. It corresponds to the effectiveness of the system, the correct functioning of the network so that when information is needed it can be accessed. Lack of availability occurs when access is desired and the expected access is not possible.
Other important concepts in information security are:
- Authenticity : guarantee of identification of the source declared as coming from the information and that the data has not changed throughout a process.
- Irrevocability : must guarantee the impossibility of denying authorship in relation to a transaction carried out.
- Compliance : ensures that the system complies with laws and regulations associated with the type of process.
- Privacy : the exposure and availability of information must be controlled according to the content and importance of the data
We can see that the concepts that underlie information security are broad and complement each other. Therefore, companies need to seek actions in their security policy that meet all these concepts, as vulnerabilities and threats to information security are directly related to the loss of any of the three main security characteristics.
To develop a security policy, the risks associated with a lack of security ; the benefits and advantages and costs of implementing the mechanisms . The investment can be high, but the risk and the occurrence of security problems can cost companies much more.
1 comment
Comments closed