In this article we will deal with a series of general aspects of Information Security, also with reference to the discipline of personal data protection. Those who follow this blog know that this is not a new topic: it has already been treated in a series of articles dealing with specific aspects (find here those available in Italian and here those written in English).
In this further article we will try to set up the discussion from a more general standpoint, one that can be applied, in its founding principles and in the resulting implementation good practice, to almost any information system being designed. The hope, as always, is that the article will be useful to those who are working on a project design and want to deepen their knowledge of an area that becomes more important day after day.
As always, before talking about a topic we consider it useful to start from its definition: by Information Security (or InfoSec) we mean the set of studies, research and theoretical and practical knowledge concerned with the protection of information, in whatever form it is stored and transmitted.
The CIA Triad
In turn, protection can be defined (ISO/IEC 27000) as the preservation of the confidentiality, integrity and availability of information.
- Confidentiality: the property of information being accessible only to authorized individuals, entities or processes.
- Integrity: the property of information remaining complete and accurate, protected against unauthorized or accidental alteration.
- Availability: the property of information being accessible and usable (within the expected timeframe) on demand by an authorized individual, entity or process.
In Information Security it is common to refer to these three properties as the CIA parameters or CIA triad; the acronym is also used by most vendors of industrial and OT cybersecurity solutions worldwide.
InfoSec and IT Security
In recent years, thanks to the exponential spread of digital tools, the field of action of Information Security has become increasingly attributable to the IT sector: this has led to a progressive extension of that field, which today covers not only information as such (intended as "organized and meaningful data") but also the technologies and processes used to handle it: in other words, IT Security (in Italian, sicurezza informatica).
This progressive overlap has generated a certain confusion, exacerbated in Italy by the fact that "Information Security" is often improperly translated as "sicurezza informatica", thus exchanging the purpose (information) with the means, or rather with one of the means of processing (information technology): a real metonymy, which often finds partial justification in the fact that the two contexts have many points of contact when the information in question resides on or transits through computer systems.
At the same time, however, it is important to underline that the two terms are not interchangeable, as they refer to different fields of action that may well not coincide. Let's try to understand the difference with a couple of examples:
- when information is not stored in and/or does not transit through an IT system, its protection is a matter of Information Security but has nothing to do with IT Security;
- when a group of hackers attacks a computer system that holds no information and/or does not affect the CIA parameters of any information (think of a temperature controller, for example), the attack is an IT Security problem but does not impact Information Security in the least.
The keywords of IT Security are Resilience, Robustness and Reactivity (RRR or R3): the characteristics a technology must possess to withstand attacks aimed at compromising its functioning.
InfoSec, Cybersecurity and Data Security
Still within the scope of definitions, let's try to explain the relationships between Information Security (or InfoSec) and the other security areas mentioned in the title of this article: what is the relationship between InfoSec, Cybersecurity and Data Security? Are these different ways of expressing the same concept, or are there real differences, as in the case of IT Security?
These are perfectly legitimate questions, since the definitions used in many texts, insights and sector publications tend to overlap or get confused with each other, also because of a series of highly situational translations, made at different times, which are not always meant to be taken literally.
On closer inspection, even though the definitions above are certainly related, using them as synonyms is imprecise. Trying to draw the appropriate distinctions, we could say that:
- Information Security (or InfoSec), as we have already said, deals with the protection of information in whatever form it is stored and transmitted: consequently, it covers not only technological countermeasures but also purely organizational, legal and human aspects.
- Cybersecurity is essentially a synonym for IT Security, which we discussed in the previous paragraph: a sort of "subset" of Information Security concerning information stored on or made accessible from computer systems, but one that can also have its own autonomous and independent dimension. The term "cybersecurity" derives from Cyberspace, a word coined by the writer William Gibson in the early 1980s in the context of Cyberpunk literature. The prefix cyber, as Gibson himself admitted, was chosen without worrying too much about its actual meaning (from the Greek for "steersman", which is also the root of cybernetics, a discipline that has no direct connection with cybersecurity): the translation "sicurezza cibernetica" (cybernetic security), which non-experts sometimes venture, is therefore completely wrong and leads badly astray.
- Data Security is also a subset of Information Security and refers to all the protection measures aimed at preventing unauthorized processing of data, with particular emphasis on data stored digitally (computers, databases, websites, storage devices such as hard disks and USB drives, etc.). Data Security also includes techniques aimed at preventing the destruction and/or loss of data (backup, disaster recovery) and the encryption of data in transit, at rest and end-to-end. Not infrequently the term Data Security is used as a synonym for Data Protection (in Italian, protezione dei dati), even though this second term has a more general meaning, also covering the legal and regulatory provisions that protect data and their correct use. It is therefore correct to think of Data Security as a set of methodologies that apply some key aspects of Data Protection (specifically, those relating to data processing) to a specific context.
Beyond these evident specificities, the reason for the terminological confusion between the various definitions is quite easy to explain: with the progressive digitization of every kind of information made possible by the ongoing technological evolution, the scope of these definitions is extending to the world of automation, artificial intelligence and the Internet of Things (IoT). In this way both the technological specificity of Cybersecurity and the purely "digital" declination of Data Security inevitably tend to shrink, or rather to merge, in increasingly interdependent ways, with a set of other social and cultural processes and systems, falling fully within the global context of Information Security (InfoSec).
This process, far from being a simplification, forces project managers, functional analysts and all the figures most involved in modern risk analysis procedures to adopt a similarly broad point of view, not limited to the purely IT field, and to address the whole set of problems that can arise throughout the processing and storage of data: from physical access to logical access, from in-transit activities to those carried out at rest, from information stored on clients to information accessible from servers, and so on.
Information Security and Risk Management
We have underlined the absolute importance of following the flow of data, rather than imagining it in a static position in time or space: information is in continuous movement, and to protect it adequately it is necessary to keep track of this path through a detailed and precise tracking system (mapping).
To manage these aspects of the analysis correctly, two kinds of tool are indispensable: those born in the Data Protection context, such as the Record of Processing Activities (provided for in Article 30 of the General Data Protection Regulation, Regulation (EU) 2016/679, known as GDPR or, in Italy, RGPD), and those borrowed from Risk Management, such as the Risk Register (described in the UNI ISO 31000:2010 guidelines, then adopted in the latest edition of ISO 9001:2015 and confirmed again in UNI ISO 31000:2018) and, more generally, the concept of risk-based thinking, which also derives from the same ISO standards.
From an Information Security perspective, the risk management process aims to identify, estimate and manage the risks that may compromise the Confidentiality, Integrity and Availability of information, depending on the characteristics of its format (paper/digital), its storage location, the access and transmission methods, and so on: once identified, these risks must be measured on an assessment scale that takes into account their probability (how likely they are to occur) and their impact (the level of compromise of the data attributable to them).
These risks require appropriate countermeasures, in the case of potential risks that have not yet materialized, or remediations, when they are determined by systems, tools or processes already introduced and active within the organization: the objective, of course, is to ensure that information is processed and protected with suitable strategies and tools.
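The two ideas above, mapping the path of a piece of information and keeping a risk register scored on probability and impact against each CIA property, can be tied together in a few lines of code. The following Python is an added example written for this article, not a tool described by the author or by any standard: the 1 to 5 probability and impact scales, the "high"/"medium" cut-offs, the flow steps and the risks are all constructed for illustration, and the countermeasure/remediation distinction follows the paragraph above.

```python
from dataclasses import dataclass

# Assumed 5-point scales (1 = lowest). ISO 31000-style assessments commonly
# use a similar probability x impact matrix; the exact cut-offs are assumptions.
PROBABILITY = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
HIGH_THRESHOLD = 15    # assumption: score >= 15 rates "high"
MEDIUM_THRESHOLD = 8   # assumption: score >= 8 rates "medium", below is "low"


@dataclass(frozen=True)
class FlowStep:
    """One point on the information's path (the 'mapping' of the article)."""
    name: str
    fmt: str        # "paper" or "digital"
    state: str      # "at-rest" or "in-transit"
    location: str   # where the data sits: "reception", "client", "LAN", "server"...


@dataclass(frozen=True)
class Risk:
    step: FlowStep
    threat: str
    prop: str                        # CIA property threatened: "C", "I" or "A"
    probability: str
    impact: str
    already_in_place: bool = False   # caused by a system/process already operating

    def score(self) -> int:
        return PROBABILITY[self.probability] * IMPACT[self.impact]

    def rating(self) -> str:
        s = self.score()
        if s >= HIGH_THRESHOLD:
            return "high"
        if s >= MEDIUM_THRESHOLD:
            return "medium"
        return "low"

    def treatment(self) -> str:
        # Article's distinction: a countermeasure for a potential risk,
        # a remediation when the risk stems from something already active.
        return "remediation" if self.already_in_place else "countermeasure"


def sort_register(risks):
    """Risk register ordered by descending score, then CIA property, then step."""
    return sorted(risks, key=lambda r: (-r.score(), r.prop, r.step.name))


def worst_per_property(risks):
    """Highest score recorded for each CIA property along the whole flow."""
    worst = {"C": 0, "I": 0, "A": 0}
    for r in risks:
        worst[r.prop] = max(worst[r.prop], r.score())
    return worst


def needing_treatment(risks, min_rating="medium"):
    """Entries rated at or above min_rating, grouped by kind of treatment."""
    order = {"low": 0, "medium": 1, "high": 2}
    out = {"countermeasure": [], "remediation": []}
    for r in sort_register(risks):
        if order[r.rating()] >= order[min_rating]:
            out[r.treatment()].append(r)
    return out


# Constructed sample flow: a customer record filled in on paper, scanned on
# a reception PC, uploaded over the LAN and archived on a document server.
PAPER = FlowStep("paper form at the front desk", "paper", "at-rest", "reception")
SCAN = FlowStep("scan on reception PC", "digital", "at-rest", "client")
UPLOAD = FlowStep("upload to document server", "digital", "in-transit", "LAN")
ARCHIVE = FlowStep("document server archive", "digital", "at-rest", "server")

SAMPLE_RISKS = [
    Risk(PAPER, "form left visible on the counter", "C", "likely", "moderate"),
    Risk(SCAN, "local copy never deleted from the PC", "C", "almost certain", "major", True),
    Risk(UPLOAD, "plaintext transfer on the LAN", "C", "possible", "major", True),
    Risk(UPLOAD, "file altered in transit", "I", "unlikely", "major"),
    Risk(ARCHIVE, "no backup of the archive volume", "A", "possible", "severe", True),
    Risk(ARCHIVE, "ransomware on the server", "A", "possible", "severe"),
]

if __name__ == "__main__":
    for r in sort_register(SAMPLE_RISKS):
        print(f"{r.score():2d} {r.rating():6s} {r.prop} {r.treatment():14s} "
              f"[{r.step.fmt}/{r.step.state}] {r.step.name}: {r.threat}")
    print(worst_per_property(SAMPLE_RISKS))
```

Because each risk is attached to a step that records format, state and location, the same register answers both the Data Protection question (where is the data and in what form) and the Risk Management one (which point of the path exposes which CIA property the most); in the sample, the highest confidentiality exposure is the forgotten local copy on the client, not the transfer or the server.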