In our business we talk a lot about cyber security, IT security, information risk and information assurance and but what do the terms really mean?
We want you to fully get to grips with Information risk management (there’s another one!) and what it’s all about and so have outlined the core terms below.
Information Risks. Information risks are the threats and vulnerabilities every organisation faces today. When it comes to the information you rely on there is a growing need for protection from loss, damage or malicious attack.
Protection means three things:
- Confidentiality – your information should only be accessible to those with a genuine business need.
- Integrity – your information needs protection from unauthorised changes.
- Availability – your information needs to be available to the right people at the right time.
IT or Computer Security. The technical security controls used to protect the functionality of IT systems or the information they store. These controls are developed to protect the confidentiality, integrity or availability of information.
“Modern IT security: at the basic end of the spectrum, this means keeping all software patched, minimising exposure to attack via un-trusted networks and auditing for unusual behaviour.
At the more complex end, it is about broad and comprehensive monitoring to quickly detect and respond to intrusions.
At both ends, it’s about ensuring you know when an attacker has got into your network, minimising the (temporary) access they enjoy, ensuring you know what they’ve done, knowing you can kick them out quickly, and being sure they can’t get back in the same way.”
Dr Ian Levy, Head of CESG, quoted in the Guardian Government Computing, 25 October 2011.
Information Security. All controls (physical, procedural, personnel and technical) that are used to protect the confidentiality, integrity and availability of information, regardless of form (on IT systems, hardcopy prints, telephone lines etc.) Information security is the term used in the commercial world (for government sectors see IA). It is the result we all want – adequate protection for valued information.
Information Assurance (IA). Information Assurance (IA) expands on Information Security to highlight the need for formal assurance requirements. IA is the term used by most western governments.
“The confidence that information systems will protect the information they handle; function as they need to, when they need to; and be under the control of legitimate users.”
Cyber Security. Expands on Information Assurance or Information Risk Management to include the ability to proactively respond to the threats. Cyber security involves protecting information by preventing, detecting and responding to attacks.
Information Risk Management (IRM). The solution. The process of identifying, understanding and managing the risks to your information within the context of an organisation’s business needs. It is what we do here at Ascentor (see:Information Risk Management the Ascentor Way).
“The systematic application of management policies, procedures and practices to the tasks of analysing, evaluating, treating and monitoring information related risks.”
Please let us know of any jargon we’ve missed and that you’d like a definition for. We will add it to our jargon buster.