Definition of information security
Information security means protecting information and information systems from unauthorized activities. These activities include access, use, disclosure, reading, copying or recording, tampering, modification and manipulation.
Main Concepts of Information Security
When information security is mentioned, we instinctively think of computers, passwords, hardware and software locks, firewalls, and so on. But this is only one aspect of information security. In its scientific definition, information is a set of data that has meaning and purpose. Nothing in this definition refers to computers or to digital or electronic data. Information can therefore be carried on any medium that conveys meaningful data: print, paper, electronic records, audio and video, and even our spoken statements, and all of these fall within the scope of information security. The three central concepts of information security are the preservation of integrity, confidentiality and availability.
Integrity means preventing unauthorized alteration of data, and detecting any change if information is manipulated without authorization.
Confidentiality means preventing the disclosure of information to unauthorized persons.
Availability means that information is accessible when it is required by authorized persons.
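The integrity definition above has two halves: preventing alteration and detecting it when prevention fails. The following added example (not code from the original page) shows why detection needs a secret key. A record protected by an unkeyed hash can be altered and its hash recomputed by the attacker, so verification still passes; a record protected by an HMAC cannot, because the attacker does not hold the key. The key, the record text and the attacker's behaviour are all constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed for this example: a shared secret known only to the system that
# writes records and the system that verifies them. Never hard-code real keys.
KEY = b"constructed-demo-key-do-not-reuse"

# Constructed sample record and the attacker's preferred replacement.
ORIGINAL = b"transfer 100 to account 42"
TAMPERED = b"transfer 900 to account 42"


def unkeyed_digest(message: bytes) -> str:
    """Plain SHA-256: anyone can recompute it, so it only detects accidents."""
    return hashlib.sha256(message).hexdigest()


def keyed_tag(key: bytes, message: bytes) -> str:
    """HMAC-SHA256: recomputing a valid tag requires the key."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def check_unkeyed(record: tuple[bytes, str]) -> bool:
    message, digest = record
    return hmac.compare_digest(unkeyed_digest(message), digest)


def check_keyed(key: bytes, record: tuple[bytes, str]) -> bool:
    message, tag = record
    # compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(keyed_tag(key, message), tag)


def attacker_tamper(record: tuple[bytes, str]) -> tuple[bytes, str]:
    """The attacker changes the message and recomputes the only thing they
    can: an unkeyed hash of the new text. Without KEY this is their best guess
    at a valid tag."""
    return (TAMPERED, unkeyed_digest(TAMPERED))


def demo() -> dict[str, bool]:
    """Run both schemes against the same attacker and report what each detects."""
    unkeyed_record = (ORIGINAL, unkeyed_digest(ORIGINAL))
    keyed_record = (ORIGINAL, keyed_tag(KEY, ORIGINAL))
    return {
        "unkeyed_original_ok": check_unkeyed(unkeyed_record),
        # The forged digest matches, so the change goes undetected.
        "unkeyed_tamper_detected": not check_unkeyed(attacker_tamper(unkeyed_record)),
        "keyed_original_ok": check_keyed(KEY, keyed_record),
        # The forged tag does not verify under KEY, so the change is detected.
        "keyed_tamper_detected": not check_keyed(KEY, attacker_tamper(keyed_record)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The unkeyed digest still has a use (catching corruption in transit or on disk), but it is not an integrity control against an adversary. Note also that the HMAC provides only integrity and authenticity; the message itself is still readable, so confidentiality is a separate control.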
Information Security Control
A security control is an action taken to protect against, prevent, respond to, or limit the impact of a security threat if it occurs. These actions fall into three categories.
Management (procedural) controls include policies, procedures, standards and written guidelines approved by the responsible authorities.
Logical (technical) controls use software, hardware and data to monitor and control access to information and computer systems.
Physical controls are the physical protection of the work environment and computer equipment, and control over how they are accessed. Examples: doors, locks, heating and air conditioning, smoke and fire alarms, fire suppression systems, cameras, barriers, enclosures, security guards and so on.
Initial information security measures
- Identify the information you want to protect
- Identify the uses of the identified information
- Identify, for each of those uses, which operations on that information are authorized and which are not
Information Security Policy
According to this standard, once the types of information, their uses and their purposes have been identified, they should be covered by the organization's security policy. The policy tells us:
- Which organizational information is important for us to protect?
- Which risks should we prepare for?
- What are the risks to the integrity, confidentiality and availability of our organization's information?
- What actions do we propose to prevent or respond to these risks?
Information Security Structure
Creating a structure for information security helps us answer the following questions.
- What organizational structure is needed to manage information security practices?
- Which committees should be formed, and who should sit on them?
- Are advisers and outside experts used to assist with specialized matters?
- Who performs the periodic reviews that confirm information security practices are correct, and how often?
- What are the organization's policies for dealing with outsiders and contractors who come into contact with the organization's information?
Human resources security
People are one of the major information security challenges in any company or organization, so the following should be controlled.
- Do people know which actions are authorized and which are not, and are they aware of the consequences?
- Are they trained to report information security events (such as software errors, security flaws, viruses, etc.)?
- Are employees screened from an information security point of view?
- What level of screening is required for each job?
- Is there dedicated information security training for new and experienced staff?
Physical and environmental security
Does the organization consider the following issues?
- Defined levels of physical security within the organization
- Attention to spaces, walls, control mechanisms, guards, fences, alarm systems, locks and so on
- Attention to protection against natural disasters such as floods and earthquakes …
- Attention to other incidents such as fire, burst pipes and so on
- Entry and exit controls for the organization
- Working conditions in secure areas
- Defined routes and locations for deliveries and loading
- Installation and protection of important equipment
- Power supplies and energy sources, uninterruptible power supply
- Security of cabling (computer network, telephone, CCTV, fire alarm system, alarm system …)
- Repair and maintenance of equipment
- Security of portable equipment (such as laptops) outside the organization
- Clear desk and clear screen policies
- Procedures for taking property off the premises and returning it to the company
Communication and operations management
Have the following been planned for, with appropriate procedures worked out?
- Controls against software errors and malicious code
- Information backup
- Operator activity logs
- Fault logging
- Agreements for exchanging information and software
- Security of media in transit
- Security in e-commerce
- Email security
- Security of electronic office systems
- Security of publicly available systems
Access to information is a constant source of security problems, so the following should be clearly defined:
- User registration
- Management of user access levels
- Management and use of passwords
- Review of user access rights
- Security of user equipment while the user is absent
- Control of network paths
- User authentication for external connections
- Node authentication
- Protection of remote access ports
- Segregation of networks
- Control of network connections
- Network routing control
- Security of network services
- Logon procedures
- User identification and authentication
- Limits on the time and duration of user connections to the network
- Isolation of sensitive systems
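Several of the items in the list above (user registration, password management, management of access levels, review of access rights, logon procedures and limits on connection duration) can be exercised in one small user registry. The following is an added example written for this page, not code from the original; the roles, permissions, user names and dates are all constructed, and the lockout threshold, session limit and dormancy window are assumed values that a real policy would set.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta

# Constructed role model: access levels are granted by role, not per person.
ROLE_PERMISSIONS = {
    "clerk": {"invoice:read"},
    "accountant": {"invoice:read", "invoice:write"},
    "admin": {"invoice:read", "invoice:write", "user:manage"},
}
MAX_FAILED_LOGINS = 5          # assumed lockout threshold
SESSION_LIMIT = timedelta(hours=8)   # assumed maximum connection duration
DORMANT_AFTER = timedelta(days=90)   # assumed window for "unused account"
NOW = datetime(2024, 1, 15, 9, 0)     # constructed clock for the demo


class UserRegistry:
    def __init__(self) -> None:
        self.users: dict[str, dict] = {}

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        # Memory-hard KDF: stored values are useless without brute-forcing.
        return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)

    def register(self, username: str, password: str, role: str) -> None:
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        salt = os.urandom(16)
        self.users[username] = {
            "salt": salt, "hash": self._hash(password, salt), "role": role,
            "extra_perms": set(), "failed": 0, "last_login": None,
        }

    def authenticate(self, username: str, password: str, now: datetime) -> bool:
        user = self.users.get(username)
        if user is None:
            self._hash(password, b"\x00" * 16)   # same cost whether user exists
            return False
        if user["failed"] >= MAX_FAILED_LOGINS:
            return False                          # locked out, even if correct
        ok = hmac.compare_digest(self._hash(password, user["salt"]), user["hash"])
        if ok:
            user["failed"] = 0
            user["last_login"] = now
        else:
            user["failed"] += 1
        return ok

    def authorize(self, username: str, permission: str) -> bool:
        user = self.users[username]
        return permission in ROLE_PERMISSIONS[user["role"]] | user["extra_perms"]

    def grant_extra(self, username: str, permission: str) -> None:
        # Ad-hoc grants outside the role model are what reviews must find.
        self.users[username]["extra_perms"].add(permission)

    @staticmethod
    def session_valid(login_time: datetime, now: datetime) -> bool:
        return now - login_time <= SESSION_LIMIT

    def review_access(self, now: datetime) -> list[tuple[str, str]]:
        """Periodic access-rights review: flag rights beyond the role and
        accounts that have not been used within the dormancy window."""
        findings = []
        for name, user in self.users.items():
            if user["extra_perms"]:
                findings.append((name, "permissions beyond role: "
                                 + ", ".join(sorted(user["extra_perms"]))))
            last = user["last_login"]
            if last is None or now - last > DORMANT_AFTER:
                findings.append((name, "dormant account"))
        return findings


def demo() -> dict:
    """Constructed walk-through of the registry against its controls."""
    reg = UserRegistry()
    reg.register("alice", "correct horse battery", "accountant")
    reg.register("bob", "hunter2-but-longer", "clerk")
    reg.register("carol", "unused-account-pw", "clerk")
    results = {
        "alice_login": reg.authenticate("alice", "correct horse battery", NOW),
        "alice_bad_pw": reg.authenticate("alice", "wrong", NOW),
        "ghost_login": reg.authenticate("mallory", "anything", NOW),
        "alice_can_write": reg.authorize("alice", "invoice:write"),
        "bob_can_write_before": reg.authorize("bob", "invoice:write"),
    }
    reg.grant_extra("bob", "invoice:write")        # out-of-role grant
    results["bob_can_write_after"] = reg.authorize("bob", "invoice:write")
    for _ in range(MAX_FAILED_LOGINS):
        reg.authenticate("bob", "guess", NOW)
    results["bob_locked_out"] = not reg.authenticate("bob", "hunter2-but-longer", NOW)
    results["session_expired"] = not reg.session_valid(NOW, NOW + timedelta(hours=9))
    results["review"] = reg.review_access(NOW)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The review output is the part most often missing in practice: a registry that can authenticate and authorize but cannot list who holds rights outside their role, or who has not logged in for months, cannot support the periodic review the list calls for.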
The CISSP (Certified Information Systems Security Professional) certification is a professional qualification for security practitioners. It is independent of any particular vendor's hardware or software and is recognized as a key criterion when evaluating candidates for enterprise security positions. Holders of the certification are regarded as qualified to manage information security in organizations large and small.
In 1989, several organizations active in the field of information security formed a consortium named ISC², with the aim of setting standards for information security education and certifying trained people.
In 1992, the consortium launched the CISSP certificate, intended to establish a professional and practical level of information security knowledge for those interested in the field.