Approaches to Information Security Implementation


Introduction

Information security protects information from disruption, misuse, destruction, disclosure, modification, or unauthorized access. The goal of information security is to protect critical data and privacy both digitally and physically. Information security is abbreviated as InfoSec.

Information security adheres to the principles of Confidentiality, Integrity, and Availability.

  • Confidentiality − Protect sensitive information from unauthorized disclosure.

  • Integrity − The data is to be protected from modification or tampering by intruders, which ensures the information is accurate.

  • Availability − The information must be accessible whenever an entity, organization, etc. needs it.

Other characteristics of information security are authenticity, accountability, and nonrepudiation, i.e. one cannot deny the sending or receiving of a transaction or message. Information security uses risk management to prevent threats to an organization and to comply with legal requirements for data privacy.

Information security is implemented through two approaches −

Bottom-up and Top-down

These approaches help protect data from theft or loss, modification, and unauthorized access, which ensures integrity. Sensitive information is also encrypted to safeguard the data.

Overview

Definition

Information security is the set of procedures to protect information from disruption, misuse, destruction, disclosure, modification, or unauthorized access.

There are two approaches discussed as follows −

Bottom-Up Approach

In the bottom-up approach, the responsibility lies with the system administrator, cyber engineer, or network security professional and does not include top-level management positions. The main duty of such individuals is to secure the information system by using their expertise, knowledge, education, and training to build a highly secure model.

Advantages of the Bottom-up Approach

The individual or team addresses the intricate security of the information system using their expertise. Threats to the company are identified so that potential threats can be mitigated.

An existing team or individual is assigned instead of a new hire, which saves time and money in a complex plan. It is a great way to use valuable resources that are already available.

Disadvantages of the Bottom-up Approach

The strategies are not assisted by top-level management or experts, which affects the thoroughness and longevity of their incorporation.

Collaboration with top-level management gives a wide vantage point that draws on company standards, concerns, resources, etc.

Top-Down Approach

The approach is created, initiated, or implemented by top-level management. This approach implements data security by issuing instructions, creating an information security policy, and following procedures. Top-level management takes on the priority and liability of project activities. The top-level managers take help from other professionals in the infosec system.

Advantages of the Top-down Approach

  • The top-down approach is more efficient than the bottom-up approach.

  • The company’s management level is more powerful for protecting data than an individual or team, considering company-wide priority.

  • Each problem is unique and vulnerabilities exist in every department or office. To resolve the problem, a top-down approach is important.

Steps for an information security program

  • The security team builds a framework according to the current situation.

  • Understand the source of the threat.

  • Risk assessment.

  • Manage and Remediate the threat.

  • Develop an action plan to evaluate any damage.

  • Acknowledge third parties.

  • Security controls to mitigate risk.

  • Awareness regarding security and training.

  • Audit and monitor to assess the vulnerability.

Layers in Information Security Approach

Implementing InfoSec protection includes cybersecurity and security based on web, application, device, network, physical, or software. Data recovery and backup during a disaster are also included.

The approach divides the concerns into smaller parts to assure protection for each layer and to manage it easily. Let's discuss each layer −

Device security

Security for smartphones and app systems is as follows −

  • The software or device is kept up-to-date.

  • The user credentials are secured with a password that is changed at regular intervals.

  • Maintenance of the system is important.

  • Intrusion detection is also required to detect possible threats.

  • Patch Management is also essential to ensure the security of the system.

Network and Web security

Security covering InfoSec policies in networks and browsers is as follows −

  • Authentication for each person, such as a manager, third parties, or employees.

  • Antivirus, firewalls, intrusion detection, and antimalware systems.

  • Protection from phishing attacks that use mail, attachments in the mail, etc.

  • Block pop-up messages.

  • Access for the legitimate user.

  • VPN, traffic analysis, and IP network security.

  • Security of devices such as smartphones, tablets, etc.

  • Preventing data loss of messages and files.

  • Segmentation of the network.

Disadvantages of InfoSec

  • The system is complex and time-consuming for a large organization.

  • It is costly to maintain and implement the requirements.

  • An InfoSec system makes the usual system difficult to change.

  • It is rigid and lacks adaptability to new, changing systems.

  • Security may give false alerts, causing access control to be overlooked.

Conclusion

Companies use a bottom-up approach with employees, and the results are then passed to upper management as per policy. But top-level management lacks the threat information, possibly causing sudden collapse.

If the top-down approach is used to secure information, then a wide view of the issue can be tackled. The top level can initiate the process by collecting information from cyber engineering personnel to resolve the issues.

Information security is designed to protect from malicious attacks and ensure legitimate access.

Updated on: 05-May-2023
