What is Information Security?
You would think the answer to this question would be simple, but as with much of information security there is little agreement. For example, if you look up the definition of “Information Security” on the Web, you will find a host of different interpretations (see below), many of them with questionable foundations. Strangely enough, the US Code probably contains the best definition:
This definition is based on the concept that a person, business or government will suffer harm if there is a loss of confidentiality, integrity or availability of information, and that it is the role of information security to minimize the possibility that such harm will occur. Other commentators have tried to expand on this approach and argued that other elements should be added (see CERT and Donn Parker). These expansive approaches tend to create a confusing definition that distracts the user from focusing on harm or risk. In effect, they overcomplicate the issue.
The diversity of definitions is symptomatic of the conflicting interests in Information Security and the resulting confusion that has ensued. What is needed is an approach that simplifies the complex attributes into a definition that can be commonly understood, while not oversimplifying the approach to the point where there is no sound foundation. It is not as important that the definition be perfect as that it be usable and reliable. For that reason, I support the definition of Information Security as the process of ensuring the confidentiality, integrity and availability of data. While it does not incorporate all of the issues around Information Security, it is a simple, workable approach.
Before we address the first step in the Information Security Process (Assess), we need to address several high level issues.
©2009 ISRMC, LLC