What is Information Security?

You would think the answer to this question would be simple, but as with much of information security there is little agreement. For example, if you look up the definition of “Information Security” on the Web, you will find a host of different interpretations (see below), many of them with questionable foundations. Stragely enough, the US Code probably contains the best definition:

US Code Title 44,  Chapter 35, Subchapter III, § 3542

(1) The term “information security” means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide—

(A) integrity, which means guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity;
(B) confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and
(C) availability, which means ensuring timely and reliable access to and use of information.

This definition is based on the concept that a person, business or government will suffer harm if there is a loss of confidentiality, integrity or availability of information and that it is the role of information security to minimize the possibility that such harm will occur. Other commentators have tried to expand on this approach and argued that other elements should be added (see CERT and Donn Parker). These expansive approaches tend to create a confusing definition that detracts the user from focusing on harm or risk. In effect, they over complicate the issue.

Conversely, other sources use a more simplistic approach to defining Information Security. For example, ISO 17799 states, “Information security is the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize return on investments and business opportunities.” Another commonly used definition is, “The protection of data against unauthorized access.” PC Magazine

The diversity of definitions is symptomatic of the conflicting interests in Information Security and the resulting confusion that has ensued. What is needed is an approach that simplifies the complex attributes into a definition that can be commonly understood, while not oversimplifying the approach to the point where there is no sound foundation. It is not as important that the definition be perfect as that it be useable and reliable. For that reason, I support the definition of Information Security as the process of ensuring the confidentiality, integrity and availability of data. While it does not incorporate all of the issues around Information Security, it is a simple, workable approach.

Before we address the first step in the Information Security Process (Assess), we need to address several high level issues.

©2009 ISRMC, LLC