Information Security Is the Process by Which an Organization Protects Information and Critical Elements Such as Systems

Information security is the process by which an organization protects information and critical elements such as systems, media, facilities and workers that process, store and transmit that information. As an information security professional our job is to create, manage and support organizational cyber system and infrastructure that can resist attack or different disaster scenarios, without interrupting the working process. The three primary security goals for a security professional are confidentiality, integrity, and availability which are the security fundamentals principles in which information security is build on. These principles forming a security model called CIA triangle. Confidentiality means keeping information protected and only available for an authorized user. A good example of confidentiality is online banking transactions. By using the encrypted connection between the user host system and bank servers, guarantee that transmitted data is safe and is still confident, which means that sensitive information can be used only by the owner of the bank account and the bank institution. Integrity is ensuring that data is real, accurate and protected from unauthorized user modification. A very good example of integrity is “checksum” for example, when you downloading a fresh copy of Kali Linux you get a checksum number based on algorithm which you can check after downloading the .iso file, if the number is same as at the beginning that means you got the correct data without any modification or manipulations during downloading from the remote server. Availability means that the information and the system are available when we need them. For example, the fault tolerance and redundancies in hard drives. Some hard drives using RAID-1 which is a mirror of two drives, if one drive fails, the other drive still holds all the data available. Which of these three principles is more important from the others depends on the objectives, requirements or mission of the current organization. For example, if the organization work with public information can prioritize availability than confidentiality or vice versa.

Security Governance Roles and Responsibilities:

Security requires responsibility, and responsibility is based on a well-defined division of roles with a hierarchical structure. At the top of the Information Security Ecosystem are the

executive or senior managers, for example, owners managing partners or government officials, which means the top level of decision-making body of the organization.  Senior Manager is responsible for authorizing security policies and programs, and oversight everything in the organization. They also have legal and regulatory responsibilities. The National Association of Corporate Directors (NACD), which is a leading membership organization for boards and directors in the US recommend four essential practices:

Place information security on the priorities of the organization.

Identify information security leaders, hold them accountable, and ensure support for them.

Ensure the effectiveness of the corporation`s information security policy through review and approval.

Assign information security to a key committee and ensure adequate support for that committee.

The second level in the hierarchy is for the Security professional. Some information security management titles include InfoSec – Information Security Officer, CISO – Chief Information Security Officer, ISO – Information Security Officer, IAO – Information Assurance Officer or Manager (IAM). The titles depend on the structure, objectives, missions or size of the organization. The most important duty of the ISO is to make tactical decisions and allowed security programs to be successfully implemented. Information Security Management personnel should report as high as possible to maintain visibility, limit distortion, and minimize conflict of interest. They are also accountable for the strategic and tactical failure of the information security program.

...