What is information security?
When talking about information security, most people are unaware of its exact meaning and, furthermore, of what it implies.
It is important that one can differentiate between the four terms privacy protection, data security, IT security and information security.
Information security, IT-Security, Data security or Privacy protection?
Information security
Information security is a term used primarily in the BSI’s basic protection catalogues or in ISO 27001. As with data security, the aim here is to protect information from manipulation, loss or unauthorized access, but the rules of information security are somewhat more comprehensive than those of data security, which is why the latter is often seen as part of information security.
IT-Security
IT security is also part of information security, but refers only to the protection of electronically stored information or IT systems. However, this does not mean only the protection of data, but also the reliability and functional safety of the systems themselves.
Data security
Unlike privacy protection, the principle of data security not only protects personal data, but also includes the security of all data, such as company or administrative data. Data security is designed to protect the data from manipulation, loss or unauthorized access. This is not about the conditions under which data may be collected, but mainly about how the protection of the data collected is realised. With regard to the BDSG (§9), data security means the implementation of technical and organisational measures that guarantee this protection.
Privacy protection
Privacy protection is about the protection of personal data and the fundamental privacy of a person. The Privacy Protection Act guarantees the right to informational self-determination and protects people against misuse of this data. The regulations of the Federal Privacy Protection Act (BDSG), which mainly deal with the question of the conditions under which personal data may be collected and processed, are of primary importance here.
Information security requirements
Information security is assessed according to the following three important criteria:
1. Availability
Availability means that an authorized user has access to the information or function of an IT system at any time. In order to fulfil this criterion, it is therefore not sufficient to guarantee the mere existence of the information; it must also be usable.
For example, if you have some information saved on a CD but an authorized user does not have a CD drive, the criterion of availability is not sufficiently fulfilled.
2. Confidentiality
Confidentiality means that any information remains "secret" and is only accessible to authorised users. The temporal aspect also plays a role here: an employee may only have access to company data as long as he/she is also actively working for the company.
The regulations for access and admission control are crucial here.
3. Integrity
Integrity means that all information must be complete and correct; changes must be excluded, or at least traceable. If it is not possible to exclude them, a lack of availability may arise if the correct, unaltered information cannot be obtained from other sources (e.g. a backup).
Checksums are often used to verify and reconstruct the integrity of information.
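The following is an added example (not code from the original page) of the checksum idea described above: a manifest of SHA-256 checksums is recorded while the contents are known to be correct, later contents are verified against it, and anything that fails verification is restored from a backup only if the backup itself still matches the manifest. The file names and contents are constructed sample data, and the checksum values are computed at run time.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed sample "files": name -> contents, standing in for files on disk.
ORIGINAL_FILES: Dict[str, bytes] = {
    "report.txt": b"Quarterly figures: revenue 1.2M, costs 0.9M\n",
    "config.ini": b"[db]\nhost=localhost\n",
}


def sha256_hex(data: bytes) -> str:
    """Checksum recorded in the manifest and recomputed on every check."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Record one checksum per file at a point in time when the contents are known to be correct."""
    return {name: sha256_hex(content) for name, content in files.items()}


def verify(files: Dict[str, bytes], manifest: Dict[str, str]) -> Dict[str, str]:
    """Compare current contents with the manifest.

    Returns a status per file: 'ok', 'modified' (checksum differs), 'missing'
    (listed in the manifest but gone) or 'unexpected' (present but never recorded).
    """
    status: Dict[str, str] = {}
    for name, expected in manifest.items():
        if name not in files:
            status[name] = "missing"
        elif sha256_hex(files[name]) != expected:
            status[name] = "modified"
        else:
            status[name] = "ok"
    for name in files:
        if name not in manifest:
            status[name] = "unexpected"
    return status


def restore(
    files: Dict[str, bytes], manifest: Dict[str, str], backup: Dict[str, bytes]
) -> Tuple[Dict[str, bytes], List[str]]:
    """Replace modified or missing files with the backup copy.

    The backup copy is used only if it matches the manifest; otherwise the
    correct information is not obtainable from any source and the file is
    reported as unrecoverable (the availability gap the text describes).
    """
    restored = dict(files)
    unrecoverable: List[str] = []
    for name, state in verify(files, manifest).items():
        if state not in ("modified", "missing"):
            continue
        candidate = backup.get(name)
        if candidate is not None and sha256_hex(candidate) == manifest[name]:
            restored[name] = candidate
        else:
            unrecoverable.append(name)
    return restored, sorted(unrecoverable)


if __name__ == "__main__":
    manifest = build_manifest(ORIGINAL_FILES)
    tampered = dict(ORIGINAL_FILES)
    tampered["report.txt"] = b"Quarterly figures: revenue 9.9M, costs 0.1M\n"
    print(verify(tampered, manifest))
    fixed, lost = restore(tampered, manifest, ORIGINAL_FILES)
    print(verify(fixed, manifest), lost)
```

A plain checksum only makes changes traceable if the manifest is kept somewhere the person who can alter the files cannot also rewrite it (a read-only location, a signed record, or a keyed digest such as HMAC with a separately stored key); otherwise the checksum is simply recomputed along with the change.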
Technical measures for information security
These requirements must be ensured either by technical measures or by organisational regulations.
Entrance, admission and access restrictions are usually used for this purpose.
1. Entrance control
Restrictions on entrance are primarily meant as spatial separations, i.e. only authorized persons can enter the building, office or server room. This can usually be regulated easily by assigning keys.
2. Admission control
Admission restrictions denote the restrictions on login, i.e. only those persons who have a user account and the associated password can log on to a system.
3. Access control
Restrictions on access are primarily regulations for the use of individual directories or files. This can be achieved, for example, by an authorization structure within the Active Directory.
In principle, none of these restrictions has to be implemented by a technical control. Still, this is recommended for many points because it is usually easier and safer. However, if it is not possible to meet the information security requirements technically, an organizational measure MUST be taken instead. It is important to note that responsibility remains with the management if an employee does not comply with these regulations.
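As an added example (not code from the original page), the following models admission control and access control as two separate technical checks, and also the temporal aspect of confidentiality from the requirements section: an account whose employment end date has passed can no longer log on, and even a logged-on user only reaches the directories his or her groups are permitted on. The accounts, passwords, paths and ACL entries are constructed sample data; the directory-style ACL stands in for an authorization structure such as the Active Directory one the text mentions.

```python
import hashlib
import hmac
import os
import posixpath
from dataclasses import dataclass
from datetime import date
from typing import Dict, Optional, Set

PBKDF2_ROUNDS = 200_000


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    groups: Set[str]
    active_until: Optional[date]  # None = open-ended; a past date = employment ended


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the account store never holds plain passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def create_account(password: str, groups: Set[str], active_until: Optional[date] = None) -> Account:
    salt = os.urandom(16)
    return Account(salt, hash_password(password, salt), set(groups), active_until)


# Constructed account store: username -> Account. "bob" left the company at the end of 2020.
ACCOUNTS: Dict[str, Account] = {
    "alice": create_account("correct horse battery", {"finance"}),
    "bob": create_account("hunter2", {"sales"}, active_until=date(2020, 12, 31)),
}

# Constructed ACL: directory prefix -> groups allowed to read below it. Anything not listed is denied.
ACL: Dict[str, Set[str]] = {
    "/share/finance/": {"finance"},
    "/share/sales/": {"sales"},
    "/share/public/": {"finance", "sales"},
}

# Used when the account does not exist, so the password check costs the same time either way.
_DUMMY_SALT = os.urandom(16)


def admission_check(user: str, password: str, today: date) -> bool:
    """Admission control: the account must exist, still be active and the password must match."""
    acct = ACCOUNTS.get(user)
    if acct is None:
        hash_password(password, _DUMMY_SALT)  # keep timing similar for unknown users
        return False
    if acct.active_until is not None and today > acct.active_until:
        return False  # access ends with the employment (temporal aspect of confidentiality)
    return hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash)


def access_check(user: str, path: str) -> bool:
    """Access control: the most specific ACL entry covering the normalised path decides; default deny."""
    clean = posixpath.normpath(path)  # collapse "..", so /share/public/../sales/x is judged as /share/sales/x
    best: Optional[str] = None
    for prefix in ACL:
        if clean.startswith(prefix) and (best is None or len(prefix) > len(best)):
            best = prefix
    if best is None:
        return False
    return bool(ACCOUNTS[user].groups & ACL[best])


def open_file(user: str, password: str, path: str, today: Optional[date] = None) -> str:
    """Run admission first, then access; the reason for a refusal is returned for logging."""
    today = today or date.today()
    if not admission_check(user, password, today):
        return "denied: admission"
    if not access_check(user, path):
        return "denied: access"
    return "granted"


if __name__ == "__main__":
    d = date(2024, 1, 1)
    print(open_file("alice", "correct horse battery", "/share/finance/q1.xlsx", d))
    print(open_file("bob", "hunter2", "/share/sales/leads.csv", d))
```

Note that the two checks are independent: a valid login says nothing about which files may be read, and the path is normalised before the ACL lookup so that a relative component cannot turn a permitted directory into a different one.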
Free IT-Security Check
With the IT security check, you can check and close critical IT security leaks in your company in just a few minutes.
Register now and request it for free!
Business IT-Alignment incomparably better qualified!
Business Transformation Designer
As Masters of Business Transformation Management, we support you in identifying in good time which changes (transformation processes) are necessary in your company.
Change starts with a visionary leader who inspires people to follow!

Privacy Protection Experts
As certified privacy protection specialists we analyze and optimize your work processes so that the IT structures of your company fulfill all the requirements of the EU Data Protection Code and the Federal Data Protection Act.
Privacy protection is more than a necessary compulsory subject. It protects people from their own frivolity.

Information-Security Officer
As TÜV-audited information security officers we plan and support the implementation of security guidelines and prepare IT security audits according to official standards ISO-27001, VDA, etc.
Information security is probably the most essential issue for any company.
Marketing, Webdesign & SEO
Unlike advertising and Internet agencies we determine the growth objectives of your company. We bring together online and offline communication channels in a marketing strategy.
Online marketing analyses are the most efficient way to learn everything about your potential new customers.