Information Security
Frequently Asked Questions

What is information security?

Information security (typically abbreviated to ‘infosec’) is the practice of protecting information from unauthorised access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.  Infosec usually requires the consideration of threats to the confidentiality, integrity and availability (known as the information security triad or CIA) aspects of information.  Organisations often implement an information security management system (ISMS) to assist in the management of infosec.  ISO 27001 is an international standard which specifies the key components in developing, implementing and maintaining an ISMS.

URM can offer your organisation full lifecycle of information security services.

What are 4 types of information security?

If we look to guidance from Annex A of ISO 27001, then the answer is organisational, people, physical and technological.  The International Standard groups information security into these 4 categories.  The ‘organisational’ category requires the creation of policies, roles and responsibilities and day-to-day business activities.  The ‘people’ category ensures that the most appropriate staff are employed, and that they understand what is expected of them in relation to the business’ approach to infosec.  ‘Physical’ controls relate to the security of business premises, clear desk policies etc, whilst, ‘technological’ controls relate to measures that may be adopted by organisations to assist in securing information through the use of technology such as capacity management, configuration management, change management, network security, firewalls, cryptography etc.

What are the 3 principles of information security?

The three aspects that information security (infosec) seeks to protect are ‘confidentiality’, ‘integrity’ and ‘availability’. Confidentiality ensures that information is not made available or disclosed to unauthorised entities.  Integrity protects the accuracy and completeness of assets, whilst Availability ensures that information is accessible and usable on demand by authorised individuals.tc.

What are information security examples?

Examples of information security include encryption, firewalls, antivirus software, multi-factor authentication (MFA), vetting of individuals, controlling access to premises / information and providing staff awareness training.

What are 5 information security policies?

Policies provide direction on your organisation’s approach to different aspects of information security management. Policies may relate to the classification of data, password management, acceptable use of assets, authentication procedures and incident response - these are five examples, but your organisation  may choose to formulate a policy relating to any aspect of information security (infosec) management.

What should an information security policy include?

The policy should indicate your organisation’s overall direction and approach to protecting the confidentiality, integrity and availability of information and set out the requirements for compliance with all information security policies, standards, processes, guidelines, and applicable laws and regulations.  Your information security policy should have an ‘owner’ who ensures that it and supporting policies maintain currency with any changes to your organisation.  It is common within information security management that a high-level policy will state the business intent clearly and unambiguously.  Your information security policy should be supported by individual policies addressing specific practices and areas of your organisation.  ISO 27001 provides guidance on the content of policies and also suggestions on areas where supporting policies may be appropriate.  Policies should be regularly reviewed as well as being endorsed and signed off by senior management.

URM can assist you in the development of your information security policy, along with all the supporting policies and processes.

What is an information security policy and what are some of the supporting policies?

At the highest level, the organisational information security policy should establish the strategic intent of the organisation and its commitment to the preservation of confidentiality, integrity and availability of information.  This intent is then supported by subordinate, topic-specific policies, examples of which could include password management policy (complexity requirements, frequency of change etc) acceptable use of assets, authentication methods (two factor or multi factor authentication (2FA/MFA) clear desk / clear screen policies.  Policies must be clearly written and unambiguous to staff - they are enforceable, and a breach of policy may result in disciplinary action

URM can assist you in the development of your IS Policy, along with all the supporting policies and processes.

What are the principal methods of managing passwords?

The methods of password management include using strong passwords, with complex characters and non-dictionary words, using two-factor or multi-factor authentication (2FA/MFA) a requirement to change passwords regularly.  Dedicated password management software may also be used.

What are the four password management features?

The four password management features are: password strength, password expiration, two-factor authentication, and password history.

How can password managers protect information?

Password managers can protect information by encrypting data, storing passwords securely, and providing additional security features such as two-factor authentication and password expiration.

What is two-factor authentication?

Two-factor authentication, or 2FA, is a security measure that requires two different forms of authentication to access an account or system. This could include a combination of a password and a one-time code sent to a user's phone or email address.
Learn how to improve your password management.

How you can tell if the password is strong or weak?

A strong password is one that is difficult to guess or crack. Guidance differs on password length, but currently passwords with at least 12 characters are recommended.  ISO 27001 advocates the use of ‘quality passwords’ and provides guidance on what form that should take, typically however, passwords should contain a combination of upper and lower case characters and numbers, and should include special characters (!”£$% etc).

What is password expiration?

Password expiration is a security measure that requires users to change their passwords periodically. This helps to ensure that passwords remain secure and are not in use for extended periods of time.

What is the information security triad?

The information security triad refers to the protection of the confidentiality, integrity and availability of information.

What does confidentiality actually mean in information security and how can I protect it?

Confidentiality effectively means limiting the access to information to only the people that need to know or see the information.  Organisations will have various levels of confidentiality within their own structure, such as management in confidence, or HR records.  Overall though, with the implementation of an information security management system, organisations will aim to extend that overall protection so that the information they hold can only be accessed by those who need to see it.

What does integrity actually mean in information security and how can I protect it?

Integrity is defined as the protection of the accuracy and completeness of assets, i.e., protecting your information from corruption (such as water leakage into a filing cabinet, and damaging paperwork, or from an air conditioning leak having the same effect on servers in the server room).  In a more sinister vein, we have the threat from malware / ransomware which may be introduced onto information security systems to deliberately corrupt data and where monetary demands are made for its restoration.  The protection of integrity can be a simplistic as locating your paperwork away from any water threats or other hazards.  Other measures may include firewalls and measures to detect any illicit attempt to introduce malicious software onto your systems.  Backups can help mitigate the consequences of such activity.  An example whereby the integrity of data was compromised was during the ‘wannacry’ and similar attacks of 2017, when the UK’s NHS system health data was corrupted, pending payment of a sum of money.

What does availability actually mean in information security and how can I protect it?

Availability is the property of being accessible and usable upon demand by authorised individuals.  This effectively means, that whilst we have a need to protect information / data and safeguard it from unwanted attention, your staff, and the people that need to access the data should be able to do so in order to carry out necessary business activities.  There are various means of securing information; controlled access into buildings for example through locks, swipe cards and physical security barriers/personnel etc.  Various technical means can also be used.  The use of authentication verification (multi factor authentication / two factor authentication) MFA / 2FA for example, biometric (fingerprint/retinal) scanning can also be used.

What is the difference between having a ‘certified’ managementsystem for information security and being ‘accredited’?

Information security management systems (ISMS’) are developed and maintained to protect your information.  Many organisations seek to certify their ISMS against ISO 27001, the International Information Security Management Standard.  This involves a third-party certification body conducting a 2 stage audit (followed by regular continual assessment visits and recertification audits) of your ISMS to assess the robustness of your management system.  Achieving certification will provide external validation and an additional level of credibility.  Some, but not all, of these certification bodies are also ‘accredited’, i.e.,  their activities are overseen by an accreditation body.  In the UK, that accreditation body is the United Kingdom Accreditation Service (UKAS).  Certification bodies are assessed by UKAS to ensure that they are conducting their activities with the appropriate amount of diligence.  

In summary, your management system may conform to a management system standard (typically ISO 27001), but in order to provide a greater degree of reassurance to customers and stakeholders, your organisation may seek to certify your ISMS against ISO 27001 using a certification body and even more meaningfully by an accredited certification body such as BSI.

If you are not certified, now has never been a better time to develop an information security management system and achieve certification. If you would like to understand more about the benefits and what’s involved in implementing ISO 27001, please register your interest and we will be in touch.