Author: Joseph Jachimiec, Security Administrator
When I ask any normal, non-security person, “What is information security?” I get answers like this:
- “Information security is protecting information,” or
- “It’s when you defend data from hackers,” or even
- “Oh, that’s IT stuff.”
None of these answers are wrong. Well, maybe “that’s IT stuff.” A little.
The best definition of information security comes from my friend and security evangelist Evan Francen, and it’s my favorite.
In his book, UNSECURITY: Information security is failing. Breaches are epidemic. How can we fix this broken industry? he writes:
“Information security is managing risks to the confidentiality, integrity, and availability of information using administrative, physical, and technical controls.”
I like this because it’s clear, complete, and best of all, actionable.
Let’s unpack his definition.
Risk management is a pretty big topic, so we’ll save that discussion for another day. For now, notice that Evan didn’t say eliminating risks. He said managing risks.
It’s impossible to eliminate 100% of risks. There’s always some risk potential with information security, like in life. The key is awareness of the actual risks involved so you can intelligently manage, reduce, and accept your risk exposure.
Confidentiality, Integrity, and Availability
The Confidentiality, Integrity, and Availability Triad (aka the CIA Triad) is a foundational security model for protecting and working with information. Use it as a guide when building your information security programs, policies, and procedures.
Confidentiality means keeping the information secret from unauthorized disclosure. Only authorized parties should have access to the information.
Integrity means that the information is accurate and hasn’t been altered by unauthorized methods.
Availability means the information is accessible to authorized users when it’s needed.
To make this CIA concept work, create security harmony based on your business objectives. If you keep the information locked up, the right people won’t have access to the data they need. If you mess with the integrity of the data, who cares if it’s available? It’s no longer accurate or trustworthy at that point. And if the data is open to everyone, confidentiality goes out the window.
The best approach is to balance the push and pull of your business needs when working with the confidentiality, integrity, and availability of data. How? By using controls.
Administrative, Physical, and Technical Controls
Our favorite definition of information security continues with controls, namely the administrative, physical, and technical controls used to manage risk to information.
Administrative controls are the policies, procedures, standards, and training relating to information security. Here’s a shortcut to remember this: think documentation.
Physical controls are the easiest to understand because we use them every day at home, in the car, and at work or school. These are the door locks, keys/access cards, surveillance cameras, and alarm systems that protect people, property, and data.
Technical controls are what we first think of when it comes to information security. Passwords, firewalls, and anti-virus software fit into this category. Those are great, but many businesses fall into the trap of relying only on technical controls. Not only is this an expensive mistake, but as we saw with the CIA Triad, it’s a balance of the three controls that works best.
Why does all this information security stuff matter? Because Nahan cares about your data as much as you do.
We have administrative, physical, and technical controls in place to protect the confidentiality, integrity, and availability of your data, and we’re always improving. To learn more about our information security processes see our security section and contact us today about your next print project’s security needs.
Joseph Jachimiec is a security, IT, and marketing professional. As the Security Administrator at Nahan, he heads up our information security program and is the go-to guy for our customer/third-party security audits and PCI, SOC 2, and HIPAA compliance initiatives. In his spare time, he dreams about what it would be like to have more spare time.