Principles of information security and policies

Last Updated on December 21, 2021 by Ranga

The principles of information security are preventive methods against unauthorized access to information, including electronic data, in an organization.

Besides, the physical security staff must be aware of information security threats, risks, and the consequences of failing to follow good security practices to protect classified data.

Threats to information security

When information security is compromised, it halts not only the security operation but also a larger part of the organization and its business network around the world. The following are the most likely to be affected by infosec threats;

  • Trade secrets
  • Personal data
  • Financial records

If you understand how unauthorized people can access information, it helps you to fight against it. People can access sensitive information in two ways;

  1. Physical access;
      • Visual exposure
        • Computer screens
        • Desks
        • Notice boards
        • Printer tray
      • Theft
        • Opportunity
        • Forced entry
      • Copying
      • Photography and recording
  2. Digital access;
      • The wrong recipient on emails
      • Unsecured computer networks
      • Social media

Information storage and destruction

A company should employ a data storage and destruction policy. Information that requires storage must be kept securely, and information that requires destruction should be destroyed immediately. The information that needs secure storage or destruction includes anything that;

  • Can compromise personal data. Any information that could reveal this type of detail must be securely stored.
  • Can expose vulnerabilities of an organization, premises or services
  • Can lead to financial loss
  • Can embarrass an individual or organization

What is an information security policy?

It is the procedure for processing sensitive and confidential information in an organization. The company management team is responsible for preparing and implementing it. It should include the following;

  • Classifying information
      • Classify the documents and mark them according to the impact of disclosure.
  • Access privileges
      • Allow only the necessary staff to access and view the information.
      • Keep a list of the staff who have the authority to handle the information and check them through ID.
      • Maintain a record of those who have access to security-classified information.
  • Storage requirements
      • Each classification of information must be stored securely.
  • Destruction requirements
      • Each classification of information should be disposed of immediately and completely.
      • Keep a record of disposed documents and when they were disposed of.
      • Who authorizes the disposal of classified information (e.g. line manager, security manager, board members)?

Methods of physical information storage

  • Kept in a folder while out of secure storage
  • Locked filing cabinet
  • A safe
  • Access controlled archive room

Methods of physical information destruction

  • Burning: The document should be kept under control until it has burned to ash, and the ashes should then be removed.
  • Pulping: Mixing with water and reducing to pulp.
  • Shredding: Cutting the document into strips using a machine, and cross-shredding.

Digital information storage

Digital information storage means keeping information in a digital format. The impact of disclosure should be considered in order to store it securely.

  1. Computer-based storage
      • Password-protected files
      • Password-protected computers
      • Cloud-based storage
      • Intranet (internal network) storage
      • Printing restrictions
  2. External media storage
      • Encrypted USB Flash drive
      • Racked mass storage drives
      • CD/DVD

Note: Every method has its strengths and weaknesses, so it is important to consider the sensitivity and impact of disclosure before choosing the method for storing digital information.

Two systems are available in the private security industry to store CCTV camera recordings, and they also have strengths and weaknesses, as follows.

  1. DVR: Digital video recording stores the mass camera feeds on a mass storage drive locally in the security control room.

Strengths:

  • Physical access is required to retrieve the information
  • Someone needs to access the control room to remove the information

Weaknesses:

  • Inability to share recorded footage across remote locations
  • May be corrupted or damaged by a local disaster

  2. NVR system: A Network Video Recorder records the video over the internet.

Strengths:

  • Ability to record images over an internet network
  • Can scale the size of the CCTV network easily
  • Recorded images can be accessed remotely

Weaknesses:

  • Vulnerable to unauthorized remote access (hacking)
  • Network outages may result in lost recording time

Digital information destruction

There are a variety of methods for disposing of digital information, but the choice depends on the company, because cost and regularity are sometimes considerations. Here are the common methods;

  1. Granulation: Grinding down physical storage media into fine particles
  2. Degaussing: Removing magnetic information from media storage devices such as storage tapes and hard drives

I.T. and Cybersecurity

Although the organization has assigned the IT department to protect the data from intrusion, the security staff must also be familiar with cybersecurity, so that they too take preventive measures before using the system.

Basic precautions

  • Allow computer systems and software to run updates
  • Ensure virus scanning software is installed and running
  • Use strong passwords for online systems including a combination of letters, numbers and special characters
  • Do not open emails received from suspicious senders – report to the I.T department
  • Restrict physical access to computer workstations
  • Report any unusual behavior by computer systems

Principles of information security

There are several principles of information security, but the core principles are the CIA Triad.

Confidentiality:

Confidentiality is the concept used to avoid exposure of information to unauthorized individuals or systems. Among the principles of information security, it comes first and is the most important element of infosec. The policy should be implemented in an organization.

In many cases, data leaks to the public or to competitors come from employees, so it is important to practice the following;

  • Allow only authorized persons to access the information.
  • Don’t allow another person to look over the computer screen while an authorized person is viewing sensitive data.
  • Use security measures to prevent a laptop computer containing classified information about employees of a business from being stolen.
  • Be aware of employees who may give confidential information over the phone to others.

Integrity:

Integrity in information security means ensuring that data cannot be changed without authorization. Only a qualified and authorized person should alter the data.

The policy must make clear that it is an abuse of the system if employees accidentally or intentionally delete or edit the data physically, or use malicious software to do so.

Availability:

The information must be accessible when it is required. This means that while the computer system stores the data and processes the information, strong security measures should be used to secure it.

High availability systems are designed to remain functional at all times, avoiding service interruption due to power outages, equipment failures, and system upgrades. Ensuring availability also includes stopping denial of service attacks.

Conclusion: Although the security staff are not considered to play much of a protective role in information security, they help to implement the company’s principles of information security, and as a result many data-breaching activities by employees can be discouraged.