Defining Information Security

Author: Cody J., Inflow Software Engineer

People outside the federal government may have never heard about information assurance. They may be more familiar with the term “information security” or, more popular nowadays, “cyber security”. So what’s the difference, if any, between these terms?

As defined by Wikipedia, information assurance (IA) is:

“[T]he practice of assuring information and managing risks related to the use, processing, storage, and transmission of information or data and the systems and processes used for those purposes... While focused predominantly on information in digital form, the full range of IA encompasses not only digital but also analog or physical form...

Information security (InfoSec) is much easier to define:

“[T]he practice of defending information from unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction. It is a general term that can be used regardless of the form the data may take (e.g. electronic, physical).”

Cyber security is very similar:

“[T]he protection of information systems from theft or damage to the hardware, the software, and to the information on them, as well as from disruption or misdirection of the services they provide.”

I like to think of these terms as building on one another, like a pyramid. IA is the foundation, since it builds upon InfoSec by including the business side of security operations. It focuses more on strategic risk management and the administrative side of security, such as compliance, auditing, continuity of operations, etc.

The comprehensive nature of IA is beneficial because it provides a methodology for securing systems and networks. Numerous checklists and supporting documents are available from NIST (the National Institute of Standards and Technology), such as NIST Special Publication 800-53: Security and Privacy Controls for Federal Information Systems and Organizations.

By using NIST, COBIT, PCI DSS, and other standards frameworks, companies don’t have to write their own security policies and procedures from scratch; they can take what has already been created and modify it for their own purposes. This eliminates a lot of redundant work and helps ensure that critical pieces aren’t missed.

The key piece of IA is the security triad: Confidentiality, Integrity, and Availability. 

  • Confidentiality is ensuring data is kept away from unauthorized users.
  • Integrity is ensuring the data isn't maliciously or accidentally changed.
  • Availability is simply ensuring the information is available when needed.

Other aspects are non-repudiation (the person who appears to have generated the data is, indeed, the actual author), and authentication (verifying that a user is actually allowed to access the data they are trying to reach).

If IA is considered the strategic, administrative side of security, then InfoSec can be considered the technical, tactical side. InfoSec generally covers the day-to-day security operations that a company performs: vulnerability scanning and patching, firewall and ACL configuration, deployment of IDS and IPS, etc.

You could almost consider IA to be like having a Ph.D. in Computer Science, whereas InfoSec is an MS degree. IA doesn’t necessarily play a factor in day-to-day operations, but is looking at the “big picture”, looking at changes in the different fields that support information security and coming up with “research” that leads to evolutionary changes in security practices. InfoSec is more “hands-on”, taking the knowledge generated by IA and figuring out how to put it into practice.

While IA may say a good strategy is to establish and comply with company security policies, InfoSec is responsible for figuring out what that means. It could be the development of daily, weekly, and monthly security checks, including daily checks of system logs, weekly software patching, monthly audits of user accounts, and annual penetration testing.

Moving on to cyber security, it is a more focused aspect of InfoSec, as it deals with networked information systems, especially those with access to the Internet. While InfoSec also considers physical security and portable devices, like thumb drives, that can pose threats to information systems, cyber security is more concerned with network-based threats.

With the interconnected nature of most computing devices nowadays, cyber security is the “new hotness” in terms of academic degrees and certifications. Realistically, however, it's nothing new; it’s just a new face on InfoSec. The threats haven’t really changed, and counteracting them is much as it always has been.

One of the reasons why “cyber” is the new buzzword is the establishment of military cyber commands, the federal government’s creation of a number of “Cyber Czars”, and continuous talk of cyber warfare. While Internet-based attacks from foreign countries are on the rise, little has changed in how security is implemented over a network connection.

In short, Information Assurance is a high level view of security, looking at administrative policies and guidelines for security implementation. Information security takes the ideas generated by IA and develops operational security capabilities that can be put into standard operating procedures for routine and emergency work. Cyber security is basically information security that focuses on networked equipment. While cyber security still encompasses the principles of IA and InfoSec, it really isn’t too concerned with things that are outside the computer case. Most of the security aspects covered are related to web-based attacks, denial of service, authentication attacks, etc.

Although there is in fact a difference between each of these, most people consider all of these terms to be synonymous. Most people don’t have enough experience with information system security to understand the difference, so they will use whatever term comes to mind, which, nowadays, is “cyber security.”


At Inflow we solve complex terror and criminal issues for the United States Government and their partners, by providing high quality and innovative solutions at the right price through the cultivation of a corporate culture dedicated to being #1 in employee and customer engagement. We Make it Matter, by putting people first! If you are interested in working for Inflow or partnering with us on future projects, contact us here