By Piotr T Zbiegiel, Adjunct Faculty for the Master of Science in Information Security Program at Lewis University
At the most basic level, information security is the practice of protecting information from unauthorized access, modification and destruction. In today's increasingly technology-driven world a company's information assets are often key to its business, and attackers know it. Whether their aim is to steal account information, gain access to secured areas, or simply deface a company's website, attackers are constantly "upping the ante" with more advanced malware and tactics to compromise networks and systems. As an information security professional it is your job to identify the assets that are at risk, quantify those risks and develop protections to mitigate them. All of this must be done while also considering the needs of the business. After all, if security controls are preventing the business from operating, you may find yourself having a very difficult conversation with management.
The CIA Triad
The CIA triad refers to Confidentiality, Integrity, and Availability: the three properties of information that we strive to protect.
- Confidentiality refers to protecting information from disclosure to unauthorized parties, both at rest and in transit. The news is full of high-profile data breaches, which are a direct compromise of this facet of information security.
- Integrity refers to ensuring that data is not modified or corrupted by an attacker. Preventing such modification, and detecting it when prevention fails, are key to maintaining data integrity.
- Availability refers to preventing an attacker from disrupting access to an information asset. For instance, a denial-of-service (DoS) attack could take a service offline.
The CIA triad gives security professionals a common way to evaluate how attacks or security controls can affect an information asset.
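The integrity bullet says that detecting modification matters as much as preventing it. The following Python script is an added illustration, not part of the original article: it shows why an unkeyed checksum stored next to a record does not detect a deliberate modification (an attacker who can rewrite the record can recompute the checksum), while a keyed MAC (HMAC-SHA256) does, because the attacker lacks the key. The account record and the key are constructed for the example.

```python
"""Integrity check on a stored record: unkeyed hash versus keyed MAC.
Added example; the record, the tampered version and the key are constructed."""
import hashlib
import hmac
import os

# Constructed sample record and the version an attacker would like to substitute.
ORIGINAL = b"account=1234;balance=100.00"
TAMPERED = b"account=1234;balance=9100.00"


def unkeyed_digest(data: bytes) -> str:
    """SHA-256 over the data. Catches accidental corruption only:
    anyone who can change the data can also recompute this value."""
    return hashlib.sha256(data).hexdigest()


def keyed_tag(key: bytes, data: bytes) -> str:
    """HMAC-SHA256 over the data; producing a valid tag requires the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_tag(key: bytes, data: bytes, tag: str) -> bool:
    """Constant-time comparison so the check itself does not leak the tag."""
    return hmac.compare_digest(keyed_tag(key, data), tag)


def tampering_passes_unkeyed_check() -> bool:
    """Attacker with write access replaces both the record and its digest.
    Returns True when the (unkeyed) integrity check still passes, i.e. tampering was missed."""
    stored_data, stored_digest = ORIGINAL, unkeyed_digest(ORIGINAL)
    stored_data, stored_digest = TAMPERED, unkeyed_digest(TAMPERED)  # attacker rewrite
    return unkeyed_digest(stored_data) == stored_digest


def tampering_passes_keyed_check(key: bytes) -> bool:
    """Attacker replaces the record but cannot recompute the tag without the key.
    Returns True only if the tampered record is still accepted (it is not)."""
    stored_data, stored_tag = ORIGINAL, keyed_tag(key, ORIGINAL)
    stored_data = TAMPERED  # attacker rewrite; the old tag stays in place
    return verify_tag(key, stored_data, stored_tag)


if __name__ == "__main__":
    key = os.urandom(32)  # in practice this key lives outside the attacker's reach
    print("unkeyed hash missed the tampering:", tampering_passes_unkeyed_check())
    print("HMAC accepted the tampered record:", tampering_passes_keyed_check(key))
    print("HMAC accepts the genuine record:", verify_tag(key, ORIGINAL, keyed_tag(key, ORIGINAL)))
```

The design point is that integrity protection needs a secret the attacker does not hold (a MAC key or a signing key); a bare hash only guards against accidental corruption. Note that the MAC does not provide confidentiality: the record is still readable, so the two properties need separate controls.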
The practice of information security is all about managing risk. An information security professional must be able to evaluate the potential threats to a system and then decide what countermeasures should be applied to reduce that risk. It is impossible to remove all risk from a system; the key is to implement controls that reduce the risk to an acceptable level based on the value of the information asset being considered.
Not only must an information security professional identify vulnerabilities and potential threats to a system, they must also gauge the likelihood that a given event will take place. By combining these elements they can start to prioritize which risks require more immediate attention or more stringent controls. Risk management is an iterative process requiring a cycle of identifying risks, implementing controls, testing the effectiveness of those controls and then returning to the beginning of the cycle to identify additional risks.
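The two paragraphs above describe risk as a combination of likelihood and impact, compared against an acceptable level, with controls applied and the cycle repeated. The Python script below is an added example, not from the original article, that turns that into a small risk register: each risk gets a 1 to 5 likelihood and impact score (the scales and the acceptable-level threshold are assumptions of this example), controls reduce one or both, and the register is re-prioritized after each control is added. The assets, threats and scores are constructed.

```python
"""Minimal risk register: inherent score, residual score after controls, and
prioritization against an acceptable level. Added example with constructed data."""
from dataclasses import dataclass, field
from typing import List

# Assumed scales: likelihood and impact each run 1 (lowest) to 5 (highest).
# Assumed risk appetite: a residual score of 6 or below needs no further action.
ACCEPTABLE = 6


@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0  # how many points of likelihood it removes
    impact_reduction: int = 0      # how many points of impact it removes


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int
    impact: int
    controls: List[Control] = field(default_factory=list)

    def inherent(self) -> int:
        """Score before any control is applied."""
        return self.likelihood * self.impact

    def residual(self) -> int:
        """Score after the controls; neither factor can drop below 1,
        since no control removes a risk entirely."""
        like = max(1, self.likelihood - sum(c.likelihood_reduction for c in self.controls))
        imp = max(1, self.impact - sum(c.impact_reduction for c in self.controls))
        return like * imp


def prioritize(register: List[Risk], acceptable: int = ACCEPTABLE) -> List[Risk]:
    """Risks whose residual score is still above the acceptable level, worst first."""
    open_risks = [r for r in register if r.residual() > acceptable]
    return sorted(open_risks, key=lambda r: (r.residual(), r.inherent()), reverse=True)


def sample_register() -> List[Risk]:
    """Constructed register for a hypothetical small company."""
    return [
        Risk("customer database", "SQL injection via web app", 4, 5,
             [Control("parameterized queries", likelihood_reduction=3)]),
        Risk("public website", "volumetric DoS", 3, 2),
        Risk("payroll file share", "ransomware", 3, 4,
             [Control("offline backups", impact_reduction=1)]),
        Risk("build server", "stolen code-signing key", 2, 5),
    ]


def report(register: List[Risk]) -> None:
    for r in register:
        print(f"{r.asset:22} {r.threat:28} inherent={r.inherent():2} residual={r.residual():2}")


if __name__ == "__main__":
    register = sample_register()
    report(register)
    print("needs attention:", [r.asset for r in prioritize(register)])
    # One turn of the cycle: add a control to the top risk and re-evaluate.
    register[3].controls.append(Control("key in HSM, signing requires approval",
                                        likelihood_reduction=1, impact_reduction=2))
    report(register)
    print("after the cycle:", [r.asset for r in prioritize(register)])
```

The numbers are deliberately coarse; what the script demonstrates is the shape of the process. Scoring is only as good as the honesty of the likelihood estimates, and a control that lowers the score on paper must be tested before the residual value is trusted, which is why the cycle in the paragraph above returns to identification after each round.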
The information security industry has expanded greatly since the fledgling days of computing, when the only way to hack a system was to sit down in front of it and write assembly code. Today the Internet has connected computers (and humans) in ways that were never dreamed of. Communicating with someone on the other side of the planet is trivial. But that same connectivity also brings malicious actors from around the globe to our virtual doorsteps. The use of technology continues to accelerate, and the need to secure those systems grows right along with it. New challenges appear daily in the world of information security. Are you prepared to face them?
Business demand for specialized knowledge in a growing digital world will continue to expand as new technology security concerns arise. Lewis University's online M.S. in Computer Science with a concentration in Cyber Security teaches students how to identify cyber threats, design software systems that withstand an attack, and investigate the aftermath using digital forensics tools. To learn more about the master's degree, call (866) 967-7046 to speak with a Graduate Admissions Counselor or request more information.