A few years back, I was presenting my three-year Information and Cyber Security Program; to my surprise, not all Information Technology (IT) executives understood Information Security (INFOSEC), much less Cyber Security (CYBERSEC). What are the possible relations between these two fields of security?
What is INFOSEC?
Let’s look at the definition of INFOSEC given by the widely accepted international standard (the ISO/IEC 27000 series).
ISO/IEC 27000:2009 definition:
2.33 Information security – preservation of confidentiality, integrity and availability of information. Note 1 to entry: In addition, other properties, such as authenticity, accountability, non-repudiation and reliability can also be involved.
According to the SANS Institute, Information Security refers to:
the processes and methodologies which are designed and implemented to protect print, electronic, or any other form of confidential, private and sensitive information or data from unauthorized access, use, misuse, disclosure, destruction, modification, or disruption.
What about CYBERSEC?
“Cybersecurity” or “Cyberspace security” [is] defined as the “preservation of confidentiality, integrity and availability of information in the Cyberspace”.
The activity or process, ability or capability, or state whereby information and communications systems and the information contained therein are protected from and/or defended against damage, unauthorized use or modification, or exploitation.
Extended Definition: Strategy, policy, and standards regarding the security of and operations in cyberspace, and encompass[ing] the full range of threat reduction, vulnerability reduction, deterrence, international engagement, incident response, resiliency, and recovery policies and activities, including computer network operations, information assurance, law enforcement, diplomacy, military, and intelligence missions as they relate to the security and stability of the global information and communications infrastructure.
Adapted from: CNSSI 4009, NIST SP 800-53 Rev 4, NIPP, DHS National Preparedness Goal; White House Cyberspace Policy Review, May 2009
International Telecommunication Union (ITU), X.1205: Overview of cybersecurity (2008)
Cybersecurity is the collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment and organization and user’s assets. Organization and user’s assets include connected computing devices, personnel, infrastructure, applications, services, telecommunications systems, and the totality of transmitted and/or stored information in the cyber environment. Cybersecurity strives to ensure the attainment and maintenance of the security properties of the organization and user’s assets against relevant security risks in the cyber environment. The general security objectives comprise the following: Availability, Integrity, which may include authenticity and non-repudiation, and Confidentiality.
Cyber security, as some perceive it, is a broad practice demanding mastery of a number of specialised technical skills and practices from its most effective practitioners. It ensures that servers, network devices, intranets, and channels built for data transfer remain protected and accessible only to those who are authorized.
Information security is commonly defined as “the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.” Any point of data storage and transfer is considered an “information system”, which means this practice applies to a wide variety of environments, including those outside the cyberspace sphere.
- NATO Cooperative Cyber Defence Centre of Excellence
- SANS Institute
- International Organization for Standardization (ISO)
- Center for Cyber and Information Security