Information security

Defending against cyber risks and threats in the ever-evolving hyperconnected world.

Introduction

Information security encompasses the techniques and controls used to protect digital assets. These digital assets may be business data, such as a new car design, the plans to a nuclear plant, or a new piece of pharmaceutical drug research.

Alternatively, digital assets could mean personal information. There are many regulations and standards that require organisations to protect this category of information, such as the EU GDPR, the UK DPA 2018 and PCI DSS.

The EU GDPR defines a personal data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.

Whilst this definition specifically relates to personal data, the same definition of a breach could equally be applied to non-personal data. In order to prevent a breach, organisations must first complete a data mapping exercise (discovery). This identifies what data they have, where it is located and who/what resources have access to it.

What is Information Security (InfoSec)?

Information security (sometimes referred to as InfoSec) covers the tools and processes that organisations use to protect information. This includes policy settings that prevent unauthorised people from accessing business or personal information. InfoSec is a growing and evolving discipline that covers a wide range of areas, from network and infrastructure security to testing and auditing.

Information security protects sensitive information from unauthorised activities, including inspection, modification, recording, and any disruption or destruction. The goal is to ensure the safety and privacy of critical data such as customer account details, financial data or intellectual property.

The consequences of security incidents include theft of private information, data tampering, and data deletion. Attacks can disrupt work processes and damage a company’s reputation, and also have a tangible cost.

Organisations must allocate funds for security and ensure that they are ready to detect, respond to and proactively prevent attacks such as phishing, malware, viruses, malicious insiders and ransomware.

Information Security vs Cybersecurity
Information security differs from cybersecurity in both scope and purpose. The two terms are often used interchangeably, but more accurately, cybersecurity is a subcategory of information security. Information security is a broad field that covers many areas such as physical security, endpoint security, data encryption, and network security. It is also closely related to information assurance, which protects information from threats such as natural disasters and server failures.

Cybersecurity primarily addresses technology-related threats, with practices and tools that can prevent or mitigate them. Another related category is data security, which focuses on protecting an organisation’s data from accidental or malicious exposure to unauthorized parties.

Why choose SR Cloud Solutions?

SR Cloud Solutions has a 25-year track record of supplying managed security services to many organisations in different industries.

Book a meeting with one of our consultants to learn more, or read on to find out more about our Information Security Solutions and Services.

Four Phases of Information Security Explained

1.) Data Discovery

Data Discovery helps businesses understand:

  • What data they have
  • Where the data is stored
  • What access and protection levels are needed

Discovery can be a manual or automated process. The manual method involves interviewing a broad range of staff in all business areas. You can alternatively require employees to complete questionnaires. Given an adequate amount of time and resources, this can be quite accurate as it is these people who are accessing and processing the data on a daily basis. However, it will not deliver a granular understanding or inventory of all the data assets that you own/control.

Larger enterprises are more likely to use an eDiscovery tool. Such solutions will scan your entire environment, on-premises or in the cloud, to find all your data. This data will then be collated into an index where various functions can be performed. This is clearly a much quicker method but can be costly. However, such tools do bring added longer-term benefits such as:

  • Efficiency when complying with data subjects’ rights, such as those mandated in The EU GDPR (right of access, right to be forgotten etc).
  • Compliance with legal eDiscovery requirements is simplified

2.) Classification

Classification should be designed to ensure that data is marked in a way that allows only people with appropriate permission to access it. Classification levels and determinations must be well documented and communicated to all people creating, accessing, moving or deleting the data.

How the classification is determined is down to the creating organisation, however, consideration should be paid to the following:

  • Value
  • Sensitivity to unauthorised disclosure
  • Legal requirements
  • Criticality

Classification of data can be done manually (through the application of watermarks, digital stamps, headers/footers, email signatures etc) or, more suitably, through a tool that the user must interact with. Such tools mark the metadata with the assigned classification. This classification can then be used to apply handling rules based on company policy.
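The following is an added example (not code from the original page or from SR Cloud Solutions) showing how a labelling tool can derive a level from the four factors listed above, stamp it into an asset's metadata, and then enforce handling rules from company policy; the levels, scoring and handling policy are constructed assumptions.

```python
"""Tag data with its classification in metadata and enforce handling rules.

Added example, not code from the original page or from SR Cloud Solutions.
The levels, the scoring and the handling policy are constructed to illustrate the approach.
"""
from dataclasses import dataclass, field
from typing import Any

# Ascending sensitivity; a level's index doubles as its score 0-3.
LEVELS = ["public", "internal", "confidential", "restricted"]

# Constructed company handling policy, keyed by classification level.
HANDLING = {
    "public":       {"encrypt_at_rest": False, "external_share": True},
    "internal":     {"encrypt_at_rest": False, "external_share": False},
    "confidential": {"encrypt_at_rest": True,  "external_share": False},
    "restricted":   {"encrypt_at_rest": True,  "external_share": False},
}
# Fail closed: data that was never labelled is handled as the most sensitive level.
UNLABELLED_DEFAULT = "restricted"

@dataclass
class Asset:
    name: str
    metadata: dict[str, Any] = field(default_factory=dict)

def classify(value: int, sensitivity: int, criticality: int, legal_requirement: bool) -> str:
    """Derive the level from value, sensitivity and criticality (each scored 0-3): the highest
    factor wins, and a legal requirement to protect the data forces at least "confidential"."""
    for score in (value, sensitivity, criticality):
        if not 0 <= score <= 3:
            raise ValueError(f"score out of range: {score}")
    floor = LEVELS.index("confidential") if legal_requirement else 0
    return LEVELS[max(value, sensitivity, criticality, floor)]

def label(asset: Asset, level: str, classified_by: str) -> Asset:
    """Stamp the classification into the asset's metadata, as a labelling tool would."""
    if level not in LEVELS:
        raise ValueError(f"unknown level: {level}")
    asset.metadata["classification"] = level
    asset.metadata["classified_by"] = classified_by
    return asset

def effective_level(asset: Asset) -> str:
    return asset.metadata.get("classification", UNLABELLED_DEFAULT)

def check_action(asset: Asset, action: str) -> tuple[bool, str]:
    """Decide whether an action is permitted under the handling rules for the asset's level."""
    level = effective_level(asset)
    rules = HANDLING[level]
    if action == "share_external":
        allowed = rules["external_share"]
    elif action == "store_plaintext":
        allowed = not rules["encrypt_at_rest"]
    else:
        raise ValueError(f"unknown action: {action}")
    return allowed, f"{asset.name}: {action} {'allowed' if allowed else 'blocked'} for {level} data"

if __name__ == "__main__":
    design = label(Asset("car-design-v3.cad"), classify(3, 2, 1, False), "j.smith")
    print(check_action(design, "share_external")[1])
    print(check_action(Asset("unlabelled.xlsx"), "store_plaintext")[1])
```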

3.) Risk assessment

Assessing risks is vitally important in order to understand where you should focus your attention when considering applying controls. During a risk assessment process, there are four stages that require careful attention:

  1. Prepare
  2. Conduct
  3. Communicate results
  4. Maintain assessment (continually review)

At SR Cloud Solutions we offer a number of risk assessments, including:

  • Security Assessments
  • Audit & Assessment Services
  • Network Assessments
  • Cloud Assessments
  • Wireless Network Assessments
  • Microsoft 365 Assessments

4.) Controls

With our digital society’s ever-growing reliance on data and interconnectivity, it is time to develop resilience with next-generation information security controls.

Information security controls are wide-ranging and can be implemented at every level of the OSI model. There are nearly 100 different categories of controls but in general terms, they can be grouped into the following:

  • Directive (Policies etc)
  • Preventative (Reduce the likelihood of a security event)
  • Detective (Identify when a security event has occurred)
  • Corrective (Correct errors, omissions or malicious acts once they are detected)
  • Recovery (Associated with business continuity or disaster recovery and reduce the impact of a security event)

Whichever category they fall into, the purpose of an information security control is to preserve the confidentiality, integrity and availability of data, and reduce risk to a level that is acceptable to the organisation.

Advantages of Information Security

It helps protect sensitive data

Infosec policies prioritise protecting intellectual property and sensitive data such as personally identifiable information (PII) of key stakeholders, company operational data, customer sales data etc.

It builds trust with customers and other stakeholders

Infosec policies summarise the organisation's security posture and explain how it protects IT resources and assets. This is critical in building trust with customers, employees, vendors and others alike that the company is reliable and is capable of managing their sensitive information and confidential processes.

It helps avoid unnecessary compliance penalties

Maintaining a good infosec posture internally, validated against the controls required by local infosec regulations, helps avoid the hefty fines that non-compliance can bring.

It enables proactive risk management

Effective infosec policies help identify risks to information from the perspective of security, availability, integrity, confidentiality, and privacy. Maintaining an effective risk register can help a company in making calculated decisions on risks they want to avoid, mitigate or manage, based on the likelihood of risk actually materializing and the severity of the impact of such a risk.


Frequently Asked Questions

Information security is the practice of protecting information and information systems from unauthorised disclosure, modification, and destruction. It encompasses the security of all IT resources, including both business information and the IT devices that access, process, store, or transmit it.


Unsecure or Poorly Secured Systems
The speed of technological development often leads to compromises in security measures. In other cases, systems are developed without security in mind and remain in operation at an organisation as legacy systems. Organisations must identify these poorly secured systems and mitigate the threat by securing or patching them, decommissioning them, or isolating them.

Social Media Attacks
Many people have social media accounts, where they often unintentionally share a lot of information about themselves. Attackers can launch attacks directly via social media, for example by spreading malware via social media messages, or indirectly, by using information obtained from these sites to analyse user and organisational vulnerabilities, and use them to design an attack.

Social Engineering
Social engineering involves attackers sending emails and messages that trick users into performing actions that may compromise their security or divulge private information. Attackers manipulate users using psychological triggers like curiosity, urgency or fear.

Because the source of a social engineering message appears to be trusted, people are more likely to comply, for example by clicking a link that installs malware on their device, or by providing personal information, credentials, or financial details.

Organisations can mitigate social engineering by making users aware of its dangers and training them to identify and avoid suspected social engineering messages. In addition, technological systems can be used to block social engineering at its source, or prevent users from performing dangerous actions such as clicking on unknown links or downloading unknown attachments.

Malware on Endpoints
Organisational users work with a large variety of endpoint devices, including desktop computers, laptops, tablets, and mobile phones, many of which are privately owned and not under the organisation’s control, and all of which connect regularly to the Internet.

A primary threat on all these endpoints is malware, which can be transmitted by a variety of means, can result in compromise of the endpoint itself, and can also lead to privilege escalation to other organisational systems.

Traditional antivirus software is insufficient to block all modern forms of malware, and more advanced approaches to securing endpoints, such as endpoint detection and response (EDR), are emerging.

Lack of Encryption
Encryption processes encode data so that it can only be decoded by users with secret keys. It is very effective in preventing data loss or corruption in case of equipment loss or theft, or in case organisational systems are compromised by attackers.

Unfortunately, this measure is often overlooked because of its complexity and the lack of legal obligations requiring proper implementation. Organisations are increasingly adopting encryption by purchasing storage devices or using cloud services that support encryption, or by using dedicated security tools.

Security Misconfiguration
Modern organisations use a huge number of technological platforms and tools, in particular web applications, databases, and Software as a Service (SaaS) applications, or Infrastructure as a Service (IaaS) from providers like Amazon Web Services.

Enterprise grade platforms and cloud services have security features, but these must be configured by the organisation. Security misconfiguration due to negligence or human error can result in a security breach. Another problem is “configuration drift”, where correct security configuration can quickly become out of date and make a system vulnerable, unbeknownst to IT or security staff.

Organisations can mitigate security misconfiguration using technological platforms that continuously monitor systems, identify configuration gaps, and alert or even automatically remediate configuration issues that make systems vulnerable.
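As an added example (not code from the original page or from SR Cloud Solutions), the following is the core of such a monitor: it compares an observed configuration with a secure baseline, reports gaps with a severity, detects drift between two snapshots, and auto-remediates the settings it is allowed to change while alerting on the rest. The baseline settings, severity map and observed snapshot are constructed assumptions.

```python
"""Detect configuration gaps and drift against a secure baseline.

Added example, not code from the original page or from SR Cloud Solutions.
The baseline, severity map and observed configurations are constructed sample data.
"""
from dataclasses import dataclass
from typing import Any

# Constructed secure baseline for a hypothetical web application host.
BASELINE: dict[str, Any] = {
    "tls_min_version": "1.2",            # at-least rule: a newer version is fine
    "password_min_length": 12,           # at-least rule
    "log_retention_days": 90,            # at-least rule
    "admin_panel_public": False,         # exact-match rule
    "storage_bucket_public_read": False,  # exact-match rule
}
AT_LEAST_KEYS = {"tls_min_version", "password_min_length", "log_retention_days"}
CRITICAL_KEYS = {"tls_min_version", "admin_panel_public", "storage_bucket_public_read"}

@dataclass(frozen=True)
class Gap:
    key: str
    expected: Any
    actual: Any       # None means the setting is absent altogether
    severity: str     # "critical" or "warning"

def _as_tuple(value: Any) -> tuple[int, ...]:
    """Turn 12, "12" or "1.2" into a tuple of ints so versions and counts compare sanely."""
    return tuple(int(part) for part in str(value).split("."))

def _compliant(key: str, expected: Any, actual: Any) -> bool:
    if actual is None:
        return False   # a missing setting is never compliant
    if key in AT_LEAST_KEYS:
        return _as_tuple(actual) >= _as_tuple(expected)
    return actual == expected

def find_gaps(observed: dict[str, Any], baseline: dict[str, Any] = BASELINE) -> list[Gap]:
    """Return every baseline setting the observed configuration fails to meet."""
    return [
        Gap(key, expected, observed.get(key), "critical" if key in CRITICAL_KEYS else "warning")
        for key, expected in baseline.items()
        if not _compliant(key, expected, observed.get(key))
    ]

def drifted_keys(previous: dict[str, Any], current: dict[str, Any]) -> set[str]:
    """Settings whose value changed between two snapshots, whether or not the change breaches the baseline."""
    return {k for k in previous.keys() | current.keys() if previous.get(k) != current.get(k)}

def remediate(observed: dict[str, Any], gaps: list[Gap], auto_fix_keys: set[str]) -> tuple[dict[str, Any], list[str]]:
    """Auto-correct gaps whose key is in auto_fix_keys; raise alerts for the rest."""
    fixed, alerts = dict(observed), []
    for gap in gaps:
        if gap.key in auto_fix_keys:
            fixed[gap.key] = gap.expected
        else:
            alerts.append(f"{gap.severity.upper()} {gap.key}: have {gap.actual!r}, need {gap.expected!r}")
    return fixed, alerts

if __name__ == "__main__":
    # Constructed drifted snapshot of the host: two critical gaps, one warning, one setting missing.
    today = {"tls_min_version": "1.0", "admin_panel_public": True, "password_min_length": 16, "log_retention_days": 30}
    fixed, alerts = remediate(today, find_gaps(today), {"admin_panel_public", "storage_bucket_public_read"})
    print("\n".join(alerts), "\nstill open:", [g.key for g in find_gaps(fixed)])
```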

As a business owner, you should consider the value of your information systems and other IT assets in terms of the daily business of the organisation in order to determine the appropriate level of security. The impact of any security incident on your reputation, as well as on the proper continuity of your business, should be considered. A process called risk analysis is normally used to identify what assets to protect, their relative importance to the proper operation and business of the organisation, and the priority ranking or level of security protection. The result should be a well-defined list of security requirements for your organisation.

A security policy sets the standards for a set of security specifications. It states what aspects of Information Security are of paramount importance to the organisation, and thus a security policy can be treated as a basic set of mandatory rules that must be observed. The policy should be observed throughout the organisation and should be in accordance with your security requirements, and your organisation’s business objectives and goals.

Security standards, guidelines and procedures are tools that can be used to implement and enforce a security policy. More detailed managerial, operational and technical issues can be addressed. These documents provide detailed steps and advice to assist users and system administrators in complying with the requirements in security policy. Standards, guidelines and procedures may require more frequent reviews than the security policy itself.

An information security policy should be practical, and work for your organisation. The following should be considered:

  • The sensitivity and value of the assets that need to be protected
  • The legal requirements, regulations and laws of the Government in your jurisdiction
  • Your organisation’s goals and business objectives
  • The practicalities in implementation, distribution and enforcement

Developing an information security policy requires the active support and ongoing participation of individuals from multiple ranks and functional units within the organisation. A working group or task force can be formed to develop the policy. In general, this group can include empowered representatives from senior management, technical personnel, operational personnel, and business users. Senior management represents the interests of the organisation’s goals and objectives, and can provide the overall guidance, assessment and decision-making.

Technical personnel can provide technical input and feasibility assessments for various security mechanisms or aspects of technology. Business users represent the users of related systems who may be directly affected by the policy. Sometimes, a third-party consultancy firm like SR Cloud Solutions may need to be involved, to review the draft information security policy.

An information security policy must address procedures and behaviours that can be changed. It is also important to recognise that there are always exceptions to every security rule. Keep the policy as flexible as possible in order that it remains viable for a longer time.

The CONTENTS of an information security policy should address the following questions:

  • What are the policy objectives and scope?
  • Which information resources need to be protected?
  • Who does the policy affect?
  • Who exactly has what authorities and privileges?
  • Who can grant authorities and privileges?
  • What are the minimum measures required to protect information resources?
  • The expectations and procedures for reporting security violations and crimes
  • Specific management and user responsibilities for ensuring effective security
  • The effective date of the policy, along with revision dates or appropriate review intervals

With an information security policy in place, all staff will be able to clearly understand what is and is not permitted in the organisation relating to the protection of information assets and resources. This helps raise the level of security consciousness of all staff. In addition, a security policy provides a baseline from which detailed guidelines and procedures can be established. It may also help to support any decision to prosecute in the event of serious security violations.

Even if a security policy has obtained formal approval, putting a good security policy in place is another story. This requires a series of steps:

Security Awareness & Training

Security Awareness is crucial to ensuring that all related parties understand the risks, and accept and adopt good security practices. Training and education can provide users, developers, system administrators, security administrators and related parties with the necessary skills and knowledge needed to implement appropriate security measures.

Commitment and communication

No policy can be fully implemented unless all users and related parties are fully committed to complying with it. Good communication is ensured if users and third parties:

  • are informed about the policy through briefings or orientations when they join the organisation
  • are invited to participate in developing policy proposals
  • are trained in the skills needed to follow policies
  • feel that security measures are created for their own benefit
  • are periodically reminded and refreshed on new issues
  • have signed an acknowledgement agreement
  • are provided guidance on implementing the policy

Enforcement And Redress

This refers to the task of enforcement of rights arising from implementation of the policy, and redress for any violations of those rights. Organisations should set up procedures to provide prompt assistance in investigative matters relating to breaches of security.

On-going Involvement of All Parties

An effective information security policy also relies on a continuous exchange of information, consultation, co-ordination and co-operation among users and business units. Injection of knowledge on standards, methods, codes of practice and other expertise on security from external organisations will also help keep the security policy up-to-date and relevant.

A security assessment is the process of evaluating the security of an IT environment, including the network and the information systems. Security administrators or third-party consultants usually use a software tool called a vulnerability scanner, specially designed to search out security risks and vulnerabilities on internal hosts and workstations. In addition, the adequacy of operational procedures is also evaluated as part of the security assessment.

In general, a security risk assessment is conducted at the very beginning of a system deployment project to identify what security measures are required; or when there is a major change to the information assets or their environment. As new security vulnerabilities emerge from time to time, security risk assessments should be conducted regularly, for example once every two years.

A security audit is a process or event where the IT security policy or standards are used as a basis to determine the overall state of existing protection, and to verify whether existing protection is being performed properly. It aims to determine whether the current environment is securely protected in accordance with the defined IT security policy.

Before performing a security assessment or audit, the organisation should define the scope of the security audit, and the budget and duration allowed for the assessment / audit.

A security audit only provides a snapshot of the vulnerabilities in a system at a particular point in time. As technology and the business environment changes, periodic and ongoing reviews will inevitably be required. Depending on the criticality of the business, a security audit might be conducted yearly, or every two years.

A security audit is a complex task requiring skilled and experienced personnel; it must be planned carefully. To perform the audit an independent and trusted third party is recommended. This third party can be another group of in-house staff or an external audit team, dependent on the skills of the internal staff and the criticality / sensitivity of the information being audited.

Speak to one of our security EXPERTS

Our team is available for a quick call or video meeting. Let's connect and discuss your security challenges, dive into vendor comparison reports, or talk about your upcoming IT-projects. We are here to help.
