Probably the article “What is information security?” should have been the first post on this blog. Information is a collection of meaningful data, and we consider it a very important asset. Like any asset, it has a value for you (as the owner). The problem starts here: if it is valuable to you, then it will probably be valuable to a third party as well. Think, for example, of your list of clients and their purchases of products or services from you. It surely has some value to your competition. If they can get hold of this information, they might try to win some business away from you. That is why some protection needs to be in place. The CIA triad (confidentiality, integrity, availability) describes a fundamental security model built around the basic goals of information security.
Because information is kept, or better said, lives on different mediums (e.g. IT networks, stored as a file on a hard drive, written on a contract, or perhaps spoken during a presentation), the measures to protect it are varied. Nowadays most information is held on information systems, and because of this, most measures are to be found there. Such security measures include antivirus software, firewalls, intrusion detection systems, backups (to protect availability) and so on. Due to this fact, a common mistake is to assume that information security concerns only IT systems. Well, let me use the example mentioned above. If your database containing the customer list is protected by every imaginable IT security measure, but the same information is printed out and lost by a careless employee, where is the information security? What about employees discussing the same matter in a pub? Why should an attacker spend an enormous amount of effort on state-of-the-art IT attack methods when he can get the same information, sitting next to your employees, at the cost of a beer?
What level of information security should I implement?
As a rule of thumb, you should implement security measures in proportion to the asset's value. If an asset's value is a thousand (take any currency you like), you shouldn't implement security controls worth a million. In this case you should seriously consider that losing the asset is more cost-effective than protecting it. On the other hand, a rational attacker would not spend that much either, as he would gain no value compared to the effort spent.