Cis Infographics Notes

The document outlines the importance of Information Security in protecting organizational information and systems from various threats, emphasizing the CIA triad (confidentiality, integrity, availability) as its core objective. It discusses the current IT environment's challenges, including increased risks due to cloud computing and remote work, and highlights the need for effective security controls, risk management, and compliance with standards. Additionally, it details roles and responsibilities within an organization, the significance of security policies, and the process of conducting information security audits to ensure robust security measures are in place.


INFORMATION SECURITY

Information Security focuses on protecting organizational information and information systems from unauthorized access, misuse, disclosure, disruption, modification, or destruction. The primary objective of information security is to ensure the confidentiality, integrity, and availability (CIA triad) of information assets, which are critical to organizational operations and decision-making.

The document emphasizes that information is a valuable asset that must be properly managed and safeguarded against various threats, including cyberattacks, human error, fraud, and system failures. Effective information security requires a combination of administrative, technical, and physical controls, such as security policies, access controls, encryption, authentication mechanisms, and continuous monitoring.

It also highlights the importance of risk management in information security, where organizations identify potential threats and vulnerabilities, assess their impact, and implement appropriate controls to mitigate risks. Management commitment, employee awareness, and compliance with legal and regulatory requirements are identified as key factors in establishing a strong security posture.

Overall, the document underscores that information security is not solely a technical issue but an organizational responsibility that supports business continuity, protects stakeholder trust, and ensures the long-term sustainability of the organization.

CURRENT I.T. ENVIRONMENT

Today’s IT environment is highly connected and digital. Organizations no longer rely only on on-site computers.

Characteristics:

●​ Cloud computing – data stored on third-party platforms
●​ Mobile access – employees use phones, tablets, and laptops
●​ Remote & hybrid work – access from outside the office
●​ Interconnected systems – APIs, online apps, and shared databases
●​ Large volumes of data – personal, financial, and business data

Impact: more access points = more security risks. Because information is digital and online, it is:

○​ Easier to copy, steal, or manipulate
○​ Accessible from anywhere in the world
○​ A primary target for cybercriminals

Without strong IS:

●​ Businesses may suffer data breaches

●​ Operations may be interrupted

●​ Customer trust may be lost

●​ Organizations may face legal penalties

Information Security in the current IT environment is built around three goals:

1.​ Confidentiality- Ensures only authorized users can access information

Examples:

Passwords, Access controls, Encryption

2.​ Integrity- Ensures data is accurate and not altered without permission

Examples:

Audit trails, Data validation, Version control

3.​ Availability- Ensures systems and data are accessible when needed

Examples:

System backups, Disaster recovery plans, Redundant servers

●​ Organizations apply layered security controls:

1.​ Preventive Controls

○​ Firewalls

○​ Strong authentication (MFA)


○​ Security policies

2.​ Detective Controls

○​ Log monitoring

○​ Intrusion detection systems

○​ Regular security audits

3.​ Corrective Controls

○​ Incident response plans

○​ System recovery

○​ Data restoration from backups
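The detective-control bullets above (log monitoring, intrusion detection) are only useful if someone turns raw log lines into a decision. The following is an added example, not part of the original notes: it parses constructed sshd-style authentication log lines (the hosts, addresses and timestamps are made up) and raises an alert when a source succeeds in logging in after repeated failures inside a short window, which is the pattern worth acting on rather than the raw failure count.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (syslog-like sshd format); not taken from any real system.
SAMPLE_LOG = """\
2024-03-01T09:00:01 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022
2024-03-01T09:00:03 sshd[1203]: Failed password for root from 203.0.113.7 port 51024
2024-03-01T09:00:05 sshd[1205]: Failed password for root from 203.0.113.7 port 51026
2024-03-01T09:00:07 sshd[1207]: Failed password for root from 203.0.113.7 port 51028
2024-03-01T09:00:09 sshd[1209]: Failed password for root from 203.0.113.7 port 51030
2024-03-01T09:00:12 sshd[1211]: Accepted password for root from 203.0.113.7 port 51032
2024-03-01T09:15:00 sshd[1300]: Failed password for alice from 198.51.100.4 port 40010
2024-03-01T09:16:30 sshd[1301]: Accepted publickey for alice from 198.51.100.4 port 40011
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) "
    r"(?P<method>\w+) for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def parse_auth_log(text):
    """Turn matching lines into event dicts; lines that do not fit are skipped, not guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m.group("ts")),
            "success": m.group("result") == "Accepted",
            "user": m.group("user"),
            "src": m.group("src"),
        })
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Alert when a source logs in successfully after >= threshold failures within `window`.
    Counting failures alone floods the queue; failures followed by a success is the
    signal that needs a response (reset the account, block the source, check for persistence)."""
    recent_failures = defaultdict(list)  # src -> failure timestamps still inside the window
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        src = ev["src"]
        recent_failures[src] = [t for t in recent_failures[src] if ev["ts"] - t <= window]
        if ev["success"]:
            if len(recent_failures[src]) >= threshold:
                alerts.append({"ts": ev["ts"], "src": src, "user": ev["user"],
                               "failures": len(recent_failures[src])})
            recent_failures[src] = []
        else:
            recent_failures[src].append(ev["ts"])
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse_auth_log(SAMPLE_LOG)):
        print(f"ALERT {alert['ts']} {alert['src']} -> {alert['user']} after {alert['failures']} failures")
```

The threshold and window are tuning knobs: too low and a user mistyping a password pages the on-call; too high and a slow, patient attacker never trips it, which is why the same data should also feed a longer-horizon count per source.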

THREATS & RISKS

Information security threats are potential causes of unwanted incidents that may harm systems, networks, or data by violating confidentiality, integrity, or availability.

Common Information Security Threats

Malware – Viruses, worms, Trojans, and ransomware: malicious software that damages or encrypts data, or gives attackers a foothold from which to steal it.

Phishing & Social Engineering – Deceiving users into revealing confidential information or into taking an action (opening an attachment, approving a payment) that benefits the attacker.

Unauthorized Access (Hacking) – Gaining entry to a system or to data without proper authorization.

Insider Threats – Employees or contractors with legitimate access who misuse it, whether deliberately (fraud, sabotage, data theft) or through negligence and mistakes.

Denial of Service (DoS/DDoS) – Overwhelming systems with traffic or requests so that legitimate users cannot reach them.

Physical Threats – Theft, fire, flooding, and power failure.

Software Vulnerabilities – Attackers exploit existing weaknesses such as software bugs and security flaws in outdated or unpatched systems.

Information security risk is the likelihood that a threat will exploit a particular vulnerability, combined with the impact that would result if it did.

Types of Information Security Risks

Operational Risk – Disruption of business operations

Financial Risk – Loss of money, recovery costs, or fines

Legal & Compliance Risk – Violating data protection laws

Reputational Risk – Loss of trust and credibility

Data Loss Risk – Loss or corruption of sensitive information

STANDARDS

Major Standards in Information Security

1. ISO/IEC 27001
●​ The international standard that specifies the requirements for an Information Security Management System (ISMS); organizations can be certified against it.
●​ Requires a risk assessment and risk treatment process, with controls selected and implemented according to the assessed risks.

2. ISO/IEC 27002
●​ A code of practice that describes the individual security controls and gives implementation guidance for each.
●​ Supports organizations implementing ISO/IEC 27001, whose Annex A control list is derived from it.

3. NIST Cybersecurity Framework
●​ Developed by NIST (USA) to help organizations identify, assess, and reduce cybersecurity risk.
●​ The original framework is organized into five functions: Identify, Protect, Detect, Respond, and Recover. (CSF 2.0, released in 2024, adds a sixth function, Govern.)

4. PCI DSS
●​ The security standard that sets protection requirements for organizations that store, process, or transmit payment card data.
●​ Its purpose is to protect cardholder data and reduce payment card fraud.

5. COBIT
●​ ISACA's framework for the governance and management of enterprise IT, including information security management.
●​ Helps organizations align security activities with business goals and demonstrate control to auditors and regulators.

6. HIPAA Security Rule
●​ A US regulation that sets administrative, physical, and technical safeguards for electronic protected health information (ePHI) held by covered entities (healthcare providers, health plans, clearinghouses) and their business associates.

POLICY

What Is an Information Security Policy?


●​ A policy is a formal document that states:
• Rules
• Requirements
• Responsibilities
Example: Acceptable Use Policy
●​ Policies are:
• Mandatory
• Organization‑wide
• High‑level and strategic

Purpose of an Information Security Policy


●​ Aligns security practices with business objectives
●​ Protects against threats such as:
• Unauthorized access
• Data loss or theft
• Misuse and denial of service
●​ Guides:
• Management
• Users
• System designers
●​ Defines goals, ethics, controls, and responsibilities

SANS Information Security Policy


●​ The SANS Institute provides ready‑to‑use policy templates in categories including:
• General Security
• Network Security
• Server Security
• Application Security
●​ Examples:
• Acceptable Use Policy
• Password Policy
• Email Policy
• Disaster Recovery Policy
• Web Application Security Policy

Information Classification
●​ Organizations classify information to determine protection levels
●​ Common classifications:
• Public
• Internal Use Only
• Confidential
●​ Sensitive information must be:
• Properly labeled
• Protected throughout its lifecycle

Need‑to‑Know Principle
●​ Access is granted only to those who need information to perform their job
●​ Requires:
• Access request process
• Owner approval
●​ Users must:
• Not access unauthorized data
• Not withhold access when instructed
●​ Applies to all formats:
• Digital
• Paper
• Conversations

ROLES & RESPONSIBILITIES

Information security is a shared responsibility across the organization. While the security department sets guidelines and authority, protecting information requires the active participation of owners, custodians, users, and third parties.

Information Owners

Managers or senior leaders who classify data sensitivity, determine its criticality, define access rights, and approve how information is used. They set the rules for handling organizational data.

Information Custodians

IT staff, system administrators, or even users with data on personal devices. Custodians safeguard information by enforcing access controls, maintaining backups, and applying the security measures defined by owners.

Users

All employees who interact with information systems. Users must follow policies and procedures, handle data responsibly in distributed environments, and consult owners or custodians when unsure. They form the frontline of security.

Third Parties

Contractors and outsourced partners who require access to organizational information. Their access must be formally controlled through agreements and compliance processes. The same standards apply when employees access third-party data.

INFORMATION SECURITY CONTROLS

●​ Security is not just tools—controls are essential


●​ According to ISO and NIST, controls include:
• Policies
• Procedures
• Processes
• Software and hardware
●​ Purpose:
• Protect CIA triad
• Meet business and security objectives

Vulnerability Management
●​ Vulnerabilities are weaknesses that create security risks
●​ Process includes:
• Identification
• Evaluation
• Remediation
●​ Requires:
• Asset management
• Patch testing
• Change management
●​ Vulnerabilities are prioritized based on risk

Threat Management
●​ Focuses on preventing and detecting threats
●​ Includes:
• Antivirus protection
• Spam filtering
• Intrusion detection
• Security event monitoring
●​ Controls include:
• Regular updates
• User awareness training

Trust Management & Encryption


●​ Uses cryptography (encryption, hashing, message authentication codes, digital signatures) together with access controls
●​ Requires formal cryptography policies (approved algorithms and key lengths, where encryption is mandatory, who may hold keys)
●​ Cryptographic mechanisms support:
• Identification and authentication (certificates, keyed tokens)
• Authorization and auditing (signed credentials, tamper-evident logs)
• Integrity (MACs and signatures; encryption alone does not detect tampering)
• Privacy / confidentiality (encryption)
• Nonrepudiation (digital signatures; a symmetric MAC cannot provide it, since both parties hold the key)
●​ All of this depends on secure key management: generation, storage, rotation, and revocation of keys
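To make the integrity and key-management points concrete, here is an added example written for these notes (it is not code from the original document). It contrasts a bare SHA-256 checksum, which an attacker who can rewrite the record can simply recompute, with an HMAC under a managed key, and it models the one piece of key management that bites most often: rotating to a new key while records tagged under the old key must still verify. The `KeyStore` class is a hypothetical in-memory stand-in for an HSM or KMS; only Python's standard library is used, so nonrepudiation (which needs asymmetric signatures) is not shown.

```python
import hashlib
import hmac
import secrets


class KeyStore:
    """Hypothetical in-memory key store indexed by key ID (kid). In production the keys
    live in an HSM or cloud KMS; what matters here is the interface: current key for
    protecting, lookup by kid for verifying, old keys retained until re-protection is done."""

    def __init__(self):
        self._keys = {}
        self.current_kid = None

    def rotate(self):
        """Generate a fresh 256-bit key and make it current. Old keys stay available."""
        kid = f"k{len(self._keys) + 1}"
        self._keys[kid] = secrets.token_bytes(32)
        self.current_kid = kid
        return kid

    def get(self, kid):
        return self._keys[kid]  # KeyError for unknown or revoked key IDs


def protect(store, record: bytes):
    """Return (kid, tag): HMAC-SHA256 over the record under the current key."""
    kid = store.current_kid
    tag = hmac.new(store.get(kid), record, hashlib.sha256).digest()
    return kid, tag


def verify(store, record: bytes, kid: str, tag: bytes) -> bool:
    """Recompute the tag under the key the record was protected with."""
    try:
        key = store.get(kid)
    except KeyError:
        return False
    expected = hmac.new(key, record, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)  # constant-time comparison


def verify_unkeyed(record: bytes, stored_hash: bytes) -> bool:
    """A bare checksum: detects accidental corruption, but anyone who can rewrite the
    record can rewrite the hash beside it, so it is not an integrity control."""
    return hashlib.sha256(record).digest() == stored_hash


def demo():
    store = KeyStore()
    store.rotate()
    record = b"payee=ACME;amount=100.00"          # constructed sample record
    tampered = b"payee=MALLORY;amount=100.00"

    kid, tag = protect(store, record)
    results = {
        "hmac_valid": verify(store, record, kid, tag),
        "hmac_detects_tamper": not verify(store, tampered, kid, tag),
        # Attacker replaces the record AND recomputes the unkeyed hash: goes undetected.
        "bare_hash_fooled": verify_unkeyed(tampered, hashlib.sha256(tampered).digest()),
    }
    store.rotate()  # new records will use k2; tags made under k1 must still verify
    results["old_tag_still_verifies"] = verify(store, record, kid, tag)
    results["unknown_kid_rejected"] = verify(store, record, "k99", tag)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The `kid` travelling with every tag is what makes rotation and revocation possible: remove a key from the store and everything tagged under it fails verification at once, which is exactly the behaviour a cryptography policy should require.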

Identity Management
●​ Determines who has access to what in an organization
●​ Requires coordination across departments
●​ Benefits include:
• Regulatory compliance
• Risk reduction
• Cost savings
●​ Automating identity management:
• Reduces password problems
• Improves productivity
• Enforces segregation of duties
Benefits of Automated Identity Management
●​ Faster user access provisioning
●​ Reduced help desk workload
●​ Improved reporting and auditing
●​ Automatic removal of inactive user access
●​ Better accountability and control
●​ Recommended to implement gradually

Incident Management
●​ Security incidents include:
• System failures
• Power loss
• Access violations
• User errors
●​ Incident process:
• Identify and record
• Report
• Prioritize
• Analyze and respond
●​ Significant incidents must be:
• Documented
• Reported to management

SELECTION & TESTING OF CONTROLS

INVOLVEMENT IN AN INFORMATION SECURITY AUDIT


Information Security Audit Overview

An information security audit evaluates the effectiveness of an organization’s security controls over IT systems such as servers, networks, databases, and applications. The goal is to determine whether security controls are properly designed, implemented, and operating effectively.

Audits are performed using:

●​ Manual techniques (interviews, policy reviews, vulnerability scans, access reviews, physical security checks)
●​ Automated techniques using Computer-Assisted Audit Techniques (CAATs) to test controls and analyze data, for example re-performing an access review over the full user population instead of a sample

Scope of Information Security Audits

Key areas reviewed include:

●​ Security administration and governance

●​ Security policies and procedures

●​ Logical and physical access controls

●​ User identification and password management

●​ Privileged access management

●​ Security logging and monitoring

Risks of Weak Security Controls


Inadequate security controls may result in:

●​ Unauthorized access, modification, disclosure, or deletion of data

●​ Ineffective segregation of duties

●​ Undetected security breaches

●​ Application security being bypassed due to weak OS or network security

Common Audit Objectives

Information security audits aim to ensure:

●​ Proper configuration and management of applications, databases, networks, and operating systems

●​ Protection against unauthorized access and system changes

●​ Accuracy, completeness, and validity of information processing and financial data

Key Information Security Controls Reviewed

Auditors typically verify that:

●​ Security administration is separate from IT operations

●​ Formal security policies define roles, responsibilities, and compliance requirements

●​ Access to sensitive IT functions is restricted and properly segregated

●​ Security tools are approved, configured, and monitored by management

●​ Unique user IDs are assigned to all users

●​ Strong password controls are enforced

●​ Default/vendor passwords are removed or disabled

●​ Privileged accounts are limited, logged, and reviewed

●​ Security logs are enabled, monitored, and acted upon

Access Management and Data Protection Controls

To ensure effective security, auditors confirm that:

●​ Security training is provided on policies, data protection, access privileges, incident reporting, and password standards

●​ System owners authorize user access and privileges

●​ User access rights are periodically reviewed


●​ Access is promptly updated for role changes or terminations

●​ Sensitive data transmission is encrypted
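Several of the checks in the two lists above (unique user IDs, default accounts disabled, privileged accounts reviewed, terminated users removed promptly) and the "automatic removal of inactive user access" benefit listed under Identity Management are the same test: walk the whole account population and flag exceptions. The following is an added example for these notes, not a tool from the document: a small CAAT-style review over a constructed account export with hypothetical users, joined with HR status, that returns every exception an auditor would want evidence for.

```python
from datetime import date

# Constructed account export with hypothetical users. The columns mirror what a joined
# IAM + HR extract would contain; none of these people or systems come from the notes.
ACCOUNTS = [
    {"uid": "alice", "enabled": True, "privileged": False, "shared": False, "default_account": False,
     "hr_status": "employed", "last_login": date(2024, 3, 1), "last_review": date(2024, 1, 15)},
    {"uid": "bob", "enabled": True, "privileged": True, "shared": False, "default_account": False,
     "hr_status": "terminated", "last_login": date(2024, 2, 28), "last_review": date(2023, 12, 1)},
    {"uid": "admin", "enabled": True, "privileged": True, "shared": False, "default_account": True,
     "hr_status": None, "last_login": None, "last_review": None},
    {"uid": "ops-shared", "enabled": True, "privileged": False, "shared": True, "default_account": False,
     "hr_status": None, "last_login": date(2024, 2, 20), "last_review": date(2024, 2, 1)},
    {"uid": "eve", "enabled": True, "privileged": False, "shared": False, "default_account": False,
     "hr_status": "employed", "last_login": date(2023, 9, 1), "last_review": date(2024, 2, 1)},
    {"uid": "frank", "enabled": False, "privileged": True, "shared": False, "default_account": False,
     "hr_status": "terminated", "last_login": date(2023, 6, 1), "last_review": None},
]


def review_accounts(accounts, today, inactive_days=90, review_days=90):
    """Re-perform the access review over the full population; return (uid, issue) pairs.
    Each check corresponds to one control the auditor tests. Disabled accounts are out
    of scope because the control objective (no unauthorized access) is already met."""
    findings = []
    for a in accounts:
        if not a["enabled"]:
            continue
        if a["default_account"]:
            findings.append((a["uid"], "default/vendor account still enabled"))
        if a["hr_status"] == "terminated":
            findings.append((a["uid"], "terminated user still has access"))
        if a["shared"]:
            findings.append((a["uid"], "shared account: no unique user ID, no individual accountability"))
        if a["last_login"] is not None and (today - a["last_login"]).days > inactive_days:
            findings.append((a["uid"], f"inactive for more than {inactive_days} days"))
        if a["privileged"] and (a["last_review"] is None
                                or (today - a["last_review"]).days > review_days):
            findings.append((a["uid"], f"privileged account not reviewed in the last {review_days} days"))
    return findings


def findings_by_user(accounts, today):
    """Group exceptions per account so each one can be sent to its owner for disposition."""
    grouped = {}
    for uid, issue in review_accounts(accounts, today):
        grouped.setdefault(uid, []).append(issue)
    return grouped


if __name__ == "__main__":
    for uid, issues in findings_by_user(ACCOUNTS, date(2024, 3, 5)).items():
        print(uid)
        for issue in issues:
            print("  -", issue)
```

Running this on a schedule, and having the owner sign off on each exception, turns a periodic manual review into a continuous control; the same output doubles as audit evidence that the review actually happened.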

Audit Tools and Best Practices

●​ SANS Institute provides practical information security policy templates
●​ ISACA, using COBIT 5, offers audit/assurance programs covering:
○​ Cybersecurity (NIST framework)
○​ Cloud computing, BYOD, data privacy, IT risk, and change management
○​ PCI DSS compliance
○​ SAP ERP audit programs across financial, operational, and control environments
