What is Information Security?
Information security is the practice of protecting information by mitigating information risks. It involves the protection of information systems and the information processed, stored and transmitted by these systems from unauthorized access, use, disclosure, disruption, modification or destruction. This includes the protection of personal information, financial information, and sensitive or confidential information stored in both digital and physical forms. Effective information security requires a comprehensive and multi-disciplinary approach, involving people, processes, and technology.
Information security is not only about securing information from unauthorized access. It is the practice of preventing unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of information. Information can be physical or electronic, and it can be anything: your personal details, your profile on social media, the data on your mobile phone, your biometrics, and so on. Information security therefore spans many research areas, such as cryptography, mobile computing, cyber forensics and online social media.
Why do we use Information Security?
We use information security to protect valuable information assets from a wide range of threats, including theft, espionage, and cybercrime. Information security is necessary to ensure the confidentiality, integrity, and availability of information, whether it is stored digitally or in other forms such as paper documents.
Here are some key reasons why information security is important:
1. Protecting sensitive information: Information security helps protect sensitive information from being accessed, disclosed, or modified by unauthorized individuals. This includes personal information, financial data, and trade secrets, as well as confidential government and military information.
2. Mitigating risk: By implementing information security measures, organizations can mitigate the risks associated with cyber threats and other security incidents. This includes minimizing the risk of data breaches, denial-of-service attacks, and other malicious activities.
3. Compliance with regulations: Many industries and jurisdictions have specific regulations governing the protection of sensitive information. Information security measures help ensure compliance with these regulations, reducing the risk of fines and legal liability.
4. Protecting reputation: Security breaches can damage an organization's reputation and lead to lost business. Effective information security can help protect an organization's reputation by minimizing the risk of security incidents.
5. Ensuring business continuity: Information security helps ensure that
Information security programs are built around 3 objectives, commonly known as CIA: Confidentiality, Integrity, Availability.
1. Confidentiality means that information is not disclosed to unauthorized individuals, entities or processes. For example, suppose I have a password for my Gmail account but someone saw it while I was logging into my Gmail account. In that case my password has been compromised and confidentiality has been breached.
2. Integrity means maintaining the accuracy and completeness of data, so that data cannot be edited in an unauthorized way. For example, if an employee leaves an organisation, then the data for that employee in all departments, such as accounts, should be updated to reflect the status JOB LEFT so that the data is complete and accurate; in addition, only authorized persons should be allowed to edit employee data.
3. Availability means that information must be available when needed. For example, if one needs to access the information of a particular employee to check whether the employee has exceeded the number of leaves, this requires collaboration from different organizational teams like network operations,
Apart from this, there is one more principle that governs information security programs: non-repudiation.
• Non-repudiation means that one party cannot deny receiving a message or a transaction, nor can the other party deny sending a message or a transaction. For example, in cryptography it is sufficient to show that the message matches the digital signature signed with the sender's private key, so that only the sender could have sent the message and nobody else could have altered it in transit. Data integrity and authenticity are prerequisites for non-repudiation.
• Authenticity means verifying that users are who they say they are and that each input arriving at the destination is from a trusted source. If this principle is followed, it guarantees that a valid and genuine message is received from a trusted source through a valid transmission. Taking the example above, the sender sends the message along with a digital signature that was generated from the hash value of the message and the sender's private key. At the receiver side, the digital signature is decrypted using the public key, yielding a hash value, and the message is hashed again to produce a second hash value. If the two values match, it is known as a valid transmission, with an authentic (genuine) message received at the recipient side.
• Accountability means that it should be possible to trace the actions of an entity uniquely to that entity. For example, as we discussed in the Integrity section, not every employee should be allowed to make changes to other employees' data. For this there is a separate department in an organization that is responsible for making such changes; when they receive a request for a change, the letter must be signed by a higher authority (for example the Director of the college), and the person allotted that change will be able to make it only after verifying his biometrics, thus a timestamp with the user (doing
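The hash-then-sign flow described under Non-repudiation and Authenticity, as an added Python example that is not part of the original notes: the sender hashes the message and applies the private key, and the receiver applies the public key and compares the result with a fresh hash of the message. It assumes textbook RSA with constructed toy parameters (two small Mersenne primes, no padding) so that it runs with only the standard library; real deployments use 2048-bit or larger keys with PKCS#1 v1.5 or PSS padding of the digest.

```python
"""Toy hash-then-sign / verify flow (textbook RSA, constructed for illustration)."""
import hashlib

# Constructed key material: two Mersenne primes, far too small to be secure.
# Real keys use 2048-bit moduli and a padded digest (PKCS#1 v1.5 or PSS).
P = (1 << 31) - 1
Q = (1 << 61) - 1
N = P * Q                           # public modulus, known to everyone
E = 65537                           # public exponent, known to everyone
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, known only to the sender


def digest(message: bytes) -> int:
    """Hash the message and reduce it below the modulus (toy; real schemes pad instead)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message: bytes, private_exponent: int = D) -> int:
    """Sender: hash the message and 'encrypt' the hash with the private key."""
    return pow(digest(message), private_exponent, N)


def verify(message: bytes, signature: int, public_exponent: int = E) -> bool:
    """Receiver: 'decrypt' the signature with the public key and compare to a fresh hash."""
    recovered_hash = pow(signature, public_exponent, N)
    return recovered_hash == digest(message)


def demo() -> dict:
    """Walk through the outcomes the notes describe: genuine, altered in transit, no private key."""
    original = b"Transfer 100 units to account 42"   # constructed sample message
    sig = sign(original)
    tampered = b"Transfer 900 units to account 42"   # altered after signing
    # Someone holding only the public key cannot produce a signature that verifies.
    public_only_attempt = pow(digest(tampered), E, N)
    return {
        "genuine": verify(original, sig),
        "altered_in_transit": verify(tampered, sig),
        "no_private_key": verify(tampered, public_only_attempt),
    }


if __name__ == "__main__":
    for label, ok in demo().items():
        print(f"{label}: {'accepted' if ok else 'rejected'}")
```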
Advantages of implementing an information classification system in an organization's information security program:
1. Improved security: By identifying and classifying sensitive information, organizations can better protect their most critical assets from unauthorized access or disclosure.
2. Compliance: Many regulatory and industry standards, such as HIPAA and PCI-DSS, require organizations to implement information classification and data protection measures.
3. Improved efficiency: By clearly identifying and labeling information, employees can quickly and easily determine the appropriate handling and access requirements for different types of data.
4. Better risk management: By understanding the potential impact of a data breach or unauthorized disclosure, organizations can prioritize resources and develop more effective incident response plans.
5. Cost savings: By implementing appropriate security controls for different types of information, organizations can avoid unnecessary spending on security measures that may not be needed for less sensitive data.
6. Improved incident response: By having a clear understanding of the
There are some potential disadvantages to implementing an information classification system in an organization's information security program:
1. Complexity: Developing and maintaining an information classification system can be complex and time-consuming, especially for large organizations with a diverse range of data types.
2. Cost: Implementing and maintaining an information classification system can be costly, especially if it requires new hardware or software.
3. Resistance to change: Some employees may resist the implementation of an information classification system, especially if it requires them to change their usual work habits.
4. Inaccurate classification: Information classification is often done by humans, so it is possible that some information may be misclassified, which can lead to inadequate protection or unnecessary restrictions on access.
5. Lack of flexibility: Information classification systems can be rigid and inflexible, making it difficult to adapt to changing business needs or new types of data.
6. False sense of security: Implementing an information classification system may give organizations a false sense of security, leading them to overlook other important security controls and best practices.
7. Maintenance: Information classification should be reviewed and updated
Uses of Information Security: Information security has many uses, including:
1. Confidentiality: Keeping sensitive information confidential and protected from unauthorized access.
2. Integrity: Maintaining the accuracy and consistency of data, even in the presence of malicious attacks.
3. Availability: Ensuring that authorized users have access to the information they need, when they need it.
4. Compliance: Meeting regulatory and legal requirements, such as those related to data privacy and protection.
5. Risk management: Identifying and mitigating potential security threats to prevent harm to the organization.
6. Disaster recovery: Developing and implementing a plan to quickly recover from data loss or system failures.
7. Authentication: Verifying the identity of users accessing information systems.
8. Encryption: Protecting sensitive information from unauthorized access by encoding it into a secure format.
9. Network security: Protecting computer networks from unauthorized access, theft, and other types of attacks.
10. Physical security: Protecting information systems and the information they store from theft, damage, or destruction by securing the physical facilities that house these
Issues of Information Security: Information security faces many challenges and issues, including:
1. Cyber threats: The increasing sophistication of cyber attacks, including malware, phishing, and ransomware, makes it difficult to protect information systems and the information they store.
2. Human error: People can inadvertently put information at risk through actions such as losing laptops or smartphones, clicking on malicious links, or using weak passwords.
3. Insider threats: Employees with access to sensitive information can pose a risk if they intentionally or unintentionally cause harm to the organization.
4. Legacy systems: Older information systems may not have the security features of newer systems, making them more vulnerable to attack.
5. Complexity: The increasing complexity of information systems and the information they store makes it difficult to secure them effectively.
6. Mobile and IoT devices: The growing number of mobile devices and internet of things (IoT) devices creates new security challenges, as they can be easily lost or stolen and may have weak security controls.
7. Integration with third-party systems: Integrating information systems with third-party systems can introduce new security risks, as the third-party systems may have security vulnerabilities.
8. Data privacy: Protecting personal and sensitive information from unauthorized access, use, or disclosure is becoming increasingly important as data privacy regulations become more strict.