Think about all the content your company needs and produces to go about its business. From budget spreadsheets to employee contracts, product brainstorming sessions to buyer personas, your business runs on information. Now, consider what would happen if some of that content fell into the wrong hands. Competitors could get an edge on you, hackers could access private customer data, and your company's financials could be put at risk.
Information security, or infosec, is a set of methods and processes that protect your company's information from unauthorized use, access, modification, misuse, disruption, or destruction. The data or content that information security protects can be electronic, like data stored in the content cloud, or physical, like printed files and contracts.
Information security vs. cybersecurity
You might hear people use cybersecurity and infosec interchangeably, but the two are not the same. One way to describe the difference between information security and cybersecurity is that infosec is a component of cybersecurity. Cybersecurity refers to a broader process or methodology of protecting information technology assets, not just content or information, from third-party attacks. Let's take a closer look at the basics of each.
Basics of cybersecurity
Cybersecurity is considerably broader than information security. It refers to methodologies and processes an organization might put into place to protect programs, servers, and networks from unauthorized access, misuse, or other types of threats. Cybersecurity may also be called information technology (IT) security. Infosec is primarily concerned with protecting data and content, whereas cybersecurity aims to protect devices and networks as well.
Several categories of cybersecurity exist, including:
- Application security: Protects devices and software programs from threats — examples include designing software programs with security features such as encryption and issuing patches to repair vulnerabilities as they appear
- Information security: Protects data whether it is being stored or transmitted
- Network security: Keeps intruders — in the form of malware or hackers who are specifically targeting the network — from gaining access to a company's computer network
- Operational security: Includes assigning users permissions and passwords to grant access to certain content types or the computer network itself
- Disaster recovery: A cybersecurity component that lays out what to do if an organization experiences an attack, has its business disrupted, or loses access to data
Examples of threats that cybersecurity measures can protect against include:
- Phishing scams: When a seemingly legitimate email or message tries to convince people to reveal personal information
- Malware: Viruses, trojans, or other computer programs that damage a device or give unauthorized access to specific computer programs or data
- Ransomware: A hacker who successfully installs ransomware on a device can lock the device and prevent the user from accessing files or programs until the device owner pays a ransom; in many cases, paying the ransom doesn't make the malicious software go away
Basics of information security
The basic components of information security involve protecting data from unauthorized use or access and ensuring information remains compliant with regulations, such as the European Union's General Data Protection Regulation (GDPR). The GDPR is one of the strictest security and privacy regulations in the world. It’s meant to protect citizens of the E.U., but any organization worldwide needs to adhere to the regulation if it collects data from E.U. citizens.
Information security principles
There are three basic principles of infosec: confidentiality, availability, and integrity. The goal of an infosec policy is to achieve at least one of them. Together, the principles make up the "CIA" triad. Let's take a closer look at each of the three.
One of the first things that may come to mind when thinking about protecting your company's content is how to keep the data and information it contains confidential. Whether you're managing employee contracts or customer information, you need to ensure it's shielded from unauthorized users or views. The goal of the confidentiality branch of the CIA triad is keeping data private. This means only those who have the appropriate permissions can view specific forms of content.
Several tools are available to ensure a company can keep its data confidential. Those tools include:
- Password protection: Strong, difficult-to-guess passwords can ensure that only those with permission to view certain types of data get access to it
- Encryption: Encryption protects data being sent from one location to another, such as over email, or data in the cloud, by transforming the content into ciphertext that looks like a meaningless stream of characters and can only be deciphered with the right key
- Two-factor authentication: Two-factor authentication (2FA) adds another layer of identification and verification to the sign-on process by asking a user to verify their identity by supplying a second piece of information instead of just a username and password — for example, a four-digit code sent via text message or the answer to a secret question
- Penetration testing: By imitating the tactics hackers would use when trying to access confidential data, a penetration test lets a company see where it can improve the privacy of its content
Integrity refers to the condition of the data or content. It's critical that unauthorized users not be able to modify your company's content. A hacker shouldn't change the amount of an ingredient called for in a particular recipe, for example, potentially turning a beverage into a dangerous poison. Hackers should also not be able to adjust contracts to increase or reduce the salaries of employees.
It's also vital that the integrity of your company's data be protected from individuals within your organization who might not have the best intentions. A jealous co-worker shouldn't be able to access a colleague's personal file and change their hours reported or add write-ups or fabricated disciplinary actions to their history.
The tools you'd use to ensure the confidentiality of your content, such as encryption and password protection, also help ensure its integrity. There are measures beyond this that you can take to reverse any potential damage that does occur. If an individual gains unauthorized access to a recipe or spreadsheet and changes the information, a feature that lets you restore previous versions of the content can undo the damage and restore its integrity.
The availability principle ensures that eligible users and individuals can access your content. Availability means that people who need to download or open a piece of content can do so when needed. The principle also ensures that access to a particular piece of content is quick and immediate. This prevents authorized users from being left waiting to open a file or having to go through a lengthy process to access the content they need.
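As an added example that is not part of the original post, here is a small content store in Go that enforces the three principles just described: read and write permissions for confidentiality, a kept version history with restore for integrity, and an audit trail of every attempt so that refused access can be reviewed. The store, its users, the permission model and the sample document are all constructed for this illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Small content store illustrating the CIA triad. Added example, not code from
// the original post; the users, document and permission model are constructed.

// ErrDenied is returned whenever a user lacks permission for an action.
var ErrDenied = errors.New("access denied")

// ContentStore keeps every version of each document, a permission level
// ("read" or "write") per user and document, and an audit trail of attempts.
type ContentStore struct {
	versions map[string][]string // doc -> all versions, newest last
	perms    map[string]string   // "user|doc" -> "read" | "write"
	Audit    []string            // one line per attempt, allowed or denied
}

func NewContentStore() *ContentStore {
	return &ContentStore{versions: map[string][]string{}, perms: map[string]string{}}
}

// Add creates a document with its first version (administrative setup).
func (s *ContentStore) Add(doc, content string) { s.versions[doc] = []string{content} }

// Grant gives a user "read" or "write" permission on one document.
func (s *ContentStore) Grant(user, doc, level string) { s.perms[user+"|"+doc] = level }

// check is the single decision point: "read" guards confidentiality, any
// other action guards integrity and needs "write" (which implies read).
// Every attempt, allowed or not, is appended to the audit trail.
func (s *ContentStore) check(user, doc, action string) error {
	level := s.perms[user+"|"+doc]
	ok := level == "write" || (action == "read" && level == "read")
	verdict := "allowed"
	if !ok {
		verdict = "denied"
	}
	s.Audit = append(s.Audit, fmt.Sprintf("%s %s %s %s", verdict, user, action, doc))
	if !ok {
		return ErrDenied
	}
	return nil
}

// Read returns the current version if the user may see it (confidentiality).
func (s *ContentStore) Read(user, doc string) (string, error) {
	if err := s.check(user, doc, "read"); err != nil {
		return "", err
	}
	v := s.versions[doc]
	if len(v) == 0 {
		return "", fmt.Errorf("no such document %q", doc)
	}
	return v[len(v)-1], nil
}

// Write appends a new version rather than overwriting, so history survives.
func (s *ContentStore) Write(user, doc, content string) error {
	if err := s.check(user, doc, "write"); err != nil {
		return err
	}
	s.versions[doc] = append(s.versions[doc], content)
	return nil
}

// Restore makes an earlier version current by re-appending it; the unwanted
// version stays in history as evidence of what was changed.
func (s *ContentStore) Restore(user, doc string, version int) error {
	if err := s.check(user, doc, "restore"); err != nil {
		return err
	}
	v := s.versions[doc]
	if version < 0 || version >= len(v) {
		return fmt.Errorf("no version %d of %q", version, doc)
	}
	s.versions[doc] = append(v, v[version])
	return nil
}

// Denied lists the refused attempts from the audit trail (a first detective check).
func (s *ContentStore) Denied() []string {
	var out []string
	for _, e := range s.Audit {
		if strings.HasPrefix(e, "denied ") {
			out = append(out, e)
		}
	}
	return out
}

func main() {
	s := NewContentStore()
	s.Add("recipe.txt", "sugar: 10 g") // constructed sample document
	s.Grant("alice", "recipe.txt", "write")
	s.Grant("bob", "recipe.txt", "read")
	_ = s.Write("alice", "recipe.txt", "sugar: 100 g") // kept as version 1
	_ = s.Write("bob", "recipe.txt", "salt: 1 kg")     // refused, but recorded
	_ = s.Restore("alice", "recipe.txt", 0)            // undo the change
	cur, _ := s.Read("bob", "recipe.txt")
	fmt.Printf("current: %q\ndenied: %v\n", cur, s.Denied())
}
```

Two design points worth noticing: writes never overwrite, so a tampered recipe can be rolled back without losing the evidence of the tampering, and the audit trail records denied attempts as well as allowed ones, which is what a later detective control would consume.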
Types of infosec
Different types of information security focus on different areas where data or content might be vulnerable to attack or unauthorized access. Some areas of focus include:
Application security aims to protect software and hardware. This security often focuses on preventing code or data from getting stolen from inside the app, software platform, or hardware. An example of this type of infosec might be a router that masks a computer's IP address or a software program that requires user authentication and authorization. Another example of application security is logging: taking note of who has accessed which piece of content and when.
While some infosec types focus on preventing breaches, incident response focuses on understanding what happened and making a plan for prevention in the future. A key part of incident response is minimizing damage and reducing the cost to the organization. Incident response can also help an organization discover who was behind the attack and press charges or present evidence to law enforcement.
You want to protect your company's data while it’s at rest and when it’s in transit, such as being emailed to another user or being downloaded onto a device. Encryption protects the integrity and the confidentiality of your content's data. Cryptography is the process of encrypting content. If an unauthorized user accesses an encrypted file and doesn't have the right decryption key, the content will look meaningless to them. Another component of cryptography is a digital signature, which verifies the content's source and confirms that it is what it claims to be.
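An added example (not the post's own code) of both cryptographic components the paragraph describes, using only the Go standard library: AES-256-GCM encryption, under which the stored file is meaningless without the key and any modified ciphertext is rejected instead of silently decrypting to garbage, and an Ed25519 digital signature that verifies the content's source and that it is unchanged. The function names and the sample contract line are constructed for this illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Added example of encryption (confidentiality) and digital signatures
// (source and integrity). Not code from the original post; names and the
// sample document are constructed.

// ErrBadCiphertext covers both a wrong key and a modified ciphertext; GCM
// cannot tell them apart, and a caller should treat both as a failure.
var ErrBadCiphertext = errors.New("ciphertext rejected: wrong key or modified data")

// NewKey returns a random 256-bit AES key.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

// Encrypt seals plaintext with AES-256-GCM. The random nonce is prepended so
// the output is self-contained; GCM also authenticates, so any bit changed in
// the stored copy is detected when it is decrypted.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt. Without the right key the data stays meaningless,
// and a tampered ciphertext is rejected rather than returned corrupted.
func Decrypt(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, ErrBadCiphertext
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	pt, err := aead.Open(nil, nonce, ct, nil)
	if err != nil {
		return nil, ErrBadCiphertext
	}
	return pt, nil
}

// Sign produces an Ed25519 signature over the document with the author's private key.
func Sign(priv ed25519.PrivateKey, doc []byte) []byte {
	return ed25519.Sign(priv, doc)
}

// Verify checks that the document came from the holder of pub and is unchanged.
func Verify(pub ed25519.PublicKey, doc, sig []byte) bool {
	return ed25519.Verify(pub, doc, sig)
}

func main() {
	key, _ := NewKey()
	contract := []byte("salary: 50000") // constructed sample content
	sealed, _ := Encrypt(key, contract)
	fmt.Printf("stored form: %x\n", sealed)
	sealed[len(sealed)-1] ^= 1 // one flipped bit in the stored copy
	_, err := Decrypt(key, sealed)
	fmt.Println("modified copy rejected:", err != nil)

	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	sig := Sign(priv, contract)
	fmt.Println("signature valid:", Verify(pub, contract, sig))
	fmt.Println("still valid after an edit:", Verify(pub, []byte("salary: 90000"), sig))
}
```

Note that the encryption key and the signing key are different objects with different jobs: the AES key keeps the content private, while the signature lets anyone holding the public key confirm who produced the document and that the salary figure was not altered.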
Many organizations store their content and data in the cloud, allowing them to access their content from any internet-connected device. The cloud needs protection just like software and hardware do in order to ensure the integrity and confidentiality of the content stored on it. This also ensures that authorized users have ready access to their data.
Another type of infosec manages and minimizes potential vulnerabilities. These vulnerabilities may include software updates that might introduce a new weak spot or out-of-date applications that could potentially lead to a breach or break-in.
Information security policy
How do you ensure you’re covering the three principles of infosec and all of the types of infosec? One way to make information security work for your company is to create a policy that outlines the process and procedures you'll use to keep your content secure. Your company's information security policy should be a living document updated regularly as regulations change, technology evolves, and threats develop. Some of the key features to include in your security policy include:
Purpose and objectives
The policy should describe its purpose, such as protecting your customers or maintaining your company's reputation. It should also outline objectives or goals, which should be in line with the CIA triad's principles. For example, the policy's objectives can be to preserve the confidentiality of your data, protect its integrity, and ensure access to all authorized users.
Audience
Identify who the policy is meant for and who it isn't meant for. The intended audience might be all employees who access the Box Content Cloud. Excluded audience members might be independent contractors who don't have access to the cloud or employees who work in a department that has a separate policy.
Acceptable use policy
The acceptable use policy outlines how your employees can use company content. It should explain where and when they can download files and what they must do to protect those files' confidentiality. The acceptable use policy can also include a password policy that describes how to create strong passwords, or the type of passwords employees need to set to protect your company's content.
Data support plan
The policy needs to include a plan for data support and operations so anyone with access can always get the data or content they need. The plan can describe how data is transferred, what types of protection are in place to secure the data, such as encryption, and what practices your company uses to back up or restore data when necessary.
Data classification
Your business will likely have different content types, from documents that the public can view to top-secret company policies and procedures. A data classification system should be part of your infosec policy to allow you to rank data as needed, determining who can access it and how they can gain access.
Roles and responsibilities definition
The security policy should outline who is responsible for what when it comes to your content. That includes determining which employees are responsible for incident response and who is responsible for ensuring data is protected and kept confidential when needed.
Information security measures
Infosec measures are the processes and procedures your company uses to ensure the security of your data. They can take multiple forms, such as:
- Access measures: Allow you to control physical access to your data by restricting who can enter certain areas of your building and also include controls on who can access content in the cloud
- Procedural measures: Include educating your employees on best practices regarding information security, such as how to set strong passwords and how to put an incident response plan into place
- Technical measures: Include passwords, encryption, firewalls, and other software or hardware applications that protect your content
- Compliance measures: Might not be created by your organization, and are more likely regulations and rules you need to follow, such as GDPR or ISO 27001
The measures you put in place protect your information in three ways. They might be designed to prevent a data breach. Preventative measures include passwords, encryption, and physical barriers to content in print form. The measures might also be detective, meaning they spot a breach or hack while it's in process and alert the appropriate personnel. Your security measures might also be corrective, meaning you put them into practice after a breach occurs. An incident response plan is an example of corrective action, as it gives you the chance to reflect on what happened and make a plan to prevent a recurrence.
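The following is an added example of a detective measure, not code from the original post: it parses a constructed access-log format (time, user, action, document, result) and raises an alert when one user is refused repeatedly inside a short window, the kind of signal that would be forwarded to the appropriate personnel. The log format, the sample lines, the threshold of three denials and the five-minute window are all assumptions made for this illustration.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Added example of a detective measure over access-log lines. Not code from
// the original post; the log format and sample lines are constructed.

// Event is one parsed access-log line.
type Event struct {
	When   time.Time
	User   string
	Action string
	Doc    string
	Denied bool
}

// SampleLog is a constructed log, in time order, as a content system might
// record it. The last line is deliberately malformed.
var SampleLog = []string{
	"2024-05-01T09:00:00Z user=alice action=read doc=budget.xlsx result=allowed",
	"2024-05-01T09:00:05Z user=bob action=read doc=payroll.xlsx result=denied",
	"2024-05-01T09:01:10Z user=bob action=write doc=payroll.xlsx result=denied",
	"2024-05-01T09:02:30Z user=bob action=read doc=contracts/ceo.pdf result=denied",
	"2024-05-01T09:03:00Z user=carol action=read doc=payroll.xlsx result=denied",
	"2024-05-01T09:20:00Z user=carol action=read doc=payroll.xlsx result=denied",
	"2024-05-01T09:45:00Z user=carol action=read doc=payroll.xlsx result=denied",
	"garbage line that should not crash the detector",
}

// ParseLine parses "<RFC3339 time> user=<u> action=<a> doc=<d> result=<allowed|denied>".
func ParseLine(line string) (Event, error) {
	fields := strings.Fields(line)
	if len(fields) != 5 {
		return Event{}, fmt.Errorf("malformed line: %q", line)
	}
	when, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return Event{}, err
	}
	ev := Event{When: when}
	for _, f := range fields[1:] {
		k, v, ok := strings.Cut(f, "=")
		if !ok {
			return Event{}, fmt.Errorf("bad field %q", f)
		}
		switch k {
		case "user":
			ev.User = v
		case "action":
			ev.Action = v
		case "doc":
			ev.Doc = v
		case "result":
			ev.Denied = v == "denied"
		default:
			return Event{}, fmt.Errorf("unknown field %q", k)
		}
	}
	return ev, nil
}

// DetectRepeatedDenials returns one alert per user whose denied attempts reach
// threshold within window (lines are assumed to be in time order). Malformed
// lines are skipped but counted: a log that cannot be parsed is itself worth noticing.
func DetectRepeatedDenials(lines []string, threshold int, window time.Duration) (alerts []string, skipped int) {
	denials := map[string][]time.Time{} // user -> recent denial times
	alerted := map[string]bool{}
	for _, line := range lines {
		ev, err := ParseLine(line)
		if err != nil {
			skipped++
			continue
		}
		if !ev.Denied || alerted[ev.User] {
			continue
		}
		ts := append(denials[ev.User], ev.When)
		for len(ts) > 0 && ev.When.Sub(ts[0]) > window { // forget denials outside the window
			ts = ts[1:]
		}
		denials[ev.User] = ts
		if len(ts) >= threshold {
			alerts = append(alerts, fmt.Sprintf("%s: %d denied attempts within %s (last: %s %s)",
				ev.User, len(ts), window, ev.Action, ev.Doc))
			alerted[ev.User] = true
		}
	}
	return alerts, skipped
}

func main() {
	alerts, skipped := DetectRepeatedDenials(SampleLog, 3, 5*time.Minute)
	for _, a := range alerts {
		fmt.Println("ALERT", a)
	}
	fmt.Println("unparseable lines:", skipped)
}
```

On the sample log, bob triggers an alert (three refusals in under three minutes) while carol, whose refusals are spread over 45 minutes, does not; the sliding window is what separates a burst from occasional mistakes. The matching corrective step is the review of the alert afterwards, which the detector deliberately leaves to people.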
Information security certifications
There are a lot of roles in information security. The chief information security officer (CISO) is typically the person at a company responsible for overseeing all aspects of the infosec program. The CISO can be a standalone position, or the responsibilities of the role can be folded into the role of a chief security officer or vice president of security.
The path a person takes to become a CISO, VP of security, or CSO can vary. Several certification programs exist to train people and prepare them for roles in infosec. Which certifications your company looks for when hiring depends on the functions you envision for your infosec team and the type of vendors you work with.
Available certifications include:
Certified Ethical Hacker (CEH)
The EC-Council offers the CEH certification program. To earn the certificate, a person needs to attend training programs offered by EC-Council or its affiliates. They also need to have several years of experience in information security. The focus of the certification program is on preventing penetration attacks.
Certified Information Systems Security Professional (CISSP)
A person with a CISSP has proven they have the ability to design, manage, and implement a cybersecurity program. The certification isn't exclusive to infosec, but covers all aspects of cybersecurity.
Certified Information Systems Auditor (CISA)
After years of infosec experience, a person can apply to become a CISA, a certification program offered by ISACA. People usually earn the certification after passing rigorous tests and completing the application process. A CISA needs to comply with auditing standards and complete continuing education requirements to maintain their certification.
GIAC Security Essentials
Someone who earns the GIAC Security Essentials certification has demonstrated that they have the knowledge and skills required to complete hands-on information security tasks. This is an entry-level certificate designed for people who are relatively new to the field but who have some experience with infosec concepts and procedures.
Certified Information Security Manager (CISM)
ISACA also offers a CISM program designed for mid-career infosec professionals interested in moving into senior-level positions. The certification allows a person to demonstrate knowledge and expertise in risk management, incident management, information security governance, and program management and development.
Systems Security Certified Practitioner (SSCP)
Becoming an SSCP lets a person demonstrate they understand best practices and can administer, manage, and implement IT infrastructure.
How Box protects your organization's content
Your company's content has to flow freely without getting intercepted by the wrong people. You need a way to protect the integrity of your content, ensuring it hasn't been tampered with. And your content has to be available to your teams when and where they need it.
The Content Cloud is our secure platform that empowers you to observe the CIA triad, keeping your content confidential and available while maintaining its integrity. Every piece of content you upload to the Content Cloud is encrypted, and you have the option of setting user controls and authentication to align with user roles and responsibilities. Our security and compliance features also help you remain in compliance with regulations such as GDPR, ITAR/EAR, FINRA, and HIPAA.
Box Shield offers additional security features such as automated classification, Smart Access policies, and malware detection, as well as detection of both internal and external threats, to further protect your content’s integrity and ensure only authorized users have access. Box Shield also integrates with many security tools to enhance your company's security portfolio.
To learn more about Box and how we provide a best-in-class experience, get in touch with us today.
**While we maintain our steadfast commitment to offering products and services with best-in-class privacy, security, and compliance, the information provided in this blog post is not intended to constitute legal advice. We strongly encourage prospective and current customers to perform their own due diligence when assessing compliance with applicable laws.