Information Security or IT Security?

Thursday, July 15, 2010

Dejan Kosutic


One would think that these two terms are synonyms - after all, isn't information security all about computers?

Not really. The basic point is this - you might have perfect IT security measures, but a single malicious act by, for instance, the administrator can bring the whole IT system down. This risk has nothing to do with computers; it has to do with people, processes, supervision, etc.

Further, important information might not even be in digital form; it can also be on paper - for instance, an important contract signed with the largest client, personal notes made by the managing director, or printed administrator passwords stored in a safe.

Therefore, I always like to say to my clients - IT security is 50% of information security, because information security also comprises physical security, human resources management, legal protection, organization, processes etc.

The purpose of information security is to build a system which takes into account all possible risks to the security of information (IT-related or not), and to implement comprehensive controls which reduce every kind of unacceptable risk.

This integrated approach to the security of information is best defined in ISO 27001, the leading international standard for information security management. In short, it requires a risk assessment to be done on all of the organization's assets - including hardware, software, documentation, people, suppliers, partners etc. - and applicable controls to be chosen for decreasing those risks.

ISO 27001 offers 133 controls in its Annex A - I have performed a brief analysis of the controls, and the results are the following:

  • IT-related controls: 46%
  • controls related to organization / documentation: 30%
  • physical security controls: 9%
  • legal protection: 6%
  • controls related to relationships with suppliers and buyers: 5%
  • human resources management controls: 4%

What does all this mean in terms of information security / ISO 27001 implementation? This kind of project should not be viewed as an IT project, because if it is, not all parts of the organization are likely to be willing to participate in it.

It should be viewed as an enterprise-wide project, in which relevant people from all business units take part - top management, IT personnel, legal experts, human resource managers, physical security staff, the business side of the organization etc. Without such an approach you will end up working on IT security only, and that will not protect you from the biggest risks.

Yashodhan Sawant Not to forget, ISO 27001 clauses 4 to 8 define the framework for INFORMATION SECURITY. As a result of the Risk Assessment, the organization selects the controls from Annex A. Now the question is whether it chooses from those 46% IT controls or from the rest of the controls. This would define whether it is really 'Information' or 'IT' security.
Dejan Kosutic I agree with you completely - the organization must perform a risk assessment in order to identify which controls are applicable to its risk profile. My point in this article is that it wouldn't make sense to apply IT controls only, because such controls wouldn't mitigate all the risks.
Mark Evertz Dejan,

Great post. I'm always for clarifying terminology to gain greater understanding of complex subject matter. That said, as I read through this a few times, I came up with a question I wanted to pose to you and your readers:

Can the delineation between Information Technology Security and Information Security be as simple as "IT Security protects the physical systems and software that moves data, while Information Security protects the data itself?"

In a recent presentation at a security summit in D.C. I heard a Gartner analyst... can't remember if it was John Pescatore or Andrew Walls... say if you have "Information Security" in your title you should immediately clarify your role -- IT Security is an operational objective while Information Security is a risk-mitigation/data protection exercise and -- from my perspective -- that data is both critical customer or business data AND system configuration data. In the wrong hands, configurations prove to be the gateways to repeatedly access personally identifiable customer data or business intellectual property and therefore information security risk.

Whereas, mitigating that risk would be not only an IT security exercise but likely involve HR, Marcom, and other communication arms within an organization or government to minimize human error.

I'd be interested to know if you or others agree or disagree. Even if I'm off, I'd appreciate the dialogue.

Thanks for the forum and your insight.
Dejan Kosutic I think it's important to distinguish that information security is not the same as IT security because of the everyday problems I see - the security of information is usually pushed towards IT departments while they have neither the authority nor adequate training to protect information throughout the organization.

As for delineation, I'm not sure you could describe it as Mark said (IT security protects the physical systems and software that moves data, while Information Security protects the data itself) - for instance, a typical IT security measure is anti-virus software, which also protects the data itself. I would say that IT security is a subset of information security and it is focused on ICT, while other security measures are focused on physical security, legal protection, human resources etc.
Yashodhan Sawant @Mark,

I would like to draw your attention to the nature of the 'information' the ISMS needs to protect. It can include the data residing in the physical systems and software as well as information created by people (e.g. the MD's diary, discussions held in the board room, telephone conversations with clients and partners, etc.). As per the CIA triad, we also need to consider the availability of information assets. E.g. what if the chairs are broken and the System Administrator cannot sit, and there is a scarcity of chairs in the office on that day? Will he be comfortable working? Maybe Yes! He may choose to work because of the seriousness / urgency of the work, but then there is a high possibility of him making mistakes. And a wrong configuration change can cost a lot. It may seem hypothetical, but this is the way Risk is assessed. And the ISMS is built upon such risks, and it has more risks to consider than just technical (IT-related) risks.

I would like to thank Dejan and you for bringing this up. This is really the need of the hour, to make people realize that IT Security is just one of the components of Information Security.
Mark Evertz Agreed Yashodhan... great topic, and thanks to you Dejan for surfacing the discussion. I really appreciate the dialogue. If there's more, keep it coming.
Stephen Thornber Brand new to this board, so I hope I do not upset anybody.

For me, the whole area under discussion is one that I come across regularly and in many forums.

I would like to propose that, as discussed above, IT Security is but a subset of "Information Governance", which is in and of itself a subset of Corporate Governance.

Starting at the top, "Governance" is about holistically managing the business, ensuring that everybody is working to the same goal, that of producing wealth for the owners / shareholders, stakeholders (including the employees) etc.

The Board or senior management team lay down a set of goals, instructions or directives; one directive says 'look after the information (Data) that we hold, obtain, record, use, share (HORUS)' [p.s. I have used this term many times but it is not mine].

We now have a remit to look after information/data - this then is "Information Governance" (IG), and IG is about a combination of technical and non-technical controls to mitigate perceived risk. I will address Risk shortly.

Technical controls will include firewalls, anti-virus, intrusion detection and prevention systems and many more, and the non-technical controls include training for physical security staff, awareness training for all staff, and policy that directs staff and visitors to the organisation in the proper care of information / data, such as a clear desk policy that reminds us to tidy away confidential matter when it is not in use, or a personnel policy that tells us to ensure we are wearing our identity at all times.

The reliance on large RISK ANALYSIS in information security is coming under review in a number of areas. Of course risk assessment is important, but really we know the risks off the top of our heads; do we really need a long-winded documented approach to state the obvious - things might happen that will compromise our information, and if that information is compromised we could at the least get a telling off from somebody and at the worst we could kill somebody or go out of business.

So start doing the obvious quick wins, whether you are a large or small organisation.

Educate staff, family, customers, friends etc. in the dangers to the data.

Put in ALL of the - 'relevant' - controls, technical and non-technical, that are recommended in ISO2700n, CoBIT, SoGP, PCI and anywhere else that you can get ideas from.

Make sure that the controls you put in place are understood and that they are in place for valid reasons that suit the business (or for that matter your home life).

Make the controls cost effective - if you have only limited resources (money and people), sort the controls based on some idea of the most important to you; your websites might be the most important, so firewall, AV and protect those before you protect the back office elements.

Make sure that you are able to continually resource your controls; if you have licensed applications then you will incur year on year costs, so do not forget to include that in the budget.

And if you can, ensure documentation is maintained along the way; it really does help in the long run. Auditors like it because it helps to give evidence that you are doing what you say you are doing.

And finally, for now anyway, continually review your processes to ensure they are fit for purpose and fit for YOUR organisation.

Dejan Kosutic Stephen, thank you for your valuable comment - I agree with you that Information Governance (or Information Security Governance) is a subset of Corporate Governance. Just as confirmation of what you are saying, I know of one example where a financial investor took over a private company and found out that its corporate governance was not at a satisfactory level - as part of their effort to implement proper corporate governance they implemented ISO 27001 as well.
Dejan Kosutic I just remembered examples where regulations prescribe Information Security Governance as a subset of Corporate Governance:
- SoX Section 404 - it basically says that all publicly-traded organizations must demonstrate due diligence in the disclosure of financial information, and must also implement internal controls and procedures to communicate, store and protect that data
- Basel II - among other things, it says that banks must manage their operational risk, which means they have to protect their information systems from breaking down or from being corrupted