Overview of Areas of Security


Contents

  1. Introduction
  2. Physical Security
  3. Personnel Security
  4. Information Security and Cybersecurity
     4.1. Information Security
     4.2. Cybersecurity
  5. Information Security and Cybersecurity: Differences and Common Ground

1.       Introduction

Security is a broad subject which can be quite daunting. We have, therefore, provided a simple view of the main areas of security below. These are:

  • Physical Security
  • Personnel Security
  • Information Security and Cybersecurity
    • Information Security
    • Cybersecurity
  • Information Security and Cybersecurity: Differences and Common Ground
  • Information Security Risk Management
  • POPIA and Security Safeguards

2.       Physical Security

Physical security is the protection of personnel, hardware, programs, networks, and data from physical situations and events that can cause severe loss or harm to an enterprise, department, or organization. This includes protection from fire, natural disasters, robbery, theft, destruction, and terrorism.

https://www.tutorialspoint.com/

3.       Personnel Security

Personnel security is a system of policies and procedures which aim to manage and minimise the risk of people exploiting legitimate access to an organisation’s assets or premises for unauthorised purposes. These purposes can encompass many forms of criminal activity, from minor theft through to terrorism.

To achieve this, consider the ‘people risks’ within your organisation by conducting a personnel risk assessment. Consider the implementation of thorough pre-employment screening methods. This will help your organisation to employ only suitably qualified and reliable individuals. Once employed, manage them professionally to minimise the chances of staff becoming disgruntled. Finally, create a strong security culture, detect suspicious behaviour, and resolve security concerns once they become apparent.

https://www.gov.uk/

4.       Information Security and Cybersecurity

Information security and cybersecurity are often regarded as being the same thing. While there is an overlap, each has its own distinct characteristics. These are described below.

4.1.  Information Security

Information security is the protection of organisations’ or individuals’ information, including personal information, business records, or intellectual property, by means of preventing any form of unauthorized access.

Information security is the foundation of data security. It is the first element to be considered by any organization that aims to develop a security program. Consequently, adopting a security framework or achieving certification with a standard such as ISO/IEC 27001 Information Security enables organisations to implement practical, effective security measures and to demonstrate compliance with the Security Safeguards required for POPIA. It will also reduce risk to personal information.

An essential element of any information security program is the governance structure, i.e. a framework that ensures that the security strategies are aligned with organisational goals. Governance structure includes defining the organisational roles and responsibilities of every person in an organization. This aligns organizational goals with information security goals and facilitates teamwork.

  • Information Security: Examples
    • Procedural controls: Their main objective is to prevent, detect, or minimize security risks with regard to physical assets.
    • Access controls: Their function is to verify access to information or a network. Hence, these controls are used to establish restrictions on physical access to building entrances and virtual access.
    • Technical controls: Their role is to provide automated protection to applications or information technology in general.
    • Compliance controls: Their role is to ensure compliance with privacy laws and cybersecurity standards that enforce information security requirements to minimize security threats.
  • CIA Triad

The CIA framework helps implement security controls and policies and outline the objectives of the organization’s security program.

This model comprises three elements:

  • Confidentiality ensures that sensitive information is inaccessible to unauthorized people.
  • Integrity ensures ongoing maintenance with regard to the consistency, accuracy, and reliability of data throughout its lifecycle.
  • Availability ensures that authorized individuals are able to access the information when needed. In addition, it ensures that the software and hardware are maintained as appropriate.

The CIA triad helps build a set of security controls to protect important information and create a culture of compliance.

4.2. Cybersecurity

Cybersecurity is the protection of digital information and equipment, including computers, servers, mobile devices, electronic systems, networks, and data, from malicious attacks. This can be done by implementing different processes, technologies, and practices.

Cybersecurity attacks are divided into three categories: cybercrime (targeting financial gain), cyberattacks (mostly political attacks), and cyberterrorism. According to Cybersecurity Ventures, the global spending on cybersecurity will reach $1 trillion in the period between 2017 and 2021.

Cyberattacks can target an organization, or even certain employees, especially employees that may not be able to detect or handle cyberattacks. Hence, the organization’s top management must build a culture of security awareness within the organization. This is done through training and awareness sessions, such as ISO/IEC 27032 Cybersecurity training. Such training courses help individuals understand the processes that are vulnerable to cyberattacks and ensure that sensitive information within the organization is safe.

  • Cybersecurity: Examples
    • Network security is used to secure networks against misuse, interference, unauthorized access, or other disruptions.
    • Application security is the way that organizations detect, fix, and enhance the security of applications to protect data.
    • Cloud security is used to protect the cloud-based infrastructure and systems through developing policies and procedures and implementing protective controls and technologies.
    • Critical infrastructure includes tools used to provide security services, including virus scanners, intrusion prevention systems, anti-malware software, amongst others.

5.       Information Security and Cybersecurity: Differences and Common Ground

Cybersecurity is the protection of electronic assets, including, but not limited to, electronic information. Elements that fall under the protection of cybersecurity include servers, databases, endpoints, and networks. In simple words, cybersecurity deals with cybercrime, law enforcement, and cyber fraud. Information security, on the other hand, is the protection of information in any format or type of content. It aims to protect information from unauthorized access, disclosure, modification, or disruption.

The most important common characteristic of cybersecurity and information security is the protection of information.

Information security focuses mainly on protecting the CIA (confidentiality, integrity, and availability) of information. In cybersecurity, the primary concern is protecting against unauthorized access. In both cases, it is highly important to understand the level of damage that unauthorized access can cause to an organization. For both fields, security frameworks with proper controls are essential in ensuring appropriate levels of security.

While cybersecurity and information security may have separate teams responsible for each, such teams must coordinate in developing a common data protection framework. Information security teams should prioritize the data that will be protected, while the cybersecurity team can develop the protocol for data protection.

For more information about the security areas outlined above, please browse the Security Safeguards section.

 

 

 
