What is Information Security?

What is Information?

At the University information is all around us. The majority of colleagues around the University rely on information and the systems that process information to undertake their daily activities whether this is teaching, research or operationally.

Information can be stored in a range of different formats from paper to electronic. As information supports the key aspects of what we do as a University it has huge value and is therefore an organisational asset just like our people and the tangible things that we can see and touch.

Information assets therefore need to be protected so that we can continue to obtain value from them. Take a moment to think about how information affects you in your role; what would a typical day look like if the information wasn’t available as expected? In addition to the things that specifically relate to your role did you think about all of the critical systems that seem ancillary such as timetabling, door access, audio visual equipment, payroll systems, printing, building management systems, student records, library catalogues or canvas?

Some types of information are particularly sensitive for a whole range of reasons such as any information which identifies an individual (such as students, staff or research participants), intellectual property (such as a new design or invention) or information that helps protect the health and safety of our environment. In addition to protecting the value of the information to the University, for certain classes of information there are regulatory (i.e. legal) requirements on how we protect information and there may also be contractual requirements (for example from a research partner or supplier).

Information Security is the approach taken to ensure that valuable information assets are appropriately protected. The purpose of information security is to ensure that information is protected appropriately in accordance with the levels identified as necessary by the University, it is not intended as a barrier to prevent things from happening but rather to find a safe way to meet the needs of the University.

The three key properties of information that we need to protect are Confidentiality, Integrity and Availability although there are others! These are sometimes referred to as the CIA triad. Browse through the sections below to learn more about each of these properties…

Confidentiality

Confidentiality is the property that most people readily understand. It involves making sure that only those authorised by the organisation to access information can do so. It’s important to note that unauthorised parties could be within the organisation such as an employee who is not authorised to access particular information. More formally, Confidentiality, can be defined as "the property, that information is not made available or disclosed to unauthorized individuals, entities, or processes."

Integrity

Integrity is about assuring the accuracy and completeness of information, essentially this means that information should not be modified in an unauthorised manner. This would include accidental modification by an authorised person, malicious modification by an authorised person or modification by an unauthorised person, process or system whether internal or external to the organisation. Integrity protects the reliability of our information. Some examples that might highlight the importance of Integrity in our environment are the accuracy of our student records (including exam results and degree awards) or the accuracy of research findings if the underlying data had been modified.

Availability

The Availability property of information is about ensuing that the information is available in the correct format, in the correct place, at the right time (or rather when it is needed). To help put Availability into perspective, consider medical records required during emergency treatment, if a hospital has recorded accurately (Integrity) that a patient is allergic to a particular medicine and that the emergency staff are authorised to access the records (Confidentiality) then if the system holding the information isn’t available when needed then a fatal decision could be made. To help clarify, an example of an Availability attack is Ransomware, this is where an unauthorised party is able to encrypt, or scramble, the information in a system so that authorised users cannot access it when needed, until a ransom is paid and the information is then decrypted (or unscrambled). Another example would be where an information system is deliberately targeted by an unauthorised party who sends very large volumes of genuine requests to the system so that it becomes overwhelmed and is unable to process the requests of authorised parties (this is called a Denial of Service or DoS attack).

To ensure that information retains its value to the University we have to consider the key areas identified above throughout the entire information lifecycle irrespective of the format in which it exists. This includes when we acquire, store, process, transmit, share, archive and dispose of information. Any of the CIA properties can be affected either maliciously or accidentally, and by an authorised or an unauthorised party whether internal or external to the organisation.

What is Cyber Security?

While Information Security covers information in any format, Cyber Security is the general term that deals specifically with electronic information and networks. At the University we use the terms Information Security and Cyber Security interchangeably or in combination as Cyber and Information Security to refer to all aspects of data and information security whatever the format or threats.

How do we protect information?

Information assets are protected by controls. Controls can be defined at any level within an organisation however there is usually a hierarchy of controls to ensure that needs of the entire organisation are met. Control types are usually grouped into people, process or technology controls. Expand the sections below to find out more about each control group category….

People

Controls centred around people, involve ensuring those authorised to access information have the appropriate training and knowledge to understand their roles and responsibilities, in relation to the information. It also involves ensuring there are suitability qualified and experienced people within the organisation to effectively protect information. As an example, a member of staff with access to personal information about others should know not to transmit that information via email. People controls aim to ensure that everyone in an organisation is responsible for protecting information.

Process

Processes are the rules put in place by an organisation that clearly outline the expected conduct of individuals or how tasks are to be completed. For example, a process for handling personal information may explicitly state that information is not to be send via email and/or state the way in which it may be sent. Or an overall policy document may state that personal information is never to be sent via email.

Technology

Technology or technical controls are typically safeguards built into a system, for example a lock on a door aims to prevent access even if the individual knows that they should not access that room (People control) and the organisation policy prohibits that person from entering the room (Process control). A further example, to follow on from the other examples of sending personal information via email, would be if the email system refused to send an email if personal information was included.

These are sometimes called the three pillars of information security and the various controls work in combination. Controls can be designed with the intent to prevent, detect, respond, recover or any combination of these.

The overall approach taken to cyber and information security within an organisation, including the controls in place, form what is typically referred to as an Information Security Management System (ISMS). Controls work in combination to provide the required level of protection. How is the ‘required level’ defined? Quite simply this depends on the information in question, the volume, the value, any regulatory or contractual requirements, and the threats to that information (amongst other factors). These are determined by undertaking an information risk assessment for each asset. The senior leadership team within the organisation define the level of risk that the organisation is prepared to accept and this is called the risk tolerance level.

What is Information Security?