Information security, sometimes shortened to infosec,[1] is the practice of protecting information by mitigating information risks. It is part of information risk management.[2][3] It typically involves preventing or reducing the probability of unauthorized or inappropriate access to data or the unlawful use, disclosure, disruption, deletion, corruption, modification, inspection, recording, or devaluation of information.[4] It also involves actions intended to reduce the adverse impacts of such incidents. Protected information may take any form, e.g., electronic or physical, tangible (e.g., paperwork), or intangible (e.g., knowledge).[5][6] Information security's primary focus is the balanced protection of data confidentiality, integrity, and availability (also known as the "CIA" triad) while maintaining a focus on efficient policy implementation, all without hampering organization productivity.[7] This is largely achieved through a structured risk management process that involves:
Identifying information and related assets, plus potential threats, vulnerabilities, and impacts;
Evaluating the risks;
Deciding how to address or treat the risks, i.e., to avoid, mitigate, share, or accept them;
Where risk mitigation is required, selecting or designing appropriate security controls and implementing them;
Monitoring the activities and making adjustments as necessary to address any issues, changes, or improvement opportunities.[8]
To standardize this discipline, academics and professionals collaborate to offer guidance, policies, and industry standards on passwords, antivirus software, firewalls, encryption software, legal liability, security awareness and training, and so forth.[9] This standardization may be further driven by a wide variety of laws and regulations that affect how data is accessed, processed, stored, transferred, and destroyed.[10] However, the implementation of any standards and guidance within an entity may have limited effect if a culture of continual improvement is not adopted.[11]
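The five-step process listed above (identify, evaluate, treat, control, monitor) is easiest to see as a small risk register worked end to end. The following Python is an added example and is not part of the original article; the assets, the 1..5 likelihood and impact scales, the risk appetite of 6, the control catalogue and the treatment rule are all constructed for illustration, not taken from any standard.

```python
from dataclasses import dataclass, field
from enum import Enum


class Treatment(str, Enum):
    AVOID = "avoid"
    MITIGATE = "mitigate"
    SHARE = "share"
    ACCEPT = "accept"


@dataclass
class Control:
    """A security control and the reduction it is expected to give on the 1..5 scales."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    """One row of the risk register (step 1: asset, threat, vulnerability, impact)."""
    asset: str
    cia_property: str           # confidentiality, integrity or availability at stake
    threat: str
    vulnerability: str
    likelihood: int             # 1 (rare) .. 5 (almost certain), constructed scale
    impact: int                 # 1 (negligible) .. 5 (severe), constructed scale
    avoidable: bool = False     # the activity behind the risk can be stopped
    transferable: bool = False  # a provider or insurer can carry the loss
    controls: list = field(default_factory=list)

    def inherent_score(self) -> int:
        """Step 2: likelihood x impact before any control is applied."""
        return self.likelihood * self.impact

    def residual_score(self) -> int:
        """Score after the selected controls, floored at 1 on each scale."""
        likelihood = max(1, self.likelihood - sum(c.likelihood_reduction for c in self.controls))
        impact = max(1, self.impact - sum(c.impact_reduction for c in self.controls))
        return likelihood * impact


def decide_treatment(risk: Risk, appetite: int) -> Treatment:
    """Step 3: avoid, mitigate, share or accept, given the organization's risk appetite."""
    if risk.inherent_score() <= appetite:
        return Treatment.ACCEPT
    if risk.avoidable:
        return Treatment.AVOID
    if risk.transferable and risk.impact >= 4 and risk.likelihood <= 2:
        return Treatment.SHARE          # rare but severe: let a specialist carry it
    return Treatment.MITIGATE


# Step 4 (constructed catalogue): controls addressing a vulnerability, in preference order.
CONTROL_CATALOGUE = {
    "admin portal without MFA": [
        Control("multi-factor authentication", likelihood_reduction=2),
        Control("encryption at rest with separate key custody", impact_reduction=2),
    ],
    "unlocked filing cabinet": [Control("locked cabinet with key log", likelihood_reduction=1)],
}


def apply_controls(risk: Risk, appetite: int) -> None:
    """Add catalogue controls one at a time until residual risk is within appetite."""
    for control in CONTROL_CATALOGUE.get(risk.vulnerability, []):
        if risk.residual_score() <= appetite:
            break
        risk.controls.append(control)


def run_cycle(register, appetite):
    """One pass of the loop: evaluate, decide, and implement controls where mitigating."""
    plan = {}
    for risk in register:
        plan[risk.asset] = decide_treatment(risk, appetite)
        if plan[risk.asset] is Treatment.MITIGATE:
            apply_controls(risk, appetite)
    return plan


def needs_review(register, appetite):
    """Step 5: mitigated or accepted risks whose residual score still exceeds appetite."""
    return [
        r.asset for r in register
        if decide_treatment(r, appetite) in (Treatment.MITIGATE, Treatment.ACCEPT)
        and r.residual_score() > appetite
    ]


def build_register():
    """Constructed sample register; assets and scores are illustrative only."""
    return [
        Risk("customer database", "confidentiality", "credential theft",
             "admin portal without MFA", likelihood=4, impact=5),
        Risk("HR paper files", "confidentiality", "office break-in",
             "unlocked filing cabinet", likelihood=2, impact=3),
        Risk("legacy FTP server", "integrity", "in-transit tampering",
             "cleartext protocol", likelihood=3, impact=4, avoidable=True),
        Risk("web shop", "availability", "volumetric DDoS",
             "single upstream link", likelihood=2, impact=5, transferable=True),
    ]


if __name__ == "__main__":
    APPETITE = 6
    register = build_register()
    plan = run_cycle(register, APPETITE)
    for r in register:
        print(f"{r.asset:18} {r.cia_property:16} inherent={r.inherent_score():2} "
              f"residual={r.residual_score():2} -> {plan[r.asset].value}")
    # Monitoring: a change in the environment re-opens a previously accepted risk,
    # and a second pass of the cycle brings it back within appetite.
    register[1].likelihood = 3
    print("needs review:", needs_review(register, APPETITE))
    run_cycle(register, APPETITE)
    print("after adjustment:", needs_review(register, APPETITE))
```

The point of the second `run_cycle` call is that the process is a loop rather than a one-off assessment: the customer database needs two controls before its residual score reaches the appetite, the FTP server is avoided (decommissioned) rather than patched, the DDoS exposure is shared with a provider, and the paper files are accepted until monitoring observes a higher break-in likelihood, at which point the same decision rule promotes them to mitigation.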
[1] Curry, Michael; Marshall, Byron; Crossler, Robert E.; Correia, John (April 25, 2018). "InfoSec Process Action Model (IPAM): Systematically Addressing Individual Security Behavior". ACM SIGMIS Database: The DATABASE for Advances in Information Systems. 49 (SI): 49–66. doi:10.1145/3210530.3210535. ISSN 0095-0033. S2CID 14003960.
[2] Joshi, Chanchala; Singh, Umesh Kumar (August 2017). "Information security risks management framework – A step towards mitigating security risks in university network". Journal of Information Security and Applications. 35: 128–137. doi:10.1016/j.jisa.2017.06.006. ISSN 2214-2126.
[3] Fletcher, Martin (December 14, 2016). "An introduction to information risk". The National Archives. Retrieved February 23, 2022.
[4] Joshi, Chanchala; Singh, Umesh Kumar (August 2017). "Information security risks management framework – A step towards mitigating security risks in university network". Journal of Information Security and Applications. 35: 128–137. doi:10.1016/j.jisa.2017.06.006.
[5] Daniel, Kent; Titman, Sheridan (August 2006). "Market Reactions to Tangible and Intangible Information". The Journal of Finance. 61 (4): 1605–1643. doi:10.1111/j.1540-6261.2006.00884.x. SSRN 414701.
[6] Fink, Kerstin (2004). Knowledge Potential Measurement and Uncertainty. Deutscher Universitätsverlag. ISBN 978-3-322-81240-7. OCLC 851734708.
[7] Keyser, Tobias (April 19, 2018). "Security policy". The Information Governance Toolkit. CRC Press. pp. 57–62. doi:10.1201/9781315385488-13. ISBN 978-1-315-38548-8. Retrieved May 28, 2021.
[8] Danzig, Richard; National Defense University Washington DC Inst for National Strategic Studies (1995). "The big three: Our greatest security risks and how to address them". DTIC ADA421883.
[9] Lyu, M.R.; Lau, L.K.Y. (2000). "Firewall security: Policies, testing and performance evaluation". Proceedings 24th Annual International Computer Software and Applications Conference. COMPSAC2000. IEEE Comput. Soc. pp. 116–121. doi:10.1109/cmpsac.2000.884700. ISBN 0-7695-0792-1. S2CID 11202223.
[10] "How the Lack of Data Standardization Impedes Data-Driven Healthcare" (October 17, 2015). Data-Driven Healthcare. Hoboken, NJ, US: John Wiley & Sons, Inc. p. 29. doi:10.1002/9781119205012.ch3. ISBN 978-1-119-20501-2. Retrieved May 28, 2021.
[11] Lent, Tom; Walsh, Bill (2009). "Rethinking Green Building Standards for Comprehensive Continuous Improvement". Common Ground, Consensus Building and Continual Improvement: International Standards and Sustainable Building. West Conshohocken, PA: ASTM International. pp. 1–1–10. doi:10.1520/stp47516s. ISBN 978-0-8031-4507-8. Retrieved May 28, 2021.