Information security: protection objectives and measures for the safety of information

Information security focuses on the three protection objectives confidentiality, availability and integrity of information. Information security can be verified and managed with an Information Security Management System (ISMS) which is approximately based on the internationally recognised ISO 27001 standard. Learn from us what you should know about information security.

Information Security Officer

When the position of information security officer needs to be filled, many companies seek an external solution...

Information Security Management System (ISMS)

To meet the challenge of continuously improving their information security, many companies are using...

ISO 27001 certification

ISO 27001 certification sends a strong message about the protection of data, information and systems...

TISAX certification

Information security is one of the most important prerequisites for cooperation between manufacturers and suppliers in the automotive...

What does information security mean?

The term information security describes the protection of information values (assets) by ensuring the three protection objectives confidentiality, availability and integrity. The information assets that need protection are for example software, data, processes, devices, clouds but also personnel resources and other equipment. Even though an Information Security Act exists based on the ISO 27001 standard there is no established detailed information security concept that your company must follow. Instead individual measures are being developed which follow a risk-based approach. For this purpose, possible security incidents are assessed according to their probability of occurrence in your company and an Information Security Management System (ISMS) is being developed accordingly. For support you can appoint an external Information Security Officer.

The fundamental values of information security

The pillars of the information security cover at least three protection objectives: the confidentiality, availability and integrity of information. They are defined as follows:

Confidentiality Information is considered confidential if it is only viewed by people who are authorised to do so. Therefore, it must be clear who is allowed to have access to the information and in what way. The measures serving the protection objective confidentiality include for example the encryption of data, communication security, environmental security and floor control.

Availability A technological infrastructure must guarantee that all information is available and usable at all times. In many cases the availability in continuous production and service processes the primary protection goal. In terms of the availability it is about minimising the probability of occurrence of system failures.

Integrity Information must be correct and complete at any point in time. The integrity is being violated when undetected or unwanted changes are being made by unauthorized persons. Therefore, all changes must always be traceable. This protection objective is highly relevant, as false information could lead to bad decisions in a company.

According to the definition of information security there are also the protection goals authenticity, commitment, reliability and accountability that fall under the expanded core values of the information security. Together they provide insight whether the information security in your company is being reached. This in turn means that the core values of the information security are breached when a security incident exists.

Possible security incidents

A security incident is an event that negatively affects the security of information. The first thing that companies usually think of is cybercrime. But the information security is not solely threatened by criminal attacks – even your own employees can jeopardise the information security.

Natural disasters and defective systems also need to be taken into account. Hence security incidents take on different forms while constantly posing a danger (accidental or wilful) for the core values of the information security. By definition for information security the following examples can be possible security incidents:

Malfunctions or unusual behaviour of devices, Malware detection
Theft or Loss of devices (e.g. laptops and computer), documents or data carriers (for example USB sticks)
Passing on information (accidental or wilful), blackmail or coercion to reveal information
Unauthorised or incorrect use of devices and software, misuse of permissions
Falsification of data, use of unreliable information
System failures due to external influences like power outage, water damage, corrosion, fire or dust

There is no such thing as a company whose information is 100 percent secure. These and other security incidents are primarily caused by weaknesses that can be prevented or at least minimised. Therefore, the most fundamental measure to protect your information is the introduction of an information security concept and the implementation of an Information Security Management System. Get to know us and let us advise you on all recommendable measures around information security.

Who is responsible for the information security in your company?

The information security is a corporate responsibility and therefore to be viewed holistically. Each individual in your company should be involved in information security: from the management that makes strategic decisions to the employees who put these decisions into practice. Nevertheless, there are various positions that should be filled in line with the information security. Although these positions are not legally required – except companies from the critical infrastructure – they are recommendable in order to cover the minimum requirements of the information security and increase your company’s awareness of information security. The management takes on an outstanding role in the information security management. The management assigns the responsibilities to the employees and decides which measures need to be taken as an information security guideline. An Information Security Officer who acts as a contact person for all questions around the information security management supports the management. In addition, the Information Security Officer is responsible for the development and introduction of an Information Security Management System – for example with ISO 27001 Certification or TISAX Certification. Certifications basically can only be conducted by external, authorised Information Security Officers. We are happy to offer you our support for your information security management. What are your questions regarding the positions to be filled? What would you like to know about the appointment of an Information Security Officer? Make an initial consultation appointment now so that we can answer your questions competently.

Information security management plays an important role for these industries

Regardless of the industry every company should basically address the information security. The company size plays a subordinate role here. However, particular importance is attributed to digital and software-driven companies. Also companies with high regulatory needs should strive for a well thought out Information Security Management System. In the health sector for instance, the guarantee of medical confidentiality is considered the minimum standard of information security. For companies from the critical infrastructure, a certified Information Security Management System must be introduced with an externally appointed Information Security Officer without exception.

Information security and data protection: what is the difference?

Information security and data protection are to be fundamentally differentiated even though they are often being mentioned in the same context. The two areas differ in the levels of application while information security is much more comprehensive. Data protection is about the proper handling and protection of personal data that relates to an identifiable or identified individual under the European General Data Protection Regulation (GDPR). This includes for example name, address and date of birth. The information security does not focus on certain data but rather on analogue and digital information of a company worth protecting.

Information security and IT security: what is the difference?

The information security is also much more broadly formulated than IT security. While by definition information security is concerned with organisational, spatial and personnel aspects, IT security focuses exclusively on the protection of information through information technology. Overall, IT security makes up a sub-area of information security.

Information security and data security: what is the difference?

The data security aims to protect all data regardless of whether it is personal data or not. There are also no restrictions as to that type and which content of data is protected – both digital and analogue data is considered. Similar to information security, data protection is based on the three security pillars confidentiality, availability and integrity of data or information. To ensure the security of data certain organisational and technical measures need to be defined and taken such as access controls.

Professional support for your information security

The protection of your information requires continuous attention and should become part of your daily business. But we know about the challenges that companies have to handle. Not all companies can or want to manage the information security with their own resources. Here our advantage becomes yours: as external support we are familiar with the challenges of information security as we have already mastered them elsewhere. Benefit from our experience and find out how an information security guideline tailored to your company can contribute to securing your long-term business success. Get to know us in an initial conversation.

Schedule a free call