At PM&A, we cover a broad range of IT topics with our clients and partners, and today we’d like to explore one of the most important – information security or InfoSec. This refers to the processes and methodologies involved in protecting information and information systems from unauthorised access, use, disclosure, disruption, modification, or destruction.
“Information security” is an umbrella term that includes various subtypes, such as network security, application security, data security, endpoint security, and cloud security – each focusing on different aspects of protecting sensitive information. And data security is similar. This is the practice of protecting digital information from unauthorised access, corruption, or theft throughout its entire lifecycle, including its storage, transmission, and processing. These are the general themes of what we’d like to get into today.
The term “InfoSec” is often used interchangeably with information security, but it specifically highlights the protection of both digital and physical forms of information.
The scope of information security is broad. It doesn’t only cover digital data but also physical records and intellectual property. Then within that, information security programs are comprehensive initiatives designed to protect an organisation’s data, intellectual property, and financial data from threats – such as cyberattacks, data breaches, and theft.
Information security professionals (like your team at PM&A) are responsible for developing and implementing these programs, ensuring that sensitive business information stays secure, and that your business maintains a competitive advantage with security, and profitability.
To achieve effective protection, organisations often adopt frameworks and standards that guide their security practices. One such framework is the information security management system (ISMS), also known as a security management system ISMS. An ISMS is a structured framework that includes policies, procedures, and controls to protect information assets, manage risks, and ensure compliance with standards like ISO/IEC 27001.
These systems help businesses comply with data protection laws like The Protection of Personal Information Act (POPIA) which applies to Capetonians, for example.
CIA triad and key principles
Information security is fundamentally built on three principles: confidentiality, integrity, and availability – collectively known as the CIA triad. The CIA triad serves as a foundational model for information security practices, guiding organisations in protecting their information systems. First suggested by the National Institute of Standards and Technology (NIST) in 1977, the CIA triad helps organisations choose appropriate technologies and policies for information protection.
Confidentiality helps ensure that sensitive information is accessible only to authorised users, helping prevent unauthorised disclosure. Sensitive information should only be accessible to authorised individuals, protecting data from being accessed by potentially malicious parties or simply users who don’t have permission to access it.
Integrity refers to how accurate and complete data is, ensuring that information is not improperly modified or tampered with. This principle safeguards data from changes that aren’t authorised, for better trustworthiness and reliability.
Availability ensures that authorised users have access to information and resources when they need them, emphasising the importance of system uptime and reliability. Of course, this availability should only be there for users with the right permissions, but overall plays a critical role in business functions – especially in industries where downtime has serious consequences.
The CIA triad is a good start but nonrepudiation is often considered another important principle as it ensures that two parties can’t deny the authenticity of their signatures or sending a message for example – providing proof of origin and delivery.
Types of information security
Information security covers a range of specialised domains, each designed to protect information in different environments and formats. Understanding these types helps organisations implement targeted security measures to protect information across all areas of their operations.
- Network security: Focuses on safeguarding computer networks from unauthorised access, misuse, or attacks. Security measures include firewalls, intrusion detection systems, and virtual private networks to ensure only authorized users can access sensitive systems.
- Endpoint security: Protects individual devices such as laptops, mobile devices, and desktops from security threats. Endpoint detection and response (EDR) tools help detect, investigate, and respond to suspicious activity on these devices.
- Application security: Involves securing software applications by identifying and fixing vulnerabilities that could be exploited by attackers. This includes regular code reviews, security testing, and implementing secure development practices.
- Cloud security: Addresses the unique challenges of protecting data and applications hosted in cloud environments. Security controls focus on access management, data encryption, and continuous monitoring to protect sensitive data stored in the cloud.
- Data security: Concentrates on protecting digital data from unauthorised access, corruption, or loss. Techniques include data classification, encryption, and data loss prevention to ensure data integrity and confidentiality.
- Physical security: Involves securing physical locations such as data centers and offices to prevent unauthorised access to hardware and sensitive information. Measures include access controls, surveillance, and environmental safeguards.
By understanding and implementing these types of information security, organisations can better protect information assets and reduce the risk of security incidents across their entire infrastructure.
Data breaches and major threats
A data breach occurs when unauthorised individuals gain access to personal and sensitive information, such as personally identifiable information (PII), resulting in the unauthorised disclosure of confidential data. Security breaches can be caused by a variety of security risks and cyber threats, including advanced persistent threats (APTs), botnets, distributed denial-of-service (DDoS) attacks, malware, phishing, ransomware, viruses, and worms.
Malicious attacks often target organisations’ data, seeking to exploit vulnerabilities and compromise information security. Data breaches can result in significant financial losses, reputational damage, and regulatory penalties, with the average total cost of a data breach fluctuating massively but often reaching multi-million dollar USD and ZAR costs.
One of the most common causes of data breaches is human error. Employees may inadvertently send sensitive information to the wrong recipient, use weak passwords, or fall victim to social engineering attacks. This has happened to almost all of us at some point, no matter how tech-savvy.
To dive deeper into one example, social engineering attacks manipulate individuals into giving out sensitive information or performing actions that compromise security, often exploiting psychological triggers like urgency or fear. Insider threats can also arise from employees inside an organisation who misuse their rightful access to compromise data -whether it’s intentional or simply an accident.
Malware and ransomware are also significant risks to information security. These malicious programs can infect systems, encrypt files, and demand payment for their release, or steal sensitive data for malicious purposes. Attackers may use these tools to gain unauthorised access to systems and exfiltrate personal and sensitive information, including PII, leading to unauthorised disclosure and further security breaches.
Security misconfiguration is another major risk factor. It occurs when IT systems, cloud services, or web applications are improperly set up or managed, leaving vulnerabilities that attackers can exploit.
Security misconfiguration is a common risk in organisations, accounting for 30% of web application vulnerabilities during penetration testing. This is often due to negligence or human error.
You should also be aware of cloud drift, where cloud configurations change over time without proper oversight. This can also introduce new vulnerabilities and increase the risk of a breach.
Data security practices and controls
Information security protocols are essential to protect sensitive information, secure data, and maintain compliance. Implementing security measures, such as technical controls, policies, and procedures, forms the foundation of a comprehensive information security strategy. Plus, these information security measures help protect data from unauthorised access, ensure confidentiality, integrity, and availability, and build customer trust.
Encryption is a critical tool to protect data, as it encodes information so that only authorised users can access it. Data encryption encodes data at rest and in transit, making it impossible for unauthorised users to read it, and it secures data from breaches. In addition to encryption, data masking and anonymisation are tactics which can be used to hide sensitive data in non-production environments. This way you’re protecting it from unauthorised viewing and reducing the risk of exposure.
We recommend Data Loss Prevention (DLP) tools for better protection by monitoring and controlling data movement across networks and endpoints. These tools enforce granular security policies to prevent data leaks and losses, ensuring that sensitive information is not inadvertently shared or exposed.
Don’t forget your data classification policy
A robust data classification policy is vital for protecting sensitive information. By categorising data based on its sensitivity and importance, you and your business can apply proactive measures to each category, helping to ensure that the most critical data receives the highest level of security.
Access control is another key aspect of securing data. Enforcing least-privilege access ensures that users only have the permissions necessary for their roles. Multi-factor authentication (MFA) adds additional security layers by requiring a second verification method beyond a password, like when you try to sign into a site and they need you to use your authenticator app, email and phone inbox for example.
By following these information security practices and implementing security measures such as encryption, DLP tools, data classification policies, and access controls, organisations can effectively protect data, secure sensitive information, and reduce the risk of data breaches.
Tools and technologies: detection, response, and management
Deploying a Security Information and Event Management (SIEM) system is a crucial detection step. SIEM enables real-time monitoring and incident response by aggregating and analysing security events across the IT infrastructure, helping to detect threats and manage breaches efficiently. Who’s responsible for implementing and managing SIEM, as well as overseeing event management processes to ensure timely alerting and response? That would be your security team or in-house IT in conjunction with PM&A.
Intrusion detection systems (IDS) and comprehensive logging can detect anomalies and unauthorised activities. An IDS monitors network traffic for potential threats, evaluating data and alerting administrators to suspicious or malicious activity. In addition, deploying an intrusion prevention system (IPS) is essential, as it actively blocks suspicious or malicious traffic to protect networks according to established security policies.
Integrating detection and response platforms, such as Endpoint Detection and Response (EDR), further improves the ability to identify and contain threats quickly.
Continuous vulnerability management scans are also advised to proactively identify and remediate security weaknesses before they can be exploited.
Vulnerability management
Vulnerability management is the process of identifying, evaluating, treating, and reporting on security vulnerabilities in systems and the software that runs on them. A key aspect of this process is recognising that security misconfiguration is a common risk, often resulting from improper setup or management of IT systems, cloud services, and web applications.
To effectively manage vulnerabilities, organisations should establish a regular patching cadence and prioritise remediation based on the severity of risk. This means addressing critical vulnerabilities as soon as possible, while scheduling lower-risk issues for routine maintenance windows. By continuously monitoring for new vulnerabilities and promptly addressing configuration errors, organisations can significantly reduce their exposure to security breaches.
Security Operations Center and security management
A Security Operations Center (SOC) is responsible for monitoring, detecting, and responding to security incidents across an organization’s digital environment. SOC teams play a crucial role in securing information systems and ensuring infrastructure security by protecting physical network assets such as servers, data centers, and mobile devices. Their responsibilities include threat intelligence, incident response, vulnerability management, and maintaining situational awareness to minimize risks to the organization’s information assets.
Security management governance tasks involve developing and enforcing policies, procedures, and controls to safeguard sensitive data. Effective governance also requires the implementation and maintenance of robust security systems, which are essential for controlling access to sensitive information and supporting the overall security strategy within an organisation.
Implementing an Information Security Management System (ISMS) is highly recommended to establish a structured approach to managing sensitive company information. ISO/IEC 27001 is the international standard for establishing an ISMS, providing a framework for identifying, assessing, and mitigating information security risks.
Business continuity management is another critical component, ensuring that organizations have comprehensive plans, including disaster recovery strategies, to maintain ongoing operations during unforeseen events or crises. This protects against downtime that could cause significant financial losses.
SOC playbooks and escalation paths should be developed to standardize incident response procedures and ensure timely communication and resolution of security events.
Incident response and disaster recovery
An incident response plan (IRP) is a documented, structured approach outlining how an organisation detects, responds to, and recovers from security incidents. An IRP typically guides your business in responding to incidents, detailing the mitigation steps taken when a major threat is detected.
Computer security incident response teams (CSIRT) often create and execute IRPs with participation from stakeholders across the organisation, including IT staff and legal representatives. The Chief Information Security Officer (CISO) is the person who plays the most central role in managing the data protection process. They are directly involved in incident response planning and execution. However, you can also enlist the help of trained professionals to take on this process.
The whole team should be security-focused and tabletop exercises are recommended to test the readiness of the incident response plan. These exercises simulate real-world scenarios, allowing teams to practice their roles and refine procedures before an actual incident occurs.
Quick overview of steps to building a modern InfoSec program
Step 1: Perform a risk assessment as first step.
Step 2: Prioritise controls based on risk findings.
Step 3: Deploy endpoint detection and cloud security tools.
Step 4: Schedule regular vulnerability management tasks, and audits.
PM&A can help you with practical next steps and resources
PM&A is your InfoSec provider in Cape Town and the surrounding areas. We can help you prioritise addressing the top three risks related to information security, especially by creating an incident response test calendar. Contact the InfoSec experts today for more information or to find out where there might be gaps in your current infrastructure. Call +27 (21) 531 1136 or emailing info@pmaconsulting.co.za.