Basics of Cybersecurity
So, what exactly is cybersecurity and how does this fit in with all the other technology buzzwords we hear so often?
Let’s first go through some basic definitions:
Information security (commonly referred to as infosec) definition – the “preservation of confidentiality, integrity and availability of information” (ISO/IEC 27001:2005); where confidentiality is “the property that information is not made available or disclosed to unauthorized individuals, entities, or processes,” integrity is “the property of safeguarding the accuracy and completeness of assets,” and availability is “the property of being accessible and usable upon demand by an authorized entity.”
Just a small warning here – when you hear your security guys speak about the CIA, they are probably not referring to the government organization with international fame; they are probably referring to the three concepts mentioned above.
Using plain language, information security would be the following: if I come to a bank and deposit $10,000, first of all I do not want anyone else to know about this money except for the bank and myself. (This is confidentiality.)
In a few months' time, when I come to withdraw my deposit, I want the amount to be $10,000 plus any interest; I do not want it to be $1,000 because someone has tampered with my account. (This is integrity.)
Lastly, when I want to withdraw my money I do not want the bank clerk to tell me that the bank's systems are down and that I have to come back tomorrow. (This is availability.)
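The bank example can be made concrete in code. The following is an added example, not part of the original article: a toy account record protected with an HMAC so that the change from $10,000 to $1,000 is detected (integrity), and a read function that releases the balance only to the account owner and the bank (confidentiality). The key, account data and party names are constructed for illustration; availability has no direct code counterpart here beyond the fact that a tampered record is refused rather than silently served.

```python
import hmac
import hashlib
import json
import secrets

# Hypothetical key, generated for this example only. A real bank would keep
# it in an HSM or key-management service, never inline in application code.
INTEGRITY_KEY = secrets.token_bytes(32)

# Constructed sample account record: the $10,000 deposit from the text.
ACCOUNT = {"account_id": "ACC-0001", "owner": "alice", "balance_cents": 1_000_000}

# Parties allowed to read the record: the owner and the bank (confidentiality).
AUTHORIZED_READERS = {"alice", "bank"}


def canonical(record: dict) -> bytes:
    """Serialize deterministically so the MAC covers identical bytes on both sides."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(record: dict, key: bytes = INTEGRITY_KEY) -> dict:
    """Attach an HMAC-SHA256 tag computed over the canonical record (integrity)."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"record": dict(record), "tag": tag}


def verify(sealed: dict, key: bytes = INTEGRITY_KEY) -> bool:
    """Recompute the tag and compare in constant time; False means the record was altered."""
    expected = hmac.new(key, canonical(sealed["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])


def read_balance(sealed: dict, requester: str) -> int:
    """Release the balance only to authorized parties and only if the record is intact."""
    if requester not in AUTHORIZED_READERS:
        raise PermissionError(f"{requester!r} is not allowed to see this account")
    if not verify(sealed):
        raise ValueError("record failed integrity check; refusing to report a balance")
    return sealed["record"]["balance_cents"]


def tamper(sealed: dict, new_balance_cents: int) -> dict:
    """Simulate an attacker with write access to storage but no key: edits the balance, keeps the old tag."""
    forged = {"record": dict(sealed["record"]), "tag": sealed["tag"]}
    forged["record"]["balance_cents"] = new_balance_cents
    return forged


if __name__ == "__main__":
    sealed = seal(ACCOUNT)
    print("owner reads:", read_balance(sealed, "alice"))
    try:
        read_balance(sealed, "mallory")
    except PermissionError as e:
        print("confidentiality:", e)
    forged = tamper(sealed, 100_000)  # $1,000 instead of $10,000
    print("tampered record verifies?", verify(forged))
    try:
        read_balance(forged, "alice")
    except ValueError as e:
        print("integrity:", e)
```

The point of the MAC is that an attacker who can overwrite the stored balance but does not hold the key cannot produce a matching tag, so the alteration is caught at read time instead of being paid out.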
The definition of cybersecurity is not far from that of information security: “Cybersecurity is to be free from danger or damage caused by disruption or fall-out of ICT or abuse of ICT. The danger or the damage due to abuse, disruption or fall-out can be comprised of a limitation of the availability and reliability of the ICT, breach of the confidentiality of information stored in ICT or damage to the integrity of that information.” (The National Cyber Security Strategy 2011, Dutch Ministry of Security and Justice). As you have probably noticed, the two terms are quite similar.
See how they are related in the image below:
Information Security vs. Cybersecurity
Although there is no official position about the differences between information security and cybersecurity, I like to interpret them as follows: cybersecurity is 95% of information security; the only difference between them is that information security includes security of information on non-digital media (e.g., paper), while cybersecurity focuses on information in digital form only.
Today, non-digital media hold only a small portion of the total information available, often much less than 5%.
In many cases, information security and cybersecurity are used interchangeably, as synonyms; cybersecurity seems to be a more preferred term in government circles in the United States, while information security is generally used in banks and healthcare organizations.
The point here is that “information security” and “cybersecurity” are usually interchangeable. You can use either term and you won’t miss the point. You will notice I use them interchangeably.
Business Continuity and Risk Management
Business continuity is the “strategic and tactical capability of the organization to plan for and respond to incidents and business disruptions in order to continue business operations at an acceptable predefined level” (BS 25999-2:2007). I mention this here as a distinct concept because this is usually where most of the investment in technology is required; business continuity is also indispensable in the case of natural disasters.
As you may have noticed from the above image, Cybersecurity has a big overlapping area with business continuity, because one of the key characteristics of cybersecurity is keeping the information available; this is where business continuity plays a key role.
The purpose of them all, cybersecurity, information security and business continuity, is basically to decrease the risks of doing business; in other words, risk management. In the banking world this is called operational risk management. Even if you do not use this term, or have an organizational unit for managing risks, when you are trying to protect your information from being stolen or compromised you are decreasing your business risks.
You might be surprised to learn that information technology is only one part of cybersecurity.
Technology is not the solution for all the risks: IT safeguards are normally about 50% of cybersecurity, with the remainder being organizational measures such as policies, procedures and organizational structures.
What you do to decrease risks is, of course, the main effort of your cybersecurity. From a terminology point of view it is important to know that countermeasures, safeguards, security controls, or simply controls all have the same meaning: “means of managing risk, including policies, procedures, guidelines, practices or organizational structures, which can be administrative, technical, management, or legal in nature” (ISO/IEC 27000:2009).
Simply speaking, controls are what you do to protect the information in your company.
Now that you know the basics of cybersecurity, let’s move on to the 9 steps of implementation.
Source: 9 steps to cybersecurity