What is information security? Definition, principles, and jobs

Information security is a set of practices intended to keep data secure from unauthorized access or alterations. Here's a broad look at the policies, principles, and people used to protect data.


Information security definition

Information security, sometimes abbreviated to infosec, is a set of practices intended to keep data secure from unauthorized access or alterations, both when it's being stored and when it's being transmitted from one machine or physical location to another. You might sometimes see it referred to as data security. As knowledge has become one of the 21st century's most important assets, efforts to keep information secure have correspondingly become increasingly important.

The SANS Institute offers a somewhat more expansive definition:

Information security refers to the processes and methodologies which are designed and implemented to protect print, electronic, or any other form of confidential, private and sensitive information or data from unauthorized access, use, misuse, disclosure, destruction, modification, or disruption.

Information security vs. cybersecurity

Because information technology has become the accepted corporate buzzphrase that means, basically, "computers and related stuff," you will sometimes see information security and cybersecurity used interchangeably. Strictly speaking, cybersecurity is the broader practice of defending IT assets from attack, and information security is a specific discipline under the cybersecurity umbrella. Network security and application security are sister practices to infosec, focusing on networks and app code, respectively.

Obviously, there's some overlap here. You can't secure information transmitted across an insecure network or manipulated by a leaky application. As well, there is plenty of information that isn't stored electronically that also needs to be protected. Thus, the infosec pro's remit is necessarily broad.

Information security principles

The basic components of information security are most often summed up by the so-called CIA triad: confidentiality, integrity, and availability.

  • Confidentiality is perhaps the element of the triad that most immediately comes to mind when you think of information security. Information is confidential when only those people who are authorized to access it can do so; to ensure confidentiality, you need to be able to identify who is trying to access data and block attempts by those without authorization. Passwords, encryption, authentication, and defense against penetration attacks are all techniques designed to ensure confidentiality.
  • Integrity means maintaining information in its correct state and preventing it from being improperly modified, either by accident or maliciously. Many of the techniques that ensure confidentiality will also protect data integrity—after all, a hacker can't change data they can't access—but there are other tools that help provide a defense of integrity in depth: checksums can help you verify data integrity, for instance (a plain checksum only catches accidental corruption; detecting deliberate tampering needs a keyed MAC or a digital signature, because an attacker who can change the data can just as easily recompute an unkeyed checksum), and version control software and frequent backups can help you restore data to a correct state if need be. Integrity is also closely tied to non-repudiation: you must be able to prove that you've maintained the integrity of your data, particularly in legal contexts.
  • Availability is the mirror image of confidentiality: while you need to make sure that your data can't be accessed by unauthorized users, you also need to ensure that it can be accessed by those who have the proper permissions. Ensuring data availability means matching network and computing resources to the volume of data access you expect and implementing a good backup policy for disaster recovery purposes.
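
The integrity point above is easy to get wrong in practice, so here is an added example (not code from the original article) that runs an unkeyed checksum and a keyed MAC against the two failure modes the list distinguishes: accidental corruption and deliberate tampering. The record and the key are constructed for the example; in a real system the key would come from a secrets manager or HSM rather than source code.

```python
"""Integrity check, added example: unkeyed checksum vs. keyed MAC.

Both catch accidental corruption; only the MAC catches deliberate tampering,
because an attacker who can alter the data can also recompute a plain checksum.
"""
import hashlib
import hmac

# Constructed sample record (not from the article): a ledger entry whose
# integrity the "financial institution" in the text cares about.
RECORD = b'{"account":"4711","op":"debit","amount":"100.00"}'

# Constructed key for the example. In production the key comes from a secrets
# manager or HSM and is never embedded in source.
KEY = bytes.fromhex("00112233445566778899aabbccddeeff"
                    "00112233445566778899aabbccddeeff")


def checksum(data: bytes) -> str:
    """Unkeyed SHA-256: anyone, including an attacker, can compute it."""
    return hashlib.sha256(data).hexdigest()


def mac_tag(key: bytes, data: bytes) -> str:
    """HMAC-SHA256: only holders of `key` can compute a valid tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_checksum(data: bytes, expected: str) -> bool:
    # compare_digest avoids leaking the match position through timing.
    return hmac.compare_digest(checksum(data), expected)


def verify_mac(key: bytes, data: bytes, expected: str) -> bool:
    return hmac.compare_digest(mac_tag(key, data), expected)


def bit_flip(data: bytes) -> bytes:
    """Accidental corruption: one bit flipped in transit or on disk."""
    buf = bytearray(data)
    buf[10] ^= 0x01
    return bytes(buf)


def attacker_modify(data: bytes) -> bytes:
    """Deliberate tampering: attacker rewrites the amount (sees data, not KEY)."""
    return data.replace(b'"amount":"100.00"', b'"amount":"999.00"')


def scenario() -> dict:
    """Run both mechanisms against both failure modes; report what each caught."""
    stored_sum = checksum(RECORD)
    stored_tag = mac_tag(KEY, RECORD)

    corrupted = bit_flip(RECORD)
    forged = attacker_modify(RECORD)
    # The attacker ships a fresh checksum alongside the forged record...
    forged_sum = checksum(forged)
    # ...but can only replay the old tag, since KEY is needed to make a new one.
    replayed_tag = stored_tag

    return {
        "checksum_catches_corruption": not verify_checksum(corrupted, stored_sum),
        "mac_catches_corruption": not verify_mac(KEY, corrupted, stored_tag),
        "checksum_catches_forgery": not verify_checksum(forged, forged_sum),
        "mac_catches_forgery": not verify_mac(KEY, forged, replayed_tag),
    }


if __name__ == "__main__":
    for name, caught in scenario().items():
        print(f"{name}: {caught}")
```

The same asymmetry explains why non-repudiation needs a digital signature rather than an HMAC: the MAC key is shared between the two parties, so either of them could have produced the tag, whereas only the holder of a private signing key can produce a valid signature.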

In an ideal world, your data should always be kept confidential, in its correct state, and available; in practice, of course, you often need to make choices about which information security principles to emphasize, and that requires assessing your data. If you're storing sensitive medical information, for instance, you'll focus on confidentiality, whereas a financial institution might emphasize data integrity to ensure that nobody's bank account is credited or debited incorrectly.

Information security policy

The means by which these principles are applied to an organization take the form of a security policy. This isn't a piece of security hardware or software; rather, it's a document that an enterprise draws up, based on its own specific needs and quirks, to establish what data needs to be protected and in what ways. These policies guide the organization's decisions around procuring cybersecurity tools, and also mandate employee behavior and responsibilities.

Among other things, your company's information security policy should include:

  • A statement describing the purpose of the infosec program and your overall objectives
  • Definitions of key terms used in the document to ensure shared understanding
  • An access control policy, determining who has access to what data and how they can establish their rights
  • A password policy
  • A data backup and operations plan to ensure that data is always available to those who need it
  • Employee roles and responsibilities when it comes to safeguarding data, including who is ultimately responsible for information security

One important thing to keep in mind is that, in a world where many companies outsource some computer services or store data in the cloud, your security policy needs to cover more than just the assets you own. You need to know how you'll deal with everything from personally identifying data stored on AWS instances to third-party contractors who need to be able to authenticate to access sensitive corporate info.

Information security measures

As should be clear by now, just about all the technical measures associated with cybersecurity touch on information security to a certain degree, but it is worthwhile to think about infosec measures in a big-picture way:

  • Technical measures include the hardware and software that protect data — everything from encryption to firewalls
  • Organizational measures include the creation of an internal unit dedicated to information security, along with making infosec part of the duties of some staff in every department
  • Human measures include providing awareness training for users on proper infosec practices
  • Physical measures include controlling access to the office locations and, especially, data centers

Information security jobs

It's no secret that cybersecurity jobs are in high demand, and in 2019 information security was at the top of every CIO's hiring wishlist, according to Mondo's IT Security Guide. There are two major motivations: There have been many high-profile security breaches that have resulted in harm to corporate finances and reputation, and most companies are continuing to stockpile customer data and give more and more departments access to it, increasing their potential attack surface and making it more and more likely they'll be the next victim.

There are a variety of different job titles in the infosec world. The same job title can mean different things in different companies, and you should also keep in mind our caveat from up top: a lot of people use "information" just to mean "computer-y stuff," so some of these roles aren't restricted to just information security in the strict sense. But there are general conclusions one can draw.

Information security analyst: Duties and salary
Let's take a look at one such job: information security analyst, which is generally towards the entry level of an infosec career path. CSO's Christina Wood describes the job as follows:

Security analysts typically deal with data protection (data loss protection [DLP] and data classification) and threat protection, which includes security information and event management (SIEM), user and entity behavior analytics [UEBA], intrusion detection system/intrusion prevention system (IDS/IPS), and penetration testing. Key duties include managing security measures and controls, monitoring security access, doing internal and external security audits, analyzing security breaches, recommending tools and processes, installing software, teaching security awareness, and coordinating security with outside vendors.

Information security analysts are definitely one of those infosec roles where there aren't enough candidates to meet the demand for them: in 2017 and 2018, there were more than 100,000 information security analyst jobs that were unfilled in the United States. This means that infosec analyst is a lucrative gig: the Bureau of Labor Statistics pegged the median salary at $95,510 (PayScale.com has it a bit lower, at $71,398).

Information security preparation and courses

How does one get a job in information security? An undergraduate degree in computer science certainly doesn't hurt, although it's by no means the only way in; tech remains an industry where, for instance, participation in open source projects or hacking collectives can serve as a valuable calling card.

Nevertheless, infosec is becoming increasingly professionalized, which means that institutions are offering more by way of formal credentials. Many universities now offer graduate degrees focusing on information security. These programs may be best suited for those already in the field looking to expand their knowledge and prove that they have what it takes to climb the ladder.

At the other end of the spectrum are free and low-cost online courses in infosec, many of them fairly narrowly focused. The world of online education is something of a wild west; Tripwire breaks down 11 highly regarded providers offering information security courses that may be worth your time and effort.

Information security certifications

If you're already in the field and are looking to stay up-to-date on the latest developments—both for your own sake and as a signal to potential employers—you might want to look into an information security certification. Among the top certifications for information security analysts are:

  • Systems Security Certified Practitioner (SSCP)
  • Certified Cyber Professional (CCP)
  • Certified Information Systems Security Professional (CISSP)
  • Certified Ethical Hacker (CEH)
  • GCHQ Certified Training (GCT)

Many of the online courses listed by Tripwire are designed to prepare you for these certification exams. Best of luck in your exploration!

Copyright © 2020 IDG Communications, Inc.