Information security
Protecting information by mitigating risk / From Wikipedia, the free encyclopedia
Information security, sometimes shortened to infosec,[1] is the practice of protecting information by mitigating information risks. It is part of information risk management.[2][3] It typically involves preventing or reducing the probability of unauthorized or inappropriate access to data or the unlawful use, disclosure, disruption, deletion, corruption, modification, inspection, recording, or devaluation of information.[4] It also involves actions intended to reduce the adverse impacts of such incidents. Protected information may take any form, e.g., electronic or physical, tangible (e.g., paperwork), or intangible (e.g., knowledge).[5][6] Information security's primary focus is the balanced protection of data confidentiality, integrity, and availability (also known as the "CIA" triad) while maintaining a focus on efficient policy implementation, all without hampering organization productivity.[7] This is largely achieved through a structured risk management process that involves:
- Identifying information and related assets, plus potential threats, vulnerabilities, and impacts;
- Evaluating the risks;
- Deciding how to address or treat the risks, i.e., to avoid, mitigate, share, or accept them;
- Where risk mitigation is required, selecting or designing appropriate security controls and implementing them;
- Monitoring the activities and making adjustments as necessary to address any issues, changes, or improvement opportunities.[8]
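The five steps above can be made concrete as a small risk register. The following is an added example, not code from the Wikipedia article or from any standard: the assets, threats, controls, the 1..5 likelihood and impact scale, and the appetite thresholds are all constructed for illustration. It rates each asset on the CIA triad, scores inherent and residual risk as likelihood times impact, picks a treatment (accept, mitigate, share, avoid) against a risk appetite, and re-decides when monitoring reports a changed likelihood.

```python
"""Toy information-risk register working through the five steps listed above.

Added example, not from the Wikipedia article: the assets, threats, controls,
the 1..5 rating scale and the appetite thresholds are constructed assumptions.
"""
from dataclasses import dataclass, field, replace

LOW = 1  # floor of the constructed 1..5 rating scale


@dataclass(frozen=True)
class Asset:
    """Step 1: an information asset with CIA loss ratings (1..5 each)."""
    name: str
    confidentiality: int
    integrity: int
    availability: int

    def impact(self) -> int:
        # The worst loss across the triad sets the asset's impact rating.
        return max(self.confidentiality, self.integrity, self.availability)


@dataclass(frozen=True)
class Threat:
    """Step 1: a threat, the vulnerability it exploits, and its likelihood."""
    name: str
    vulnerability: str
    likelihood: int


@dataclass(frozen=True)
class Control:
    """Step 4: a control that lowers likelihood and/or impact by N points."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    asset: Asset
    threat: Threat
    controls: list = field(default_factory=list)

    def inherent(self) -> int:
        """Step 2: risk before controls, on a 1..25 likelihood x impact grid."""
        return self.threat.likelihood * self.asset.impact()

    def residual(self) -> int:
        """Step 2 after the applied controls; ratings never drop below the floor."""
        lik = self.threat.likelihood - sum(c.likelihood_reduction for c in self.controls)
        imp = self.asset.impact() - sum(c.impact_reduction for c in self.controls)
        return max(lik, LOW) * max(imp, LOW)


def treat(risk: Risk, catalog: list, appetite: int, unacceptable: int) -> str:
    """Steps 3 and 4: decide accept / mitigate / share / avoid.

    `appetite` is the highest residual score tolerated without action;
    `unacceptable` is the score at or above which the activity is avoided
    when the available controls cannot bring the risk under appetite.
    """
    if risk.residual() <= appetite:
        return "accept"
    # Try the catalog in order; keep the controls only if they reach appetite.
    trial = Risk(risk.asset, risk.threat, list(risk.controls))
    for control in catalog:
        if control not in trial.controls:
            trial.controls.append(control)
            if trial.residual() <= appetite:
                risk.controls = trial.controls
                return "mitigate"
    if risk.residual() >= unacceptable:
        return "avoid"
    return "share"  # e.g. insurance or contractual transfer; residual stays


def reassess(risk: Risk, new_likelihood: int, catalog: list,
             appetite: int, unacceptable: int) -> str:
    """Step 5: monitoring found a change; update the threat and re-decide."""
    risk.threat = replace(risk.threat, likelihood=new_likelihood)
    return treat(risk, catalog, appetite, unacceptable)


# Constructed sample register (not real data).
APPETITE, UNACCEPTABLE = 6, 20
CUSTOMER_DB = Asset("customer database", confidentiality=5, integrity=4, availability=3)
LEGACY_GATEWAY = Asset("legacy payment gateway", 5, 5, 4)
NOTICEBOARD = Asset("office noticeboard", 1, 1, 1)

SQLI = Risk(CUSTOMER_DB, Threat("SQL injection", "unparameterised queries", likelihood=4))
INSIDER = Risk(CUSTOMER_DB, Threat("insider exfiltration", "broad DB read access", likelihood=3))
RCE = Risk(LEGACY_GATEWAY, Threat("remote code execution", "unpatched service", likelihood=5))
TAMPER = Risk(NOTICEBOARD, Threat("tampering", "no physical access control", likelihood=3))

CATALOG = {  # candidate controls per threat, in order of preference
    "SQL injection": [Control("parameterised queries", likelihood_reduction=3)],
    "insider exfiltration": [Control("DLP monitoring", likelihood_reduction=1)],
    "remote code execution": [Control("network segmentation", likelihood_reduction=1)],
    "tampering": [],
}


def run_register() -> dict:
    """Treat every risk once and return the decision per threat name."""
    return {r.threat.name: treat(r, CATALOG[r.threat.name], APPETITE, UNACCEPTABLE)
            for r in (SQLI, INSIDER, RCE, TAMPER)}


if __name__ == "__main__":
    for name, decision in run_register().items():
        print(f"{name:24s} -> {decision}")
    # Step 5: the vendor ships a patch, so RCE likelihood falls from 5 to 2.
    print("after patch:", reassess(RCE, 2, CATALOG["remote code execution"],
                                   APPETITE, UNACCEPTABLE))
```

The design point is that the treatment decision is driven by residual risk against an explicit appetite, not by the inherent score alone: the SQL injection risk starts at the same score as the avoided gateway risk but is mitigated because a single control brings it under appetite, while the gateway risk is only revisited (and becomes mitigable) once monitoring reports the lower likelihood.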
To standardize this discipline, academics and professionals collaborate to offer guidance, policies, and industry standards on passwords, antivirus software, firewalls, encryption software, legal liability, security awareness and training, and so forth.[9] This standardization may be further driven by a wide variety of laws and regulations that affect how data is accessed, processed, stored, transferred, and destroyed.[10] However, the implementation of any standards and guidance within an entity may have limited effect if a culture of continual improvement is not adopted.[11]