
Research Suspense On It Security

Information security is crucial for protecting enterprise data from breaches, with potential costs of incidents averaging $4.45 million. The CIA triad—confidentiality, integrity, and availability—forms the foundation of effective information security practices, which also include risk management, data classification, and business continuity planning. Key threats include malware, ransomware, phishing scams, and insider threats, emphasizing the need for comprehensive security strategies and tools like ZenGRC to manage risks and ensure compliance.

IDRISSA IBRAHIM SESAY aka ACCOUNTING MUFTI

INFORMATION COMMUNICATION TECHNOLOGY

TOPICS: INFORMATION SECURITY

Information security is the effort companies undertake to protect
their enterprise data information from security breaches. Without
information security, an organization is vulnerable to phishing,
malware, viruses, ransomware, and other attacks that may result
in the theft, tampering, or deletion of confidential information.

The average cost of a single incident can run $4.45 million. In
addition to the financial burden, such events can also disrupt
operations, damage the company’s reputation and cause
compliance-related problems.

What Is Information Security?
Information Security (infosec) is a set of information technology
practices, methodologies, and tools that allow security
professionals to protect the organization’s data assets from
information security risks.
An information security program aims to prevent unauthorized
users from accessing, modifying, manipulating, or destroying
enterprise information, thus maintaining its “CIA triad”:
confidentiality, integrity, and availability.

Infosec aims to protect all kinds of enterprise data, including:

1. Intellectual property
2. Business secrets
3. Customer data
4. Personal data
5. Healthcare information
6. Credit cards
7. Financial data
8. Other types of private information

Information security is often confused with cybersecurity, but the
two concepts differ. Cybersecurity includes network security,
application security, cloud security, and so forth. It protects
enterprise assets from threats originating from or via the Internet.

Information security management is broader and includes physical
and digital security. A cybersecurity program is a subset of your
information security strategy.

Principles of Information Security

There are three basic principles of information security:

Confidentiality
Integrity
Availability
Together, these principles are known as the CIA Triad. Every
infosec program must follow these principles for maximum
effectiveness.

CONFIDENTIALITY
This first principle is meant to prevent the unauthorized access or
disclosure of enterprise information; it seeks to assure that only
authorized users have access to data. The confidentiality principle
is considered to be compromised when someone who doesn’t have
the proper authorization is able to access your organization’s data
and then damage, compromise, or delete it.

INTEGRITY
Data integrity is about maintaining the data’s accuracy,
trustworthiness, consistency, and reliability. This means that the
data should not be compromised or improperly modified (either
inadvertently or maliciously) by someone without the proper
authority.

AVAILABILITY
Availability means that information is easily accessible to
authorized users whenever needed, minimizing interruptions or
downtime.

The CIA Triad is the foundation of information security. These three
principles inform and affect one another, determining the strength
and efficacy of your infosec program.

That said, other principles also govern infosec and enhance its
effectiveness.

Non-repudiation
The National Institute of Standards and Technology (NIST) defines
non-repudiation as assurance that the sender of information “is
provided with proof of delivery and the recipient is provided with
proof of the sender’s identity, so neither can later deny having
processed the information.”

The non-repudiation principle holds people accountable for actions
they take that might affect the organization’s information. Such
accountability can deter bad behaviors that put enterprise data at
risk.
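
The integrity and non-repudiation principles above are easy to confuse, because both are about proving a message was not altered. The following example is added here and is not part of the original notes; it shows why a shared-key MAC delivers integrity but cannot deliver the NIST definition of non-repudiation (the recipient holds the same key, so a third party cannot tell who produced a tag), and how an asymmetric signature does. The key, the messages and the RSA parameters are constructed; the RSA portion is textbook RSA without padding, for illustration only, not a scheme to deploy.

```python
"""Added example, not from the original notes: why a shared-key MAC gives
integrity but not non-repudiation, and how an asymmetric signature does.
The key, messages and toy RSA parameters are constructed; the RSA part is
textbook RSA without padding, for illustration only."""
import hashlib
import hmac
import secrets

# Shared key: known to BOTH sender and recipient (constructed at import).
SHARED_KEY = secrets.token_bytes(32)


def mac_tag(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()


def mac_verify(key: bytes, message: bytes, tag: bytes) -> bool:
    # Any change to the message changes the tag: this is the integrity
    # property. compare_digest avoids leaking information through timing.
    return hmac.compare_digest(mac_tag(key, message), tag)


def recipient_can_forge(key: bytes, message: bytes) -> bool:
    # The recipient holds the same key, so it can mint a valid tag for a
    # message the sender never sent. A third party cannot tell the two
    # apart, so a MAC proves "someone with the key", not who.
    return mac_verify(key, message, mac_tag(key, message))


# Toy RSA key: two Mersenne primes keep the numbers readable. Only the
# sender holds D; anyone may hold the public pair (N, E).
P, Q = 2**61 - 1, 2**31 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def _digest_int(message: bytes) -> int:
    # Reduce SHA-256 so it fits the toy modulus (a real scheme pads instead).
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message: bytes, private_exp: int = D) -> int:
    return pow(_digest_int(message), private_exp, N)


def verify(message: bytes, signature: int, public_exp: int = E) -> bool:
    # Recipient, auditor or court can all run this with the public key,
    # and only the holder of D could have produced a passing signature.
    return pow(signature, public_exp, N) == _digest_int(message)


def forge_attempt_with_public_key(message: bytes) -> int:
    # What a recipient can try without D: use the only exponent it has.
    return pow(_digest_int(message), E, N)


def demo() -> dict:
    msg = b"Transfer 10,000 to account 123"         # constructed
    tampered = b"Transfer 90,000 to account 123"    # constructed
    tag = mac_tag(SHARED_KEY, msg)
    sig = sign(msg)
    return {
        "mac_integrity_ok": mac_verify(SHARED_KEY, msg, tag),
        "mac_detects_tamper": not mac_verify(SHARED_KEY, tampered, tag),
        "mac_recipient_can_forge": recipient_can_forge(SHARED_KEY, tampered),
        "sig_verifies": verify(msg, sig),
        "sig_detects_tamper": not verify(tampered, sig),
        "sig_recipient_cannot_forge": not verify(
            tampered, forge_attempt_with_public_key(tampered)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Every entry of `demo()` comes back `True`: the MAC catches tampering but also accepts a tag the recipient minted itself, while the signature catches tampering and rejects the recipient's forgery attempt. That asymmetry, one party signs and everyone else only verifies, is what lets a sender be held to a message later.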

Risk management
Risk management allows organizations to identify risks to
information, then protect that information without hampering
access or productivity. Risk management also helps a company
determine the level of risk it is willing to tolerate and implement
safeguards to reduce this risk.

Data classification
Data classification categorizes data according to type, sensitivity,
and impact in case it is compromised or stolen. Data can be
classified to improve access control and determine how long it
should be retained.

Data classification also helps organizations understand the value of
their data, identify whether it is at risk, and implement the proper
information security controls and security measures to mitigate
these risks. Classification also simplifies compliance with various
regulatory mandates an organization might have, such as GDPR,
HIPAA, or PCI-DSS.

There are different ways of classifying data. One is by sensitivity
level:

High sensitivity
Medium sensitivity
Low sensitivity

Another is by access:

Public
Internal-only
Confidential
Restricted
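
The two schemes above are usually tied together in practice: a detector decides the sensitivity level, and the level decides the access label and the retention period. The example below is added here and is not from the original notes. It classifies a few constructed records into the High/Medium/Low levels and the Public/Internal-only/Confidential/Restricted labels listed above; the policy table, the mapping between the two schemes and the detectors (a Luhn check for card numbers, a keyword list for healthcare data, an email pattern for personal data) are all assumptions chosen for illustration. Records that match no detector default to Low / Internal-only rather than Public, so data is never exposed simply because nothing recognised it.

```python
"""Added example, not from the original notes: a small classifier that
assigns each record a sensitivity level (High/Medium/Low) and, from the
level, an access label and a retention period. The detectors, the policy
table and the sample records are constructed; the mapping from
sensitivity level to access label is an assumption."""
import re
from typing import Dict, List

# Constructed policy. Unknown data defaults to Low / Internal-only rather
# than Public, so nothing is exposed merely because no detector matched.
POLICY = {
    "High":   {"access": "Restricted",    "retention_days": 7 * 365},
    "Medium": {"access": "Confidential",  "retention_days": 3 * 365},
    "Low":    {"access": "Internal-only", "retention_days": 365},
}

PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13-19 digits
EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
HEALTH_TERMS = {"patient", "diagnosis", "prescription", "icd-10"}

# Constructed sample records.
SAMPLE_RECORDS = [
    "cafeteria menu for May",
    "card on file 4111 1111 1111 1111 exp 09/27",
    "order id 1234567812345678 shipped",
    "patient diagnosis: hypertension, follow-up in 6 weeks",
    "contact: jane.doe@example.com",
]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers. It separates real
    card numbers from order or tracking ids that merely look like one."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:             # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def contains_pan(text: str) -> bool:
    for match in PAN_CANDIDATE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", match.group())):
            return True
    return False


def classify(record: str) -> Dict[str, object]:
    """Return the sensitivity level, access label, retention and reasons."""
    reasons: List[str] = []
    tokens = set(re.findall(r"[a-z0-9-]+", record.lower()))
    if contains_pan(record):
        reasons.append("payment card number (Luhn-valid)")
    if tokens & HEALTH_TERMS:
        reasons.append("healthcare information")
    if reasons:
        level = "High"
    elif EMAIL.search(record):
        reasons.append("personal data (email address)")
        level = "Medium"
    else:
        level = "Low"
    return {"level": level, "reasons": reasons, **POLICY[level]}


def classify_all(records: List[str]) -> Dict[str, str]:
    """Map each record to its access label."""
    return {r: classify(r)["access"] for r in records}


if __name__ == "__main__":
    for record in SAMPLE_RECORDS:
        result = classify(record)
        print(f"{result['level']:6} {result['access']:13} {record}")
```

The third sample record is the instructive one: it contains sixteen digits that look like a card number, but the Luhn check fails, so it stays Internal-only instead of being pushed to Restricted. Classification rules that fire on shape alone tend to over-classify, which in turn makes people route around the controls.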

Business continuity (BC) and disaster recovery (DR)

Business continuity and disaster recovery are also essential
security principles in infosec. Proper business continuity planning
enables organizations to minimize downtime and maintain
business-critical functions during and after an interruption (such
as a cyberattack or natural disaster).

A disaster recovery plan helps the company regain use of its critical
information systems and IT infrastructure as soon as possible after
a disaster. It assures that data remains available and unchanged,
which reduces the risk of data loss. Data backups and redundant
systems are two common BC/DR strategies in infosec.

Change management
A formal change management process is also crucial for infosec.
When data and system changes are not managed properly, that can
lead to outages that affect availability, prevent authorized users
from accessing the data they need, or otherwise harm security.

What Are the Seven Ps of Information Security Management?

The following are the seven Ps of information security
management:

Policy. Policy involves defining and establishing information
security policies that guide an organization’s overall approach to
protecting its information assets. Policies outline rules,
responsibilities, and acceptable behavior related to information
security.

Program. Program refers to the strategic plan and management
system to implement and monitor information security policies
and practices. It includes risk assessments, security awareness
training, incident response planning, and compliance monitoring.

People. People covers creating awareness among employees about
security risks and best practices, establishing roles and
responsibilities, and ensuring that individuals are accountable for
their actions regarding information security.

Processes. Processes focus on the procedures and workflows that
support information security. They include access control, incident
response, change management, and vulnerability assessments.

Protection. Protection refers to the technical and physical measures
to safeguard information assets. This includes implementing
firewalls, encryption, access controls, antivirus software, and other
security technologies.

Projects. Projects involve managing information security initiatives
and improvements, such as system upgrades, security
enhancements, and the implementation of new security solutions.

Partnerships. Partnerships emphasize the importance of
collaborating with external partners, such as vendors, suppliers,
and other organizations. This assures that information security is
taken into account in third-party relationships and that partners
adhere to necessary security standards.

Top Seven Threats to Information Security

1. Viruses and worms
A virus is malicious code that can auto-replicate and spread from
one infected system to another, usually without the knowledge or
permission of a user or system administrator.

Like a virus, a worm is also a self-replicating program. Unlike a
virus, however, it spreads without copying itself to a host program
and without any human interaction. Both viruses and worms can
damage or destroy an organization’s data, network, or systems.

2. Malware
Malware is a destructive program that bypasses enterprise security
systems, such as firewalls, to infect enterprise networks. It allows a
malicious actor to infect, explore, or steal information. Malware
comes in many variants, including:
Adware
Malvertising
Botnet
Remote administration tools (RATs)
Rootkits
Spyware
Attackers may deliver malware against information security (and IT
security in general) through many channels, including:
Email attachments
File servers
File sharing software
Peer to peer (P2P) file sharing
Exploit kits
Remote systems

3. Ransomware
Ransomware is malware that allows an attacker to encrypt data or
lock users out of their systems. The attacker demands a ransom
payment from the victim before restoring access to the data. The
number of ransomware attacks worldwide stands at a staggering
493.33 million as of 2023, and the average ransom demand is $4.7
million. This is one of the biggest cyber risks today.

4. Phishing scams
In a phishing scam, hackers trick victims into revealing
confidential or sensitive information, such as login credentials or
financial data.

Most phishing scams start with fake emails that appear to be from
legitimate sources. The email includes a malicious link or
attachment. When the victim clicks on the link, they are directed to
the fake website, where the victim is fooled into giving up sensitive
data. Sometimes opening an attachment installs malware on the
victim’s system that can harvest sensitive data for the attacker.
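
The link in a phishing email is where the deception usually shows: the visible text names the legitimate site while the href leads somewhere else, often to a bare IP address. The example below is added here and is not part of the original notes. It parses a constructed HTML message, pairs each link's visible text with its real target, and flags the two indicators just named. The message, the documentation-range IP address and the "last two labels" domain heuristic are all constructed assumptions; a production filter would use the public suffix list and many more signals.

```python
"""Added example, not from the original notes: flag the phishing tell the
text describes, a link whose visible text names one site while its href
leads elsewhere, plus links to bare IP addresses. The HTML message and
the domain heuristic below are constructed for illustration."""
import re
from html.parser import HTMLParser
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Constructed sample message (documentation-range IP and example domains).
SAMPLE_EMAIL = """\
<p>Your account will be suspended. Please verify at
<a href="http://198.51.100.23/login">https://bank.example.com/verify</a>
or read our <a href="https://bank.example.com/help">help pages</a>.</p>
<p>Statement: <a href="https://statements.bank.example.com/q1">bank.example.com statements</a></p>
"""

HOSTNAME_IN_TEXT = re.compile(
    r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html: str) -> List[Tuple[str, str]]:
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def host_of(url_or_host: str) -> str:
    # Accept a bare hostname (as it appears in anchor text) or a full URL.
    candidate = url_or_host if "://" in url_or_host else "http://" + url_or_host
    return (urlparse(candidate).hostname or "").lower()


def base_domain(host: str) -> str:
    # Simplification: the last two labels. Production code should use the
    # public suffix list so that e.g. example.co.uk is handled correctly.
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def suspicious_links(html: str) -> List[Dict[str, object]]:
    """Return the links in an HTML message that show phishing indicators."""
    findings = []
    for href, text in extract_links(html):
        href_host = host_of(href)
        reasons = []
        if IPV4.fullmatch(href_host):
            reasons.append("link target is a bare IP address")
        shown = HOSTNAME_IN_TEXT.search(text)
        if shown:
            shown_host = host_of(shown.group())
            if base_domain(shown_host) != base_domain(href_host):
                reasons.append(
                    f"text shows {shown_host} but link goes to {href_host}")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_EMAIL):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

Only the first link is reported, with both reasons. The third link is deliberately a near miss: its text names `bank.example.com` while the href goes to a subdomain of it, which the base-domain comparison correctly treats as the same organisation. Plain text such as "help pages" carries no hostname to compare and is left alone.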

5. Drive-by download attacks
In drive-by download attacks, malicious code is downloaded from a
website to a user’s system via a browser without the user’s
permission or knowledge. Simply accessing or browsing an
infected website can start the downloading, allowing
cybercriminals to steal sensitive information from the victim’s
device.

6. Insider threats
Careless and malicious insiders are both serious information
security threats. Organizations have experienced a substantial
surge in the cost of credential theft, soaring by 65 percent, from
$2.79 million in 2020 to a staggering $4.6 million today. Moreover,
incidents that took over 90 days to contain have proven to be even
more

Insider credential thieves are another problem since they steal
credentials and valuable enterprise data. Insiders can be serious
information security threats since they can:

Exfiltrate sensitive data
Sell company data for financial gain
Steal intellectual property or trade secrets for corporate espionage
Expose information on the dark web to embarrass the firm or
damage its reputation
Send emails or files to the wrong recipient, leading to data theft or
abuse

7. Advanced persistent threats (APTs)
In an APT attack, an attacker penetrates the enterprise network
and remains undetected for an extended period. The attacker’s goal
is not to cause immediate damage but to monitor network activity
and steal information. These attackers are often organized crime,
terrorist groups, or state-sponsored hackers.

Make ZenGRC Part of Your Information Security Plans

Power your organization’s infosec program with ZenGRC, an
integrated platform that helps you manage risk and vulnerabilities
across your business.

ZenGRC is a single source of truth to assure that your organization’s
infosec efforts are all aligned. Policies and procedures are
revision-controlled and easy to find in the document repository.
Workflow management features offer easy tracking, automated
reminders, and audit trails. Insightful reporting and dashboards give
visibility to gaps and high-risk areas.

Meet information privacy requirements, streamline third-party
risk management, and quickly identify and respond to incidents.
With ZenGRC, you can do all this to protect data integrity, safeguard
your business, and minimize loss events. You can even plan for
worst-case scenarios and potential threats to boost your business
continuity and disaster recovery program.
