INFOSEC

More Than Rules and Regulations

Information Security—commonly called InfoSec—is one of the most pressing needs for modern organizations. The issue is even more severe today due to vulnerabilities created by COVID-19. In the first quarter of 2020, we saw cloud-based attacks increase by 630% across the board, while phishing attempts were up by 600% as of February’s end. As cyberthreats increase, firms need to develop dynamic InfoSec policies to protect both internal data and private customer information.

What is InfoSec?

While Information Security as a concept is a contemporary idea, its fundamentals date back to 100 BC and the development of the Caesar cipher. Also called a shift cipher, it was used by Julius Caesar to send encrypted messages to his generals in the field. The technique shifts each letter of the alphabet by a fixed number of positions, so a message is unreadable to anyone who does not know the shift, which serves as the key. The shift cipher would become a building block for many more complex cryptographic methods in the future.
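The shift cipher described above, as an added example that is not part of the original page: an encrypt/decrypt pair in Python plus a function that enumerates the entire key space, which shows why the cipher has only 25 usable keys and is a teaching device rather than a modern confidentiality control.

```python
import string

ALPHABET_SIZE = len(string.ascii_uppercase)  # 26 letters


def shift_cipher(text: str, key: int) -> str:
    """Encrypt text with a Caesar/shift cipher.

    Each ASCII letter is moved `key` positions forward in the alphabet,
    wrapping around at Z. Case is preserved and any non-letter character
    (spaces, digits, punctuation) passes through unchanged.
    """
    key %= ALPHABET_SIZE
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + key) % ALPHABET_SIZE + base))
        else:
            out.append(ch)
    return "".join(out)


def shift_decipher(text: str, key: int) -> str:
    """Decrypt by shifting backwards; equivalent to encrypting with -key."""
    return shift_cipher(text, -key)


def all_candidate_plaintexts(ciphertext: str) -> dict[int, str]:
    """Return every possible decryption, keyed by shift value 1..25.

    Because the key space is this small, anyone holding the ciphertext can
    simply read all 25 candidates; the cipher offers no real confidentiality,
    which is the point of presenting it only as a historical building block.
    """
    return {k: shift_decipher(ciphertext, k) for k in range(1, ALPHABET_SIZE)}


if __name__ == "__main__":
    message = "Attack at dawn"  # constructed sample plaintext
    secret = shift_cipher(message, 3)
    print(secret)  # Dwwdfn dw gdzq
    print(shift_decipher(secret, 3))
    print(len(all_candidate_plaintexts(secret)), "candidate plaintexts")
```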

Today, the word InfoSec is primarily used to describe the protection of computer systems and the data contained within. InfoSec is often described as being based in the “CIA triad” of confidentiality, integrity, and availability:

Confidentiality

Ensuring that information is not disclosed to unauthorized parties

Integrity

Establishing that information is protected from unauthorized changes for its entire life cycle

Availability

Assuring that data will be accessible for its designated purpose at any time it is needed

InfoSec is an overly broad term and is frequently applied to many different classifications of data—sensitive, classified, intellectual property, or privacy-based information. As a result, there is no single InfoSec process that works for all data. Instead, individual regulatory bodies create rules and restrictions for data specific to an industry or individual.

Rules and Regulations to Know

The list of regulations regarding data security is virtually endless, and many of them are focused on specific industries. However, there are some which are more common for companies to deal with. Here are a few of the more commonly encountered security and privacy regulations:

Children’s Online Privacy Protection Act (COPPA)

COPPA applies to companies which collect personal information on minors—specifically children under 13 years old. It strictly limits the information that can be collected on minors, as well as what can be done with that information. Companies subject to COPPA must provide notices of data collection and make an effort to inform parents or guardians of use. Parental permission is required to retain data, and companies can only keep it long enough to fulfill the initial contact. Provisions within this act are so challenging that companies often use 13 as the cutoff age for participants to avoid barriers.

Federal Information Security Management Act of 2002 (FISMA)

The Gramm-Leach-Bliley Act (GLBA)

Health Insurance Portability and Accountability Act (HIPAA)

Sarbanes-Oxley Act (SOX)

Family Educational Rights and Privacy Act (FERPA)

It’s not uncommon for a business to fall under the purview of multiple security regulations. A good example would be holders of Health Savings Accounts (HSAs), who must comply with HIPAA, GLBA and SOX. On top of that, it’s rare that all regulations will apply to all customers of an organization. Sometimes companies will attempt to juggle multiple regulations at the client level, making privacy management even more challenging, but usually an organization will simply apply the most stringent requirements to all of their customers.

In addition, there are a number of security frameworks that an organization’s business customers may expect their vendors to be compliant with—these are but a few of them:

NIST SP 800-53: Security and Privacy Controls for Federal Information Systems and Organizations

NIST SP 800-171: Assessing Security Requirements for Controlled Unclassified Information

Service Organization Controls – Level 2 (SOC 2)

Payment Card Industry Data Security Standard (PCI DSS)

Common Threats to Information Security

Bad actors continually think of new ways to access protected information. Companies and organizations must be aware of these threats and take appropriate steps to combat them before they are breached. This can be a huge challenge in the face of growing data stores and limited budgets, but being prepared for these threats in advance is far easier than recovering from a breach that could have been prevented. Here are some of the most prevalent threats to data today:

Distributed Denial of Service

Backdoor and Supply-Chain Attacks

Ransomware

Social Engineering

Insider Attacks

Advanced Persistent Threats

This is only a small subset of the myriad InfoSec threats corporations face today, and new ones are being invented every day. With that in mind, methods for preventing attacks on a company’s data must evolve rapidly, just like the threats they defend against.

Managing Information Security More Effectively

The management of information security requires a wide range of knowledge across numerous domains, and the ability to properly frame that knowledge in the larger picture of the business. Among other things, organizations in today’s world must consider Application Security, Cloud Security, Infrastructure and Network Security, Cryptography, Vulnerability Management, and Incident Response.

Application Security

Cloud Security

Encryption

Infrastructure Security

Incident Response

The reality is that no firm will be able to prevent all forms of breaches at all times. The sheer volume of attacks, along with the quantity of data stored, makes perfection unattainable. An incident response plan is essential. No organization ever wants to use it, but it is invaluable when it’s needed.

The ability to contain and quarantine affected systems and files can minimize the scope of the problem, but only if it is possible to identify the issue and trace its origin. Building a system with clear observability and configuring automated monitoring of expected behavior are vital parts of error tracing and root cause analysis.

Vulnerability Management

Vulnerability management is an ongoing process of continuous improvement of systems and software. Scans, vulnerability alerting and threat intelligence feeds alert administrators to problems within a system and allow them to respond rapidly to patch or mitigate the issues. This process can often be automated to ensure regular, timely testing that catches emerging threats.

New threats to information security emerge every day. Security cannot be static. Constant improvements must respond to these issues, and cyber threat intelligence feeds should be leveraged to stay abreast of changes.

The threats and practices above are only a small sample of what firms face today. Some of the biggest threats to come likely haven’t even been invented yet. With that in mind, security methods for preventing data breaches or modification must evolve right along with the risks.
