More Than Rules and Regulations
Information Security—commonly called InfoSec—is one of the most pressing needs for modern organizations. The issue is even more severe today due to vulnerabilities created by COVID-19. In the first quarter of 2020, we saw cloud-based attacks increase by 630% across the board, while phishing attempts were up by 600% as of February’s end. As cyberthreats increase, firms need to develop dynamic InfoSec policies to protect both internal data and private customer information.
What is InfoSec?
While Information Security as a concept is a contemporary idea, its fundamentals date back to 100 BC and the development of the Caesar cipher. Also called a shift cipher, it was used by Julius Caesar to send encrypted messages to his generals in the field. The method shifts each letter a fixed number of places along the alphabet, leaving the message unreadable to anyone who does not know the key (the amount of the shift). The shift cipher would become a building block for many more complex cryptographic methods in the future.
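As an added illustration of the shift cipher described above (example code written for this page, not part of the original article), the following Python encrypts and decrypts with a Caesar shift and then recovers the key without knowing it by trying all 26 possible shifts and scoring each candidate against a small list of common English words. The message and the word list are constructed for the example. It shows the lesson a defender takes from the cipher's history: a scheme whose entire key space can be enumerated instantly offers no confidentiality today, however useful it was as a building block.

```python
from __future__ import annotations

import string

ALPHABET_SIZE = 26  # a Caesar key is a shift of 0..25 positions

# Small set of common English words used as a constructed scoring heuristic.
COMMON_WORDS = {"THE", "AND", "OF", "TO", "IN", "IS", "IT", "AT", "BE",
                "ME", "WE", "FOR", "WITH", "THAT", "THIS", "NOT"}


def caesar_shift(text: str, key: int, decrypt: bool = False) -> str:
    """Shift every ASCII letter by `key` places (backwards when decrypting).

    Case is preserved and non-letters (spaces, digits, punctuation) pass
    through unchanged, so word boundaries survive in the ciphertext.
    """
    k = (-key if decrypt else key) % ALPHABET_SIZE
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + k) % ALPHABET_SIZE + base))
        else:
            out.append(ch)
    return "".join(out)


def encrypt(plaintext: str, key: int) -> str:
    return caesar_shift(plaintext, key)


def decrypt(ciphertext: str, key: int) -> str:
    return caesar_shift(ciphertext, key, decrypt=True)


def english_score(candidate: str) -> int:
    """Count tokens that are common English words; higher looks more like English."""
    tokens = (tok.strip(string.punctuation).upper() for tok in candidate.split())
    return sum(1 for tok in tokens if tok in COMMON_WORDS)


def all_candidates(ciphertext: str) -> list[tuple[int, str]]:
    """Every possible decryption: the whole key space is only 26 entries."""
    return [(k, decrypt(ciphertext, k)) for k in range(ALPHABET_SIZE)]


def break_caesar(ciphertext: str) -> tuple[int, str]:
    """Recover the key by exhaustive search, keeping the most English-looking candidate."""
    return max(all_candidates(ciphertext), key=lambda kp: english_score(kp[1]))


if __name__ == "__main__":
    message = "MEET ME AT THE BRIDGE AT MIDNIGHT AND BRING THE GOLD"  # constructed sample
    ciphertext = encrypt(message, 11)
    print("ciphertext:", ciphertext)
    key, recovered = break_caesar(ciphertext)
    print(f"recovered key {key}: {recovered}")
```

The word-list heuristic is deliberately simple; on very short messages it can tie between candidates, which is why real cryptanalysis tools also compare letter frequencies. The point stands regardless of the scoring method: with 26 keys there is nothing to search, which is the property a modern cipher's key size is chosen to rule out.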
Today, the word InfoSec is primarily used to describe the protection of computer systems and the data contained within. InfoSec is often described as being based on the “CIA triad” of confidentiality, integrity, and availability:
Confidentiality: ensuring that information is not disclosed to unauthorized parties
Integrity: establishing that information is protected from unauthorized changes for its entire life cycle
Availability: ensuring that information, and the systems that hold it, remain accessible to authorized users when needed
InfoSec is an overly broad term and is frequently applied to many different classifications of data—sensitive, classified, intellectual property, or privacy-based information. As a result, there is no single InfoSec process that works for all data. Instead, individual regulatory bodies create rules and restrictions for data specific to an industry or individual.
Rules and Regulations to Know
The list of regulations regarding data security is virtually endless, and many of them focus on specific industries. A few, however, come up for most companies. Here are some of the more commonly encountered security and privacy regulations:
Children’s Online Privacy Protection Act (COPPA)
COPPA applies to companies which collect personal information on minors—specifically children under 13 years old. It strictly limits the information that can be collected on minors, as well as what can be done with that information. Companies subject to COPPA must provide notices of data collection and make an effort to inform parents or guardians of how the data is used. Parental permission is required to retain data, and companies can only keep it long enough to fulfill the initial contact. Its provisions are demanding enough that companies often set 13 as the minimum age for participants simply to avoid falling under the act.
Health Insurance Portability and Accountability Act (HIPAA)
Sarbanes-Oxley Act (SOX)
Family Educational Rights and Privacy Act (FERPA)
It’s not uncommon for a business to fall under the purview of multiple security regulations. A good example would be holders of Health Savings Accounts (HSAs), who must comply with HIPAA, GLBA and SOX. On top of that, it’s rare that every regulation applies to every customer of an organization. Some companies attempt to juggle multiple regulations at the client level, which makes privacy management even more challenging, but usually an organization will simply apply the most stringent requirements to all of its customers.
In addition, there are a number of security frameworks that an organization’s business customers may expect their vendors to be compliant with—these are but a few of them:
Service Organization Controls – Level 2 (SOC 2)
Payment Card Industry Data Security Standard (PCI DSS)
Common Threats to Information Security
Bad actors continually think of new ways to access protected information. Companies and organizations must be aware of these threats and take appropriate steps to combat them before a breach occurs. This can be a huge challenge in the face of growing data stores and limited budgets, but preparing for these threats in advance is far easier than recovering from a breach that could have been prevented. Here are some of the most prevalent threats to data today:
Distributed Denial of Service
Backdoor and Supply-Chain Attacks
Advanced Persistent Threats
This is only a small subset of the myriad InfoSec threats corporations face today, and new ones are being invented every day. With that in mind, methods for preventing attacks on a company’s data must evolve rapidly, just like the threats they defend against.
Managing Information Security More Effectively
The management of information security requires a wide range of knowledge across numerous domains, and the ability to properly frame that knowledge in the larger picture of the business. Among other things, organizations in today’s world must consider Application Security, Cloud Security, Infrastructure and Network Security, Cryptography, Vulnerability Management, and Incident Response.