IT SECURITY VS. INFORMATION SECURITY – WHAT’S THE DIFFERENCE?
Two things that are often confused with each other: the security of information technology (IT) and the security of information. In times of digitization, information is usually processed, stored or transported using IT – but information security is often even more analog than expected! Basically, IT security and information security are closely linked. A systematic approach is therefore required to effectively protect confidential information and IT.
IT SECURITY VS. INFORMATION SECURITY
Information security is more than just IT security. It focuses on the entire company, because the security of confidential information is not aimed only at data processed with electronic systems. Information security encompasses all corporate assets to be protected, including those on analog data carriers such as paper.
“IT security and information security are two terms that are not (yet) interchangeable.”
PROTECTION GOALS OF INFORMATION SECURITY
The three main protection goals of information security – confidentiality, availability and integrity – also apply to a letter with important contract documents, which must reach its recipient by courier entirely in analog form, yet still punctually, reliably and undamaged. And these protection goals apply equally to an A4 sheet that contains confidential information but lies visible to everyone on an unsupervised desk, or sits freely accessible in the copier, open to unauthorized access.
Thus, information security extends beyond IT security. IT security, on the other hand, “only” relates to the protection of information on IT systems.
IT SECURITY BY DEFINITION
What do official bodies say? IT security is “a state in which the risks that exist when using information technology due to threats and vulnerabilities are reduced to an acceptable level through appropriate measures. IT security is therefore the state in which confidentiality, integrity and availability of information and information technology are protected by appropriate measures,” according to the Federal Office of Security in Information Technology (BSI).
INFORMATION SECURITY = IT SECURITY PLUS X
In practice, a different approach is sometimes followed, namely the rule of thumb “information security = IT security + data protection”. This statement, written as an equation, is quite striking. It holds where data protection under the GDPR, that is, the protection of privacy, is concerned: processors of personal data are required to have both secure IT and, for example, a secure building environment, so that physical access to customer records is ruled out. However, important analog data that do not require protection as personal data are left out, for example company construction plans and much more.
The term information security contains basic criteria that go beyond pure IT aspects, but always include them. Comparatively simple technical or organizational measures in the context of IT security are always taken against the background of adequate information security. Examples include:
- Securing the power supply to the hardware
- Measures against hardware overheating
- Virus scans and secure programs
- Organization of folder structures
- Setting up and updating firewalls
- Training of employees etc.
It is obvious that computers and complete IT systems need not be protected for their own sake: without information to be processed or transported digitally, hardware and software become pointless.
IT SECURITY BY LAW
On the topic of critical infrastructures: The IT Security Act has critical infrastructures from different sectors in mind, such as electricity, gas and water supply, transport, finance, nutrition or health. The main focus here is on protecting the IT infrastructure from cybercrime, in order to maintain the availability and security of IT systems. In particular, the telecontrol systems that are digitally controlled today must be protected.
These protection goals are in the foreground (extract):
- Consider IT security risks
- Creation of IT security concepts
- Creation of emergency plans
- Take general security precautions
- Internet security control
- Use of cryptographic methods etc.
ISO 27001 – THE STANDARD FOR INFORMATION SECURITY
What does ISO 27001 say? The globally recognized standard for an information security management system (ISMS), with its derivatives ISO 27019, ISO 27017 and ISO 27701, is titled as follows in the current German version:
DIN EN ISO/IEC 27001:2017 – Information technology – Security procedures – Information security management systems – Requirements (ISO/IEC 27001:2013 including Cor 1:2014 and Cor 2:2015)
The title of this important standard makes it clear that IT security plays a major role for information security today and will continue to gain in importance in the future. However, the requirements set out in ISO 27001 do not directly target digital IT systems. On the contrary: DIN ISO/IEC 27001 speaks of “information” across the board. It makes no basic distinction as to whether this information is processed, or is to be protected, in an analog or a digital way.
A successfully implemented ISMS supports a holistic security strategy: It encompasses organizational measures, security-conscious personnel management, the security of the IT structures used and compliance with legal requirements.
INFORMATION SECURITY IS OFTEN MORE ANALOG THAN EXPECTED
Anyone who wanted to could lay the standard requirements of ISO 27001 over a completely analog system and in the end would have achieved as much as someone who applies the requirements to a thoroughly digital system. Terms such as telework or mobile devices only appear in Annex A of the well-known ISMS standard, which contains measures for users. However, the measures in Annex A of the standard are also a reminder that in every company there are still analog processes and situations that must be taken into account with regard to information security.
Anyone who uses a smartphone to speak loudly about sensitive topics in public, for example on the train, does use digital communication channels, but the real fault lies in their own conduct. And if you don’t tidy up your desk, you’d better lock your office to keep things confidential. At least the former, as one of the most effective individual measures for the secure protection of information, is usually still carried out manually, yet …
IT SECURITY VS. INFORMATION SECURITY – CONCLUSION
IT security and information security are two terms that are not (yet) interchangeable. Rather, IT security is a component of information security, which in turn also includes analog facts, processes and communication – which, incidentally, is still common practice today. However, due to increasing digitization, these terms are moving closer together, so that the difference in meaning will probably become more marginal in the future.