
The importance of information security and its implementation

Threats to the security of an organisation's information assets are constantly evolving and compliance requirements (e.g. GDPR, NIS) are becoming increasingly complex. Organisations, large and small, need to create a comprehensive security program to cover both of these challenges.

Without a formal information security policy, it is impossible to coordinate and implement a security program across an organisation or to communicate security measures to third parties.

What is information security?

To put it simply, information security is the sum of the people, processes and technologies implemented within an organisation to protect information assets. Its purpose is to prevent the unauthorised disclosure, disruption, access, use or modification of these information assets.
There are three principles of information security, the famous CIA triad: confidentiality (C), integrity (I) and availability (A).
They are defined as follows:

  • Confidentiality - the protection of information from any unauthorised disclosure
  • Integrity - the protection of information against any unauthorised modification and the guarantee of authenticity, accuracy, non-repudiation and completeness of data
  • Availability - the protection of information from unauthorised destruction and the guarantee that data is accessible when needed

Without information security, an organisation's information assets, including any intellectual property, are at risk of being compromised or stolen. As a result, the trust or even the freedoms and rights of citizens as well as the reputation of the organisation may be jeopardised. It is important to keep the principles of the CIA triad in mind when developing an organisation's information security policies.

How can information security be implemented?

Information security is based on a set of process management strategies and a written policy, or policies and procedures, aimed at detecting, identifying, protecting against and countering threats targeting information regardless of format (digital or otherwise) or state (in transit, being processed or stored at rest).

What is an information security policy?

Information security policy is embodied in a document or set of documents that demonstrates the management's commitment and defines the objectives, organisation and means used to manage information security. It also provides guidance to those working with information assets.
In accordance with ISO 27001/2, security policy is constructed as a pyramid with the following levels:

  • At the top of the pyramid: Corporate information security policy (principles and axioms)
  • At the second level of the pyramid: Topic-based security policies (specific controls addressing information risks)
  • At the third level of the pyramid: Information security standards (security parameters, protocols, etc.)
  • At the base of the pyramid: Procedures and guidelines (materials that incentivise and explain security awareness and training)

Why is having an information security policy important?

Information security policy defines what is required of an organisation's employees from a security perspective; it conveys the commitment of an organisation's management to this essential subject.
Information security policy also provides guidance on which a control framework can be built to protect an organisation against external and internal threats; it is a mechanism for supporting an organisation's legal and ethical responsibilities.
Finally, information security policy is a mechanism for holding individuals accountable for complying with expected information security behaviours.