Information security and data privacy
Online security and privacy have been a hotly debated topic over the last few years due to the sheer scale and fast development of the information technology field, requiring a need for stable information architecture and implementation in addition to information literacy. Both electronic devices and smart software are beginning to sprawl everywhere around us and we have started to incorporate them in every aspect of our daily lives. However, in order for these devices and services to operate to their full potential, as well as to continue to expand and make our lives easier, they need to collect, store, utilize and manage user information and data effectively. A successful user report benefits such companies immensely, enabling them to get the edge over the competition.
Seeing as how information and user data are both extremely invaluable in our technological society, it does not come as a surprise that many companies have gone out of their way before to obtain them by any means necessary (with some even conducting actions beyond those bound by legislation). This has, consequently, made it clear that certain rules and regulations need to be imposed in order to prevent this abuse observed with online users’ data specifically in relation to the information collection, its storage, processing and even removal, if requested by the individual. Due to this, the terms information security and data privacy were coined, allowing them to evolve from simple concepts to irreplaceable and obligatory practices that need to be implemented by businesses and service providers worldwide.
But what exactly does information security and its principles mean? How is it different from data privacy? Do they have anything in common? Can they be interchangeable or are they completely separate in meaning? Additionally, there are a plethora of other questions that get thrown around when it comes to these popular concepts. Because of this, in the following article, we are going to cover these questions as well as expand upon the 2 terms.
What is information security?
Information security, usually shortened to just ‘infosec’, largely refers to how companies collect, store and process user data. In more direct terms, it encompasses the actions that need to be performed in order for the information to be kept safe and secure without the possibility of any leaks occurring, which can have potentially damaging effects on both the company or business and the individual whose information would be exposed. This also includes online privacy-protecting actions as well including something as simple as protecting your website from spammy bots, which is why we utilize hCaptcha.
The whole process of achieving and maintaining information security involves creating a number of different strategies and implementing them appropriately into the work process with the use of the correct tools and applications. However, in order for the entire process to be successfully designed and put into practice, there is a framework that needs to be followed, consisting of some rules and regulations that are required to be covered and subsequently implemented, which are also known as the information security pillars.
Generally speaking, there are 5 of these so-called pillars, but some companies like to combine them together in practice, hence why you can come across them online as only 3 or 4 major concepts. But what are they?
The 5 separate information security pillars include:
- Integrity
- Availability
- Confidentiality
- Non-repudiation/Indisputability
- Authenticity/Authentication
Let’s look at each one of these concepts in order to get a better understanding of what each information security pillar encompasses.
Integrity
Integrity in the field of infosec refers to the originality of the data and its ability to be preserved in its native format. Being able to store data in the exact same way that it was provided is absolutely crucial. Any changes made would tarnish the data and can potentially have severe consequences in the long run. Changes that need to be made have to first be approved legally. Only after they have been authenticated and thoroughly checked, including the outcomes that might occur after the data alteration, can the information actually be changed. Any haphazardous or unauthorized changes in the data will result in integrity loss.
Availability
The next pillar is availability. In simple terms, it means that users should be allowed to view the information that they have shared with a given company, business or service provider. Every individual has the rights to their own data and information and it is absolutely crucial for them to be able to do so. Any potential problems that might prevent users from gaining access to their information can be quite damaging to the company or business’ reputation. Such issues could range from inefficient system design and a confusing interface to system downtime, harmful bugs and slow maintenance speeds, which can lead to total system failures and complete data loss. Because of this, it is of the utmost importance for businesses and service providers to make sure that their systems are constantly updated and that no harmful or malicious software is installed on any of the servers or information-hosting machines.
Confidentiality
Confidentiality refers to the overall protection of the information from individuals who are working with it. This involves having employees sign confidentiality agreements, which prevent them from spreading user information and any findings that are based on it. Some of the data might be quite sensitive and if it falls into the public hands, it can have quite the bad impact on the individual who it belongs to. Additionally, the same applies to any company-specific information such as financial reports and development plans, as these are both examples of data that can aid the competition. Some more potential ways to implement this pillar in the grand scheme of information security are, as we already mentioned, introducing non-disclosure agreements and special contracts clauses, as well as sufficient data encryption on multiple levels.
Non-repudiation
Finally, there is non-repudiation, which is also commonly known as indisputability. This concept refers to the fact that any piece of information cannot be described as untrue due to the fact that there is sufficient evidence to prove that it is valid including its origin, initial format and overall integrity. Any information stored will always be regarded as true and original if any changes are not made to it. This is important because if any legal actions are required to be taken, the information will serve as evidence that cannot be denied. Due to this, it is important for it to be left unchanged, which in turn also supports the first pillar that we discussed - integrity.
Authenticity
This pillar can also be found as ‘authentication’ as it involves identifying the individual who is trying to access any information within a given company or business. Similarly to the confidentiality principle, companies need to implement additional security measures to ensure that random employees, outside visitors and hackers can not gain access to the information. Examples of this could be to introduce biometric scans with fingerprint or face recognition and a two-factor authentication system.
As it can be seen, although all 5 pillars can be looked at separately, it is evident that they work together to ensure that appropriate measures are taken to implement information security successfully.
How is data privacy different?
Data privacy, on the other hand, focuses on the legal ways that user information should be stored and protected. This includes data protection laws and regulations such as the GDPR in Europe as well as general practices for ensuring that the data collection and storage process is governed appropriately. This is why there is some overlap present between the 2 concepts of data privacy and information security, but there are also different due to the fact that data privacy focuses a lot more on the legal side of the process, while infosec is largely aimed towards the internal processes that companies need to undertake in order to protect the data.
Furthemore, with data privacy, individuals and online users are capable of asking companies about the data that they have collected about them, while also being allowed to request for said data to be deleted. This is also known as the RTBF, short for the Right To Be Forgotten, which is present in the EU and its similar counterpart in the US - the CCPA, which stands for the California Consumer Privacy Act.
Overall, information security refers to the ways in which companies and service providers should be taking actions in order to ensure that user data is stored correctly, while also preventing it from falling into the wrong hands, whereas data privacy primarily focuses on the laws and regulations that exist, which can help individuals take control of their data from said companies should they need to.