Information security
{{Short description|Protecting information by mitigating risk}} {{Use mdy dates|date=November 2023}} {{Merge from | Information assurance | discuss=Talk:Information security#Merger discussion |date=November 2024}} '''Information security''' is the practice of protecting [[information]] by mitigating information risks. It is part of information risk management.<ref>{{Cite journal |last1=Joshi|first1=Chanchala|last2=Singh|first2=Umesh Kumar|date=August 2017|title=Information security risks management framework – A step towards mitigating security risks in university network|url=http://dx.doi.org/10.1016/j.jisa.2017.06.006|journal=Journal of Information Security and Applications|volume=35|pages=128–137|doi=10.1016/j.jisa.2017.06.006|issn=2214-2126|url-access=subscription}}</ref> It typically involves preventing or reducing the probability of unauthorized or inappropriate access to [[data]] or the unlawful use, [[Data breach|disclosure]], disruption, deletion, corruption, modification, inspection, recording, or devaluation of information. It also involves actions intended to reduce the adverse impacts of such incidents. 
Protected information may take any form, e.g., electronic or physical, tangible (e.g., [[Document|paperwork]]), or intangible (e.g., [[knowledge]]).<ref>{{cite journal |last1=Daniel |first1=Kent |last2=Titman |first2=Sheridan |title=Market Reactions to Tangible and Intangible Information |journal=The Journal of Finance |date=August 2006 |volume=61 |issue=4 |pages=1605–1643 |doi=10.1111/j.1540-6261.2006.00884.x |url=https://www.nber.org/papers/w9743 |ssrn=414701 }}</ref><ref>{{Cite book|first=Kerstin|last=Fink|title=Knowledge Potential Measurement and Uncertainty|date=2004|publisher=Deutscher Universitätsverlag|isbn=978-3-322-81240-7|oclc=851734708}}</ref> Information security's primary focus is the balanced protection of [[data confidentiality]], [[data integrity|integrity]], and [[data availability|availability]] (also known as the 'CIA' triad)<ref name="SamonasTheCIA14">{{cite journal |author1=Samonas, S. |author2=Coss, D. |year=2014 |title=The CIA Strikes Back: Redefining Confidentiality, Integrity and Availability in Security |url=http://www.jissec.org/Contents/V10/N3/V10N3-Samonas.html |url-status=dead |journal=Journal of Information System Security |volume=10 |issue=3 |pages=21–45 |archive-url=https://web.archive.org/web/20180922115139/http://www.jissec.org/Contents/V10/N3/V10N3-Samonas.html |archive-date=2018-09-22 |access-date=2018-01-25}}</ref><ref>{{cite web |last1=Ledesma |first1=Josue |title=What is the CIA Triad? 
|url=https://www.varonis.com/blog/cia-triad |publisher=Varonis Systems |access-date=21 March 2025 |date=16 June 2023}}</ref> while maintaining a focus on efficient [[policy]] implementation, all without hampering organization [[productivity]].<ref>{{Citation|last=Keyser|first=Tobias|title=Security policy|date=2018-04-19|url=http://dx.doi.org/10.1201/9781315385488-13|work=The Information Governance Toolkit|pages=57–62|publisher=CRC Press|doi=10.1201/9781315385488-13|isbn=978-1-315-38548-8|access-date=2021-05-28|url-access=subscription}}</ref> This is largely achieved through a structured [[risk management]] process.<ref>{{cite web| url=https://apps.dtic.mil/sti/citations/ADA421883 |id={{DTIC|ADA421883}} |last1=Danzig |first1=Richard|author2=National Defense University Washington DC Inst for National Strategic Studies |year=1995 |title=The big three: Our greatest security risks and how to address them }}</ref> To standardize this discipline, academics and professionals collaborate to offer guidance, policies, and industry standards on [[password]]s, [[antivirus software]], [[firewall (computing)|firewalls]], [[encryption software]], [[legal liability]], [[security awareness]] and training, and so forth.<ref>{{Cite book|last1=Lyu|first1=M.R.|last2=Lau|first2=L.K.Y.|title=Proceedings 24th Annual International Computer Software and Applications Conference. COMPSAC2000 |chapter=Firewall security: Policies, testing and performance evaluation |chapter-url=http://dx.doi.org/10.1109/cmpsac.2000.884700|year=2000|pages=116–121|publisher=IEEE Comput. 
Soc|doi=10.1109/cmpsac.2000.884700|isbn=0-7695-0792-1|s2cid=11202223}}</ref> This [[standardization]] may be further driven by a wide variety of laws and regulations that affect how data is accessed, processed, stored, transferred, and destroyed.<ref>{{Citation|title=How the Lack of Data Standardization Impedes Data-Driven Healthcare|date=2015-10-17|url=http://dx.doi.org/10.1002/9781119205012.ch3|work=Data-Driven Healthcare|pages=29|place=Hoboken, NJ, US|publisher=John Wiley & Sons, Inc.|doi=10.1002/9781119205012.ch3|isbn=978-1-119-20501-2|access-date=2021-05-28|url-access=subscription}}</ref> While paper-based business operations are still prevalent, requiring their own set of information security practices, enterprise digital initiatives are increasingly being emphasized,<ref name="GartnerSays17">{{cite web |url=https://www.gartner.com/en/newsroom/press-releases/2017-10-02-gartner-says-digital-disruptors-are-impacting-all-industries-digital-kpis-are-crucial-to-measuring-success |title=Gartner Says Digital Disruptors Are Impacting All Industries; Digital KPIs Are Crucial to Measuring Success |publisher=Gartner |date=2 October 2017 |access-date=25 January 2018}}</ref><ref name="GartnerSurvey17">{{cite web |url=https://www.gartner.com/en/newsroom/press-releases/2017-04-24-gartner-survey-shows-42-percent-of-ceos-have-begun-digital-business-transformation |title=Gartner Survey Shows 42 Percent of CEOs Have Begun Digital Business Transformation |publisher=Gartner |date=24 April 2017 |access-date=25 January 2018}}</ref> with [[information assurance]] now typically being dealt with by information technology (IT) security specialists. These specialists apply information security to technology (most often some form of computer system). IT security specialists are almost always found in any major enterprise/establishment due to the nature and value of the data within larger businesses.<ref name="AFH_1">{{cite web| title=Accounting for Firm Heterogeneity within U.S. 
Industries: Extended Supply-Use Tables and Trade in Value Added using Enterprise and Establishment Level Data| last1=Fetzer|first1=James|last2=Highfill|first2=Tina|last3=Hossiso|first3=Kassu|last4=Howells |first4=Thomas|last5=Strassner|first5=Erich|last6=Young|first6=Jeffrey| series=Working Paper Series| url=https://www.nber.org/papers/w25249| publisher=[[National Bureau of Economic Research]]| date=November 2018| doi=10.3386/w25249| s2cid=169324096}}</ref> They are responsible for keeping all of the [[technology]] within the company secure from malicious attacks that often attempt to acquire critical private information or gain control of the internal systems.<ref>{{Citation|title=Secure estimation subject to cyber stochastic attacks|date=2020|url=http://dx.doi.org/10.1016/b978-0-12-818701-2.00021-4|journal=Cloud Control Systems|series=Emerging Methodologies and Applications in Modelling|pages=373–404|publisher=Elsevier|doi=10.1016/b978-0-12-818701-2.00021-4|isbn=978-0-12-818701-2|s2cid=240746156|access-date=2021-05-28|url-access=subscription}}</ref><ref>{{Cite book|last=Nijmeijer|first=H.|title=Synchronization of mechanical systems|date=2003|publisher=World Scientific|isbn=978-981-279-497-0|oclc=262846185}}</ref> There are many specialist roles in information security, including securing networks and allied [[infrastructure]], securing [[Application software|applications]] and [[database]]s, [[security testing]], information systems [[Information technology audit|auditing]], [[business continuity planning]], electronic record discovery, and [[digital forensics]].<ref>{{Cite web |title=9 Types of Cybersecurity Specializations |url=https://learn.org/articles/types_of_cybersecurity_specializations.html}}</ref>