What is information security? Definition, principles, and jobs

Information security is a set of practices intended to keep data secure from unauthorized access or alterations. Here's a broad look at the policies, principles, and people used to protect data.

Information security definition

Information security, sometimes abbreviated to infosec, is a set of practices intended to keep data secure from unauthorized access or alterations, both when it's being stored and when it's being transmitted from one machine or physical location to another. You might sometimes see it referred to as data security. As knowledge has become one of the 21st century's most important assets, efforts to keep information secure have correspondingly become increasingly important.

The SANS Institute offers a somewhat more expansive definition:

Information security refers to the processes and methodologies which are designed and implemented to protect print, electronic, or any other form of confidential, private and sensitive information or data from unauthorized access, use, misuse, disclosure, destruction, modification, or disruption.

Information security vs. cybersecurity

Because it has become the accepted corporate buzzphrase that means, basically, "computers and related stuff," you will sometimes see information security and cybersecurity used interchangeably. Strictly speaking, cybersecurity is the broader practice of defending IT assets from attack, and information security is a specific discipline under the cybersecurity umbrella. Network security and application security are sister practices to infosec, focusing on networks and app code, respectively.

Obviously, there's some overlap here. You can't secure data transmitted across an insecure network or manipulated by a leaky application. Also, there is plenty of information that isn't stored electronically that also needs to be protected. Thus, the infosec pro's remit is necessarily broad.

Information security principles

The basic components of information security are most often summed up by the so-called CIA triad: confidentiality, integrity, and availability.

  • Confidentiality is perhaps the element of the triad that most immediately comes to mind when you think of information security. Data is confidential when only those people who are authorized to access it can do so; to ensure confidentiality, you need to be able to identify who is trying to access data and block attempts by those without authorization. Passwords, encryption, authentication, and defense against penetration attacks are all techniques designed to ensure confidentiality.
  • Integrity means maintaining data in its correct state and preventing it from being improperly modified, either by accident or maliciously. Many of the techniques that ensure confidentiality will also protect data integrity—after all, a hacker can't change data they can't access—but there are other tools that help provide a defense of integrity in depth: checksums can help you verify data integrity, for instance, and version control software and frequent backups can help you restore data to a correct state if need be. Integrity also covers the concept of non-repudiation: you must be able to prove that you've maintained the integrity of your data, especially in legal contexts.
  • Availability is the mirror image of confidentiality: while you need to make sure that your data can't be accessed by unauthorized users, you also need to ensure that it can be accessed by those who have the proper permissions. Ensuring data availability means matching network and computing resources to the volume of data access you expect and implementing a good backup policy for disaster recovery purposes.
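
As an added illustration of the integrity bullet above (example code, not part of the original article), the following Python compares a plain checksum with a keyed hash (HMAC) on a constructed sample record: the checksum catches accidental corruption, but only the keyed tag still detects a deliberate change made by someone who can also rewrite the stored checksum. The record, its field names and the key are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample record standing in for a file, backup or database row.
RECORD = b"account=12345;balance=1000.00;currency=USD"

def checksum(data: bytes) -> str:
    """Unkeyed SHA-256 checksum: catches accidental corruption such as bit rot."""
    return hashlib.sha256(data).hexdigest()

def verify_checksum(data: bytes, expected: str) -> bool:
    return hmac.compare_digest(checksum(data), expected)

def keyed_tag(key: bytes, data: bytes) -> str:
    """HMAC-SHA256: also catches deliberate modification, because whoever alters
    the data cannot recompute a matching tag without the secret key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def verify_keyed_tag(key: bytes, data: bytes, expected: str) -> bool:
    # compare_digest avoids leaking the comparison result through timing.
    return hmac.compare_digest(keyed_tag(key, data), expected)

def tamper_demo() -> dict:
    """Compare both controls against an accident and against a deliberate change."""
    key = secrets.token_bytes(32)  # constructed integrity key, held only by the verifier
    stored_checksum = checksum(RECORD)
    stored_tag = keyed_tag(key, RECORD)

    # Accidental corruption: one digit changed in transit. Both controls detect it.
    corrupted = RECORD.replace(b"1000.00", b"1000.01")
    accident = {
        "checksum_detects": not verify_checksum(corrupted, stored_checksum),
        "tag_detects": not verify_keyed_tag(key, corrupted, stored_tag),
    }

    # Deliberate change where the stored checksum is rewritten alongside the data:
    # the unkeyed checksum verifies, so it gives no protection; the keyed tag fails.
    altered = RECORD.replace(b"1000.00", b"9000.00")
    rewritten_checksum = checksum(altered)  # needs no secret, so anyone can do it
    deliberate = {
        "checksum_detects": not verify_checksum(altered, rewritten_checksum),
        "tag_detects": not verify_keyed_tag(key, altered, stored_tag),
    }
    return {"accident": accident, "deliberate": deliberate}
```

For non-repudiation (proving to a third party who produced the data), a shared HMAC key is not enough, since both parties hold it; that calls for a digital signature with a private key.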

In an ideal world, your data should always be kept confidential, in its correct state, and available; in practice, of course, you often need to make choices about which information security principles to emphasize, and that requires assessing your data. If you're storing sensitive medical information, for instance, you'll focus on confidentiality, whereas a financial institution might emphasize data integrity to ensure that nobody's bank account is credited or debited incorrectly.

Information security policy

The means by which these principles are applied to an organization take the form of a security policy. This isn't a piece of security hardware or software; rather, it's a document that an enterprise draws up, based on its own specific needs and quirks, to establish what data needs to be protected and in what ways. These policies guide the organization's decisions around procuring cybersecurity tools, and also mandate employee behavior and responsibilities.

Among other things, your company's information security policy should include:

  • A statement describing the purpose of the infosec program and your overall objectives
  • Definitions of key terms used in the document to ensure shared understanding
  • An access control policy, determining who has access to what data and how they can establish their rights
  • A password policy
  • A data support and operations plan to ensure that data is always available to those who need it
  • Employee roles and responsibilities when it comes to safeguarding data, including who is ultimately responsible for information security

One important thing to keep in mind is that, in a world where many companies outsource some computer services or store data in the cloud, your security policy needs to cover more than just the assets you own. You need to know how you'll deal with everything from personally identifying information stored on AWS instances to third-party contractors who need to be able to authenticate to access sensitive corporate info.

Information security measures

As should be clear by now, just about all the technical measures associated with cybersecurity touch on information security to a certain degree, but it is worthwhile to think about infosec measures in a big-picture way:

  • Technical measures include the hardware and software that protects data — everything from encryption to firewalls
  • Organizational measures include the creation of an internal unit dedicated to information security, along with making infosec part of the duties of some staff in every department
  • Human measures include providing awareness training for users on proper infosec practices
  • Physical measures include controlling access to the office locations and, especially, data centers

Information security jobs

It's no secret that cybersecurity jobs are in high demand, and in 2022 information security was at the top of every CIO's hiring wishlist, according to Mondo's IT Security Guide. There are two major motivations: There have been many high-profile security breaches that have resulted in damage to corporate finances and reputation, and most companies are continuing to stockpile customer data and give more and more departments access to it, increasing their potential attack surface and making it more and more likely they'll be the next victim.

There are a variety of different job titles in the infosec world. The same job title can mean different things in different companies, and you should also keep in mind our caveat from up top: a lot of people use "information" just to mean "computer-y stuff," so some of these roles aren't restricted to just information security in the strict sense. But there are general conclusions one can draw.

Information security analyst: Duties and salary
Let's take a look at one such job: information security analyst, which is generally towards the entry level of an infosec career path. CSO's Christina Wood describes the job as follows:

Security analysts typically deal with information protection (data loss protection [DLP] and data classification) and threat protection, which includes security information and event management (SIEM), user and entity behavior analytics [UEBA], intrusion detection system/intrusion prevention system (IDS/IPS), and penetration testing. Key duties include managing security measures and controls, monitoring security access, doing internal and external security audits, analyzing security breaches, recommending tools and processes, installing software, teaching security awareness, and coordinating security with outside vendors.

Information security analysts are definitely one of those infosec roles where there aren't enough candidates to meet the demand for them: in 2022 and 2022, there were more than 100,000 information security analyst jobs that were unfilled in the U.S. This means that infosec analyst is a lucrative gig: the Bureau of Labor Statistics pegged the median salary at $95,510 (PayScale.com has it a bit lower, at $71,398).

Information security training and courses

How does one get a job in information security? An undergraduate degree in computer science certainly doesn't hurt, although it's by no means the only way in; tech remains an industry where, for instance, participation in open source projects or hacking collectives can serve as a valuable calling card.

Still, infosec is becoming increasingly professionalized, which means that institutions are offering more by way of formal credentials. Many universities now offer graduate degrees focusing on information security. These programs may be best suited for those already in the field looking to expand their knowledge and show that they have what it takes to climb the ladder.

At the other end of the spectrum are free and low-cost online courses in infosec, many of them fairly narrowly focused. The world of online education is something of a wild west; Tripwire breaks down 11 highly regarded providers offering information security courses that may be worth your time and effort.

Information security certifications

If you're already in the field and are looking to stay up-to-date on the latest developments—both for your own sake and as a signal to potential employers—you might want to look into an information security certification. Among the top certifications for information security analysts are:

  • Systems Security Certified Practitioner (SSCP)
  • Certified Cyber Professional (CCP)
  • Certified Information Systems Security Professional (CISSP)
  • Certified Ethical Hacker (CEH)
  • GCHQ Certified Training (GCT)

Many of the online courses listed by Tripwire are designed to prepare you for these certification exams. Best of luck in your exploration!

Copyright © 2022 IDG Communications, Inc.