A common source of confusion today is information assurance vs. information security vs. cyber security. Information security and cyber security do not mean the same thing, though they are often used interchangeably, and information assurance is a third term with a meaning of its own. In this post, you will learn the differences between the three terms and why they are slightly different.
What Is Information Security?
Information security revolves around the protection of information in all its forms. This can include physical media, like disks, hard drives, papers, books, files, etc. It can also include the protection of information in cyberspace, such as on the internet or an air-gapped internal network. Infosec can be reduced to three main principles:
- Confidentiality – keeping information secret or hidden
- Integrity – ensuring information is unchanged
- Availability – ensuring access to information
In order to protect the information, it is important to hide that information from people who shouldn’t see it. When it is risky or impossible to hide the information completely, it can be encrypted or encapsulated to hide the contents. Cloudflare has a good, detailed explanation of encryption.
To make sure information remains useful, it is important to protect its integrity. This means finding a way to ensure it is not altered in any way. The easiest way to accomplish this is with a hash. Hashing uses a mathematical function to calculate a fixed-size value (a digest) from a file's contents. When a copy is made, the copy is hashed with the same function to produce a value. If the values are the same, the file hasn't been changed. This only holds if the reference value itself is trustworthy: anyone who can alter the file and also replace the published hash will go undetected.
In order to fulfill its purpose, information must be accessible to those authorized to view it. Keeping it available means that users have access when they need it. To provide this, security professionals back up information and maintain a stable environment.
You may be reading this and thinking ‘isn’t the CIA triad for cybersecurity?’ and you would be correct. Cyber security also features the principles of Confidentiality, Integrity, and Availability. The only distinction is that cyber security is a more narrowly focused effort.
Cyber Security Is Just Inside Cyberspace
Cyber security is a specialization of information security. Its counterpart is called information protection. The cyber piece focuses mainly on cyberspace: electronics, computers, networks, etc. The other half is physical security: paper files, cabinets, etc.
Information Security vs Cyber Security
As you can see in the figure above, information security covers both cyber security and information protection.
What is Information Protection?
Information protection is the other half of information security. It mainly deals with physical security: security cameras, fire alarms, fire extinguishers, fences, and mantraps. It isn’t necessary for some cybersecurity roles but is important to the overall information security landscape.
What about Information Assurance?
Information assurance is the higher tier under which information security falls. Confidentiality, integrity, and availability are important pillars of information assurance, but it adds two more pillars:
- Authentication – checking identity before allowing access
- Non-Repudiation – knowing who sent or received information
Everyone who uses computers or cell phones knows the basics of authentication. Username/password is one of the oldest forms. There are three fundamental types of authentication factors, and using multi-factor authentication (combining more than one type) is a must for enterprises now. Here are the three types with examples:
- Something you know – username/password, or those quizzes banks give you about your history
- Something you have – smart card or access card, the chip on credit cards, a key fob, or an authenticator app on your phone
- Something you are – biometric scanners like eye, fingerprint, or palm, or DNA
When receiving information, you want to make sure it comes from a trusted source. In e-mail, for instance, enterprises use a digital signature from the sender. That way, you know who it came from, and the sender cannot later deny sending it. It is also important to ensure that the information is actually delivered.
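The two integrity mechanisms discussed above (a bare hash for detecting changes, and a sender-bound check for knowing where data came from) side by side, as an added example that is not part of the original post. The file contents, the "tampered" copy and the shared key are constructed for the demo; the keyed HMAC stands in for the sender-binding step, and the comments note where a true digital signature differs.

```python
import hashlib
import hmac
import secrets

# Constructed sample data standing in for a file's contents and an altered copy.
ORIGINAL = b"Quarterly report: revenue up 4%. Approved by the CFO.\n"
TAMPERED = b"Quarterly report: revenue up 9%. Approved by the CFO.\n"


def digest(data: bytes) -> str:
    """Integrity only: SHA-256 digest of the content, hex-encoded."""
    return hashlib.sha256(data).hexdigest()


def integrity_ok(copy: bytes, trusted_digest: str) -> bool:
    """A hash check is only as good as the channel the reference digest came over:
    whoever can swap the file can also recompute and republish its hash."""
    return hmac.compare_digest(digest(copy), trusted_digest)


def tag(data: bytes, key: bytes) -> str:
    """Keyed HMAC-SHA256 binds the content to a key holder. It proves origin to
    the other key holder but, unlike an asymmetric digital signature, gives no
    non-repudiation: both parties can compute the same tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def origin_ok(copy: bytes, received_tag: str, key: bytes) -> bool:
    """Constant-time comparison avoids leaking how many tag bytes matched."""
    return hmac.compare_digest(tag(copy, key), received_tag)


def demo() -> dict:
    key = secrets.token_bytes(32)  # constructed: shared by sender and recipient
    published = digest(ORIGINAL)   # reference digest obtained over a trusted channel
    sent_tag = tag(ORIGINAL, key)
    # An intruder who replaces the file and republishes its hash fools a bare
    # hash check, but cannot produce a matching keyed tag without the key.
    attacker_digest = digest(TAMPERED)
    return {
        "hash_detects_change": not integrity_ok(TAMPERED, published),
        "hash_fooled_if_republished": integrity_ok(TAMPERED, attacker_digest),
        "hmac_detects_change": not origin_ok(TAMPERED, sent_tag, key),
        "hmac_accepts_original": origin_ok(ORIGINAL, sent_tag, key),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```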
The picture above shows the relationships between the five pillars of information assurance, and information security, cyber security and information protection.
Information Assurance vs Information Security vs Cyber Security
In summary, there is confusion about information assurance vs. information security vs. cyber security. In reality, cyber security is just one half of information security, and information security is just a part of information assurance. Confidentiality, integrity, availability, authentication, and non-repudiation are all pillars of information assurance; only confidentiality, integrity and availability are pillars of information security.