Information security deals with several different "trust" aspects of information. Another common term is information assurance. Information security is not confined to computer systems, nor to information in an electronic or machine readable form. It applies to all aspects of safeguarding or protecting information or data, in whatever form.
The U.S. National Information Systems Security Glossary defines Information systems security (INFOSEC) as:
- the protection of information systems against unauthorized access to or modification of information, whether in storage, processing or transit, and against the denial of service to authorized users or the provision of service to unauthorized users, including those measures necessary to detect, document, and counter such threats.
It is an important point that information security is, inherently and necessarily, neither hermetic nor watertight nor perfectible. No one can ever eradicate all risk of improper or capricious use of any information. The level of information security sought in any particular situation should be commensurate with the value of the information and the loss, financial or otherwise, that might accrue from improper use: disclosure, degradation, denial, or whatever. Bruce Schneier makes this point in Secrets and Lies: information security is about risk management.
Three widely accepted elements (aims, principles, qualities, characteristics, ...) of information security are:
A further, generally accepted element is:
denial of service attacks.
Some other facets of information security are:
- Access control
- Risk assessment
- Identification and authentication
- Administration and provisioning
- Assurance and reliability
- Business continuity planning