Approaches to Information Security Implementation
Last Updated: 01 Mar, 2024
Implementing a security model is an essential step in protecting an organisation's data from breaches and cyberattacks. A security model can be designed and put into practice using one of two approaches:
1. Bottom-Up Approach: The company's security model is applied by system administrators or people working in network security or as cyber engineers. The idea behind this approach is that the individuals working in information systems use their knowledge and experience in cybersecurity to design a highly secure information security model.
- Key Advantage: The individuals' technical expertise in their field ensures that every system vulnerability is addressed and that the security model is able to counter potential threats.
- Disadvantage: Because senior management is not involved and no directives come from the top, the resulting model is often not aligned with the requirements and strategy of the organisation.
2. Top-Down Approach: This approach is initiated by the executives of the organization, who:
- Formulate policies and outline the procedures to be followed
- Determine the project's priorities and expected results
- Determine who is accountable for every action needed
Advantages of top-down implementation:
This approach looks at each department's data and explores how it’s connected to find vulnerabilities. Managers have the authority to issue company-wide instructions while still allowing each person to play an integral part in keeping data safe. Compared to an individual or department, a management-based approach incorporates more available resources and a clearer overview of the company's assets and concerns.
A top-down approach generally has more lasting power and efficacy than a bottom-up approach because it makes data protection a company-wide priority instead of placing all the responsibility on one person or team. Data vulnerabilities exist in all offices and departments, and each situation is unique. The only way for an information security program to work is by getting every manager, branch, department, and employee in agreement with a company-wide plan.
Implementing a layered information security approach:
Cybersecurity is critical for businesses of all types and sizes. In one survey, more than half of participants cited cybersecurity as a top concern for their organization. Data and network compromises can have devastating effects that many businesses never fully recover from. In 2019, cyberattacks cost individual businesses an average of $200,000.
Attacks come in several forms, such as phishing scams, hacking, unauthorized access at physical locations, Trojan viruses, ransomware, and password attacks. Because there are so many possible vulnerabilities, a layered approach is the best method for implementing total protection across departments.
Infosec layering accounts for all standard data protection along with other facets of cybersecurity, including web, network, device, application, software, and physical security. It also includes having a disaster recovery and data backup plan. Layered protection breaks larger security concerns into smaller, more manageable pieces. It lets you customize the type and protection level depending on specific needs, such as department, device, or stored data.
Consider a healthcare business. In the financial department, data integrity is likely the top concern to prevent overcharging or undercharging accounts. But the patient records department focuses on data security, privacy, and access control. This is where a layered approach comes in. Layered approaches are woven together so each area of information security relies on the other, creating a stronger, more defensive blanket of protection that makes it harder for outside attackers to gain entry.
Web and network security:
Web and network security cover creating policies and safeguarding all browsers, private networks, shared networks, and online user accounts, such as:
- Clearly assigned user roles for each person with access, including management, employees, third-party contractors, and partners
- Various encryption methods for on-site and off-site employees and contractors
- IP network-wide security for all network traffic
- Firewalls, antivirus and antimalware systems, intrusion alerts, and defense software
- Disabling web browser pop-ups
- Security for all webmail, including attachments and possible phishing scams
- Using a secure, up-to-date web browser with an individual, controlled employee access account
- Mobile device security for company phones, tablets, and smart devices
- Network segmentation whenever applicable
- Data loss prevention (DLP) for files and messages
Device and app security:
Device and app security applies to all computers, tablets, company phones, smart devices, applications, user software, computer programs, and online accounts. Precautions include:
- Keeping all apps and software and their subsequent security up to date
- Requiring unique passwords and log-in credentials for each user, changed regularly
- Implementing regular device and system maintenance windows throughout the month
- Keeping thorough, up-to-date records for all device and app activity, including possible, detected, or isolated threats
- Giving each device user and account a host intrusion detection system
- Removing unnecessary apps, software, user accounts, and devices from rotation
- Implementing patch management to keep everything up to date and automatically fixed when new patches are released
The top-down approach is more likely to succeed. It usually provides strong support from top management, in the form of committed resources, a consistent planning and execution mechanism, and opportunities to influence corporate culture.
Organizations have handled security management in various ways. Traditionally, companies adopted a bottom-up approach, in which the process is initiated by operational employees and the results are then propagated to upper management as proposed policies. Because management has no insight into the threats, their effects, the resources required, the possible returns or the security method, this approach has occasionally collapsed abruptly. The top-down approach, by contrast, reverses this view and is highly successful: management understands the gravity of the situation and starts the process, and input is then gathered systematically from cyber engineers and operating personnel.