IT security, at its core, is concerned with balancing the competing requirements of keeping information secure, reliable, and accessible. To illustrate this, take two extreme and diametrically opposed security systems: one configured to irreversibly destroy its data at the first sign of an unauthorized access attempt, and the other left totally open to any anonymous user. Both have a niche, but neither is widely applicable; most situations call for a more balanced implementation.
These core requirements of security, reliability, and accessibility expand and interact with each other, meeting at a different optimal balance for every distinct industry and application. Some of the more frequent and well-studied roles of IT security are to
- Identify authorized users and verify their identity;
- Restrict access to only those authorized users;
- Track authorized changes;
- Prevent unauthorized changes, and identify them if they do occur;
- Avoid unnecessarily burdening authorized users; and
- Maximize system uptime.
To achieve this, the IT security industry employs a number of different techniques, ranging from broadly applied digital cryptography to physical biometrics. Since poorly implemented security measures are potentially dangerous and the nature of information technology puts a premium on interoperability, various voluntary consensus standards have emerged in the IT security industry, some trickling down from mandatory IT security standards utilized by the military and various government agencies while others embrace massive volunteer efforts.
Within the scope of IT security, two industries, health care and financial services, distinguish themselves by the extreme sensitivity of the information they need in order to function, which has prompted the formation of industry-specific IT security standards. In the medical field, health care providers need information about their patients that in any other situation would be an invasive breach of the patient's privacy. For the financial services industry, the ever-present threat of identity theft adequately conveys how sensitive that industry's information is. While it is clear that medical and financial information must be kept secure, the same information is also legitimately used in many different places, so ease of access must be carefully balanced against properly restricting access. With that said, progress made in IT security standards for specific industries is frequently applicable in other fields.
IT security standards are in large part responsible for the ongoing stability of our modern world, doing their part to keep our information safe and our privacy secured.
Some packages of IT security standards, as well as individual and industry-specific ones:
- ISO/IEC 27001 AND 27002 IT SECURITY TECHNIQUES PACKAGE
- ISO/IEC 27000 INFORMATION TECHNOLOGY SECURITY TECHNIQUES COLLECTION
- ISO 9564 - BANKING PERSONAL IDENTIFICATION NUMBER PACKAGE
- ISO 11568 - BANKING KEY MANAGEMENT PACKAGE
- X9 ENCRYPTION COLLECTION
- X9 CRYPTOGRAPHIC MESSAGE COLLECTION
- Information Security Management Systems (ISMS)
  - ISMS overview and vocabulary
  - ISMS implementation guidance
  - ISMS requirements
  - Requirements for bodies providing audit and certification of ISMS
- Financial Services Industry
  - Security framework
  - Public key cryptography using irreversible algorithms
  - Public key cryptography for the financial services industry
  - Agreement of symmetric keys using discrete logarithm cryptography
  - The Elliptic Curve Digital Signature Algorithm (ECDSA)
  - Digital algorithms giving partial message recovery
  - Wrapping of keys and associated data (symmetric key cryptography)
  - Financial transaction cards
  - Personal Identification Number (PIN) management and security
- Health Informatics
  - Security requirements for archiving of electronic health records
  - Information security management in health using ISO/IEC 27002
  - Public key infrastructure
    - Part 1: Overview of digital certificate services
    - Part 2: Certificate profile
    - Part 3: Policy management of certification authority
  - Electronic health record communications