Information security is the practice of ensuring that data, whether digital or physical, is shielded from unauthorised use, access, disclosure, interruption, alteration, inspection, recording, or destruction. The goal is to guarantee the data’s availability, confidentiality, and integrity. Information security is achieved through a set of strategies that include the management of processes, tools, and policies necessary to prevent, detect, respond to, and recover from security incidents. Information security differs from cyber security in that information security aims to keep data in any form secure, whereas cyber security protects only digital data.
CIA Triad
Confidentiality: ensures information is inaccessible to unauthorised people, most commonly enforced through encryption.
Integrity: protects information and systems from being modified by unauthorised people and ensures the data is accurate and trustworthy.
Availability: ensures authorised people can access the information when needed and that all hardware and software are maintained properly and updated when necessary.
Authentication, Authorisation and Accountability (AAA) and Non-Repudiation:
- Authentication is the process of verifying that a user who wants to access network resources is who they claim to be, typically by asking for credentials such as a username and password.
- Authorisation provides the ability to enforce policies on network resources after the user has gained access to them through authentication.
- Accountability provides the means to monitor and record the actions performed by the user while accessing network resources.
- Non-repudiation is the assurance that someone cannot deny the validity of something. It is a legal concept widely used in information security and refers to a service that provides proof of the origin of data and of its integrity.
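As an added example (not part of the original page), the AAA flow above in Python: a salted password check for authentication, an access control list for authorisation, and an append-only audit log for accountability. The user name, password, object names and ACL contents are constructed sample values.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor; raise for production use


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so stored credentials are never plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed sample user store (hypothetical user and password).
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, hash_password("correct horse battery staple", _SALT))}
_DUMMY_SALT = os.urandom(16)
_DUMMY = (_DUMMY_SALT, hash_password("dummy", _DUMMY_SALT))

# Access control list: object -> user -> permitted operations (authorisation).
ACL = {
    "payroll.csv": {"alice": {"read"}},
    "design.doc": {"alice": {"read", "write"}},
}

AUDIT_LOG: list = []  # accountability: every access decision is recorded here


def authenticate(user: str, password: str) -> bool:
    """Verify the supplied credentials against the user store."""
    # Always compute a hash, so an unknown user costs the same time as a known one.
    salt, stored = USERS.get(user, _DUMMY)
    candidate = hash_password(password, salt)
    return user in USERS and hmac.compare_digest(stored, candidate)


def authorise(user: str, obj: str, op: str) -> bool:
    """Policy check: is this operation on this object listed for the user in the ACL?"""
    return op in ACL.get(obj, {}).get(user, set())


def access(user: str, password: str, obj: str, op: str) -> str:
    """Full AAA flow: authenticate, then authorise, and log the outcome either way."""
    if not authenticate(user, password):
        outcome = "denied: authentication failed"
    elif not authorise(user, obj, op):
        outcome = "denied: not authorised"
    else:
        outcome = "granted"
    AUDIT_LOG.append({"user": user, "object": obj, "op": op, "outcome": outcome})
    return outcome
```

Denied attempts are logged as well as granted ones; the log is the accountability record the text describes.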
To secure information, organisations employ a range of measures, grouped into physical security controls, technical controls and administrative controls.
Physical security controls: Physical security controls are measures used to keep people safe and prevent unauthorised access to buildings, equipment, and data assets. They are designed to protect against external dangers such as accidents, terrorism, espionage, theft, and vandalism.

There are several types of physical security controls, which include:
- Deterrent Controls: These are designed to discourage potential intruders from attempting to breach security. Examples include security signage, fencing, and visible security cameras.
- Preventive Controls: These aim to prevent an incident from occurring. Examples include locks, access control systems, security guards, man-traps, and barriers.
- Detection Controls: These are designed to identify and signal an intrusion or unauthorised access. Examples include motion detectors, intrusion detection systems, alarm systems, and surveillance cameras.
- Delay Controls: These slow down the progress of an intruder, buying time for response teams to react. Examples include multiple layers of doors, turnstiles, and reinforced walls.
- Response Controls: These facilitate the response to an incident once it has been detected. Examples include security personnel, alarm response protocols, and coordination with local law enforcement.
- Environmental Controls: These are designed to protect against environmental hazards and natural disasters. Examples include fire suppression systems, HVAC systems, and seismic reinforcements.
- Operational Controls: These include policies and procedures that define how other physical controls are used and maintained. Examples include security guard patrols, maintenance schedules for security systems, and access control policies.
Technical controls: Technical security controls, sometimes referred to as logical controls, are technology-based safeguards for the availability, confidentiality, and integrity of data and information systems. These controls make sure that authorised users can access the data when needed and guard against unauthorised access to or changes of the data. Technical controls are usually incorporated into an organisation’s overall security plan and can be either software- or hardware-based.
- Authentication Mechanisms: These ensure that only authorized users can access systems and data. Examples include passwords, multi-factor authentication (MFA), biometrics, and smart cards.
- Encryption: This protects data at rest and in transit by converting it into an unreadable format for unauthorized users. Examples include the use of HTTPS for secure communication over the internet and encrypting hard drives or individual files.
- Firewalls: These act as a barrier between secure internal networks and untrusted external networks like the internet. They monitor and control incoming and outgoing network traffic based on predetermined security rules.
- Intrusion Detection and Prevention Systems (IDPS): These systems monitor network and system activities for malicious activities or policy violations and can act to block or prevent those activities.
- Antivirus and Anti-malware Software: These programs scan computers and networks for malicious software and can remove or quarantine threats.
- Access Control Lists (ACLs): These lists specify which users or system processes are granted access to objects, as well as what operations are allowed on given objects.
- Security Information and Event Management (SIEM): These systems provide real-time analysis of security alerts generated by applications and network hardware.
- Data Loss Prevention (DLP): These systems monitor, detect, and block sensitive data while in use, in motion, and at rest to prevent unauthorized access or exfiltration.
- Patch Management: This involves regularly updating software and systems with patches to fix vulnerabilities and improve security.
- Network Segmentation: This practice divides a network into multiple segments or subnets, each acting as a separate network to contain security breaches and limit access to sensitive areas.
- Secure Configuration: This ensures that systems are configured in the most secure way possible, reducing the number of potential vulnerabilities.
- Virtual Private Networks (VPN): These provide secure remote access to an organization’s network by encrypting the connection from an end user’s device to the network.
Administrative controls: Administrative security controls are policies, procedures, and guidelines that are established by an organization to manage and control access to information systems and to protect assets and resources. These controls are designed to ensure that the behaviour of employees and users aligns with the organization’s security requirements.

- Security Policies: Formal statements that define how security will be implemented within an organization, including acceptable use policies, password policies, and data classification policies.
- Procedures: Step-by-step instructions or guidelines that describe how to perform specific tasks in accordance with the organization’s policies.
- Training and Awareness Programs: Initiatives designed to educate employees about security best practices, potential threats, and the importance of following security policies.
- Background Checks: Pre-employment screening processes to assess the trustworthiness and suitability of potential hires.
- Access Control Policies: Guidelines that determine who is authorized to access certain information or areas within an organization and under what conditions.
- Incident Response Plans: Detailed plans that outline the steps to be taken in the event of a security breach or incident.
- Risk Assessments: Processes to identify, analyze, and evaluate risks to the organization’s information and systems.
- Change Management Procedures: Processes to manage modifications to systems, software, or processes to ensure that changes do not compromise security.
- Audits and Compliance Checks: Regular reviews and inspections to ensure that the organization adheres to its security policies and legal/regulatory requirements.
- Employee Termination Procedures: Steps to ensure that access rights and privileges of former employees are revoked promptly to prevent unauthorized access.