IT security is broader in nature than cybersecurity and encompasses the protection of all of an entity’s data, including databases, software, applications, servers and devices.
What are the different types of IT security?
- Generally speaking, all IT security concepts can fall into three buckets: network security, end-point security and internet security.
IT security covers a vast range of concepts, and many of them could deserve a category of their own; this becomes more true as security threats and solutions continue to expand. The simplest way to categorize IT security concepts, however, is to divide them into three types: network security, end-point security and internet security.
Network security refers to guarding the underlying network infrastructure from unauthorized access, misuse, malfunction, modification, destruction or improper disclosure. End-point security is designed to protect devices attached to the network from cyberattacks and viruses: computers, mobile devices, laptops and printers attached to the network are protected with software security solutions and policies, including privileged user control, application controls, intrusion detection and encryption. Internet security protects information in transit through encryption and authentication measures such as Secure Sockets Layer (SSL) or Transport Layer Security (TLS).
What are the seven layers of IT security?
- The seven layers of IT security are the human, perimeter, network, endpoint, application, data and mission-critical layers.
The seven layers of IT security are based on the Open Systems Interconnection (OSI) model, which standardizes the different stages of network communication and their levels of vulnerability. The layered approach is designed so that security measures at one layer also reinforce the layers before and after it.
- Human layer: considered the most vulnerable layer in network communications, with more than 90 percent of data breaches attributed to human error. The best approach to securing this layer is education and training.
- Perimeter layer: the outer layer of the network, including all connectivity and access points. It is secured by logging all connected devices and using firewalls, encryption and anti-virus software.
- Network layer: determines what is accessible inside a system. Mitigation techniques include creating permissions that give employees access only to the data they need.
- Endpoint layer: requires heavy encryption of both data and devices, with proper mobile device management protocols becoming increasingly necessary in remote environments.
- Application layer: the software used in business, which is secured by keeping applications up to date.
- Data layer: requires the most attention, as it is often the primary target of cybercriminals and may include payment data, social security numbers, healthcare information and intellectual property. File and disk encryption, regular backups, two-factor authentication and data-wiping policies are musts at this level.
- Mission-critical layer: made up of mission-critical assets such as operating systems, health records, software tools, financial records and cloud infrastructure.
What should be included in an IT security policy?
- IT security policies include the objective, scope, goals, compliance responsibilities and noncompliance consequences regarding data use.
An organization’s IT security policy sets out its rules and procedures for individuals accessing and using organizational IT assets and resources. IT security policies are designed to keep assets confidential from unauthorized entities, maintain their integrity against unauthorized modification, and ensure they remain continuously available to authorized users.
According to the National Research Council (NRC), a company IT security policy should contain: objectives for the security of data; the scope of how data security will be handled; specific goals to be reached with regard to data security; and the responsibilities for compliance, along with the actions to be taken in the event of noncompliance with the policy.