Information technology (IT) security and information security are two things that are often confused. In the age of digitalization, information is mostly processed, stored or transmitted with the help of IT, yet information security is still more analog than we think. Basically, IT security and information security are very closely connected. A systematic approach is therefore needed to effectively protect confidential information, and not only IT itself.


IT security vs. information security

Information security is more than just IT security. It focuses on the entire company. After all, the security of confidential information is not only aimed at data processed by electronic systems. Information security encompasses all corporate assets that need to be protected, including those on analog data carriers such as paper.

"IT security and information security are two terms that are not (yet) interchangeable."

Protection goals of information security

The three essential protection goals of information security - confidentiality, availability and integrity - therefore also apply to a letter containing important contractual documents, which must arrive at its recipient's door on time, reliably and intact, transported by a courier, but entirely analog. And these protection goals apply equally to a sheet of paper that contains confidential information, but that is lying on an unattended desk for anyone to see or is waiting in the copier, freely accessible, for unauthorized access.

Thus, information security has a broader scope than IT security. IT security, on the other hand, refers "only" to the protection of information on IT systems.

IT security according to definition

What do official bodies say? According to the German Federal Office for Information Security (BSI), IT security is "a state in which the risks present in the use of information technology due to threats and vulnerabilities are reduced to an acceptable level by appropriate measures. IT security is therefore the state in which confidentiality, integrity, and availability of information and information technology are protected by appropriate measures."

Information security = IT security plus X

In practice, a different approach is sometimes taken, using the rule of thumb "information security = IT security + data protection". Written down as an equation, however, this statement falls short. Admittedly, data protection under the European GDPR is about protecting privacy, which requires processors of personal data to have both secure IT and, for example, a secure building environment, thus ruling out physical access to customer data records. But the equation leaves out important analog data that is not personal data at all, such as company construction plans and much more.

The term information security covers fundamental criteria that go beyond pure IT aspects but always include them. Even comparatively simple technical or organizational measures within the scope of IT security are therefore always taken against the background of an appropriate level of information security. Examples of this can be:

  • Securing the power supply to the hardware
  • Measures against overheating of the hardware
  • Virus scans and secure programs
  • Organization of folder structures
  • Setting up and updating firewalls
  • Training of employees, etc.

It is obvious that computers and complete IT systems would not need to be protected for their own sake. After all, without information to be digitally processed or transported, hardware and software become useless.

IT security by law, an example from Germany

The topic of CRITIS (critical infrastructures): the German IT Security Act focuses on critical infrastructures from various sectors, such as electricity, gas and water supply, transportation, finance, food and health. Here, the main focus is on protecting IT infrastructure against cybercrime in order to maintain the availability and security of IT systems. In particular, today's digitally controlled telecontrol systems must be protected.

These protection goals are at the forefront (excerpt):

  • Consideration of IT security risks
  • Creation of IT security concepts
  • Creation of emergency plans
  • Taking general security precautions
  • Control of Internet security
  • Using cryptographic methods etc.

ISO 27001 - The standard for information security

What does ISO 27001 say? The globally recognized standard for an information security management system (ISMS), with its derivatives ISO 27019, ISO 27017 and ISO 27701, is called:

ISO/IEC 27001:2017 - Information technology - Security techniques - Information security management systems - Requirements (ISO/IEC 27001:2013 including Cor 1:2014 and Cor 2:2015). 

The title of this important standard makes it clear that IT security plays a major role in information security today and will continue to grow in importance in the future. However, the requirements set out in ISO 27001 are not directly aimed at digital IT systems only. On the contrary:

"Throughout ISO/IEC 27001, "information" is referred to across the board, without exception."

In principle, no distinction is made as to the analog or digital way in which this information is processed or is to be protected.

A successfully implemented ISMS supports a holistic security strategy: it includes organizational measures, security-conscious personnel management, the security of deployed IT structures, and compliance with legal requirements.

Information security often more analog than we think

Anyone who wanted to could apply the requirements of ISO 27001 to a completely analog system and get just as far as someone applying them to a thoroughly digital system. It is only in Annex A of the well-known ISMS standard, which contains control objectives and controls for users, that terms such as teleworking or mobile devices appear. But even the controls in Annex A remind us that there are still analog processes and situations in every company that must be taken into account with regard to information security.

Anyone who speaks loudly about sensitive topics via smartphone in public, for example on the train, may be using digital communication channels, but their misconduct is entirely analog. And anyone who doesn't clear their desk had better lock their office to maintain confidentiality. At least the former, a clear desk, which is one of the most effective single measures for protecting information, is usually still done by hand, so far...

IT Security vs. Information Security - Conclusion

IT security and information security are two terms that are not (yet) interchangeable. Rather, IT security is a component of information security, which in turn also includes analog facts, processes and communication - which, incidentally, is still commonplace in many cases today. However, increasing digitization is bringing these terms ever closer together, so that the difference in meaning will probably become more marginal in the long term.

What you can expect from us

DQS is your specialist for audits and certifications - for management systems and processes. With 35 years of experience and the know-how of 2,500 auditors worldwide, we are your competent certification partner for all aspects of information security and data protection.

Do you have any questions?

Contact us!
Without obligation and free of charge.

We don't just talk about professional competence, we have it: You can expect many years of practical professional experience from all our DQS auditors. Collected in organizations of every size and every industry. With this diversity it is guaranteed that your DQS lead auditor will empathize with your individual company situation and management culture. Our auditors know management systems from their own experience, i.e. they have set up, managed and further developed ISMS themselves - and they know the daily challenges from their own experience. We look forward to talking with you.

Author
Gert Krüger

Expert and project manager for information security, BSI-KritisV and data protection at DQS. Also a long-standing auditor for quality and environmental management.
