Information Security from a Legal Counsel’s Perspective and Reflection
As a Data, Cyber, and Tech Lawyer and a Data Protection Officer, knowledge of Information Security (and Cyber Security) is essential, and something one should have as part of one’s arsenal of training and competence in order to perform one’s function well. The Digital Society has created both a promise and a risk. Digitalization is thought to be a key driver of recent economic, cultural, political, and societal transformations, with these changes entailing both positive and negative consequences. The negative ones include various risks and threats to the information security of both society and the state[1].
As stated in a website on Cybersecurity: building a secure digital society, “With the ubiquity and interconnection of information systems on the one hand and the increase and sophistication of threats on the other, cybersecurity has become a vital part of modern society[2].”
In this paper, the author reflects on the learnings he received as part of the Introduction to Information Security Program offered by the University of the Philippines — Open University’s Massive Open Distance eLearning (MODeL) from 13 June until 20 July 2022.
Module 1 — Information Security: Overview
This module clarified the nature of Information Security, following the technical definition provided by The SANS Institute:
“Information security refers to the processes and methodologies which are designed and implemented to protect print, electronic, or any other form of confidential, private, and sensitive information or data from unauthorized access, use, misuse, disclosure, destruction, modification, or disruption.[3]”
This emphasizes that Information Security is not only focused on digital data but also physical data. This makes Information Security a more comprehensive concept and covers both Cyber Security and Data Protection.
This module also gave participants their first introduction to the foundational concept of the CIA Triad of Confidentiality, Integrity, and Availability, the model designed to guide policies for information security within an organization. This is foundational since the CIA Triad should always be reflected whenever an InfoSec policy is created.
Module 2 — Security Threats and Vulnerabilities
In this module, we learned the current landscape relating to Information Security Threats and Vulnerabilities.
A Security Threat is a malicious act that aims to corrupt or steal data or disrupt an organization’s systems or the entire organization. A Security Event refers to an occurrence during which company data or its network may have been exposed. And an event that results in a data or network breach is called a Security Incident[4].
The Threat and Vulnerability Landscape is an ever-growing list of attacks, from simple Phishing and Social Engineering attacks, to Malware in its various forms, to Zero Day exploits. This module is very essential and very intriguing to a practitioner in the field of cyber law, since this landscape of attacks, threats and vulnerabilities is the very reason why information security and legal regulation in the field have been created, and it is what we must fight (in both the Legal and Technical sense) to have a more secure Society.
My reflection on this module is that it should be given more focus and provided to all users within this digital society.
Module 3 — Risk Assessment and Management
In this module the following concepts have been discussed:
· Risk assessment refers to the qualitative assessment and quantitative measurement of risks, their effects, and how they are interrelated.
· Risk management refers to the program or strategy undertaken in order to avoid or minimize losses from a risk that materializes.
From a practitioner’s perspective, avoiding and managing risk in the context of business priorities and desired outcomes is imperative for facilitating productive business conversations with business leaders and executives so they understand the cyber implications of strategic decisions.
This topic has been a good way to level up the discussion on Information Security by introducing a very relevant discussion in the field of Risk Management.
Module 4 — Access Control
This module is one of my interests since I am currently in a project revisiting and establishing the Access Control Matrix of our organization.
Sadly, the discussion focused on the basics and did not discuss the operationalization of access control, such as the one we currently use, Role-Based Access Control (“RBAC”).
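To show what operationalizing an access control matrix with RBAC looks like in practice, here is an added example written for this reflection; it is not material from the course or code from the author’s organization. The roles, permissions, users and the separation-of-duties rule are constructed for illustration. It models the matrix as roles holding permissions, users holding only roles, a deny-by-default check that records every decision, and the two artifacts an access review needs: each user’s effective permissions and any conflicting role combinations.

```python
"""Minimal role-based access control (RBAC) evaluator (added example).

All roles, permissions and users below are constructed for illustration
and do not describe any real organization's access control matrix.
"""
from __future__ import annotations
from dataclasses import dataclass

# Role -> set of (resource, action) pairs. Anything not listed is denied.
ROLE_PERMISSIONS: dict[str, set[tuple[str, str]]] = {
    "dpo": {("personal_data", "read"), ("breach_log", "read"), ("breach_log", "write")},
    "hr_clerk": {("personal_data", "read"), ("personal_data", "write")},
    "auditor": {("breach_log", "read"), ("audit_trail", "read")},
}

# User -> roles. In RBAC, users never hold permissions directly.
USER_ROLES: dict[str, set[str]] = {
    "alice": {"dpo"},
    "bob": {"hr_clerk"},
    "carol": {"auditor"},
    "dave": set(),                    # onboarded, no role assigned yet
    "erin": {"hr_clerk", "auditor"},  # conflicting combination, see SOD_CONFLICTS
}

# Role combinations one person should not hold at the same time
# (separation of duties): here, editing personal data and auditing it.
SOD_CONFLICTS: list[frozenset[str]] = [frozenset({"hr_clerk", "auditor"})]

AUDIT_TRAIL: list[str] = []


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def check_access(user: str, resource: str, action: str) -> Decision:
    """Deny-by-default RBAC check; every decision is appended to AUDIT_TRAIL."""
    roles = USER_ROLES.get(user)
    if roles is None:
        decision = Decision(False, "unknown user")
    else:
        granting = sorted(r for r in roles if (resource, action) in ROLE_PERMISSIONS.get(r, set()))
        if granting:
            decision = Decision(True, f"granted via role '{granting[0]}'")
        else:
            decision = Decision(False, "no assigned role grants this permission")
    verdict = "ALLOW" if decision.allowed else "DENY"
    AUDIT_TRAIL.append(f"{user} {action} {resource}: {verdict} ({decision.reason})")
    return decision


def effective_permissions(user: str) -> set[tuple[str, str]]:
    """Flatten a user's roles into the permissions they actually hold."""
    return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in USER_ROLES.get(user, set())))


def sod_violations() -> list[str]:
    """Users whose role assignments include a conflicting combination."""
    return sorted(u for u, roles in USER_ROLES.items()
                  if any(conflict <= roles for conflict in SOD_CONFLICTS))


def access_matrix() -> dict[str, dict[str, bool]]:
    """Effective user x permission matrix, the artifact reviewed in an access review."""
    all_perms = sorted(set().union(*ROLE_PERMISSIONS.values()))
    return {u: {f"{res}:{act}": (res, act) in effective_permissions(u) for res, act in all_perms}
            for u in USER_ROLES}


if __name__ == "__main__":
    for u, row in access_matrix().items():
        print(f"{u:6}", " ".join(f"{k}={'Y' if v else '-'}" for k, v in row.items()))
    print("separation-of-duties violations:", sod_violations())
    print(check_access("bob", "breach_log", "read"))
    print(*AUDIT_TRAIL, sep="\n")
```

The design choice worth noting is that `sod_violations()` and `access_matrix()` are computed from the same tables the runtime check uses, so the matrix a reviewer signs off on cannot drift from what the system actually enforces; in a real deployment the tables would come from the directory or IAM system rather than literals.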
Module 5 — Data Protection
My current bread and butter since I have been a Data Protection Officer since 2017. The discussion is a sort of review for me on the basics of the DPA and its relation to GDPR.
Module 6 — Protecting Critical Assets
A good reminder that the priority in every Information Security program should be the protection of critical assets.
Critical assets are those that are essential for supporting the social and business needs of both the local and national economy, and whose failure or compromise might cause devastating effects.
Module 7 — Security Controls
After learning about the attack vectors and their effects, this module provided the much-needed understanding of what to do to prevent and deter attacks.
Module 8 — Incident Response
In case attacks do happen, what should one do, and how should one respond? In this module we were acquainted with the basic knowledge of incident response to security incidents and data breaches.
Module 9 — Disaster Recovery and Business Continuity
Continuing where we left off, Disaster Recovery and Business Continuity are what all entities processing data and information must have to ensure that business operations will continue even in the face of risks and attacks.
Module 10 — Security Awareness
Finally, empowering our personnel and employees must be the top priority in any organization in order to be prepared for any information security attacks.
[1] D.M. Kovba and Y.Y. Moiseenko, (2020), “The Digital Society in the 21st Century: Security Issue” in Culture, Personality, Society in the Conditions of Digitalization: Methodology and Experience of Empirical Research Conference, KnE Social Sciences, pages 444–451.
[2] Retrieved from: https://hellofuture.orange.com/en/interactive/cybersecurity-building-a-secure-digital-society#introduction, 17 July 2022
[3] Retrieved from: https://www.sans.org/information-security/, 17 July 2022
[4] Retrieved from: https://www.techtarget.com/searchsecurity/feature/Top-10-types-of-information-security-threats-for-IT-teams#:~:text=A%20security%20threat%20is%20a,network%20may%20have%20been%20exposed., 17 July 2022