Security Guide: InfoSec and Cybersecurity Foundations
Information security — InfoSec — is the practice of protecting data, systems, and networks from unauthorized access, disclosure, modification, and destruction. As digital transformation accelerates across every industry, information security has evolved from an IT support function to a board-level strategic priority. This guide establishes the foundational concepts every security practitioner needs: the CIA triad, risk management methodologies, security frameworks, and the core domains of cybersecurity practice.
The CIA Triad
The CIA triad — Confidentiality, Integrity, and Availability — is the foundational security model that frames all security decisions.
Confidentiality
Confidentiality ensures that information is accessible only to authorized parties. Controls include: encryption (AES-256 for data at rest, TLS 1.3 for data in transit), access control lists (ACLs), role-based access control (RBAC), and data classification policies. The 2025 Verizon DBIR reports that 68% of breaches involved compromised credentials, directly targeting confidentiality controls. Principle of least privilege — granting only the minimum access necessary — is the primary mechanism for maintaining confidentiality.
Integrity
Integrity ensures that data has not been modified by unauthorized parties. Controls include: cryptographic hashing (SHA-256), digital signatures (Ed25519, ECDSA), checksums, database transaction logs, and change management processes. The 2024 Microsoft Midnight Blizzard attack demonstrated integrity compromise at the identity provider level — attackers manipulated signing keys to forge authentication tokens. Integrity monitoring tools (Tripwire, Wazuh FIM, AWS Config) alert on unauthorized file modifications.
Availability
Availability ensures that systems and data are accessible when needed. Controls include: redundancy (HA pairs, multi-AZ/region deployment), load balancing, backup and disaster recovery plans, DDoS protection (AWS Shield, Cloudflare), and SLA monitoring. Ransomware attacks directly threaten availability — the average downtime cost of ransomware in 2025 was $5.3 million per incident according to Sophos.
Risk Management
Risk management is the process of identifying, assessing, and responding to security risks. Every security decision is a risk management decision.
Risk Assessment Frameworks
NIST SP 800-30 Rev. 1 provides the standard methodology for conducting risk assessments: system characterization, threat identification, vulnerability identification, control analysis, likelihood determination, impact analysis, risk determination, and recommendations. The process produces a risk register — a prioritized list of risks with assigned owners and treatment plans.
ISO 31000 defines risk management principles and guidelines at the organizational level. ISO 27005 applies these principles to information security specifically, providing guidance for establishing context, risk assessment, risk treatment, risk acceptance, risk communication, and risk monitoring.
Risk Treatment Options
The four risk treatment options are: mitigate (implement controls to reduce likelihood or impact), accept (acknowledge the risk with formal sign-off by management), transfer (purchase cyber insurance, outsource to a managed security service provider), and avoid (discontinue the activity that generates the risk).
Quantitative vs Qualitative Risk Analysis
Qualitative analysis uses ordinal scales (High, Medium, Low) based on expert judgment — faster but subjective. Quantitative analysis uses monetary values and statistical methods (Annualized Loss Expectancy, Monte Carlo simulation) — more precise but resource-intensive. Most organizations use a hybrid approach: qualitative for day-to-day decisions, quantitative for major investments.
Security Frameworks
Security frameworks provide structured approaches for building and evaluating security programs.
NIST Cybersecurity Framework (CSF 2.0)
The NIST CSF, updated to version 2.0 in February 2024, expanded from five functions (Identify, Protect, Detect, Respond, Recover) to six — adding “Govern” as the foundation for all other functions. Govern covers cybersecurity strategy, risk management, supply chain risk, and oversight. The CSF is framework-agnostic, mapping to NIST SP 800-53, ISO 27001, and COBIT. Implementation Tiers (Partial, Risk-Informed, Repeatable, Adaptive) help organizations benchmark their maturity.
ISO 27001:2022
ISO 27001 mandates an Information Security Management System (ISMS) with continuous improvement. Annex A lists 93 controls across organizational, people, physical, and technological domains. The Plan-Do-Check-Act (PDCA) cycle drives iterative improvement. Unlike the CSF, ISO 27001 is certifiable — accredited third-party auditors validate compliance.
NIST SP 800-53 Rev. 5
NIST SP 800-53 catalogs over 1,000 security and privacy controls organized into 20 families (Access Control, Audit and Accountability, Configuration Management, Incident Response, etc.). FedRAMP requires CSPs to implement a subset of 800-53 controls. The control catalog is in the public domain and commonly referenced by non-federal organizations as a control baseline.
Core Security Domains
Network Security
Network security controls traffic between systems. Defense-in-depth applies multiple overlapping controls: perimeter firewalls, internal segmentation (VLANs, microsegmentation), IDS/IPS (Suricata, Snort), VPN gateways (WireGuard, OpenVPN), and network access control (802.1X). The zero trust model eliminates the concept of a trusted internal network — every request is authenticated, authorized, and encrypted regardless of origin.
Application Security
Application security (AppSec) protects software throughout the SDLC. The OWASP Top 10 catalogs the most critical web application risks. Secure coding practices (input validation, output encoding, parameterized queries, CSRF tokens) prevent vulnerabilities. Security testing integrates SAST, DAST, and SCA into CI/CD pipelines.
Endpoint Security
Endpoints — desktops, servers, mobile devices — are the most common breach target. Modern endpoint security stacks include: EDR (CrowdStrike, SentinelOne, Microsoft Defender for Endpoint), antivirus/antimalware, host firewall, application control, device encryption (BitLocker, FileVault, LUKS), and mobile device management (MDM).
Identity Security
Identity is the new perimeter in modern architectures. Identity security encompasses: user authentication (SSO, MFA, passwordless), privileged access management (PAM), identity governance (access certification, SoD), and identity threat detection (anomalous login patterns, impossible travel).
Security Metrics and Program Maturity
Measuring security effectiveness is essential for demonstrating value and justifying investment.
Key Security Metrics
The SANS Critical Security Controls and the CISO Metrics Framework define categories for security measurement. Prevention metrics: percentage of systems patched within SLA, MFA adoption rate, phishing click-through rate, and configuration compliance score. Detection metrics: mean time to detect (MTTD), SIEM alert-to-case conversion rate, and coverage of log sources (percentage of assets sending logs to SIEM). Response metrics: mean time to contain (MTTC), mean time to recover (MTTR), and tabletop exercise completion rate. The 2025 CISO Benchmarking Report found that organizations measuring detection and response metrics achieve 38% lower breach costs.
Maturity Models
The C2M2 (Cybersecurity Capability Maturity Model) from DOE and the CMMC (Cybersecurity Maturity Model Certification) from DoD provide structured maturity frameworks. C2M2 defines MIL-0 (not performed) through MIL-4 (optimized) across 10 domains including: asset management, risk management, threat management, situational awareness, and information sharing. The NIST CSF 2.0 Implementation Tiers (Partial, Risk-Informed, Repeatable, Adaptive) provide maturity assessment without prescribed controls. Regular maturity assessments (annually) track program improvement and identify gaps.
Business Continuity and Disaster Recovery
Business continuity (BC) and disaster recovery (DR) ensure availability during disruptive events. BC maintains business operations during disruption; DR restores IT systems after a disaster. NIST SP 800-34 defines the DR lifecycle: develop recovery strategies, document procedures, train personnel, test plans, and maintain improvement. Key metrics: Recovery Time Objective (RTO) and Recovery Point Objective (RPO). Cloud DR strategies range from backup-and-restore (lowest cost) to multi-site active-active (lowest RTO). The 2025 Gartner DRaaS Market Guide reports 67% of enterprises use cloud DR. AI-driven security operations (AI-SOC) now use machine learning for alert triage, achieving 60% false positive reduction according to the 2025 SecOps AI Benchmark. Extended Detection and Response (XDR) converges endpoint, network, and cloud telemetry into unified workflows.
Cyber Threat Intelligence
Threat intelligence (CTI) provides context about adversaries, their capabilities, and their intentions. CTI is categorized by the intelligence lifecycle: direction (what to collect), collection (sources: open-source, dark web, closed communities, technical indicators), processing (normalize, deduplicate, enrich), analysis (correlation, attribution, risk assessment), dissemination (reports, feeds, briefings), and feedback (refine requirements). Structured threat information formats (STIX 2.1, TAXII 2.1) enable machine-readable intelligence sharing through Information Sharing and Analysis Centers (ISACs). The 2025 SANS CTI Survey found that organizations operationalizing CTI reduce breach dwell time by 37%. Cyber threat intelligence also directly informs vulnerability prioritization — when a CVE appears in threat intelligence feeds as actively exploited, its remediation priority should immediately escalate regardless of CVSS score, following CISA Known Exploited Vulnerabilities (KEV) catalog guidance.
FAQ
What is the difference between InfoSec and cybersecurity? Information security protects all data (digital and physical). Cybersecurity specifically protects digital assets connected to networks. In practice, the terms are often used interchangeably.
Which security framework should I use? NIST CSF for strategic guidance and C-suite communication. ISO 27001 for certifiable compliance. NIST SP 800-53 for detailed control implementation. Most mature organizations use a combination.
What is defense in depth? Multiple layers of security controls so that if one layer fails, others still provide protection. Example: firewall + IDS + endpoint EDR + application-level input validation + encryption.
How often should I conduct a risk assessment? Annually for organizational risk assessments, quarterly or event-driven for project and system-level assessments. Continuous risk monitoring through GRC platforms is replacing the annual cycle.
What is the difference between a threat and a vulnerability? A threat is a potential cause of an incident (hacker, malware, natural disaster). A vulnerability is a weakness that could be exploited by a threat. Risk is the intersection of threat, vulnerability, and impact.
For implementation details, read Cloud Security Guide for cloud environments. Learn Threat Modeling for proactive risk identification. See Security Compliance for framework-specific requirements.