Jul 09 2009

Is there a difference between Information Security and Information Systems Security?

Very good question, Ray. Thank you for that.

Certainly different businesses and authorities may define these two terms differently. When they are presented together in this question, I believe that our natural reaction is to say, “Yes, there is a difference.” This makes me think, “Okay, what’s the difference?”

First, an illuminating digression: one interesting difference between the thinking of Information Systems (IS) professionals and Information Technology (IT) professionals is that IS professionals are interested in information before it enters the IT infrastructure and after it leaves the IT infrastructure. Employees carry information with them or become living archives of institutional knowledge. IS professionals may seek to transform that knowledge into electronic form in order to preserve it beyond the employee's date of last employment (or beyond the date that the employee can still remember it). IS professionals view people as (possibly fragile) parts of the information system.

Your question was about Information Security and Information Systems Security. Information Security would seem to be the broader of the two terms and may include the following concerns (and likely others), which I have ordered from "closer to the machine" to "closer to the user":

(closer to the machine)

  • security of the physical computing infrastructure
  • security of the encryption algorithms and communication protocols that run on the networks
  • security of the operating systems and applications that are hosted on the system hardware
  • security related to user privileges
  • security of the information stored or transmitted in the system
  • training of employees
  • preserving employee knowledge

(closer to the user)

Now, since Information Systems is the discipline that emphasizes information, I would suggest that Information Systems Security is primarily about the last three concerns: security of the information stored or transmitted in the system, training of employees, and preserving employee knowledge.

Certainly, the other concerns are important to the IS-Security professional as well, such as the security of the operating systems, applications, and user privileges, since these can have an impact on the security of the information. But as we move closer to the top of the list of concerns, they seem to me to be more IT-Security related and less IS-Security related. It would make sense for the entire list to be the concern of the "Information Security" professional, but it is my belief that in practice, when we say "information security," we are being ambiguous. Each computing discipline has its own approach to the topic of security. Computer Science (CS) is concerned primarily with the algorithms and the formal proof of the security of a system. IT is concerned primarily with the security of the physical infrastructure, the operating systems, and applications. Software Engineers (SE) are concerned primarily with the application of proven or best practices in the design of software, and Computer Engineers (CE) are concerned primarily with the design and fault-tolerance of the actual machines.

2 Comments

  • By robbert, April 13, 2010 @ 9:26 am

    Nice article and just what I was looking for.

    However, I think you mixed up IS and ISS in the paragraph after the table.

    regards,
    robbert

  • By Mark Renslow, April 30, 2010 @ 4:14 pm

    I think you are right. I made the change you suggested, Robert.
