Written by Dennis Palmer, Senior Assurance Associate, HITRUST.
A shift has recently been observed in the type and direction of attacks on information systems. Traditionally, these events were reported as a hack, a network attack, or something similar. Today, when security professionals research these events, a different term is often used: cyber attack. If the terms really can be used interchangeably, how exactly is cyber security different from information security?
First, let’s take a look at the terms information assurance, information security, and cybersecurity.
Information Assurance (IA) can be defined as the measures taken to protect and defend information and information systems by ensuring their confidentiality, integrity, and availability. These measures can include, but are not limited to, risk reduction, compliance, certification, privacy, and business continuity programs. IA programs also typically include the physical infrastructure and human capital aspect of an organization.
Information Security involves protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to preserve confidentiality, integrity, and availability. Although the terms are similar, information security can be seen as a subset of an effective IA program. Information assurance generally operates at the strategic rather than the tactical level and addresses a broader spectrum of information management and protection. It is also more concerned with the organization's overall risk and risk mitigation than traditional information security, which is primarily focused on technology and operations, including applications and infrastructure.
Cybersecurity, on the other hand, is defined as the organization's ability to protect or defend the use of cyberspace. Cyberspace is the global domain within the information environment consisting of an interdependent network of information system infrastructures, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers. One primary difference to consider when treating cybersecurity as part of your information security and information assurance program is scope of threat: cybersecurity is focused on malicious human threats, whereas information assurance and information security address multiple threat actors, malicious or non-malicious, human and natural.
Questions about cyber security versus information security therefore tend to come from people who struggle to differentiate these terms. They may come from management, the C-Suite, and/or the Board of Directors. Information protection professionals need to be prepared to answer these questions at every level, from executive management to line management on down to the workforce.
Dennis Palmer is a Senior Assurance Associate at HITRUST. He is a certified information security professional with over 25 years of government and corporate experience. His expertise includes information system evaluation, reporting, and classroom instruction.