Within the realm of information security, a lot of attention is paid to the vectors of attack: essentially, how an attacker can go after your networks, systems, people and information. These vectors focus on how attacks can occur and how to detect and respond to them. But they address only part of the challenge in securing today's complex information technology (IT) environments.
Vectors of Information Security start with a definition of what behavior is allowed, and then monitor and react to anything outside of that defined criteria. Most information security policies are written in the form "Administrators will deny access to those not allowed". In the form of VIS, we instead say that "Active employees are allowed access" and respond to all access outside that definition. This is a variation on security models whose policies are based on denying access, and it is a change in mindset for many security professionals.
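To make the difference concrete, here is an added example (not part of the original article) that evaluates the same access events under a deny-based rule and under the VIS-style rule "Active employees are allowed access". The account names, HR statuses, resources and the treatment of `on_leave` as not active are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample data: HR status per account (assumed source of truth).
HR_STATUS = {
    "alice": "active",
    "bob": "terminated",
    "carol": "active",
    "dave": "on_leave",  # assumption: on leave does not count as active
}
# Deny-based model: only accounts an administrator remembered to block.
DENY_LIST = {"bob"}


@dataclass(frozen=True)
class AccessEvent:
    user: str
    resource: str


# Constructed access events, as they might be parsed from an access log.
EVENTS = [
    AccessEvent("alice", "payroll-db"),
    AccessEvent("bob", "payroll-db"),
    AccessEvent("dave", "crm"),
    AccessEvent("svc-backup", "payroll-db"),  # account unknown to HR
]


def deny_based(event):
    """'Deny access to those not allowed': permit unless explicitly blocked."""
    return event.user not in DENY_LIST


def allow_based(event):
    """'Active employees are allowed access': permit only defined behavior."""
    return HR_STATUS.get(event.user) == "active"


def out_of_policy(events, policy):
    """Events that fall outside the policy and therefore need a response."""
    return [e for e in events if not policy(e)]


def missed_by_deny_list(events):
    """Events the deny list lets through but the allow definition flags."""
    return [e for e in events if deny_based(e) and not allow_based(e)]


if __name__ == "__main__":
    for e in out_of_policy(EVENTS, allow_based):
        status = HR_STATUS.get(e.user, "unknown")
        print(f"RESPOND: {e.user} -> {e.resource} (status={status})")
```

The deny list only catches the account someone thought to block; the allow definition also surfaces the on-leave employee and the account HR has never heard of.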
More critical than the vectors of attack are the overarching Vectors of Information Security (VIS). These correlate to the overall usage of information and allow Architects, Administrators and IT Leadership to plan accordingly for information access and risk management around expected usage patterns. The three Vectors of Information Security are:
- Paths of access – This category focuses on all the tools, technologies and applications that allow access to a corporation’s data. This includes both data in transit and data at rest.
- Paths of change – This avenue is for documenting and understanding how information changes; information can include access logs, configurations, customer information and financial information, just to name a few.
- Paths of risk – This is the category that vectors of attack will become part of. Path of risk is the likelihood that an unknown, unacceptable or unanticipated event will occur and the associated cost to the organization for the incident.
Information security is about risk management and mitigation. The Vectors of Information Security enable organizations to outline clear policies for understanding, managing and responding to the risk that is inherent in today's interconnected systems.