Difference bw IT security and Information Security!!!

mukuljack

Today I had an interview with one of the companies,but failed .

They asked me difference bw IT security and Information Security and what is information security all about..

Any thoughts on above two questions?

JDMurray

IT security is usually regarded as only considering technical (logical) security issues. Information Security is a much broader concept that encompasses all forms of information protection and control, not just those involving computers and networks. This might have been the kind of short answer they were looking for.

shednik

I'd have to agree with JD but I think that question is complete BS, the company should spend the interview time asking more intuitive questions then something like that IMO.

LarryDaMan

shednik wrote:

I'd have to agree with JD but I think that question is complete BS, the company should spend the interview time asking more intuitive questions then something like that IMO.

I agree, sounds like some HR idiots got a hold of a CISSP book and decided to get creative in the interview...

mukuljack

bt I lost the job ...okie one more thing"what is the role of QA in Info Security" and JD please tell me what is the scope of CISA with info security

JDMurray

mukuljack wrote:

"what is the role of QA in Info Security" and JD please tell me what is the scope of CISA with info security

It sounds like you were asked basic questions right out of the CISSP, CISM, and CISA material.

QA (Quailty Assuance) is used to provide assurance (i.e., testing and a guarantee) that a system (e.g., product, process, or service) is designed, implemented, and operates within the standards and specifications prescribed for that system. QA in InfoSec usually means that an information system (hardware or software or both) conforms to a specific security model(s) and is capable of executing specific security policies. QA is also used to try and "hack" software to find vulnerabilities that might be exploited to circumvent the security controls of an information system. (Don't you just love all this fancy InfoSec talk? )

The ISACA CISA Certification is related to InfoSec QA for auditing, control, and assurance professionals. The CISA exam is based on six InfoSec job practices (IS audit, IT governance, IT services, BCP/DRP, systems lifecycle, and asset protection) and can be thought of as covering most non-technical aspects of InfoSec.

Martinalix

JD i will go interview with one of company you i read your Q you clear my mind you solve my big problem thanks wht i should do for you ?

sexion8

shednik wrote:

I'd have to agree with JD but I think that question is complete BS, the company should spend the interview time asking more intuitive questions then something like that IMO.

They could have asked in anticipation of determining whether he was a fit. For instance, if they were looking for the auditor type (CISA), someone who is very sharp with reviewing policies, understanding roles, etc., in the security arena, its a far cry from looking for someone who is sharp on the technical side of things. Many who tinker with security come in focusing on tools, technologies, protocols often forgetting about the business aspects of it all. At a company's bottom line are terms like ROI, BIA, Change Management, DRM, etc., and its important to understand and distinguish between the two. I've disliked these portions since I prefer the technical side of things however, as time progresses I've found I've had no choice but to learn them.

It doesn't hurt to read up and learn on different standards, rules, regulations and methodologies of other certifying bodies (CISA, CISM, CISSP {ISSEM,ISSAM,ISSAP}, ITIL) even if you don't intend on taking those certs or even going the management route. At the end you grasp a better comprehension of what's involved on a larger scale. On the technical side of things, we (as engineers/admins) tend to look at our own processes, roles, duties forgetting there is a chain of command. Equipment has to be purchased... Why does it have to be purchased. How much does it cost. How much will it cost throughout its lifecycle. How does it benefit us. Will it protect us, will it meet regulatory compliance (if needed). What are the best practices at deploying it. Who else has deployed it. What were their results. What are the risks/pitfalls associated with it. And the list goes on. We on the technical side call this paperwork. Paperwork we often don't like to do or think about.

Any question a potential employer can ask you is a valid one if it pertains to a position you're applying for. Its best to read about the company, understand its functions, goals, business before going in. Using the information you learn, its easier to situate yourself and assess your knowledge beforehand. For example, if the ad for the job consisted of terms like BIA, DRM then I know its not going to be a technical (what kind of system/hardware) interview.

UnixGuy

shednik wrote:

I'd have to agree with JD but I think that question is complete BS, the company should spend the interview time asking more intuitive questions then something like that IMO.

+1

LarryDaMan wrote:

I agree, sounds like some HR idiots got a hold of a CISSP book and decided to get creative in the interview...

+1

jeffreyfrog

IT security is usually regarded as only considering technical (logical) security issues.

Information security on the other hand, is a somewhat more general concept of being sure information systems have confidentiality, integrity, and availability. This can include network security as well as cryptography, access control (not only who has access but what they can do), physical security, and more. It covers everything from the earliest encryption codes to how computers are locked down.

JDMurray

Coming from the opposite angle, the one lowest common denominator of both ITSec and InfoSec is that they both deal fundamentally with risk management. If there were no risks, there would be no need for security.