Security is generally defined as the state of being free from danger or threat. This concept applies to computer systems and digital information as well.
Authentication is the process by which a computer system determines the identity or permissions of a person. A key step in authenticating a user is to properly identify that person. Once their identity is known, their permissions can be handled.
Encryption is the use of an algorithm to alter data in such a way that it can't be interpreted by another person or computer system without knowledge of the algorithm. One-way encryption alters data in a way that can't easily be undone. This is useful for data such as passwords, where the information only needs to be compared for a match and never needs to be directly visible. Two-way encryption alters data with an algorithm that can then be used later to decrypt and read the data.
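The one-way case described above, as an added example in Python (not part of the original page): a password is stored only as a salted PBKDF2 digest and is later checked by recomputing and comparing, never by decrypting. The function names, the record format and the iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor; tune to your own hardware
SALT_BYTES = 16


def hash_password(password: str, *, iterations: int = ITERATIONS) -> str:
    """Return a storable record: algorithm$iterations$salt_hex$digest_hex."""
    salt = os.urandom(SALT_BYTES)  # unique per record, so equal passwords differ
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations
    )
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the one-way transform and compare; nothing is decrypted."""
    try:
        algorithm, rounds, salt_hex, digest_hex = record.split("$")
        if algorithm != "pbkdf2_sha256":
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256",
            password.encode("utf-8"),
            bytes.fromhex(salt_hex),
            int(rounds),
        )
        expected = bytes.fromhex(digest_hex)
    except (ValueError, OverflowError):
        return False  # malformed or unsupported record: fail closed
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed sample input, not taken from the page.
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("right password:", verify_password("correct horse battery staple", record))
    print("wrong password:", verify_password("password123", record))
```

The stored record contains the salt and the digest but not the password, so anyone who reads it can only test guesses against it.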
 Best Practices
As with other aspects of computing, there are best practices which apply to information security.
 Risk Management
- Assume your systems and information need to be secured. No organization of any size should ignore security.
- Having never been compromised does not mean a system is secure.
- Assign one person or a small team to be in charge of security and risk management.
- Assume any component of a complete system or subsystem may be a security risk. For example, two independently secured computers may be communicating through an insecure network router. Evaluate the entire environment.
- When possible, train and educate users. Users themselves are typically the weakest security point. So-called "social engineering", for example, manipulates users to gain information and access. Educating users, while sometimes costly, can improve security more than many technical solutions. There will always be some users, however, who are resistant to learning.
- Users generally consider convenience over security. Assume they will use very simple passwords and write them down.
- A system locked down too tightly will frustrate users and alienate them. They will be less productive and will likely attempt to simplify the situation by easing security. For example, when they have the opportunity, they might always operate under administrative privileges if it means they'll face far fewer barriers and annoying warnings.
- Assume that if you put up one barrier, users will find a way to circumvent it. For example, if you block instant messaging applications, users can go to web sites which have the feature integrated.
 Security Policies and Compliance
- When applicable, write a practical security policy. This can only be done with a deep understanding of the business and its processes. Be sure it follows all necessary regulatory compliance requirements.
- Make the policy easily available and as easy as possible to read.
- Don't assume users will read and adhere to a security policy. When possible, have the system enforce the policies.
- One generic policy may not be appropriate for all systems in an organization. When necessary, extend the policy for any specific systems.
- Do not blindly trust third-party tools, such as firewalls and anti-virus software. Always test and audit the software and any upgrades. Add custom software to the chain which can monitor for flaws.
- Plan for failure. Any security software might fail or be breached. Monitor the software and periodically test for security holes.
- Have monitoring software retain logs. When a security hole is found, it needs to be determined whether it has been leveraged to break into a system. Also, after a system has been cracked, the breach may go unnoticed until logs are scanned for evidence.