Information security
Information security, sometimes shortened to InfoSec, is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. It is a general term that applies regardless of the form the data may take (electronic, physical, etc.).
1 IT security
Sometimes referred to as computer security, Information Technology security is information security applied to technology (most often some form of computer system). Note that "computer" does not necessarily mean a home desktop: a computer is any device with a processor and some memory. Such devices range from non-networked standalone devices as simple as calculators to networked mobile computing devices such as smart phones and tablet computers. IT security specialists are found in almost every major enterprise because of the nature and value of the data held by larger businesses. They are responsible for keeping the organization's technology secure from malicious cyber attacks, which typically attempt to reach critical private information or to gain control of internal systems.
2 Information assurance
The act of ensuring that data is not lost when critical issues arise. These issues include, but are not limited to, natural disasters, computer/server malfunction, physical theft, or any other situation in which data could be lost. Since most information is now stored on computers, information assurance is typically handled by IT security specialists. One of the most common methods of providing information assurance is to keep an off-site backup of the data in case one of these issues arises. A backup only provides assurance if it is kept separate from the systems it protects and restores from it are tested regularly.
Governments, military, corporations, financial institutions, hospitals and private businesses amass a great deal of confidential information about their employees, customers, products, research and financial status. Most of this information is now collected, processed and stored on electronic computers and transmitted across networks to other computers.
Should confidential information about a business' customers, finances or new product line fall into the hands of a competitor or a black hat hacker, the business and its customers could suffer widespread, irreparable financial loss, not to mention damage to the company's reputation. Protecting confidential information is a business requirement and in many cases also an ethical and legal requirement. A key concern for organizations is deriving the optimal amount to invest, from an economics perspective, in information security. The Gordon-Loeb Model provides a mathematical economic approach for addressing this concern.
For the individual, information security has a significant effect on privacy, which is viewed very differently in different cultures.
The field of information security has grown and evolved significantly in recent years. There are many ways of gaining entry into the field as a career. It offers many areas for specialization, including securing networks and allied infrastructure, securing applications and databases, security testing, information systems auditing, business continuity planning and digital forensics.
3 Definition
"Preservation of confidentiality, integrity and availability of information."
"The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability."
"Ensures that only authorized users (confidentiality) have access to accurate and complete information (integrity) when required (availability)."
"Information Security is the process of protecting the intellectual property of an organization."
"Information security is a risk management discipline, whose job is to manage the cost of information risk to the business."
4 Basic principles
The CIA triad of confidentiality, integrity, and availability is at the heart of information security. (The members of the classic InfoSec triad, confidentiality, integrity and availability, are referred to interchangeably in the literature as security attributes, properties, security goals, fundamental aspects, information criteria, critical information characteristics and basic building blocks.) There is continuous debate about extending this classic trio. Other principles such as accountability have sometimes been proposed for addition; it has been pointed out that issues such as non-repudiation do not fit well within the three core concepts, and as regulation of computer systems has increased (particularly amongst the Western nations) legality is becoming a key consideration for practical security installations.
In 1992, and revised in 2002, the OECD's Guidelines for the Security of Information Systems and Networks proposed nine generally accepted principles: awareness, responsibility, response, ethics, democracy, risk assessment, security design and implementation, security management, and reassessment. Building upon those, in 2004 NIST's Engineering Principles for Information Technology Security proposed 33 principles. Guidelines and practices have been derived from each of these.
In 2002, Donn Parker proposed an alternative to the classic CIA triad that he called the six atomic elements of information: confidentiality, possession, integrity, authenticity, availability, and utility. The merits of the Parkerian hexad are a subject of debate amongst security professionals.
4.1 Integrity
In information security, data integrity means maintaining and assuring the accuracy and consistency of data over its entire life-cycle: data cannot be modified in an unauthorized or undetected manner. This is not the same thing as referential integrity in databases, although it can be viewed as a special case of consistency as understood in the classic ACID model of transaction processing. Integrity is violated when a message is actively modified in transit. Information security systems therefore typically provide message integrity (for example with a message authentication code or a digital signature) in addition to data confidentiality; encryption alone does not guarantee that a message has not been altered.
4.2 Availability
For any information system to serve its purpose, the information must be available when it is needed. This means that the computing systems used to store and process the information, the security controls used to protect it, and the communication channels used to access it must all be functioning correctly. High availability systems aim to remain available at all times, preventing service disruptions due to power outages, hardware failures, and system upgrades. Ensuring availability also involves preventing denial-of-service attacks, such as a flood of incoming requests that exhausts the target system's resources so that it can no longer serve legitimate users.
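One basic availability control against the request flood just described is a per-client token bucket: a flood from one source is cut off once that source's bucket is empty, while other clients keep being served. The following Go program is an added example written for this page, not code from the original text; the client names, rates and request timings are constructed for the demonstration, and the caller passes the clock in milliseconds so the behaviour is deterministic.

```go
package main

import "fmt"

// TokenBucket is a per-client rate limiter. Each client starts with a full
// bucket of `burst` tokens, earns `ratePerSec` tokens per second, and pays
// one token per request. Tokens are tracked in thousandths and time in
// milliseconds so the arithmetic stays exact (no floating point).
type TokenBucket struct {
	ratePerSec int64            // tokens earned per second per client
	burst      int64            // maximum tokens a client may hold
	tokens     map[string]int64 // milli-tokens currently held per client
	lastMs     map[string]int64 // time of each client's last request
}

func NewTokenBucket(ratePerSec, burst int64) *TokenBucket {
	return &TokenBucket{ratePerSec: ratePerSec, burst: burst,
		tokens: map[string]int64{}, lastMs: map[string]int64{}}
}

// Allow reports whether a request from client arriving at nowMs may be served.
// The clock is passed in explicitly so the limiter is deterministic and testable.
func (b *TokenBucket) Allow(client string, nowMs int64) bool {
	const cost = 1000 // one token, in milli-tokens
	limit := b.burst * 1000
	tok, seen := b.tokens[client]
	if !seen {
		tok = limit // unknown client: full bucket
	} else {
		if elapsed := nowMs - b.lastMs[client]; elapsed > 0 {
			// ratePerSec tokens/s is the same as ratePerSec milli-tokens/ms
			tok += elapsed * b.ratePerSec
		}
		if tok > limit {
			tok = limit
		}
	}
	b.lastMs[client] = nowMs
	if tok < cost {
		b.tokens[client] = tok
		return false // bucket empty: reject rather than queue the flood
	}
	b.tokens[client] = tok - cost
	return true
}

// FloodDemo replays a constructed request stream: "attacker" fires 100
// requests in one second (one every 10 ms), then "alice" makes two ordinary
// requests 100 ms apart. With a 2 req/s rate and a burst of 5, the flood is
// capped at its burst plus the trickle it earns, while alice is served in full.
func FloodDemo() (attackerServed, aliceServed int) {
	b := NewTokenBucket(2, 5)
	var now int64
	for i := 0; i < 100; i++ {
		if b.Allow("attacker", now) {
			attackerServed++
		}
		now += 10
	}
	for i := 0; i < 2; i++ {
		if b.Allow("alice", now) {
			aliceServed++
		}
		now += 100
	}
	return attackerServed, aliceServed
}

func main() {
	a, l := FloodDemo()
	fmt.Printf("attacker served %d of 100, alice served %d of 2\n", a, l)
}
```

A real deployment keys the bucket on something the attacker cannot cheaply vary (an authenticated identity rather than a spoofable source address) and evicts idle clients from the maps so the limiter itself cannot be exhausted.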
4.3 Authenticity
In computing, e-business, and information security, it is necessary to ensure that data, transactions, communications or documents (electronic or physical) are genuine. Authenticity also requires validating that both parties involved are who they claim to be. Some information security systems incorporate authentication features such as digital signatures, which give evidence that the message data is genuine and was sent by someone possessing the proper signing key.
4.4 Non-repudiation
In law, non-repudiation implies one's intention to fulfill one's obligations under a contract. It also implies that one party to a transaction cannot deny having received the transaction, nor can the other party deny having sent it.
It is important to note that while technology such as cryptographic systems can assist in non-repudiation efforts, the concept is at its core a legal one that transcends technology. It is not, for instance, sufficient to show that the message matches a digital signature made with the sender's private key, and thus that only the sender could have sent the message and nobody else could have altered it in transit. The alleged sender could in return demonstrate that the digital signature algorithm is vulnerable or flawed, or allege or prove that the signing key has been compromised. The fault for these violations may or may not lie with the sender, and such assertions may or may not relieve the sender of liability, but they would invalidate the claim that the signature necessarily proves authenticity and integrity and thus prevents repudiation.
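The three preceding sections on integrity, authenticity and non-repudiation can be demonstrated with one program. The Go code below is an added example for this page, not code from the original text. It signs a constructed payment instruction with Ed25519, shows that an altered message (integrity) and a message signed by another party's key (authenticity) both fail verification, and then contrasts this with an HMAC over a shared key: the HMAC detects tampering just as well, but because the receiver holds the same key it can produce an equally valid tag, so a MAC cannot support non-repudiation towards a third party. The message text and key generation are assumptions of the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Signed is a message with a detached Ed25519 signature over it.
type Signed struct {
	Msg []byte
	Sig []byte
}

// Sign needs the private key, which only the sender holds.
func Sign(priv ed25519.PrivateKey, msg []byte) Signed {
	return Signed{Msg: msg, Sig: ed25519.Sign(priv, msg)}
}

// Verify uses only the public key and fails if either the message was
// altered (integrity) or it was signed with some other key (authenticity).
func Verify(pub ed25519.PublicKey, s Signed) bool {
	return ed25519.Verify(pub, s.Msg, s.Sig)
}

// HMACTag is the shared-key alternative: HMAC-SHA256 over the message.
func HMACTag(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// HMACVerify compares tags in constant time to avoid a timing side channel.
func HMACVerify(key, msg, tag []byte) bool {
	return hmac.Equal(HMACTag(key, msg), tag)
}

// Outcome records what each check decided in the demo below.
type Outcome struct {
	Genuine          bool // untouched, correctly signed message verifies
	Tampered         bool // altered message with the original signature verifies
	Forged           bool // message signed by another party's key verifies
	HMACGenuine      bool // tag made with the shared key verifies
	ReceiverCanForge bool // the receiver, holding the same key, makes a valid tag
}

// Demo runs the checks over a constructed payment instruction.
func Demo() (Outcome, error) {
	var o Outcome
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return o, err
	}
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader) // a different party
	if err != nil {
		return o, err
	}
	msg := []byte("transfer 100 EUR to account 42")     // constructed sample
	altered := []byte("transfer 900 EUR to account 42") // modified in transit

	s := Sign(priv, msg)
	o.Genuine = Verify(pub, s)
	o.Tampered = Verify(pub, Signed{Msg: altered, Sig: s.Sig})
	o.Forged = Verify(pub, Sign(otherPriv, msg))

	// Shared key: sender and receiver both hold it.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return o, err
	}
	o.HMACGenuine = HMACVerify(key, msg, HMACTag(key, msg))
	// Anyone with the key, including the receiver, can tag any message, so a
	// valid tag cannot prove to a third party which side produced it.
	o.ReceiverCanForge = HMACVerify(key, altered, HMACTag(key, altered))
	return o, nil
}

func main() {
	o, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```

Even the signature case only settles the technical half of the question: a successful Verify shows that the holder of the private key signed exactly these bytes, and the section above explains why a court may still hear arguments that the key was compromised or the algorithm flawed.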
5 Risk management
The Certified Information Systems Auditor (CISA) Review Manual 2006 provides the following definition of risk management: "Risk management is the process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives, and deciding what countermeasures, if any, to take in reducing risk to an acceptable level, based on the value of the information resource to the organization."
There are two things in this definition that may need some clarification. First, risk management is an ongoing, iterative process that must be repeated indefinitely: the business environment is constantly changing, and new threats and vulnerabilities emerge every day. Second, the choice of countermeasures (controls) used to manage risks must strike a balance between productivity, cost, the effectiveness of the countermeasure, and the value of the informational asset being protected.
Risk analysis and risk evaluation processes have their limitations since, when security incidents occur, they emerge in a context, and their rarity and even their uniqueness give rise to unpredictable threats. The analysis of these phenomena, which are characterized by breakdowns, surprises and side-effects, requires a theoretical approach that is able to examine and interpret subjectively the detail of each incident.
Risk is the likelihood that something bad will happen that causes harm to an informational asset (or the loss of the asset). A vulnerability is a weakness that could be used to endanger or cause harm to an informational asset. A threat is anything (man-made or act of nature) that has the potential to cause harm.
The likelihood that a threat will use a vulnerability to cause harm creates a risk. When a threat does use a vulnerability to inflict harm, it has an impact. In the context of information security, the impact is a loss of availability, integrity, or confidentiality, and possibly other losses (lost income, loss of life, loss of real property). It is not possible to identify all risks, nor is it possible to eliminate all risk. The risk that remains after controls are applied is called "residual risk".
A risk assessment is carried out by a team of people who have knowledge of specific areas of the business. Membership of the team may vary over time as different parts of the business are assessed. The assessment may use a subjective qualitative analysis based on informed opinion, or, where reliable dollar figures and historical information are available, a quantitative analysis.
Research has shown that the most vulnerable point in most information systems is the human user, operator, designer, or other human. The ISO/IEC 27002:2005 Code of practice for information security management recommends the following be examined during a risk assessment:
security policy,
organization of information security,
asset management,
human resources security,
physical and environmental security,
communications and operations management,
access control,
information systems acquisition, development and maintenance,
information security incident management,
business continuity management, and
regulatory compliance.
In broad terms, the risk management process consists of:
Identification of assets and estimating their value. Include: people, buildings, hardware, software, data (electronic, print, and other), and supplies.
Conduct a threat assessment. Include: acts of nature, acts of war, accidents, and malicious acts originating from inside or outside the organization.
Conduct a vulnerability assessment, and for each vulnerability, estimate the probability that it will be exploited. Evaluate policies, procedures, standards, training, physical security, quality control, technical security.
Calculate the impact that each threat would have on each asset. Use qualitative analysis or quantitative analysis.
Identify, select and implement appropriate controls. Provide a proportional response. Consider productivity, cost effectiveness, and value of the asset.
Evaluate the effectiveness of the control measures. Ensure the controls provide the required cost-effective protection without discernible loss of productivity.
For any given risk, management can choose to accept the risk based upon the relatively low value of the asset, the relatively low frequency of occurrence, and the relatively low impact on the business. Or, leadership may choose to mitigate the risk by selecting and implementing appropriate control measures to reduce it. In some cases, the risk can be transferred to another business by buying insurance or outsourcing. The reality of some risks may be disputed; in such cases leadership may choose to deny the risk.
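The quantitative form of the process above, from asset value and threat frequency through to the accept/mitigate/transfer choice, and the Gordon-Loeb investment bound mentioned earlier, can be worked through on a small register. The Go program below is an added example for this page, not code from the original text or from any standard. The register entries, control costs, risk appetite and insurance premium are constructed figures; the Treat rule is an illustrative policy, not the only defensible one; and mapping the Gordon-Loeb model's breach probability v onto the annual rate of occurrence (capped at 1) and its loss L onto the single loss expectancy is a simplifying assumption of this example.

```go
package main

import (
	"fmt"
	"math"
)

// Risk is one line of a risk register: a threat acting on an asset through
// some vulnerability, quantified the way the process above asks for.
type Risk struct {
	Asset          string
	Threat         string
	AssetValue     float64 // value of the asset, in currency units
	ExposureFactor float64 // fraction of the value lost per incident (0..1)
	AnnualRate     float64 // expected incidents per year (ARO)
}

// Control is a candidate countermeasure and its effect on one risk.
type Control struct {
	Name        string
	AnnualCost  float64
	NewExposure float64 // exposure factor once the control is in place
	NewRate     float64 // ARO once the control is in place
}

// SLE, the single loss expectancy, is what one incident costs.
func SLE(r Risk) float64 { return r.AssetValue * r.ExposureFactor }

// ALE, the annualised loss expectancy, spreads that over the expected frequency.
func ALE(r Risk) float64 { return SLE(r) * r.AnnualRate }

// Residual is the same risk after applying c.
func Residual(r Risk, c Control) Risk {
	r.ExposureFactor, r.AnnualRate = c.NewExposure, c.NewRate
	return r
}

// NetBenefit is the ALE reduction a control buys minus what it costs per year.
func NetBenefit(r Risk, c Control) float64 {
	return ALE(r) - ALE(Residual(r, c)) - c.AnnualCost
}

// GordonLoebCap bounds worthwhile spending on a risk at 1/e (about 37%) of
// the expected loss v*L. Assumption: v is the ARO capped at 1, L is the SLE.
func GordonLoebCap(r Risk) float64 {
	return math.Min(r.AnnualRate, 1) * SLE(r) / math.E
}

type Decision string

const (
	Accept   Decision = "accept"
	Mitigate Decision = "mitigate"
	Transfer Decision = "transfer"
)

// Treat applies the treatment options described above: accept within
// appetite, mitigate with the control of greatest positive net benefit,
// transfer when insurance costs less than the expected loss, else accept
// and record the residual risk.
func Treat(r Risk, options []Control, appetite, premium float64) (Decision, string) {
	if ALE(r) <= appetite {
		return Accept, "within risk appetite"
	}
	best, bestGain := "", 0.0
	for _, c := range options {
		if g := NetBenefit(r, c); g > bestGain {
			best, bestGain = c.Name, g
		}
	}
	if best != "" {
		return Mitigate, best
	}
	if premium > 0 && premium < ALE(r) {
		return Transfer, "insurance"
	}
	return Accept, "no cost-effective control; carried as residual risk"
}

// Constructed sample register; the figures are illustrative, not real data.
var (
	Ransomware = Risk{"customer database", "ransomware", 2_000_000, 0.5, 0.2}
	Defacement = Risk{"marketing website", "defacement", 50_000, 0.2, 1}
	Flood      = Risk{"office building", "flood", 5_000_000, 0.3, 0.05}

	RansomwareControls = []Control{
		{"offline backups", 30_000, 0.1, 0.2},
		{"endpoint detection", 80_000, 0.5, 0.05},
	}
	FloodControls = []Control{{"flood barriers", 100_000, 0.1, 0.05}}
)

func main() {
	const appetite = 25_000 // largest ALE the business accepts without action
	rows := []struct {
		r       Risk
		opts    []Control
		premium float64
	}{{Ransomware, RansomwareControls, 0}, {Defacement, nil, 0}, {Flood, FloodControls, 20_000}}
	for _, x := range rows {
		d, why := Treat(x.r, x.opts, appetite, x.premium)
		fmt.Printf("%-18s %-11s ALE=%9.0f GL cap=%8.0f -> %s (%s)\n",
			x.r.Asset, x.r.Threat, ALE(x.r), GordonLoebCap(x.r), d, why)
	}
}
```

Running it shows the ransomware risk mitigated with offline backups (the cheaper control also sits under the Gordon-Loeb cap of about 73,576, whereas the 80,000 endpoint option exceeds it), the defacement risk accepted as within appetite, and the flood risk transferred because the only control costs more than the loss it prevents while insurance does not.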
6 Security classification for information
An important aspect of information security and risk management is recognizing the value of information and defining appropriate procedures and protection requirements for it. Not all information is equal, so not all information requires the same degree of protection. This requires information to be assigned a security classification.
The first step in information classification is to identify a member of senior management as the owner of the particular information to be classified. Next, develop a classification policy. The policy should describe the different classification labels, define the criteria for information to be assigned a particular label, and list the required security controls for each classification.
Some factors that influence which classification information should be assigned include how much value the information has to the organization, how old the information is and whether or not it has become obsolete. Laws and other regulatory requirements are also important considerations when classifying information.
The Business Model for Information Security enables security professionals to examine security from a systems perspective, creating an environment where security can be managed holistically and actual risks addressed.
The information security classification labels selected and used will depend on the nature of the organization. Examples:
In the business sector, labels such as: Public, Sensitive, Private, and Confidential.
In the government sector, labels such as: Unclassified, Sensitive But Unclassified, Restricted, Confidential, Secret, Top Secret and their non-English equivalents.
In cross-sectoral formations, the Traffic Light Protocol, which consists of: White, Green, Amber, and Red.
All employees in the organization, as well as business partners, must be trained on the classification schema and understand the required security controls and handling procedures for each classification. The classification assigned to a particular information asset should be reviewed periodically to ensure that it is still appropriate for the information and that the security controls required by the classification are in place and being followed.
7 Security governance
The Software Engineering Institute at Carnegie Mellon University, in a publication titled "Governing for Enterprise Security (GES)", defines characteristics of effective security governance. These include:
An enterprise-wide issue
Leaders are accountable
Viewed as a business requirement
Risk-based
Roles, responsibilities, and segregation of duties defined
Addressed and enforced in policy
Adequate resources committed
Staff aware and trained
A development life cycle requirement
Planned, managed, measurable, and measured
Reviewed and audited
Copyright © 2018-2023 BrainKart.com; All Rights Reserved. Developed by Therithal info, Chennai.