The InfoSec Handbook

Part II Key Principles and Practices

This section discusses the key principles and practices related to information security.

Chapter 3, “Key Concepts and Principles,” starts by explaining that every organization exists to achieve its objectives. In this regard, we mention that information security has to be implemented with an organization's business objectives and business requirements in mind: information technology has to enable information security, which in turn protects the business, its customers, its partners, and its systems, including its people, infrastructure (including its networks), and applications. We then highlight that information security refers to the processes and methodologies designed to protect sensitive information or data from unauthorized access, use and misuse, disclosure, modification, destruction, or disruption. We also mention that it has to ensure the validity and genuineness of information and the rejection of false information. We then highlight that over the years information security has moved from primarily physical security to network security, software security, and human/personnel security.

We then elaborate upon various threats with examples and differentiate between internal and external threats. We also categorize the threats under each of the layers of security. We then explain the layers in the layered approach to information security, including the host/platform security layer, network security layer, application security layer, access control layer, and physical security layer. We discuss how each layer complements the others and highlight some of the significant issues pertaining to each layer.

We then look into the security frameworks provided by various standards, models, or methodologies: ISO 27001:2013 (Information Security Management Systems Requirements); NIST Special Publication 800-39 (Managing Information Security Risk: Organization, Mission, and Information System View), complemented by SP 800-53 Revision 4 (Security and Privacy Controls for Federal Information Systems and Organizations); and SABSA©. We explore each of these in detail. We then look into the pillars of information security (policies and processes, people, and technology). Under the pillar “People” we highlight how the organization of information security has to be carried out, the need for independence among various roles, the clear definition of specific roles and responsibilities related to information security, and the authority for information security enforcement. We similarly highlight some of the important aspects to be borne in mind under the pillars “Policies & Processes” and “Technology.”

We then discuss in detail the confidentiality, integrity, and availability aspects of information security as per the traditional CIA triad. Further, we explore complementary aspects like possession or control, authenticity, and utility, and highlight some of the subtle variations with respect to integrity and availability as put forward by the Parkerian Hexad. Finally, we elaborate upon the typical implementation cycle of information security and then explain some of the key principles of information security as specified by NIST.

In Chapter 4, “Access Control,” we mention at the outset that any type of access to information needs to be protected, whether physical (accessing CPUs and hard disks) or logical (accessing the system directly or remotely). We then mention that access control has two components: authentication and authorization. Authentication verifies the identity of a user or host accessing the system or network resource. Authorization permits or restricts access to the information based on the type of user and their role: employee, contractor, administrator, or manager. We then highlight how access control provides for the confidentiality and integrity of data.

We then mention that access controls are security features that control access to systems and resources in the network. The goal of access control is to protect information from being lost, stolen, deleted, or modified, either intentionally or accidentally, by those who are not authorized to access it. Next, we discuss three types of access control: network access, system access, and data access. Three layers of access control, administrative controls, technical controls, and physical controls, are discussed in detail. Under administrative controls we discuss access control policies; personnel-related jobs, responsibilities, and authorities; segregation of duties; supporting policies and procedures; and control over information access for trade-restricted persons. Technical (logical) controls include passwords, smartcards, encryption, network access, and system access. Physical controls include network segregation, perimeter security, security guards, badge systems, and biometric access controls. Then we explore various access control strategies, including discretionary access control, mandatory access control, role-based access control, and attribute-based access control. Finally, we discuss how effective implementation of access controls is ensured through access control lists; the AAA framework, including RADIUS and TACACS+; LDAP and Active Directory; and IDAM.
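As an added illustration (not from the book), the following Python sketch evaluates one constructed access request under each of the four strategies named above, showing that an owner's discretionary ACL grant does not override a mandatory classification check; all subjects, resources, and permissions are constructed sample data.

```python
from dataclasses import dataclass

# Constructed sensitivity ordering for mandatory access control labels.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}

@dataclass
class Subject:
    name: str
    roles: set
    clearance: str   # MAC: label assigned by the system, not by the user
    dept: str        # ABAC: subject attribute

@dataclass
class Resource:
    owner: str
    acl: dict            # DAC: owner-maintained {user: {actions}}
    classification: str  # MAC: label the owner cannot lower
    dept: str            # ABAC: resource attribute

# RBAC: permissions attach to roles, and users are assigned roles.
ROLE_PERMS = {
    "employee": {"read"},
    "manager": {"read", "approve"},
    "administrator": {"read", "write", "delete"},
}

def dac(s, r, action):
    # Discretionary: whatever the owner put in the ACL decides.
    return action in r.acl.get(s.name, set())

def mac(s, r, action):
    # Mandatory: "no read up" label check, independent of the owner's wishes.
    return action == "read" and LEVELS[s.clearance] >= LEVELS[r.classification]

def rbac(s, r, action):
    return any(action in ROLE_PERMS.get(role, set()) for role in s.roles)

def abac(s, r, action):
    # Attribute-based: a policy rule over subject and resource attributes.
    return action == "read" and s.dept == r.dept

def decide(s, r, action):
    """Return each strategy's verdict for the same request."""
    return {m.__name__: m(s, r, action) for m in (dac, mac, rbac, abac)}

# Constructed request: an internal-clearance employee reads a confidential report.
alice = Subject("alice", {"employee"}, "internal", "finance")
report = Resource("bob", {"alice": {"read"}}, "confidential", "finance")

if __name__ == "__main__":
    print(decide(alice, report, "read"))   # owner allowed it, MAC still denies
    print(decide(alice, report, "write"))  # no strategy grants write
```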

In Chapter 5, “Information Systems Management,” we discuss that in order to ensure information security we need to act proactively. When proactive measures do not stop breaches, we need to react to them effectively and efficiently, and when breaches cannot be avoided we need to recover the business as fast as possible so as to provide continued services to customers, or even to offer continued services during the breaches, even if at a reduced level.

Risk management, when applied with the right intention, the right methodology, the involvement of the right people, the right thinking, and effective execution of the resulting actions, provides a reasonably good proactive approach and a high chance of avoiding information security breaches or incidents. In spite of being proactive, we cannot be assured that security breaches will not happen, as this evolving world provides many opportunities and ways to breach a system. Incident response provides the reactive counterpart, ensuring that breaches are handled, contained, and recovered from effectively. Even with effective risk management and incident response in place, you cannot rest assured of business continuity or speedy recovery when the organization is affected by severe security breaches or disasters. Hence, there is a great need for an effective disaster recovery and business continuity system, which is both a proactive and a reactive system, to ensure that the business can still continue in spite of disasters or severe security incidents and that there is a high probability of speedy recovery. We define in lay terms the important terms risk, incident, disaster, disaster recovery, and business continuity.

We then explain how to carry out effective risk management. We then describe how incident response mechanisms are effectively implemented by the organization. We further explore the disaster recovery and business continuity plans, their essential contents, and how they need to be validated, tested, and maintained.
