Log in / Register
Home arrow Computer Science arrow The InfoSec Handbook
< Prev   CONTENTS   Next >

Chapter 3 Key Concepts and Principles


Every organization or enterprise exists to achieve its objectives, both business objectives and social objectives.

Its existence or continued existence is of no use unless it is able to achieve its objectives. For the continued existence of any organization, information security has become a non-negotiable necessity. However, the acceptability for information security is very low in an organization because of its arbitrary implementation. Information security will be appreciated by everybody if it is implemented, keeping in mind an organization's business objectives and business requirements. Furthermore, information technology has to enable information security which, in turn, will protect its business, customers, partners, and systems, such as its people, infrastructure (including its networks), and applications. This in turn means that all the strategies of the organization – business strategies, IT strategies, and information security strategies – have to complement each other and are to be balanced.

Information security refers to the processes and methodologies that are designed to protect sensitive information or data from unauthorized access, use and misuse, disclosure, modification, destruction, or disruption. In addition, it also covers the validity or genuineness of the information and rejection of false information received from others. The terms “information security,” “computer security,” “data security,” and “information assurance” are frequently used interchangeably. Though there are subtle differences between these different terms, their common goal is to protect the Confidentiality, Integrity, and Availability (CIA) of data.

The objective of information security is to protect information and its critical assets including people, systems, and hardware that use or process, store, and transmit the data. To protect the information and its related systems, organizations have technology and tools, policies and processes, and also the necessary training and awareness programs, and also rewards for abiding by the security policies and processes and penalties for any security breaches. Many organizations have disciplinary processes instituted that consider and investigate the security breaches.

Intentional security breaches normally lead to the termination of the employee / contractor or disengagement of the supplier. Unintentional or accidental security breaches may be considered leniently but organizations should still warn the employees in such cases. Reporting of the security breaches or incidents is appreciated by many organizations and is rewarded in kind or cash.

The requirements of information security have undergone major changes in the last few decades. Before the widespread use of computers and the Internet, information security was primarily restricted to physical access, such as a guarded room and locked security cabinets to store sensitive confidential information. With technological

innovations and the introduction of computers and TCP/IP communication, automated tools became a necessity for protecting data stored on a computer system. The need for computer security became even more evident with the advent of the Internet where the systems and data are accessed and transmitted over the public telephone and data network. Physical Security is still a significant part of any security system and cannot be ignored as it is an important line of defense for most organizations. Hardware Security can be primarily considered under Physical Security, even though some of the components of the hardware can be considered under other securities such as Network Security.

TCP/IP is the underlying protocol for computer communication that facilitates distributed connectivity and communication facilities for sharing data between two computers present at different locations. TCP/IP is the underlying protocol that resulted in the invention of the Internet and the World Wide Web (WWW). As information is now being shared by millions of users on the Internet, Network Security became extremely essential to protect the data that is being transmitted and guarantee that the data is not tampered with during the transmission.

Communications Security, that is, securing communications through the use of various mechanisms, can be considered broadly as a part of Network Security. Secure routing mechanisms, secure session mechanisms, and secure encryption mechanisms may be considered as part of Communications Security.

Another important layer of security is Software Security, which broadly deals with the Operating System Security, the Application Security, and the security of software utilities/tools, including the security of tools used to provide information security. Operating systems provide many of the functionalities required for the servers and computers to work effectively, including communication capabilities with other systems, processing of information, and effective functioning of applications. Recently, with the increased use of mobile phones and tablets (which are also used for significant official work) and with such diverse operating systems like Android, iOS, Symbian, and BlackBerry, many more possible security issues have opened up. Recent years have also seen a huge growth in the number of applications developed and deployed on these products. It is not yet clear to what extent secure practices are being used during their design, development, and deployment. As seen in practice, secure design, development, and deployment is lagging behind significantly, even on stable and best in class operating systems, thus opening up several avenues for security flaws and providing entry points for malicious attackers. This may also provide unintended entry points for the insiders with malicious intent.

Human or personnel security is another important layer. Keeping personnel motivated, making them aware of the information security risks, and involving them in the implementation of the same is an important aspect of information security which cannot be forgotten at any cost. Employees (permanent or temporary), contractors, and suppliers are all significant in this regard.

All of the important layers that have been discussed (supported by policies, procedures, and processes to plan, implement, monitor, audit, detect, correct, and change of any of the components of all the above layers) constitute a layered approach to information security. Appropriate coordination between the various layers, and the distribution of risks and opportunities to different layers, will vary, depending on the cost effectiveness and ease of use, and the impact on the efficiency and effectiveness of information security.

Figure 3-1 illustrates the context diagram of various layers of information security interacting with each other and providing a robust security architecture.

An effective Information Security Architecture should consider all the layers without omitting any of them. It should also consider the effectiveness and have an integrated view of all of them, rather than a secluded and narrow view of any one business, unit, equipment, component, tool, or utility. Before beginning the discussion of an effective Information Security Architecture, we will look into various threats that are normally considered under these layers.

Found a mistake? Please highlight the word and press Shift + Enter  
< Prev   CONTENTS   Next >
Business & Finance
Computer Science
Language & Literature
Political science