Menu
Home
Log in / Register
 
Home arrow Computer Science arrow The InfoSec Handbook
< Prev   CONTENTS   Next >

Information Security Concepts

What constitutes information security? What are we protecting through information security? This requires sufficient consideration if the field of information security is to be better understood. The following discussion sheds light on the important aspects or constituents of information security.

CIA Triad

The compromise of information security is one of the biggest issues faced by the IT and IT enabled industry, which is almost every industry these days. Some of the scenarios of the possible compromise of information security are depicted in Figure 3-6. Figure 3-7 depicts one of the important models of information security popularly known as CIA Triad.

Figure 3-6. The compromise of information security

Figure 3-7. CIA triad

Note


as mentioned in the introduction to this chapter, the Cia triad is one of the most important models of information security which specifies the important properties or characteristics of information assets, without which, an understanding of information security is not possible. however, the importance of the Cia triad has increased in recent years because of the way we input, transfer, or store the information. Mainly, “confidentiality” has taken a bigger beating compared to the other properties.

Traditional definitions/views on “confidentiality”, “integrity,” and “availability” came from the National Institute of Standards and Technology (NIST)/U.S.Code and are the most referred and used ones. However, if you look at the definitions from various organizations or standards organizations active in the field of information security, you will be quick to realize that each definition varies from the other and hence, these definitions may not be all pervasive and comprehensive. Some of the popular definitions are reviewed in the following sections.

Confidentiality

Some information is secret, sensitive, or needs to be restricted as a disclosure to unintended sources can create such things as the compromise of a nation's security or strategic installations, the loss of business opportunities,

a first mover advantage, intellectual property rights, and privacy. Such information is considered in general terms as “confidential” and needs to be protected zealously by appropriate authorization or restrictions. Consider the following scenarios to fully understand:

• You have decided on a business strategy to counter a competitor and it is leaked to others accidentally or by an aggrieved senior management person who just left the organization.

• You have innovated a new technological idea and want to patent it. But, before you patent it, the same idea is copied by someone and further passed on to someone else and is patented by them instead.

• The patient information and medical records of the patients you have stored have been stolen and made public.

• You find that one of the administrative passwords is compromised and significant data of confidential nature has been stolen.

Chapter 44, Title 35, Subchapter III, and Section 3542 of the U.S.C. defines “confidentiality” as “preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. [NIST SP 800-100]”.6

Information security management systems – overview and vocabulary (ISO/IEC 27000:2014) defines “confidentiality” as “property that information is not made available or disclosed to unauthorized individuals, entities, or processes”.7

Integrity

Information is useful and reliable only if it is accurate and not modified against the intentions wanted of the originator. “Integrity” needs to be protected appropriately by means such as appropriate authentication, routing protocols, appropriate configuration of systems, and application security. Consider the following scenarios to understand:

• You have received a letter purported to be from a customer company and they have sought some important information to be divulged to one of their suppliers. You find something fishy in the letter and upon investigation, you find that the letter was fake and originated by a supplier company and not by the customer company.

• You divulged critical, confidential information about the strategy of your competitor company, purported to be leaked by one of their employees, but you find that it was conveyed to you in a misleading way in order for you to make the wrong decision.

• You were given the correct information, but only a portion of it, whereas the other portion of the information which was crucial if you would have been told would have given you an entirely different perspective on the matter.

Chapter 44, Title 35, Subchapter III, and Section 3542 of the U.S.C. defines “integrity” as “guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity [NIST SP 800-100]”.6

Information security management systems – overview and vocabulary (ISO/IEC 27000:2014) defines “integrity” as “property of protecting the accuracy and completeness of assets”.7

Availability

Information today is stored in systems, databases, storage units, or, most recently, on the Cloud. In today's fast-paced world where opportunities can be lost fast and the speed of decision making is important, the availability of crucial information at all times has become necessary. Consider the following scenarios to understand this concept:

• You are required to send an important note to your customer and you find that your e-mail system or Internet is not responding.

• You are required to carry out certain work and your reference documents are in a particular database and the particular database is down for technical reasons.

• You are required to initiate an important request through one of your applications and you find that the application is not responding.

Chapter 44, Title 35, Subchapter III, of Section 3542 of the U.S.C. defines “availability” as “ensuring timely and reliable access to and the use of information. [NIST SP 800-100]”.6

Information security management systems – overview and vocabulary (ISO/IEC 27000:2014) defines “availability” as “property of being accessible and usable upon demand by an authorized entity”.7

For information security to be complete and the organizations or individuals to be protected, it is necessary that all three properties or aspects are to be ensured. Emphasizing only one at the cost of others may lead to the reduced efficiency and effectiveness of any organization.

 
Found a mistake? Please highlight the word and press Shift + Enter  
< Prev   CONTENTS   Next >
 
Subjects
Accounting
Business & Finance
Communication
Computer Science
Economics
Education
Engineering
Environment
Geography
Health
History
Language & Literature
Law
Management
Marketing
Philosophy
Political science
Psychology
Religion
Sociology
Travel