Information Security – An Overview of General Concepts

Information Security – The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.

– Definition of Information Security from the glossary of the U. S. Computer Security Resource Center

Why we need to protect information

Information and information systems help us to store and process information and distribute the right type of information to the right type of user at the right time. This sort of protection helps protect information from unauthorized access, distribution, and modification. Thus, it is evident that information is an asset and needs to be protected from internal and external resources.

CIA triangle

The CIA triad is a commonly used model for the requirements of information security.  CIA stands for confidentiality, integrity, and availability. These principles help in protecting information in a secured manner, and thereby safeguard the critical assets of an organization by protecting against disclosure to unauthorized users (confidentiality), improper modification (integrity) and non-access when access is required (availability).

Here, we’ll look at each of these concepts in more detail.

Confidentiality

Confidentiality helps to ascertain whether information is to be kept secret or private by employing mechanisms, such as encryption, which will render the data useless if accessed in an unauthorized manner. The necessary level of secrecy is enforced, and unauthorized disclosure is prevented.

Integrity

Integrity deals with the provision of accuracy and reliability of the information and systems. Information should be prevented from modification in an unauthorized manner by providing the necessary safety measures for timely detection of unauthorized changes.

Availability

Availability ensures that information is available when it is needed. Reliable and timely access to data and resources is provided to authorized individuals. This can be accomplished by implementing tools ranging from battery backup at a data center to a content distribution network in the cloud.

Balanced security

It is impossible to obtain perfect information security. Information security is a process, not a goal. It is possible to make a system available to anyone, anywhere, anytime through any means. However, such unrestricted access posses a danger to the security of the information.

On the other hand, a completely secure information system would not allow anyone to access information. To achieve balance, operate an information system that satisfies the user and the security professional – the security level must allow reasonable access, yet protect against threats.

Security Concepts

Vulnerabilities, Threats, and Risks. Security is often discussed in terms of vulnerabilities, threats, and risks.

Vulnerability

A vulnerability is a security weakness, such as an unpatched application or operating system, an unrestricted wireless access point, an open port on a firewall, lax physical security that allows anyone to enter a server room, or unenforced password management on servers and workstations.

Threat

A threat  occurs when someone identifies a specific vulnerability and uses it against a company or individual, thereby taking advantage of the vulnerability. A threat agent could be an intruder accessing the network through a port on the firewall, a process accessing data in a way that violates the security policy, or an employee circumventing controls in order to copy files to a medium that could expose confidential information.

Risk

A risk is the likelihood of a threat agent exploiting a vulnerability and the corresponding business impact.

If a firewall has several ports open, there is a higher risk that an intruder will use one to access the network in an unauthorized method.

If users are not educated on processes and procedures, there is a risk that an employee will make an unintentional mistake that may destroy data.

If an Intrusion Detection System (IDS) is not implemented on a network, there is a higher risk an attack will go unnoticed until its too late.

Exposure

Exposure is an instance of data being exposed. If users’ passwords are exposed they may be accessed and used in an unauthorized manner.

Countermeasure

Countermeasures are put into place to mitigate potential risks. A countermeasure may be a software configuration, a hardware device, or a procedure that eliminates a vulnerability or that reduces the chances a threat agent will be able to exploit a vulnerability. Examples of countermeasures are strong password management, firewalls, security guards, access control mechanisms, encryption and security awareness training.

Security Governance

Information security governance is the collection of practices related to supporting, defining, and directing the security efforts of an organization. Security governance is closely related to and often intertwined with enterprise and IT governance.

 

This article was written by Catherin S. 

References

https://csrc.nist.gov/glossary/term/information_security

Devopedia. 2020. “Information Security Principles.” Version 4, July 21. Accessed 2021-03-28. https://devopedia.org/information-security-principles

Maymi, F., & Harris, S. (2018). CISSP All-In-One Exam Guide, Eighth Edition. McGraw-Hill Education.

Vi Minh Toi. (2016, September 10). Security Risk Management, Tough Path to Success. Retrieved from https://www.slideshare.net/sbc-vn/vi-minh-toi-security-risk-management-tough-path-to-success