What Is Information Security: Confidentiality Integrity Availability

Information security aims to preserve the confidentiality, integrity and availability of data. It involves protecting confidential business and personal information from unauthorized access or modification. The main components of information security are access controls, identification and authentication, authorization, privacy, non-repudiation, software, hardware, data, people, procedures and networks. Breaches can damage businesses through loss of customers, lawsuits or bankruptcy if confidential data is compromised.

Uploaded by FLEXCODEC TECH

What Is Information Security

Information security is the preservation of confidentiality, integrity and availability of data regardless of the form it may take: electronic, print, or other forms.

Governments, military, financial institutions, hospitals, and private businesses amass a great deal of confidential information about their employees, customers, products, research, and financial status. Most of this information is now collected, processed and stored on electronic computers and transmitted across networks to other computers.
Consequences of an Information Security Breach
Should confidential information about a business's customers, finances or new product line fall into the hands of a competitor, such a breach of security could lead to lost business, lawsuits or even bankruptcy of the business.

Protecting confidential information is a business requirement, and in many cases also an ethical
and legal requirement. For the individual, information security has a significant effect on privacy,
which is viewed very differently in different cultures.
CONFIDENTIALITY
Confidentiality is the property of preventing disclosure of information to
unauthorized individuals or systems.
For example, a credit card transaction on the Internet requires the credit
card number to be transmitted from the buyer to the merchant and from the
merchant to a transaction processing network.
The system attempts to enforce confidentiality by encrypting the card
number during transmission, by limiting the places where it might appear
(in databases, log files, backups, printed receipts, and so on), and by
restricting access to the places where it is stored. If an unauthorized party
obtains the card number in any way, a breach of confidentiality has
occurred.
Other examples of Confidentiality
• Permitting someone to look over your shoulder at your
computer screen while you have confidential data displayed
on it could be a breach of confidentiality.
• If a laptop computer containing sensitive information about
a company's employees is stolen or sold, it could result in a
breach of confidentiality.
• Giving out confidential information over the telephone is a
breach of confidentiality if the caller is not authorized to
have the information.
INTEGRITY

Integrity is the assurance that information has not been corrupted, degraded or undergone
unauthorized modifications. In information security, integrity means that data cannot be modified
without authorization. Integrity is violated when an employee (accidentally or with malicious
intent) deletes important data files, when a computer virus infects a computer, when an employee
is able to modify his own salary in a payroll database, when an unauthorized user vandalizes a
web site, when someone is able to cast a very large number of votes in an online poll, and so on.
Examples of Integrity Breaches
• When an employee (accidentally or with malicious
intent) deletes important data files,
• when a computer virus infects a computer,
• when an employee is able to modify his own salary
in a payroll database, when an unauthorized user
vandalizes a web site,
• when someone is able to cast a very large number
of votes in an online poll, and so on.
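Two of the integrity violations listed above, a deleted data file and a salary changed in a payroll database, can be detected by keeping an authenticated manifest of the records. The following added example, not taken from the slides, computes an HMAC-SHA256 tag over the canonical JSON form of each record and later reports every record that was modified, deleted or added since the manifest was taken. The payroll records, the tampered copy and the key are constructed for the example. The key has to be held by someone other than the users who can write the records; if a user who can change a salary also knows the key, they can simply recompute the tag.

```python
import hashlib
import hmac
import json

# Constructed sample data: the original payroll and a tampered copy.
KEY = b"constructed-demo-key-keep-this-out-of-the-payroll-clerk's-hands"
PAYROLL = {"alice": {"salary": 5000}, "bob": {"salary": 4800}}
TAMPERED_PAYROLL = {"bob": {"salary": 9800}, "mallory": {"salary": 7000}}


def _canonical(value) -> bytes:
    """Serialize a record deterministically so equal records always hash the same way."""
    return json.dumps(value, sort_keys=True, separators=(",", ":")).encode()


def make_manifest(key: bytes, records: dict) -> dict:
    """Return {record_name: hex HMAC-SHA256 tag} for every record."""
    return {
        name: hmac.new(key, _canonical(value), hashlib.sha256).hexdigest()
        for name, value in records.items()
    }


def verify_manifest(key: bytes, records: dict, manifest: dict) -> dict:
    """Compare the current records against a stored manifest.

    Returns {record_name: "modified" | "deleted" | "added"}; an empty dict means intact.
    """
    problems = {}
    fresh = make_manifest(key, records)
    for name, stored_tag in manifest.items():
        if name not in fresh:
            problems[name] = "deleted"
        elif not hmac.compare_digest(fresh[name], stored_tag):  # constant-time compare
            problems[name] = "modified"
    for name in fresh:
        if name not in manifest:
            problems[name] = "added"
    return problems


def demo() -> dict:
    """Take a manifest of the original payroll and check the tampered copy against it."""
    manifest = make_manifest(KEY, PAYROLL)
    return verify_manifest(KEY, TAMPERED_PAYROLL, manifest)


if __name__ == "__main__":
    print(demo())   # {'alice': 'deleted', 'bob': 'modified', 'mallory': 'added'}
```

The same pattern works for files on disk: hash each file's contents instead of a JSON record and store the manifest where the users being checked cannot write to it.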
AVAILABILITY

• For any information system to serve its purpose, the information must
be available when it is needed.
• This means that the computing systems used to store and process the
information, the security controls used to protect it, and the
communication channels used to access it must be functioning
correctly.
• High availability systems aim to remain available at all times,
preventing service disruptions due to power outages, hardware
failures, and system upgrades. Ensuring availability also involves
preventing denial-of-service attacks.
Ensuring Security in a System: Requirements

These include:
Access,
Identification,
Authentication,
Authorization,
Privacy and
Non-Repudiation
ACCESS is the ability to permit or deny the use of an information asset, resource or facility.
IDENTIFICATION
Identification mechanisms allow users to identify themselves to a resource. They provide no
proof of identity; they merely provide the means for a user to profess her identity.
AUTHENTICATION
Authentication takes identification to the next level: It allows a user to prove his identity to the
satisfaction of the resource. Authentication is the process of verifying an identity. There are
three main factors of authentication.
AUTHORISATION
After a user has identified herself and has satisfied any applicable authentication mechanisms,
the system must have some means of deciding what level of access to grant her. This process is
known as authorization, and it controls the exact privileges granted to system users.
ACCESS CONTROL

The goal of effective access control is to ensure that the right people have access to the right things,
based on their job function and placement in the organization, the principles and policies of least-privilege
access and separation of duties, and the assignment of roles to each business process.
Three types of access control can be implemented. These are administrative, logical and physical
controls.
Administrative controls (also called procedural controls) consist of written policies, procedures,
guidelines and standards, which form the framework for running the business and managing the people.
Logical controls (also called technical controls) use software and data to monitor and control access
to information and computing systems. For example: passwords, network and host based firewalls,
network intrusion detection systems, access control lists, and data encryption are logical controls.
Physical controls monitor and control the environment of the work place and computing facilities.
They also monitor and control access to and from such facilities. For example: doors, locks, heating
and air conditioning, smoke and fire alarms, fire suppression systems, cameras, barricades, fencing,
security guards, cable locks, etc.
The Principle of Least Privilege

• An important logical control that is frequently overlooked is the
principle of least privilege.
• The principle of least privilege requires that an individual, program
or system process is not granted any more access privileges than are
necessary to perform the task.
• A blatant example of the failure to adhere to the principle of least
privilege is logging into Windows as user Administrator to read Email
and surf the Web.
• Violations of this principle can also occur when an individual collects
additional access privileges over time.
The Separation of Duties
• An important physical control that is frequently overlooked
is the separation of duties.
• Separation of duties ensures that an individual cannot
complete a critical task by himself.
• For example: an employee who submits a request for
reimbursement should not also be able to authorize payment
or print the check. An applications programmer should not
also be the server administrator or the database administrator
- these roles and responsibilities must be separated from one
another.
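The reimbursement example above combines both principles: least privilege decides which actions a role may perform at all, and separation of duties prevents one person from performing two conflicting actions on the same request even when they happen to hold both roles. The following added example, which is not from the slides, implements both checks in a small authorization function. The role names, permission strings and the conflicting-duty pairs are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed role-to-permission map for a reimbursement workflow.
ROLE_PERMISSIONS = {
    "employee": {"reimbursement:submit"},
    "approver": {"reimbursement:approve"},
    "treasury": {"reimbursement:print_check"},
}

# Pairs of actions one person must never perform on the same request.
CONFLICTING_DUTIES = {
    frozenset({"reimbursement:submit", "reimbursement:approve"}),
    frozenset({"reimbursement:submit", "reimbursement:print_check"}),
    frozenset({"reimbursement:approve", "reimbursement:print_check"}),
}


@dataclass
class Request:
    request_id: int
    history: list = field(default_factory=list)   # (user, action) pairs already performed


def permissions_for(roles) -> set:
    """Union of the permissions granted by the user's roles; unknown roles grant nothing."""
    perms = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def authorize(user: str, roles, action: str, request: Request):
    """Return (allowed, reason); on success the action is recorded in the request history."""
    # Least privilege: deny anything the user's roles do not explicitly grant.
    if action not in permissions_for(roles):
        return False, "denied: role lacks permission"
    # Separation of duties: deny if this user already did a conflicting action on this request.
    for prev_user, prev_action in request.history:
        if prev_user == user and frozenset({prev_action, action}) in CONFLICTING_DUTIES:
            return False, f"denied: separation of duties ({prev_action} then {action})"
    request.history.append((user, action))
    return True, "allowed"


def demo() -> list:
    """Walk one request through the workflow and return the allow/deny decisions in order."""
    req = Request(42)
    alice_roles = {"employee", "approver"}     # holds both roles, so SoD must do the work
    return [
        authorize("alice", alice_roles, "reimbursement:submit", req)[0],        # True
        authorize("alice", alice_roles, "reimbursement:approve", req)[0],       # False: SoD
        authorize("bob", {"approver"}, "reimbursement:approve", req)[0],        # True
        authorize("bob", {"approver"}, "reimbursement:print_check", req)[0],    # False: no permission
        authorize("carol", {"treasury"}, "reimbursement:print_check", req)[0],  # True
    ]


if __name__ == "__main__":
    print(demo())   # [True, False, True, False, True]
```

Note that the separation-of-duties check is per request: it is the same person acting twice on one transaction that is the problem, not the person holding two roles, which is why the check uses the request history rather than the role set.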
NON-REPUDIATION

Non-repudiation means ensuring that a transferred message has been sent and received by the parties claiming to have sent and received the message. Non-repudiation is a way to guarantee that the sender of a message cannot later deny having sent the message and that the recipient cannot deny having received the message.
Managing the requirement involves:

Accountability is the ability to positively identify the individual who is responsible for a specific action.
Responsibility is a matter of policy and determines who will receive disciplinary action.
Awareness is the process of making users understand the implications of security for their ability to perform their job. It includes the importance of security, the use of security measures, and the process for reporting security violations.
Administration is the broad term covering the effort required to manage the security of the information system.
Components of an Information System

• Software
• Hardware
• Data
• People
• Procedures
• Networks
SOFTWARE

• The software component of the IS comprises applications, operating
systems, and assorted command utilities.
• Software is perhaps the most difficult IS component to secure. The
exploitation of errors in software programming accounts for a substantial
portion of the attacks on information.
• Software programs are the vessels that carry the lifeblood of information
through an organization. Unfortunately, software programs are often created
under the demanding constraints of project management, which limit time,
cost, and manpower.
• Information security is all too often implemented as an afterthought rather
than developed as an integral component from the beginning. In this way,
software programs become an easy target of accidental or intentional attacks.
HARDWARE
• Hardware is the physical technology that houses and executes the software, stores
and carries the data, and provides interfaces for the entry and removal of information
from the system.
• Physical security policies deal with hardware as a physical asset and with the
protection of these physical assets from theft.
• Applying the traditional tools of physical security, such as locks and keys, restricts
access to and interaction with the hardware components of an information system.
• Securing the physical location of computers and the computers themselves is
important because a breach of physical security can result in loss of information.
• Unfortunately, most information systems are built on hardware platforms that cannot
guarantee any level of information security if unrestricted access to the hardware is
possible
DATA
• Data stored, processed, and transmitted through a computer system
must be protected.
• Data is often the most valuable asset possessed by an organization and
it is the main target of intentional attacks.
• Systems developed in recent years are likely to have been created to
make use of database management systems. When done properly, this
should improve the security of the data and the application.
• Unfortunately, many system development projects are not done in
ways that make use of the database management system’s security
capabilities, and in some cases, the database is implemented in ways
that are less secure than traditional file systems.
PEOPLE
Though often overlooked in computer security considerations, people have always been a threat to
information security.
People can be the weakest link in an organization's information security program.
And unless policy, education and training, awareness, and technology are properly employed to prevent
people from accidentally damaging or losing information, they will remain the weakest link.
Social engineering can prey on the tendency to cut corners and the commonplace nature of human error. It can
be used to manipulate the actions of people to obtain access to information about a system.
PROCEDURES
• Procedures are written instructions for accomplishing a specific task.
• When an unauthorized user obtains an organization’s procedures, this poses a
threat to the integrity of the information.
• For example, a consultant to a bank learned how to wire funds by using the
computer center’s procedures, which were readily available. By taking
advantage of a security weakness (lack of authentication), this bank
consultant ordered millions of dollars to be transferred by wire to an
unauthorized account. Lax security procedures caused the loss of over ten
million dollars before the situation was corrected.
• Most organizations distribute procedures to their legitimate employees; safeguarding the
procedures is as important as securing the information system.
• After all, procedures are information in their own right. Therefore,
knowledge of procedures, as with all critical information, should be
disseminated among members of the organization only on a need-to-know
basis.
NETWORKS
• The IS component that created much of the need for increased computer and
information security is networking.
• When information systems are connected to each other to form Local Area Networks
(LANs), and these LANs are connected to other networks such as the internet, new
security challenges rapidly emerge.
• The physical technology that enables network functions is becoming more and more
accessible to organizations of every size. Applying the traditional tools of physical
security, such as locks and keys, to restrict access to and interaction with the hardware
components of an information system are still important; but when computer systems
are networked, this approach is no longer enough.
• Steps to provide network security are essential, as is the implementation of alarm and
intrusion systems to make system owners aware of ongoing compromises.
POLICIES, STANDARDS AND PROCEDURES

In managing security, policies, standards and procedures are used. The top
level policy involves
• Broad statement of intent
• Defines responsibility explicitly
• Must acknowledge individual accountability
• Culture-dependent
• Must cover appropriate use
• Must be enforced
 
As a policy, information custodians are responsible for providing a safe and secure processing
environment in which information can be maintained with integrity.
Standards versus Procedures
Standards describe what to do and not how to do it, whilst procedures spell out the step-by-step
specifics of how the policy and the supporting standards and guidelines will actually be
implemented in an operating environment.
For example, a standard will state that custodians of information processing systems must
use 'XXXXXX' anti-viral software to ensure that the system is free from destructive software
elements (such as viruses) that would impair the normal and expected operation of the system.
By this the standard has explained the application of the policy and provided the cornerstone
for compliance.
In other words, procedures state how to go about doing what is stated as a standard. For
example, after stating what must be done as a standard, like the above where custodians of
information processing systems must use 'XXXXXX' anti-viral software, a procedure will state
that all users utilizing 'XXXXXX' anti-viral software will have anti-viral signature files
updated daily at a minimum. A statement like "all users are to ensure that any portable storage
media is swept using XXXXXX before any data is accessed" is a procedure.
