Computer Security
The need to secure physical locations, hardware, and software from threats, which arose during World War II.
Security
The quality or state of being secure; protection against adversaries.
Information Security
Protection of information assets that use, store, or transmit information from risk through policy, education, and technology.
Physical Security
Protection of physical items, objects, or areas from unauthorized access and misuse.
Personnel Security
Protection of individuals authorized to access the organization and its operations.
Operations Security
Protection of the details of a particular operation or series of activities.
Communications Security
Protection of communications media, technology, and content.
Network Security
Protection of networking components, connections, and contents.
Access
A subject or object’s ability to use, manipulate, modify, or affect another subject or object.
Asset
The organizational resource that is being protected.
Attack
An intentional or unintentional act that can cause damage to information or systems.
Countermeasure
Security mechanisms, policies, or procedures that counter attacks and reduce risk.
Exploit
A technique used to compromise a system.
Exposure
A condition or state of being exposed.
Loss
An instance of an information asset suffering damage or unauthorized modification.
Protection Profile
The set of controls and safeguards implemented to protect an asset.
Risk
The probability that something unwanted will happen.
Subjects and Objects
Entities involved in an attack; subjects conduct the attack, objects are the targets.
Threat
A category of entities that presents a danger to an asset.
Threat Agent
A specific instance or component of a threat.
Vulnerability
A weakness in a system that opens it to attack or damage.
Availability
Enables authorized users to access information without interference.
Accuracy
Information is free from mistakes and meets user expectations.
Authenticity
The quality of being genuine or original.
Confidentiality
Protection from unauthorized disclosure.
Integrity
Information is whole, complete, and uncorrupted.
Utility
The quality of having value for a purpose.
Possession
The quality of ownership or control.
CNSS Security Model
Defines information security as the protection of information and its critical elements.
C.I.A
The three characteristics of information that give it value: confidentiality, integrity, and availability.
Information System
The entire set of software, hardware, data, people, procedures, and networks for using information resources.
Software
Applications, operating systems, and command utilities; the most difficult IS component to secure.
Hardware
The physical technology that houses and executes software and stores data.
Data
The most valuable asset, often targeted by intentional attacks.
People
The weakest link in an organization's information security program.
Procedures
Written instructions for accomplishing specific tasks.
Networks
The IS component that increased the need for information security.
Bottom-Up Approach
A method of implementing information security starting from lower levels of the organization.
Top-Down Approach
A method of implementing information security starting from senior management.
Systems Development Life Cycle (SDLC)
A methodology for designing and implementing an information system.
Phases
Investigation, Analysis, Logical Design, Physical Design, Implementation, Maintenance and Change.
Senior Management
Typically the CIO, responsible for strategic information plans.
Chief Information Security Officer (CISO)
Responsible for assessment, management, and implementation of information security.
Champion
A senior executive who promotes and supports information security projects.
Team Leader
A project manager who understands project and personnel management.
Security Policy Developers
Individuals who understand organizational culture and policy requirements.
Risk Assessment Specialists
Experts in financial risk assessment and security methods.
Security Professionals
Trained specialists in all aspects of information security.
Systems Administrators
Individuals responsible for administering systems that house information.
End Users
Those who will be most directly affected by the new system.
Data Owners
Individuals responsible for the security and use of specific information sets.
Data Custodians
Responsible for the storage, maintenance, and protection of information.
Data Users
End users who work with information to support the organization's mission.