IAS - Information Assurance and Security
The history of information security begins with computer security. The need for computer security, that is, the need to secure physical locations, hardware, and software from threats, arose during World War II.
Security is "the quality or state of being secure—to be free from danger." In other words, protection against adversaries.
Information security - is the protection of information assets that use, store, or transmit information from risk through the application of policy, education, and technology.
PPOCNI
Physical security - to protect physical items, objects, or areas from unauthorized access and misuse
Personnel security - to protect the individual or group of individuals who are authorized to access the organization and its operations
Operations security - to protect the details of a particular operation or series of activities
Communications security - to protect communications media, technology, and content
Network security - to protect networking components, connections, and contents
Information security - to protect the confidentiality, integrity and availability of information assets, whether in storage, processing, or transmission.
Key Information Security Concepts
Access: A subject or object's ability to use, manipulate, modify, or affect another subject or object.
Asset: The organizational resource that is being protected.
Attack: An intentional or unintentional act that can cause damage to or otherwise compromise information and/or the systems that support it.
Countermeasure: Security mechanisms, policies, or procedures that can successfully counter attacks, reduce risk, resolve vulnerabilities, and otherwise improve the security within an organization.
Exploit: A technique used to compromise a system.
Exposure: A condition or state of being exposed.
Loss: A single instance of an information asset suffering damage or unintended or unauthorized modification or disclosure.
Protection profile: The entire set of controls and safeguards, including policy, education, training and awareness, and technology, that the organization implements to protect the asset.
Risk: The probability that something unwanted will happen.
Subjects and objects: A computer can be either the subject of an attack—an agent entity used to conduct the attack—or the object of an attack—the target entity.
Threat: A category of objects, persons, or other entities that presents a danger to an asset.
Threat agent: The specific instance or a component of a threat.
Vulnerability: A weakness or fault in a system or protection mechanism that opens it to attack or damage.
Critical Characteristics of Information - AAA CI UP
Availability - enables authorized users to access information without interference or obstruction and to receive it in the required format.
Accuracy - it is free from mistakes or errors and it has the value that the end user expects.
Authenticity - the quality or state of being genuine or original, rather than a reproduction or fabrication.
Confidentiality - it is protected from disclosure or exposure to unauthorized individuals or systems. Measures used to protect confidentiality:
Information classification
Secure document storage
Application of general security policies
Education of information custodians and end users
Integrity - it is whole, complete, and uncorrupted.
Utility- the quality or state of having value for some purpose or end.
Possession - the quality or state of ownership or control.
CNSS (Committee on National Security Systems) Security Model - defines information security as the protection of information and its critical elements, including the systems and hardware that use, store, and transmit that information.
The C.I.A. triangle has been the industry standard for computer security since the development of the mainframe. It is based on the three characteristics of information that give it value to organizations: confidentiality, integrity, and availability.
Information System - is much more than computer hardware; it is the entire set of software, hardware, data, people, procedures, and networks that make possible the use of information resources in the organization.
Components of an Information System - SHDPPN
Software - comprises applications, operating systems, and assorted command utilities; it is the most difficult IS component to secure.
Hardware - the physical technology that houses and executes the software, stores and transports the data, and provides interfaces for the entry and removal of information from the system
Data - data stored, processed, and transmitted by a computer system must be protected; it is often the most valuable asset and the main target of intentional attacks.
People - the weakest link in an organization’s information security program.
Procedures- written instructions for accomplishing a specific task.
Networks - the IS component that created much of the need for increased computer and information security is networking.
Approaches to Information Security Implementation
Bottom-Up Approach
Top-Down Approach
The Systems Development Life Cycle (SDLC)- A methodology for the design and implementation of an information system.
A methodology is a formal approach to solving a problem by means of a structured sequence of procedures.
Phases - IALPIM
Investigation
Analysis
Logical Design
Physical Design
Implementation
Maintenance and Change
Security Professionals and the Organization
Senior Management - typically the CIO
CIO - translates the strategic plans of the organization as a whole into strategic information plans for the information systems or data processing division of the organization.
Chief Information Security Officer (CISO) - has primary responsibility for the assessment, management, and implementation of information security in the organization.
Information Security Project Team
Champion: A senior executive who promotes the project and ensures its support, both financially and administratively, at the highest levels of the organization.
Team leader: A project manager, who may be a departmental line manager or staff unit manager, who understands project management, personnel management, and information security technical requirements.
Security policy developers: People who understand the organizational culture, existing policies, and requirements for developing and implementing successful policies.
Risk assessment specialists: People who understand financial risk assessment techniques, the value of organizational assets, and the security methods to be used.
Security professionals: Dedicated, trained, and well-educated specialists in all aspects of information security from both a technical and nontechnical standpoint.
Systems administrators: People with the primary responsibility for administering the systems that house the information used by the organization.
End users: Those whom the new system will most directly affect. Ideally, a selection of users from various departments, levels, and degrees of technical knowledge assist the
Data Responsibilities
Data owners: Those responsible for the security and use of a particular set of information. They are usually members of senior management and could be CIOs.
Data custodians: Working directly with data owners, data custodians are responsible for the storage, maintenance, and protection of the information.
Data users: End users who work with the information to perform their assigned roles supporting the mission of the organization.