glance of information technology

Post on 15-Apr-2017


GLANCE OF INFORMATION SECURITY

www.safedecision.com.sa Info@safedecision.com.sa

WHAT IS INFORMATION SECURITY ?

Information security is defined as protecting information and information systems from unauthorised access, use, disclosure, disruption, modification, or destruction.


THE CORNERSTONE CONCEPT OF INFORMATION SECURITY

* CONFIDENTIALITY
* INTEGRITY
* AVAILABILITY

KNOWN AS THE CIA

Confidentiality, integrity, and availability work together to provide assurance that data and systems remain secure. Do not assume that one part of the triad is more important than another.

CIA TRIAD


CONFIDENTIALITY

Confidentiality prevents the unauthorised disclosure of information; it keeps data secret. In other words, confidentiality prevents unauthorised read access to data.

Example:

Confidentiality can be compromised by:
- The loss of a laptop containing data.
- A person looking over our shoulder while we type a password.
- An E-mail attachment being sent to the wrong person.


INTEGRITY

Integrity prevents unauthorised modification of information. In other words, it prevents unauthorised write access to data.

THERE ARE TWO TYPES OF INTEGRITY

* Data Integrity: It protects information against unauthorised modification.

* System Integrity: It protects a system, such as a Windows 2008 server operating system, from unauthorised modification.


Example

If an unethical student compromises a college grade database to raise his failing grades, he has violated the data integrity. If he installs malicious software on the system to allow future backdoor access, he has violated the system integrity.


AVAILABILITY

Availability ensures that information is available when needed. Systems need to be usable (available) for normal business use.

Example

An attack on availability would be a denial of service (DoS) attack, which seeks to deny service (or availability) of a system.


BALANCED SECURITY

[Figure: confidentiality, integrity, availability]

Security is commonly viewed only through the lens of keeping secrets secret. The integrity and availability threats can be overlooked and only dealt with after they are properly compromised.


Some assets have a critical confidentiality requirement (company trade secrets), some have critical integrity requirements (financial transaction values), and some have critical availability requirements (E-commerce web servers).

Many people understand the concepts of the CIA triad, but may not fully appreciate the complexity of implementing the necessary controls to provide all the protection that these concepts cover.

THE CORNERSTONE CONCEPT OF INFORMATION SECURITY

1- CONFIDENTIALITY

2- INTEGRITY

3- AVAILABILITY


The following provides a short list of some of these controls and how they map to the components of the CIA triad:

CONFIDENTIALITY

• Encryption for data at rest (whole disk, database encryption)

• Encryption for data in transit (IPSec, SSL, PPTP, SSH)

• Access control (physical and technical)


INTEGRITY

• Hashing (data integrity)

• Configuration management (system integrity)

• Change control (process integrity)

• Access control (physical and technical)

• Software digital signing
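As an added example (not part of the original slides), the sketch below applies the hashing control to the grade-database scenario from the integrity example, and shows why the reference value must be out of reach of whoever can write to the data: an unkeyed digest stored beside the record can simply be recomputed, while a keyed hash (HMAC) cannot. The records, the key and all function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample data modeled on the slide's college grade database example.
GRADES = {"s1001": "A", "s1002": "F", "s1003": "B"}
# Assumption: the key lives outside the database, out of reach of anyone
# who only has write access to the grade records.
KEY = b"constructed-demo-key"


def encode(student_id: str, grade: str) -> bytes:
    # Length-prefix each field so ("s1", "0A") and ("s10", "A") never collide.
    parts = (student_id.encode(), grade.encode())
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)


def plain_digest(student_id: str, grade: str) -> str:
    # Unkeyed SHA-256: anyone who can edit the record can recompute this.
    return hashlib.sha256(encode(student_id, grade)).hexdigest()


def keyed_tag(student_id: str, grade: str, key: bytes = KEY) -> str:
    # HMAC-SHA256: recomputing a valid tag requires the key.
    return hmac.new(key, encode(student_id, grade), hashlib.sha256).hexdigest()


def audit(records: dict, reference: dict, tag_fn) -> list:
    """Compare current records with stored reference tags; return findings."""
    findings = []
    for sid in sorted(set(records) | set(reference)):
        if sid not in reference:
            findings.append((sid, "added"))
        elif sid not in records:
            findings.append((sid, "deleted"))
        elif not hmac.compare_digest(tag_fn(sid, records[sid]), reference[sid]):
            findings.append((sid, "modified"))
    return findings


if __name__ == "__main__":
    tags = {sid: keyed_tag(sid, g) for sid, g in GRADES.items()}
    tampered = dict(GRADES, s1002="A")          # the failing grade is raised
    print(audit(tampered, tags, keyed_tag))     # [('s1002', 'modified')]
```

If `plain_digest` values are kept in the same database as the grades, a modification that also rewrites the digest passes the audit; that is the case the keyed tag closes.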


AVAILABILITY

• Redundant array of inexpensive disks (RAID)

• Clustering

• Load balancing

• Redundant data and power lines

• Software and data backups

• Disk shadowing

• Co-location and off-site facilities
