PACE-IT, Security+ 2.9: Goals of security controls

Goals of security controls.

Upload: pace-it-at-edmonds-community-college

Post on 14-Feb-2017


Brian K. Ferrill, M.B.A.

Instructor, PACE-IT Program – Edmonds Community College

Areas of Expertise: PC Hardware, Network Administration, IT Project Management, Network Design, User Training, IT Troubleshooting

Education: M.B.A., IT Management, Western Governors University; B.S., IT Security, Western Governors University

Qualifications Summary

Entrepreneur, executive leader, and proven manager with 10+ years of experience turning complex issues into efficient and effective solutions. Strengths include developing and mentoring diverse workforces, improving processes, analyzing business needs and creating the solutions required—with a focus on technology.

Goals of security controls.

– Confidentiality, integrity, and availability controls.

– Safety controls.

Confidentiality, integrity, and availability controls.

No matter how a security control is implemented, it always has a goal—to keep systems and data or personnel and facilities safe.

In some cases, these end goals can be combined; however, in most cases, they are deployed separately to achieve the goal. It is not uncommon for the categories to work together to increase the overall security of the data and systems.

When the focus is on systems and data, the security control can be placed into one of three categories. The categories are: confidentiality, integrity, and availability (CIA).


– Confidentiality.

» Using technological controls to ensure that only authorized personnel can gain access to the information.

• Access control/permissions: explicitly establishing who can access the information; the person requesting access must have explicit permission to be able to do so.

• Encryption: using an algorithm to make data unreadable unless the appropriate security key is present; encryption can be placed at multiple levels (e.g., file level, storage level, or the communication channel level).

• Steganography: concealing data (e.g., a text file) within a graphic file; the person receiving the graphic file must use steganography software to read the secured data.

» In many cases, access control/permissions and encryption are used together to increase the confidentiality of data or systems.


– Integrity.

» Using technological controls to ensure that, when data is sent from a source, exactly the same data is received at the destination—in short, authenticating the data.

• Hashing: using a mathematical algorithm to verify that no change has occurred to the data in transit; once received, the hashed value of the data is used to ensure that integrity has been maintained.

• Certificates: a cryptographic means of transporting or exchanging security keys. Ensures the integrity of the security keys.

• Digital signatures: using a combination of certificates and security keys to authenticate the sender of a message or data—in short, ensuring the integrity of the source.

» Integrity controls are often used in conjunction with confidentiality controls.
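
An added example (not part of the original slides) of the hashing check described above, using Python's standard `hashlib` and `hmac` modules. It also shows that a plain digest only proves integrity when the digest itself cannot be replaced along with the data, which is what a key-based control adds; HMAC is used here as a simple stand-in for the key-based controls on this slide, and the key and messages are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample values for this example (not from the slides).
SHARED_KEY = b"constructed-demo-key"
ORIGINAL = b"quarterly-report: total=1000"
ALTERED = b"quarterly-report: total=9000"

def sha256_hex(data: bytes) -> str:
    """Unkeyed hash: anyone holding the data can recompute it."""
    return hashlib.sha256(data).hexdigest()

def hmac_hex(key: bytes, data: bytes) -> str:
    """Keyed hash (HMAC-SHA-256): computing it requires the shared key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def verify_hash(data: bytes, digest: str) -> bool:
    # compare_digest avoids leaking the mismatch position through timing.
    return hmac.compare_digest(sha256_hex(data), digest)

def verify_hmac(key: bytes, data: bytes, tag: str) -> bool:
    return hmac.compare_digest(hmac_hex(key, data), tag)

def run_cases() -> dict:
    digest = sha256_hex(ORIGINAL)
    tag = hmac_hex(SHARED_KEY, ORIGINAL)
    return {
        # Data arrives unchanged: both checks accept it.
        "intact_hash": verify_hash(ORIGINAL, digest),
        "intact_hmac": verify_hmac(SHARED_KEY, ORIGINAL, tag),
        # Data changed in transit, digest/tag untouched: both reject it.
        "changed_data_hash": verify_hash(ALTERED, digest),
        "changed_data_hmac": verify_hmac(SHARED_KEY, ALTERED, tag),
        # Data and digest both replaced: the plain hash still matches,
        # so the digest must come over a path the data's path cannot alter.
        "replaced_pair_hash": verify_hash(ALTERED, sha256_hex(ALTERED)),
        # A tag computed without the shared key does not verify.
        "replaced_pair_hmac": verify_hmac(
            SHARED_KEY, ALTERED, hmac_hex(b"not-the-key", ALTERED)),
    }

if __name__ == "__main__":
    for name, accepted in run_cases().items():
        print(f"{name:20} {'accepted' if accepted else 'REJECTED'}")
```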


– Availability.

» Using various control types to ensure that data and systems are always available when required.

• Fault tolerance: ensuring that even in the case of a failure, data is available; can be achieved through multiple methods (e.g., RAID or server clustering).

• Redundancy: ensuring that systems are always available by using multiple units (e.g., using a partial mesh topology to guard against the failure of a network switch).

• Backups: ensuring that data can be recovered in the case of loss or corruption.

• Patching: ensuring that systems and data are available by keeping operating systems and configuration files up to date—a safeguard against common system attacks.

Safety controls.

Security controls should also be put in place to ensure the safety of personnel and facilities.

Often, the responsibility for securing systems and data is separated from the responsibility to secure personnel and facilities (but not always). Without the people and facilities, the systems and data will not do much good. Some security goals should be put in place with this in mind. These controls should cover disasters (e.g., fire or earthquake), personal safety (e.g., all parking lots have adequate lighting), and outside threats (e.g., controlling access to the facility). The controls also need to be tested on a periodic basis to ensure that all people know and understand them.

What was covered.

Topic: Confidentiality, integrity, and availability controls.

Summary: When implementing security controls for systems and data, the controls can usually be broken down into one of three categories: confidentiality, integrity, or availability (CIA). Confidentiality: uses controls to ensure that only authorized personnel can gain access to the information. Integrity: uses controls to ensure that, when data is sent from a source, exactly the same data is received at the destination. Availability: uses controls to ensure that data and systems are always available when required.

Topic: Safety controls.

Summary: Security controls should also be put in place to ensure the safety of personnel and facilities. The responsibility for personnel and facility security is often separated from the responsibility for systems and data security (but not always). Security controls should be put in place to cover disasters, personal safety, and to guard against outside threats. All safety controls should be periodically tested.

THANK YOU!

This workforce solution was 100 percent funded by a $3 million grant awarded by the U.S. Department of Labor's Employment and Training Administration. The solution was created by the grantee and does not necessarily reflect the official position of the U.S. Department of Labor. The Department of Labor makes no guarantees, warranties, or assurances of any kind, express or implied, with respect to such information, including any information on linked sites and including, but not limited to, accuracy of the information or its completeness, timeliness, usefulness, adequacy, continued availability or ownership. Funded by the Department of Labor, Employment and Training Administration, Grant #TC-23745-12-60-A-53.

PACE-IT is an equal opportunity employer/program and auxiliary aids and services are available upon request to individuals with disabilities. For those that are hearing impaired, a video phone is available at the Services for Students with Disabilities (SSD) office in Mountlake Terrace Hall 159. Check www.edcc.edu/ssd for office hours. Call 425.354.3113 on a video phone for more information about the PACE-IT program. For any additional special accommodations needed, call the SSD office at 425.640.1814. Edmonds Community College does not discriminate on the basis of race; color; religion; national origin; sex; disability; sexual orientation; age; citizenship, marital, or veteran status; or genetic information in its programs and activities.