Total Number of Subscribers: 464
Date: 29th May 2009
Compiled by Mr. M. Sathya Kumar
Information Security

Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction. The terms information security, computer security and information assurance are frequently, and incorrectly, used interchangeably. These fields are often interrelated and share the common goals of protecting the confidentiality, integrity and availability of information; however, there are some subtle differences between them. These differences lie primarily in the approach to the subject, the methodologies used, and the areas of concentration. Information security is concerned with the confidentiality, integrity and availability of data regardless of the form the data may take: electronic, print, or other forms. Computer security can focus on ensuring the availability and correct operation of a computer system without concern for the information stored or processed by the computer.

Governments, the military, corporations, financial institutions, hospitals, and private businesses amass a great deal of confidential information about their employees, customers, products, research, and financial status. Most of this information is now collected, processed and stored on electronic computers and transmitted across networks to other computers. Should confidential information about a business's customers, finances or new product line fall into the hands of a competitor, such a breach of security could lead to lost business, lawsuits or even bankruptcy of the business. Protecting confidential information is a business requirement, and in many cases also an ethical and legal requirement. For the individual, information security has a significant effect on privacy, which is viewed very differently in different cultures.

The field of information security has grown and evolved significantly in recent years. As a career choice there are many ways of gaining entry into the field. It offers many areas for specialization, including securing networks and allied infrastructure, securing applications and databases, security testing, information systems auditing, business continuity planning and digital forensic science, to name a few. This article presents a general overview of information
security and its core concepts.

Basic principles

For over twenty years information security has held confidentiality, integrity and availability (known as the CIA triad) to be the core principles of information security.

Confidentiality

Confidentiality is the property of preventing disclosure of information to unauthorized individuals or systems. For example, a credit card transaction on the Internet requires the credit card number to be transmitted from the buyer to the merchant and from the merchant to a transaction processing network. The system attempts to enforce confidentiality by encrypting the card number during transmission, by limiting the places where it might appear (in databases, log files, backups, printed receipts, and so on), and by restricting access to the places where it is stored. If an unauthorized party obtains the card number in any way, a breach of confidentiality has occurred.

Breaches of confidentiality take many forms. Permitting someone to look over your shoulder at your computer screen while you have confidential data displayed on it could be a breach of confidentiality. If a laptop computer containing sensitive information about a company's employees is stolen or sold, it could result in a breach of confidentiality. Giving out confidential information over the telephone is a breach of confidentiality if the caller is not authorized to have the information. Confidentiality is necessary (but not sufficient) for maintaining the privacy of the people whose personal information a system holds.

Integrity

In information security, integrity means that data cannot be modified without authorization.
This is not the same thing as referential integrity in databases. Integrity is violated when an employee accidentally or with malicious intent deletes important data files, when a computer virus infects a computer, when an employee is able to modify his own salary in a payroll database, when an unauthorized user vandalizes a web site, when someone is able to cast a very large number of votes in an online poll, and so on.

There are many ways in which integrity could be violated without malicious intent. In the simplest case, a user on a system could mis-type someone's address. On a larger scale, if an automated process is not written and tested correctly, bulk updates to a database could alter data in an incorrect way, leaving the integrity of the data compromised. Information security professionals are tasked with finding ways to implement controls that prevent errors of integrity.

Availability

For any information system to serve its purpose, the
information must be available when it is needed. This means that the computing systems used to store and process the information, the security controls used to protect it, and the communication channels used to access it must be functioning correctly. High availability systems aim to remain available at all times, preventing service disruptions due to power outages, hardware failures, and system upgrades. Ensuring availability also involves preventing denial-of-service attacks.

In 2002, Donn Parker proposed an alternative model for the classic CIA triad that he called the six atomic elements of information. The elements are confidentiality, possession, integrity, authenticity, availability, and utility. The merits of the Parkerian hexad are a subject of debate amongst security professionals.

Authenticity
In computing, e-business and information security it is necessary to ensure that the data, transactions, communications or documents (electronic or physical) are genuine. It is also important for authenticity to validate that both parties involved are who they claim to be.

Non-repudiation

In law, non-repudiation implies one's intention to fulfill their obligations to a contract. It also implies that one party of a transaction cannot deny having received a transaction, nor can the other party deny having sent a transaction. Electronic commerce uses technology such as digital signatures and encryption to establish authenticity and non-repudiation.
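The credit card transaction used under Confidentiality above, and the digital-signature point just made, as one added example that is not from the e-zine or from any project it mentions. It assumes a hypothetical merchant that (a) masks the card number before a checkout event is written to a log, so the full number does not appear in one of the places the article lists, and (b) has the buyer sign the order record with an Ed25519 key: any alteration of the record fails verification (integrity), and only the holder of the buyer's key can produce a valid signature (authenticity, and the basis for non-repudiation). The regular expression, the Transaction layout and all sample values are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// panPattern matches a run of 13 to 19 digits, optionally separated by spaces
// or dashes: the shape of a payment card number. Assumed pattern for this example.
var panPattern = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)

// luhnValid reports whether a digit string passes the Luhn checksum that card
// numbers carry; it keeps other long numbers (order ids) from being masked.
func luhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// MaskPAN rewrites every Luhn-valid card number in a log line so that only the
// last four digits survive; the full number never reaches the log file.
func MaskPAN(line string) string {
	return panPattern.ReplaceAllStringFunc(line, func(m string) string {
		digits := strings.NewReplacer(" ", "", "-", "").Replace(m)
		if !luhnValid(digits) {
			return m // not a card number: leave it untouched
		}
		return strings.Repeat("*", len(digits)-4) + digits[len(digits)-4:]
	})
}

// Transaction is the record the buyer authorises (hypothetical layout).
type Transaction struct {
	OrderID     string `json:"order_id"`
	Merchant    string `json:"merchant"`
	AmountCents int64  `json:"amount_cents"`
	MaskedPAN   string `json:"masked_pan"`
}

// encode gives the record a canonical byte form: json.Marshal writes struct
// fields in declaration order, so signer and verifier hash identical bytes.
func encode(t Transaction) []byte {
	b, err := json.Marshal(t)
	if err != nil {
		panic(err)
	}
	return b
}

// SignTransaction signs the record with the buyer's private key. Only the holder
// of that key can produce the signature, which is what later lets the merchant
// show that the buyer authorised this exact record.
func SignTransaction(priv ed25519.PrivateKey, t Transaction) []byte {
	return ed25519.Sign(priv, encode(t))
}

// VerifyTransaction checks integrity (any altered field fails) and authenticity
// (only the matching public key verifies) in one step.
func VerifyTransaction(pub ed25519.PublicKey, t Transaction, sig []byte) bool {
	return ed25519.Verify(pub, encode(t), sig)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}

	// Constructed log line: the card number is masked before it is written.
	fmt.Println(MaskPAN("checkout card=4111 1111 1111 1111 order=1234567890123456"))

	tx := Transaction{OrderID: "1234567890123456", Merchant: "example-shop",
		AmountCents: 4999, MaskedPAN: MaskPAN("4111111111111111")}
	sig := SignTransaction(priv, tx)
	fmt.Println("genuine record verifies:", VerifyTransaction(pub, tx, sig))

	tampered := tx
	tampered.AmountCents = 499900 // the amount is edited after signing
	fmt.Println("altered record verifies:", VerifyTransaction(pub, tampered, sig))
}
```

The masking and the signature address different goals and neither replaces the other: masking limits where the secret value can be read, while the signature binds the record to the key that produced it. Encrypting the record in transit, which the article also mentions, would be a third, separate control.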
Risk management

A comprehensive treatment of the topic of risk management is beyond the scope of this article. We will, however, provide a useful definition of risk management, outline a commonly used process for risk management, and define some basic terminology.

The CISA Review Manual 2006 provides the following definition of risk management: "Risk management is the process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives, and deciding what countermeasures, if any, to take in reducing risk to an acceptable level, based on the value of the information resource to the organization."

There are two things in this definition that may need some clarification. First, the process of risk management is an ongoing, iterative process. It must be repeated indefinitely. The business environment is constantly changing and new threats and vulnerabilities emerge every day. Second, the choice of countermeasures (controls) used to manage risks must strike a balance between productivity, cost, effectiveness of the countermeasure, and the value of the informational asset being protected.
Risk is the likelihood that something bad will happen that causes harm to an informational asset (or the loss of the asset). A vulnerability is a weakness that could be used to endanger or cause harm to an informational asset. A threat is anything (man-made or act of nature) that has the potential to cause harm. The likelihood that a threat will use a vulnerability to cause harm creates a risk. When a threat does use a vulnerability to inflict harm, it has an impact. In the context of information security, the impact is a loss of availability, integrity, and confidentiality, and possibly other losses (lost income, loss of life, loss of real property). It should be pointed out that it is not possible to identify all risks, nor is it possible to eliminate all risk. The remaining risk is called residual risk.
A risk assessment is carried out by a team of people who have knowledge of specific areas of the business. Membership of the team may vary over time as different parts of the business are assessed. The assessment may use a subjective qualitative analysis based on informed opinion, or, where reliable dollar figures and historical information are available, the analysis may use quantitative analysis.

The ISO/IEC 27002:2005 Code of practice for information security management recommends the following be examined during a risk assessment:

In broad terms the risk management process consists of:

For any given risk, Executive Management can choose to accept the risk based upon the relatively low value of the asset, the relatively low frequency of occurrence, and the relatively low impact on the business. Or, leadership may choose to mitigate the risk by selecting and implementing appropriate control measures to reduce the risk. In some cases, the risk can be transferred to another business by buying insurance or outsourcing to another business. The reality of some risks may be disputed. In such cases leadership may choose to deny the risk. This is itself a potential risk.
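The terms defined above (risk, threat, vulnerability, impact, residual risk), the qualitative-versus-quantitative distinction, and the accept/mitigate/transfer choices, worked through as an added example that is not from the e-zine. It assumes a small risk register in which the assessment team rates likelihood and impact on a 1 to 5 scale, and, where reliable dollar figures exist, uses the standard annualised loss expectancy (asset value x exposure factor x annual rate of occurrence), a method the article does not name. The acceptance threshold, the controls and every register entry are constructed values, and the decision rule (mitigate only when the control saves at least what it costs, otherwise transfer) is one way of striking the cost/effectiveness/asset-value balance the article asks for, not a rule the article states.

```go
package main

import "fmt"

// Risk is one entry in a risk register. Likelihood and Impact are the
// qualitative 1..5 ratings the assessment team assigns; the dollar fields are
// filled in only where reliable figures and history exist.
type Risk struct {
	Asset, Threat  string
	Likelihood     int     // 1 rare .. 5 almost certain
	Impact         int     // 1 negligible .. 5 severe
	AssetValue     float64 // dollars; 0 when no reliable figure exists
	ExposureFactor float64 // share of the asset's value lost per occurrence (0..1)
	AnnualRate     float64 // expected occurrences per year
}

// Score is the qualitative rating: likelihood times impact (1..25).
func (r Risk) Score() int { return r.Likelihood * r.Impact }

// ALE is the annualised loss expectancy used in quantitative analysis:
// single loss expectancy (value x exposure factor) times annual rate.
func (r Risk) ALE() float64 { return r.AssetValue * r.ExposureFactor * r.AnnualRate }

// Control is a countermeasure: its yearly cost and the share of occurrences it
// stops. Whatever it does not stop remains as residual risk.
type Control struct {
	Name       string
	AnnualCost float64
	Reduction  float64 // 0..1 share of occurrences prevented
}

// Residual is the risk that remains once the control is in place.
func (r Risk) Residual(c Control) Risk {
	out := r
	out.AnnualRate = r.AnnualRate * (1 - c.Reduction)
	// Scale the qualitative likelihood the same way, rounded, never below 1.
	l := int(float64(r.Likelihood)*(1-c.Reduction) + 0.5)
	if l < 1 {
		l = 1
	}
	out.Likelihood = l
	return out
}

// Decide picks one of the treatment options the article lists. acceptBelow is
// an assumed policy threshold on the qualitative score.
func Decide(r Risk, c Control, acceptBelow int) string {
	if r.Score() < acceptBelow {
		return "accept" // low value, low frequency or low impact
	}
	if r.ALE() == 0 {
		// No reliable dollar figures: qualitative analysis only, so a risk
		// above the acceptance line gets a control.
		return "mitigate"
	}
	saved := r.ALE() - r.Residual(c).ALE()
	if saved >= c.AnnualCost {
		return "mitigate" // the control pays for itself
	}
	return "transfer" // control costs more than it saves: insure or outsource
}

func main() {
	// Constructed register entries and controls.
	ransomware := Risk{Asset: "customer database", Threat: "ransomware",
		Likelihood: 4, Impact: 5, AssetValue: 500000, ExposureFactor: 0.6, AnnualRate: 0.5}
	backups := Control{Name: "offline backups", AnnualCost: 20000, Reduction: 0.8}
	fmt.Printf("%s/%s: score %d, ALE $%.0f, residual ALE $%.0f -> %s\n",
		ransomware.Asset, ransomware.Threat, ransomware.Score(), ransomware.ALE(),
		ransomware.Residual(backups).ALE(), Decide(ransomware, backups, 6))

	display := Risk{Asset: "lobby display", Threat: "vandalism", Likelihood: 1, Impact: 2}
	fmt.Println("lobby display:", Decide(display, Control{}, 6)) // accept

	van := Risk{Asset: "delivery van", Threat: "theft", Likelihood: 3, Impact: 3,
		AssetValue: 40000, ExposureFactor: 1, AnnualRate: 0.1}
	tracker := Control{Name: "GPS immobiliser", AnnualCost: 5000, Reduction: 0.5}
	fmt.Println("delivery van:", Decide(van, tracker, 6)) // transfer
}
```

Note that the residual risk is never zero: even the strongest control in the register leaves an annual rate above zero, which is the article's point that not all risk can be eliminated, and a register like this is meant to be re-run as the likelihood and impact ratings change.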
Disclaimer: We believe that the information contained in this e-zine is true. If you do not wish to receive Smart Trainee please click here.