Scribd
Upload
78 views

There Are Only Two People in The World I Trust-You & Me, and I'm Not So Sure About you-SHON HARRIS

The document discusses information security and the CIA triad of confidentiality, integrity, and availability. It outlines various controls that organizations use to protect these three aspects of data security, such as access controls, encryption, hashing, backups, and redundancy. The threats to confidentiality, integrity and availability are also discussed. The importance of proper security policies, standards, and senior management commitment to information security is emphasized.

Uploaded by

rekha
Copyright
© © All Rights Reserved
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
78 views

There Are Only Two People in The World I Trust-You & Me, and I'm Not So Sure About you-SHON HARRIS

The document discusses information security and the CIA triad of confidentiality, integrity, and availability. It outlines various controls that organizations use to protect these three aspects of data security, such as access controls, encryption, hashing, backups, and redundancy. The threats to confidentiality, integrity and availability are also discussed. The importance of proper security policies, standards, and senior management commitment to information security is emphasized.

Uploaded by

rekha
Copyright
© © All Rights Reserved
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
You are on page 1/ 5

There are only two people in the World I trust-You & Me, and Im not so sure

about you-SHON HARRIS

In the Internet ,Information and Data are constantly generated and


disseminated.

Eliminating threat and making Data available & accessible on priority to


authorised users is the primary need of any Business and primary aim of any
security program.

For an information security manager meeting both User/Client requirement


and security requirement is always near impossible.

IT service providers apply administrative, physical and technical controls to


protect the Confidentiality, Integrity and Availability of Information .While they
are the Control types, the control functionalities based on these types should
be either Deterrent, Preventive, Corrective, Detective, Compensating controls.

The most common ways we protect Data against loss of confidentiality is with
access controls and encryption.

For securing Integrity the most prominent method used is by Hashing using an
hash algorithm.

Some methods that organizations use to protect against loss of availability are
fault tolerant systems, redundancies, and backups. Fault tolerance means that
a system can develop a fault, yet tolerate it and continue to operate.

This is often accomplished with redundant systems such as redundant drives or


redundant servers. Backups ensure that that important data is backed up and
service can be restored if the original data becomes corrupt with the available
backup data.
All of these controls should be majorly devised keeping in mind the business
objective and management intent.

The Confidentiality, Integrity and Availability concept popularly known as the


CIA triad emphasizes on the need for three major facets of data security.

Proper implementation of Communications Security Management and


techniques can prevent, detect, and correct errors so that CIA of transactions
over networks may be maintained.

The threats to confidentiality include Spoofing, Network sniffing ,Social


Engineering, Trojan Attacks

Integrity safeguards involves controls like Need to know basis, Separation of


Duties and Rotation of duties. Threat involves Misappropriation.

Availability is how robustly data is available for authorised people to access it.

The threats normally involve Denial of Service, Loss of Capabilities.

Further resolving these concepts will be to Identify-like the username

Authenticate-Pin,Password

Authorise-to do what with Data/system privileges etc

Accountability: to who is responsible for a set of action.

The CIA triad is the principle or standard that forms the basis for all security
architecture.

Think about Business Proprietary information or Intellectual Property Rights..,if


data secrecy or data integrity is not maintained in such cases then the data has
no value at all.

CIA of data or information becomes all the more important when many of our
business/payment transactions happen online.

After deciding the levels of CIA proper policies, guidelines ,standards and
procedures are to be laid out for a business. The fundamental characteristic of
an Information Security Policy is identifying major functional areas of
information and classifying them according to the required levels of
security.Once policies are framed it is mandatory to get them endorsed by the
senior management. Active participation and Commitment from the senior
management will establish a sense of ownership for security.

Security is a continuously evolving process as Threats and Risk also keep


changing and challenging forever.

The basic intention of the management when devising a security policy is a


clear definition of provisions that are to be made to provide optimised
security.

There is a need for complete and thorough understanding of access control


concepts,methodologies and implementation with all related environments
within the enterprise.

Some of the standards like the ISO/IEC 27000 Series can set the Information
Security Policy for the organisation.
The ISO/IEC 27000 Series is based on the following stages of implementation:

1.Creation of Information Security Infrastructure.


2.Asset Classification and Control.
3.Personal Security
4.Physical & Environmental Security
5.Communications and Operations Management
6.Access Controls
7.System Development & Maintenance
8.Business Continuity Management
9.Compliance

This is just one method that gives us a set of standards to build a security
program with and serves as industry best practices for IS management within
the Organisation.

You might also like