Information Security - Week 1 Notes
Author: Geo Qujad
Course: Information Security: Legal and Ethical Issues
Institution: Colorado State University - Global Campus

Information Security: Legal and Ethical Issues
Week 1: Introduction to Information Security

In week 1 we are introduced to the course and establish a foundation for understanding the basic concepts and theories of information security. We become familiar with the importance of information security within information technology and identify its key characteristics, principles, and concepts. Finally, we conclude with a review of the CNSS security model, highlighting each of its three dimensions.

Learning Outcomes
1. Define the concepts and key characteristics of information security.
2. Analyze the importance of information technology security.
3. Consider the relationship between an organization's information assets and who is responsible for protecting those assets.
4. Discuss the differences between information security management and general management.

1. Foundation for Understanding Information Security

Information security is the state or quality of being secure, that is, free from danger or potential risk. To maintain the appropriate level of security, an organization must make sound, informed, and calculated decisions about information security. The procedure that creates and develops security strategies is referred to as "planning." The Committee on National Security Systems (CNSS) describes information security as the protection of information and its critical elements, including the systems and hardware that use, store, and transmit that information. In 1991, John McCumber introduced a model for designing and evaluating information security known as the McCumber Cube. Its three dimensions are the desired goals (confidentiality, integrity, availability), the states information can be in (storage, processing, transmission), and the safeguards applied (policy and practices, education and training, technology); together they form 27 cells that a complete security design should address. The McCumber Cube representation helps one consider all significant design aspects without becoming focused on any single one.

McCumber Cube

McCumber cube, 2006, CC BY-SA 3.0

Information security comprises a wide range of principles and concepts drawn from information security management, data and computer security, and information communication security. The CNSS model of information security developed from a concept created by the security industry referred to as the C.I.A. triangle, which has been the industry standard for computer security since the development of the IBM mainframe. It is founded on three principles: confidentiality, integrity, and availability, and safeguarding these three is of key importance in information security. However, using the C.I.A. model alone does not guarantee safety in a rapidly changing environment: the information security landscape has constantly evolved, along with its threats, breaches, leaks, and attacks.

Information Security (InfoSec)

Information security is not a single technology; rather, it is a strategy comprising the processes, tools, and policies necessary to prevent, detect, document, and counter threats to digital and non-digital information. Processes and policies typically involve both physical and digital security measures to protect data from unauthorized access, use, replication, or destruction. InfoSec management can include everything from mantraps to encryption key management and malware detection. InfoSec programs are important for maintaining the confidentiality, integrity, and availability of IT systems and business data. Many large enterprises employ a dedicated security group to implement and maintain the organization's InfoSec program; typically the group is led by a chief information security officer (CISO).

Confidentiality

Information has confidentiality when it is protected from disclosure or exposure to unauthorized individuals or systems. Confidentiality ensures that only those with the rights and privileges to access information are able to do so; when unauthorized individuals or systems can view information, confidentiality is breached. To protect the confidentiality of information, you can use a number of measures, including the following:

• Information Classification: Classify information based on its business criticality. Classification schemes should drive authorization and authentication policies.
• Secure Document Storage: Ensure on-premises and off-site storage configurations meet reliability, availability, and serviceability requirements for documents based on each document's classification.
• Application of General Security Policies: Ensure security policies are consistently and diligently enforced.
• Education of Information Custodians and End Users: Ensure users and data stewards are informed of any changes to security policies.
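The first measure above says a classification scheme should drive both authorization and authentication policy. The following is an added example written for these notes (it is not code from the notes or from Whitman & Mattord) of what that looks like in practice: an ordered set of labels, a requester whose clearance must dominate the record's label, and a minimum authentication strength per label so that the most sensitive records cannot be read from a password-only session. The label names, users, records, authentication methods and audit-line format are all constructed assumptions for the example; anything the scheme does not recognise is denied rather than allowed.

```python
"""Classification-driven authorization check (added example, not from the notes).

A requester may read a record only if their clearance dominates the record's
label, and sensitive labels also require a stronger authentication method.
Labels, users, records and audit format are constructed for this example.
Anything the scheme does not recognise is denied (fail closed).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Ordered labels, least to most sensitive (constructed scheme).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

# Classification also drives authentication policy: the minimum strength a
# session must have been authenticated with before a label may be read.
AUTH_STRENGTH = {"password": 1, "mfa": 2}
MIN_AUTH = {"public": 0, "internal": 1, "confidential": 1, "restricted": 2}


@dataclass(frozen=True)
class Record:
    name: str
    classification: str
    content: str


@dataclass(frozen=True)
class Principal:
    user: str
    clearance: str
    auth_method: str  # how the current session was authenticated


def decide(principal: Principal, record: Record) -> Tuple[bool, str]:
    """Return (allowed, reason). Every path that is not an explicit allow denies."""
    level = LEVELS.get(record.classification)
    if level is None:
        return False, f"unknown classification {record.classification!r}"
    clearance = LEVELS.get(principal.clearance)
    if clearance is None:
        return False, f"unknown clearance {principal.clearance!r}"
    # An unrecognised authentication method counts as strength 0.
    strength = AUTH_STRENGTH.get(principal.auth_method, 0)
    if strength < MIN_AUTH[record.classification]:
        return False, f"{record.classification} requires stronger authentication"
    if clearance < level:
        return False, "clearance below classification"
    return True, "allowed"


def read(principal: Principal, record: Record, audit: List[str]) -> Optional[str]:
    """Release the content only on an allow; log every decision either way."""
    allowed, reason = decide(principal, record)
    outcome = "READ" if allowed else "DENIED"
    audit.append(f"{principal.user} {outcome} {record.name}: {reason}")
    return record.content if allowed else None


if __name__ == "__main__":
    audit: List[str] = []
    records = [
        Record("newsletter", "public", "..."),
        Record("roadmap", "confidential", "..."),
        Record("hsm-backup", "restricted", "..."),
        Record("legacy-memo", "secret", "..."),  # label not in the scheme: always denied
    ]
    ana = Principal("ana", "confidential", "password")
    bob = Principal("bob", "restricted", "mfa")
    for who in (ana, bob):
        for rec in records:
            read(who, rec, audit)
    print("\n".join(audit))
```

The ordering of checks matters: the label and clearance are validated before anything else, so a record carrying a label the scheme has never defined (the "legacy-memo" case) is denied even to the most cleared user, which is what "classification drives policy" has to mean if unlabelled data is not to become a loophole.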

Integrity

Information has integrity when it is whole, complete, and uncorrupted. The integrity of information is threatened when the information is exposed to corruption, damage, destruction, or other disruption of its authentic state. Corruption can occur while information is being stored or transmitted.

Availability

Availability enables authorized users, whether persons or computer systems, to access information without interference or obstruction and to receive it in the required format. Availability requirements vary by application and should be defined in a Service Level Agreement (SLA).

2. Importance of Information Security

A company's information is considered the key to a profitable and successful business. Most companies perceive security as an IT issue and do not consider the contributions of employees, managers, and other administrators. However, even the best information security awareness program can be made better with the proper insight and involvement. An organization's security plan will only work if the entire workforce is trained properly; for that reason, the importance of proper technology security training cannot be overlooked. The mission of a security program is not only to inform employees of possible security issues and how they can be prevented, but also to change the organization's current information security culture and practices.

Typically, the IT security department is held accountable for the safety of information assets. The entire organization must understand that the IT security department is not solely responsible; rather, IT security is the responsibility of employees at every level of the organization. One purpose of an IT security program is to express a clear, simple, and reasonable message in a form that is easily understood by the intended audience. It is essential to correctly recognize the security issues the organization faces, as insight from all divisions throughout the organization is vital to bridge the divide between management and technical perceptions of security risks and their impact on the organization. The importance of information security as a company-wide initiative cannot be stressed enough.

Planning

The process of developing, creating, and implementing strategies for the accomplishment of objectives is called planning. Planning launches the iterative process referred to as the Planning-Controlling Link. Planning encompasses the activities that establish the goals, objectives, and strategies of the organization's information security approach. After the plans to execute the strategy are developed, the company should examine its organizational structure and employee skills and experience to determine whether changes are needed to successfully execute the plan. Once the structure and people component are solidified, the organization must execute the plan; employee motivation, organizational leadership, and enterprise-wide communication become paramount to successful execution. Finally, the organization must measure itself to determine when and whether success was achieved.
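Returning to the Integrity property defined above (information that is whole, complete and uncorrupted, whether stored or transmitted): the following is an added example written for these notes, not code from the notes or from Whitman & Mattord, of how a practitioner detects that a record has lost its authentic state. It seals a record with an HMAC-SHA256 tag so that any change to the bytes, an accidental bit flip on disk or in transit or a deliberate edit of one field, is caught on read. It also shows why an unkeyed hash is not enough: an attacker who can edit the record can recompute a plain digest, but cannot recompute an HMAC without the key. The key, the record, the serialisation format and the corruption scenarios are all constructed assumptions for the example.

```python
"""Detecting corruption and tampering of a stored or transmitted record
(added example, not from the notes).

seal()/unseal() protect a record with HMAC-SHA256; the unkeyed variant is
included for contrast. Key, record and corruption scenarios are constructed.
"""
import hashlib
import hmac
import json
from typing import Any, Dict

SEP = b"\n"


def canonical(record: Dict[str, Any]) -> bytes:
    # Deterministic serialisation so the same record always tags identically.
    # json.dumps escapes newlines inside strings, so the body never contains a
    # raw newline and SEP can safely separate the body from the tag.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(record: Dict[str, Any], key: bytes) -> bytes:
    body = canonical(record)
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + SEP + tag


def unseal(blob: bytes, key: bytes) -> Dict[str, Any]:
    body, sep, tag = blob.rpartition(SEP)
    if not sep:
        raise ValueError("integrity check failed: no tag present")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    # Constant-time comparison: the verifier must not leak how many tag bytes matched.
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed: tag mismatch")
    return json.loads(body)


def is_intact(blob: bytes, key: bytes) -> bool:
    try:
        unseal(blob, key)
        return True
    except ValueError:
        return False


# Unkeyed variant, for contrast: it only catches accidental corruption.
def seal_unkeyed(record: Dict[str, Any]) -> bytes:
    body = canonical(record)
    return body + SEP + hashlib.sha256(body).hexdigest().encode()


def is_intact_unkeyed(blob: bytes) -> bool:
    body, sep, digest = blob.rpartition(SEP)
    return bool(sep) and hmac.compare_digest(
        hashlib.sha256(body).hexdigest().encode(), digest)


# --- constructed corruption scenarios ---

def flip_bit(blob: bytes, index: int) -> bytes:
    """Accidental corruption in storage or transit: one bit of one byte flips."""
    data = bytearray(blob)
    data[index] ^= 0x01
    return bytes(data)


def tamper(blob: bytes, field: str, value: Any, recompute_unkeyed: bool = False) -> bytes:
    """Deliberate edit of one field. An attacker without the key can only keep
    the old tag (HMAC case) or recompute a plain digest (unkeyed case)."""
    body, _, tag = blob.rpartition(SEP)
    record = json.loads(body)
    record[field] = value
    new_body = canonical(record)
    if recompute_unkeyed:
        tag = hashlib.sha256(new_body).hexdigest().encode()
    return new_body + SEP + tag


if __name__ == "__main__":
    key = b"constructed-example-key"  # in practice: os.urandom(32), stored separately from the data
    record = {"account": "ACC-1", "amount": 100}
    sealed = seal(record, key)
    print("intact:", is_intact(sealed, key))
    print("after bit flip:", is_intact(flip_bit(sealed, 10), key))
    print("after field edit, old tag kept:", is_intact(tamper(sealed, "amount", 1), key))
    unkeyed = seal_unkeyed(record)
    print("unkeyed, after edit + recomputed digest:",
          is_intact_unkeyed(tamper(unkeyed, "amount", 1, recompute_unkeyed=True)))
```

The last line of the demonstration is the point the definition alone does not make: a checksum distinguishes "corrupted" from "whole" only against accidents, while a keyed tag also distinguishes "authentic" from "edited by someone without the key". Which of the two a system needs depends on whether the threat to integrity is a faulty disk or an adversary.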

Adapted from Whitman & Mattord, 2017, p. 37

References

McCumber cube [Image file]. (2006, June). Retrieved from https://en.wikipedia.org/wiki/File:McCumber_cube.jpg (CC BY-SA 3.0)

Whitman, M. E., & Mattord, H. J. (2017). Management of information security (5th ed.). Boston, MA: Cengage....