Information Security Triad

Created by
@PerfectSpatialism

Questions and Answers

What is the primary goal of confidentiality in the Information Security Triad?

To restrict access to authorized individuals

What is an example of unintentional loss of integrity in the context of information security?

A computer power surge corrupts a file

What is the main concern of availability in the Information Security Triad?

Ensuring information is accessible in a timely manner

What is an example of a situation where availability is critical?

A stock trader accessing real-time market data

What is the major difference between intentional and unintentional loss of integrity?

Intentional loss is caused by malicious intent, while unintentional loss is caused by accidents

What is the primary goal of authentication in information security?

To identify a user and verify their identity

What is the main difference between an access control list (ACL) and role-based access control (RBAC)?

ACL is based on individual user identities, while RBAC is based on job roles

What is the purpose of encryption in information security?

To protect data from unauthorized access

What is the recommended frequency for changing passwords in an organization?

Every 60 to 90 days

What is the minimum recommended length for a password in an organization?

8 characters

Study Notes

Information Security Triad

  • To be confident in a computing environment, devices must not be compromised, and communications must be secure.
  • The triad consists of confidentiality, integrity, and availability.

Confidentiality

  • Restricts access to authorized individuals to view or access information.
  • Example: federal law requires universities to restrict access to private student information.

Integrity

  • Assurance that information has not been altered and truly represents the intended content.
  • Information can lose its integrity intentionally (malicious intent) or unintentionally (e.g., power surge, accidental deletion).

Availability

  • Ensures authorized individuals can access and modify information in an appropriate timeframe.
  • Appropriate timeframe varies depending on the context (e.g., immediate access for a stock trader, daily report for a salesperson).

Tools for Information Security

  • Authentication: identifies users through one or more factors (something they know, have, or are).
  • Multi-factor authentication is a more secure way to authenticate users.
  • Access Control: determines authorized users for reading, modifying, adding, and deleting information.
  • Encryption: encodes data for transmission or storage, allowing only authorized individuals to read it.
  • Password Security: choose complex passwords (8+ characters, 1 upper-case, 1 special, 1 number) and change them regularly (every 60-90 days).
  • Backups: ensure data recovery in case of loss or corruption.
  • Firewalls: block unauthorized access to a network.
  • Intrusion Detection Systems: detect and alert on potential security breaches.
  • VPN: secures internet connections.
  • Physical Security: protects physical assets and data from unauthorized access.
  • Security Policy: outlines guidelines and procedures for information security.

Access Control

  • Access Control List (ACL): specifies access rights for individual users or groups.
  • Role-Based Access Control (RBAC): assigns access rights based on user roles, rather than individual users.
