Are You a Security Pro?

Protecting Information by Mitigating Risk:

• Information security involves preventing or reducing the probability of unauthorized/inappropriate access to data, or the unlawful use, disclosure, disruption, deletion, corruption, modification, inspection, recording, or devaluation of information.

• Protected information may take any form, e.g. electronic or physical, tangible or intangible.

• Information security's primary focus is the balanced protection of the data confidentiality, data integrity, and data availability of data while maintaining a focus on efficient policy implementation, all without hampering organization productivity.

• Information security is achieved through a structured risk management process.

• Academics and professionals collaborate to offer guidance, policies, and industry standards on password, antivirus software, firewall, encryption software, legal liability, security awareness and training, and so forth.

• Governments, military, corporations, financial institutions, hospitals, non-profit organizations, and private businesses amass confidential information about their employees, customers, products, research, and financial status.

• Information security threats come in many forms, including software attacks, theft of intellectual property, theft of identity, theft of equipment or information, sabotage, and information extortion.

• Possible responses to a security threat or risk are acceptance, transference, avoidance, mitigation, or exploitation.

• The CIA triad of confidentiality, integrity, and availability is at the heart of information security.

• Confidentiality is the property that information is not made available or disclosed to unauthorized individuals, entities, or processes.

• Data integrity means maintaining and assuring the accuracy and completeness of data over its entire lifecycle.

• Ensuring availability involves preventing denial-of-service attacks, such as a flood of incoming messages to the target system, essentially forcing it to shut down.Information Security: Non-Repudiation, Risk Management, Security Controls, Classification, and Access Control

• Non-repudiation is a legal concept that implies one's intention to fulfill their obligations to a contract; it involves the sender and receiver of a transaction not being able to deny their involvement.

• Risk management is the process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives and deciding what countermeasures to take in reducing risk to an acceptable level.

• The risk management process is ongoing and iterative, and the choice of countermeasures used to manage risks must balance productivity, cost, effectiveness, and the value of the informational asset being protected.

• Security controls can be administrative, logical, and physical, and they are ways of protecting the confidentiality, integrity, or availability of information; they form the basis for the selection and implementation of control measures.

• Administrative controls consist of policies, procedures, standards, and guidelines that inform people on how the business is to be run and how day-to-day operations are to be conducted.

• Logical controls use software and data to monitor and control access to information and computing systems, and an example of a logical control is the principle of least privilege.

• Physical controls monitor and control the environment of the workplace and computing facilities and include doors, locks, heating, and air conditioning, among others.

• Defense in depth is the building up, layering on, and overlapping of security measures that aims to protect information during its lifetime, and it can be conceptualized as three distinct layers or planes laid one on top of the other.

• Classification is an important aspect of information security and risk management that recognizes the value of information and defines appropriate procedures and protection requirements for the information.

• Access control mechanisms, such as identification, authentication, and authorization, must be in place to control access to protected information, and they should be in parity with the value of the information being protected.

• Identification is an assertion of who someone is or what something is, while authentication is the act of verifying a claim of identity.

• Authorization determines what informational resources a person, program, or computer is permitted to access and what actions they will be allowed to perform.Overview of Information Security

• Information security is the practice of protecting information from unauthorized access, use, disclosure, disruption, modification, or destruction.

• Access control is a critical component of information security that ensures only authorized individuals have access to information.

• Cryptography is used in information security to protect information from unauthorized or accidental disclosure while it is in transit or storage.

• Due care and due diligence are important principles in information security that require continuous monitoring and activities to maintain protection mechanisms.

• Effective security governance requires clear policies, procedures, and guidelines for managing information security risks.

• Incident response plans are policies that dictate an organization's reaction to a cyber attack, and they should be unique to the organization's needs and involve specialized skill sets.

• Change management is a formal process for directing and controlling alterations to the information processing environment that reduces risks and improves stability and reliability.

• Business continuity management concerns arrangements that protect an organization's critical business functions from interruption due to incidents.

• Disaster recovery plans focus specifically on resuming business operations as quickly as possible after a disaster.

• There are various governmental laws and regulations that have a significant effect on data processing and information security.

• Information security culture is the ideas, customs, and social behaviors of an organization that impact information security in both positive and negative ways.

• The International Organization for Standardization (ISO) and the US National Institute of Standards and Technology (NIST) are two sources of standards that provide guidance on implementing effective information security practices.Professional Organizations and Standards in Information Security

• The Internet Society (ISOC) leads in addressing issues that confront the future of the internet and is responsible for internet infrastructure standards.

• The Information Security Forum (ISF) is a nonprofit organization that undertakes research into information security practices and offers advice in its Standard of Good Practice and more detailed advisories for members.

• The Institute of Information Security Professionals (IISP) is an independent, non-profit body that advances the professionalism of information security practitioners and developed the IISP Skills Framework.

• The German Federal Office for Information Security (BSI) developed the IT-Grundschutz Methodology, which includes a guide called IT Baseline Protection Catalogs for detecting and combating security-relevant weak points in the IT environment.

• The European Telecommunications Standards Institute standardized a catalog of information security indicators, headed by the Industrial Specification Group (ISG) ISI.