Chapter 1-Introduction to Information Security L2-CCI.pdf
# Principles of Information Security, Fifth Edition

## Chapter 1: Introduction to Information Security

### Lesson 2 - Critical Characteristics of Information

#### Learning Objectives

* Define key terms and critical concepts of information security

#### Critical Characteristics of Information

The value of information comes from the characteristics it possesses:

* Availability
* Accuracy
* Authenticity
* Confidentiality
* Integrity
* Utility
* Possession

#### Availability

Availability enables authorized users — people or computer systems — to access information without interference or obstruction and to receive it in the required format.

#### Accuracy

Information has accuracy when it is free from mistakes or errors and has the value that the end user expects. If information has been intentionally or unintentionally modified, it is no longer accurate.

#### Authenticity

Authenticity of information is the quality or state of being genuine or original, rather than a reproduction or fabrication. Information is authentic when it is in the same state in which it was created, placed, stored, or transferred.

#### Confidentiality

Information has confidentiality when it is protected from disclosure or exposure to unauthorized individuals or systems. Confidentiality ensures that only users with the rights and privileges to access information are able to do so.

#### Integrity

Information has integrity when it is whole, complete, and uncorrupted. The integrity of information is threatened when it is exposed to corruption, damage, destruction, or other disruption of its authentic state.

#### Utility

The utility of information is the quality or state of having value for some purpose or end. In other words, information has value when it can serve a purpose.

#### Possession

The possession of information is the quality or state of ownership or control. Information is said to be in one's possession if one obtains it, independent of format or other characteristics. Note that possession does not imply confidentiality: an attacker who copies a file has taken possession of the information even though the owner still holds it, and if the copy was readable, confidentiality was lost as well.
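As an added example, not part of the original slides, the following Python script shows why integrity and authenticity are listed as separate characteristics. A plain SHA-256 digest detects accidental corruption of a record (integrity), but anyone can recompute it, so a deliberately altered record delivered with a fresh attacker-supplied digest still passes. An HMAC under a secret key only the legitimate producer holds fails in that case (authenticity). The sample record, the generated key and the function names are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample record for the illustration (not from the original page).
RECORD = b"account=ACME-001;balance=1500.00"
# Hypothetical shared secret held only by the record's legitimate producer and consumer.
KEY = secrets.token_bytes(32)


def integrity_tag(data: bytes) -> str:
    """Plain SHA-256 digest: detects accidental corruption (integrity),
    but anyone can recompute it, so it says nothing about who produced the data."""
    return hashlib.sha256(data).hexdigest()


def authenticity_tag(data: bytes, key: bytes) -> str:
    """HMAC-SHA256 over the data with a secret key: only a holder of the key
    can produce a matching tag, so a match shows the data is genuine, not a fabrication."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def check_integrity(data: bytes, expected_digest: str) -> bool:
    # compare_digest avoids leaking the position of the first mismatch through timing.
    return hmac.compare_digest(integrity_tag(data), expected_digest)


def check_authenticity(data: bytes, key: bytes, expected_tag: str) -> bool:
    return hmac.compare_digest(authenticity_tag(data, key), expected_tag)


def demo() -> dict:
    """Run three scenarios; return (integrity_ok, authenticity_ok) for each."""
    digest = integrity_tag(RECORD)
    tag = authenticity_tag(RECORD, KEY)

    # Scenario 2: a single bit flipped in transit (accidental corruption).
    corrupted = bytearray(RECORD)
    corrupted[-1] ^= 0x01
    corrupted = bytes(corrupted)

    # Scenario 3: deliberate tampering. The attacker edits the balance and
    # recomputes the plain digest, but cannot recompute the HMAC without KEY.
    tampered = RECORD.replace(b"1500.00", b"9500.00")
    attacker_digest = integrity_tag(tampered)

    return {
        # Scenario 1: unmodified record, both checks pass.
        "original": (check_integrity(RECORD, digest),
                     check_authenticity(RECORD, KEY, tag)),
        # Corruption: the digest no longer matches, nor does the HMAC.
        "corrupted": (check_integrity(corrupted, digest),
                      check_authenticity(corrupted, KEY, tag)),
        # Tampering: the attacker-supplied digest matches, the HMAC does not.
        "tampered": (check_integrity(tampered, attacker_digest),
                     check_authenticity(tampered, KEY, tag)),
    }


if __name__ == "__main__":
    for name, (ok_integrity, ok_authentic) in demo().items():
        print(f"{name:10s} integrity={str(ok_integrity):5s} authenticity={ok_authentic}")
```

The "tampered" row is the one to remember: a checksum stored or sent alongside the data only protects integrity against accidents, because whoever can change the data can also change the checksum. Proving the data is genuine needs a secret the attacker does not have (a MAC key, or a private signing key when the verifier should not hold the secret).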
## CNSS Security Model

The CNSS Security Model (also known as the McCumber Cube) is represented by a cube with three axes. One axis carries the three security goals:

* **Confidentiality:** Ensures that information is only accessible to authorized individuals
* **Integrity:** Ensures that the information is accurate and complete, and hasn't been tampered with
* **Availability:** Ensures that the information is accessible to authorized users when they need it

The second axis carries the states information can be in (storage, processing, transmission) and the third the safeguards used to protect it (policy, education, technology). Each of the 27 cells formed by the three axes is an area that must be addressed to secure an information system; a program that covers only some cells leaves gaps.

## Components of an Information System

An information system (IS) is the entire set of people, procedures, and technology that enable a business to use information:

* Software
* Hardware
* Data
* People
* Procedures
* Networks

## Balancing Information Security and Access

It is impossible to obtain perfect information security; it is a process, not a goal. Security should be considered a balance between protection and availability. To achieve balance, the level of security must allow reasonable access, yet protect against threats.

## Approaches to Information Security Implementation

### Bottom-Up Approach

A grassroots effort in which systems administrators attempt to improve the security of their own systems.

* **Key advantage:** Technical expertise of individual administrators
* **Seldom works:** It lacks essential features such as participant support and organizational staying power.

### Top-Down Approach

Initiated by upper management, which:

* Issues policy, procedures, and processes
* Dictates goals and expected outcomes of the project
* Determines accountability for each required action

The most successful type of top-down approach also involves a formal development strategy referred to as the systems development life cycle (SDLC).

## Figure 1-12: Approaches to Information Security Implementation

A pyramid-like structure is shown. The top of the pyramid is the CEO, with multiple levels down to network technicians. The left side of the pyramid is labelled "Top-Down Approach" and the right "Bottom-Up Approach".