Wednesday, September 22, 2010

What is "Information Security" anyway?

by Forensic Focus columnist, Simon Biles

About the Author

Simon Biles is a founder of Thinking Security Ltd., an Information Security and Risk Management consultancy firm based near Oxford in the UK.

So what is "Information Security" anyway? The traditional model taught to all InfoSec newbies is built around the “CIA Triad” – this isn’t some weird American-Chinese governmental underground society; rather it is the “holy trinity” of Confidentiality, Integrity and Availability that is used to define security. It has been around for over 20 years and, dig as I might, I couldn’t find the original source (if anyone knows, please tell me!). It hasn’t stood unchallenged – more of that later – but it is certainly still in daily use, and if your InfoSec professional doesn’t know what it stands for, it’s time to get a new professional! In any case, it isn’t a bad place to start, so here are the component parts for you:

Confidentiality – this relates to the secrecy of the information in question. Confidentiality comes in many and varied shades, from things that you actively want everybody to know all the way through to things that you want nobody to know. These levels of secrecy correspond to the “protective marking” of documents in Government departments – we are all familiar with the concept of “Top Secret”; the full set is as follows: “NPM” (Not Protectively Marked, i.e. anyone can know), “Protect”, “Restricted”, “Confidential”, “Secret” and “Top Secret”. They are listed in a document called the Security Policy Framework (which is publicly available). Figuring out the required level of confidentiality for a given item of information is important – the higher the required confidentiality, the more expensive and difficult it becomes to secure it from others – so you only want to apply controls where they are actually necessary, rather than spending a fortune protecting something that is either of no consequence or that everyone already knows!

Integrity – this relates to the “quality” of the information. Is it the same as when it was entered? Has it been corrupted? Such corruption could be accidental or deliberate, but the effect in either case is that the information can no longer be used or trusted. It could be as simple as a wrong digit in a phone number or as complex as accounting fraud, but both are compromises of integrity. Again, the effort made and cost expended in maintaining integrity should be proportional to the value and type of the information – a one-bit error in a JPEG image (which uses lossy compression anyway) may go completely unnoticed; a one-bit error in a bank account balance probably won’t...
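As an added example (not part of Simon's column), here is the integrity point above in working Python: a constructed account record suffers a single bit flip, and a copy of it is deliberately altered; an unkeyed SHA-256 checksum catches the accident but not the tamper, while a keyed HMAC catches both. The record format and the key are assumptions made for the example.

```python
import hashlib
import hmac

# Constructed sample record: an account balance in pence, as it was
# "when it was entered". Format is invented for this example.
RECORD = b"ACCT=00012345;BALANCE_PENCE=0000245000"

# Assumed secret held only by the system that seals and verifies records.
INTEGRITY_KEY = b"example-key-not-for-production"


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Return a copy of data with one bit inverted (models a storage fault)."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def checksum(data: bytes) -> str:
    """Unkeyed digest: detects accidental corruption only."""
    return hashlib.sha256(data).hexdigest()


def seal(data: bytes, key: bytes) -> str:
    """Keyed MAC: detects accidental and deliberate change alike, since a
    party without the key cannot produce a matching tag for edited data."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_checksum(data: bytes, expected: str) -> bool:
    return hmac.compare_digest(checksum(data), expected)


def verify_seal(data: bytes, key: bytes, tag: str) -> bool:
    return hmac.compare_digest(seal(data, key), tag)


def balance_pence(record: bytes) -> int:
    """Parse the balance field to show how far one bit error moves it."""
    return int(record.split(b"BALANCE_PENCE=")[1])


def demo() -> dict:
    """Run both scenarios and report which check caught each one."""
    chk, tag = checksum(RECORD), seal(RECORD, INTEGRITY_KEY)
    faulty = flip_bit(RECORD, 256)  # bit 0 of the '2' in 245000 -> '3'
    # Deliberate edit: the balance is rewritten and the unkeyed checksum
    # recomputed over the new bytes, which needs no secret at all.
    forged = RECORD.replace(b"0000245000", b"0099245000")
    return {
        "original_pence": balance_pence(RECORD),
        "faulty_pence": balance_pence(faulty),
        "bitflip_caught_by_checksum": not verify_checksum(faulty, chk),
        "bitflip_caught_by_seal": not verify_seal(faulty, INTEGRITY_KEY, tag),
        "forgery_caught_by_checksum": not verify_checksum(forged, checksum(forged)),
        "forgery_caught_by_seal": not verify_seal(forged, INTEGRITY_KEY, tag),
    }
```

The single flipped bit turns a £2,450.00 balance into £3,450.00, which is exactly the kind of error the column says will not go unnoticed; the forgery result shows why a plain checksum stored beside the data is not an integrity control against a deliberate actor.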


1 comment:

Anonymous said...

Simon is spot on in defining information security. Integrity, confidentiality and availability of information are crucial for maintaining customer loyalty, retaining brand image and ensuring growth of business. The growing menace of cybercrime has resulted in greater demand for security professionals with security certifications such as CHFI, CISSP, CISM, CEH and CISA.