Information is an asset to the corporation. It might be extremely sensitive, as for a company that provides financial services, or it might be business sensitive, as for a company that provides material goods, but in either case the need to use the data is ever-present. Information security is the field that defines, designs, and monitors the mechanisms and procedures that secure information.
In order for information to be meaningful, it must be accurate. To be useful, it must be available for queries, as appropriate. To be safe from prying eyes or misuse, sensitive information must be kept confidential. Thus, the three principles of information security are:
Integrity
Availability
Confidentiality
Integrity is the assurance that the information and programs can be changed only when authorized and in a controlled manner that completes without error.
The security policy addressing integrity should identify types of events that might disrupt information and program usage, and address the extent to which mitigation of these threats is deemed important. Some risks might be:
Malicious action
Incorrect program code
Power failure during a transaction
Hardware failure
Mitigation of these risks can include measures such as:
Requiring multiple authorized users to perform the transaction
Quality testing and change control procedures
Battery backups
Redundant equipment implementation
Availability is the assurance that authorized users have uninterrupted access to information and resources. From a system management standpoint, this refers to adequate response time and guaranteed bandwidth.
From a security standpoint, availability refers to the ability to protect against breaches and to recover from them. Availability can be divided into "normal operations" and "contingency planning," which deal with day-to-day operations and disaster recovery, respectively.
The security policy addressing availability should identify each event that might make a system unavailable and address the extent to which resistance to that threat is deemed important. Some risks might be:
Malicious or incompetent acts by authorized users
Cut phone lines
Denial of service attack
Mitigation of these risks can include measures such as:
Increased levels of user authorization
Multiple communication channels
Stringent network access controls
Confidentiality is the need to keep sensitive information from being disclosed to unauthorized recipients. The need might be corporate, such as new product information or marketing strategies. The need might be regulatory, such as the privacy of information belonging to or about customers: social security numbers and PINs, and financial or health-related data. From a management standpoint, it can be summarized as ensuring that no data is revealed without appropriate authorization.
The security policy addressing confidentiality should identify each event that might reveal information and address the extent to which resistance to the revelation of information is deemed important. Some risks might be:
Exposure of confidential transactions over a communication medium
Unauthorized personnel downloading restricted information to an unprotected computer system
Malicious theft of confidential information
Mitigation of these risks can include measures such as:
Encryption of communication lines
Securing restricted information using a system security package
Monitoring access attempts to confidential information
There are four classes of information:
Confidential
Restricted
Internal-Use
Non-Restricted
Confidential information is information that is only for use within the corporation. It is usually corporate specific, not addressing private information of clients. Confidential information might have an extremely high negative impact on the corporation if disclosed. Examples are information concerned with activities such as strategic planning, mergers and acquisitions, product development, marketing strategy, financial forecasts and financial results. All passwords and encryption keys, as well as all information addressing vulnerabilities within the corporation, such as audits and security incident reports, are considered confidential. There may be regulatory restrictions on the protection of confidential information.
Restricted information is usually customer or client specific. Restricted information might have a high negative impact on the corporation if disclosed. One example is information of a personal nature about corporate staff members or customers, which the corporation, as custodian of that information, is obligated to protect. Production data and software are also in this category. There are often regulatory restrictions on the protection of restricted information.
Internal-use information might have a moderately negative impact on the corporation if disclosed. Information commonly shared within the company, including operating procedures, policies, interoffice memoranda and internal directories are common examples.
Non-restricted (nonsensitive) information is designed to be available for public use, such as published annual reports, marketing material, special company programs, etc.
Once all the various types of information the organization must protect are categorized, the appropriate controls necessary to protect them must be put in place. The controls should reflect the sensitivity of the information and the cost of the loss or exposure of information.
How an organization meets these information security requirements is codified in its Corporate Security Policy and Standards.
The policy must not only state the particular security need (confidentiality, for example) but also address the range of circumstances under which that need must be met and the associated operating standards. Without this, the policy will be so general as to be useless. The policy must:
List the expected risks and give guidelines for recognizing new risks
Assign a level of concern to each risk
State how the risks are to be mitigated
Document how to recover from breaches of security
Mandate training to instill security awareness and acceptance by users
Management controls, whether administrative, procedural or technical, are the mechanisms and techniques instituted to implement a security policy. Some controls are explicitly concerned with protecting information and information systems, but the concept of management controls includes much more than a computer's specific role in enforcing security.
Controls have three functions:
Prevent the unauthorized disclosure, modification or destruction of information.
Detect the unauthorized disclosure, modification or destruction of information.
Correct the unauthorized disclosure, modification or destruction of information.
Controls should be required for:
Physical protection of information in all forms (written, backup tapes, disks, communication lines, online and so on).
Procedures to handle information within the organization or between organizations (FTP authorization, high speed bulk transmission, and so on).
Software development and maintenance practices for the applications that generate and manage the information.
Administration of personnel who handle the information.
Logical protection of information residing on the HP NonStop server.
Technical measures alone cannot prevent security violations. Technical measures may prevent people from doing unauthorized things, but cannot prevent them from doing inappropriate things that their job functions entitle them to do.
Even a technically sound system with informed watchful management and users cannot be free of all possible vulnerabilities. The residual risk must be managed with auditing, backup, and recovery procedures, supported by general alertness and creative responses. Moreover, organizations must have administrative procedures in place to bring unusual activity to the attention of someone who can legitimately inquire into the appropriateness of such activity, and ensure that the appropriate inquiry and possible actions are taken.