Information Security

Information is an asset to the corporation. It might be extremely sensitive, such as a company that provides financial services or it might be business sensitive, such as a company that provides material goods, but in either case the need to use the data is ever-present. Information security is the field that defines, designs, and monitors mechanisms and procedures that secure information.

Three requirements for information security

In order for information to be meaningful, it must be accurate. To be useful, it must be available for queries, as appropriate. To be safe from prying eyes or misuse, sensitive information must be kept confidential. Thus, the three principles of information security are:





Integrity is the assurance that the information and programs can be changed only when authorized and in a controlled manner that completes without error.

The security policy addressing integrity should identify types of events that might disrupt information and program usage, and address the extent to which mitigation of these threats is deemed important. Some risks might be:

Malicious action

Incorrect program code

Power failure during a transaction

Hardware failure

Mitigation of these risks can include measures such as:

Requiring multiple authorized users to perform the transaction

Quality testing and change control procedures

Battery backups

Redundant equipment implementation


Availability is the assurance that authorized users have uninterrupted access to information and resources. From a system management standpoint, this refers to adequate response time and guaranteed bandwidth.

From a security standpoint, availability refers to the ability to protect against breaches and to recover from them. Availability can be divided into "normal operations" and "contingency planning," which deal with day-to-day operations and disaster recovery, respectively.

The security policy addressing availability should identify each event that might make a system unavailable and address the extent to which resistance to that threat is deemed important. Some risks might be:

Malicious or incompetent acts by authorized users

Cut phone lines

Denial of service attack

Mitigation of these risks can include measures such as:

Increased levels of user authorization

Multiple communication channels

Stringent network access controls


Confidentiality is the need to keep sensitive information from being disclosed to unauthorized recipients. The need might be corporate, such as new product information or marketing strategies. The need might be regulatory, such as privacy of information belonging to or about customers, such as social security numbers and PINs, financial or health- related data. From a management standpoint, it can be summarized as ensuring that no data is revealed without appropriate authorization.

The security policy addressing confidentiality should identify each event that might make a system unavailable and address the extent to which resistance to the revelation of information is deemed important. Some risks might be:

Exposure of confidential transactions over a communication medium

Unauthorized personnel downloading restricted information to an unprotected computer system

Malicious theft of confidential information

Mitigation of these risks can include measures such as:

Encryption of communication lines

Securing restricted information using a system security package

Monitoring access attempts to confidential information

Categories of Information

There are four classes of information:






Confidential information is information that is only for use within the corporation. It is usually corporate specific, not addressing private information of clients . Confidential information might have an extremely high negative impact on the corporation if disclosed. Examples are: information concerned with activities such as strategic planning, mergers and acquisitions, product development, marketing strategy, financial forecasts and financial results. All passwords and encryption keys, as well as all information addressing vulnerabilities within the corporation, such as audits and security incident reports , are considered confidential. There may be regulatory restrictions on the protection of confidential information.


Restricted information is usually customer or client specific. Restricted information might have a high negative impact on the corporation if disclosed. One example is information of a personal nature about corporate staff members or customers, which the corporation, as custodian of that information, is obligated to protect. Production data and software are also in this category. There are often regulatory restrictions on the protection of restricted information.


Internal-use information might have a moderately negative impact on the corporation if disclosed. Information commonly shared within the company, including operating procedures, policies, interoffice memoranda and internal directories are common examples.


Nonsensitive information is designed to be available for public use, such as published annual reports, marketing material, special company programs, etc.

How To Go About Securing An Organization's Information

Once all the various types of information the organization must protect are categorized, the appropriate controls necessary to protect them must be put in place. The controls should reflect the sensitivity of the information and the cost of the loss or exposure of information.

How an organization meets these information security requirements is codified in its Corporate Security Policy and Standards.

The Policy must not only state the particular security need, confidentiality, for example, but also address the range of circumstances under which the need for confidentiality must be met and the associated operating standards. Without this, the policy will be so general as to be useless. The policy must:

List the expected risks and give guidelines for recognizing new risks

Assign a level of concern to each risk

State how the risks are to be mitigated

Document how to recover from breaches of security

Mandate training to instill security awareness and acceptance by users

Management controls , whether administrative, procedural or technical, are the mechanisms and techniques instituted to implement a security policy. Some controls are explicitly concerned with protecting information and information systems, but the concept of management controls includes much more than a computer's specific role in enforcing security.

Controls have 3 functions:

Prevent the unauthorized disclosure, modification or destruction of information.

Detect the unauthorized disclosure, modification or destruction of information.

Correct the unauthorized disclosure, modification or destruction of information.

Controls should be required for:

Physical protection of information in all forms (written, backup tapes, disks, communication lines, online and so on).

Procedures to handle information within the organization or between organizations (FTP authorization, high speed bulk transmission, and so on).

Software development and maintenance practices for the applications that generate and manage the information.

Administration of personnel who handle the information.

Logical protection of information residing on the HP NonStop server.

Technical measures alone cannot prevent security violations. Technical measures may prevent people from doing unauthorized things, but cannot prevent them from doing inappropriate things that their job functions entitle them to do.

Even a technically sound system with informed watchful management and users cannot be free of all possible vulnerabilities. The residual risk must be managed with auditing, backup, and recovery procedures, supported by general alertness and creative responses. Moreover, organizations must have administrative procedures in place to bring unusual activity to the attention of someone who can legitimately inquire into the appropriateness of such activity, and ensure that the appropriate inquiry and possible actions are taken.

HP NonStop Server Security 2004
HP NonStop Server Security 2004
ISBN: 159059035X
Year: 2004
Pages: 157 © 2008-2017.
If you may any questions please contact us: