Three Pillars of Information Security

Friday, July 02, 2010

Joe Morrissey

Confidentiality

Confidentiality is defined in ISO-17799 as “ensuring that information is accessible only to those authorized to have access” and is one of the pillars of information security.

Confidentiality is one of the design goals for many cryptosystems, made possible in practice by the techniques of modern cryptology.

Integrity

Data integrity means that data has a complete, whole structure. All characteristics of the data, including business rules, rules for how pieces of data relate, dates, definitions and lineage, must be correct for the data to be complete.

Availability

Simply put, availability is the proportion of time a system is in a functioning condition, or, with respect to data, the data-providing system's ability to deliver the correct data to the correct person within the bounds of the correct policies.

Well that’s all very well, but how can I use these as digital tools?

The systems that provide “digital information systems” can be further dissected into the following components: the hardware (physical devices such as desktops, laptops etc.), the software, which acts as the conduit for information and interfaces with us, the humans, and the communications. Each is examined with a view to identifying and applying standards and policies as mechanisms of protection and prevention.

Essentially, procedures or policies are implemented to tell people (administrators, users and operators) how to use products to ensure information security within the organization.

In short, every information system that has integrity should have:

1 – The right hardware, up to date and well maintained.

2 – The right software, with easy-to-use, automated, advanced techniques.

3 – The right policies, to guide practices.

Computer security could focus on ensuring the availability and correct operation of a digital information system, without concern for the information stored or processed by the computer – this is an unbalanced approach.

Governments, corporations, financial institutions, hospitals and private businesses amass a great deal of confidential information about their employees, customers, products, research and financial status.

Most of this information is now collected, processed and stored on electronic computers and transmitted across networks (VPNs or otherwise) to other computers.

Should confidential information about a business’ customers, finances, new product line, sales pipeline, forecasts etc. fall into the hands of a competitor, such a breach of security could lead to lost business, lawsuits or even bankruptcy of the business.

Protecting confidential information is a business requirement, and in many cases also an ethical and legal requirement. This business “know-how”, as it is collectively called, is one of the most valuable assets a company has, and we discuss it in greater detail in our “data and its associated value” category.

For the individual, information security has a significant effect on privacy, which is viewed very differently in different cultures.

This is collectively known as custodial data and is supported by the data protection acts, and policed by the data protection commissioners or information commissioners.

Our aim on this blog is to address all three areas:

1 – Hardware – we can suggest suitable equipment, or advise on updates to legacy systems you already may have

2 – The right software, with easy to use automated advanced techniques. We will discuss the most advanced methods, and document how our solution is a better offering than current industry standard offerings.

3 – Policy – Every enterprise will have its own requirements, and whilst we cannot input directly, we can assist and advise.

Cross-posted from The Ventiblog

Terry Perkins: Nice article
Rob Lewis: Pretty nice overview, but I think that the potential severity of data integrity issues is not well understood and is under-represented in discussions.

I would also question whether having the "right" policies is enough though?

Many organizations have policies that designate user privileges inside the network, but lack a comprehensive means to enforce them. If there is no means to enforce policies, does one really have security? Without enforcement, the opportunity for unauthorized behaviors will exist, opening the door for issues such as APT and the compromise of even your most trusted staffer.
Joe Morrissey: Hi Rob, your points are extremely valid, and you are correct: having only the "right" policies is not enough.
They are an element that comprises the struts or pillars, however; without them it's difficult to assess where one lies in terms of being measurably better or worse than industry standard. If the metrics being measured show indicators of compromise, that "could" be viewed as a proactive step to decide how to combat or enforce as the case may dictate.
If the perimeter to be secured is not clear, and let's face it, in today's mobile-enabled world perimeters have never been as intangible, this will create opportunities by default. There is no silver bullet answer to your points, as every situation is almost unique, but I think being transparent and measurable are the first steps to making informed decisions on how to structure combats, or enforcement.