Original course: BCS Certificate in Information Security Management Principles - CISMP
IT Security Fundamentals
This video is designed to provide you with an introduction to Information technology security concepts. It is suitable for anyone interested in understanding the fundamentals of security concepts from a business and technology perspective.
Welcome to this video on the core concepts of information security.
In this video we’ll look at what security means and introduce some of the key information security terms and principles used throughout the course, including the CIA triad and principles of accountability.
We’ll start by looking at the key information security standards.
The main standards bodies for information security are:
· The International Organization for Standardisation (ISO)
· The International Electrotechnical Commission (IEC) and
· The National Institute of Standards and Technology in the United States (NIST)
The Certificate in Information Security Management Principles mainly uses definitions from ISO and from the ISO-IEC collaboration on IT standards which relate to:
· Overview and vocabulary
· Information security risk management and
· Risk management vocabulary
Have you ever considered what the word ‘security’ actually means in relation to information management?
Well, it means more than just keeping information safe. In the context of this course, security means the things an organization can do to protect its assets. By ‘asset’ we mean anything that has value to the organization – like people, processes, software, computer hardware, buildings, reputation and, of course, information.
These can be tangible – or physical – assets like a computer, or intangible assets like an organization’s reputation. But for most organizations – apart from very small ones – their most important asset is the information they hold.
Before we move on, just a quick note about ‘information’ and ‘data’. Data often refers to raw facts, while information is considered as data which is meaningful – either because of the way it’s organized or because of how it’s been processed. During this course, we use the terms interchangeably.
Information security relates to the protection of analogue and digital information assets.
As well as the information itself, this also means protecting:
· The media it’s stored on, for example paper, magnetic disk or optical disk
· The devices that process it, like PCs, tablets, smartphones and printers
· How it’s transported, for example through wired networks, wireless networks and courier companies and
· The places and people involved in processing, storing and handling it, like data centres, offices and key members of staff
As most information is now digital, information security generally relates to technological aspects like:
· Computer security – the devices that store and process the data
· IT security – the technology, including software and networks and
· Cyber security – the interconnected environment of hardware, software and networks, and the human interaction that comes with that environment
The three primary objectives – or tenets – of information security are Confidentiality, Integrity, and Availability. These are referred to as CIA or the CIA triad. Let’s look at each one in more detail.
Confidentiality is defined in ISO/IEC 27000 as:
‘Information is not made available or disclosed to unauthorized individuals and entities or processes.’
It’s about making sure that information isn’t disclosed to unauthorized people or processes.
Confidentiality requires that information is protected to prevent intentionally or unintentionally unauthorized disclosure.
Loss of confidentiality can occur in different ways, for example the intentional release of private company information by a disgruntled employee. So, based on the principle of confidentiality, it’s good practice to restrict access to information to those who have a ‘need to know’.
Examples of confidentiality breaches include:
· A potential employer obtaining an applicant’s medical records without their permission and using the information when considering their job application or
· A competitor stealing a company’s secret ice cream recipe
When we consider integrity, we need to understand that most information is only useful if it’s complete and accurate. ISO/IEC 27000 defines integrity as:
‘The property of accuracy and completeness.’
Maintaining the integrity of information is critical to any system. It ensures that:
· Modifications aren’t made to data by unauthorised people or processes
· Unauthorized modifications aren’t made to the data – even by authorized people or processes and
· The data is internally and externally consistent
Examples of integrity failures include:
· A student modifying their examination grade or
· An online payment system altering an electronic transaction to read £10,000 instead of £100
The final element of the CIA Triad is availability, which is defined in ISO/IEC 27000 as:
‘The property of being accessible and usable on demand by an authorised entity’
Availability ensures reliable and timely access to data or IT resources by appropriate personnel – in other words, it guarantees that systems are up and running when they’re needed.
Examples of availability failures include:
• A datacentre being damaged by fire and the back-up datacentre is unavailable or
• A Denial of Service attack taking a website down
Information security is about getting the balance right. Organizations don’t have unlimited resources and the three objectives of the CIA Triad are often in conflict.
Think about the relationship between ‘availability’ on one hand and ‘integrity’ and ‘confidentiality’ on the other – the more available an organization makes its information, the harder it is to protect it against attempts to tamper with it or prevent breaches of confidentiality.
Then, switching that around – locking data in a safe and encasing it in concrete would undoubtedly provide very strong ‘confidentiality’ and ‘integrity’, but lack of ‘availability’ would be a major security failure.
This balance is a key challenge for organizations, and there’s no magic ‘one-size-fits-all’ solution.
Alongside the CIA Triad, there’s a fourth important information security requirement – being able to monitor activity and trace back actions to the people who did them.
This relates to the concept of non-repudiation which is defined in ISO/IEC 27000 as:
‘[The] ability to prove the occurrence of a claimed event or action and its originating entities.’
Non-repudiation is about organizations holding individuals to account for what they do, by knowing who did what to information assets and when they did it.
This evidence can’t be forged and proof is generally determined by a third-party – so the action can’t be disputed.
Examples of non-repudiation include:
· Proving that a person sent an email and
· Proving that an individual performed a transaction, like ordering goods online
The ability to hold individuals, groups, companies and other organizations accountable for their actions is an important security measure to help…
…detect and deter malicious or risky behaviour.
There are five elements required to establish accountability:
· Identity – which is a way of distinguishing a unique entity
· Authentication and authenticity – which is about verifying the identity of an entity
· Access control and authorization – which restricts permission to use a resource
· Logging – which creates a record of an entity’s activity and
· Auditing – which is about checking records to monitor activity
Let’s look at these five areas in more detail.
According to the British Computer Society’s Information Security Management Principles, identity relates to:
‘The properties of an individual or resource that can be used to identify, uniquely, one individual or resource.’
An identity is typically used to establish what a user or process is doing on an IT system and is therefore the subject used in the authorization process.
When a user logs onto a computer they make an identity claim by supplying a username. This is then the identity by which the system accounts for their actions.
Identities are also used to name system processes uniquely so that the system can establish which processes are performing which tasks.
The second element is authentication which is defined in ISO/IEC 27000 as:
‘[The] Provision of assurance that a claimed characteristic of an entity is correct.’
There are many types of authentication processes depending on what type of entity is being authenticated. Perhaps the most common entity is a computer user, but it might also be a system process, a remote computer or a web service.
The terms identification and authentication are often used together in the acronym ID&A. They’re linked in the information security process because the entity claiming an identity must be authenticated to prove its identity.
Examples of authentication include:
· User authentication, when a user logs into a system with a username and password and
· Device authentication, when a smart card is authenticated by a card reader
After a user has logged into a computer system, the third element – access control and authorization, is required. ISO/IEC 27000 defines this as:
‘A means to ensure that access to assets is authorized and restricted based on business and security requirements.’
During operation, the system uses access control rules to decide whether access requests from authenticated entities – like users – should be granted or denied.
Authorization is the related function of providing access rights for entities to resources. For example, a system authorizes HR staff to access employee records, but other users without these access rights aren’t authorized.
Security events should be recorded – or logged – on a system and this is the fourth element of accountability. The information logged includes the entity responsible for the event and the time the event happened.
Having accurate and synchronized clocks across all devices is essential for logging work effectively. And log files should be secured to prevent malicious users from trying to remove evidence of their activities.
The final element is audit. This can have a wide scope but, for the purpose
s of this course, we’ll stick to the BCS definition which is:
‘[The] formal or informal review of actions, processes, policies and procedures.’
It means checking that processes, policies and procedures are followed, and checking computer system logs to see what users are doing. For example:
· An audit trail containing details of what files were opened or who executed a software application or
· A check that physical security procedures are being followed for controlling access to a secure data centre
That’s the end of this video on the core concepts of information security.