Module 1 - Information Security Management Principles
This course introduces the core concepts and definitions used in information security and will provide you with an important foundation for the rest of the course. It then builds on that knowledge by outlining how information security contributes to achieving the objectives of an organization through strong governance, risk management, and compliance.
The objectives of this course are to provide you with an understanding of:
- What security means
- The core concepts and definitions used in information security
- The key business drivers and how they shape the organization’s approach to governance, risk management and compliance
- The benefits of information security
- The role information security plays in an organization
- How an organization can make information security an integral part of its business
This course is ideal for members of information security management teams, IT managers, security and systems managers, information asset owners and employees with legal compliance responsibilities. It acts as a foundation for more advanced managerial or technical qualifications.
There are no specific prerequisites for studying this course; however, a basic knowledge of IT, an understanding of the general principles of information technology security, and awareness of the issues involved with security control activity would be advantageous.
We welcome all feedback and suggestions - please contact us at email@example.com if you are unsure about where to start or if you would like help getting started.
Welcome to this video on the core concepts of information security.
In this video we’ll look at what security means and introduce some of the key information security terms and principles used throughout the course, including the CIA triad and principles of accountability.
We’ll start by looking at the key information security standards.
The main standards bodies for information security are:
· The International Organization for Standardization (ISO);
· The International Electrotechnical Commission (IEC); and
· The National Institute of Standards and Technology in the United States (NIST).
The Certificate in Information Security Management Principles mainly uses definitions from ISO and from the ISO-IEC collaboration on IT standards which relate to:
· Overview and vocabulary;
· Information security risk management; and
· Risk management vocabulary.
Have you ever considered what the word ‘security’ actually means in relation to information management?
Well, it means more than just keeping information safe. In the context of this course, security means the things an organization can do to protect its assets. By ‘asset’ we mean anything that has value to the organization – like people, processes, software, computer hardware, buildings, reputation and, of course, information.
These can be tangible – or physical – assets like a computer, or intangible assets like an organization’s reputation. But for most organizations – apart from very small ones – their most important asset is the information they hold.
Before we move on, just a quick note about ‘information’ and ‘data’. Data often refers to raw facts, while information is considered as data which is meaningful – either because of the way it’s organized or because of how it’s been processed. During this course, we use the terms interchangeably.
Information security relates to the protection of analogue and digital information assets.
As well as the information itself, this also means protecting:
· The media it’s stored on, for example paper, magnetic disk or optical disk;
· The devices that process it, like PCs, tablets, smartphones and printers;
· How it’s transported, for example through wired networks, wireless networks and courier companies; and
· The places and people involved in processing, storing and handling it, like data centres, offices and key members of staff.
As most information is now digital, information security generally relates to technological aspects like:
· Computer security – the devices that store and process the data;
· IT security – the technology, including software and networks; and
· Cyber security – the interconnected environment of hardware, software and networks, and the human interaction that comes with that environment.
The three primary objectives – or tenets – of information security are Confidentiality, Integrity, and Availability. These are referred to as CIA or the CIA triad. Let’s look at each one in more detail.
Confidentiality is defined in ISO/IEC 27000 as:
‘Information is not made available or disclosed to unauthorized individuals and entities or processes.’
It’s about making sure that information isn’t disclosed to unauthorized people or processes.
Confidentiality requires that information is protected to prevent intentional or unintentional unauthorized disclosure.
Loss of confidentiality can occur in different ways, for example the intentional release of private company information by a disgruntled employee. So, based on the principle of confidentiality, it’s good practice to restrict access to information to those who have a ‘need to know’.
Examples of confidentiality breaches include:
· A potential employer obtaining an applicant’s medical records without their permission and using the information when considering their job application; or
· A competitor stealing a company’s secret ice cream recipe.
When we consider integrity, we need to understand that most information is only useful if it’s complete and accurate. ISO/IEC 27000 defines integrity as:
‘The property of accuracy and completeness.’
Maintaining the integrity of information is critical to any system. It ensures that:
· Modifications aren’t made to data by unauthorized people or processes;
· Unauthorized modifications aren’t made to the data – even by authorized people or processes; and
· The data is internally and externally consistent.
Examples of integrity failures include:
· A student modifying their examination grade; or
· An online payment system altering an electronic transaction to read £10,000 instead of £100.
The final element of the CIA Triad is availability, which is defined in ISO/IEC 27000 as:
‘The property of being accessible and usable on demand by an authorised entity’
Availability ensures reliable and timely access to data or IT resources by appropriate personnel – in other words, it guarantees that systems are up and running when they’re needed.
Examples of availability failures include:
· A datacentre being damaged by fire while the back-up datacentre is unavailable; or
· A Denial of Service attack taking a website down.
Information security is about getting the balance right. Organizations don’t have unlimited resources and the three objectives of the CIA Triad are often in conflict.
Think about the relationship between ‘availability’ on one hand and ‘integrity’ and ‘confidentiality’ on the other – the more available an organization makes its information, the harder it is to protect it against attempts to tamper with it or prevent breaches of confidentiality.
Then, switching that around – locking data in a safe and encasing it in concrete would undoubtedly provide very strong ‘confidentiality’ and ‘integrity’, but lack of ‘availability’ would be a major security failure.
This balance is a key challenge for organizations, and there’s no magic ‘one-size-fits-all’ solution.
Alongside the CIA Triad, there’s a fourth important information security requirement – being able to monitor activity and trace back actions to the people who did them.
This relates to the concept of non-repudiation which is defined in ISO/IEC 27000 as:
‘[The] ability to prove the occurrence of a claimed event or action and its originating entities.’
Non-repudiation is about organizations holding individuals to account for what they do, by knowing who did what to information assets and when they did it.
This evidence can’t be forged, and proof is generally determined by a third party, so the action can’t be disputed.
Examples of non-repudiation include:
· Proving that a person sent an email; and
· Proving that an individual performed a transaction, like ordering goods online.
The ability to hold individuals, groups, companies and other organizations accountable for their actions is an important security measure to help detect and deter malicious or risky behaviour.
There are five elements required to establish accountability:
· Identity – which is a way of distinguishing a unique entity;
· Authentication and authenticity – which is about verifying the identity of an entity;
· Access control and authorization – which restricts permission to use a resource;
· Logging – which creates a record of an entity’s activity; and
· Auditing – which is about checking records to monitor activity.
Let’s look at these five areas in more detail.
According to the British Computer Society’s Information Security Management Principles, identity relates to:
‘The properties of an individual or resource that can be used to identify, uniquely, one individual or resource.’
An identity is typically used to establish what a user or process is doing on an IT system and is therefore the subject used in the authorization process.
When a user logs onto a computer they make an identity claim by supplying a username. This is then the identity by which the system accounts for their actions.
Identities are also used to name system processes uniquely so that the system can establish which processes are performing which tasks.
The second element is authentication which is defined in ISO/IEC 27000 as:
‘[The] Provision of assurance that a claimed characteristic of an entity is correct.’
There are many types of authentication processes depending on what type of entity is being authenticated. Perhaps the most common entity is a computer user, but it might also be a system process, a remote computer or a web service.
The terms identification and authentication are often used together in the acronym ID&A. They’re linked in the information security process because the entity claiming an identity must be authenticated to prove its identity.
Examples of authentication include:
· User authentication, when a user logs into a system with a username and password; and
· Device authentication, when a smart card is authenticated by a card reader.
After a user has logged into a computer system, the third element – access control and authorization – is required. ISO/IEC 27000 defines this as:
‘A means to ensure that access to assets is authorized and restricted based on business and security requirements.’
During operation, the system uses access control rules to decide whether access requests from authenticated entities – like users – should be granted or denied.
Authorization is the related function of providing access rights for entities to resources. For example, a system authorizes HR staff to access employee records, but other users without these access rights aren’t authorized.
Security events should be recorded – or logged – on a system and this is the fourth element of accountability. The information logged includes the entity responsible for the event and the time the event happened.
Having accurate and synchronized clocks across all devices is essential for logging to work effectively. And log files should be secured to prevent malicious users from trying to remove evidence of their activities.
The final element is audit. This can have a wide scope but, for the purposes of this course, we’ll stick to the BCS definition which is:
‘[The] formal or informal review of actions, processes, policies and procedures.’
It means checking that processes, policies and procedures are followed, and checking computer system logs to see what users are doing. For example:
· An audit trail containing details of what files were opened or who executed a software application; or
· A check that physical security procedures are being followed for controlling access to a secure data centre.
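As an added illustration of the logging and audit elements above (this is example code, not part of the course material): a hash-chained audit trail in Python, using constructed sample events, where each record carries the responsible identity, a timestamp and the action, and an audit function recomputes the chain so that a removed or altered record is detected rather than silently lost.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample events: (identity, action, asset), the kind of detail an
# audit trail records (who opened which file, who executed which application).
SAMPLE_EVENTS = [
    ("alice", "OPEN_FILE", "hr/employee_records.xlsx"),
    ("bob", "EXEC_APP", "payroll.exe"),
    ("alice", "DELETE_FILE", "hr/employee_records.xlsx"),
]

GENESIS = "0" * 64  # chain anchor for the first record


def _digest(body):
    # Canonical JSON so the same record always hashes the same way.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def append_event(log, identity, action, asset, when=None):
    """Append a record whose hash covers the previous record's hash, so
    editing or removing any earlier record breaks every link after it."""
    when = when or datetime.now(timezone.utc).isoformat()  # synchronized UTC clock assumed
    prev = log[-1]["hash"] if log else GENESIS
    body = {"seq": len(log), "time": when, "identity": identity,
            "action": action, "asset": asset, "prev": prev}
    body["hash"] = _digest({k: v for k, v in body.items()})
    log.append(body)
    return body


def audit(log):
    """Audit check: recompute each record's hash and its link to the previous
    record. Returns (True, None) if intact, else (False, first_bad_seq)."""
    prev = GENESIS
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec["seq"] != i or rec["prev"] != prev or rec["hash"] != _digest(body):
            return False, i
        prev = rec["hash"]
    return True, None


def build_sample_log():
    """Build the constructed trail with fixed timestamps so results are repeatable."""
    log = []
    for n, (who, act, what) in enumerate(SAMPLE_EVENTS):
        append_event(log, who, act, what, when=f"2024-01-01T09:0{n}:00+00:00")
    return log
```

A chain like this shows tampering but does not by itself stop someone who can rewrite the whole file; in practice the latest hash is also copied somewhere the logged users cannot write, such as a separate log server.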
That’s the end of this video on the core concepts of information security.
Fred is a trainer and consultant specializing in cyber security. His educational background is in physics, having a BSc and a couple of master’s degrees, one in astrophysics and the other in nuclear and particle physics. However, most of his professional life has been spent in IT, covering a broad range of activities including system management, programming (originally in C but more recently Python, Ruby et al), database design and management as well as networking. From networking it was a natural progression to IT security and cyber security more generally. As well as having many professional credentials reflecting the breadth of his experience (including CASP, CISM and CCISO), he is a Certified Ethical Hacker and a GCHQ Certified Trainer for a number of cybersecurity courses, including CISMP, CISSP and GDPR Practitioner.