Summary Bachelor of Science in Information Technology (BSIT)

Pages
9
Uploaded on
21-04-2022
Written in
2021/2022

Summary of Foundations of Information Security


FOUNDATIONS OF INFORMATION SECURITY
(Summary/Reviewer)
Defining Information Security
Generally speaking, security means protecting your assets, whether from attackers invading your
networks, natural disasters, vandalism, loss, or misuse. Ultimately, you’ll attempt to secure yourself
against the most likely forms of attack, to the best extent you reasonably can, given your environment.

Information security is defined as “protecting information and information systems from
unauthorized access, use, disclosure, disruption, modification, or destruction,” according to US law. 1 In
other words, you want to protect your data and systems from those who seek to misuse them,
intentionally or unintentionally, or those who should not have access to them at all.

When Are You Secure?

“The only truly secure system is one that is powered off, cast in a block of concrete and sealed in
a lead-lined room with armed guards—and even then, I have my doubts.” 2 A system in such a state
might be secure, but it’s not usable or productive. As you increase the level of security, you usually
decrease the level of productivity.

In some environments, however, such security measures might not be enough. In any
environment where you plan to put heightened levels of security in place, you also need to consider the
cost of replacing your assets if you happen to lose them and make sure you establish reasonable levels
of protection for their value.

Defining the exact point at which you can be considered secure presents a bit of a challenge. Are
you secure if your systems are properly patched? Are you secure if you use strong passwords? Are you
secure if you’re disconnected from the internet entirely? From my point of view, the answer to all these
questions is no. No single activity or action will make you secure in every situation. That’s because even
if your systems are properly patched, there will always be new attacks to which you’re vulnerable. When
you’re using strong passwords, an attacker will exploit a different avenue instead. When you’re
disconnected from the internet, an attacker could still physically access or steal your systems. In short,
it’s difficult to define when you’re truly secure.


The Information Security Triad: Confidentiality, Integrity, Availability (CIA)

Confidentiality

When protecting information, we want to be able to restrict access to those who are allowed to
see it; everyone else should be disallowed from learning anything about its contents. This is the
essence of confidentiality. For example, federal law requires that universities restrict access to
private student information. The university must be sure that only those who are authorized have
access to view the grade records.

This is taken from the lesson and has been summarized to review important terms/notes about
Information Security.

#Institute of Information Technology

Integrity

Integrity is the assurance that the information being accessed has not been altered and truly
represents what is intended. Just as a person with integrity means what he or she says and can be
trusted to consistently represent the truth, information integrity means information truly
represents its intended meaning. Information can lose its integrity through malicious intent, such
as when someone who is not authorized makes a change to intentionally misrepresent something.
An example of this would be when a hacker is hired to go into the university’s system and
change a grade.

Integrity can also be lost unintentionally, such as when a computer power surge corrupts a file or
someone authorized to make a change accidentally deletes a file or enters incorrect information.



Availability

Information availability is the third part of the CIA triad. Availability means that information can
be accessed and modified by anyone authorized to do so in an appropriate timeframe. Depending
on the type of information, appropriate timeframe can mean different things. For example, a
stock trader needs information to be available immediately, while a salesperson may be happy to
get sales numbers for the day in a report the next morning. Companies such as Amazon.com will
require their servers to be available twenty-four hours a day, seven days a week. Other
companies may not suffer if their web servers are down for a few minutes once in a while.


Introduction to Physical Security

Most people think about locks, bars, alarms, and uniformed guards when they think about security. While
these countermeasures are by no means the only precautions that need to be considered when trying to
secure an information system, they are a perfectly logical place to begin. Physical security is a vital part
of any security plan and is fundamental to all security efforts--without it, information security (Chapter 6),
software security (Chapter 7), user access security (Chapter 8), and network security (Chapter 9) are
considerably more difficult, if not impossible, to initiate. Physical security refers to the protection of
building sites and equipment (and all information and software contained therein) from theft, vandalism,
natural disaster, manmade catastrophes, and accidental damage (e.g., from electrical surges, extreme
temperatures, and spilled coffee). It requires solid building construction, suitable emergency
preparedness, reliable power supplies, adequate climate control, and appropriate protection from
intruders.


Concepts of Information Security
cristysolacito Partido State University