
Intro Information Security

links: SPA TOC - Information Security - Index


This chapter provides a general overview of information security, focusing on the various terms and their definitions.

Motivation

Information security aims at the preservation of confidentiality, integrity and availability, and in addition authenticity (non-repudiation), accountability and auditability.

Also known as CIA & AAA.

Information

Information is data that has been processed, organized, or structured in a way that gives it meaning or context, making it useful for decision making, understanding, or communication.

Today we live in the information age, which means that the most important asset for organizations and individuals is information.

  • Information has a (monetary) value
  • Expenses (losses) or missed profits can result from the unavailability, disclosure, or improper modification of information

Information Security

Overview of all parts of Information Security:

(Figure: Overview-Information-Security.png)

Information Security is the science of protecting Information assets from threats.

Throughout history, there have been other terms that describe today's definition of information security:

  • computer security
  • data security
  • IT security

Today the term Cyber Security is also often used as a marketing term for Information Security, but there is a distinct difference between the two.

Information Security: As written before, it protects information assets and is therefore not only about information stored on electronic devices, but about all information within an organization (e.g., information in employees' heads, information on paper).

Cyber Security: Is a part of Information Security; it describes the security of everything related to "Cyberspace", i.e., electronically processed information.

Information Asset

In a nutshell, an information asset is a clearly delimited piece or body of information that has meaning/value to an organization or individual.

Information assets have manageable and recognizable value, risk, content and life-cycles.

Examples of information assets:

  • Database with contacts of the organization
  • All files related to a project
  • All financial records of a company

Organizations should know, manage and also secure (according to its value) their information assets. An information asset register (IAR) is useful for this; an IAR can be as simple as a spreadsheet (e.g., Excel).

All information assets should have an owner.

Responsibility

In many organizations, the responsibility for protecting information assets lies with one of these departments (depending on the organization's size):

  • IT department
  • Information security department
  • Information risk management department

In addition, many (bigger) organizations create a dedicated position, the

  • Chief Information Security Officer (CISO)

The CISO is primarily responsible for managing the protection of information assets. The CISO can be part of corporate management or report to the Chief Security Officer (CSO).

The owner is responsible for:

  • valuing the information
  • defining the requirements for information protection
  • ensuring the information is protected
    • following the defined procedures for information protection
    • auditing the protection mechanisms

The custodian (German: Treuhänder, i.e., trustee) is responsible for

  • defining and implementing the security protection mechanisms that meet the requirements of the information asset owner.

Objectives

CIA & AAA: The main task of Information Security is to ensure CIA; in addition, AAA is also sometimes mentioned.

Confidentiality

  • Information is only disclosed to those who have the right to know
  • Assurance that information is only shared among authorized persons or organizations
  • Confidentiality can be breached in many ways: disclosure can happen by word of mouth, printing, mailing, etc., not only electronically

Integrity

  • Information is complete, accurate and protected against unauthorized modification

Availability

  • Information is available and usable when required; the system that provides it can resist attacks and recover from them
  • Accessible when needed by those who need it

Authenticity and Non-repudiation

  • Business transactions and information exchanges between enterprises/partners can be trusted: the origin of information can be verified, and a party cannot later deny having sent or received it (non-repudiation)

Accountability

  • Someone is personally accountable and responsible for the protection of an asset
  • Often not implemented in organizations, but it should be the goal

Auditability

  1. Any state a system is in can be traced back to determine how it got into that state
  2. An ongoing process of review and audit should be carried out so that the system meets its documented requirements

Risks

Risk refers to the potential for loss, damage, or adverse effects on the organization due to vulnerabilities in its information systems or processes. This includes threats to the confidentiality, integrity, and availability of information, which can stem from various sources such as cyber attacks, human error, system failures, or natural disasters.

Quantification of Risks

  • A risk is not the problem itself; it is the likelihood that the problem occurs, weighted by the damage it would cause

Calculation of a risk:

\[l = v \cdot p\]

\(l\) = risk (the expected loss)
\(v\) = value/costs of the potential damage
\(p\) = probability of this damage occurring
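The formula above applied to several threat scenarios, as an added worked example (not part of the original page). The scenarios, asset names and the monetary and probability figures are constructed for illustration and are not from the page; the function names `risk`, `rank_scenarios` and `risk_per_asset` are assumptions of this example. It shows that a high-value/low-probability scenario and a lower-value/higher-probability scenario can carry exactly the same risk \(l\), and that risks to the same asset from different threats can be summed when the scenarios are independent.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    asset: str    # the information asset at risk
    threat: str   # what could go wrong
    v: float      # v: value/costs of the potential damage (monetary units)
    p: float      # p: probability that this damage occurs in the period considered


def risk(v: float, p: float) -> float:
    """l = v * p, exactly as defined in the text.

    Rejects inputs that make no sense for the formula: a probability outside
    [0, 1] or a negative damage value.
    """
    if not 0.0 <= p <= 1.0:
        raise ValueError(f"probability must be in [0, 1], got {p}")
    if v < 0:
        raise ValueError(f"damage value must be non-negative, got {v}")
    return v * p


def rank_scenarios(scenarios):
    """Return (scenario, l) pairs, highest risk first, so treatment can be prioritized."""
    scored = [(s, risk(s.v, s.p)) for s in scenarios]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def risk_per_asset(scenarios):
    """Sum l over all threats to the same asset.

    Assumes the scenarios for one asset are independent and do not overlap;
    otherwise simple addition overstates the total.
    """
    totals = {}
    for s, l in rank_scenarios(scenarios):
        totals[s.asset] = totals.get(s.asset, 0.0) + l
    return totals


# Constructed sample scenarios (illustrative numbers, not taken from the page).
SCENARIOS = [
    Scenario("customer database", "disclosure via stolen laptop", v=500_000, p=0.02),
    Scenario("customer database", "ransomware encrypts data and backups", v=2_000_000, p=0.005),
    Scenario("project files", "accidental deletion", v=20_000, p=0.30),
    Scenario("financial records", "unauthorized modification", v=150_000, p=0.01),
]


if __name__ == "__main__":
    for s, l in rank_scenarios(SCENARIOS):
        print(f"l={l:>10,.0f}  {s.asset}: {s.threat}  (v={s.v:,.0f}, p={s.p})")
    for asset, total in risk_per_asset(SCENARIOS).items():
        print(f"total risk for {asset}: {total:,.0f}")
```

With these figures the stolen-laptop scenario (v = 500,000, p = 0.02) and the ransomware scenario (v = 2,000,000, p = 0.005) both yield l = 10,000: the formula deliberately makes a rare catastrophic event and a more common moderate one comparable on one scale. Note that \(p\) is only meaningful for a stated period (e.g., per year), so all scenarios in one comparison must use the same period.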

