The objective of Information Security is to protect business information from being stolen, compromised, or attacked. As a business, you owe it to your customers, suppliers, and employees. But most of all, you owe it to yourself. Most organizations fail to establish the objectives of information security with any specificity. Information Security experts have extensive and significant responsibilities for safeguarding the information and systems that are often an organization’s most valuable assets.
Information Security can be measured by at least one of three Fundamental Goals.
This model highlights the three most important functions that information security performs in an enterprise: confidentiality, integrity, and availability.
Confidentiality:
Confidentiality means maintaining secrecy during the transmission of information. It ensures that only authorized individuals have access to information and resources and restrict unauthorized users from making modifications to data programs. Confidentiality is what most people think of when they think about information security, keeping secrets away from prying eyes. And in fact, confidentiality is how most security professionals spend most of their time. Data encryption is a great example to ensure confidentiality.
- Encryption is a method of encoding information to make it unreadable to unauthorized users by using an algorithm. This process converts the original representation of the information, known as plaintext, into an alternative form known as ciphertext. Ideally, only authorized parties can decipher a ciphertext back to plaintext and access the original information. It protects sensitive data such as credit card numbers by encoding and reconstructing data into unreadable ciphertext. An authorized receiver can easily decrypt the message with the key provided by the originator to receivers but not to unauthorized users.
- Access control defines rules and policies for limiting access to a system or physical or virtual resources. It is a process by which users are granted access and certain privileges to systems, resources, or information. In access control systems, users need to present credentials before they can be granted access such as a person’s name or a computer’s serial number. In physical systems, these credentials may come in many forms, but credentials that cannot be transferred provide the most security.
- Authentication is a process that ensures and confirms a user’s identity or role that someone has. It can be done in several different ways, but it is usually based on a combination of-
• something the person has (like a smart card or a radio key for storing secret keys),
• something the person knows (like a password),
• something the person is (like a human with a fingerprint).
Authentication is the necessity of every organization because it enables organizations to keep their networks secure by permitting only authenticated users to access their protected resources. These resources may include computer systems, networks, databases, websites, and other network-based applications or services. - Authorization is a security mechanism that permits to do or have something. It is used to determine a person or system is allowed access to resources, based on an access control policy, including computer programs, files, services, data, and application features. It is normally preceded by authentication for user identity verification. System administrators are typically assigned permission levels covering all system and user resources. During authorization, a system verifies an authenticated user’s access rules and either grants or refuses resource access.
- Physical security describes measures designed to deny unauthorized access to IT assets like facilities, equipment, personnel, resources, and other properties from damage. It protects these assets from physical threats including theft, vandalism, fire, and natural disasters.
Integrity:
Integrity means changes made in the stored information need to be done only by authorized entities and through authorized mechanisms. This means that there are not any unauthorized changes to information. These unauthorized changes may come in the form of a hacker seeking to intentionally alter information or a service disruption that accidentally affects data stored in a system. In either case, it is the information security professional’s responsibility to prevent these lapses in integrity.
- Backup is the periodic archiving of data. It is a process of making copies of data or data files to use in the event when the original data or data files are lost or destroyed. Backups can be used to recover data after its loss from data deletion or corruption or to recover data from an earlier time. Backups provide a simple form of disaster recovery; however, not all backup systems can reconstitute a computer system or other complex configuration such as a computer cluster, active directory server, or database server. It is also used to make copies for historical purposes, such as for longitudinal studies, statistics, or historical records, or to meet the requirements of a data retention policy.
- A checksum is a numerical value used to verify the integrity of a file or a data transfer. It is a small-sized block of data derived from another block of digital data to detect errors that may have been introduced during its transmission or storage. By themselves, checksums are often used to verify data integrity but are not relied upon to verify data authenticity. They are typically used to compare two sets of data to make sure that they are the same. A checksum function depends on the entire contents of a file.
- Data Correcting Codes is a method for storing data in such a way that small changes can be easily detected and automatically corrected.
Availability:
Availability means information created and stored should be available to authorized entities. Information is useless if it is not available and may have a profound impact on the business. This final goal of information security ensures that authorized individuals can gain access to information when they need it.
- Physical Protection means keeping information available even in the event of physical challenges. It ensures sensitive information and critical information technology are housed in secure areas.
- Computational redundancies are applied as fault-tolerant against accidental faults. It protects computers and storage devices that serve as fallbacks in the case of failures.
