Header Ads

Information Security: understanding the basic terminologies and goals.

Security as a concept is not something pristine but has always been in existence as long as there has been something that has value. There is a tendency for humans to protect something that has value and that instinct birthed security. Information security is the act of protecting information that has value or significance to the owner. To give a more precise definition information security is defined as the
“methodologies, standards, mechanisms, and tools which are designed and implemented for the purposes of protecting information from unauthorized access, use, modification or destruction, in order to ensure confidentiality, integrity, and availability of information.” 1
In order to help make information security more understandable, information is often described and classified based on several criteria. The four criteria I will discuss are information format, information state, information location and information sensitivity.

Information Format
This simply means the format in which the information is in, this could be physical such as such as textbooks, journals, newspapers, policies, and contracts. It could also be electronic such as text, audio, and videos such as Webpages. Understanding the format can aid in achieving your information security goals.

Information State
Information like most things has a lifecycle. Information lifecycle refers to the stages information goes through from creation to its eventual archiving or destruction. Information state refers to the particular stage information is at in its lifecycle. Information states include creation, processing, storage, transition, and destruction.

Information creation refers to the process of generating content that conveys a message which can be shared through various mediums. Since information creation is never done all at once, steps must be taken to ensure that the content being generated is protected throughout this period.

Information processing is the act of converting information from one format to another. During this process, information losses can occur both intentionally and unintentionally. Hence measures must be put in place to ensure that information is not compromised at the point of processing and guidelines for processing should reduce or prevent intentional and unintentional losses.

Information storage is concerned with how data is kept after it is created. Information can be stored onsite using storage devices such as hard drives, flash drives, or network storage or offsite such as another physical location or using the cloud. Once information is created and stored, it must be protected from unauthorized access using security measures such as encryption and passwords. Also, information in physical formats can be protected using physical security measures such as magnetic stripe ID cards and locks.

Information transition is the process of sharing information over public or private networks. Such information is exchanged using open and propriety protocols.”2 Information in transition is at great risk and is often protected by means of encryption.

Information destruction is the process by which information which is no longer needed is disposed of and destroyed. In some cases, to ensure that the process is successful the physical medium holding the information is destroyed as well. The selected method of destruction depends on the type and sensitivity of the information.

Information location
This refers to where the information is at that moment in time. The Risk to information and the measures that can be undertaken to protect it depends to a large extent on where the information is located. For example, information located on a laptop would require different security measures that information located on a desktop residing in the office. Another critical distinction often made about information location is that of whether the information is at rest or in motion. Information at rest refers to information that is stored somewhere and is not currently undergoing any movement while information in motion is the converse, with the information moving from place to place. Information at rest is easier to secure than information in motion because such information resides in storage media in a secure location and the only concern is with how to secure the information at that location. Information in motion presents more risk because the information is moving from one location to another and can be intercepted while in transit.

Information Sensitivity
This is the categorization of information based on its value to the owner and also the likelihood that the information will be a target of unauthorized access. The three categories of information sensitivity are confidential information, private information, and public information. Confidential information is information that has a high-risk rating and can cause a significant level of harm if unauthorized access, alteration or destruction of the information were to occur. Examples of these are but not limited to electronic medical records, financial information, and credit card transactions. Private information is information that has a moderate risk rating. Also, information that does not fall into the confidential or public categories is generally classified as private information. Public information is information that has little or no risk rating. It is information that can be made available if requested. Examples of include press release, maps, directories, and research publications.

Security Goals

These are typical of what information security measures try to achieve. Ideally, the triad of confidentiality, integrity, and availability was the standard but more recently some information security professionals have advocated the adoption of nine security goals to address the challenges of modern threats. These nine goals are:

1) Confidentiality: this means that information should be secured and access to it restricted to only to those who are authorized to view it. Common security threats to confidentiality are malware, social engineering, and network breaches, while common security measures are cryptography and using access controls.

2) Integrity:  this is ensuring that information has not been modified or tampered with in any way. Data integrity covers data in storage, during processing and while in transit. Data in transit has the added concern of validating the source of the information, which is making sure the sender of the information is who it is supposed to be. This can be achieved by digital signatures and hash algorithms.

3) Availability: this is making sure that information is accessible when it is needed. Confidentiality and integrity are worthless if access to the information by its intended users is not possible. Threats to information availability are not only technical such as DDOS but also natural and manmade such as earthquakes and fire incidents.

4) Identification: this is the act of making a claim to an identity. An example of this would be when you provide a username for a form login process. This is usually the first step in then identify-authenticate- authorize sequence.

5) Authentication: this is the process of verifying the authenticity of the claimed identity. During this process, the user is proved to be who he/she claims to be. These are different ways to authenticate users such as something you know (passwords), something you have (smartcards), or something you are (biometrics).

6) Authorization: this is the act of assigning a user permissions and privileges after they have been identified and authenticated. The permissions and privileges define what the user can do with the information on the system. A common method of granting permission once a user is authenticated is to use a role-based access control in which permissions are associated with roles and the user is made a member of the appropriate role group.

7) Accountability: this is the security goal that generates the requirement for actions of an entity to be traced uniquely to that entity. Accountability supports non-repudiation, fault isolation, intrusion detection, and prevention etc.

8) Privacy: this is the process of restricting subscriber or relying party information in accordance with federal law or agency policy. Privacy is important because user data can be combined with other parameters like IP address, search engine inputs and device specs to form a complete profile of the user. Information security policies help in protecting personal information and how such information is processed.

9) Non-repudiation: “is the security service by which the entities involved in a communication cannot deny having participated. Specifically, the sending entity cannot deny having sent a message, and the receiving entity cannot deny having received a message.”3

These are the basic concepts and goals of information security. Next, we’ll look at risk management as an organizational framework for information security.

1. I. Alsmadi et al., Practical Information Security, Springer International Publishing AG 2018.
2. Ibid.
3. Ibid.

No comments

Powered by Blogger.