Sunday, May 27, 2007

Principles of Information Security

Information Security has three basic principles commonly referred to as the CIA Triad of Information Security (i.e. Confidentiality, Integrity and Availability). These principles include standards, conventions and mechanisms that form the basis for defining and implementing security controls and practices.

In addition to the base principles (i.e. confidentiality, integrity and availability), there are a few additional principles that relate more to the technological and process controls deployed to achieve the desired level of Information Security. The following paragraphs detail the base as well as the additional principles that assist in the effective management of Information Security:

Confidentiality

Providing the framework to restrict data/information access, Confidentiality refers to the protection of information from disclosure to, or interception by, unauthorized individuals. The concept of Data / Information Privacy stems from the Confidentiality principle.

The simple question to be answered for Confidentiality is: "Is the person accessing the Data / Information the right person to do so?"

Integrity

Providing the framework for Data / Information accuracy and completeness, Integrity refers to the Quality of Data / Information. Integrity ensures that information once recorded and approved cannot be modified in an unauthorized manner through improper channels.

The focus is more on accuracy and completeness, as the consequence of using inaccurate information could be inaccurate / inadequate inputs for decision making.

Availability

Providing the framework for the timeliness and extent of Data / Information availability to users, Availability refers to the continuity of services and the controls that ensure users can reach the Data / Information they require.

Availability also encompasses the technical deployment, i.e. networked machines and other aspects of the technology infrastructure.

Authentication

Authentication refers to the mechanism deployed to ensure that the person trying to access the Data / Information is the right person to do so. It involves the Identification step and can be called the Gatekeeper stage for Data / Information access.

Authorization

Authorization refers to the mechanism deployed to control the kind of access a user gets to the Data / Information and to the systems deployed to store, process and transmit it. It is usual practice to define Authorization levels according to the roles and responsibilities of the authenticated user.

Accountability

Accountability refers to the mechanism deployed to ensure that the ownership of actions carried out by a user while dealing with Data / Information can be ascertained, and that users are made responsible for the overall security of the Data / Information.

Auditability

Auditability refers to the system controls that ensure the system has a mechanism to record user actions and assist in establishing the accountability of the user. The Auditability feature is also vital during troubleshooting exercises.
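As an added example (not part of the original post), the chain of Authentication, role-based Authorization and Accountability/Auditability described above, modelled in Python: the audit log is hash-chained so that an unauthorized edit to a recorded entry is detected, which is the Integrity property applied to the log itself. User names, roles, passwords and permitted actions are constructed for the demo.

```python
import hashlib
import hmac
import json

# Constructed sample data (not from the article). A fixed salt and one SHA-256 keep the demo
# short; a production system would use a per-user salt and a slow KDF such as scrypt.
_SALT = b"demo-salt"

def _pw_hash(password: str) -> str:
    return hashlib.sha256(_SALT + password.encode()).hexdigest()

USERS = {"alice": (_pw_hash("alice-pass"), "analyst"),  # hypothetical users and roles
         "bob": (_pw_hash("bob-pass"), "auditor")}
ROLE_PERMS = {"analyst": {"read", "update"}, "auditor": {"read"}}  # Authorization by role

def _digest(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AuditLog:
    """Append-only, hash-chained record of who did what (Accountability, Auditability).
    Each entry carries its predecessor's hash, so editing any entry fails verify() (Integrity)."""
    def __init__(self):
        self.entries = []

    def record(self, user: str, action: str, allowed: bool) -> None:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry = {"user": user, "action": action, "allowed": allowed, "prev": prev}
        entry["hash"] = _digest(entry)
        self.entries.append(entry)

    def verify(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

def authenticate(user: str, password: str):
    """Authentication: is the caller who they claim to be? Returns the role, or None."""
    stored_hash, role = USERS.get(user, ("", None))  # unknown user never matches
    return role if hmac.compare_digest(stored_hash, _pw_hash(password)) else None

def request(user: str, password: str, action: str, log: AuditLog) -> bool:
    """Gatekeeper: authenticate, then authorize by role, then log the decision either way."""
    role = authenticate(user, password)
    allowed = role is not None and action in ROLE_PERMS.get(role, set())
    log.record(user, action, allowed)
    return allowed
```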

Assurance

Assurance highlights the need to ensure that the interests of the various parties involved are safeguarded. Assurance of Data / Information Security is required from the perspective of the various stakeholders, including Governmental / Law Enforcement Agencies, Investors, Management, Employees etc.

Awareness

Last but not least, Awareness is still not a much-stressed principle. Awareness of the Policies / Procedures / Processes / Guidelines / Organizational Operating Procedures etc. provides for trained and efficient users who support effective processes and procedures.

IT Security vs. Information Security

IT Security and Information Security are two different domains often mistaken for one. Though they share some common areas, by and large IT Security is a subset of Information Security.

IT Security deals with the technical set of controls and revolves more around the technological deployments across the business that store, process, generate or transmit information. Information Security, on the other hand, also covers additional functions such as Business Operations, Legal, Human Resources, Facility Management etc.; i.e. Information Security also encompasses the various departments that deal with data/information in other than electronic format.

The controls that form part of IT Security revolve around the following heads -
  1. IT Risk Assessment
  2. IT Asset Classification and Management
  3. Logical Access Control
    1. User Management
    2. Password Guidelines
    3. Access Rights and Permissions
    4. Login Restrictions
  4. Physical Access Control
    1. To the Data Center / Server Room
    2. To End User Terminal
  5. Emanation Security - dealing with cabling security etc.
  6. Communication Security - dealing with security during electronic transmission
  7. Systems Development, Acquisition and Management
    1. In-house Development
    2. Out-Sourced Development
    3. Off the Shelf Purchase
    4. System Change Management
  8. End User Computing
    1. Access to End User Development - Usage of Scripts and Macros in documents and spreadsheets
    2. Access to Install Custom Programs and Free-wares
    3. File Sharing through Local Shares
    4. Email and Internet Usage
    5. Acceptable usage of IT Resources
  9. Disaster Recovery Planning
    1. Backup and Archiving
    2. DR Site Planning
    3. Fault Tolerance and Site Redundancy Planning
  10. Network and Operations Management
    1. Network Documentation
    2. Network Controls
    3. IP Addressing and Network Zoning
    4. Network Performance Monitoring and Capacity Management
    5. Remote Connectivity and Remote Access Management
    6. Usage of Cryptographic Techniques
    7. Operations Management
    8. Malicious Content Management
    9. Incident Monitoring and Management
    10. Media Handling and Storage
    11. Audit Logging and Log Retention
    12. Segregation of Development, Test and Production Environments
The additional control areas that form part of Information Security can be listed as -
  1. Physical and Environmental Security - encompasses Emanation and Cabling Security along with the deployment of security personnel, CCTV monitoring mechanisms etc.
  2. Third Party Operations
  3. Business Continuity Management
  4. Compliance Audit and Management
  5. Human Resource Security - identifying the human resources involved in operations as a source of threat
  6. Business Threat and Risk Assessment including Business Impact Analysis
References -

ISO/IEC 17799, ISO/IEC 27001, COBIT