Information Security Fundamentals


Published on February 17, 2014

Author: jderienzo




Information Assurance Training

INFORMATION SECURITY FUNDAMENTALS

Security attributes (# / attribute / definition):

1. Confidentiality: A system should ensure that only authorized users access information.
2. Integrity: A system should ensure completeness, accuracy and absence of unauthorized modifications in all its components.
3. Availability: A system should ensure that all of the system's components are available and operational when they are required by authorized users.
4. Accountability: An ability of a system to hold users responsible for their actions (e.g. misuse of information).
5. Auditability: An ability of a system to conduct persistent, non-bypassable monitoring of all actions performed by humans or machines within the system.
6. Authenticity/Trustworthiness: An ability of a system to verify identity and establish trust in a third party and in the information it provides.
7. Non-repudiation: An ability of a system to prove (with legal validity) the occurrence/non-occurrence of an event or the participation/non-participation of a party in an event.
8. Privacy: A system should obey privacy legislation and should enable individuals to control, where feasible, their personal information (user involvement).

Assets / information system components (the table's columns): Facilities; People; Processes; Technology: Hardware, Software, Network (Communications); Information (Data). [The original table marks with an X which of the eight attributes applies to each component, with the Confidentiality, Integrity and Availability marks for Information shown in red; the individual cell marks were not recoverable from the extraction, so the mapping is omitted here.]

Security controls strengthen the security attributes inherent in assets, such as facilities and information system components (i.e., people, technology and information). NIST SP 800-60 Volume 1 Revision 2 focuses on the categorization of information systems/information types, based on the impact from changes to the sensitivity level of information types stored or processed by the information system.

A risk assessment determines the risk level of an information system by estimating the likelihood that a threat agent/actor can exploit a known vulnerability within an asset, and the perceived impact to the organization if a breach were to occur. The Authorizing Official determines the Maximum Risk Tolerance Threshold and, if necessary, applies compensating controls to mitigate risk to an acceptable level.

The goal of Information Security is to protect and defend valuable information assets from motivated threat actors or agents, where the source of an attack can be internal or external, intentional or unintentional, environmental or man-made. Information Assurance (IA) Professionals recommend security controls to safeguard information system components (Information, People, Processes, Hardware, Software, Network) from harm, loss, misconfiguration, misuse or exploitation. An IA Professional determines the Sensitivity Level of an information system by assigning an impact level of LOW, MODERATE or HIGH to each of the three security attributes associated with "Information" (the red X's in the table above) stored or processed on the information system. NIST SP 800-60 V2R1 Appendices C, D and E divide Information into Information Types, and the process for determining the sensitivity level is repeated for each Information Type. An IA Professional then determines the minimum set of baseline security controls using the high water mark method, based on the highest sensitivity level across all information types stored or processed on the information system. For example, if the impact value associated with the confidentiality security attribute of an information type is HIGH, then the IA Professional selects the HIGH set of minimum baseline controls from the NIST SP 800-53 Revision 4 Security Control Catalog.

The "Data" information system component aligns with a broader set of security attributes as well, including Authenticity/Trustworthiness, Non-repudiation and Privacy (see the table above). For instance, systems that store Personally Identifiable Information (PII) must contain security controls that protect against the loss of PII. NIST SP 800-53 Rev. 4 Appendix J contains a set of Privacy security controls.

Print Date: 2/22/2014 Contact: James W. De Rienzo
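The high water mark procedure described above (assign LOW/MODERATE/HIGH to confidentiality, integrity and availability for each information type, take the highest value per attribute across all types, and let the highest of those pick the baseline) is small enough to script. The following Python is an added example written for this page; it is not the author's or NIST's code. The line format for the information types, the parse_information_types/high_water_mark/categorize function names, and the three sample information types with their impact values are all constructed for the illustration and are not the provisional impact levels from SP 800-60 Volume 2.

```python
import re
from dataclasses import dataclass
from enum import IntEnum


class Impact(IntEnum):
    """Impact levels ordered so that max() yields the high water mark."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


ATTRIBUTES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InformationType:
    name: str
    confidentiality: Impact
    integrity: Impact
    availability: Impact

    def impact(self, attribute: str) -> Impact:
        return getattr(self, attribute)


# Constructed sample input (hypothetical line format: "<name>: C=<lvl> I=<lvl> A=<lvl>").
# These values are illustrative, not SP 800-60 provisional impact levels.
SAMPLE = """\
# information types stored or processed by the system
Public web content:  C=LOW      I=MODERATE A=LOW
Personnel records:   C=MODERATE I=MODERATE A=LOW
Incident reports:    C=HIGH     I=MODERATE A=MODERATE
"""

_LINE = re.compile(r"^(?P<name>[^:]+):\s*C=(?P<c>\w+)\s+I=(?P<i>\w+)\s+A=(?P<a>\w+)\s*$")


def _level(token: str, line: str) -> Impact:
    try:
        return Impact[token.upper()]
    except KeyError:
        raise ValueError(f"unknown impact level {token!r} in line: {line!r}") from None


def parse_information_types(text: str) -> list[InformationType]:
    """Parse one information type per line; blank lines and '#' comments are skipped."""
    types = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"malformed information type line: {line!r}")
        types.append(InformationType(
            name=m.group("name").strip(),
            confidentiality=_level(m.group("c"), line),
            integrity=_level(m.group("i"), line),
            availability=_level(m.group("a"), line),
        ))
    return types


def high_water_mark(info_types: list[InformationType]) -> dict[str, Impact]:
    """Per-attribute high water mark: the highest impact across all information types."""
    if not info_types:
        raise ValueError("at least one information type is required")
    return {a: max(t.impact(a) for t in info_types) for a in ATTRIBUTES}


def system_sensitivity_level(info_types: list[InformationType]) -> Impact:
    """Overall sensitivity level: the highest of the per-attribute marks."""
    return max(high_water_mark(info_types).values())


def categorize(text: str) -> dict:
    """Parse the input and return the marks, the overall level and the baseline to select."""
    types = parse_information_types(text)
    marks = high_water_mark(types)
    overall = system_sensitivity_level(types)
    # FIPS 199 style security-category string, built from the per-attribute marks.
    sc = ", ".join(f"({a}, {marks[a].name})" for a in ATTRIBUTES)
    return {
        "types": [t.name for t in types],
        "marks": marks,
        "overall": overall,
        "baseline": overall.name,  # LOW / MODERATE / HIGH baseline from the SP 800-53 catalog
        "categorization": f"SC = {{{sc}}}",
    }


if __name__ == "__main__":
    result = categorize(SAMPLE)
    print(result["categorization"])
    print("select the", result["baseline"], "baseline")
```

The per-attribute marks are kept separate from the overall level on purpose: the overall level picks the baseline, but an assessor still needs the individual marks (here confidentiality is HIGH while integrity and availability are only MODERATE) when deciding which controls to tailor or where compensating controls are justified. Invalid level names and malformed lines raise ValueError rather than silently defaulting to LOW, so a typo in a categorization worksheet cannot quietly lower the baseline.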
