Wednesday, November 7, 2007

Principles of information security

For over twenty years the information security field has held that three key concepts form its core principles: confidentiality, integrity and availability. Together they are known as the CIA triad. They are one part of the principles of information security.

The other part is risk management. The CISA Review Manual 2006 defines it as follows: "Risk management is the process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives, and deciding what countermeasures, if any, to take in reducing risk to an acceptable level, based on the value of the information resource to the organization." Risk management is an ongoing, recurring process. Risk is the likelihood that something bad will happen and cause harm. The first step is to identify the information assets and estimate their value. Then conduct a threat assessment, conduct a vulnerability assessment, and for each vulnerability estimate the probability that it will be exploited. Next, calculate the impact using qualitative and quantitative analysis. Then identify, select and implement appropriate controls. Finally, evaluate the effectiveness of the control measures and repeat the cycle as assets, threats and controls change.
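The steps above, carried through in code as an added example (not code from the original post). It assumes the standard annualized-loss formulas, SLE = asset value x exposure factor and ALE = SLE x annual rate of occurrence, and a cost/benefit rule that a control is worth deploying only if the ALE it removes exceeds its own annual cost. The asset figures, the threat, the vulnerability and the candidate controls are constructed sample data, and the qualitative thresholds are assumptions.

```python
"""Quantitative and qualitative risk analysis with control selection.

Added example, not code from the original post. Assumes SLE/ALE formulas and a
cost/benefit control-selection rule; all figures below are constructed.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class Risk:
    asset: str
    asset_value: float      # step 1: value of the information resource
    threat: str             # step 2: threat assessment
    vulnerability: str      # step 3: vulnerability assessment
    aro: float              # step 3: expected exploitations per year (probability)
    exposure_factor: float  # step 4: fraction of the asset value lost per incident

    def sle(self) -> float:
        """Single loss expectancy: loss caused by one incident."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: expected loss per year with no new controls."""
        return self.sle() * self.aro


@dataclass
class Control:
    name: str
    annual_cost: float
    aro_reduction: float    # assumed: fraction by which the control cuts the ARO


def residual_ale(risk: Risk, control: Control) -> float:
    """ALE that remains after the control is applied."""
    return risk.sle() * risk.aro * (1.0 - control.aro_reduction)


def control_benefit(risk: Risk, control: Control) -> float:
    """Net annual value of a control: ALE avoided minus the control's own cost."""
    return risk.ale() - residual_ale(risk, control) - control.annual_cost


def qualitative_rating(risk: Risk) -> str:
    """Qualitative view of the same risk: likelihood and impact on a 1-3 scale,
    multiplied into a heat-map score (the thresholds are assumptions)."""
    likelihood = 3 if risk.aro >= 1.0 else 2 if risk.aro >= 0.1 else 1
    impact = 3 if risk.sle() >= 100_000 else 2 if risk.sle() >= 10_000 else 1
    score = likelihood * impact
    return "high" if score >= 6 else "medium" if score >= 3 else "low"


def select_controls(risk: Risk, candidates: List[Control]) -> List[Control]:
    """Step 5: keep only controls with a positive net benefit, best first."""
    worthwhile = [c for c in candidates if control_benefit(risk, c) > 0]
    return sorted(worthwhile, key=lambda c: control_benefit(risk, c), reverse=True)


# Constructed sample data: one asset, one threat/vulnerability pair, three candidate controls.
CUSTOMER_DB = Risk(
    asset="customer database",
    asset_value=500_000.0,
    threat="external attacker extracting records",
    vulnerability="SQL injection in the web front end",
    aro=0.5,               # expected once every two years
    exposure_factor=0.4,   # 40% of the asset value lost per incident
)

CANDIDATES = [
    Control("Web application firewall", annual_cost=20_000.0, aro_reduction=0.6),
    Control("Parameterized queries and code review", annual_cost=15_000.0, aro_reduction=0.9),
    Control("24x7 outsourced SOC", annual_cost=150_000.0, aro_reduction=0.95),
]


def risk_report(risk: Risk = CUSTOMER_DB, candidates: List[Control] = CANDIDATES) -> dict:
    """Summarize steps 1-5 for one risk. Step 6 (evaluate effectiveness) means
    re-running this with measured figures once the chosen controls are in place."""
    chosen = select_controls(risk, candidates)
    return {
        "sle": risk.sle(),
        "ale": risk.ale(),
        "qualitative": qualitative_rating(risk),
        "controls": [(c.name, round(control_benefit(risk, c))) for c in chosen],
    }


if __name__ == "__main__":
    for key, value in risk_report().items():
        print(f"{key}: {value}")
```

With the constructed figures the SOC drops out of the selection even though it reduces the ARO the most: its annual cost exceeds the entire ALE, which is the "if any" in the CISA definition. The qualitative rating is what you fall back on when the quantitative inputs cannot be estimated honestly.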

Controls are another principle, and they come in three types. Administrative controls consist of approved written policies, procedures, standards and guidelines. Logical (technical) controls use software and data to monitor and control access to information and computing systems, for example passwords, firewalls, access control lists and encryption. Physical controls monitor and control the environment of the workplace and computing facilities, for example locks, guards and fire suppression.

Security classification of information. Not all information is equal, so not all information requires the same degree of protection; the importance of each piece of information has to be assessed and a label assigned. Common classification labels used by the business sector are public, sensitive, private and confidential; labels used by government are unclassified, sensitive but unclassified, confidential, secret and top secret.

Access control: access to protected information must be restricted to people who are authorized to access it, which requires knowing who the user is and what that user is permitted to do.
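The two preceding paragraphs, classification labels and access control, fit together in one added example (not code from the original post). It assumes a simple mandatory access control rule, the Bell-LaPadula "no read up" property: a user may read a document only if the user's clearance level is at least the document's level and the user holds every need-to-know compartment attached to the document. The level ladders are the ones listed above; the compartment tags, users and documents are constructed sample data.

```python
"""Label-based read access control over the classification ladders above.

Added example, not code from the original post. Assumes Bell-LaPadula
"no read up" with optional need-to-know compartments; sample data is constructed.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Sequence

# The two ladders from the post, lowest sensitivity first.
GOVERNMENT_LEVELS = ("unclassified", "sensitive but unclassified",
                     "confidential", "secret", "top secret")
BUSINESS_LEVELS = ("public", "sensitive", "private", "confidential")


@dataclass(frozen=True)
class Label:
    level: str
    compartments: FrozenSet[str] = frozenset()   # assumed need-to-know tags


@dataclass(frozen=True)
class Document:
    name: str
    label: Label


@dataclass(frozen=True)
class User:
    name: str
    clearance: Label


class ClassificationScheme:
    """Orders the levels of one ladder so that labels can be compared."""

    def __init__(self, levels: Sequence[str]):
        self._rank = {level: i for i, level in enumerate(levels)}

    def rank(self, level: str) -> int:
        # Reject labels outside the scheme instead of silently treating them as lowest.
        if level not in self._rank:
            raise ValueError(f"unknown classification label: {level!r}")
        return self._rank[level]

    def dominates(self, clearance: Label, label: Label) -> bool:
        """True if the clearance is at least as sensitive as the label on both axes."""
        return (self.rank(clearance.level) >= self.rank(label.level)
                and clearance.compartments >= label.compartments)

    def can_read(self, user: User, doc: Document) -> bool:
        """No read up: the user's clearance must dominate the document's label."""
        return self.dominates(user.clearance, doc.label)

    def readable(self, user: User, docs: Sequence[Document]) -> List[str]:
        """Names of the documents this user is authorized to read."""
        return [d.name for d in docs if self.can_read(user, d)]


GOV = ClassificationScheme(GOVERNMENT_LEVELS)
BIZ = ClassificationScheme(BUSINESS_LEVELS)

# Constructed sample data.
DOCS = [
    Document("press release", Label("unclassified")),
    Document("budget draft", Label("confidential")),
    Document("incident report", Label("secret", frozenset({"cyber"}))),
    Document("source list", Label("top secret", frozenset({"humint"}))),
]
ANALYST = User("analyst", Label("secret", frozenset({"cyber"})))
CLERK = User("clerk", Label("confidential"))


if __name__ == "__main__":
    for user in (ANALYST, CLERK):
        print(user.name, "may read:", GOV.readable(user, DOCS))
```

Note that "confidential" appears on both ladders at different ranks; a label only means something relative to its scheme, which is why the comparison lives in the scheme object rather than in the label.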

Cryptography is used in information security to transform usable information into a form that renders it unusable by anyone other than an authorized user. It provides other useful applications as well, including improved authentication methods, message digests, digital signatures, non-repudiation and encrypted network communications.
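An added example (not code from the original post) of two of the applications just listed: a message digest and a keyed message authentication code, using only the Python standard library. A plain SHA-256 digest detects accidental corruption but not deliberate tampering, because whoever alters the message can recompute the digest; an HMAC over the same message needs the shared key, so a forger without the key is detected. Digital signatures and non-repudiation need asymmetric keys and are not shown here. The messages and the demo key are constructed.

```python
"""Message digests versus keyed message authentication.

Added example, not code from the original post. Standard library only;
messages and keys below are constructed.
"""
import hashlib
import hmac
import os


def digest(message: bytes) -> str:
    """Unkeyed message digest: integrity against accidental change only."""
    return hashlib.sha256(message).hexdigest()


def digest_matches(message: bytes, expected: str) -> bool:
    return hmac.compare_digest(digest(message), expected)


def make_tag(key: bytes, message: bytes) -> str:
    """Keyed MAC: only a holder of the key can produce a valid tag."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_tag(key: bytes, message: bytes, tag: str) -> bool:
    # compare_digest runs in constant time, so the check does not leak
    # how many leading characters of the submitted tag were correct.
    return hmac.compare_digest(make_tag(key, message), tag)


def tampering_demo(key: bytes) -> dict:
    """Sender protects a message both ways; an attacker rewrites it in transit."""
    original = b"transfer 100 EUR to account 1234"   # constructed
    tampered = b"transfer 9000 EUR to account 6666"  # constructed

    sent_digest = digest(original)
    sent_tag = make_tag(key, original)

    # The attacker replaces the message and recomputes the digest; no secret is needed.
    forged_digest = digest(tampered)
    # The attacker has no key, so the best available move is to replay the old tag.
    forged_tag = sent_tag

    return {
        "digest_accepts_forgery": digest_matches(tampered, forged_digest),
        "mac_accepts_forgery": verify_tag(key, tampered, forged_tag),
        "mac_accepts_original": verify_tag(key, original, sent_tag),
        "wrong_key_accepts_original": verify_tag(os.urandom(32), original, sent_tag),
        "digest_matches_original": digest_matches(original, sent_digest),
    }


if __name__ == "__main__":
    for check, outcome in tampering_demo(os.urandom(32)).items():
        print(f"{check}: {outcome}")
```

The digest still has a place: shipped over a channel the attacker cannot write to, or wrapped in a signature, it is what the signature actually covers. On its own, sitting next to the message it protects, it proves nothing about who produced the message.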

One of the most important principles is defense in depth. Information must be protected while in motion and while at rest. With a defense in depth strategy, should one defensive measure fail, other defensive measures remain in place and continue to provide protection. The three types of controls can be used to form the basis upon which a defense-in-depth strategy is built.
You can read more: www.infosecuritylab.com
