Fundamental Principles of Security

Security objectives

- Confidentiality: Provides the ability to ensure that the necessary level of secrecy is enforced.
- Integrity: Is upheld when the assurance of accuracy and reliability of information and systems is provided and unauthorized modification of data is prevented.
- Availability: Prevents disruption of service or productivity.
Definitions

- Vulnerability: Is a software, hardware or procedural weakness that may provide the attacker the open door he is looking for to enter a computer or network and gain unauthorized access to resources within the environment.
- Threat: Is any potential danger to information or systems.
- Risk: Is the likelihood of a threat agent taking advantage of a vulnerability.
- Exposure: Is an instance of being exposed to losses from a threat agent.
- Countermeasure / safeguard: Mitigates the potential risk.
- Top-down approach: The initiation, support and direction come from top management and work their way through middle management and then to staff members.
- Bottom-up approach: A security program developed by IT without getting proper management support and direction.
- Operational goals: Daily goals.
- Tactical goals: Mid-term goals.
- Strategic goals: Long-term goals.
- Risk management: Is the process of identifying, assessing and reducing risks to an acceptable level and implementing the right mechanisms to maintain that level of risk.
Risk Analysis

Is a method of identifying risks and assessing the possible damage that could be caused in order to justify security safeguards. Three main goals:

- identify risks
- quantify the impact of potential threats
- provide an economic balance between the impact of the risk and the cost of the countermeasure.

Risks have a loss potential: The company would lose something if a threat agent actually exploits a vulnerability.
Delayed loss: Has a negative effect on a company after a risk is initially exploited.
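The third goal, balancing the impact of a risk against the cost of a countermeasure, is easiest to see with numbers. The following is an added worked example, not part of the original notes. It uses the standard quantitative model (single loss expectancy = asset value x exposure factor, annualized loss expectancy = SLE x annual rate of occurrence), which the notes above do not name, and treats delayed loss as an extra per-incident term; every asset value, exposure factor, rate and cost below is a constructed sample figure.

```python
"""Quantitative risk analysis: does a countermeasure pay for itself?

Added example. Assumptions (not from the notes): the SLE/ALE model below and
all sample figures are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Risk:
    name: str
    asset_value: float       # AV: value of the asset at risk (constructed)
    exposure_factor: float   # EF: fraction of the asset lost per occurrence, 0..1
    annual_rate: float       # ARO: expected occurrences per year
    delayed_loss: float = 0  # loss that hits after the incident (fines, churn)

    def sle(self, exposure_factor: Optional[float] = None) -> float:
        """Single loss expectancy: direct loss of one occurrence plus delayed loss."""
        ef = self.exposure_factor if exposure_factor is None else exposure_factor
        return self.asset_value * ef + self.delayed_loss

    def ale(self) -> float:
        """Annualized loss expectancy: what the risk costs per year if unmitigated."""
        return self.sle() * self.annual_rate


@dataclass
class Countermeasure:
    name: str
    annual_cost: float                        # purchase amortized plus operation
    residual_annual_rate: float               # ARO after the safeguard is in place
    residual_exposure: Optional[float] = None  # EF after; None means unchanged


def residual_ale(risk: Risk, cm: Countermeasure) -> float:
    """ALE that remains once the safeguard is applied."""
    return risk.sle(cm.residual_exposure) * cm.residual_annual_rate


def countermeasure_value(risk: Risk, cm: Countermeasure) -> float:
    """Net annual value: risk reduction bought minus what the safeguard costs.

    A positive number means the safeguard is economically justified; a negative
    number means the company would pay more for protection than the risk costs.
    """
    return risk.ale() - residual_ale(risk, cm) - cm.annual_cost


def justify(risk: Risk, options: List[Countermeasure]) -> List[Tuple[str, float]]:
    """Rank candidate safeguards by net value, best first."""
    ranked = [(cm.name, countermeasure_value(risk, cm)) for cm in options]
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)


# Constructed sample figures (hypothetical asset and safeguards).
breach = Risk("Customer database breach",
              asset_value=500_000, exposure_factor=0.4,
              annual_rate=0.5, delayed_loss=50_000)
monitoring = Countermeasure("Encryption and access monitoring",
                            annual_cost=30_000, residual_annual_rate=0.1)
dlp_suite = Countermeasure("Enterprise DLP suite",
                           annual_cost=120_000, residual_annual_rate=0.05)

if __name__ == "__main__":
    print(f"SLE = {breach.sle():,.0f}  ALE = {breach.ale():,.0f}")
    for name, value in justify(breach, [monitoring, dlp_suite]):
        verdict = "justified" if value > 0 else "not justified"
        print(f"{name}: net value {value:,.0f} per year ({verdict})")
```

With these figures the breach has an SLE of 250,000 and an ALE of 125,000. Monitoring cuts the ALE to 25,000 for 30,000 a year, a net gain of 70,000, so it is justified; the DLP suite reduces the ALE further but its cost exceeds the extra reduction, so on these numbers it is not. The same arithmetic also shows why delayed loss matters: leaving it out of the SLE understates both the risk and the value of reducing it.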