Chapter 1 Introduction to Information Security
project team
A number of individuals who are experienced in one or multiple requirements of both the technical and nontechnical areas.
team leader
A project manager, who may be a departmental line manager or staff unit manager, who understands project management, personnel management, and information security technical requirements.
champion
A senior executive who promotes the project and ensures its support, both financially and administratively, at the highest levels of the organization.
security professionals
Dedicated, trained, and well-educated specialists in all aspects of information security from both technical and nontechnical standpoints.
availability
Enables users who need to access information to do so without interference or obstruction and in the required format. The information is said to be available to an authorized user when and where needed and in the correct format.
accuracy
Free from mistake or error and having the value that the end user expects. If information contains a value different from the user's expectations due to the intentional or unintentional modification of its content, it is no longer accurate.
security policy developers
Individuals who understand the organizational culture, policies, and requirements for developing and implementing successful policies.
risk assessment specialist
People who understand financial risk assessment techniques, the value of organizational assets, and the security methods to be used.
system administrator
People with the primary responsibility for administering the systems that house the information used by the organization.
authenticity
The quality or state of being genuine or original, rather than a reproduction or fabrication. Information is authentic when it is the information that was originally created, placed, stored, or transferred.
integrity
The quality or state of being whole, complete, and uncorrupted. The integrity of information is threatened when the information is exposed to corruption, damage, destruction, or other disruption of its authentic state.
possession
The quality or state of having ownership or control of some object or item. Information is said to be in possession if one obtains it, independent of format or other characteristic. While a breach of confidentiality always results in a breach of possession, a breach of possession does not always result in a breach of confidentiality.
utility
The quality or state of having value for some purpose or end. Information has value when it serves a particular purpose. This means that if information is available, but not in a format meaningful to the end user, it is not useful.
confidentiality
The quality or state of preventing disclosure or exposure to unauthorized individuals or systems.
end user
Those whom the new system will most directly impact. Ideally, a selection of users from various departments, levels, and degrees of technical knowledge assist the team in focusing on the application of realistic controls applied in ways that do not disrupt the essential business activities they seek to safeguard.
threats
a category of objects, persons, or other entities that represents a potential danger to an asset.
hash value
a fingerprint of the author's message that is compared with the recipient's locally calculated hash of the same message.
McCumber Cube
a graphical representation of the architectural approach widely used in computer and info security.
bottom-up approach
a method of establishing security policies that begins as a grassroots effort in which systems administrators attempt to improve the security of their systems.
top-down approach
a methodology of establishing security policies that is initiated by upper management
waterfall model
a methodology of the system development life cycle in which each phase of the process begins with the information gained in the previous phase.
operations security
a process used by an organization to deny an adversary information (generally not confidential info) about its intentions and capabilities by identifying, controlling, and protecting the organization's planning processes or operations. OPSEC does not replace other security disciplines; it supplements them.
loss
a single instance of an info asset suffering damage or unintended or unauthorized modification or disclosure
exposure
a single instance of being open to damage.
threat agent
a specific instance or component of a more general threat.
computer security
a term that in the early days of computers specified the need to secure the physical location of hardware from outside threats. This term later came to stand for all actions taken to preserve computer systems from losses. It has evolved into the current concept of information security as the scope of protecting info in the organization has expanded.
salami theft
aggregation of info used with criminal intent.
enterprise information security policy (EISP)
also known as a general security policy, IT security policy, or information security policy, this policy is based on and directly supports the mission, vision, and direction of the organization and sets the strategic direction, scope, and tone for all security efforts.
attack
an act that is an intentional or unintentional attempt to cause damage or compromise to the information and/or the systems that support it.
subjects and objects
an active entity that interacts with an information system and causes information to move through the system for a specific end purpose
physical security
an aspect of information security that addresses the design, implementation, and maintenance of countermeasures that protect the physical resources of an organization
phishing
an attempt to obtain personal or financial info using fraudulent means, usually by posing as a legitimate entity
implementation
any needed software is created or purchased. Components are ordered, received, and tested. Afterwards, users are trained and supporting documentation is created. Again a feasibility analysis is prepared, and the users are then presented with the system for a performance review and acceptance test.
analysis
begins with the information learned during the investigation phase. This phase consists primarily of assessments of the organization, the status of current systems, and the capability to support the proposed systems. Analysts begin to determine what the new system is expected to do and how it will interact with existing systems. This phase ends with the documentation of the findings and a feasibility analysis update.
data users
end users who work with information to perform their daily jobs supporting the mission of the organization
methodology
formal approach to problem solving based on structured sequence of procedures
community of interest
group of individuals united by shared interests or values within an organization and who share a common goal of helping the organization to meet its objectives
file hashing
method for ensuring info validity. Involves a file being read by a special algorithm that uses the value of the bits in the file to compute a single large number called a hash value.
system development life cycle (SDLC)
methodology for design and implementation of information system within an organization
risk management
process of identifying vulnerabilities in an organization's info systems and taking carefully reasoned steps to ensure the confidentiality, integrity, and availability of all components in the organization's information systems.
data custodians
responsible for storage, maintenance, and protection of information
data owners
responsible for the security and use of a particular set of information
communications security
securing info in transit using tools such as cryptographic systems, as well as its associated media and technology
control, safeguard, or countermeasure
security mechanisms, policies, or procedures that can successfully counter attacks, reduce risk, resolve vulnerabilities, and otherwise improve the security within an organization.
Chief Information Officer (CIO)
senior technology officer. Also known as vice president of info, VP of info technology, and VP of systems.
physical design
specific technologies are selected to support the alternatives identified and evaluated in the logical design. The selected components are evaluated based on a make-or-buy decision (develop in-house or purchase from a vendor). Final designs integrate various components and technologies. After yet another feasibility analysis, the entire solution is presented to the end user representatives for approval.
protection profile
synonymous with security posture. A general label for the combination of all policies, procedures, technologies, and programs that make up the total security effort currently in place.
access
the ability to use, manipulate, modify, or affect an object
information system
the entire set of software, hardware, data, people, procedures, and networks necessary to use info as a resource in the organization
investigation
the first phase and the most important. Begins with an examination of the event or plan that initiates the process. The objectives, constraints, and scope of the project are specified. A preliminary cost/benefit analysis is developed to evaluate the perceived benefits and the appropriate levels of cost an organization is willing to expend to obtain those benefits. A feasibility analysis is performed to assess the economic, technical, and behavioral feasibilities of the process and to ensure that implementation is worth the organization's time and effort.
CIA triangle
the industry standard for computer security since the development of the mainframe. It is based on three characteristics that describe the utility of info: confidentiality, integrity, and availability.
logical design
the information gained from the analysis phase is used to begin creating a solution system for a business problem. Then, based on the business need, select applications capable of providing needed services. Based on the apps needed, select data support and structures capable of providing the needed inputs. Finally, based on all of the above, select specific technologies to implement the physical solution. In the end, another feasibility analysis is performed.
maintenance and change
the longest and most expensive phase of the process. This phase consists of the tasks necessary to support and modify the system for the remainder of its useful life cycle. Even though formal development may conclude during this phase, the life cycle of the project continues until it is determined that the process should begin again from the investigation phase. When the current system can no longer support the changed mission of the organization, the project is terminated and a new project is implemented.
asset
the organizational resource that is being protected.
risk
the probability that something can happen
email spoofing
the process of sending an e-mail with a modified field. The modified field is often the address of the originator.
information security
the protection of info and the systems and hardware that use, store, and transmit that info
network security
the protection of networks (systems and hardware) that use, store, and transmit an organization's info
risk appetite
the quantity and nature of risk that organizations are willing to accept
organizational culture
the specific social and political atmosphere within a given organization that determines the organization's procedures and policies and willingness to adapt to changes.
security
to be protected from adversaries, from those who would do harm, intentionally or otherwise.
personnel security
to protect an individual or group of individuals who are authorized to access the organization and its operations
exploit
to take advantage of weaknesses or vulnerabilities in a system.
vulnerability
weaknesses or faults in a system or protection mechanism that expose information to attack or damage.