Chapter 1 Introduction to Information Security

project team

A number of individuals who are experienced in one or multiple requirements of both the technical and nontechnical areas.

team leader

A project manager, who may be a departmental line manager or staff unit manager, who understands project management, personnel management, and information security technical requirements.

champion

A senior executive who promotes the project and ensures its support, both financially and administratively, at the highest levels of the organization

security professionals

Dedicated, trained, and well-educated specialists in all aspects of information security from both technical and nontechnical standpoints.

availability

Enables users who need to access information to do so without interference or obstruction and in the required format. The information is said to be available to an authorized user when and where needed and in the correct format.

accuracy

Free from mistake or error and having the value that the end user expects. If information contains a value different from the user's expectations due to the intentional or unintentional modification of its content, it is no longer accurate.

security policy developers

Individuals who understand the organizational culture, policies, and requirements for developing and implementing successful policies.

risk assessment specialist

People who understand financial risk assessment techniques, the value of organizational assets, and the security methods to be used.

system administrator

People with the primary responsibility for administering the systems that house the information used by the organization.

authenticitiy

The quality or state of being genuine or original, rather than a reproduction or fabrication. Information is authentic when it is the information that was originally created, placed, stored, or transferred.

integrity

The quality or state of being whole, complete, and uncorrupted. The integrity of information is threatened when the information is exposed to corruption, damage, destruction, or other disruption of its authentic state.

possession

The quality or state of having ownership or control of some object or item. Information is said to be in possession if one obtains it, independent of format or other characteristic. While a breach of confidentiality always results in a breach of possession, a breach of possession does not always result in a breach of confidentiality.

utility

The quality or state of having value for some purpose or end. Information has value when it serves a particular purpose. This means that if information is available, but not in a format meaningful to the end user, it is not useful.

confidentiality

The quality or state of preventing disclosure or exposure to unauthorized individuals or systems.

end user

Those whom the new system will most directly impact. Ideally, a selection of users from various departments, levels, and degrees of technical knowledge assist the team in focusing on the application of realistic controls applied in ways that do not disrupt the essential business activities they seek to safeguard.

threats

a category of objects, persons, or other entities that represents a potential danger to an asset.

hash value

a fingerprint of the author's message that is compared wit the recipients locally calculated hash of the same message

McCumber Cube

a graphical representation of the architectural approach widely used in computer and info security.

bottom up approach

a method of establishing security policies that begins as a grassroots effort in which systems administrators attempt to improve the security of options of a password

top-down-approach

a methodology of establishing security policies that is initiated by upper management

waterfall model

a methodology of the system development life cycle in which each phase of the process begins with the information gained din the previous phase

operations security

a process used by an organization to deny or adversary information (generally not confidential info) about its intention and capabilities by identifying, controlling, and protecting the organization's planning processes or operations. OPSEC does not replace other security disciplines- it supplements them

loss

a single instance of an info asset suffering damage or unintended or unauthorized modification or disclosure

exposure

a single instance of being open to damage.

threat agent

a specific instance or component of a more general threat.

computer security

a term that in the early days of computers specified the need to secure the physical location of hardware from outside threats. this term later came to stand for all actions taken to preserve computer systems from losses. it has evolved into the current concept of information security as the scope of protecting info in the organization has expanded.

salami theft

aggression of info used with criminal intent

enterprise Information system policy (EISP)

also known as a general security policy, IT security policy, or information security policy, this policy is based on and directly supports the mission, vision, and direction of the organization and sets the strategic direction, scope, and tone for all security efforts.

attack

an act that is an intentional or unintentional attempt to cause damage or compromise to the information and/or the systems that support it.

subjects and objects

an active entity that interacts with an information system and causes information to move through the system for a specific end purpose

physical security

an aspect of information security that addresses the design, implementation, and maintenance of countermeasures that protect the physical resources of an organization

phishing

an attempt to obtain personal or financial info using fraudulent means, usually by posing as a legitimate entity

implementation

any needed software is created or purchased Components are ordered, received, and tested. Afterwards, users are trained and supporting documentation is created. Again a feasibility analysis is prepared, and the users are then presented with the system for a performance review and acceptance test.

analysis

begins with the information learned during the investigation phase. This phase consists primarily of assessments of the organization, the status of current systems, and the capability to support the proposed systems. Analysts begin to determine what the new system is expected to do and how it will interact with existing systems. This phase ends with the documentation of the findings and a feasibility analysis update.

data users

end users who work with information to perform their daily jobs supporting the mission of the organization

methodology

formal approach to problem solving based on structured sequence of procedures

community of interest

group of individuals united by shared interests or values within an organization and who share a common goal of helping the organization to meet its objectives

file hashing

method for ensuring info validity. involves a file being read by a special algorithm that uses the value of the bits in the file to computer a single large number called a hash value

system development life cycle (SDLC)

methodology for design and implementation of information system within an organization

risk management

process of identifying vulnerabilities in an organizations info systems and taking carefully reasoned steps to ensure the confidentiality, integrity, and availability of all components in the organizations information systems

data custodians

responsible for storage, maintenance, and protection of information

data owners

responsible for the security and use of a particular set of information

communications security

securing info in transit using tools such as cryptographic systems, as well as its associated media and technology

control safeguard counter measure

security mechanisms, policies, or procedures that can successfully counter attacks, reduce risk, resolve vulnerabilities, and otherwise improve the security within an organization.

Chief Information Officer (CIO)

senior technology officer. also known as vice president of info, VP of info technology, and VP of systems

physical design

specific technologies are selected to support the alternatives identified and evaluated in the logical design. The selected components are evaluated based on a make-or-buy decision (develop in-house or purchase from a vendor). Final designs integrate various components and technologies. After yet another feasibility analysis, the entire solution is presented to the end user representatives for approval.

protection file

synonymous security posture. a general label for the combination of all policies, procedures, technologies, and programs that make up the total security effort currently in place.

access

the ability to use, manipulate, modify, or affect an object

information system

the entire set of software, hardware, data, people, procedures, and networks necessary to use info as a resource in the organization

investigation

the first phase and the most important. begins with an examination of the event or plan that initiates the process.The objectives, constraints, and scope of the project are specified. A preliminary cost/benefit analysis is developed to evaluate the perceived benefits and the appropriate levels of cost an organization is willing to expend to obtain those benefits. A feasibility analysis is performed to assesses the economic, technical, and behavioral feasibilities of the process and to ensure that implementation is worth the organization's time and effort.

CIA triangle

the industry standard for computer security since the developmemnt of the mainframe. it is based on three characteristics that describe the utility of info: confidentiality, integrity, and availability

logical design

the information gained from the analysis phase is used to begin creating a solution system for a business problem. Then, based on the business need, select applications capable of providing needed services. Based on the apps needed, select data support and structures capable of providing the needed inputs. Finally, based on all of the above, select specific technologies to implement the physical solution. In the end, another feasibility analysis is performed.

maintenance and change

the longest and most expensive phase of the process. This phase consists of the tasks necessary to support and modify the system for the remainder of its useful life cycle. Even though formal development may conclude during this phase, the life cycle of the project continues until it is determined that the process should begin again from the investigation phase. When the current system can no longer support the changed mission of the organization, the project is terminated and a new project is implemented.

asset

the organizational resource that is being protected.

risk

the probability that something can happen

email spoofing

the process of sending an e-mail with a modified field. the modified field is often the address of the originator

information security

the protection of info and the systems and hardware that use, store, and transmit that info

network security

the protection of networks (systems and hardware) that use, store, and transmit an organization's info

risk appetite

the quantity and nature of risk that organizations are willing to accept

organizational culture

the specific social and political atmosphere within a given organization that determines the organization's procedures and policies and willingness to adapt to changes.

security

to be protected from adversaries- from those who would do harm, intentionally or otherwise

personnel security

to protect an individual or group of individuals who are authorized to access the organization and its operations

exploit

to take advantage of weaknesses or vulnerability in a system.

vulnerability

weaknesses or faults in a system or protection mechanism that expose information to attack or damage.