SlideShare a Scribd company logo
1 of 19
INFORMATION ASSURANCE
CONCEPTS
HUMPHREY A. DIAZ
CONFIDENTIALITY, INTEGRITY,
AND AVAILABILITY
When dealing with information assurance
and its subcomponent information security,
you should be familiar with three primary
security objectives—confidentiality, integrity,
and availability—to identify problems and
provide proper solutions. This concept is widely
known as the CIA triad.
CONFIDENTIALITY
Confidentiality and privacy are related terms but
are not synonymous. Confidentiality is the assurance
of data secrecy where no one is able to read data
except for the intended entity.
Confidentiality should prevail no matter what the
data state is—whether data resides on a system, is
being transmitted, or is in a particular location (for
example, a file cabinet, a desk drawer, or a safe).
Privacy, on the other hand, involves personal
autonomy and control of information about oneself.
Both are discussed in this chapter. The word
classification merely means categorization in certain
INTEGRITY
People understand integrity in terms of dealing with people.
People understand the sentiment “Jill is a woman of integrity”
to mean Jill is a person who is truthful, is trustworthy, and
can be relied upon to perform as she promises. When
considering integrity in an information assurance perspective,
organizations will use it not only from a personnel
perspective but also from a systems perspective.
In information systems, integrity is a service that assures that
the information in a system has not been altered except by
authorized individuals and processes. It provides assurance
of the accuracy of the data and that it has not been corrupted
or modified improperly.
AVAILABILITY
Availability is the service that assures data and resources are
accessible to authorized subjects or personnel when
required. The second component of the availability service is
that resources such as systems and networks should provide
sufficient capacity to perform in a predictable and acceptable
manner. Secure and quick recovery from disruptions is crucial
to avoid delays or decreased productivity. Therefore, it is
necessary that protection mechanisms should be in place to
ensure availability and to protect against internal and
external threats.
Availability is also often viewed as a property of an
information system or service. Most service level agreements
and measures of performance for service providers surround
availability above all else. The availability of a system may be
CIA BALANCE
The three fundamental security requirements are not
equally critical in each application. For example, to one
organization, service availability and the integrity of
information may be more important than the
confidentiality of information. A web site hosting publicly
available information is an example. Therefore, you
should apply the appropriate combination of CIA in
correct portions to support your organization’s goals
and provide users with dependable system.
NONREPUDIATION AND
AUTHENTICATION
Nonrepudiation
The MSR model of information assurance describes additional services
associated with
nonrepudiation. Digital transactions are prone to frauds in which participants
in the
transaction could repudiate (deny) a transaction. A digital signature is
evidence that the
information originated with the asserted sender of the information and
prevents subsequent
denial of sending the message.
Digital signatures may provide evidence that the receiver has in fact received
the message
and that the receiver will not be able to deny this reception. This is commonly
The term nonrepudiation describes the service that ensures entities are honest
in their
actions. There are variants of nonrepudiation, but the most often used are as
follows:
• Nonrepudiation of source prevents an author from false refusal of ownership
to a
created or sent message, or the service will prove it otherwise.
• Nonrepudiation of acceptance prevents the receiver from denying having
received
a message, or else the service will prove it otherwise.
IDENTIFICATION, AUTHENTICATION,
AUTHORIZATION, AND
ACCOUNTABILITY
Identification, authentication, authorization, and accountability are the essential functions
in providing an access management system. This service as described by the MSR model of
information assurance is summarized as authentication but reflects the entire IAAA process.
The overall architecture of an access management system includes the means of identifying
its users, authenticating a user’s identity and credentials, and setting and controlling the
access level of a user’s authorization.
STEPS OF IAAA
Steps to access a system and the act of recording a user’s actions during system access
IDENTIFICATION
Identification is a method for a user within a system to introduce
oneself. In an organization-wide identification requirement, you must
address identification issues. An example would be more than one
person having the same name. Identifiers must be unique so that a
user can be accurately identified across the organization.
Each user should have a unique identifier, even if performing multiple
roles within the organization. This simplifies matters for users as well
as the management of an information system. It also eases control in
that an organization may have a centralized directory or repository
for better user management. A standard interface is crucial for ease
of verification process. The same goes for the availability of the
verification process itself. This is to ensure that access can be
granted only with verification.
AUTHENTICATION
Authentication validates the identification provided by a user. In other words, it makes sure the entity presenting the
identification can further prove to be who they claim. To be authenticated, the entity must produce minimally a second
credential. Three basic factors of authentication are available to all types of identities.
• What you should know (a shared secret, such as a password, which both the user and the authenticator know)
• What you should have (a physical identification, such as a smartcard, hardware token, or identification card)
• What you are (a measurable attribute, such as biometrics, a thumbprint, or facial recognition) In addition, organizations may
consider having an implicit factor such as a “where you are” factor.
• Physical location, such as within an organization’s office.
• Logical location, such as on an internal network or private network.
• A combination of those factors can be considered to provide different strength levels of authentication. This improves
authentication and increases security.
The following are examples of technology used for authentication:
• Public Key Infrastructure (PKI) is a system that provides authentication with certificates based on a public key cryptography
method. Public key cryptography provides two independent keys generated together; one key is made public, and another is
kept private. Any information protected by one key (public) can be opened only with another key (private). If one key is
compromised, a new key pair must be generated.
• Smartcards can store personal information accessible by a personal identification number (PIN). An organization may consider
smartcard implementation to provide another identification method via physical identification (physical security) and electronic
identification (electronic access).
Authorization
Once a user presents a second credential and is identified, the system checks an access control matrix
to determine their associated privileges. If the system allows the user access, the user is authorized.
Accountability
The act of being responsible for actions taken within a system is accountability. The only way to ensure
accountability is to identify the user of a system and record their actions. Accountability makes
nonrepudiation extremely important.
ASSETS, THREATS, VULNERABILITIES, RISKS, AND CONTROLS
Information assets have unique vulnerabilities, and they are
continuously exposed to new threats. The combination of
vulnerabilities and threats contribute to risk. To mitigate and control
risks effectively, organizations should be aware of the shortcomings
in their information systems and should be prepared to tackle them
in case the shortcomings turn into threats to activities or business.
Understanding these entities and their interactions is crucial to
ensuring the controls are cost effective and relevant. This chapter
provides an overview of threats and vulnerabilities as well as the
controls that are implemented to manage their risks.
ASSET
An asset is anything valuable to the organization. An
information asset, if compromised, may cause losses should it
be disclosed, be altered, or become unavailable. An
information asset can be tangible or intangible, such as
hardware, software, data, services, and people. The losses can
also be tangible or intangible, such as the number of machines
or a smeared reputation.
THREATS
Threats are potential events that may cause
the loss of an information asset. A threat
may be natural, deliberate, or accidental.
VULNERABILITIES
Vulnerabilities are weaknesses exploited by
threats. They are threat independent, and if
exploited, they allow harm in terms of the CIA
triad. Examples of vulnerabilities include software
bugs, open ports, poorly trained personnel, and
outdated policy.
RISK
A risk expresses the chance of something happening
because of a threat successfully exploiting a
vulnerability that will eventually affect the organization.
Examples of impact are loss of competitive edge, loss of
confidential information, systems unavailability, failure
to meet a service level agreement, and tarnished
reputation.
TITLE LOREM IPSUM DOLOR
LOREM IPSUM DOLOR SIT AMET,
CONSECTETUER ADIPISCING ELIT.
NUNC VIVERRA IMPERDIET ENIM.
FUSCE EST. VIVAMUS A TELLUS.
PELLENTESQUE HABITANT MORBI
TRISTIQUE SENECTUS ET NETUS.

More Related Content

What's hot

Information Assurance And Security - Chapter 1 - Lesson 2
Information Assurance And Security - Chapter 1 - Lesson 2Information Assurance And Security - Chapter 1 - Lesson 2
Information Assurance And Security - Chapter 1 - Lesson 2MLG College of Learning, Inc
 
Security audits & compliance
Security audits & complianceSecurity audits & compliance
Security audits & complianceVandana Verma
 
Information Assurance And Security - Chapter 1 - Lesson 3
Information Assurance And Security - Chapter 1 - Lesson 3Information Assurance And Security - Chapter 1 - Lesson 3
Information Assurance And Security - Chapter 1 - Lesson 3MLG College of Learning, Inc
 
Information Assurance And Security - Chapter 1 - Lesson 1
Information Assurance And Security - Chapter 1 - Lesson 1Information Assurance And Security - Chapter 1 - Lesson 1
Information Assurance And Security - Chapter 1 - Lesson 1MLG College of Learning, Inc
 
Computer forensics and Investigation
Computer forensics and InvestigationComputer forensics and Investigation
Computer forensics and InvestigationNeha Raju k
 
02 Types of Computer Forensics Technology - Notes
02 Types of Computer Forensics Technology - Notes02 Types of Computer Forensics Technology - Notes
02 Types of Computer Forensics Technology - NotesKranthi
 
INFORMATION ASSURANCE AND SECURITY 1.pdf
INFORMATION ASSURANCE AND SECURITY 1.pdfINFORMATION ASSURANCE AND SECURITY 1.pdf
INFORMATION ASSURANCE AND SECURITY 1.pdfEarlvonDeiparine1
 
Cybersecurity Fundamentals | Understanding Cybersecurity Basics | Cybersecuri...
Cybersecurity Fundamentals | Understanding Cybersecurity Basics | Cybersecuri...Cybersecurity Fundamentals | Understanding Cybersecurity Basics | Cybersecuri...
Cybersecurity Fundamentals | Understanding Cybersecurity Basics | Cybersecuri...Edureka!
 
Information Assurance And Security - Chapter 2 - Lesson 2
Information Assurance And Security - Chapter 2 - Lesson 2Information Assurance And Security - Chapter 2 - Lesson 2
Information Assurance And Security - Chapter 2 - Lesson 2MLG College of Learning, Inc
 
Cybersecurity Career Paths | Skills Required in Cybersecurity Career | Learn ...
Cybersecurity Career Paths | Skills Required in Cybersecurity Career | Learn ...Cybersecurity Career Paths | Skills Required in Cybersecurity Career | Learn ...
Cybersecurity Career Paths | Skills Required in Cybersecurity Career | Learn ...Edureka!
 
Introduction to Information Security
Introduction to Information SecurityIntroduction to Information Security
Introduction to Information SecurityDr. Loganathan R
 
Security risk management
Security risk managementSecurity risk management
Security risk managementG Prachi
 
Introduction to Software Security and Best Practices
Introduction to Software Security and Best PracticesIntroduction to Software Security and Best Practices
Introduction to Software Security and Best PracticesMaxime ALAY-EDDINE
 
Security Policies and Standards
Security Policies and StandardsSecurity Policies and Standards
Security Policies and Standardsprimeteacher32
 
Ethics in IT Security
Ethics in IT SecurityEthics in IT Security
Ethics in IT Securitymtvvvv
 
Network security
Network securityNetwork security
Network securityAli Kamil
 

What's hot (20)

Information Assurance And Security - Chapter 1 - Lesson 2
Information Assurance And Security - Chapter 1 - Lesson 2Information Assurance And Security - Chapter 1 - Lesson 2
Information Assurance And Security - Chapter 1 - Lesson 2
 
Security audits & compliance
Security audits & complianceSecurity audits & compliance
Security audits & compliance
 
Information Assurance And Security - Chapter 1 - Lesson 3
Information Assurance And Security - Chapter 1 - Lesson 3Information Assurance And Security - Chapter 1 - Lesson 3
Information Assurance And Security - Chapter 1 - Lesson 3
 
Information Assurance And Security - Chapter 1 - Lesson 1
Information Assurance And Security - Chapter 1 - Lesson 1Information Assurance And Security - Chapter 1 - Lesson 1
Information Assurance And Security - Chapter 1 - Lesson 1
 
Information security
Information securityInformation security
Information security
 
Computer forensics and Investigation
Computer forensics and InvestigationComputer forensics and Investigation
Computer forensics and Investigation
 
02 Types of Computer Forensics Technology - Notes
02 Types of Computer Forensics Technology - Notes02 Types of Computer Forensics Technology - Notes
02 Types of Computer Forensics Technology - Notes
 
INFORMATION ASSURANCE AND SECURITY 1.pdf
INFORMATION ASSURANCE AND SECURITY 1.pdfINFORMATION ASSURANCE AND SECURITY 1.pdf
INFORMATION ASSURANCE AND SECURITY 1.pdf
 
Cybersecurity Fundamentals | Understanding Cybersecurity Basics | Cybersecuri...
Cybersecurity Fundamentals | Understanding Cybersecurity Basics | Cybersecuri...Cybersecurity Fundamentals | Understanding Cybersecurity Basics | Cybersecuri...
Cybersecurity Fundamentals | Understanding Cybersecurity Basics | Cybersecuri...
 
Information Assurance And Security - Chapter 2 - Lesson 2
Information Assurance And Security - Chapter 2 - Lesson 2Information Assurance And Security - Chapter 2 - Lesson 2
Information Assurance And Security - Chapter 2 - Lesson 2
 
Hackers and cyber crimes
Hackers and cyber crimesHackers and cyber crimes
Hackers and cyber crimes
 
security and privacy-Internet of things
security and privacy-Internet of thingssecurity and privacy-Internet of things
security and privacy-Internet of things
 
Cybersecurity Career Paths | Skills Required in Cybersecurity Career | Learn ...
Cybersecurity Career Paths | Skills Required in Cybersecurity Career | Learn ...Cybersecurity Career Paths | Skills Required in Cybersecurity Career | Learn ...
Cybersecurity Career Paths | Skills Required in Cybersecurity Career | Learn ...
 
Introduction to Information Security
Introduction to Information SecurityIntroduction to Information Security
Introduction to Information Security
 
Security risk management
Security risk managementSecurity risk management
Security risk management
 
Introduction to Software Security and Best Practices
Introduction to Software Security and Best PracticesIntroduction to Software Security and Best Practices
Introduction to Software Security and Best Practices
 
Security Policies and Standards
Security Policies and StandardsSecurity Policies and Standards
Security Policies and Standards
 
Ethics in IT Security
Ethics in IT SecurityEthics in IT Security
Ethics in IT Security
 
Network Security
Network SecurityNetwork Security
Network Security
 
Network security
Network securityNetwork security
Network security
 

Similar to Module 2 - Information Assurance Concepts.pptx

The CIA Triad - Assurance on Information Security
The CIA Triad - Assurance on Information SecurityThe CIA Triad - Assurance on Information Security
The CIA Triad - Assurance on Information SecurityBharath Rao
 
Information security
Information securityInformation security
Information securitySanjay Tiwari
 
What is Authentication vs Authorization Difference? | INTROSERV
What is Authentication vs Authorization Difference? | INTROSERVWhat is Authentication vs Authorization Difference? | INTROSERV
What is Authentication vs Authorization Difference? | INTROSERVSaqifKhan3
 
1. Respond to other student Discussion Board providing additional
1. Respond to other student Discussion Board providing additional 1. Respond to other student Discussion Board providing additional
1. Respond to other student Discussion Board providing additional TatianaMajor22
 
The Three Major Goals of Cybersecurity for Business Organizations-precise tes...
The Three Major Goals of Cybersecurity for Business Organizations-precise tes...The Three Major Goals of Cybersecurity for Business Organizations-precise tes...
The Three Major Goals of Cybersecurity for Business Organizations-precise tes...Precise Testing Solution
 
Health Informatics- Module 5-Chapter 1.pptx
Health Informatics- Module 5-Chapter 1.pptxHealth Informatics- Module 5-Chapter 1.pptx
Health Informatics- Module 5-Chapter 1.pptxArti Parab Academics
 
Identity Security.docx
Identity Security.docxIdentity Security.docx
Identity Security.docxMohsin Abbas
 
10.1.1.436.3364.pdf
10.1.1.436.3364.pdf10.1.1.436.3364.pdf
10.1.1.436.3364.pdfmistryritesh
 
Information Security Background
Information Security BackgroundInformation Security Background
Information Security BackgroundNicholas Davis
 
Information security background
Information security backgroundInformation security background
Information security backgroundNicholas Davis
 
Information security principles
Information security principlesInformation security principles
Information security principlesDan Morrill
 
5 Steps to Mobile Risk Management
5 Steps to Mobile Risk Management5 Steps to Mobile Risk Management
5 Steps to Mobile Risk ManagementDMIMarketing
 
Implementing Physical Security As An Access Control Plan
Implementing Physical Security As An Access Control PlanImplementing Physical Security As An Access Control Plan
Implementing Physical Security As An Access Control PlanAngie Willis
 

Similar to Module 2 - Information Assurance Concepts.pptx (20)

The CIA Triad - Assurance on Information Security
The CIA Triad - Assurance on Information SecurityThe CIA Triad - Assurance on Information Security
The CIA Triad - Assurance on Information Security
 
Information security
Information securityInformation security
Information security
 
What is Authentication vs Authorization Difference? | INTROSERV
What is Authentication vs Authorization Difference? | INTROSERVWhat is Authentication vs Authorization Difference? | INTROSERV
What is Authentication vs Authorization Difference? | INTROSERV
 
security IDS
security IDSsecurity IDS
security IDS
 
1. Respond to other student Discussion Board providing additional
1. Respond to other student Discussion Board providing additional 1. Respond to other student Discussion Board providing additional
1. Respond to other student Discussion Board providing additional
 
The Three Major Goals of Cybersecurity for Business Organizations-precise tes...
The Three Major Goals of Cybersecurity for Business Organizations-precise tes...The Three Major Goals of Cybersecurity for Business Organizations-precise tes...
The Three Major Goals of Cybersecurity for Business Organizations-precise tes...
 
Health Informatics- Module 5-Chapter 1.pptx
Health Informatics- Module 5-Chapter 1.pptxHealth Informatics- Module 5-Chapter 1.pptx
Health Informatics- Module 5-Chapter 1.pptx
 
CC ss.pptx
CC ss.pptxCC ss.pptx
CC ss.pptx
 
Cloud computing
Cloud computing Cloud computing
Cloud computing
 
Identity Security.docx
Identity Security.docxIdentity Security.docx
Identity Security.docx
 
10.1.1.436.3364.pdf
10.1.1.436.3364.pdf10.1.1.436.3364.pdf
10.1.1.436.3364.pdf
 
Information Security Background
Information Security BackgroundInformation Security Background
Information Security Background
 
Information security background
Information security backgroundInformation security background
Information security background
 
internet security and cyber lawUnit1
internet security and  cyber lawUnit1internet security and  cyber lawUnit1
internet security and cyber lawUnit1
 
Information security principles
Information security principlesInformation security principles
Information security principles
 
Data security
Data securityData security
Data security
 
5 Steps to Mobile Risk Management
5 Steps to Mobile Risk Management5 Steps to Mobile Risk Management
5 Steps to Mobile Risk Management
 
Implementing Physical Security As An Access Control Plan
Implementing Physical Security As An Access Control PlanImplementing Physical Security As An Access Control Plan
Implementing Physical Security As An Access Control Plan
 
Data Security
Data SecurityData Security
Data Security
 
Audit Controls Paper
Audit Controls PaperAudit Controls Paper
Audit Controls Paper
 

Recently uploaded

DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Fact vs. Fiction: Autodetecting Hallucinations in LLMs
Fact vs. Fiction: Autodetecting Hallucinations in LLMsFact vs. Fiction: Autodetecting Hallucinations in LLMs
Fact vs. Fiction: Autodetecting Hallucinations in LLMsZilliz
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...AliaaTarek5
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 

Recently uploaded (20)

DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Fact vs. Fiction: Autodetecting Hallucinations in LLMs
Fact vs. Fiction: Autodetecting Hallucinations in LLMsFact vs. Fiction: Autodetecting Hallucinations in LLMs
Fact vs. Fiction: Autodetecting Hallucinations in LLMs
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 

Module 2 - Information Assurance Concepts.pptx

  • 2. CONFIDENTIALITY, INTEGRITY, AND AVAILABILITY When dealing with information assurance and its subcomponent information security, you should be familiar with three primary security objectives—confidentiality, integrity, and availability—to identify problems and provide proper solutions. This concept is widely known as the CIA triad.
  • 3. CONFIDENTIALITY Confidentiality and privacy are related terms but are not synonymous. Confidentiality is the assurance of data secrecy where no one is able to read data except for the intended entity. Confidentiality should prevail no matter what the data state is—whether data resides on a system, is being transmitted, or is in a particular location (for example, a file cabinet, a desk drawer, or a safe). Privacy, on the other hand, involves personal autonomy and control of information about oneself. Both are discussed in this chapter. The word classification merely means categorization in certain
  • 4. INTEGRITY People understand integrity in terms of dealing with people. People understand the sentiment “Jill is a woman of integrity” to mean Jill is a person who is truthful, is trustworthy, and can be relied upon to perform as she promises. When considering integrity in an information assurance perspective, organizations will use it not only from a personnel perspective but also from a systems perspective. In information systems, integrity is a service that assures that the information in a system has not been altered except by authorized individuals and processes. It provides assurance of the accuracy of the data and that it has not been corrupted or modified improperly.
  • 5. AVAILABILITY Availability is the service that assures data and resources are accessible to authorized subjects or personnel when required. The second component of the availability service is that resources such as systems and networks should provide sufficient capacity to perform in a predictable and acceptable manner. Secure and quick recovery from disruptions is crucial to avoid delays or decreased productivity. Therefore, it is necessary that protection mechanisms should be in place to ensure availability and to protect against internal and external threats. Availability is also often viewed as a property of an information system or service. Most service level agreements and measures of performance for service providers surround availability above all else. The availability of a system may be
  • 6. CIA BALANCE The three fundamental security requirements are not equally critical in each application. For example, to one organization, service availability and the integrity of information may be more important than the confidentiality of information. A web site hosting publicly available information is an example. Therefore, you should apply the appropriate combination of CIA in correct portions to support your organization’s goals and provide users with dependable system.
  • 7. NONREPUDIATION AND AUTHENTICATION Nonrepudiation The MSR model of information assurance describes additional services associated with nonrepudiation. Digital transactions are prone to frauds in which participants in the transaction could repudiate (deny) a transaction. A digital signature is evidence that the information originated with the asserted sender of the information and prevents subsequent denial of sending the message. Digital signatures may provide evidence that the receiver has in fact received the message and that the receiver will not be able to deny this reception. This is commonly
  • 8. The term nonrepudiation describes the service that ensures entities are honest in their actions. There are variants of nonrepudiation, but the most often used are as follows: • Nonrepudiation of source prevents an author from false refusal of ownership to a created or sent message, or the service will prove it otherwise. • Nonrepudiation of acceptance prevents the receiver from denying having received a message, or else the service will prove it otherwise.
  • 9. IDENTIFICATION, AUTHENTICATION, AUTHORIZATION, AND ACCOUNTABILITY Identification, authentication, authorization, and accountability are the essential functions in providing an access management system. This service as described by the MSR model of information assurance is summarized as authentication but reflects the entire IAAA process. The overall architecture of an access management system includes the means of identifying its users, authenticating a user’s identity and credentials, and setting and controlling the access level of a user’s authorization.
  • 10. STEPS OF IAAA Steps to access a system and the act of recording a user’s actions during system access
  • 11. IDENTIFICATION Identification is a method for a user within a system to introduce oneself. In an organization-wide identification requirement, you must address identification issues. An example would be more than one person having the same name. Identifiers must be unique so that a user can be accurately identified across the organization. Each user should have a unique identifier, even if performing multiple roles within the organization. This simplifies matters for users as well as the management of an information system. It also eases control in that an organization may have a centralized directory or repository for better user management. A standard interface is crucial for ease of verification process. The same goes for the availability of the verification process itself. This is to ensure that access can be granted only with verification.
  • 12. AUTHENTICATION Authentication validates the identification provided by a user. In other words, it makes sure the entity presenting the identification can further prove to be who they claim. To be authenticated, the entity must produce minimally a second credential. Three basic factors of authentication are available to all types of identities. • What you should know (a shared secret, such as a password, which both the user and the authenticator know) • What you should have (a physical identification, such as a smartcard, hardware token, or identification card) • What you are (a measurable attribute, such as biometrics, a thumbprint, or facial recognition) In addition, organizations may consider having an implicit factor such as a “where you are” factor. • Physical location, such as within an organization’s office. • Logical location, such as on an internal network or private network. • A combination of those factors can be considered to provide different strength levels of authentication. This improves authentication and increases security. The following are examples of technology used for authentication: • Public Key Infrastructure (PKI) is a system that provides authentication with certificates based on a public key cryptography method. Public key cryptography provides two independent keys generated together; one key is made public, and another is kept private. Any information protected by one key (public) can be opened only with another key (private). If one key is compromised, a new key pair must be generated. • Smartcards can store personal information accessible by a personal identification number (PIN). An organization may consider smartcard implementation to provide another identification method via physical identification (physical security) and electronic identification (electronic access).
  • 13. Authorization Once a user presents a second credential and is identified, the system checks an access control matrix to determine their associated privileges. If the system allows the user access, the user is authorized. Accountability The act of being responsible for actions taken within a system is accountability. The only way to ensure accountability is to identify the user of a system and record their actions. Accountability makes nonrepudiation extremely important.
  • 14. ASSETS, THREATS, VULNERABILITIES, RISKS, AND CONTROLS Information assets have unique vulnerabilities, and they are continuously exposed to new threats. The combination of vulnerabilities and threats contribute to risk. To mitigate and control risks effectively, organizations should be aware of the shortcomings in their information systems and should be prepared to tackle them in case the shortcomings turn into threats to activities or business. Understanding these entities and their interactions is crucial to ensuring the controls are cost effective and relevant. This chapter provides an overview of threats and vulnerabilities as well as the controls that are implemented to manage their risks.
  • 15. ASSET An asset is anything valuable to the organization. An information asset, if compromised, may cause losses should it be disclosed, be altered, or become unavailable. An information asset can be tangible or intangible, such as hardware, software, data, services, and people. The losses can also be tangible or intangible, such as the number of machines or a smeared reputation.
  • 16. THREATS Threats are potential events that may cause the loss of an information asset. A threat may be natural, deliberate, or accidental.
  • 17. VULNERABILITIES Vulnerabilities are weaknesses exploited by threats. They are threat independent, and if exploited, they allow harm in terms of the CIA triad. Examples of vulnerabilities include software bugs, open ports, poorly trained personnel, and outdated policy.
  • 18. RISK A risk expresses the chance of something happening because of a threat successfully exploiting a vulnerability that will eventually affect the organization. Examples of impact are loss of competitive edge, loss of confidential information, systems unavailability, failure to meet a service level agreement, and tarnished reputation.
  • 19. TITLE LOREM IPSUM DOLOR LOREM IPSUM DOLOR SIT AMET, CONSECTETUER ADIPISCING ELIT. NUNC VIVERRA IMPERDIET ENIM. FUSCE EST. VIVAMUS A TELLUS. PELLENTESQUE HABITANT MORBI TRISTIQUE SENECTUS ET NETUS.