2. CONFIDENTIALITY, INTEGRITY,
AND AVAILABILITY
When dealing with information assurance
and its subcomponent information security,
you should be familiar with three primary
security objectives—confidentiality, integrity,
and availability—to identify problems and
provide proper solutions. This concept is widely
known as the CIA triad.
3. CONFIDENTIALITY
Confidentiality and privacy are related terms but
are not synonymous. Confidentiality is the assurance
of data secrecy where no one is able to read data
except for the intended entity.
Confidentiality should prevail no matter what the
data state is—whether data resides on a system, is
being transmitted, or is in a particular location (for
example, a file cabinet, a desk drawer, or a safe).
Privacy, on the other hand, involves personal
autonomy and control of information about oneself.
Both are discussed in this chapter. The word
classification merely means categorization in certain
4. INTEGRITY
People understand integrity in terms of dealing with people.
People understand the sentiment “Jill is a woman of integrity”
to mean Jill is a person who is truthful, is trustworthy, and
can be relied upon to perform as she promises. When
considering integrity in an information assurance perspective,
organizations will use it not only from a personnel
perspective but also from a systems perspective.
In information systems, integrity is a service that assures that
the information in a system has not been altered except by
authorized individuals and processes. It provides assurance
of the accuracy of the data and that it has not been corrupted
or modified improperly.
5. AVAILABILITY
Availability is the service that assures data and resources are
accessible to authorized subjects or personnel when
required. The second component of the availability service is
that resources such as systems and networks should provide
sufficient capacity to perform in a predictable and acceptable
manner. Secure and quick recovery from disruptions is crucial
to avoid delays or decreased productivity. Therefore, it is
necessary that protection mechanisms should be in place to
ensure availability and to protect against internal and
external threats.
Availability is also often viewed as a property of an
information system or service. Most service level agreements
and measures of performance for service providers surround
availability above all else. The availability of a system may be
6. CIA BALANCE
The three fundamental security requirements are not
equally critical in each application. For example, to one
organization, service availability and the integrity of
information may be more important than the
confidentiality of information. A web site hosting publicly
available information is an example. Therefore, you
should apply the appropriate combination of CIA in
correct portions to support your organization’s goals
and provide users with dependable system.
7. NONREPUDIATION AND
AUTHENTICATION
Nonrepudiation
The MSR model of information assurance describes additional services
associated with
nonrepudiation. Digital transactions are prone to frauds in which participants
in the
transaction could repudiate (deny) a transaction. A digital signature is
evidence that the
information originated with the asserted sender of the information and
prevents subsequent
denial of sending the message.
Digital signatures may provide evidence that the receiver has in fact received
the message
and that the receiver will not be able to deny this reception. This is commonly
8. The term nonrepudiation describes the service that ensures entities are honest
in their
actions. There are variants of nonrepudiation, but the most often used are as
follows:
• Nonrepudiation of source prevents an author from false refusal of ownership
to a
created or sent message, or the service will prove it otherwise.
• Nonrepudiation of acceptance prevents the receiver from denying having
received
a message, or else the service will prove it otherwise.
9. IDENTIFICATION, AUTHENTICATION,
AUTHORIZATION, AND
ACCOUNTABILITY
Identification, authentication, authorization, and accountability are the essential functions
in providing an access management system. This service as described by the MSR model of
information assurance is summarized as authentication but reflects the entire IAAA process.
The overall architecture of an access management system includes the means of identifying
its users, authenticating a user’s identity and credentials, and setting and controlling the
access level of a user’s authorization.
10. STEPS OF IAAA
Steps to access a system and the act of recording a user’s actions during system access
11. IDENTIFICATION
Identification is a method for a user within a system to introduce
oneself. In an organization-wide identification requirement, you must
address identification issues. An example would be more than one
person having the same name. Identifiers must be unique so that a
user can be accurately identified across the organization.
Each user should have a unique identifier, even if performing multiple
roles within the organization. This simplifies matters for users as well
as the management of an information system. It also eases control in
that an organization may have a centralized directory or repository
for better user management. A standard interface is crucial for ease
of verification process. The same goes for the availability of the
verification process itself. This is to ensure that access can be
granted only with verification.
12. AUTHENTICATION
Authentication validates the identification provided by a user. In other words, it makes sure the entity presenting the
identification can further prove to be who they claim. To be authenticated, the entity must produce minimally a second
credential. Three basic factors of authentication are available to all types of identities.
• What you should know (a shared secret, such as a password, which both the user and the authenticator know)
• What you should have (a physical identification, such as a smartcard, hardware token, or identification card)
• What you are (a measurable attribute, such as biometrics, a thumbprint, or facial recognition) In addition, organizations may
consider having an implicit factor such as a “where you are” factor.
• Physical location, such as within an organization’s office.
• Logical location, such as on an internal network or private network.
• A combination of those factors can be considered to provide different strength levels of authentication. This improves
authentication and increases security.
The following are examples of technology used for authentication:
• Public Key Infrastructure (PKI) is a system that provides authentication with certificates based on a public key cryptography
method. Public key cryptography provides two independent keys generated together; one key is made public, and another is
kept private. Any information protected by one key (public) can be opened only with another key (private). If one key is
compromised, a new key pair must be generated.
• Smartcards can store personal information accessible by a personal identification number (PIN). An organization may consider
smartcard implementation to provide another identification method via physical identification (physical security) and electronic
identification (electronic access).
13. Authorization
Once a user presents a second credential and is identified, the system checks an access control matrix
to determine their associated privileges. If the system allows the user access, the user is authorized.
Accountability
The act of being responsible for actions taken within a system is accountability. The only way to ensure
accountability is to identify the user of a system and record their actions. Accountability makes
nonrepudiation extremely important.
14. ASSETS, THREATS, VULNERABILITIES, RISKS, AND CONTROLS
Information assets have unique vulnerabilities, and they are
continuously exposed to new threats. The combination of
vulnerabilities and threats contribute to risk. To mitigate and control
risks effectively, organizations should be aware of the shortcomings
in their information systems and should be prepared to tackle them
in case the shortcomings turn into threats to activities or business.
Understanding these entities and their interactions is crucial to
ensuring the controls are cost effective and relevant. This chapter
provides an overview of threats and vulnerabilities as well as the
controls that are implemented to manage their risks.
15. ASSET
An asset is anything valuable to the organization. An
information asset, if compromised, may cause losses should it
be disclosed, be altered, or become unavailable. An
information asset can be tangible or intangible, such as
hardware, software, data, services, and people. The losses can
also be tangible or intangible, such as the number of machines
or a smeared reputation.
16. THREATS
Threats are potential events that may cause
the loss of an information asset. A threat
may be natural, deliberate, or accidental.
17. VULNERABILITIES
Vulnerabilities are weaknesses exploited by
threats. They are threat independent, and if
exploited, they allow harm in terms of the CIA
triad. Examples of vulnerabilities include software
bugs, open ports, poorly trained personnel, and
outdated policy.
18. RISK
A risk expresses the chance of something happening
because of a threat successfully exploiting a
vulnerability that will eventually affect the organization.
Examples of impact are loss of competitive edge, loss of
confidential information, systems unavailability, failure
to meet a service level agreement, and tarnished
reputation.
19. TITLE LOREM IPSUM DOLOR
LOREM IPSUM DOLOR SIT AMET,
CONSECTETUER ADIPISCING ELIT.
NUNC VIVERRA IMPERDIET ENIM.
FUSCE EST. VIVAMUS A TELLUS.
PELLENTESQUE HABITANT MORBI
TRISTIQUE SENECTUS ET NETUS.