INFORMATION ASSURANCE CONCEPTS
HUMPHREY A. DIAZ
CONFIDENTIALITY, INTEGRITY, AND AVAILABILITY
When dealing with information assurance and its subcomponent information security, you should be familiar with three primary security objectives—confidentiality, integrity, and availability—to identify problems and provide proper solutions. This concept is widely known as the CIA triad.
CONFIDENTIALITY
Confidentiality and privacy are related terms but are not synonymous. Confidentiality is the assurance of data secrecy where no one is able to read data except for the intended entity. Confidentiality should prevail no matter what the data state is—whether data resides on a system, is being transmitted, or is in a particular location (for example, a file cabinet, a desk drawer, or a safe).
Privacy, on the other hand, involves personal autonomy and control of information about oneself. Both are discussed in this chapter. The word classification merely means categorization in certain
INTEGRITY
People understand integrity in terms of dealing with people. People understand the sentiment “Jill is a woman of integrity” to mean Jill is a person who is truthful, is trustworthy, and can be relied upon to perform as she promises. When considering integrity from an information assurance perspective, organizations will use it not only from a personnel perspective but also from a systems perspective.
In information systems, integrity is a service that assures that the information in a system has not been altered except by authorized individuals and processes. It provides assurance of the accuracy of the data and that it has not been corrupted or modified improperly.
AVAILABILITY
Availability is the service that assures data and resources are accessible to authorized subjects or personnel when required. The second component of the availability service is that resources such as systems and networks should provide sufficient capacity to perform in a predictable and acceptable manner. Secure and quick recovery from disruptions is crucial to avoid delays or decreased productivity. Therefore, it is necessary that protection mechanisms be in place to ensure availability and to protect against internal and external threats.
Availability is also often viewed as a property of an information system or service. Most service level agreements and measures of performance for service providers surround availability above all else. The availability of a system may be
CIA BALANCE
The three fundamental security requirements are not equally critical in each application. For example, to one organization, service availability and the integrity of information may be more important than the confidentiality of information. A web site hosting publicly available information is an example. Therefore, you should apply the appropriate combination of CIA in correct proportions to support your organization’s goals and provide users with a dependable system.
NONREPUDIATION AND AUTHENTICATION
Nonrepudiation
The MSR model of information assurance describes additional services associated with nonrepudiation. Digital transactions are prone to frauds in which participants in the transaction could repudiate (deny) a transaction. A digital signature is evidence that the information originated with the asserted sender of the information and prevents subsequent denial of sending the message.
Digital signatures may provide evidence that the receiver has in fact received the message and that the receiver will not be able to deny this reception. This is commonly
The term nonrepudiation describes the service that ensures entities are honest in their actions. There are variants of nonrepudiation, but the most often used are as follows:
• Nonrepudiation of source prevents an author from falsely denying ownership of a created or sent message, or the service will prove it otherwise.
• Nonrepudiation of acceptance prevents the receiver from denying having received a message, or else the service will prove it otherwise.
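Both variants, worked through in code as an added example that is not part of the original slides: each party holds an Ed25519 key pair, the sender signs the message so that anyone holding the sender's public key can check its origin (nonrepudiation of source), and the receiver returns a signed receipt bound to the message digest (nonrepudiation of acceptance). The party names, the sample transaction text, and the `received:` receipt format are constructed for the example; it assumes public keys reach the verifier through a trusted channel such as the PKI described under Authentication. A signature made with one private key fails to verify under any other public key, and any change to the signed bytes also fails, which is what turns the signature into evidence the signer cannot later disown.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Party holds a key pair. Pub is shared with everyone; priv never leaves the party,
// which is what makes a valid signature evidence that only this party could have made it.
type Party struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewParty generates a fresh Ed25519 key pair from the OS random source
// (failure there is not expected; the panic keeps the example short).
func NewParty(name string) *Party {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Party{Name: name, Pub: pub, priv: priv}
}

// Sign produces the evidence of origin over the exact message bytes.
func (p *Party) Sign(msg []byte) []byte { return ed25519.Sign(p.priv, msg) }

// Verify checks a signature against the claimed sender's public key. It fails for a
// different key or for any change to the message, so the sender cannot later deny it.
func Verify(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

// receiptBody binds an acknowledgment to one specific message via its SHA-256 digest
// (constructed format: the literal prefix "received:" followed by the digest).
func receiptBody(msg []byte) []byte {
	d := sha256.Sum256(msg)
	return append([]byte("received:"), d[:]...)
}

// Receipt is the receiver's signed acknowledgment: nonrepudiation of acceptance.
func (p *Party) Receipt(msg []byte) (ack, sig []byte) {
	ack = receiptBody(msg)
	return ack, p.Sign(ack)
}

// VerifyReceipt confirms the receiver acknowledged exactly this message and nothing else.
func VerifyReceipt(pub ed25519.PublicKey, msg, ack, sig []byte) bool {
	return bytes.Equal(ack, receiptBody(msg)) && ed25519.Verify(pub, ack, sig)
}

func main() {
	alice, bob := NewParty("alice"), NewParty("bob")
	msg := []byte("transfer 100 to account 42") // constructed sample transaction
	sig := alice.Sign(msg)
	fmt.Println("origin verified:", Verify(alice.Pub, msg, sig))
	fmt.Println("tampered accepted:", Verify(alice.Pub, []byte("transfer 900 to account 42"), sig))
	ack, ackSig := bob.Receipt(msg)
	fmt.Println("receipt verified:", VerifyReceipt(bob.Pub, msg, ack, ackSig))
}
```

Run it with `go run`; the first and third lines print true and the tampered check prints false. The receipt is signed over the digest rather than the raw message so the acknowledgment stays small while still being tied to one specific message.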
IDENTIFICATION, AUTHENTICATION, AUTHORIZATION, AND ACCOUNTABILITY
Identification, authentication, authorization, and accountability are the essential functions in providing an access management system. This service as described by the MSR model of information assurance is summarized as authentication but reflects the entire IAAA process. The overall architecture of an access management system includes the means of identifying its users, authenticating a user’s identity and credentials, and setting and controlling the access level of a user’s authorization.
STEPS OF IAAA
Steps to access a system and the act of recording a user’s actions during system access
IDENTIFICATION
Identification is a method for a user within a system to introduce oneself. In an organization-wide identification requirement, you must address identification issues. An example would be more than one person having the same name. Identifiers must be unique so that a user can be accurately identified across the organization.
Each user should have a unique identifier, even if performing multiple roles within the organization. This simplifies matters for users as well as the management of an information system. It also eases control in that an organization may have a centralized directory or repository for better user management. A standard interface is crucial for ease of the verification process. The same goes for the availability of the verification process itself. This is to ensure that access can be granted only with verification.
AUTHENTICATION
Authentication validates the identification provided by a user. In other words, it makes sure the entity presenting the identification can further prove to be who they claim. To be authenticated, the entity must produce minimally a second credential. Three basic factors of authentication are available to all types of identities.
• What you should know (a shared secret, such as a password, which both the user and the authenticator know)
• What you should have (a physical identification, such as a smartcard, hardware token, or identification card)
• What you are (a measurable attribute, such as biometrics, a thumbprint, or facial recognition)
In addition, organizations may consider having an implicit factor such as a “where you are” factor.
• Physical location, such as within an organization’s office.
• Logical location, such as on an internal network or private network.
A combination of those factors can be considered to provide different strength levels of authentication. This improves authentication and increases security.
The following are examples of technology used for authentication:
• Public Key Infrastructure (PKI) is a system that provides authentication with certificates based on a public key cryptography method. Public key cryptography provides two independent keys generated together; one key is made public, and the other is kept private. Any information protected by one key (public) can be opened only with the other key (private). If one key is compromised, a new key pair must be generated.
• Smartcards can store personal information accessible by a personal identification number (PIN). An organization may consider smartcard implementation to provide another identification method via physical identification (physical security) and electronic identification (electronic access).
Authorization
Once a user presents a second credential and is identified, the system checks an access control matrix to determine their associated privileges. If the system allows the user access, the user is authorized.
Accountability
The act of being responsible for actions taken within a system is accountability. The only way to ensure accountability is to identify the user of a system and record their actions. Accountability makes nonrepudiation extremely important.
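The four IAAA steps run end to end, as an added example in Go that is not part of the original slides: two users who share a display name but hold distinct identifiers (identification), a password plus a hardware-token code checked in constant time (authentication, two factors), a lookup in an access control matrix (authorization), and an audit log that records every attempt under the identifier, granted or not (accountability). The user IDs, passwords, token serials and codes, and the `payroll` resource are constructed for the example; the in-memory token store and the salted SHA-256 password hash are labelled simplifications and stand in for a real token and a dedicated password hashing function.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"time"
)

type Permission string
const Read, Write Permission = "read", "write"

// Account is one uniquely identified user: UserID, not the display name, is the key,
// so two people named Jill Smith get distinct identifiers (identification).
type Account struct {
	UserID, Name   string
	salt, passHash []byte // salted SHA-256 of the password ("what you know"); constructed stand-in for a real password hash such as argon2 or bcrypt
	tokenID        string // serial of the hardware token issued to this user ("what you have")
}

// AuditEvent records who did what, when, and with what outcome (accountability).
type AuditEvent struct {
	When                    time.Time
	UserID, Action, Outcome string
}

type System struct {
	accounts   map[string]*Account
	matrix     map[string]map[string]map[Permission]bool // access control matrix: user -> resource -> permission
	tokenCodes map[string]string                         // constructed token store: serial -> code it currently shows
	audit      []AuditEvent
}

func NewSystem() *System {
	return &System{accounts: map[string]*Account{}, tokenCodes: map[string]string{}, matrix: map[string]map[string]map[Permission]bool{}}
}

func hashPassword(salt []byte, password string) []byte {
	h := sha256.Sum256(append(append([]byte{}, salt...), password...))
	return h[:]
}

// Enroll registers an account; a reused identifier is rejected because identifiers must be unique.
func (s *System) Enroll(userID, name, password, tokenID, tokenCode string) error {
	if _, exists := s.accounts[userID]; exists {
		return fmt.Errorf("identifier %q already in use", userID)
	}
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return err
	}
	s.accounts[userID] = &Account{UserID: userID, Name: name, salt: salt,
		passHash: hashPassword(salt, password), tokenID: tokenID}
	s.tokenCodes[tokenID] = tokenCode
	s.matrix[userID] = map[string]map[Permission]bool{}
	return nil
}

// Grant sets one cell of the access control matrix for an enrolled user.
func (s *System) Grant(userID, resource string, perms ...Permission) {
	cell := map[Permission]bool{}
	for _, p := range perms {
		cell[p] = true
	}
	s.matrix[userID][resource] = cell
}

// authenticate checks both factors with constant-time comparisons; any mismatch fails.
func (s *System) authenticate(a *Account, password, tokenID, tokenCode string) bool {
	passOK := subtle.ConstantTimeCompare(hashPassword(a.salt, password), a.passHash) == 1
	expected, known := s.tokenCodes[a.tokenID]
	tokenOK := known && tokenID == a.tokenID &&
		subtle.ConstantTimeCompare([]byte(expected), []byte(tokenCode)) == 1
	return passOK && tokenOK
}

// Access runs the IAAA sequence for one request; every outcome is recorded under the identifier.
func (s *System) Access(userID, password, tokenID, tokenCode, resource string, perm Permission) bool {
	outcome := "granted"
	a, ok := s.accounts[userID] // identification: look up the unique identifier
	switch {
	case !ok:
		outcome = "denied: unknown identifier"
	case !s.authenticate(a, password, tokenID, tokenCode): // authentication: two factors
		outcome = "denied: authentication failed"
	case !s.matrix[userID][resource][perm]: // authorization: matrix lookup
		outcome = "denied: not authorized"
	}
	s.audit = append(s.audit, AuditEvent{When: time.Now(), UserID: userID,
		Action: string(perm) + " " + resource, Outcome: outcome}) // accountability
	return outcome == "granted"
}

func (s *System) AuditLog() []AuditEvent { return s.audit }

func main() {
	s := NewSystem() // constructed sample user; one good attempt and one with a wrong token code
	_ = s.Enroll("u1001", "Jill Smith", "correct horse", "tok-A", "482913")
	s.Grant("u1001", "payroll", Read)
	s.Access("u1001", "correct horse", "tok-A", "482913", "payroll", Read)
	s.Access("u1001", "correct horse", "tok-A", "000000", "payroll", Read)
	fmt.Printf("%+v\n", s.AuditLog())
}
```

The audit record is written on every path, including the unknown-identifier path, so a failed attempt is as attributable as a successful one; that is the property accountability depends on, and it is why the deck ties accountability to nonrepudiation.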
ASSETS, THREATS, VULNERABILITIES, RISKS, AND CONTROLS
Information assets have unique vulnerabilities, and they are continuously exposed to new threats. The combination of vulnerabilities and threats contributes to risk. To mitigate and control risks effectively, organizations should be aware of the shortcomings in their information systems and should be prepared to tackle them in case the shortcomings turn into threats to activities or business. Understanding these entities and their interactions is crucial to ensuring the controls are cost effective and relevant. This chapter provides an overview of threats and vulnerabilities as well as the controls that are implemented to manage their risks.
ASSET
An asset is anything valuable to the organization. An information asset, if compromised, may cause losses should it be disclosed, be altered, or become unavailable. An information asset can be tangible or intangible, such as hardware, software, data, services, and people. The losses can also be tangible or intangible, such as the number of machines or a smeared reputation.
THREATS
Threats are potential events that may cause the loss of an information asset. A threat may be natural, deliberate, or accidental.
VULNERABILITIES
Vulnerabilities are weaknesses exploited by threats. They are threat independent, and if exploited, they allow harm in terms of the CIA triad. Examples of vulnerabilities include software bugs, open ports, poorly trained personnel, and outdated policy.
RISK
A risk expresses the chance of something happening because a threat successfully exploits a vulnerability, eventually affecting the organization. Examples of impact are loss of competitive edge, loss of confidential information, systems unavailability, failure to meet a service level agreement, and tarnished reputation.
Module 2 - Information Assurance Concepts.pptx

  • 2. CONFIDENTIALITY, INTEGRITY, AND AVAILABILITY When dealing with information assurance and its subcomponent information security, you should be familiar with three primary security objectives—confidentiality, integrity, and availability—to identify problems and provide proper solutions. This concept is widely known as the CIA triad.
  • 3. CONFIDENTIALITY Confidentiality and privacy are related terms but are not synonymous. Confidentiality is the assurance of data secrecy where no one is able to read data except for the intended entity. Confidentiality should prevail no matter what the data state is—whether data resides on a system, is being transmitted, or is in a particular location (for example, a file cabinet, a desk drawer, or a safe). Privacy, on the other hand, involves personal autonomy and control of information about oneself. Both are discussed in this chapter. The word classification merely means categorization in certain
  • 4. INTEGRITY People understand integrity in terms of dealing with people. People understand the sentiment “Jill is a woman of integrity” to mean Jill is a person who is truthful, is trustworthy, and can be relied upon to perform as she promises. When considering integrity in an information assurance perspective, organizations will use it not only from a personnel perspective but also from a systems perspective. In information systems, integrity is a service that assures that the information in a system has not been altered except by authorized individuals and processes. It provides assurance of the accuracy of the data and that it has not been corrupted or modified improperly.
  • 5. AVAILABILITY Availability is the service that assures data and resources are accessible to authorized subjects or personnel when required. The second component of the availability service is that resources such as systems and networks should provide sufficient capacity to perform in a predictable and acceptable manner. Secure and quick recovery from disruptions is crucial to avoid delays or decreased productivity. Therefore, protection mechanisms must be in place to ensure availability and to protect against internal and external threats. Availability is also often viewed as a property of an information system or service. Most service level agreements and measures of performance for service providers surround availability above all else. The availability of a system may be
  • 6. CIA BALANCE The three fundamental security requirements are not equally critical in each application. For example, to one organization, service availability and the integrity of information may be more important than the confidentiality of information. A web site hosting publicly available information is an example. Therefore, you should apply the appropriate combination of CIA in the correct proportions to support your organization’s goals and provide users with a dependable system.
  • 7. NONREPUDIATION AND AUTHENTICATION Nonrepudiation The MSR model of information assurance describes additional services associated with nonrepudiation. Digital transactions are prone to fraud in which participants in the transaction could repudiate (deny) a transaction. A digital signature is evidence that the information originated with the asserted sender of the information and prevents subsequent denial of sending the message. Digital signatures may also provide evidence that the receiver has in fact received the message, so that the receiver is not able to deny this reception. This is commonly
  • 8. The term nonrepudiation describes the service that ensures entities are honest in their actions. There are variants of nonrepudiation, but the most often used are as follows:
    • Nonrepudiation of source prevents an author from falsely refusing ownership of a created or sent message, or else the service will prove otherwise.
    • Nonrepudiation of acceptance prevents the receiver from denying having received a message, or else the service will prove otherwise.
  • 9. IDENTIFICATION, AUTHENTICATION, AUTHORIZATION, AND ACCOUNTABILITY Identification, authentication, authorization, and accountability are the essential functions in providing an access management system. This service as described by the MSR model of information assurance is summarized as authentication but reflects the entire IAAA process. The overall architecture of an access management system includes the means of identifying its users, authenticating a user’s identity and credentials, and setting and controlling the access level of a user’s authorization.
  • 10. STEPS OF IAAA Steps to access a system and the act of recording a user’s actions during system access
  • 11. IDENTIFICATION Identification is a method for a user within a system to introduce oneself. In an organization-wide identification requirement, you must address identification issues. An example would be more than one person having the same name. Identifiers must be unique so that a user can be accurately identified across the organization. Each user should have a unique identifier, even if performing multiple roles within the organization. This simplifies matters for users as well as the management of an information system. It also eases control in that an organization may have a centralized directory or repository for better user management. A standard interface is crucial for ease of the verification process. The same goes for the availability of the verification process itself. This is to ensure that access can be granted only with verification.
  • 12. AUTHENTICATION Authentication validates the identification provided by a user. In other words, it makes sure the entity presenting the identification can further prove to be who they claim. To be authenticated, the entity must produce at least a second credential. Three basic factors of authentication are available to all types of identities:
    • What you know (a shared secret, such as a password, which both the user and the authenticator know)
    • What you have (a physical identification, such as a smartcard, hardware token, or identification card)
    • What you are (a measurable attribute, such as biometrics, a thumbprint, or facial recognition)
    In addition, organizations may consider an implicit factor such as a “where you are” factor:
    • Physical location, such as within an organization’s office.
    • Logical location, such as on an internal network or private network.
    A combination of these factors can be used to provide different strength levels of authentication; this improves authentication and increases security. The following are examples of technology used for authentication:
    • Public Key Infrastructure (PKI) is a system that provides authentication with certificates based on a public key cryptography method. Public key cryptography provides two independent keys generated together; one key is made public, and the other is kept private. Any information protected by one key (for example, the public key) can be opened only with the other key (the private key). If one key is compromised, a new key pair must be generated.
    • Smartcards can store personal information accessible by a personal identification number (PIN). An organization may consider smartcard implementation to provide another identification method via physical identification (physical security) and electronic identification (electronic access).
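To make the nonrepudiation services on slides 7 and 8 and the public/private key pair described on slide 12 concrete, here is an added example; it is not part of the deck. It uses textbook RSA over two constructed small primes (far too small to be secure, chosen only so the arithmetic is visible) to show that a signature made with the private key lets anyone holding the public key prove who sent a message (nonrepudiation of source), that a signed receipt does the same for reception (nonrepudiation of acceptance), and, by contrast, that a MAC built on a key both parties share proves integrity but not origin. The primes, messages and shared key are all constructed for the demo.

```python
"""Added illustration (not from the slides): a digital signature gives
nonrepudiation of source and of acceptance, while a MAC built on a key
both parties share gives integrity only.  Textbook RSA over constructed
small primes -- far too small to be secure, used only so the arithmetic
is visible.  All key values and messages below are constructed."""
import hashlib
import hmac

# Constructed toy primes (assumption: well-known primes, not a secure key size).
P1, Q1 = 1_000_000_007, 998_244_353      # Alice's key pair
P2, Q2 = 1_000_000_009, 999_999_937      # Bob's key pair
E = 65_537


def generate_keypair(p, q, e=E):
    """Return ((n, e), (n, d)): the public key and the private key."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)                   # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def _digest_mod_n(message: bytes, n: int) -> int:
    # Hash the message, then reduce it so it fits under the toy modulus.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key, message: bytes) -> int:
    """Only the holder of d can produce this value for the message."""
    n, d = private_key
    return pow(_digest_mod_n(message, n), d, n)


def verify(public_key, message: bytes, signature: int) -> bool:
    """Anyone with (n, e) can check it; a wrong key or changed message fails."""
    n, e = public_key
    return pow(signature, e, n) == _digest_mod_n(message, n)


def mac_tag(key: bytes, message: bytes) -> str:
    """HMAC: proves the message was not altered by anyone without the key."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def nonrepudiation_demo():
    alice_pub, alice_priv = generate_keypair(P1, Q1)
    bob_pub, bob_priv = generate_keypair(P2, Q2)

    order = b"order #42: ship 10 units"        # constructed sample message
    sig = sign(alice_priv, order)

    # Nonrepudiation of source: Bob (or an arbitrator) verifies with Alice's
    # public key; since only Alice holds d, she cannot later deny sending it.
    order_ok = verify(alice_pub, order, sig)
    tampered_ok = verify(alice_pub, b"order #42: ship 100 units", sig)
    wrong_key_ok = verify(bob_pub, order, sig)

    # Nonrepudiation of acceptance: Bob signs a receipt that names what he got.
    receipt = b"received:" + sig.to_bytes(8, "big")
    receipt_ok = verify(bob_pub, receipt, sign(bob_priv, receipt))

    # Contrast: with a shared MAC key Bob can produce a valid tag for any
    # message himself, so a tag cannot prove Alice was the author.
    shared_key = b"constructed-shared-key"
    bobs_forgery = b"order #42: ship 100 units"
    forged_tag = mac_tag(shared_key, bobs_forgery)
    mac_accepted = hmac.compare_digest(mac_tag(shared_key, bobs_forgery), forged_tag)

    return {"order_ok": order_ok, "tampered_ok": tampered_ok,
            "wrong_key_ok": wrong_key_ok, "receipt_ok": receipt_ok,
            "mac_forgery_accepted": mac_accepted}


if __name__ == "__main__":
    print(nonrepudiation_demo())
```

The last result is the point of the contrast: the forged tag verifies, because Bob holds the same key Alice does, so a MAC can never be evidence of who wrote a message. A real deployment would use a standard library (for example RSA-PSS or ECDSA with 2048-bit or P-256 keys) and bind the public key to an identity through a PKI certificate, as slide 12 describes.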
  • 13. Authorization Once a user presents a second credential and is identified, the system checks an access control matrix to determine their associated privileges. If the system allows the user access, the user is authorized. Accountability The act of being responsible for actions taken within a system is accountability. The only way to ensure accountability is to identify the user of a system and record their actions. Accountability makes nonrepudiation extremely important.
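Slides 9 through 13 describe IAAA as a sequence; the following added example (mine, not the deck's) walks one user through all four steps in code: a directory that enforces unique identifiers (identification), a password plus an RFC 4226 HOTP token code as two factors (authentication), an access control matrix lookup (authorization), and an audit log that records every decision against the identifier (accountability). The user name, password, token seed and resource names are constructed for the demo.

```python
"""Added example (not from the slides): a minimal IAAA flow.
Identification  -> one unique identifier per person in a central directory
Authentication  -> password (what you know) plus an HOTP token code (what you have)
Authorization   -> an access control matrix lookup
Accountability  -> every decision written to an audit log tied to the identifier
All names, secrets and resources below are constructed for the demo."""
import hashlib
import hmac
import secrets


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: the hardware token and the server compute the same code."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class AccessManager:
    def __init__(self):
        self.directory = {}   # identifier -> salt, password hash, token secret, counter
        self.acl = {}         # (identifier, resource) -> set of permissions
        self.audit_log = []   # accountability: who, what, on which resource, outcome

    # --- Identification: identifiers must be unique across the organization ---
    def register(self, identifier, password, token_secret):
        if identifier in self.directory:
            raise ValueError(f"identifier {identifier!r} already in use")
        salt = secrets.token_bytes(16)
        self.directory[identifier] = {
            "salt": salt,
            "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000),
            "token_secret": token_secret,
            "counter": 0,
        }

    # --- Authentication: two factors, and every attempt is logged ---
    def authenticate(self, identifier, password, token_code):
        rec = self.directory.get(identifier)
        if rec is None:
            self._log(identifier, "authenticate", None, False)
            return None
        pw_ok = hmac.compare_digest(
            hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], 100_000),
            rec["pw_hash"])
        tok_ok = hmac.compare_digest(hotp(rec["token_secret"], rec["counter"]), token_code)
        ok = pw_ok and tok_ok
        if ok:
            rec["counter"] += 1          # a used one-time code must not work twice
        self._log(identifier, "authenticate", None, ok)
        return identifier if ok else None

    # --- Authorization: consult the access control matrix ---
    def grant(self, identifier, resource, *permissions):
        self.acl.setdefault((identifier, resource), set()).update(permissions)

    def authorize(self, session, resource, permission):
        allowed = permission in self.acl.get((session, resource), set())
        self._log(session, permission, resource, allowed)
        return allowed

    # --- Accountability: the record that makes actions attributable ---
    def _log(self, identifier, action, resource, allowed):
        self.audit_log.append({"who": identifier, "action": action,
                               "resource": resource, "allowed": allowed})


def iaaa_demo():
    """Walk one constructed user through the four steps; returns the outcomes."""
    am = AccessManager()
    token_secret = b"constructed-demo-token-seed"
    am.register("jill", "correct horse battery staple", token_secret)
    am.grant("jill", "payroll", "read")

    first_try = am.authenticate("jill", "wrong password", hotp(token_secret, 0))
    session = am.authenticate("jill", "correct horse battery staple", hotp(token_secret, 0))
    replay = am.authenticate("jill", "correct horse battery staple", hotp(token_secret, 0))
    can_read = am.authorize(session, "payroll", "read")
    can_write = am.authorize(session, "payroll", "write")
    return first_try, session, replay, can_read, can_write, am.audit_log


if __name__ == "__main__":
    for entry in iaaa_demo()[5]:
        print(entry)
```

Two details carry the slides' points: `register` refuses a duplicate identifier, which is what makes the audit log meaningful, and the log records failed attempts as well as successes, so the "jill" entries can later be used to hold the account holder to account for what was done in her name.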
  • 14. ASSETS, THREATS, VULNERABILITIES, RISKS, AND CONTROLS Information assets have unique vulnerabilities, and they are continuously exposed to new threats. The combination of vulnerabilities and threats contributes to risk. To mitigate and control risks effectively, organizations should be aware of the shortcomings in their information systems and should be prepared to tackle them in case the shortcomings turn into threats to activities or business. Understanding these entities and their interactions is crucial to ensuring the controls are cost effective and relevant. This chapter provides an overview of threats and vulnerabilities as well as the controls that are implemented to manage their risks.
  • 15. ASSET An asset is anything valuable to the organization. An information asset, if compromised, may cause losses should it be disclosed, be altered, or become unavailable. An information asset can be tangible or intangible, such as hardware, software, data, services, and people. The losses can also be tangible or intangible, such as the number of machines lost or a smeared reputation.
  • 16. THREATS Threats are potential events that may cause the loss of an information asset. A threat may be natural, deliberate, or accidental.
  • 17. VULNERABILITIES Vulnerabilities are weaknesses exploited by threats. They are threat independent, and if exploited, they allow harm in terms of the CIA triad. Examples of vulnerabilities include software bugs, open ports, poorly trained personnel, and outdated policy.
  • 18. RISK A risk expresses the chance of something happening because of a threat successfully exploiting a vulnerability that will eventually affect the organization. Examples of impact are loss of competitive edge, loss of confidential information, systems unavailability, failure to meet a service level agreement, and tarnished reputation.