Information Security Discussion for GM667 Saint Mary's University of MN

Information security basics

Transcript of Information Security Discussion for GM667 Saint Mary's University of MN

Page 1: Information Security Discussion for GM667 Saint Mary's University of MN


Fundamental Principles of Security

Three Control Objectives
• Confidentiality
• Integrity
• Availability

These three fundamental control objectives provide means to identify all business exposures, assess risks and select controls

Page 2

Three Control Objectives

Confidentiality principle

Protection of sensitive information from unauthorized disclosure; prevention of inappropriate reading or copying

• Examples of confidential information
– Medical records
– Payroll lists
– Client lists
– Trade secrets

Page 3

Three Control Objectives

Integrity principle

Detection or prevention of inappropriate and unauthorized data transformations

• Threats to integrity may be classified as either accidental or intentional:
– Errors
– Omissions
– Modification
– Deletion
– Replay and Insertion

• Accidental integrity violations are actually data reliability problems
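As an added illustration (not part of the slides), the Python script below shows how one technical integrity control, a keyed hash (HMAC-SHA256) combined with a sequence number, lets a receiver detect the intentional threat classes listed above: modification, deletion, replay and insertion. The shared key, the message stream and the verdict labels are constructed for this example; function names such as protect and verify_stream are the example's own.

```python
import hashlib
import hmac
import json

# Constructed shared secret for this example only; a real deployment provisions
# keys through a key-management process, never as a literal in source.
KEY = b"gm667-example-integrity-key"


def _body(seq, payload):
    """Canonical bytes covered by the tag: the sequence number and the payload."""
    return json.dumps({"seq": seq, "payload": payload}, sort_keys=True).encode()


def protect(seq, payload):
    """Sender side: attach a sequence number and an HMAC-SHA256 tag to a message."""
    tag = hmac.new(KEY, _body(seq, payload), hashlib.sha256).hexdigest()
    return {"seq": seq, "payload": payload, "tag": tag}


def verify_stream(messages):
    """Receiver side: classify every message in arrival order.

    Verdicts map to the slide's intentional threat classes:
      tag_failure - modification (content changed after signing) or insertion of a
                    forged message; a verifier cannot tell these two apart
      replay      - an authentic message delivered a second time
      gap         - deletion (or non-delivery) of the sequence numbers skipped over
      ok          - authentic, fresh, and in sequence
    """
    verdicts = []
    seen = set()
    expected_seq = 0
    for m in messages:
        seq = m.get("seq")
        good_tag = hmac.new(KEY, _body(seq, m.get("payload")), hashlib.sha256).hexdigest()
        tag = m.get("tag")
        # compare_digest avoids leaking tag bytes through timing differences
        if not isinstance(tag, str) or not hmac.compare_digest(tag, good_tag):
            verdicts.append((seq, "tag_failure"))
            continue
        if seq in seen:
            verdicts.append((seq, "replay"))
            continue
        verdicts.append((seq, "gap" if seq > expected_seq else "ok"))
        seen.add(seq)
        expected_seq = max(expected_seq, seq + 1)
    return verdicts


def build_tampered_stream():
    """Constructed sample: five signed messages, then each threat applied in transit."""
    legit = [protect(i, "transfer %d" % i) for i in range(5)]
    altered = dict(legit[1])
    altered["payload"] = "transfer 1000"  # modification: payload changed, tag now stale
    forged = {"seq": 4, "payload": "transfer 4", "tag": "00" * 32}  # insertion without the key
    return [
        legit[0],   # delivered intact
        altered,    # modified
                    # legit[2] deleted: never delivered
        legit[3],   # delivered intact
        legit[3],   # replayed
        forged,     # inserted
    ]


if __name__ == "__main__":
    for seq, verdict in verify_stream(build_tampered_stream()):
        print(seq, verdict)
```

Accidental errors and omissions are caught by the same tag and sequence checks, which is why the slide groups them with the intentional cases: the receiver only learns that the data it holds is not the data that was sent, not why.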

Page 4

Three Control Objectives

Availability principle

Ensuring system resources are available to sustain critical business activities

• Preparation for an unforeseen event
• It has many names: Contingency Planning; Disaster Recovery Planning; Business Continuance Planning
• Two Primary Objectives
– Disaster Avoidance or Mitigation Strategies
– Disaster Recovery Procedures

Page 5

Three Control Objectives

Three Control Objectives (“CIA”)
• Confidentiality
• Integrity
• Availability

These three fundamental control objectives provide means to identify all business exposures, assess risks and select controls

Which one is the most important to your organization?

Page 6

Information Security Definition

The protection of information assets from unauthorized disclosure, modification, or destruction; or the inability to process that information

Embedded within the basic definition of information security are the three fundamental principles of information security:
• Confidentiality principle
• Integrity principle
• Availability principle

Page 7

Risk Management

The following terms are routinely used during information security projects; they are often used interchangeably and incorrectly.

• Threat
• Vulnerability
• Threat Agent
• Exposure
• Control
• Risk

Page 8

Risk Management Terminology

Threat

An Event or Action that can have a Negative Impact upon an Organization

or

A Potential Danger to an Information System

Page 9

Examples of Threats

• Unauthorized access
– Hackers
– Mishandled password
• Misuse of authorized access
• Interception of information
– Wiretap
– Document left at a copier
• Introduction of malicious software
– Virus
– Worms
– Trojan Horses
• Denial of Service Attacks
• Accidental alteration or deletion of data
• Social Engineering
• Undetected software errors
• Natural disasters
• A bomb
• A fire
• Disgruntled employee

Page 10

Risk Management Terminology

Vulnerability

A Condition Which Allows a Threat to Occur

or

A Software, Hardware or Procedural Weakness

• Threats considered alone do not provide very meaningful information
• Threats and vulnerabilities are best considered in pairs
• Threats describe the environment; external considerations
– Your organization may have little control or influence over these
• Vulnerabilities describe the internal environment
– Vulnerabilities are your responsibility; you can take action to correct these

Page 11

Examples of Threat/Vulnerability Pairing

Threats (we have little or no control over these) paired with Vulnerabilities (things you can change):

• Bomb – An operations center with signage
• Water – A data center below ground level
• Disgruntled employee – No exit or termination procedures
• Severed network cables – Unlocked telecom cable closets

Page 12

Risk Management Terminology

Threat Agent

The Entity that Takes Advantage of a Vulnerability

Examples:
• Intruder
• Employee
• Software

Page 13

Risk Management Terminology

Exposure

The Negative Effect or Loss that Results after a Threat Occurs

• Monetary Loss
– Direct: Destruction or Theft of Assets
– Indirect: Replacement Costs, Customer Bad Will
• Loss of Business
• Loss of Public Trust or Confidence
• Negative Publicity
• Loss of New Business Opportunities

Page 14

Risk Management Terminology

Risk

The Likelihood of a Threat Agent Taking Advantage of a Vulnerability

Two approaches are used to measure risk:
• Quantitative Methods
• Qualitative Methods
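An added worked example (not from the slides) of the two measurement approaches, in Python. It takes threat/vulnerability pairs like those used earlier in the deck, rates each on a qualitative likelihood-times-impact matrix, and also applies the standard quantitative formula annualized loss expectancy = single loss expectancy × annualized rate of occurrence (ALE = SLE × ARO). It goes one step beyond the slide by showing how the quantitative figure is used to select a control: the control is justified when the ALE it removes exceeds its annual cost. All asset values, exposure factors, rates, costs and the 1..3 rating thresholds are constructed assumptions of this example, as are the function and class names.

```python
from dataclasses import dataclass


@dataclass
class RiskPair:
    """One threat/vulnerability pair from the risk register.

    Quantitative inputs (all constructed for this example):
      asset_value     - value of the asset at risk, in dollars
      exposure_factor - fraction of that value lost in one occurrence (0.0 .. 1.0)
      aro             - annualized rate of occurrence (expected events per year)
    Qualitative inputs, each on a 1 (low) .. 3 (high) scale assumed by this example:
      likelihood, impact
    """
    threat: str
    vulnerability: str
    asset_value: float
    exposure_factor: float
    aro: float
    likelihood: int
    impact: int


def qualitative_rating(pair):
    """Qualitative method: likelihood x impact looked up on a simple 3x3 matrix."""
    score = pair.likelihood * pair.impact
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def single_loss_expectancy(pair):
    """SLE = asset value x exposure factor (loss from one occurrence)."""
    return pair.asset_value * pair.exposure_factor


def annualized_loss_expectancy(pair):
    """Quantitative method: ALE = SLE x ARO (expected loss per year)."""
    return single_loss_expectancy(pair) * pair.aro


def rank_register(register):
    """Threats ranked by annual expected loss, highest first."""
    return [p.threat for p in sorted(register, key=annualized_loss_expectancy, reverse=True)]


def control_is_justified(pair, annual_control_cost, aro_after_control):
    """Select a control only if the ALE it removes exceeds what it costs per year.

    A control works on the vulnerability (the thing you can change), lowering how
    often the threat succeeds; that is modelled here as a reduced ARO.
    Returns (justified, annual_ale_reduction).
    """
    reduction = annualized_loss_expectancy(pair) - single_loss_expectancy(pair) * aro_after_control
    return reduction > annual_control_cost, reduction


# Constructed register built from the threat/vulnerability pairs used earlier in the deck.
REGISTER = [
    RiskPair("Water", "A data center below ground level", 2_000_000, 0.25, 0.1, 1, 3),
    RiskPair("Disgruntled employee", "No exit or termination procedures", 1_000_000, 0.10, 0.4, 2, 2),
    RiskPair("Severed network cables", "Unlocked telecom cable closets", 300_000, 0.20, 2.0, 3, 2),
]


if __name__ == "__main__":
    for p in REGISTER:
        print(p.threat, qualitative_rating(p), round(annualized_loss_expectancy(p)))
    print(rank_register(REGISTER))
    # Locking the closets (constructed figures): $10,000 per year, ARO falls from 2.0 to 0.5
    print(control_is_justified(REGISTER[2], 10_000, 0.5))
```

Note that the two methods can disagree: the qualitative matrix rates the severed-cable pair "high" largely because of its likelihood, while the quantitative view ranks it first because a frequent, moderate loss adds up to more per year than a rare, large one. Both views are worth keeping side by side when deciding where to spend on controls.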

Page 15

Risk Management Terminology

Control

Mechanisms or Procedures Used to Prevent, Detect or Limit Exposures

or

A Countermeasure or Safeguard that Mitigates Risk

There Are Three Basic Types of Controls:
• Administrative
• Physical
• Technical

Page 16

Risk Management Terminology

Controls Cube

(Figure: a cube with the control purposes Prevent, Detect and Limit on one axis and the control types Administrative, Physical and Technical on the other)

This simple graphic shows the types of controls available. All types must be used to form a complete and effective system of controls.

Page 17

Risk Management Terminology

Examples of Controls (cells of the Controls Cube: Prevent, Detect or Limit by Administrative, Physical or Technical)

Administrative/Prevention Controls:
• Segregation of duties
• Security checks on new personnel
• Authorization process for changes

Physical/Detection Controls:
• Cameras
• Door intrusion alarms

Technical/Limiting Controls:
• Transaction limits on ATM cards
• Access privileges on user accounts

Page 18

Controls-Another Perspective

(Figure: Information Assets at the center, surrounded by rings of Network Controls, Computer Controls, Audit Programs, Physical Controls, and other controls...)

Page 19

Risk Management Terminology Summary

Threat: An event or action that can have a negative impact upon an organization

Vulnerability: A condition that allows a threat to occur

Threat Agent: The entity that takes advantage of a vulnerability

Exposure: The negative effect or loss that results after a threat occurs

Control: Mechanisms or procedures used to prevent, detect or limit exposures

Page 20

Risk Management Terminology

From: CISSP Exam Guide, Shon Harris, McGraw Hill

(Figure: how the terms relate) A Threat Agent gives rise to a Threat, which exploits a Vulnerability and creates Risk; Risk can damage an Asset and cause an Exposure, which may be countered with a Control.

Page 21

Information Security Definition

The protection of information assets from unauthorized disclosure, modification, or destruction; or the inability to process that information

Remember, our basic definition of security is to protect information.

This information may be moving (through a network), at rest (in storage), or being manipulated (processed by a computer or human).

Keep your eye on the information, no matter where it is.