Key Concepts and Principles of Security Engineering

An organization's information security objectives are to ensure the confidentiality, integrity, availability, authenticity, and non-repudiation of the information and data stored in its information systems.

  • Confidentiality: Confidentiality means that information is restricted to those authorized to have access to it. Confidentiality involves a set of rules or a promise, usually executed through confidentiality agreements, that limits access to or places restrictions on certain types of information. Access restriction is only one aspect of confidentiality.

    Confidentiality prevents misuse of confidential information (illegal or immoral use). It protects reputation. Employment may depend on it (e.g. non-disclosure agreement). It ensures compliance with the law.

  • Integrity: Data integrity refers to the accuracy and consistency (validity) of data over its lifecycle. Compromised data, after all, is of little use to enterprises, not to mention the dangers presented by sensitive data loss. For this reason, maintaining data integrity is a core focus of many enterprise security solutions. Data integrity is the assurance that digital information is uncorrupted and can only be accessed or modified by those authorized to do so. Corruption of data is a failure to maintain data integrity.

  • Availability: This means that the network should be readily available to its users. This applies to systems and to data. To ensure availability, the network administrator should maintain hardware, make regular upgrades, have a plan for fail-over, and prevent bottlenecks in a network. Attacks such as DoS or DDoS may render a network unavailable as the resources of the network get exhausted. The impact may be significant to the companies and users who rely on the network as a business tool. Thus, proper measures should be taken to prevent such attacks. 

  • Authenticity: The property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or message originator. Authenticity validates the source or origin of data and other file transfers through proof of identity. This is important because it ensures that the message (email, payment transaction, digital file, etc.) was not corrupted or intercepted during transmission. Through authentication processes, users can verify their identities by providing specific credentials, which include login information (username and password), biometric data, electronic or digital signatures, authentication tokens, smart cards, etc.

  • Non-repudiation: To repudiate means to deny or contest something. Non-repudiation is therefore the ability to ensure that someone cannot deny or contest a transaction they have carried out. Non-repudiation ensures, via encryption and/or digital signatures, that no party can deny that it sent or received a message or approved some information. Nor can a party deny the authenticity of its signature on a document.
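The difference between integrity, authenticity, and non-repudiation can be shown in a few lines. The following is an added example, not part of the original post; SHA-256 and HMAC are chosen here for illustration, the function names are hypothetical, and the message and key are constructed sample values.

```python
import hashlib
import hmac
import secrets

def digest(message: bytes) -> str:
    """Unkeyed SHA-256 digest: anyone can compute it for any message."""
    return hashlib.sha256(message).hexdigest()

def tag(key: bytes, message: bytes) -> str:
    """HMAC-SHA-256 tag: only a holder of `key` can compute it."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()

def verify_digest(message: bytes, claimed: str) -> bool:
    return hmac.compare_digest(digest(message), claimed)

def verify_tag(key: bytes, message: bytes, claimed: str) -> bool:
    return hmac.compare_digest(tag(key, message), claimed)

def demo() -> dict:
    # Constructed sample data (not from the original post).
    key = secrets.token_bytes(32)           # shared by sender and receiver
    original = b"pay 100 EUR to account 12345"
    altered = b"pay 900 EUR to account 99999"
    results = {}

    # Integrity: a digest of the original exposes any change to the data.
    results["digest_detects_change"] = not verify_digest(altered, digest(original))

    # No authenticity: if the digest travels with the data, whoever altered
    # the message can recompute it, and the check still passes.
    results["digest_accepts_recomputed"] = verify_digest(altered, digest(altered))

    # Authenticity: without the shared key, a valid tag cannot be produced.
    wrong_key_tag = tag(secrets.token_bytes(32), altered)
    results["hmac_rejects_wrong_key"] = not verify_tag(key, altered, wrong_key_tag)
    results["hmac_accepts_genuine"] = verify_tag(key, original, tag(key, original))

    # No non-repudiation: sender and receiver hold the same key, so the
    # receiver can produce the identical tag. The tag cannot prove to a
    # third party which of them created it; that needs a digital signature
    # made with a private key only the signer holds.
    sender_tag = tag(key, original)
    receiver_tag = tag(key, original)
    results["tag_identifies_one_party"] = sender_tag != receiver_tag
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```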

Security engineering principles include:
  • Developing layered protections; 
  • Establishing sound security policy, architecture, and controls as the foundation for design; 
  • Incorporating security requirements into the system development life cycle; 
  • Delineating physical and logical security boundaries; 
  • Ensuring that system developers are trained on how to build secure software; 
  • Tailoring security controls to meet organizational and operational needs; 
  • Performing threat modeling to identify use cases, threat agents, attack vectors, and attack patterns as well as compensating controls and design patterns needed to mitigate risk; and 
  • Reducing risk to acceptable levels, thus enabling informed risk management decisions.
Source: https://www.arc-it.net/html/security/control201.htm
