Information Security Principles

March 20, 2023 - 4 mins read

I originally created this series of notes in 2020 as an output of personal study of the BCS syllabus for the CISMP[1][2]. The original version can be found on Gitlab. This post will cover part one of those notes with further sections to follow in the same series.

Information Security Principles

Concepts and Definitions

Information Security (IS)

Information Security is at least the preservation of the following properties:

Confidentiality: not made available to unauthorised entities
Integrity: safeguarding accuracy and completeness
Availability: usable upon demand by authorised entities

Other properties such as authenticity, accountability, non-repudiation, and reliability may also be involved. IS is a ‘whole organization’ responsibility.

Information Assurance (IA)

Information Assurance is the confidence that systems will protect information and will function as needed, when needed, under the control of legitimate users. To achieve this, controls need to be built into all stages of business processes. Additionally, any assurance system must be flexible enough to adapt to changing business needs.

Asset

An Asset is anything that has value to the organization, operations, and continuity. Value is calculated by means of a business impact analysis (BIA).

pure information
physical
software

Risk

Threat: a (realistic) potential cause of an incident that may result in harm (eg. threat of rain). These can be categorized as combinations of:
- accidental
- deliberate (an intentional threat)
and
- internal (having some degree of access)
- external
These cover the following types of threat:
- physical
- outages/failures
- hacking/abuse
- legal/contractual
- accidents/disasters
Vulnerability: weakness of assets which may be exploited by threats to realise risk (eg. not carrying an umbrella) which can be categorized as:
- general (eg. poor software design or basic weaknesses in hardware or processes)
- information specific (eg. unsecured computers)
Risk: potential of threats to exploit vulnerabilities producing an impact (eg. potential to be rained on)
Impact: result of IS incidents affecting assets (eg. a wet coat)

Controls

Controls are activities undertaken to manage identified risks. The best approach to assurance is to adopt ‘defence in depth’, a combination of complementary controls ensuring effective coverage in layers. It is also necessary to consider ‘defence in breadth’; all nodes of a distributed or networked system are potential sites of vulnerability. Controls can be categorized as:

Strategic Controls

Avoid
Reduce: lessen probability/impact (or both) of a risk
Transfer: share burden of loss/gain of a risk, overall ownership and responsibility for the risk is not transferred
Accept: this must be done with the explicit endorsement of persons accountable for the risk. In best practice this is also endorsed by a second person with an understanding of the impact but who is organizationally remote from the risk itself.

Tactical Controls

Preventative
Detective
Corrective
Directive (‘personnel controls’)

Operational Controls

Physical: physical limitations to activities, ie. obstacles that can prevent intrusion. eg. locked doors
Technical: any security measure involving electronic hardware/software solutions. eg. firewalls
Procedural: rules, regulations, policies in place to reduce risks, typically providing guidance on the expected ways to undertake work. eg. contracts, appropriate use policies

Identity concepts

Identity: properties of an entity that uniquely distinguish it in a given domain
Authentication: provision of assurance of the claimed identity
Authorisation: the right granted to a system entity to access a system resource

Accountability concepts

Accountability: the property ensuring actions of an entity can be uniquely traced to an entity
Audit: review of a party’s capacity to meet ongoing approval agreements
Compliance: meeting or exceeding all applicable requirements

Information Security Management System (ISMS)

The ISMS is the part of the overall management system to establish, implement, operate, monitor, review, maintain, and improve information security. One of the additional purposes is to maintain a high level of availability to appropriate information pertaining to security measures across the organization. This information must be both comprehensive and appropriate to the audience (’easily digestible’) and maintained to a high standard.

Requirements

Business/User
Security
Statutory: legal (obligatory, eg. privacy legislation)
Regulatory: conformance to standards (obligatory)
Advisory: guidelines for encouraging best practice

Additional References

Taylor A, editor, Alexander D, Finch A, Sutton D. Information Security Management Principles. 2nd ed. BCS Learning and Development Ltd. 2013.
Taylor A, Alexander D, Finch A, Sutton D. Information Security Management Principles. 3rd ed. BCS Learning and Development Ltd. 2020.

This is a post in the ISMP notes series.
Other posts in this series:

June 3, 2023 - Disaster Recovery and Business Continuity Management
June 3, 2023 - Physical and Environmental Security
June 3, 2023 - Procedural and People Security Controls
June 3, 2023 - Technical Controls
April 19, 2023 - Security Life Cycles
March 25, 2023 - Information Security Framework
March 23, 2023 - Information Risk
March 20, 2023 - Information Security Principles