I originally created this series of notes in 2020 as an output of personal study of the BCS syllabus for the CISMP[1][2]. The original version can be found on Gitlab. This post will cover part one of those notes with further sections to follow in the same series.
Information Security Principles
Concepts and Definitions
Information Security (IS)
Information Security is at least the preservation of the following properties:
-
Confidentiality: not made available to unauthorised entities
-
Integrity: safeguarding accuracy and completeness
-
Availability: usable upon demand by authorised entities
Other properties such as authenticity, accountability, non-repudiation, and reliability may also be involved. IS is a ‘whole organization’ responsibility.
Information Assurance (IA)
Information Assurance is the confidence that systems will protect information and will function as needed, when needed, under the control of legitimate users. To achieve this, controls need to be built into all stages of business processes. Additionally, any assurance system must be flexible enough to adapt to changing business needs.
Asset
An Asset is anything that has value to the organization, operations, and continuity. Value is calculated by means of a business impact analysis (BIA).
-
pure information
-
physical
-
software
Risk
-
Threat: a (realistic) potential cause of an incident that may result in harm (eg. threat of rain). These can be categorized as combinations of:
-
accidental
-
deliberate (an intentional threat)
and
-
internal (having some degree of access)
-
external
These cover the following types of threat:
-
physical
-
outages/failures
-
hacking/abuse
-
legal/contractual
-
accidents/disasters
-
-
Vulnerability: weakness of assets which may be exploited by threats to realise risk (eg. not carrying an umbrella) which can be categorized as:
-
general (eg. poor software design or basic weaknesses in hardware or processes)
-
information specific (eg. unsecured computers)
-
-
Risk: potential of threats to exploit vulnerabilities producing an impact (eg. potential to be rained on)
-
Impact: result of IS incidents affecting assets (eg. a wet coat)
Controls
Controls are activities undertaken to manage identified risks. The best approach to assurance is to adopt ‘defence in depth’, a combination of complementary controls ensuring effective coverage in layers. It is also necessary to consider ‘defence in breadth’; all nodes of a distributed or networked system are potential sites of vulnerability. Controls can be categorized as:
Strategic Controls
-
Avoid
-
Reduce: lessen probability/impact (or both) of a risk
-
Transfer: share burden of loss/gain of a risk, overall ownership and responsibility for the risk is not transferred
-
Accept: this must be done with the explicit endorsement of persons accountable for the risk. In best practice this is also endorsed by a second person with an understanding of the impact but who is organizationally remote from the risk itself.
Tactical Controls
-
Preventative
-
Detective
-
Corrective
-
Directive (‘personnel controls’)
Operational Controls
-
Physical: physical limitations to activities, ie. obstacles that can prevent intrusion. eg. locked doors
-
Technical: any security measure involving electronic hardware/software solutions. eg. firewalls
-
Procedural: rules, regulations, policies in place to reduce risks, typically providing guidance on the expected ways to undertake work. eg. contracts, appropriate use policies
Identity concepts
-
Identity: properties of an entity that uniquely distinguish it in a given domain
-
Authentication: provision of assurance of the claimed identity
-
Authorisation: the right granted to a system entity to access a system resource
Accountability concepts
-
Accountability: the property ensuring actions of an entity can be uniquely traced to an entity
-
Audit: review of a party’s capacity to meet ongoing approval agreements
-
Compliance: meeting or exceeding all applicable requirements
Information Security Management System (ISMS)
The ISMS is the part of the overall management system to establish, implement, operate, monitor, review, maintain, and improve information security. One of the additional purposes is to maintain a high level of availability to appropriate information pertaining to security measures across the organization. This information must be both comprehensive and appropriate to the audience (’easily digestible’) and maintained to a high standard.
Requirements
-
Business/User
-
Security
-
Statutory: legal (obligatory, eg. privacy legislation)
-
Regulatory: conformance to standards (obligatory)
-
Advisory: guidelines for encouraging best practice
Additional References
- Taylor A, editor, Alexander D, Finch A, Sutton D. Information Security Management Principles. 2nd ed. BCS Learning and Development Ltd. 2013.
- Taylor A, Alexander D, Finch A, Sutton D. Information Security Management Principles. 3rd ed. BCS Learning and Development Ltd. 2020.