This document discusses information security and key concepts related to protecting information. It describes information security as providing assurance that information risks and controls are balanced. It outlines multiple layers of security including physical, personnel, operations, communications, network, and information security. The document also discusses the McCumber Cube model for evaluating information system security across technical, programmatic, and operational dimensions.
Information Security Unit 1
Information Security
• According to James Anderson, executive consultant at Emagined Security, Inc., information security in an enterprise is a “well-informed sense of assurance that the information risks and controls are in balance.”

What is Security
• Security is “the quality or state of being secure—to be free from danger.”
• In other words, protection against adversaries—from those who would do harm, intentionally or otherwise—is the objective.

Security concepts
A successful organization should have the following multiple layers of security in place to protect its operations:
• Physical security, to protect physical items, objects, or areas from unauthorized access and misuse
• Personnel security, to protect the individual or group of individuals who are authorized to access the organization and its operations
• Operations security, to protect the details of a particular operation or series of activities
• Communications security, to protect communications media, technology, and content
• Network security, to protect networking components, connections, and contents
• Information security, to protect the confidentiality, integrity and availability of information assets, whether in storage, processing, or transmission. It is achieved via the application of policy, education, training and awareness, and technology.

Critical Characteristics of Information
• Availability enables authorized users—persons or computer systems—to access information without interference or obstruction and to receive it in the required format.
• Information has accuracy when it is free from mistakes or errors and it has the value that the end user expects.
• Authenticity of information is the quality or state of being genuine or original, rather than a reproduction or fabrication.
• Information has confidentiality when it is protected from disclosure or exposure to unauthorized individuals or systems.
• Information has integrity when it is whole, complete, and uncorrupted.
• The utility of information is the quality or state of having value for some purpose or end. Information has value when it can serve a purpose.
• The possession of information is the quality or state of ownership or control.

CNSS/NSTISSC Security Model
This document presents a comprehensive information security model and has become a widely accepted evaluation standard for the security of information systems. The model, created by John McCumber in 1991, provides a graphical representation of the architectural approach widely used in computer and information security; it is now known as the McCumber Cube.

McCumber Cube
• To ensure system security, each of the 27 areas must be properly addressed during the security process.
• For example, the intersection between technology, integrity, and storage requires a control or safeguard that addresses the need to use technology to protect the integrity of information while in storage.

Components of IS
• Software
• Hardware
• Data
• People
• Procedures
• Networks

Balancing IS and Access
• Information security cannot be absolute: it is a process, not a goal.
• To achieve balance—that is, to operate an information system that satisfies the user and the security professional—the security level must allow reasonable access, yet protect against threats.

System Development Life Cycle
• The systems development life cycle (SDLC) is a methodology for the design and implementation of an information system.
• A methodology is a formal approach to solving a problem by means of a structured sequence of procedures.
• The traditional SDLC consists of six general phases.

Phases of SDLC
• Investigation: The investigation phase begins with an examination of the event or plan that initiates the process. During the investigation phase, the objectives, constraints, and scope of the project are specified.
• Analysis: This phase consists primarily of assessments of the organization, its current systems, and its capability to support the proposed systems.
• Logical Design: The logical design is the blueprint for the desired solution. The logical design is implementation independent, meaning that it contains no reference to specific technologies, vendors, or products. Instead, it defines how the proposed system will solve the problem at hand.
• Physical Design: Specific technologies are selected to support the alternatives identified and evaluated in the logical design.
• Implementation: Needed software is created. Components are ordered, received, and tested. Afterward, users are trained and supporting documentation is created.
• Maintenance and Change: This phase consists of the tasks necessary to support and modify the system for the remainder of its useful life cycle. At periodic points, the system is tested for compliance and the feasibility of continuance versus discontinuance is evaluated. When a current system can no longer support the evolving mission of the organization, the project is terminated and a new project is implemented.

Security Systems Development Life Cycle
• SSDLC is also a trial-and-error process.
• The SecSDLC unifies the SDLC process and makes it a coherent program rather than a series of random, seemingly unconnected actions.
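
Added example (not part of the original slides): a gap check for the McCumber Cube slide's requirement that each of the 27 areas be addressed. The axis values are taken from the slides' wording; the control inventory, the function names and the short label "education" (standing for education, training and awareness) are constructed for illustration.

```python
from itertools import product

# Axis values as worded on the slides; "education" abbreviates
# "education, training and awareness" (label chosen for this example).
GOALS = ("confidentiality", "integrity", "availability")
STATES = ("storage", "processing", "transmission")
SAFEGUARDS = ("policy", "education", "technology")

ALL_CELLS = set(product(SAFEGUARDS, GOALS, STATES))  # 3 x 3 x 3 = 27 areas

# Constructed sample inventory: control -> (safeguards, goals, states) it addresses.
CONTROLS = {
    "file-integrity hashing": (["technology"], ["integrity"], ["storage"]),
    "TLS on internal links": (["technology"], ["confidentiality", "integrity"],
                              ["transmission"]),
    "data-handling policy": (["policy"], list(GOALS), list(STATES)),
    "backup and restore drills": (["technology", "education"], ["availability"],
                                  ["storage"]),
}

def cells_for(spec):
    """Expand one control's axis values into the cube cells it addresses."""
    safeguards, goals, states = spec
    cells = set(product(safeguards, goals, states))
    unknown = cells - ALL_CELLS
    if unknown:  # a typo in an axis value would otherwise hide a gap
        raise ValueError(f"unknown axis values in: {sorted(unknown)}")
    return cells

def coverage(controls):
    """Map every cube cell to the names of the controls that address it."""
    covered = {cell: [] for cell in ALL_CELLS}
    for name, spec in controls.items():
        for cell in cells_for(spec):
            covered[cell].append(name)
    return covered

def gaps(controls):
    """Cells with no control at all, sorted for stable reporting."""
    return sorted(cell for cell, names in coverage(controls).items() if not names)

if __name__ == "__main__":
    missing = gaps(CONTROLS)
    print(f"{len(ALL_CELLS) - len(missing)} of {len(ALL_CELLS)} areas addressed; gaps:")
    for safeguard, goal, state in missing:
        print(f"  {safeguard:<10} x {goal:<15} x {state}")
```

The technology, integrity, storage cell from the slide's own example is covered here by the hashing control; every cell that gaps() returns is an intersection that still needs a safeguard.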