Introduction

Information
Assurance and
Security 1
Topic
01 Information Systems Security Concepts
02 Confidentiality, Integrity, and Availability (CIA)
03 The Seven Domains of an IT Infrastructure
04 IT Security Policy Framework and Data Standard Classification
01.
Information Systems
Security Concepts
Introduction to Information Systems
Security
 Information Systems Security (ISS) refers to the
practices and technologies used to protect
information systems from unauthorized access,
misuse, disclosure, disruption, modification, or
destruction. It aims to ensure that data is secure,
systems are operational, and users can rely on the
integrity of their information.
These concepts encompass the core principles, strategies, and methods
designed to protect information systems. The key components include:

 Risk Management: Identifying and mitigating potential security threats

and vulnerabilities. Example: A company assessing risks associated with
remote workers accessing sensitive data.

 Authentication and Authorization: Verifying user identities and

granting access based on roles. Example: Multi-factor authentication
(MFA) requiring a password and a mobile OTP for login.

 Encryption: Transforming data to prevent unauthorized access.

Example: Encrypting emails to ensure secure communication.

 Incident Response: Steps to detect, analyze, and mitigate security

breaches. Example: Activating a response plan after detecting a
phishing attack.
02.
Confidentiality,
Integrity, and
Availability (CIA)
The CIA triad forms the foundation of ISS by defining its
objectives:

 Confidentiality: Ensures sensitive information is accessible

only to authorized individuals. Example: Restricting access to
financial records to the finance team through role-based
permissions.

 Integrity: Ensures data is accurate and unaltered unless

authorized. Example: Using hashing algorithms to verify the
integrity of transmitted files.

 Availability: Ensures that information and systems are

accessible when needed. Example: Implementing redundant
systems to maintain service during hardware failures.
 Five Fundamental Security
Principles
Confidentiality
Ensuring that information
is only accessible to those
who are authorized to
view it. For example, using
encryption to protect
sensitive data.
Integrity
Maintaining the accuracy
and completeness of
information. For example,
using checksums or hashes
to verify that data has not
been altered.
Availability
Ensuring that information and
resources are available to
authorized users when needed.
For example, implementing
redundancy and failover systems
to prevent downtime.

Authentication
Verifying the identity of users
and systems. For example,
using multi-factor
authentication (MFA) to
strengthen access controls.
Authorization
Ensuring that actions or
transactions cannot be denied
by the parties involved. For
example, using digital
signatures to provide proof of
origin and integrity of data.
03.
The Seven
Domains of an
IT Infrastructure
The seven domains outline areas within an IT infrastructure that require
security controls:

1. User Domain: End users interacting with IT systems. Example: Employees using secure
passwords.

2. Workstation Domain: Devices used by users (e.g., computers, laptops). Example: Installing
antivirus software on workstations.

3. LAN Domain: Internal networks connecting workstations and servers. Example: Configuring
firewalls to restrict traffic.

4. LAN-to-WAN Domain: The transition point between the internal network and the internet.
Example: Deploying intrusion detection systems (IDS).

5. WAN Domain: Connections between remote sites or external networks. Example: Using VPNs
for secure remote access.

6. Remote Access Domain: Connections from external users or devices to internal systems.
Example: Implementing MFA for remote logins.

7. System/Application Domain: Critical systems and applications. Example: Applying regular

patches and updates to a customer relationship management (CRM) system.
04.
IT Security Policy
Framework and Data
Standard
Classification
An IT security policy framework defines the structure and guidelines for securing
information systems, while data classification organizes data based on its sensitivity.

 IT Security Policy Framework: A structured set of policies, procedures, and standards.

 Example Policies:
 Acceptable Use Policy (AUP): Specifies appropriate use of IT resources.
 Incident Response Policy: Defines actions during security incidents.

 Data Standard Classification: Categorizes data into levels based on sensitivity and required
protection.
 Examples of Classifications:
 Public Data: Minimal impact if disclosed (e.g., website content).
 Internal Data: For internal use only (e.g., employee directories).
 Confidential Data: Sensitive information (e.g., customer records).
 Restricted Data: Highly sensitive (e.g., trade secrets).