Passwords, encryption, firewalls, antivirus, user rights, domains… security terms are numerous and often a source of frustration for company end-users. However, with IT now so central to the business, any security compromise can have serious consequences. Protecting an organization's information and data from unauthorized access, use, disclosure, disruption, modification or destruction has become an essential part of the IT function.
Defining the ISO 27001 Security Space
According to ISO 27001, information security is the preservation of the confidentiality, integrity and availability of information; other properties, such as authenticity, accountability/traceability, non-repudiation and reliability, can also be involved. To help clarify these principles, we've put together this list of essential security term definitions:
Confidentiality: Ensure that information is disclosed only to the users (or systems) authorized to see it
Confidentiality is typically achieved through encryption, which renders the data unusable to anyone who intercepts it. A decryption step is required before the data can be used, and it is only possible with the corresponding cryptographic key, so protecting that key (who holds it, where it is stored) matters as much as the encryption itself.
Integrity: Ensure that the data have not been modified, or that any modification is detected
Unauthorized modifications can be made accidentally or intentionally, by an employee or by malware. Integrity is therefore necessary and is accomplished through tools including, but not limited to, user-specific access rights, antivirus and firewalls, complemented by integrity checks (checksums, hashes or message authentication codes) that reveal when data have been altered.
Availability: Ensure that services are available whenever needed by the users (or systems)
Information must be available whenever it is needed. Every system must therefore function correctly, and service disruptions (due to power outages, hardware failures or system upgrades) should be prevented through redundancy or confined to planned maintenance windows. This also implies supporting facilities such as power supply, air conditioning and physical access control in datacenters.
Authenticity: Ensure that the user (or system) is who it claims to be
Authentication verifies a claimed identity and so prevents unauthorized persons from accessing an environment; authorization then decides what an authenticated user may do. A variety of well-known means exist, including passwords, network authentication, and access control to data through access rights or encryption.
Accountability/Traceability: Make users responsible for their actions
Employee responsibility is a key factor here: users who know their actions are attributable to them are less tempted to disrupt IT operations and are typically more careful. Logging and retaining the history of user actions (audit trails) on systems and networks is becoming a common way of dealing with accountability in large organizations.
Non-Repudiation: Ensure that a transferred message has been sent and received by the parties claiming to have sent and received it
It is a way to guarantee that the sender of a message cannot later deny having sent it and that the recipient cannot deny having received it. This is stronger than integrity or authenticity: it requires evidence that only the sender could have produced, such as a digital signature, rather than a secret both parties share.
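The following is an added example (not part of the original page) illustrating the integrity and non-repudiation definitions above with a message authentication code. The key and messages are constructed for the demonstration; the function names are our own. It shows that an HMAC tag detects any change to the message, but also that a receiver who holds the same shared key can produce a valid tag themselves, which is why a MAC gives integrity and authenticity but not non-repudiation.

```python
import hashlib
import hmac
import secrets

# Constructed example: a shared secret held by both sender and receiver.
SHARED_KEY = secrets.token_bytes(32)


def mac_message(key: bytes, message: bytes) -> bytes:
    """Return an HMAC-SHA256 tag; anyone holding `key` can detect changes to `message`."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_message(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recompute the tag and compare in constant time (avoids timing side channels)."""
    expected = mac_message(key, message)
    return hmac.compare_digest(expected, tag)


def integrity_demo(key: bytes = SHARED_KEY) -> dict:
    """Exercise the integrity check and show its limit regarding non-repudiation."""
    original = b"Transfer 100 EUR to account 1234"  # constructed sample message
    tag = mac_message(key, original)

    # Accidental or intentional modification in transit: the amount is changed.
    tampered = original.replace(b"100", b"900")

    # The receiver holds the same key, so it can build a valid tag for a message
    # the sender never sent: a MAC cannot prove *who* produced the message.
    forged = b"Transfer 900 EUR to account 1234"
    forged_tag = mac_message(key, forged)

    return {
        "original_ok": verify_message(key, original, tag),      # True: untouched
        "tampered_ok": verify_message(key, tampered, tag),      # False: detected
        "receiver_can_forge": verify_message(key, forged, forged_tag),  # True
    }


if __name__ == "__main__":
    for name, result in integrity_demo().items():
        print(f"{name}: {result}")
```

Because `receiver_can_forge` is true, a dispute between the two parties cannot be settled with the tag alone; non-repudiation needs a signature made with a private key that only the sender holds.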
Reliability: Ensure that information or a system behaves consistently and can be trusted
Defining Security Domains
Based on the above criteria, security is divided into three main domains: logical security, physical security and operational security.
Logical security refers to the software safeguards protecting an organization's systems. It relies on user identification and password access, authentication, access rights and authority levels. It also includes the encryption processes that help to enforce confidentiality and, where present, firewalls that prevent unauthorized exchanges between different applications. In order to apply logical security correctly, a classification of the data in terms of confidentiality is needed: documents may have different levels of confidentiality, for example normal, private or top secret, and each level dictates who may access the data and how it must be protected.
Physical security refers to the environment where the systems and servers are installed. It covers the security of both people and assets. Examples of physical security measures include:
· Security standards and policies
· Access control
· Personnel identification (badges)
· Video monitoring
· Environmental protection (fire, temperature…)
· Properly functioning air conditioning
· Protection of documentation
Operational security refers to every type of security dealing with the correct operation of application systems. It relies on tools and procedures that control maintenance, backups, updates, etc. The following are often used to promote efficient operational security:
· Definition of a backup and business continuity plan
· Disaster Recovery Plan (DRP)
· Computing equipment management and configuration management
· Monitoring of production systems
Standards such as ISO 27001 and risk analysis methods such as MEHARI provide a more detailed approach to IT operations security. In these frameworks, further security management domains are identified, including: Asset Management, Human Resources Security, Physical and Environmental Security, Communications and Operations Management, Access Control, Information Systems Acquisition, Development and Maintenance, Information Security Incident Management, Business Continuity Management, and Compliance.
