2. INFORMATION SYSTEM SECURITY PRINCIPLES
Confidentiality is concerned with preventing the unauthorized disclosure of sensitive information. The disclosure could be intentional, such as breaking a cipher and reading the information, or it could be unintentional, due to carelessness or incompetence of individuals handling the information.
There are three goals of integrity:
✦ Prevention of the modification of information by unauthorized users
✦ Prevention of the unauthorized or unintentional modification of information by authorized users
✦ Preservation of the internal and external consistency
• Internal consistency ensures that internal data is consistent. For example, in an organizational database, the total number of items owned by an organization must equal the sum of the same items shown in the database as being held by each element of the organization.
• External consistency ensures that the data stored in the database is consistent with the real world. Relative to the previous example, the total number of items physically sitting on the shelf must equal the total number of items indicated by the database.
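The two consistency checks described above, written out as an added example that is not part of the original text. The table names, column names, sample rows and shelf counts are constructed assumptions; the checks also flag items that appear on only one side of a comparison.

```python
import sqlite3

# Constructed sample data; table and column names are assumptions for this example.
SCHEMA = """
CREATE TABLE org_totals (item TEXT PRIMARY KEY, total INTEGER NOT NULL);
CREATE TABLE holdings (element TEXT, item TEXT, qty INTEGER NOT NULL);
INSERT INTO org_totals VALUES ('laptop', 30), ('router', 8), ('badge', 5);
INSERT INTO holdings VALUES
  ('finance', 'laptop', 10), ('engineering', 'laptop', 20),
  ('engineering', 'router', 5), ('operations', 'router', 2),
  ('operations', 'scanner', 1);
"""

def build_sample_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def internal_inconsistencies(db):
    """Items whose organization-wide total differs from the sum held by each element."""
    rows = db.execute("""
        SELECT i.item, MAX(t.total), COALESCE(SUM(h.qty), 0)
        FROM (SELECT item FROM org_totals UNION SELECT item FROM holdings) AS i
        LEFT JOIN org_totals AS t ON t.item = i.item
        LEFT JOIN holdings AS h ON h.item = i.item
        GROUP BY i.item
        ORDER BY i.item
    """).fetchall()
    # A total of None means an element holds an item the organization never recorded.
    return [(item, total, held) for item, total, held in rows if total != held]

def external_inconsistencies(db, shelf_counts):
    """Items whose database total differs from a physical count (dict: item -> quantity)."""
    recorded = dict(db.execute("SELECT item, total FROM org_totals"))
    items = sorted(set(recorded) | set(shelf_counts))
    # None on either side means the item is missing from the database or from the shelf.
    return [(i, recorded.get(i), shelf_counts.get(i))
            for i in items if recorded.get(i) != shelf_counts.get(i)]

if __name__ == "__main__":
    db = build_sample_db()
    print("internal:", internal_inconsistencies(db))
    # Constructed physical inventory: one laptop is missing from the shelf.
    print("external:", external_inconsistencies(db, {"laptop": 29, "router": 8, "badge": 5}))
```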
Availability assures that a system’s authorized users have timely and uninterrupted access to the information in the system and to the network.
Other important terms
Also important to network security are the following four C-I-A–related terms:
✦ Identification—The act of a user professing an identity to the system, such as a logon ID
✦ Authentication—Verification that the user’s claimed identity is valid, such as through the use of a password
✦ Accountability—Determination of the actions and behavior of a single individual within a system, and holding the individual responsible for his or her actions
✦ Authorization—The privileges allocated to an individual (or process) that enable access to a computer resource
Defense-in-Depth is a layered protection scheme for critical information system components. The Defense-in-Depth strategy comprises the following areas:
✦ Defending the network and infrastructure
✦ Defending the enclave boundary
✦ Defending the computing environment
✦ Supporting Infrastructures
The term enclave as used in the Defense-in-Depth protection strategy refers to a “collection of computing environments connected by one or more internal networks under the control of a single authority and security policy, including personnel and physical security. Enclaves always assume the highest mission assurance category and security classification of the automated information system (AIS) applications or outsourced IT-based processes they support, and derive their security needs from those systems. They provide standard information assurance (IA) capabilities such as boundary defense, incident detection and response, and key management, and also deliver common applications such as office automation and electronic mail. Enclaves are analogous to general support systems as defined in OMB A-130. Enclaves may be specific to an organization or a mission, and the computing environments may be organized by physical proximity or by function independent of location. Examples of enclaves include local area networks (LANs) and the applications they host, backbone networks, and data processing centers.” (DoD Directive 8500.1, “Information Assurance (IA),” October 24, 2002). The enclaves in the U.S. federal and defense computing environments can be categorized as public, private, or classified.
The Defense-in-Depth strategy is built on three critical elements: people, technology, and operations.
To implement effective information assurance in an organization, management must have a high-level commitment to the process. This commitment is manifested through the following items and activities:
✦ Development of information assurance policies and procedures
✦ Assignment of roles and responsibilities
✦ Training of critical...