
Information systems security is often expressed in terms of the basic
principles of CIA - confidentiality, integrity and availability. The
following table gives a simple description of the principle, plus an
example of a control measure that can be used to achieve that
principle.
Principle       | Description                                                                | Control example
Confidentiality | Only those people who should have access do have access                    | Access control lists on objects or files
Integrity       | Data is not changed either by accident or by deliberate malicious intent   | Hashing or signing of files to allow identification of unauthorised changes
Availability    | Data should be available whenever it is needed                             | Fault-tolerant clusters of servers
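The integrity control in the table (hashing files so that unauthorised changes can be identified) is easy to show in working code. The following is an added example written for this page, not code from the original article: it builds a SHA-256 baseline of a directory, rescans it later and reports which files were modified, added or removed. It also HMAC-signs the baseline itself, because a bare list of hashes can be rewritten by whoever altered the files; the key, the temporary directory and the sample files are all constructed for the demonstration.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

CHUNK_SIZE = 65536  # read files in 64 KiB pieces so large files are not loaded whole


def hash_file(path):
    """Return the SHA-256 hex digest of one file."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map every regular file under root (path relative to root) to its digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline, current):
    """Classify the differences between a stored baseline and a fresh scan."""
    return {
        "modified": sorted(k for k in baseline
                           if k in current and baseline[k] != current[k]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def sign_baseline(baseline, key):
    """HMAC-SHA256 over the canonical JSON form of the baseline.

    Keeping the key off the monitored host makes the stored baseline
    tamper-evident: changing a file and then 'fixing' its recorded hash
    would break the tag.
    """
    canonical = json.dumps(baseline, sort_keys=True,
                           separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_baseline(baseline, key, tag):
    """Constant-time check that the baseline still matches its HMAC tag."""
    return hmac.compare_digest(sign_baseline(baseline, key), tag)


def demo():
    """Constructed scenario: three files are baselined, then one is edited,
    one deleted and one added. Returns the comparison report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "config.txt").write_text("debug=false\n")
        (root / "app.bin").write_bytes(bytes(range(16)))
        (root / "notes.txt").write_text("baseline notes\n")
        baseline = build_baseline(root)

        (root / "config.txt").write_text("debug=true\n")       # unauthorised edit
        (root / "notes.txt").unlink()                           # deletion
        (root / "extra.txt").write_text("dropped in later\n")  # unexpected new file
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

Running the script prints the report from the constructed scenario: `config.txt` modified, `extra.txt` added, `notes.txt` removed. In practice the baseline and its tag would be written once at a known-good point and kept somewhere the monitored system cannot write to; digital signatures (the other option the table names) replace the shared HMAC key with a private key when several parties need to verify the same baseline.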
These three base principles can be expanded out into a large array of
detailed technical areas. Some examples include:
- Access control to prevent unauthorised access,
- Access control to enable authorised access,
- Encryption to protect data from prying eyes,
- Access controls to prevent unauthorised modification,
- Change control,
- Separation of duties, so that two people are needed for important changes,
- Logging and accounting to track any changes made,
- Business continuity planning,
- High availability design,
- Malware protection,
- Backup and recovery,
- Software and applications security,
- Risk management,
- Physical security,
- Network security,
- Governance and management systems,
and this is nowhere near a comprehensive list, but it does give some feel
for the wide array of topics covered by the information security
field.
So the information security field gets to touch almost all areas of information systems management.
An information security management system is all about developing policies and processes to meet an organisation's information security objectives.
There are a number of good standards covering information security or IT governance designed to improve information security. A common standard is ISO 27001 which describes requirements for Information Security Management Systems (ISMS).
Cybersecurity is an odd term. In the modern sense, cyber is taken to mean "relating to computers, information technology and the internet" (put "definition of cyber" into your favourite search engine if you want something more formal).
Security, in regards to information systems, is anything that impacts on confidentiality, integrity or availability of the systems or the information and data they contain.
Cyber security is a major issue in the information systems space. Just do a quick search for 'security breach' and the list of organisations that have had data stolen is huge. Computer viruses are now being changed to extract money, a recent example being CryptoLocker.
See my cybersecurity page for more on this fast developing area.
ISO 27001 implementation and assessment.
COBIT.
ITIL and Security.
User Security Awareness Training.
Malware and computer viruses.
Security Metrics.
Copyright 2014 Edward Hall. All rights reserved.
Last revised 17 May 2014.