Information system

An information system is a system, whether automated or manual, that comprises people, machines and/or methods organized to collect, process, transmit and disseminate data that represent user information.

Information

Information is data that have been shaped into a form that is meaningful and useful to human beings, while data are raw facts representing events or physical environment.

Security

Security is a minimization of vulnerabilities of assets and resources.

Information technology security - security of systems that are based on computers
Information systems security - security of computer based systems that includes human factor

Security importance has been growing with the wider application and penetration of computer communications during last decades. Until recently the emphasis in the field of security and privacy has been on technology. Today the importance of the human factor became a major concern as human resources usually present the weakest link in the security. Security and privacy should become integral part of corporate culture.

Legislation always lags behind technological advances. Legislation is important not only to prevent unacceptable practices but also to support and stimulate further development.

• Threat - any potential cause of an incident
• Risk - potential of a given threat to exploit vulnerabilities of an asset and cause damage
• Vulnerability - weakness that may be exploit by a threat

• Risk management - process of identifying, controlling and minimizing events that may endanger resources
• Risk analysis - identifying security risks, their magnitude and required safeguards
• Safeguards - comprise practices, procedures or mechanisms that reduce risks
• Residual risk - risk remaining after the implementation of safeguards (should be sufficiently low to be acceptable)
• Baseline control - the determined minimal set of safeguards

• Security policy - rules and practices that govern information systems assets protection
• Configuration management - process dealing with keeping track of system changes in order to prevent the degradation of implemented safeguards as the result of change

Privacy definition

Privacy means someone's right to keep their personal matters and relationships secret.

Confidentiality - property of preventing information disclosure to unauthorized entities
Authenticity - property that ensures that an entity is the one claimed to be

Data integrity - meaning that data have not been altered or destroyed without authorization
System integrity - property that ensures the intended system functionality in an unimpaired manner

Assets

Anything of a value to the organization.
Identification of assets is the first step of security. If we do not know what should be protected we cannot protect it.


Reliability - property of ensuring intended behavior
Availability - being accessible and usable as planned
Accountability - property of ensuring that the actions of a certain entity can be traced to this entity

• absent safeguards
• physical mechanisms (cryptographic keys)
• logical safeguards
  
  • human (human-human and human-machine interactions)
  • security services
  • security mechanisms (cryptographic algorithms)

Threats

• physical
• logical
• social

Threats identification is second step. We organize them into categories.

• categories should not overlap
• all categories together cover all possibilities
• classification is unambiguous and precise
• classification is repeatable
• classification is logical and intuitive
• useful in terms of providing an insight into the field

Vulnerability risk analysis is performed - includes examination of the following weaknesses:

• physical
• organizational
• procedural
• personnel related
• management related
• constructional
• logical weakness of hardware and software
• information weakness

Analysis of risk impacts as a consequences of a successful attack.
Impacts can be

• direct (e.g. destroying asset)
• indirect (e.g. damage to goodwill).

Risk impact can be estimated through:

• qualitative measurement
• quantitative measurement

Risk management

• determination of security and privacy objectives (based on strategies)
• determination of required safeguards (based on risk analysis)
• monitoring implementation
• detecting incidents and reacting to them
• establishing security and privacy awareness culture

Risk analysis can be based on:

• Informal approach
  
  • pragmatic approach without structured methods
  • exploits knowledge and experiences of employees
  • can be done in a short time period
  • some risks can be overlooked
  • change management is difficult
• Baseline approach
  • selection of a standardized set of safeguards
  • no need for detailed risk analysis
  • it may overestimate or underestimate real requirements
• Detailed analysis
  • identification and evaluation of assets and threats
  • each safeguard is justified to the level of acceptable risk
  • extensive input of resources
• Combined approach
  • critical systems are subject of detailed approach
  • non-critical systems are subject of baseline approach

• There is nothing like 100% security! It is wise to prepare for proper handling of bad times as much as possible.
• managing security and privacy cost money
• there is no profit organization can make by effective risk management
• organization can avoid costs due to intrusions and stolen information
• security and privacy is in many cases already legally obligatory