
IBM ICE (Innovation Centre for Education)

Welcome to:
Unit 1 - The CIA Triad

© Copyright IBM Corporation 2015 9.1


Unit objectives
IBM Power Systems

After completing this unit, you should be able to:

• Describe the basics of Information Security
• Explain the elements of Information Security and how they relate to each other
• Identify the benefits of Information Security and the common issues it faces
• Apply an appropriate methodology for Cost Benefit Analysis



Background

• The Internet is a worldwide collection of networks that has advanced beyond anybody's expectations
• The Internet gives individuals convenient access to data, but that convenience comes with associated risks
• Critical information can be changed, misused, stolen or lost
• All of this drives continuing advances in Information Security



Introduction to Information Security

• Definition
– Information Security is the process of protecting critical information and the elements that handle it, including the networks and systems that use data at rest, in use or in motion
• Explanation
– Information Security is not only about securing the system that receives or sends data; it is about securing the entire set of assets in an organization, including the hardware, software, people, data, networks and procedures that make use of the organization's information resources
• Example
– If the company allows the use of USB pen drives, leakage of information cannot be prevented by securing the network alone: the people and procedures around the data are part of the attack surface too



Elements of Information Security 1

• Confidentiality
– Preventing the disclosure of information to individuals or groups who are not authorized to have access to that information is called maintaining confidentiality
• Explanation
– Confidentiality means controlling or restricting access to critical information to certain individuals or groups. Two closely related principles support it: "need-to-know" (a person is given access only to the information required for their duties) and "least privilege" (a person or process is given no more access rights than the task requires)
• Example
– An employee without the appropriate authorization should not be able to view the payroll details or the personal information of other colleagues



Elements of Information Security 2

• Integrity
– Preserving the integrity of information means protecting the accuracy and completeness of the information and of the methods used to process and manage it
• Explanation
– Integrity of data means that the information presented is trustworthy: it has not been changed or tampered with, in storage or in transit, by an unauthorized individual or group. Integrity includes authenticity, meaning that the data is genuinely what its claimed source produced and is present in its original form
• Example
– If someone sends an online money transfer for $100 but the information is tampered with in transit so that the transfer value becomes $10,000, it could prove very costly for that person. Detecting such a change requires a check the attacker cannot recompute, such as a keyed message authentication code or a digital signature
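The $100 transfer from the example, as an added Python illustration that is not part of the original IBM slides: the sender attaches an HMAC-SHA256 tag computed with a key shared only with the bank, an attacker changes the amount to $10,000 in transit, and the receiver's verification fails. It also shows why a plain, keyless hash is not an integrity control against an active attacker, who simply recomputes the hash after tampering. The shared key, account numbers, nonce and amounts are constructed placeholders.

```python
from __future__ import annotations

import hashlib
import hmac
import json

# Constructed placeholder key for the example. In practice this is a per-customer
# or per-session secret shared only by the banking app and the bank's backend.
SHARED_KEY = b"example-shared-key-not-for-production"

# Constructed sample transfer: the $100 payment from the slide.
ORIGINAL_TRANSFER = {"from": "ACC-1001", "to": "ACC-2002", "amount": 100,
                     "currency": "USD", "nonce": 7}


def canonical(transfer: dict) -> bytes:
    """Serialise the transfer deterministically so both ends MAC identical bytes."""
    return json.dumps(transfer, sort_keys=True, separators=(",", ":")).encode()


def sign_transfer(transfer: dict, key: bytes = SHARED_KEY) -> str:
    """Sender side: compute the HMAC-SHA256 tag that travels with the transfer."""
    return hmac.new(key, canonical(transfer), hashlib.sha256).hexdigest()


def verify_transfer(transfer: dict, tag: str, key: bytes = SHARED_KEY) -> bool:
    """Receiver side: recompute the tag over the bytes actually received and
    compare in constant time (compare_digest avoids timing leaks)."""
    return hmac.compare_digest(sign_transfer(transfer, key), tag)


def tamper_in_transit(transfer: dict) -> dict:
    """Constructed attacker action: change $100 to $10,000 on the wire."""
    return dict(transfer, amount=10_000)


def hmac_demo() -> tuple[bool, bool]:
    """Returns (clean_accepted, tampered_accepted) for the keyed check."""
    tag = sign_transfer(ORIGINAL_TRANSFER)
    clean_accepted = verify_transfer(ORIGINAL_TRANSFER, tag)
    tampered_accepted = verify_transfer(tamper_in_transit(ORIGINAL_TRANSFER), tag)
    return clean_accepted, tampered_accepted


def plain_hash_demo() -> bool:
    """Why a keyless hash is not an integrity control against an active attacker:
    the attacker tampers, recomputes SHA-256 (no secret needed) and the receiver
    accepts. Returns True if the tampered transfer is accepted."""
    tampered = tamper_in_transit(ORIGINAL_TRANSFER)
    forged_digest = hashlib.sha256(canonical(tampered)).hexdigest()   # attacker
    receiver_digest = hashlib.sha256(canonical(tampered)).hexdigest()  # receiver
    return receiver_digest == forged_digest


if __name__ == "__main__":
    print("HMAC: clean accepted, tampered accepted =", hmac_demo())
    print("Plain SHA-256: tampered accepted =", plain_hash_demo())
```

The HMAC gives integrity and data-origin authenticity (only a holder of the key could have produced the tag) but no confidentiality: the transfer is still readable on the wire, which is why in practice it travels inside TLS. The nonce field is what lets the receiver reject a replayed, correctly tagged message; the MAC alone does not.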


Elements of Information Security 3

• Availability
– Availability means that an asset is accessible and usable whenever it is needed by an authorized entity
• Explanation
– This means that all the components of the computing systems used to process and store critical information, the communication channels used to access it, and the security controls that protect it must work as expected and be available whenever authorized users need them
• Example
– Service disruptions in a network due to hardware failures, power outages or system upgrades can make the system or the network unavailable



Elements of Information Security 4

• Identification
– The process by which a user presents a claimed identity to an automated data processing system, generally in the form of a unique machine-readable name
• Explanation
– Identification only states who the user claims to be; it does not prove it (that is the job of authentication). Normally, identification uses information that is not secret, i.e., a user name or user ID. Identification is the first step in the chain of Access Management
• Example
– When the user swipes his ATM card, the card number identifies the account holder to the core banking platform



Elements of Information Security 5

• Authentication
– Authentication is the process of verifying that the identified user is the real owner of the claimed identity
• Explanation
– Authentication ascertains the claimed identity by verifying evidence provided by the user, such as something the user knows (a PIN or password), has (a card or token) or is (a biometric)
• Example
– After swiping the ATM card, the user has to enter his secret PIN. Once the PIN is verified, the user is authenticated and may proceed to the desired transaction



Elements of Information Security 6

• Authorization
– Authorization is the act or technique of granting a user the appropriate permissions to access a particular file or perform a particular action
• Explanation
– Authorization is the process of ensuring that an authenticated employee has exactly the access rights needed to perform the operation requested, and no more. Being authenticated does not by itself grant permission to perform every action
• Example
– When the user has completed authentication by entering the ATM PIN, he can perform only those transactions that he is authorized for



Elements of Information Security 7

• Accountability
– Accountability means that every individual who works with an information system has specific responsibilities for information assurance and can be held to them
• Explanation
– It ensures that events and actions can be traced back to their origin, establishing responsibility for the actions and/or omissions that have taken place. This requires that every action is recorded against the identity that performed it
• Example
– Once the user has been authenticated and authorized at the ATM, he is accountable for any task carried out on his account during that session



Elements of Information Security 8

• Auditing
– Auditing is the formal review and examination of the actions or activities of any user
• Explanation
– Event auditing allows the reliable, configurable and fine-grained logging of the various system events that occur, so that they can later be reviewed
• Example
– The transactions done by the user at the ATM are stored in logs that can be reviewed to reconstruct the activities carried out during the session
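The ATM scenario that runs through Elements 4 to 8, together with the need-to-know rule from the Confidentiality element, as one added Python example that is not part of the original IBM slides: the card number identifies, the PIN authenticates against a stored salted verifier (the PIN itself is never stored), per-account permissions authorize each action, every event is recorded against the identity that caused it (accountability), and the log can be reviewed per identity (auditing). Card numbers, PINs, balances and permissions are constructed sample data, and the `ATM` class and its method names are hypothetical.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field

# All card numbers, PINs, balances and permissions below are constructed sample
# data for this example; the ATM class and its method names are hypothetical.

def hash_pin(pin: str, salt: bytes) -> bytes:
    """Derive a PIN verifier; the bank stores this, never the PIN itself."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

@dataclass
class Account:
    card_id: str            # identifier the card presents: public, not secret
    salt: bytes
    pin_hash: bytes         # authenticator derived from the secret PIN
    balance: int
    permissions: frozenset  # actions this identity is authorized to perform

@dataclass
class ATM:
    accounts: dict
    audit_log: list = field(default_factory=list)

    def _record(self, card_id: str, action: str, outcome: str, detail: str = "") -> None:
        """Accountability: every event is bound to the identity that triggered it."""
        self.audit_log.append({"ts": time.time(), "card_id": card_id,
                               "action": action, "outcome": outcome, "detail": detail})

    def identify(self, card_id: str) -> bool:
        """Identification: the card number is a claim of identity, not proof of it."""
        known = card_id in self.accounts
        self._record(card_id, "identify", "ok" if known else "unknown-card")
        return known

    def authenticate(self, card_id: str, pin: str) -> str | None:
        """Authentication: check the PIN against the stored verifier in constant time.
        Returns the authenticated card_id (the session identity) or None."""
        if not self.identify(card_id):
            return None
        acct = self.accounts[card_id]
        ok = hmac.compare_digest(hash_pin(pin, acct.salt), acct.pin_hash)
        self._record(card_id, "authenticate", "ok" if ok else "bad-pin")
        return card_id if ok else None

    def view_balance(self, session: str, target_card: str) -> int:
        """Authorization enforcing confidentiality: need-to-know limits which
        balance a session may read (its own, or any account with a special right)."""
        allowed = (target_card == session
                   or "view_any_balance" in self.accounts[session].permissions)
        self._record(session, "view_balance", "ok" if allowed else "denied",
                     f"target={target_card}")
        if not allowed:
            raise PermissionError("not authorized to view this account")
        return self.accounts[target_card].balance

    def withdraw(self, session: str, amount: int) -> int:
        """Authorization: an authenticated session still needs the 'withdraw' right."""
        acct = self.accounts[session]
        if "withdraw" not in acct.permissions:
            self._record(session, "withdraw", "denied", f"amount={amount}")
            raise PermissionError("not authorized to withdraw")
        acct.balance -= amount
        self._record(session, "withdraw", "ok", f"amount={amount}")
        return acct.balance

    def audit(self, card_id: str) -> list:
        """Auditing: formal review of everything recorded for one identity."""
        return [e for e in self.audit_log if e["card_id"] == card_id]

def make_bank() -> ATM:
    """Two constructed customer accounts, each with a fresh random salt."""
    salt_a, salt_b = os.urandom(16), os.urandom(16)
    return ATM(accounts={
        "CARD-1001": Account("CARD-1001", salt_a, hash_pin("4821", salt_a), 500,
                             frozenset({"withdraw"})),
        "CARD-2002": Account("CARD-2002", salt_b, hash_pin("9090", salt_b), 1200,
                             frozenset({"withdraw"})),
    })

def run_demo() -> dict:
    """Walk one cardholder through the whole chain and return the observable outcomes."""
    atm = make_bank()
    results = {"wrong_pin_rejected": atm.authenticate("CARD-1001", "0000") is None}
    session = atm.authenticate("CARD-1001", "4821")
    results["own_balance"] = atm.view_balance(session, "CARD-1001")
    try:
        atm.view_balance(session, "CARD-2002")  # another customer's data: need-to-know
        results["other_balance_denied"] = False
    except PermissionError:
        results["other_balance_denied"] = True
    results["after_withdraw"] = atm.withdraw(session, 120)
    results["audit_outcomes"] = [e["outcome"] for e in atm.audit("CARD-1001")]
    return results
```

Two points worth noticing in the audit trail returned by `run_demo()`: the failed PIN attempt is logged against the card that presented it, which is what makes a later brute-force investigation possible, and the denied request to read another customer's balance is recorded as well, so the auditor sees attempted as well as successful access. The identification step alone never grants anything; only after `authenticate` returns a session does any authorization check run.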



Implementing Information Security

• Information Security implementation is commonly based on the Deming cycle, an iterative four-step management method used in business for the control and continuous improvement of processes and products
• This approach is also known as the PDCA cycle, according to which there are four steps for the appropriate implementation of information security:
– Plan: Define the approach for implementing information security, including the objectives and the controls to be put in place
– Do: Implement the plan that was created in the planning phase
– Check: Review the implementation of information security against the plan, for example through monitoring and audits
– Act: Take appropriate corrective and improvement measures based on the findings of the review, then start the cycle again


PDCA Cycle

(Figure: the PDCA cycle, Plan → Do → Check → Act, repeated continuously)


Developing an Information Security Strategy

• To develop a strategic information security plan, the classical information security values of confidentiality, integrity and availability are integrated into trust relationships that are based on defined protocols of data communication
• An information security strategic plan helps establish an organization's approach to securing information
• This approach is the collection of activities that support as well as protect information
• Effective mechanisms are created to control the security of the company; the strategy is about managing these mechanisms and making them operational



Types of Security Strategy

• There are 2 types of Security Strategy:
– Business Strategy: It helps an organization to tangibly connect its information security policies, procedures and practices with business goals, enabling it to secure the funding needed to create real value for the organization
• Business-aligned security program
• Communicating and selling the vision to executives
• Threat and risk analysis to set priorities
– Technical Strategy: It sets out how the organization will proactively build and maintain security programs such as data protection, risk management and threat management. Without such a strategy, most security departments are overwhelmed by managing day-to-day activities, sticking to a dated program and trying to add value to the business, with no time or resources left to create or shore up those programs



Stakeholders of Security Strategy

• Top Management
• Head of Departments
• Information Security Team
• IT Manager
• System Administrators



Considerations for Security Strategy

• Align an organization's information security strategy with business goals: this enables the organization to secure budget for initiatives more successfully, gain support for the security mandate and demonstrate the value of a comprehensive information security strategy
• Align an organization's security technology with its business needs, maturity and capabilities: this helps the organization maximize the capabilities of its current information security solutions and determine which new technologies are needed to support the strategy
• Develop an in-depth analysis of the threats and risks that impact the organization: this helps identify relevant threats, document areas of risk and benchmark the maturity of the organization's current information security program


Steps of Security Strategy

• Defining the various control objectives
• Identifying and assessing the approaches necessary to
meet the given objectives
• Selecting the controls
• Establishing the benchmarks and metrics
• Preparing the implementation and testing plans



Information Security Benefits

• Protects the assets
• Improves awareness
• Saves money
• Gives an organization a competitive edge by enhancing brand and reputation
• Reduces the organization's exposure to lawsuits



Threat and Vulnerability types

• Environmental: Undesirable site-specific chance occurrences such as lightning, fire, sprinkler activation, etc.
• Physical: Undesirable personnel actions, either intentional or unintentional, such as theft, robbery, etc.
• Site-Support: Concerns about site services such as electrical power, telephone service, etc.
• Technical: System-specific hazards such as improper system operation, malicious software installation, etc.



Information Security Issues

• Non-existent Security Architecture
• Failure to update Software and Applications in a timely manner (unpatched systems)
• Phishing and Targeted Attacks
• Poor Configuration Management
• Issues associated with Cloud Computing
• Insider attacks



Cost Benefit Analysis (CBA) – Requirements

• Damages due to incidents
• Costs of implementing the solutions for maintaining security
• Loss avoided per incident by each security solution (the "neglecting amount" in the original slides)



Cost Benefit Analysis (CBA) – Phases

• Calculate the net avoided loss (the "net neglecting amount" in the original slides) for all solutions to implement security
• Calculate incident risk, the baseline scenario and total damage
• Calculate the Risk-based Return on Investment (RROI)



Checkpoint (1 of 7)

1. What does Information Security protect?
– IT
– Assets of an organization
– Computer systems
– Process
2. What is a Deming cycle?
– Strategy cycle
– Implementation method
– PDCA cycle
– Information Security process



Checkpoint Solutions (1 of 7)

1. What does Information Security protect?
– IT
– Assets of an organization (correct)
– Computer systems
– Process
2. What is a Deming cycle?
– Strategy cycle
– Implementation method
– PDCA cycle (correct)
– Information Security process



Checkpoint (2 of 7)

3. What does CIA stand for?
– Change, Incident and Agreement
– Confidentiality, Integrity and Auditing
– Confidentiality, Integrity and Accountability
– Confidentiality, Integrity and Availability
4. What is Confidentiality?
– To prevent the disclosure of information to individuals or groups of individuals who are unauthorized to have access to that information
– To protect the accuracy and completeness of information and the methods that are used to process and manage it
– It states that an asset must be available when needed by an authorized entity, if it is accessible and usable
– Every individual who works with an information system should have specific responsibilities for information assurance



Checkpoint Solutions (2 of 7)

3. What does CIA stand for?
– Change, Incident and Agreement
– Confidentiality, Integrity and Auditing
– Confidentiality, Integrity and Accountability
– Confidentiality, Integrity and Availability (correct)
4. What is Confidentiality?
– To prevent the disclosure of information to individuals or groups of individuals who are unauthorized to have access to that information (correct)
– To protect the accuracy and completeness of information and the methods that are used to process and manage it
– It states that an asset must be available when needed by an authorized entity, if it is accessible and usable
– Every individual who works with an information system should have specific responsibilities for information assurance


Checkpoint (3 of 7)

5. What is Integrity?
– To prevent the disclosure of information to individuals or group of
individuals who are unauthorized to have access to that information
– To protect the accuracy and completeness of information and the
methods that are used to process and manage it
– It states that an asset must be available when needed by an
authorized entity, if it is accessible and usable
– Every individual who works with an information system should have
specific responsibilities for information assurance



Checkpoint Solutions (3 of 7)

5. What is Integrity?
– To prevent the disclosure of information to individuals or group of individuals who are unauthorized to have access to that information
– To protect the accuracy and completeness of information and the methods that are used to process and manage it (correct)
– It states that an asset must be available when needed by an authorized entity, if it is accessible and usable
– Every individual who works with an information system should have specific responsibilities for information assurance



Checkpoint (4 of 7)

6. What is Availability?
– To prevent the disclosure of information to individuals or group of
individuals who are unauthorized to have access to that information
– To protect the accuracy and completeness of information and the
methods that are used to process and manage it
– It states that an asset must be available when needed by an
authorized entity, if it is accessible and usable
– Every individual who works with an information system should have
specific responsibilities for information assurance



Checkpoint Solutions (4 of 7)

6. What is Availability?
– To prevent the disclosure of information to individuals or group of individuals who are unauthorized to have access to that information
– To protect the accuracy and completeness of information and the methods that are used to process and manage it
– It states that an asset must be available when needed by an authorized entity, if it is accessible and usable (correct)
– Every individual who works with an information system should have specific responsibilities for information assurance



Checkpoint (5 of 7)

7. What is Accountability?
– To prevent the disclosure of information to individuals or group of
individuals who are unauthorized to have access to that information
– To protect the accuracy and completeness of information and the
methods that are used to process and manage it
– It states that an asset must be available when needed by an
authorized entity, if it is accessible and usable
– Every individual who works with an information system should have
specific responsibilities for information assurance



Checkpoint Solutions (5 of 7)

7. What is Accountability?
– To prevent the disclosure of information to individuals or group of individuals who are unauthorized to have access to that information
– To protect the accuracy and completeness of information and the methods that are used to process and manage it
– It states that an asset must be available when needed by an authorized entity, if it is accessible and usable
– Every individual who works with an information system should have specific responsibilities for information assurance (correct)



Checkpoint (6 of 7)

8. Who are the Stakeholders for Information Security strategy?
– Top Management, IT Managers, Information Security officials and Administrators
– Top Management, IT Managers, Information Security team and Technology developers
– Top Management, Information Security team, Security Guards and Surveillance team
– Departmental Heads, Information Security team, Administrator heads and Incident Response team
9. What is Risk Mitigation?
– To accept the risk
– To reduce the risk
– To manage the risk
– To transfer the risk


Checkpoint Solutions (6 of 7)

8. Who are the Stakeholders for Information Security strategy?
– Top Management, IT Managers, Information Security officials and Administrators (correct)
– Top Management, IT Managers, Information Security team and Technology developers
– Top Management, Information Security team, Security Guards and Surveillance team
– Departmental Heads, Information Security team, Administrator heads and Incident Response team
9. What is Risk Mitigation?
– To accept the risk
– To reduce the risk (correct)
– To manage the risk
– To transfer the risk


Checkpoint (7 of 7)

10. What is Cost vs Benefits analysis?
– Monetary value of the benefits gained from the security products
– Benefits gained from the expensive security products
– Security products have certain costs and benefits associated with them
– Comparison between the cost of the product and the benefits gained from it by an organization



Checkpoint Solutions (7 of 7)

10. What is Cost vs Benefits analysis?
– Monetary value of the benefits gained from the security products
– Benefits gained from the expensive security products
– Security products have certain costs and benefits associated with them
– Comparison between the cost of the product and the benefits gained from it by an organization (correct)



Unit summary

Having completed this unit, you should be able to:

• Describe the basics of Information Security
• Explain the elements of Information Security and how they relate to each other
• Identify the benefits of Information Security and the common issues it faces
• Apply an appropriate methodology for Cost Benefit Analysis
