Welcome to:
Unit 1 - The CIA Triad
• Definition
– Information Security is the process of protecting critical information along
with its significant elements, including the networks and systems that use
the data at rest, in use or in motion
• Explanation
– Information Security is not only about securing the system which
receives or sends data; it is about securing the entire set of assets in
an organization, including hardware, software, people, data, networks
and procedures that make use of the information resources available in
the organization
• Example
– If the use of pen drives is allowed in the company, then leakage of
information can never be restricted
• Confidentiality
– Maintaining confidentiality means preventing the disclosure of information
to individuals or groups of individuals who are not authorized to have
access to that information
• Explanation
– Confidentiality means to control or restrict access to critical information
to certain individuals or groups of individuals. One of the crucial
principles of confidentiality is “need-to-know”, or in other words “least
privilege”
• Example
– An employee without the appropriate authorization should not be
allowed to view the payroll details or the personal information of other
colleagues
• Integrity
– To preserve the integrity of information means to protect the accuracy
and completeness of information and the methods that are used to
process and manage it
• Explanation
– Integrity of data means that the information presented is trustworthy
and that it has not been changed or tampered with during its transmission
by an unauthorized individual or group of individuals. Integrity assures
that the information has not been changed. It includes authenticity, which
means that the form in which the original data is present has not been
changed
• Example
– If someone was sending an online money transfer for $100, but the
information was tampered with in such a way that the transfer value
changed to $10,000, it could prove to be very costly for that person
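The tampered-transfer scenario above, worked through as an added example (not part of the IBM ICE course material): the sender attaches an HMAC-SHA256 tag to the transfer message, so the receiving bank can detect that the amount was altered in transit. The shared key, account identifiers and amounts are constructed sample values.

```python
import hashlib
import hmac
import json

def _canonical(transfer: dict) -> bytes:
    # Serialize the fields in a fixed order so sender and receiver tag the same bytes.
    return json.dumps(transfer, sort_keys=True, separators=(",", ":")).encode()

def protect_transfer(transfer: dict, key: bytes) -> dict:
    """Sender side: attach an HMAC-SHA256 tag computed over the canonical message."""
    tag = hmac.new(key, _canonical(transfer), hashlib.sha256).hexdigest()
    return {"transfer": transfer, "tag": tag}

def verify_transfer(protected: dict, key: bytes) -> bool:
    """Receiver side: recompute the tag and compare it in constant time.
    Any change to the fields (or a tag made with another key) fails verification."""
    expected = hmac.new(key, _canonical(protected["transfer"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, protected["tag"])

def tampered_copy(protected: dict, new_amount: int) -> dict:
    """Model the in-transit modification from the slide: only the amount is changed."""
    copy = json.loads(json.dumps(protected))
    copy["transfer"]["amount_usd"] = new_amount
    return copy

# Constructed sample data: a shared key and the $100 transfer from the slide.
KEY = b"constructed-shared-key-for-demo"
ORIGINAL = protect_transfer({"from": "ACC-100", "to": "ACC-200", "amount_usd": 100}, KEY)
```

Without the tag the receiver has no way to tell the $100 message from the $10,000 one; with it, the altered message is rejected before any money moves.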
© Copyright IBM Corporation 2015
Elements of Information Security 3 IBM ICE (Innovation Centre for Education)
IBM Power Systems
• Availability
– Availability states that an asset must be available when needed by an
authorized entity, i.e., it is accessible and usable
• Explanation
– This means that all the components of the computing systems used to
process and store the critical information, the different communication
channels used to access it and the security controls used to protect the
information must be working as expected and should be available at all
times
• Example
– Service disruptions in a network due to hardware failures, power
outages or system upgrades, which could make the system or the
network unavailable
• Identification
– The process that enables recognition of a user described to an
automated data processing system. This is generally done by the use of
unique machine-readable names
• Explanation
– It is the process of identifying the user to verify whether he is who he
claims to be. Normally, identification is done with the help of
information that is known to everyone, i.e., a user name or user ID.
Identification is the first step in the Access Management chain of
processes
• Example
– When the user swipes his ATM card at an ATM machine, the user is
identified by the core banking platform
• Authentication
– Authentication is the process of verifying that the identified user is the
real owner of his/her identity
• Explanation
– Authentication is the process of ascertaining claimed user identity by
verifying user-provided evidence
• Example
– After swiping the ATM card, the user has to enter his secret PIN. Once
it is entered, the user is authenticated to process the desired
transaction
• Authorization
– Authorization is the act or technique of providing the appropriate
permissions to the user for accessing a particular file or performing a
particular action
• Explanation
– Authorization is the process of ensuring that an employee has sufficient
access rights to a particular piece of information so that the employee
can perform the operation he has requested
• Example
– When the user has completed his authentication by entering the ATM
PIN, he gets access to all the transactions that he has authorization
for
• Accountability
– Accountability means that every individual who works with an
information system should have specific responsibilities for information
assurance
• Explanation
– It ensures that the different events and actions taken can be tracked to
their origin, establishing responsibility for the actions and/or
omissions that may have taken place
• Example
– After the user is granted authorization to his account through the ATM,
he is accountable for any tasks that are carried out by him on his
account
• Auditing
– Auditing is the formal review and examination of the actions or
activities of any user
• Explanation
– Event Auditing allows the reliable, configurable and fine-grained
logging of the various system events that occur regularly
• Example
– The transactions done by the user on the ATM machine will be stored in
the logs and can be reviewed to understand the various activities
conducted during the transaction
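The ATM chain from the Identification, Authentication, Authorization, Accountability and Auditing slides above, modelled end to end as an added example (not part of the IBM ICE course material). Card numbers, PINs, permissions and the three-attempt lockout are constructed assumptions for the demo.

```python
import hashlib
import hmac
import secrets

ACCOUNTS = {}   # card_number -> account record (identity, PIN hash, permissions)
AUDIT_LOG = []  # auditing: every decision is logged against the identified user
def _pin_hash(pin: str, salt: bytes) -> bytes:
    # Only a salted PBKDF2 hash of the PIN is stored, never the PIN itself.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

def _audit(card_number: str, event: str, allowed: bool) -> None:
    """Auditing: append an attributable, reviewable record of each decision."""
    AUDIT_LOG.append({"user": card_number, "event": event, "allowed": allowed})

def enroll(card_number: str, pin: str, permissions: set) -> None:
    salt = secrets.token_bytes(16)
    ACCOUNTS[card_number] = {"salt": salt, "pin_hash": _pin_hash(pin, salt),
                             "permissions": set(permissions), "failed": 0}

def identify(card_number: str):
    """Identification: the card number is a public, machine-readable name, not a secret."""
    return ACCOUNTS.get(card_number)

def authenticate(card_number: str, pin: str) -> bool:
    """Authentication: verify the claimed identity with the PIN; lock after 3 failures."""
    acct = identify(card_number)
    if acct is None or acct["failed"] >= 3:
        _audit(card_number, "authenticate", False)
        return False
    ok = hmac.compare_digest(acct["pin_hash"], _pin_hash(pin, acct["salt"]))
    acct["failed"] = 0 if ok else acct["failed"] + 1
    _audit(card_number, "authenticate", ok)
    return ok

def authorize(card_number: str, action: str) -> bool:
    """Authorization: an authenticated user may only perform the actions granted to him."""
    acct = identify(card_number)
    ok = acct is not None and action in acct["permissions"]
    _audit(card_number, action, ok)   # accountability: the action is tied to the user
    return ok

def atm_session(card_number: str, pin: str, action: str) -> str:
    """Run the whole chain for one ATM request and report where it stopped."""
    if identify(card_number) is None:
        return "unknown card"
    if not authenticate(card_number, pin):
        return "authentication failed"
    if not authorize(card_number, action):
        return "not authorized"
    return "allowed"
```

Every step, including rejected attempts, leaves an entry in AUDIT_LOG, which is what later lets a reviewer reconstruct who did what on the account.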
• Top Management
• Head of Departments
• Information Security Team
• IT Manager
• System Administrators
5. What is Integrity?
– To prevent the disclosure of information to individuals or group of
individuals who are unauthorized to have access to that information
– To protect the accuracy and completeness of information and the
methods that are used to process and manage it
– It states that an asset must be available when needed by an
authorized entity, if it is accessible and usable
– Every individual who works with an information system should have
specific responsibilities for information assurance
6. What is Availability?
– To prevent the disclosure of information to individuals or group of
individuals who are unauthorized to have access to that information
– To protect the accuracy and completeness of information and the
methods that are used to process and manage it
– It states that an asset must be available when needed by an
authorized entity, if it is accessible and usable
– Every individual who works with an information system should have
specific responsibilities for information assurance
7. What is Accountability?
– To prevent the disclosure of information to individuals or group of
individuals who are unauthorized to have access to that information
– To protect the accuracy and completeness of information and the
methods that are used to process and manage it
– It states that an asset must be available when needed by an
authorized entity, if it is accessible and usable
– Every individual who works with an information system should have
specific responsibilities for information assurance