IBM ICE (Innovation Centre for Education)

Welcome to:
Unit 1 - The CIA Triad

© Copyright IBM Corporation 2015 9.1


Unit objectives

After completing this unit, you should be able to:

• Demonstrate a basic understanding of Information Security
• Explain the elements of Information Security with conceptual clarity
• Describe the benefits and issues of Information Security
• Apply an appropriate methodology for Cost Benefit Analysis


Background

• The Internet is a worldwide collection of networks that has advanced beyond anybody's expectations
• The Internet provides convenience to an individual trying to access data, but this convenience comes with associated risks
• Critical information can be changed, misused, stolen or lost
• All of this points towards limitless advancements in Information Security


Introduction to Information Security

• Definition
– Information Security is a process of protecting critical information along with its significant elements, including the networks and systems that use the data at rest, in use or in motion
• Explanation
– Information Security is not only about securing the system which receives or sends data; it is about securing the entire set of assets in an organization, including the hardware, software, people, data, networks and procedures that make use of the information resources available in the organization
• Example
– If the use of pen drives is allowed in the company, then leakage of information can never be fully restricted


Elements of Information Security

• Confidentiality
– Preventing the disclosure of information to individuals or groups of individuals who are not authorized to access that information is called maintaining confidentiality
• Explanation
– Confidentiality means controlling or restricting access to critical information to certain individuals or groups of individuals. One of the crucial principles of confidentiality is "need-to-know", in other words "least privilege"
• Example
– An employee without the appropriate authorization should not be allowed to view the payroll details or the personal information of other colleagues


• Integrity
– To preserve the integrity of information means to protect the accuracy and completeness of information and the methods that are used to process and manage it
• Explanation
– Integrity of data means that the information presented is trustworthy and has not been changed or tampered with during its transmission by an unauthorized individual or group of individuals. Integrity assures that the information has not been changed. It includes authenticity, which means that the original form of the data has not been changed
• Example
– If someone was sending an online money transfer for $100, but the information was tampered with in such a way that the transfer value changed to $10,000, it could prove very costly for that person
• Availability
– Availability states that an asset must be available when needed by an authorized entity, if it is accessible and usable
• Explanation
– This means that all the components of the computing systems used to process and store the critical information, the different communication channels used to access it and the security controls used to protect the information must work as expected and be available all the time
• Example
– Service disruptions in a network due to hardware failures, power outages or system upgrades, which could make the system or the network unavailable
• Identification
– The process that enables recognition of a user described to an automated data processing system. This is generally done by the use of unique machine-readable names
• Explanation
– It is the process of identifying the user so that it can be verified whether he is what he claims to be. Normally, identification is done with the help of information that is known to everyone, i.e., a user name or user ID. Identification is the first step in the chain of Access Management
• Example
– When the user swipes his ATM card in an ATM machine, the user is identified by the core banking platform
• Authentication
– Authentication is the process of verifying that the identified user is the real owner of his/her identity
• Explanation
– Authentication is the process of ascertaining a claimed user identity by verifying user-provided evidence
• Example
– After swiping the ATM card, the user has to enter his secret PIN. Once it is entered, the user is authenticated to process the desired transaction
• Authorization
– Authorization is the act or technique of providing the appropriate permissions to the user for accessing a particular file or performing a particular action
• Explanation
– Authorization is the process of ensuring that an employee has enough access rights to a particular piece of information that the employee can perform the operation requested by him
• Example
– When the user has completed his authentication by entering the ATM PIN, he gets access to all the transactions that he has authorization for
• Accountability
– Accountability means that every individual who works with an information system should have specific responsibilities for information assurance
• Explanation
– It ensures that the different events and actions taken can be tracked to their very origin, establishing responsibility for the actions and/or omissions that may have taken place
• Example
– After the user is given authorization to his account through the ATM, he is accountable for any tasks carried out by him on his account
• Auditing
– Auditing is the formal review and examination of the actions or activities of any user
• Explanation
– Event auditing allows the reliable, configurable and fine-grained logging of the various system events that occur regularly
• Example
– The transactions done by the user on the ATM machine are stored in the logs and can be reviewed to understand the various activities conducted during the transaction
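The ATM access-management chain (identification, authentication, authorization, accountability and auditing) and the tampered $100 transfer from the integrity example, worked through as an added Python example that is not part of the IBM ICE material. The card numbers, PINs, salt and key are constructed sample values, and the HMAC is a standard integrity control chosen for the illustration, not something the slides prescribe.

```python
# Added example (not from the IBM ICE slides): a toy ATM back end that walks the
# chain identification -> authentication -> authorization -> accountability
# (audit log), and signs the transfer message with an HMAC so that the
# $100 -> $10,000 tampering from the integrity example is detected.
# Card numbers, PINs, salt and key below are constructed sample values.
import hashlib
import hmac

SALT = b"constructed-salt"                  # real systems use a random per-user salt
INTEGRITY_KEY = b"constructed-shared-key"   # shared by the ATM and the core banking platform
AUDIT_LOG = []                              # accountability: (identity, action, outcome)

def hash_pin(pin: str) -> bytes:
    # The PIN is stored salted and hashed, never in the clear.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), SALT, 100_000)

# Constructed accounts: card number -> stored PIN hash and granted permissions.
ACCOUNTS = {
    "4000-0001": {"pin": hash_pin("1234"), "perms": {"balance", "transfer"}},
    "4000-0002": {"pin": hash_pin("9999"), "perms": {"balance"}},
}

def identify(card: str) -> bool:
    return card in ACCOUNTS  # identification: the card number is the public identifier

def authenticate(card: str, pin: str) -> bool:
    # Authentication: check the user-provided evidence (PIN) in constant time.
    return hmac.compare_digest(ACCOUNTS[card]["pin"], hash_pin(pin))

def authorize(card: str, action: str) -> bool:
    return action in ACCOUNTS[card]["perms"]  # least privilege: only granted actions

def atm_request(card: str, pin: str, action: str) -> str:
    """Run the chain in order and log every decision against the identity."""
    if not identify(card):
        outcome = "denied: unknown card"
    elif not authenticate(card, pin):
        outcome = "denied: wrong PIN"
    elif not authorize(card, action):
        outcome = "denied: not authorized for " + action
    else:
        outcome = "ok"
    AUDIT_LOG.append((card, action, outcome))  # auditing reviews this record later
    return outcome

def sign_transfer(card: str, amount: int) -> tuple[bytes, str]:
    # Integrity: the ATM sends the transfer together with an HMAC over the exact message.
    msg = f"{card}:transfer:{amount}".encode()
    return msg, hmac.new(INTEGRITY_KEY, msg, "sha256").hexdigest()

def verify_transfer(msg: bytes, tag: str) -> bool:
    # Core banking recomputes the tag; any change to the amount breaks the match.
    expected = hmac.new(INTEGRITY_KEY, msg, "sha256").hexdigest()
    return hmac.compare_digest(expected, tag)
```

Each denied or permitted request leaves an entry in `AUDIT_LOG`, which is what the auditing step later reviews; a transfer whose amount was changed in transit fails `verify_transfer`.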
Implementing Information Security

• Information Security implementation is based upon one of the most widely followed approaches, the Deming cycle, which is an iterative 4-step management method used in business for the control and continuous improvement of processes and products
• This approach is also known as the PDCA cycle, according to which there are 4 steps for the appropriate implementation of information security, as follows:
– Plan: The approach for implementing information security must be planned effectively
– Do: Implement the plan that was created in the planning phase
– Check: The implementation of information security must be reviewed
– Act: Appropriate measures must be taken based on the findings of the review

PDCA Cycle

[Figure: Plan-Do-Check-Act cycle diagram]


Developing an Information Security Strategy

• To develop a strategic information security plan, the classical information security values of confidentiality, integrity and availability are integrated into trust relationships that are based on certain protocols of data communication
• An information security strategic plan assists in establishing an organization's approach towards securing information
• This approach is the collection of various activities that support as well as protect information
• Effective mechanisms are created to control the security of the company. It is about managing these mechanisms and making them operational


Types of Security Strategy

• There are 2 types of Security Strategy:
– Business Strategy: It helps an organization to tangibly connect its information security policies, procedures and practices with business goals, enabling it to secure the funding it needs to create real value for the organization
• Business-Aligned Security Program
• Communicating and Selling Your Vision to Executives
• Threat and Risk Analysis to prioritize
– Technical Strategy: Most security departments are overwhelmed in managing day-to-day activities, sticking to a dated program and trying to add value to the business; there is no time or resources to proactively create or shore up important security programs such as data protection, risk management or threat management


Stakeholders of Security Strategy

• Top Management
• Head of Departments
• Information Security Team
• IT Manager
• System Administrators


Considerations for Security Strategy

• Align an organization's information security strategy with business goals: It enables an organization to more successfully secure budget for initiatives, gain support for the security mandate and demonstrate the value of a comprehensive information security strategy
• Align an organization's security technology with its business need, maturity and capabilities: It helps an organization to maximize the capabilities of its current information security solutions and determine which new technologies are needed to support its strategy
• Develop an in-depth analysis of the threats and risks that impact an organization: It helps to identify relevant threats, document areas of risk and benchmark the maturity of an organization's current information security program


Steps of Security Strategy

• Defining the various control objectives
• Identifying and assessing the approaches necessary to meet the given objectives
• Selecting the controls
• Establishing the benchmarks and metrics
• Preparing the implementation and testing plans


Information Security Benefits

• Protects the assets
• Improves awareness
• Saves money
• Provides an organization a competitive edge through enhancing brand and reputation
• Reduces the lawsuits against an organization


Threat and Vulnerability types

• Environmental: They include undesirable site-specific chances or occurrences such as lightning, fire, sprinkler activation etc.
• Physical: They include undesirable personnel actions that can be either intentional or unintentional, such as theft, robbery etc.
• Site-Support: These concerns include site aspects such as electrical power, telephone service etc.
• Technical: They include dangerous specific situations which concern the systems, such as improper system operation, malicious software installation etc.


Information Security Issues

• Non-existent Security Architecture
• Updating Software and Applications from time to time
• Phishing and Targeted Attacks
• Poor Configuration Management
• Cloud Computing associated issues
• Insider attack


Cost Benefit Analysis (CBA) – Requirements

• Damages due to incidents
• Costs due to implementation of the solutions for maintaining security
• Neglecting amount for security solution as per incident


Cost Benefit Analysis (CBA) – Phases

• Calculate the net neglecting amount for all solutions to implement security
• Calculate incident risk, baseline scenario and total damage
• Calculate Risk-based Return on Investment (RROI)


Checkpoint (1 of 7)

1. What does Information Security protect?
– IT
– Assets of an organization
– Computer systems
– Process
2. What is a Deming cycle?
– Strategy cycle
– Implementation method
– PDCA cycle
– Information Security process


Checkpoint Solutions (1 of 7)

1. What does Information Security protect?
– IT
– Assets of an organization
– Computer systems
– Process
2. What is a Deming cycle?
– Strategy cycle
– Implementation method
– PDCA cycle
– Information Security process


Checkpoint (2 of 7)

3. What does CIA stand for?
– Change, Incident and Agreement
– Confidentiality, Integrity and Auditing
– Confidentiality, Integrity and Accountability
– Confidentiality, Integrity and Availability
4. What is Confidentiality?
– To prevent the disclosure of information to individuals or groups of individuals who are unauthorized to have access to that information
– To protect the accuracy and completeness of information and the methods that are used to process and manage it
– It states that an asset must be available when needed by an authorized entity, if it is accessible and usable
– Every individual who works with an information system should have specific responsibilities for information assurance
Checkpoint Solutions (2 of 7)

3. What does CIA stand for?
– Change, Incident and Agreement
– Confidentiality, Integrity and Auditing
– Confidentiality, Integrity and Accountability
– Confidentiality, Integrity and Availability
4. What is Confidentiality?
– To prevent the disclosure of information to individuals or groups of individuals who are unauthorized to have access to that information
– To protect the accuracy and completeness of information and the methods that are used to process and manage it
– It states that an asset must be available when needed by an authorized entity, if it is accessible and usable
– Every individual who works with an information system should have specific responsibilities for information assurance
Checkpoint (3 of 7)

5. What is Integrity?
– To prevent the disclosure of information to individuals or groups of individuals who are unauthorized to have access to that information
– To protect the accuracy and completeness of information and the methods that are used to process and manage it
– It states that an asset must be available when needed by an authorized entity, if it is accessible and usable
– Every individual who works with an information system should have specific responsibilities for information assurance


Checkpoint Solutions (3 of 7)

5. What is Integrity?
– To prevent the disclosure of information to individuals or groups of individuals who are unauthorized to have access to that information
– To protect the accuracy and completeness of information and the methods that are used to process and manage it
– It states that an asset must be available when needed by an authorized entity, if it is accessible and usable
– Every individual who works with an information system should have specific responsibilities for information assurance


Checkpoint (4 of 7)

6. What is Availability?
– To prevent the disclosure of information to individuals or groups of individuals who are unauthorized to have access to that information
– To protect the accuracy and completeness of information and the methods that are used to process and manage it
– It states that an asset must be available when needed by an authorized entity, if it is accessible and usable
– Every individual who works with an information system should have specific responsibilities for information assurance


Checkpoint Solutions (4 of 7)

6. What is Availability?
– To prevent the disclosure of information to individuals or groups of individuals who are unauthorized to have access to that information
– To protect the accuracy and completeness of information and the methods that are used to process and manage it
– It states that an asset must be available when needed by an authorized entity, if it is accessible and usable
– Every individual who works with an information system should have specific responsibilities for information assurance


Checkpoint (5 of 7)

7. What is Accountability?
– To prevent the disclosure of information to individuals or groups of individuals who are unauthorized to have access to that information
– To protect the accuracy and completeness of information and the methods that are used to process and manage it
– It states that an asset must be available when needed by an authorized entity, if it is accessible and usable
– Every individual who works with an information system should have specific responsibilities for information assurance


Checkpoint Solutions (5 of 7)

7. What is Accountability?
– To prevent the disclosure of information to individuals or groups of individuals who are unauthorized to have access to that information
– To protect the accuracy and completeness of information and the methods that are used to process and manage it
– It states that an asset must be available when needed by an authorized entity, if it is accessible and usable
– Every individual who works with an information system should have specific responsibilities for information assurance


Checkpoint (6 of 7)

8. Who are the Stakeholders for Information Security strategy?
– Top Management, IT Managers, Information Security officials and Administrators
– Top Management, IT Managers, Information Security team and Technology developers
– Top Management, Information Security team, Security Guards and Surveillance team
– Departmental Heads, Information Security team, Administrator heads and Incident Response team
9. What is Risk Mitigation?
– To accept the risk
– To reduce the risk
– To manage the risk
– To transfer the risk
Checkpoint Solutions (6 of 7)

8. Who are the Stakeholders for Information Security strategy?
– Top Management, IT Managers, Information Security officials and Administrators
– Top Management, IT Managers, Information Security team and Technology developers
– Top Management, Information Security team, Security Guards and Surveillance team
– Departmental Heads, Information Security team, Administrator heads and Incident Response team
9. What is Risk Mitigation?
– To accept the risk
– To reduce the risk
– To manage the risk
– To transfer the risk
Checkpoint (7 of 7)

10. What is Cost vs Benefits analysis?
– Monetary value of the benefits gained from the security products
– Benefits gained from the expensive security products
– Security products have a certain cost and benefits associated with them
– Comparison between the cost of the product and the benefits gained from it by an organization


Checkpoint Solutions (7 of 7)

10. What is Cost vs Benefits analysis?
– Monetary value of the benefits gained from the security products
– Benefits gained from the expensive security products
– Security products have a certain cost and benefits associated with them
– Comparison between the cost of the product and the benefits gained from it by an organization


Unit summary

Having completed this unit, you should be able to:

• Demonstrate a basic understanding of Information Security
• Explain the elements of Information Security with conceptual clarity
• Describe the benefits and issues of Information Security
• Apply an appropriate methodology for Cost Benefit Analysis