
Information Assurance and Security 1

CHAPTER I - INTRODUCTION TO INFORMATION SECURITY


Overview:

Objective:
At the end of the lesson, the students should be able to:
o Define a computer system
o Identify the components of a computer system
o Identify the components of security
o Explain the security lifecycle

Security in Practice

How do you take care of your valuables?

When you leave something of high value or importance to you somewhere else, what measures do you
take to make sure that it is safe and secure?

We are now in the digital era, where almost everything we do involves technology and the network.
Our lives already depend on it; in fact, it has become a necessity.

Why? The rise of information systems and the rapid development of technology have made everything easy
and fast, and that convenience has made us all dependent on the environment we now live in.

Our information is all over the network, from our personal details to our daily activities and every
little thing about us, because of the information we share when we carry out e-commerce and business
transactions: enrolling in school, registering for webinars online, applying for loans, applying for
scholarships and other online transactions, including our social media accounts. Some people update
their accounts almost every hour, every day, or as often as they want.

With that being said, all of us are vulnerable to cyber threats, such as:

o Identity theft
o Property theft
o Danger to personal safety
o Exposure (public embarrassment or scandal)
o Disruption of business processes
o Loss of trade secrets

These are just some of the things that can happen to each one of us, and to the organizations we belong
to, if we remain complacent and do not secure our information or our computer systems.

So what is information security?

Information Security is not only about securing information from unauthorized access.

Information Security is the practice of preventing unauthorized access, use, disclosure, disruption,
modification, inspection, recording or destruction of information.

Information Security is the protection of information and information systems from unauthorized
access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality,
integrity, and availability.

Information can be physical or electronic. It can be anything: your personal details, your profile on
social media, the data on your mobile phone, your biometrics, and so on.


Thus information security spans many research areas, such as cryptography, mobile computing,
cyber forensics, online social media, and more.

Why we need to protect information

Information and information systems let us store and process information and distribute the right
type of information to the right type of user at the right time. Protecting them keeps information
from unauthorized access, distribution, and modification. Thus, it is evident that information is an
asset and needs to be protected from internal and external threats.

How do we define a secure computer system?


Computer system components include data/information, hardware, software, and communication/
network.
o When these components are reasonably secure from unauthorized access and misuse, we can say
that there is system and information security.

The three primary objectives of information security are what we call the CIA triad.

The CIA Triad


The CIA triad is a commonly used model for the requirements of information security.  CIA stands
for confidentiality, integrity, and availability. These principles help in protecting information in a
secured manner, and thereby safeguard the critical assets of an organization by protecting against
disclosure to unauthorized users (confidentiality), improper modification (integrity) and non-access
when access is required (availability).

Here, we'll look at each of these concepts in more detail.

o Confidentiality is perhaps the element of the triad that most immediately comes to mind when you
think of information security. Data is confidential when only those people who are authorized to
access it can do so; to ensure confidentiality, you need to be able to identify who is trying to
access data and block attempts by those without authorization. Passwords, encryption, authentication,
and defense against penetration attacks are all techniques designed to ensure confidentiality.

Confidentiality determines whether information is to be kept secret or private and enforces that by
employing mechanisms, such as encryption, which render the data useless if accessed in an
unauthorized manner. The necessary level of secrecy is enforced, and unauthorized disclosure is
prevented.
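The paragraph above says confidentiality means identifying who is asking for data and blocking everyone else. The following is an added example (not code from the original module) of the two checks that implies: authentication (is this really alice?) and authorization (may alice read this record?), with deny-by-default so that any failure returns nothing. The user store, records and access list are constructed for the example; passwords are stored only as salted PBKDF2 hashes, and the comparison is constant-time so response timing does not reveal how close a guess was.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Work factor for PBKDF2. Assumed value chosen so the example runs quickly;
# production systems should use a considerably higher iteration count.
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a salted PBKDF2-HMAC-SHA256 hash so the stored credential never reveals the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


# Constructed sample data for the example (not from the original text).
RECORDS: Dict[str, str] = {
    "payroll": "Q3 salary figures",
    "grades": "Final exam grades",
}

# Access-control list: record name -> set of usernames allowed to read it.
ACL: Dict[str, set] = {
    "payroll": {"alice"},
    "grades": {"alice", "bob"},
}

# Constructed user store: username -> (salt, hash). Plaintext passwords are never kept.
USERS: Dict[str, Tuple[bytes, bytes]] = {
    "alice": hash_password("correct horse battery staple"),
    "bob": hash_password("hunter2"),
}

# Dummy credential used for unknown usernames so that a lookup miss costs the
# same time as a real password check (avoids leaking which usernames exist).
_DUMMY_CREDENTIAL = (b"\x00" * 16, b"\x00" * 32)


def authenticate(username: str, password: str) -> bool:
    """Return True only if the username exists and the password matches its stored hash."""
    salt, stored = USERS.get(username, _DUMMY_CREDENTIAL)
    _, candidate = hash_password(password, salt)
    # compare_digest runs in constant time regardless of where the digests first differ.
    return username in USERS and hmac.compare_digest(candidate, stored)


def read_record(username: str, password: str, record: str) -> Optional[str]:
    """Deny by default: the record is returned only if the caller is both
    authenticated and listed in the ACL for that record."""
    if not authenticate(username, password):
        return None
    if username not in ACL.get(record, set()):
        return None
    return RECORDS.get(record)


if __name__ == "__main__":
    print(read_record("alice", "correct horse battery staple", "payroll"))  # authorized
    print(read_record("bob", "hunter2", "payroll"))                         # authenticated, not authorized
    print(read_record("mallory", "anything", "grades"))                     # unknown user
```

Note that the three failure cases (wrong password, unknown user, authenticated user without permission) all produce the same result, `None`; telling the caller which check failed would itself be a small disclosure.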

o Integrity means maintaining data in its correct state and preventing it from being improperly
modified, either by accident or maliciously. Many of the techniques that ensure confidentiality also
protect data integrity (after all, an attacker can't change data they can't access), but other tools
provide integrity defense in depth: checksums and cryptographic hashes let you detect changes to data,
and version control software and frequent backups let you restore data to a correct state if need be.
Note that a plain checksum only catches accidental corruption; an attacker who can change the data can
simply recompute the checksum, so detecting deliberate tampering needs a keyed message authentication
code (MAC) or a digital signature. Integrity is closely tied to non-repudiation: you must be able to
prove that you've maintained the integrity of your data, especially in legal contexts.


In information systems, integrity is a service that assures that the information in a system has not
been altered except by authorized individuals and processes. It provides assurance of the accuracy of
the data and that it has not been corrupted or modified improperly. Integrity may be achieved by
applying a mathematical technique, such as a cryptographic hash, a message authentication code or a
digital signature, computed when the information is stored or sent and verified later.

Integrity deals with the provision of accuracy and reliability of the information and systems.
Information should be prevented from modification in an unauthorized manner, and the necessary safety
measures should provide timely detection of unauthorized changes.
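The two integrity passages above mention checksums and a "mathematical technique" that is verified later. The following added example (not code from the original module) runs the three common choices side by side over a constructed transfer record: a CRC32 checksum, an unkeyed SHA-256 hash, and a keyed HMAC-SHA256. It shows that all three catch an accidental bit flip, but only the keyed MAC survives an attacker who rewrites the record and recomputes the tag, because the attacker does not hold the key. The record, the tampered version and the shared key are all constructed for the example.

```python
import hashlib
import hmac
import zlib
from typing import Callable, Dict, Tuple

# Constructed sample data (assumed for this example, not from the original text).
ORIGINAL = b"transfer 100.00 from acct 1234 to acct 5678"
TAMPERED = b"transfer 900.00 from acct 1234 to acct 5678"
# Assumed shared key between the party producing the record and the verifier.
# In practice it lives in a key store, not in source code.
SECRET_KEY = b"shared-secret-between-sender-and-verifier"


def crc32_tag(data: bytes) -> int:
    """Plain checksum: detects accidental corruption, but anyone can recompute it."""
    return zlib.crc32(data)


def sha256_tag(data: bytes) -> bytes:
    """Unkeyed cryptographic hash: collision-resistant, but still recomputable by anyone."""
    return hashlib.sha256(data).digest()


def hmac_tag(key: bytes, data: bytes) -> bytes:
    """Keyed MAC: only a holder of the key can produce a valid tag for new data."""
    return hmac.new(key, data, hashlib.sha256).digest()


def verify_unkeyed(data: bytes, tag, tag_fn: Callable) -> bool:
    """Verifier for CRC32 / SHA-256: recompute and compare."""
    return tag_fn(data) == tag


def verify_hmac(key: bytes, data: bytes, tag: bytes) -> bool:
    """Verifier for HMAC; compare_digest avoids leaking how many tag bytes matched."""
    return hmac.compare_digest(hmac_tag(key, data), tag)


def attacker_forges(new_data: bytes, tag_fn: Callable) -> Tuple[bytes, object]:
    """An attacker who can alter stored data simply recomputes any unkeyed tag for it."""
    return new_data, tag_fn(new_data)


def run_demo() -> Dict[str, bool]:
    """Exercise each tag against accidental corruption and deliberate tampering."""
    results: Dict[str, bool] = {}

    # 1. Accidental corruption: flip one bit in the first byte. Every tag detects it.
    flipped = bytes([ORIGINAL[0] ^ 0x01]) + ORIGINAL[1:]
    results["crc_detects_bitflip"] = not verify_unkeyed(flipped, crc32_tag(ORIGINAL), crc32_tag)
    results["sha256_detects_bitflip"] = not verify_unkeyed(flipped, sha256_tag(ORIGINAL), sha256_tag)
    results["hmac_detects_bitflip"] = not verify_hmac(SECRET_KEY, flipped, hmac_tag(SECRET_KEY, ORIGINAL))

    # 2. Deliberate tampering: the attacker rewrites the amount and recomputes the tag.
    data, tag = attacker_forges(TAMPERED, crc32_tag)
    results["crc_fooled_by_attacker"] = verify_unkeyed(data, tag, crc32_tag)
    data, tag = attacker_forges(TAMPERED, sha256_tag)
    results["sha256_fooled_by_attacker"] = verify_unkeyed(data, tag, sha256_tag)

    # 3. Without the key the attacker can only reuse the old HMAC tag or guess a key.
    results["hmac_rejects_reused_tag"] = not verify_hmac(SECRET_KEY, TAMPERED, hmac_tag(SECRET_KEY, ORIGINAL))
    results["hmac_rejects_wrong_key"] = not verify_hmac(SECRET_KEY, TAMPERED, hmac_tag(b"guess", TAMPERED))
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

An unkeyed hash is still useful when the tag itself is kept somewhere the attacker cannot write, for example in a signed manifest or a separate read-only store; the point of the demo is that a tag stored next to the data it protects, with no secret involved, proves nothing about deliberate modification.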

o Availability is the mirror image of confidentiality: while you need to make sure that your data
can't be accessed by unauthorized users, you also need to ensure that it can be accessed by those who
have the proper permissions. Ensuring data availability means matching network and computing
resources to the volume of data access you expect and implementing a good backup policy for disaster
recovery purposes.

Availability ensures that information is available when it is needed. Reliable and timely access to data
and resources is provided to authorized individuals. This can be accomplished by implementing tools
ranging from battery backup at a data center to a content distribution network in the cloud.

Security Lifecycle

Like any other IT process, security can follow a lifecycle model. The model presented here follows the
basic steps of IDENTIFY – ASSESS – PROTECT – MONITOR. This lifecycle provides a good
foundation for any security program. Using this lifecycle model provides you with a guide to ensure
that security is continually being improved. A security program is not a static assessment or a finished
product. Rather it requires constant attention and continual improvement.

As with any other aspect of a security program, implementing the security lifecycle requires that policy
and standards be implemented first. Security policy and standards are the foundation to any
component of a security plan. These are especially critical in both the assessment and protection
phase of the lifecycle. The assessment phase will use the standards and policy as the basis of
conducting the assessment. Resources will be evaluated against the security policy. During the
protection phase, resources will be configured to meet policy and standards.
