
Security

08 November 2019 08:35 PM

Definition of Security
Security is a state of well-being of information and infrastructure in which the
possibility of theft, tampering and disruption of information and services is
kept low or at a tolerable level.

Security rests on three principles


Confidentiality: Only authorized individuals should have access to information, for
example credit card details, National Insurance numbers, etc.

Integrity: Information or data should be safeguarded from being tampered with
or modified in any way, and should be complete and accurate when accessed.

Availability: When an authorized user needs information it should be available.

Other requirements in an organization


Authentication: Ensuring that the identity of a subject or resource is the one claimed.
Authorization: Making sure that the authenticated subject has the authority to access
and use a specific resource or piece of information.
Accounting: Making sure that a record is kept of the actions taken by
authenticated and authorized subjects.
Non-Repudiation: Ensuring that an action cannot be denied afterwards, e.g.
transmission of an email, an SMS, a signature, etc.

Asset:
Defined as anything that has value to the organization, its business operations and its continuity.
Assets can be of the following types:
Information: Any data in whatever format, e.g. intellectual property, personal information.
Physical Asset: Any physical object, e.g. desktops, servers, buildings, etc.
Software: Applications used to manage, store or process information.

Threat:
Defined as any event or activity that has the potential to cause harm to an asset.

Accidental: Human error, system failure, fire, earthquakes, floods, etc. Although
nobody has deliberately caused it, some form of mitigation should still be in place.

Deliberate: As the name implies, this is intentional and can take the form of hacking, theft,
sabotage, etc.

Each of the above can be further divided as follows:

External: A threat that arises from outside the organization. Often this is competitors,
hackers performing espionage, and so on.

Internal: These come from within the organization, are difficult to identify and may cause
considerable damage. They can come from employees or partners with some level of access
in the organization.

Chapter 2. Information security principles Page 1

Vulnerability:
A weakness of an asset that can be exploited by one or more threats. Often this is a bug or flaw in
a piece of software, an altogether flawed design, a lack of security controls, etc.

Impact: The result of an incident, caused by a threat, which affects an asset. In a business
context this can be of great concern or of very little concern depending on the value of the asset impacted.
Once that value is determined, steps should be taken to secure the asset accordingly.

Risk: Defined as the potential that a given threat will exploit a vulnerability of an asset and
cause harm to the organization.

Risk = Threat*Vulnerability*Likelihood*Impact
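As an added illustration (not part of the original notes), the following Python applies the formula above to a small risk register built from the asset and threat types named here. The 1-3 ordinal scales, the sample entries and the tolerance threshold of 20 are constructed assumptions for the example.

```python
from dataclasses import dataclass

# Assumed organisational tolerance: a score above this needs treatment
# (the definition of security only requires risk to be "low or tolerable").
TOLERABLE_RISK = 20


@dataclass(frozen=True)
class RiskEntry:
    asset: str          # the thing of value (information, physical, software)
    threat: str         # event or activity that could harm the asset
    threat_level: int   # capability/intent of the threat source, 1..3 (constructed scale)
    vulnerability: int  # how exposed the asset is to this threat, 1..3
    likelihood: int     # how probable it is that the threat occurs, 1..3
    impact: int         # consequence for the business if it occurs, 1..3

    def __post_init__(self):
        for name in ("threat_level", "vulnerability", "likelihood", "impact"):
            if getattr(self, name) not in (1, 2, 3):
                raise ValueError(f"{name} must be on the 1..3 scale")

    def score(self) -> int:
        # The formula from the notes: Risk = Threat * Vulnerability * Likelihood * Impact
        return self.threat_level * self.vulnerability * self.likelihood * self.impact


def rank_risks(register):
    """Return the register ordered from highest to lowest risk score."""
    return sorted(register, key=lambda e: e.score(), reverse=True)


def needs_treatment(register, tolerance=TOLERABLE_RISK):
    """Entries whose risk exceeds what the organisation tolerates."""
    return [e for e in register if e.score() > tolerance]


# Constructed sample register mirroring the asset and threat categories in the notes.
SAMPLE_REGISTER = [
    RiskEntry("customer card data (information)", "deliberate external: hacking", 3, 3, 2, 3),
    RiskEntry("server room (physical)", "accidental: fire", 1, 2, 1, 3),
    RiskEntry("HR system (software)", "deliberate internal: privilege misuse", 2, 2, 2, 2),
]

if __name__ == "__main__":
    for entry in rank_risks(SAMPLE_REGISTER):
        flag = "TREAT" if entry.score() > TOLERABLE_RISK else "accept"
        print(f"{entry.score():3d} {flag:6s} {entry.asset} <- {entry.threat}")
```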
