
The Trust Services Framework organizes IT-related controls into five principles that jointly contribute to systems reliability:

1. Security—access (both physical and logical) to the system and its data is controlled and restricted to legitimate users.
2. Confidentiality—sensitive organizational information (e.g., marketing plans, trade secrets) is protected from unauthorized disclosure.
3. Privacy—personal information about customers, employees, suppliers, or business partners is collected, used, disclosed, and maintained only in compliance with internal policies and external regulatory requirements and is protected from unauthorized disclosure.
4. Processing Integrity—data are processed accurately, completely, in a timely manner, and only with proper authorization.
5. Availability—the system and its information are available to meet operational and contractual obligations.

Two Fundamental Information Security Concepts

Security Is a Management Issue, Not Just a Technology Issue

Figure: the security life cycle. 1. Assess threats & select risk response > 2. Develop and communicate policy > 3. Acquire & implement solutions > 4. Monitor performance > back to step 1.

Defense-in-Depth and the Time-Based Model of Information Security

The idea of defense-in-depth is to employ multiple layers of controls in order to avoid having a single point of failure. For example, many organizations use not only firewalls but also multiple authentication methods (passwords, tokens, and biometrics) to restrict access to their information systems. The use of overlapping, complementary, and redundant controls increases overall effectiveness because if one control fails or gets circumvented, another may function as planned.

Time-Based model of security - Implementing a combination of preventive, detective and corrective controls that protect information assets long enough to enable an organization to recognize that an attack is occurring and take steps to thwart it before any information is lost or compromised.

This objective can be expressed in a formula that uses the following three variables:
P = the time it takes an attacker to break through the organization's preventive controls
D = the time it takes to detect that an attack is in progress
C = the time it takes to respond to the attack and take corrective action

Those three variables are then evaluated as follows: If P > D + C, then the organization's security procedures are effective. Otherwise, security is ineffective.
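As an added worked example (not from the textbook), the following Python evaluates the P > D + C test on constructed sample timings. It serves both the defense-in-depth paragraph above (adding a preventive layer raises P) and the time-based formula (cutting D or C can be just as effective as adding a layer). The layer names and minute values are made up for illustration, and the model assumes an attacker must defeat preventive layers one after another so that their defeat times add up to P, which is a simplification.

```python
"""Time-based model of security: effective iff P > D + C.

Added worked example. The layer names and minute values below are
constructed sample figures, not measurements from any real system, and
the model assumes an attacker must defeat preventive layers one after
another so their defeat times add up to P (a simplifying assumption).
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Layer:
    """One preventive control and how long an attacker needs to defeat it."""
    name: str
    minutes_to_defeat: float


@dataclass(frozen=True)
class Posture:
    """Preventive layers (P) plus detection (D) and correction (C) times."""
    layers: tuple[Layer, ...]
    detect_minutes: float   # D: time to notice the attack is in progress
    correct_minutes: float  # C: time to respond and take corrective action

    def p(self) -> float:
        """P: total time to break through all preventive layers (assumed additive)."""
        return sum(layer.minutes_to_defeat for layer in self.layers)

    def margin(self) -> float:
        """P - (D + C). Positive means the defenders win the race."""
        return self.p() - (self.detect_minutes + self.correct_minutes)

    def is_effective(self) -> bool:
        """The model's test: strictly P > D + C. Equality counts as ineffective."""
        return self.margin() > 0


def add_layer(posture: Posture, layer: Layer) -> Posture:
    """Defense-in-depth: another preventive layer raises P."""
    return replace(posture, layers=posture.layers + (layer,))


def with_detection(posture: Posture, detect_minutes: float) -> Posture:
    """A faster detective control lowers D without touching the preventive side."""
    return replace(posture, detect_minutes=detect_minutes)


# Constructed baseline: firewall + password, logs reviewed every two hours.
BASELINE = Posture(
    layers=(Layer("perimeter firewall", 30), Layer("password login", 60)),
    detect_minutes=120,
    correct_minutes=30,
)

# Option A: add a hardware token (second authentication factor) -> P goes up.
WITH_TOKEN = add_layer(BASELINE, Layer("hardware token", 180))

# Option B: same preventive layers, but alert in near real time -> D goes down.
WITH_ALERTING = with_detection(BASELINE, 15)


def report(posture: Posture) -> str:
    """Summarize where P stands against D + C for one posture."""
    verdict = "effective" if posture.is_effective() else "INEFFECTIVE"
    return (f"P={posture.p():.0f} min vs D+C="
            f"{posture.detect_minutes + posture.correct_minutes:.0f} min "
            f"(margin {posture.margin():+.0f}): {verdict}")


if __name__ == "__main__":
    for label, posture in (("baseline", BASELINE),
                           ("add token", WITH_TOKEN),
                           ("faster detection", WITH_ALERTING)):
        print(f"{label:17} {report(posture)}")
```

Running it shows the baseline losing the race (P = 90 minutes against D + C = 150), while either adding the token layer (P = 270) or shortening detection to 15 minutes (D + C = 45) makes the posture effective. The strict inequality matters: a posture with P exactly equal to D + C is still judged ineffective, because the attacker finishes at the same moment the response lands.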
