Chapter 1 Introduction Information Security (1)

Chapter: 1 Introduction Information Security Joel Morrobel

Description: Chapter 1, introduction to information security. Network technology.

Transcript of Chapter 1 Introduction Information Security (1)

Page 1: Chapter 1 Introduction Information Security (1)

Chapter: 1 Introduction Information Security

Joel Morrobel

Page 2: Chapter 1 Introduction Information Security (1)

Information Asset

An Information Asset is a definable piece of information, stored in any manner, which is recognized as 'valuable' to the organization. The information which comprises an Information Asset may be little more than a prospect name and address file; or it may be the plans for the release of the latest in a range of products to compete with competitors.

Irrespective of the nature of the information assets themselves, they all have one or more of the following characteristics:

• They are recognized to be of value to the organization.
• They are not easily replaceable without cost, skill, time, resources or a combination.
• They form a part of the organization's corporate identity, without which the organization may be threatened.
• Their Data Classification would normally be Proprietary, Highly Confidential or even Top Secret.

Page 3: Chapter 1 Introduction Information Security (1)

Information Security

• Information security is the process of protecting information. It protects its availability, privacy and integrity.

Page 4: Chapter 1 Introduction Information Security (1)

The CIA: Information Security Principles

• Confidentiality
– Allowing only authorized subjects access to information
• Integrity
– Allowing only authorized subjects to modify information
• Availability
– Ensuring that information and resources are accessible when needed

Page 5: Chapter 1 Introduction Information Security (1)

Reverse CIA

• Confidentiality
– Preventing unauthorized subjects from accessing information
• Integrity
– Preventing unauthorized subjects from modifying information
• Availability
– Preventing information and resources from being inaccessible when needed

Page 6: Chapter 1 Introduction Information Security (1)

Using the CIA

• Think in terms of the core information security principles
• How does this threat impact the CIA?
• What controls can be used to reduce the risk to CIA?
• If we increase confidentiality, will we decrease availability?

Page 7: Chapter 1 Introduction Information Security (1)

Information Classification

• Not all information has the same value
• Need to evaluate value based on CIA
• Value determines protection level
• Protection levels determine procedures
• Labeling informs users on handling
• Example:

Information Type      Confidentiality   Integrity   Availability
Public Information    Low               HIGH        HIGH

Page 8: Chapter 1 Introduction Information Security (1)

Information Classification

• Government classifications:
– Top Secret
– Secret
– Confidential
– Sensitive but Unclassified
– Unclassified

Page 9: Chapter 1 Introduction Information Security (1)

Information Classification

• Private Sector classifications:
– Confidential
– Private
– Sensitive
– Public

Page 10: Chapter 1 Introduction Information Security (1)

Information Classification

• Criteria:
– Value
– Age
– Useful Life
– Personal Association

Page 11: Chapter 1 Introduction Information Security (1)

You will never have a 100% secure system