Information security is the method of providing confidentiality, integrity and availability to data, information, applications and equipment for those who need it. This level of protection rests on the C.I.A. triangle, which consists of:
Confidentiality of information ensures that only those with sufficient privileges may access certain information. To protect the confidentiality of information, a number of measures may be used including:
- Information classification
- Secure document storage
- Application of general security policies
- Education of information custodians and end users
Integrity is the quality or state of being whole, complete, and uncorrupted. The integrity of information is threatened when it is exposed to corruption, damage, destruction, or other disruption of its authentic state. Corruption can occur while information is being compiled, stored, or transmitted.
Availability means making information accessible to users, in the required format, without interference or obstruction. A user in this definition may be either a person or another computer system.
Over time the list of characteristics has expanded to include other important concepts, but the C.I.A. triangle remains the central core of information security. Some of the other key concepts of information security are:
- Privacy – Information is to be used only for purposes known to the data owner.
- Identification – An information system possesses the characteristic of identification when it is able to recognize individual users.
- Authentication – Authentication occurs when a control provides proof that a user possesses the identity that he or she claims.
- Authorization – After the identity of a user is authenticated, a process called authorization provides assurance that the user (whether a person or a computer) has been specifically and explicitly authorized by the proper authority to access, update, or delete the contents of an information asset.
- Accountability – The characteristic of accountability exists when a control provides assurance that every activity undertaken can be attributed to a named person or automated process.
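The way identification, authentication, authorization and accountability build on one another can be seen in a single access decision. The Python sketch below is an added example, not part of the original text; the user table, role names, permission sets and the `request` function are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import os

def _hash(password: str, salt: bytes) -> bytes:
    # Salted, slow password hash so stored credentials stay confidential.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample data (hypothetical user, role and permissions).
_SALT = os.urandom(16)
USERS = {"alice": {"salt": _SALT, "pw": _hash("correct horse", _SALT), "role": "editor"}}
PERMISSIONS = {"editor": {"access", "update"}, "admin": {"access", "update", "delete"}}
AUDIT_LOG = []  # accountability: one record per decision, allowed or denied

def request(username: str, password: str, action: str, asset: str) -> bool:
    """Return True if the action is allowed; always append an audit record."""
    def record(outcome: str) -> bool:
        AUDIT_LOG.append({"user": username, "action": action,
                          "asset": asset, "outcome": outcome})
        return outcome == "allowed"

    # Identification: does the system recognize this individual user?
    user = USERS.get(username)
    if user is None:
        return record("unknown identity")

    # Authentication: proof that the user holds the claimed identity.
    # compare_digest avoids leaking match length through timing.
    if not hmac.compare_digest(_hash(password, user["salt"]), user["pw"]):
        return record("authentication failed")

    # Authorization: was this identity explicitly granted this action?
    if action not in PERMISSIONS.get(user["role"], set()):
        return record("not authorized")

    return record("allowed")

if __name__ == "__main__":
    print(request("alice", "correct horse", "update", "report.docx"))  # allowed
    print(request("alice", "correct horse", "delete", "report.docx"))  # denied
    for entry in AUDIT_LOG:
        print(entry)
```

The caller only learns whether the request was allowed, while the audit log records which control stopped it and for which named user.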
Understanding these concepts and the controls that are associated with each will provide the security/system administrator with the proper capabilities to protect their organization.