In today's connected world, security has become the number one concern for most corporations, large or small. With the rise in computer crime over the last decade, companies have had to find ways to secure their computing environments. Securing systems cannot be accomplished without knowledge and experience in the area of Information Systems Security.
Information Systems Security is primarily concerned with three main areas of Information Technology. Together these areas form what we refer to in the industry as the CIA triad, where the letters CIA stand for Confidentiality, Integrity and Availability. In the next section I will explain what these three concepts are.
The concept of confidentiality is an assurance that data will be kept confidential and that only those subjects authorized to access that data will have access to it. An example of this is a bank account: as the holder of the account, I am authorized by the bank to access my account in the form of withdrawals and deposits, but other people are not. The balance in my account is confidential and known only to the bank and me. Other examples of confidential data include health records and salaries.
Integrity of data ensures that the data being accessed has not been modified or tampered with by company personnel or intruders. An example of this is an email sent by the Chief Executive Officer to shareholders announcing the profits of the company, which someone in accounting intercepts and changes to lower figures so they can pocket the rest. In order to ensure integrity of data, security personnel must have measures in place to prevent unauthorized modifications of data. An important term in the area of integrity is the concept of non-repudiation, where entities cannot deny having completed a certain action. If everything is implemented correctly, non-repudiation dictates that if I send an email to someone in the company, there should be no way for me to deny having sent that email, due to the tracking enabled within the company's email servers.
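The intercepted-announcement scenario above can be made concrete with a digital signature. The following Go program is an added example and not part of the original article; it uses the standard library's Ed25519 implementation, and the names SignedMessage, Sign, Verify, Tamper and Demo, the sample announcement text and the profit figures are all constructed for this illustration. The CEO signs the announcement with a private key only they hold; shareholders verify it with the matching public key; a copy whose figures have been altered fails verification (integrity), and because only the private-key holder could have produced a valid signature, the CEO cannot later deny having sent the genuine announcement (non-repudiation).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"log"
)

// SignedMessage is a message body together with the sender's public key and
// the sender's signature over the body. The type name is our own for this example.
type SignedMessage struct {
	Body      []byte
	PublicKey ed25519.PublicKey
	Signature []byte
}

// Sign signs body with the sender's private key. Only the holder of priv can
// produce a signature that verifies under the matching public key, which is
// what gives non-repudiation: the signer cannot later deny having signed it.
func Sign(priv ed25519.PrivateKey, body []byte) SignedMessage {
	return SignedMessage{
		Body:      body,
		PublicKey: priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(priv, body),
	}
}

// Verify reports whether Body is byte-for-byte what the key holder signed.
// Any modification to Body after signing, however small, makes it return false.
// ed25519.Verify panics on a wrongly sized public key, so that case is rejected first.
func Verify(m SignedMessage) bool {
	if len(m.PublicKey) != ed25519.PublicKeySize {
		return false
	}
	return ed25519.Verify(m.PublicKey, m.Body, m.Signature)
}

// Tamper returns a copy of m whose body has been replaced, modelling the
// interception in the text: the interceptor can change the figures but cannot
// produce a fresh signature without the CEO's private key.
func Tamper(m SignedMessage, newBody []byte) SignedMessage {
	m.Body = newBody
	return m
}

// Demo runs the scenario and returns whether the genuine and the tampered
// copies verify. Expected result: genuine true, tampered false.
func Demo() (genuineOK, tamperedOK bool, err error) {
	// The CEO's key pair. In practice the private key stays with the CEO and
	// the public key is distributed to shareholders out of band.
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}

	// Constructed sample announcement; the figures are not real.
	announcement := []byte("To shareholders: Q3 profit was 4,200,000 USD.")
	signed := Sign(priv, announcement)
	genuineOK = Verify(signed)

	// Someone in accounting intercepts the mail and lowers the figure.
	altered := Tamper(signed, []byte("To shareholders: Q3 profit was 3,200,000 USD."))
	tamperedOK = Verify(altered)
	return genuineOK, tamperedOK, nil
}

func main() {
	genuine, tampered, err := Demo()
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("genuine announcement verifies: %v\n", genuine)
	fmt.Printf("altered announcement verifies: %v\n", tampered)
}
```

One design point worth noting: a keyed hash (HMAC) over the announcement would also detect the altered figure, but it would not give non-repudiation, because every party holding the shared key could have computed the same tag and the CEO could plausibly claim someone else did. Non-repudiation needs an asymmetric signature like the one shown, where the signing key is held by one party alone.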
To me, availability is probably the most interesting aspect of Information Systems Security, in the sense that it is not really responsible for protecting anything, and one can argue that it is not security, but it is. This concept assures that the protected resources are available to the users whenever they are needed and that there are no unscheduled interruptions. This is a big deal in the banking industry, where customers need to have access to their bank accounts at any time of the day or night. Any interruption to this availability is therefore a security concern and can cost the company a lot in revenue.
Now that we have explained the different areas of Information Systems Security, what are some inherent threats against our Information Systems?
The most prominent threat to any system in this age is hacking. Hackers now have myriad ways to gain access to systems. When hackers penetrate a system, this is an attack on both confidentiality, since they now have access to data they were not supposed to see, and integrity, because they now have the ability to do whatever they wish with that data. Sometimes hackers also attack availability by mounting what we call a "Denial of Service", where legitimate users of the system can no longer get access. This usually happens when they have failed to gain access themselves and resort to simply bringing systems down so no one else can get in.
Without going into a lot of detail, we see that no matter how small your IT footprint is, Information Systems Security is of prime importance and an investment should be made to protect your company.
© Mwaba Shannon Chisenga, M.Sc. CISSP