Introduction To Security Governance with CIA – Confidentiality, Integrity, Availability
Security governance is implemented through management concepts, security policies, implementation and so on. While working with these items we need some parameters to understand and describe security in an IT environment.
There is the CIA triad, which actually stands for Confidentiality, Integrity and Availability. These are used to define the level and status of the current security situation. We will look at all of them and more below. We will simply start by defining each related term and then provide advanced explanation and examples.
Let’s start with an example about a credit card PIN from the confidentiality point of view. We have credit cards, which are printed cards used to make payments physically at a POS or electronically at an internet POS. We need a PIN code for POS usage. The only one who should know this PIN is the card holder. We call this rule or policy confidentiality. Also, the credit card should be kept in a secure environment like our pocket. We can not leave the credit card on the street or alone in a pub. Confidentiality is also related to unauthorized access. Now we have two items:
- Keeping secret
- Preventing unauthorized access
We want to make a payment of about 50$. But during transmission the payment is changed to 5000$ by adding to or changing the given value. We call this issue an integrity problem. The information shouldn’t be altered, or at least, if it is altered, the alteration can be detected and the message eliminated.
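The detection half of that sentence is what a message authentication code gives you. The following Python is an added example, not code from the original post: the terminal attaches an HMAC-SHA256 tag to the payment, and the receiver recomputes it. The shared key, the payment fields and the card placeholder are all constructed for the demo. Changing 50 to 5000 in transit, with or without a recomputed tag, is caught because the attacker does not hold the key.

```python
import hashlib
import hmac
import json

# Constructed demo key. In a real deployment the terminal and the bank
# share it out of band; it is never transmitted with the message.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"


def canonical_bytes(payment: dict) -> bytes:
    """Encode a payment as one unambiguous byte string.

    Sorted keys and fixed separators make sure sender and receiver
    compute the tag over exactly the same bytes."""
    return json.dumps(payment, sort_keys=True, separators=(",", ":")).encode()


def tag_payment(payment: dict, key: bytes = SHARED_KEY) -> bytes:
    """HMAC-SHA256 tag that the sender attaches to the payment."""
    return hmac.new(key, canonical_bytes(payment), hashlib.sha256).digest()


def verify_payment(payment: dict, tag: bytes, key: bytes = SHARED_KEY) -> bool:
    """Receiver side: accept the payment only if the tag still matches.

    compare_digest runs in constant time so the comparison itself does
    not leak how many tag bytes were right."""
    return hmac.compare_digest(tag_payment(payment, key), tag)


def demo() -> tuple:
    # Constructed payment; the card field is a placeholder, not a real PAN.
    original = {"card": "tokenized-card-placeholder", "amount": 50, "currency": "USD"}
    tag = tag_payment(original)

    # 1. Message arrives untouched: tag verifies, payment is processed.
    clean_ok = verify_payment(original, tag)

    # 2. Amount changed in transit from 50 to 5000 while the old tag is
    #    replayed: tag no longer matches, so the receiver drops the message.
    tampered = dict(original, amount=5000)
    tampered_ok = verify_payment(tampered, tag)

    # 3. The attacker recomputes a tag for the altered message, but has
    #    no access to SHARED_KEY, so any key they pick gives a wrong tag.
    forged_tag = tag_payment(tampered, key=b"attacker-guess")
    forged_ok = verify_payment(tampered, forged_tag)

    return clean_ok, tampered_ok, forged_ok


if __name__ == "__main__":
    print(demo())
```

Note what the tag does not give you: it proves the message was not altered and that it came from someone holding the key, but since both ends hold the same key it does not say which one of them sent it. That distinction is the one nonrepudiation adds later in this post.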
Another subject is availability, which means we can make payments in a 7×24 manner. If there are problems for some time periods and we can not make payments, this is an availability problem. DDoS or similar attacks hurt the availability of the given IT infrastructure or application.
Security is designed to protect information and the related environment. Sensitivity refers to the quality of information; it is used as a sub-term of confidentiality. As an example, we can access different types of information, like Apache logs or user PINs, by breaking confidentiality, but their sensitivity is far different from each other: PINs are far more sensitive than Apache logs.
Criticality is similar to sensitivity but is generally related to the operations that are running. If an issue is found which interrupts the whole process, it is more critical than a test server breaking down.
Secrecy is the act of keeping something secret, or preventing unwanted and unauthorized parties from accessing this information. We should prevent the PIN information from being accessible to Linux admins.
Privacy has been a very popular issue in recent years. Privacy is keeping personally identifiable information confidential. For example, we should keep the credit card holder’s name and surname confidential.
Seclusion is storing data at rest in a very strictly secured area. We should store cold backups of credit card data in seclusion.
Isolation is another way to protect: it prevents using the same channel or area for different types of information. We should separate the network of normal users from that of higher privileged users.
Authorization is giving the required and privileged rights to an authenticated user or party.
Authentication is verifying identity. We should authenticate before giving authorization to a party, because authorization will work according to the identity of the party.
Auditing is the act of recording the actions of a given role. This will provide evidence about the actions the role has done.
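The three definitions above describe one ordered pipeline: verify identity, then check the rights attached to that identity, then record what happened. The Python below is an added example, not code from the original post, showing that order with a constructed user store (salted PBKDF2 hashes), a constructed role-to-action policy and an in-memory audit log. User names, passwords, roles and actions are all made up for the demo; the point is that a denied request is audited with its reason just like an allowed one, and that authorization is never consulted before authentication succeeds.

```python
import hashlib
import hmac
import os

# --- Constructed user store: salted PBKDF2 hashes, never plaintext -----------

def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _make_user(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt)}


USERS = {"alice": _make_user("correct horse battery"), "bob": _make_user("hunter2")}

# --- Constructed policy: a role per user, a set of allowed actions per role --

ROLES = {"alice": "operator", "bob": "analyst"}
PERMISSIONS = {
    "operator": {"refund", "view_logs"},
    "analyst": {"view_logs"},
}

# Every decision, allowed or denied, lands here together with its reason.
AUDIT_LOG = []


def authenticate(user: str, password: str) -> bool:
    """Step 1: is the caller who they claim to be?"""
    record = USERS.get(user)
    if record is None:
        # Do the same work for unknown users so response time does not
        # reveal which user names exist.
        _hash_password(password, b"\x00" * 16)
        return False
    return hmac.compare_digest(_hash_password(password, record["salt"]), record["hash"])


def authorize(user: str, action: str) -> bool:
    """Step 2: may this (already verified) identity perform this action?"""
    return action in PERMISSIONS.get(ROLES.get(user, ""), set())


def _audit(user: str, action: str, result: str, reason: str = "") -> None:
    AUDIT_LOG.append({"user": user, "action": action, "result": result, "reason": reason})


def perform(user: str, password: str, action: str) -> str:
    """Authenticate, then authorize, then act; audit whichever way it goes."""
    if not authenticate(user, password):
        _audit(user, action, "denied", "authentication failed")
        return "denied: authentication failed"
    if not authorize(user, action):
        _audit(user, action, "denied", "not authorized for action")
        return "denied: not authorized"
    _audit(user, action, "allowed")
    return f"ok: {user} performed {action}"


if __name__ == "__main__":
    print(perform("alice", "correct horse battery", "refund"))
    print(perform("bob", "hunter2", "refund"))
    print(perform("bob", "wrong password", "view_logs"))
    print(perform("mallory", "anything", "refund"))
    for entry in AUDIT_LOG:
        print(entry)
```

The audit entries here are plain dictionaries that anyone with write access to the process could edit, which is exactly the gap nonrepudiation, defined next, is meant to close.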
Nonrepudiation is similar to integrity, but provides a bit more than integrity. Nonrepudiation makes the given auditing information undeniable by the party that produced it.
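The "bit more" is easiest to see side by side. The Python below is an added example, not code from the original post. It first tags a constructed audit record with a shared-key HMAC, which protects integrity but leaves the record deniable because the verifier holds the same key and could have produced the tag itself. It then signs the same record with a digital signature that only the signer can create. To keep the example runnable with the standard library alone, the signature scheme used is a Lamport one-time signature built from SHA-256; a production system would use Ed25519 or RSA from a vetted library, but the nonrepudiation property shown is the same. The record contents, key names and the "alice" identity are constructed.

```python
import hashlib
import hmac
import os

# Lamport one-time signature, built from hashlib alone so this example
# runs with the standard library. A Lamport key pair must sign exactly
# ONE message; reusing it leaks enough secrets to allow forgery.

N = 256  # bits in a SHA-256 digest, one secret pair per bit


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen():
    """Private key: 256 pairs of random secrets. Public key: their hashes."""
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(N)]
    pk = [(_h(a), _h(b)) for a, b in sk]
    return sk, pk


def _message_bits(message: bytes) -> list:
    digest = int.from_bytes(_h(message), "big")
    return [(digest >> (N - 1 - i)) & 1 for i in range(N)]


def sign(sk, message: bytes) -> list:
    """Reveal, for each digest bit, the secret on that bit's side."""
    return [pair[bit] for pair, bit in zip(sk, _message_bits(message))]


def verify(pk, message: bytes, signature: list) -> bool:
    """Anyone holding pk can check; nobody without sk can produce a signature."""
    if len(signature) != N:
        return False
    return all(
        hmac.compare_digest(_h(secret), pair[bit])
        for pair, bit, secret in zip(pk, _message_bits(message), signature)
    )


def demo() -> tuple:
    # Constructed audit record of the kind a terminal might send the bank.
    record = b"2024-01-01T12:00:00Z terminal-17 refund 50 USD approved_by=alice"

    # Integrity only: a shared-key HMAC. The bank holds the same key, so it
    # can produce this exact tag itself, and alice can deny the record.
    shared_key = b"constructed-shared-key"
    tag = hmac.new(shared_key, record, hashlib.sha256).digest()
    bank_reproduces_tag = hmac.compare_digest(
        hmac.new(shared_key, record, hashlib.sha256).digest(), tag)

    # Nonrepudiation: alice signs with sk she alone holds; the bank keeps pk.
    alice_sk, alice_pk = keygen()
    sig = sign(alice_sk, record)
    genuine = verify(alice_pk, record, sig)

    # Altering the record after signing breaks the signature (integrity)...
    altered = verify(alice_pk, record.replace(b"50 USD", b"5000 USD"), sig)
    # ...and a signature made with any other key does not verify under
    # alice's pk, so the bank cannot manufacture evidence against her.
    other_sk, _ = keygen()
    forged = verify(alice_pk, record, sign(other_sk, record))

    return bank_reproduces_tag, genuine, altered, forged


if __name__ == "__main__":
    print(demo())  # expected: (True, True, False, False)
```

The practical consequence for auditing is that the audit log should carry the signer's signature over each entry (and ideally a trusted timestamp) rather than only a keyed hash shared with the log server; otherwise the log operator and the subject of the log are indistinguishable as authors.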