Fundamentals of Information Security
The founder of cybernetics, Norbert Wiener, believed that information has unique characteristics and cannot be described as either energy or matter. The special status of information as a phenomenon has resulted in a proliferation of definitions.
The vocabulary of the ISO/IEC 2382:2015 standard provides the following interpretation of the notion of information technology:
To elaborate the concept of information security (IS), information is understood as anything that is available for collecting, storing, processing (editing, transformation), using and transferring in various ways, including over computer networks and other information systems.
Such information is critical and can be exposed to third parties. The development of information security systems was driven by the need to protect information from threats.
Legal Framework. Definition of Information Security
Before developing an information security strategy, it is necessary to adopt a basic definition of the concept itself, which makes it possible to apply a certain set of protection methods.
Industry experts propose to understand information security as the sustainable protection of information, its carriers and infrastructure, which ensures the integrity of information-related processes and their resistance to intentional or unintentional, natural and artificial impacts. Such impacts are classified as information security threats, which can cause damage to the subjects of information relations.
Thus, we will understand the protection of information as a set of legal, administrative, organizational and technical measures aimed at preventing real or alleged IS threats, as well as eliminating their consequences. Protection should be ongoing and should counter threats at all phases of the information cycle, i.e. when information is collected, stored, processed, used and transferred.
Information security in this sense becomes one of the characteristics of system performance. At each point in time, the system must have a measurable level of security, and security should be a continuous process throughout the system's life.
Information security theory understands the subjects of information security as the owners and users of information, not only on an ongoing basis (employees) but also users who access databases in isolated instances, for example, government bodies requesting information. In a number of cases, for example in banking IS standards, owners also include shareholders or legal entities that possess certain data.
In IS fundamentals, the supporting infrastructure includes computers, networks, telecommunication equipment, premises, life support systems and staff. When analyzing security, it is necessary to review all system elements, with special attention to employees, who can provoke internal threats.
The characteristic of acceptability is used for managing information security and assessing damage. Damage can be acceptable or unacceptable. Each company should approve its own criteria for the acceptability of damage, expressed in monetary terms or, for example, as acceptable reputational damage. Public institutions can adopt other characteristics, for example the impact on the management process or the degree of damage to the life and health of citizens. Criteria for the significance, importance and value of information may change during the information's life cycle, so they should be reviewed in a timely manner.
An information threat in the narrow sense is defined as the objective possibility of influencing the object of protection, which can result in the leakage, theft, disclosure or dissemination of information. In a broader sense, threats are information-based actions aimed at damaging a state, an organization or an individual. Such threats include, for example, defamation, fraudulent misrepresentation and improper advertising.
The authors of the IS concept of any organization should answer three main questions:
For legal entities, the information security system involves three basic notions: integrity, accessibility and confidentiality. Each of them covers a number of concepts and features.
Integrity means the resistance of databases and other information arrays to accidental or deliberate destruction and unauthorized changes. Integrity can be considered as:
- Static, expressed in the permanence and authenticity of information objects relative to those created for a specific technical task, and which contain the amount of information that users need to perform their main activity, in the proper combination and sequence.
- Dynamic, implying the correct execution of complex actions or transactions without harming the safety of the information.
Dynamic integrity is ensured with the use of technical means that analyze information flows and identify incidents of theft, duplication, redirection and changes in message order. As the main characteristic, integrity is important when decisions about actions must be taken on the basis of incoming or existing information. A violated order of commands or sequence of actions can cause great damage when it concerns descriptions of technological processes, software code and similar situations.
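The technical means described above, which analyze a message flow and flag unauthorized changes, duplication, redirection and changes in message order, can be illustrated with a small flow monitor. The following is an added example written for this article, not code from the original page; it assumes a pre-shared HMAC key, a JSON message format with a sequence number and addressing fields, and a constructed message stream, all of which are illustrative assumptions.

```python
import hashlib
import hmac
import json

# Constructed shared key for the example only (in practice it comes from key management).
KEY = b"example-shared-key-not-for-production"


def _canonical(fields):
    """Serialize message fields deterministically so sender and checker hash the same bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def protect(seq, sender, recipient, body, key=KEY):
    """Build a message carrying a sequence number, addressing and an HMAC-SHA256 tag."""
    msg = {"seq": seq, "from": sender, "to": recipient, "body": body}
    msg["tag"] = hmac.new(key, _canonical(msg), hashlib.sha256).hexdigest()
    return msg


class IntegrityMonitor:
    """Checks a stream of messages for tampering, redirection, duplication and reordering."""

    def __init__(self, expected_recipient, key=KEY):
        self.expected_recipient = expected_recipient
        self.key = key
        self.next_seq = 1       # sequence number we expect to see next
        self.seen = set()       # sequence numbers already accepted

    def check(self, msg):
        # 1. Unauthorized change: recompute the tag over every field except the tag itself.
        fields = {k: v for k, v in msg.items() if k != "tag"}
        expected = hmac.new(self.key, _canonical(fields), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg.get("tag", "")):
            return "TAMPERED"
        # 2. Redirection: a message addressed to another recipient arrived on this channel.
        if msg["to"] != self.expected_recipient:
            return "REDIRECTED"
        # 3. Duplication: a sequence number we have already accepted.
        if msg["seq"] in self.seen:
            return "DUPLICATE"
        # 4. Order: anything other than the next expected number is a gap or a reorder.
        verdict = "OK" if msg["seq"] == self.next_seq else "OUT_OF_ORDER"
        self.seen.add(msg["seq"])
        self.next_seq = max(self.next_seq, msg["seq"] + 1)
        return verdict


def run_demo():
    """Feed a constructed stream with each incident type through the monitor; return verdicts."""
    stream = [protect(i, "ops", "finance", f"transfer step {i}") for i in range(1, 5)]

    # Constructed incidents: body altered after tagging, and a message meant for another recipient.
    altered = dict(stream[3])
    altered["body"] = "transfer step 4 (amount changed)"
    misrouted = protect(5, "ops", "hr", "salary table")

    delivered = [stream[0], stream[2], stream[1], stream[2], altered, misrouted, stream[3]]
    monitor = IntegrityMonitor("finance")
    return [monitor.check(m) for m in delivered]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The tag covers the addressing fields as well as the body, so redirecting a message by rewriting its recipient is caught as tampering, while a validly tagged message that was meant for someone else is reported as a redirection; the sequence number turns duplication and reordering into checks the receiver can make without any out-of-band state.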
Accessibility is the property that allows authorized subjects to access or share data. The key requirement of legitimization or authorization of subjects makes it possible to set different access levels. A system's failure to provide information is a problem for any organization or group of users. For example, the inaccessibility of government service websites in the event of a system failure makes it impossible for many users to obtain the necessary services or information.
Confidentiality means the property of information to be available only to users, parties and processes with the initially granted authorization. Most companies and organizations consider confidentiality a key element of information security. However, it is difficult to put into practice. Not all data on existing leakage channels is available to the authors of IS concepts, and many technical security means, including cryptographic ones, cannot be purchased freely, as in some cases they are restricted.
The same IS properties have different value for different users. That is why there are two extreme categories in the development of data protection concepts: confidentiality is the key parameter for companies or organizations dealing with state secrets, while accessibility is the most important parameter for public services or educational institutions.
Objects of Protection in IS Concepts
The difference in subjects generates differences in the objects of protection. The main groups of objects are:
- Information resources of all kinds (a resource is a material object: a hard disk or other medium, or a document with data and company details that help to identify it and attribute it to a specific group of subjects).
- The rights of citizens, organizations and states to access information and the opportunity to receive it within the law. It is inadmissible to create any barriers that violate human rights; only legal acts can restrict access.
- Systems for the creation, use and distribution of data (systems and technologies, archives, libraries, regulatory documents).
- Systems for shaping public opinion (mass media, Internet resources, social institutions, educational institutions).
Each object requires a special system of protection measures against threats to IS and public order. In each case, information security requires a systematic approach that takes into account the specific nature of the object.
Categories and Information Carriers
The legal system, law enforcement practice and established social relations classify information according to its accessibility. This makes it possible to clarify the essential parameters necessary to ensure information security:
- Information to which access is restricted in accordance with laws (state secrets, commercial secrets, personal data).
- Information in the public domain.
- Publicly available information provided on certain conditions: paid information or information requiring an access permit, for example a library card.
- Dangerous, harmful, false and other information whose circulation and distribution are limited either by law or by corporate standards.
An information carrier is a separate object in the theory and practice of information security. It can have open or restricted access. When developing the IS concept, protection methods are chosen depending on the carrier type. The main information carriers are:
- Print and electronic media, social networks and other Internet resources.
- Employees who have access to information on the grounds of friendly, family or professional relations.
- Communication means that transmit or store information: phones, PBXs and other telecommunications equipment.
- All types of documents: personal, official, state.
- Software as an independent information object, especially when developed specifically for a particular company.
- Electronic information carriers that process data automatically.
Means of Information Protection
For developing IS protection concepts, information protection tools are divided into normative (informal) and technical (formal) ones.
Informal means of protection are documents, rules and measures. Formal means include special technical means and software. This differentiation helps to allocate areas of responsibility when creating IS systems: under general protection management, administrative staff apply normative methods, while IT specialists implement technical means.
The fundamentals of information security imply the delineation of powers not only in the use of information but also in the sphere of its protection. Such a delimitation also requires several levels of control.
Informal means of protection
Informal means of protection are divided into normative, administrative, and moral and ethical means. The first level of protection includes normative means, which regulate information security as a process within the company's activities.
- Normative means
This category of information security means is represented by legislative acts and regulatory documents applied at the corporate level.
In world practice, the development of regulatory tools is guided by standards related to IS protection, the main one being ISO/IEC 27000. The standard was created by two organizations:
- ISO – the International Organization for Standardization, which elaborates and approves most internationally recognized methods for the certification of management and production quality.
- IEC – the International Electrotechnical Commission, which has made its own proposals on the understanding of IS systems and the means and methods of ensuring IS.
The updated version, ISO/IEC 27000-2016, offers ready standards and proven methodologies for implementing IS. According to its authors, the idea of information security lies in the systematic and consistent implementation of all stages from development to post-control.
It is necessary to implement all the recommendations in full in order to obtain a certificate of compliance with information security standards. If a certificate is not required, any of the earlier versions of the standard, starting from ISO/IEC 27000-2002, can be used for the development of IS systems.
Two documents are developed on the basis of the standard. The main, but less formal, one is the enterprise IS concept, which defines the measures and methods of implementing the IS system in corporate information systems. The second document, which all company employees are obliged to follow, is a provision on information security approved by the board of directors or the executive body.
Apart from corporate provisions, it is necessary to develop lists of information constituting commercial secrets, annexes to employment contracts regulating responsibility for the disclosure of confidential data, and other standards and methodologies. Internal rules and regulations should provide implementation mechanisms and sanctions. The sanctions are mostly disciplinary, and the offender must know that a violation of commercial confidentiality entails substantial penalties, up to and including dismissal.
- Organizational and administrative means
Security staff have room for creativity in ensuring information security within the administrative area. This includes architectural and planning solutions that protect meeting rooms and executive offices from eavesdropping and that set different levels of access to information. Important organizational measures include certifying the company's activities according to ISO/IEC 27000, certifying individual hardware and software sets, certifying subjects and objects for compliance with the necessary security requirements, and licensing for work with protected information arrays.
Regulation of employee activities should include the systemization of requests for Internet access, external e-mail and other resources. A separate activity is obtaining an electronic digital signature to enhance the security of financial and other information transmitted to government authorities via e-mail channels.
- Moral and ethical means
Moral and ethical means define the personal attitude to confidential or restricted information. Raising employees' awareness of the impact of threats on the company's activities influences their level of consciousness and responsibility. It is necessary to focus on employees' personal awareness of information violations, including the sharing of passwords, careless use of media, and the dissemination of confidential data in private conversations. It is useful to establish employee performance indicators that depend on their attitude to the corporate information security system.
Formal protection means
A wide range of technical means for protecting IS includes:
Physical means of protection. These include mechanical, electrical and electronic mechanisms that function independently of information systems and create barriers to accessing them. Locks (including electronic ones), screens and shutters are designed to prevent destabilizing factors from coming into contact with systems. This group also includes security system components such as video cameras, DVRs and sensors that detect movement or an excess level of electromagnetic emission in the zone of information retrieval technology, as well as listening equipment.
Hardware means of protection. These are electrical, electronic, optical, laser and other devices embedded in information and telecommunications systems. Hardware must be checked for compatibility before being integrated into information systems.
Software means are simple and comprehensive programs designed to solve specific and complex information security tasks. Examples of comprehensive solutions are DLP systems and SIEM systems. The former serve to prevent leakage, reformatting and redirection of information flows, while the latter ensure protection against information security incidents. Such software places heavy demands on hardware, so additional capacity should be reserved during installation.
Specific means of information security include various cryptographic algorithms that make it possible to encrypt information on disks and information redirected via external communication channels. In corporate information systems, the information can be transformed by software and hardware methods.
All means that guarantee information security should be used together, after a preliminary assessment of the information's value compared with the cost of the resources spent on protection. That is why proposals on the use of funds should be formulated at the system development stage and adopted by the management responsible for budget approval.
To ensure security, it is necessary to keep up with modern developments in protection software and hardware and in threats, and to make timely changes to systems for protection against unauthorized access. Only an adequate and rapid response to threats will help to achieve a high level of confidentiality in company activities.