INFORMATION SECURITY: Information security (IS) is designed to protect the confidentiality, integrity and availability of computer system data from those with malicious intentions. Confidentiality, integrity and availability are sometimes referred to as the CIA Triad of information security. This triad has evolved into what is commonly termed the Parkerian hexad, which includes confidentiality, possession (or control), integrity, authenticity, availability and utility.
NEED: The purpose of information security management is to ensure business continuity and reduce business damage by preventing and minimising the impact of security incidents. The Audit Commission Update report (1998) shows that fraud or cases of IT abuse often occur due to the absence of basic controls, with one half of all detected frauds found by accident. An Information Security Management System (ISMS) enables information to be shared, whilst ensuring the protection of information and computing assets. The Audit Commission Update report shows that in the UK the percentage of organizations reporting incidents of IT fraud and abuse in 1997 rose to 45% from 36% in 1994. While equipment theft is a real problem, the most damaging aspect is the loss of data and software. Sources of damage such as computer viruses, computer hacking and denial of service attacks have become more common, more ambitious and increasingly sophisticated.
The internet exposes organizations to an increased risk that networks will be accessed improperly, data corrupted and viruses introduced. The percentage of organizations reporting hacking incidents has trebled, with telephone systems as a new target. Not all breaches are the result of crime; inadvertent misuse and human error play their part too. Virus infections are still the single most prevalent form of abuse. Threats such as fire, system crashes and power cuts are more commonplace than crime and just as destructive. Poor supervision of staff and lack of proper authorization procedures are frequently highlighted as the main causes of security incidents. Companies vary in their approach to preventing security breaches: some prohibit everything, making mundane access tasks difficult; others are too lax and permit access to all by all, exposing themselves to a high degree of risk. Business efficiency relies on striking the right balance, and this is where standards can help.
Dependence on information systems and services means organizations are more vulnerable to security threats. The interconnecting of public and private networks and sharing of information resources increases the difficulty of achieving access control. The trend for distributed computing has weakened the effectiveness of central, specialist control.
GOALS OF INFORMATION SECURITY: CONFIDENTIALITY: The confidentiality aspect refers to limiting the disclosure of and access to information to only the people who are authorized, and preventing those not authorized from accessing it. Through this principle, a company or organization is able to prevent highly sensitive and vital information from getting into the hands of the wrong people while still making it accessible to the right people. Encryption: To begin with, encryption of data involves converting the data into a form that can only be understood by the people authorized. In this case, the information is converted into ciphertext, a format that is very difficult to understand without the key. Once security threats have been dealt with, the information can be decrypted, that is, converted back to its original form so that it can be understood. The encryption process can involve the use of highly sophisticated and complex computer algorithms, which rearrange and transform the bits of the data so that the result carries no readable information. If such an encryption process is used, then decryption of the same information requires one to have the appropriate decryption key. Encryption should be applied to data at rest, that is, data stored on a hard drive or USB flash drive. Data in motion should also be encrypted; data in motion refers to any kind of data that is travelling across a network.
INTEGRITY: Integrity is another security concept that entails maintaining data in a consistent, accurate and trustworthy manner over the whole period in which it exists. In this case, one has to ensure that data is not changed in the course of that period. In addition, the right procedures have to be in place to ensure that unauthorized people do not alter the data. Hashing: Hashing is a branch of cryptography that converts data in such a way that the result is computationally infeasible to invert. This is mainly done when one is storing data on some storage device, so that an individual who gains access to it cannot change it without the change being detected. Digital signatures: Digital signatures are a special type of data safety mechanism in which a special kind of signature is required to access some particular information. The signature can take the form of a QR code that must be properly read so as to access the data.
CERTIFICATES: These are special types of user credentials that are required in order to gain access to some particular information. In this case, an individual without such a certificate cannot access that piece of information. These certificates guarantee certain permissions and rights. Non-repudiation: In information security, non-repudiation is a cryptographic property that provides for the digital signing of a message by an individual who holds the private key corresponding to a particular digital signature.
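The hashing described under INTEGRITY and the private-key signing described under Non-repudiation, as one added example that is not part of the original text. It uses Go's standard-library SHA-256 and Ed25519; the transfer record and the key pair are constructed for the demonstration. A changed record changes its hash, and a signature verifies only for the unchanged record and only under the signer's public key, which is what lets the signer's origin be established later.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Fingerprint returns the SHA-256 digest of data as hex. Any change to data
// changes the digest, and the digest cannot be inverted to recover data.
func Fingerprint(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// Sign produces an Ed25519 signature over record using the signer's private
// key; only the holder of that key can produce it.
func Sign(priv ed25519.PrivateKey, record []byte) []byte {
	return ed25519.Sign(priv, record)
}

// Verify checks sig against the signer's public key. A true result shows both
// that record is unchanged and that the private-key holder signed it.
func Verify(pub ed25519.PublicKey, record, sig []byte) bool {
	return ed25519.Verify(pub, record, sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)              // constructed demo key pair
	record := []byte("transfer 100.00 from ACC-1 to ACC-2")        // constructed sample record
	altered := []byte("transfer 900.00 from ACC-1 to ACC-2")       // the same record after tampering
	sig := Sign(priv, record)
	fmt.Println("stored hash:              ", Fingerprint(record))
	fmt.Println("hash matches after edit:  ", Fingerprint(altered) == Fingerprint(record))
	fmt.Println("signature valid:          ", Verify(pub, record, sig))
	fmt.Println("signature valid after edit:", Verify(pub, altered, sig))
}
```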