Principle of Information System Security
Information System Security, or INFOSEC, refers to the process of protecting computers, networks and the data associated with them. As more information is stored across wide networks, it becomes ever more crucial to protect it from unauthorised parties who might misuse it. Every organisation holds data sets that contain confidential information about its activities.
The major reason for providing security to information systems is not one-fold but three-fold: confidentiality, integrity and availability.
Together, these three tiers form the CIA triangle, which has come to be known as the foremost requirement for securing an information system. These three levels justify the principle of information system security.
Let us go through them one by one:
- Confidentiality: The essence of this property is that only authorised personnel should be allowed access to the data and the system; unauthorised individuals must be kept away from the information. This is ensured by checking the authorisation of every individual who tries to access the database. For example, an organisation's administration must not be allowed to access the private information of its employees.
- Integrity: Integrity is ensured when the presented data is untouched, that is, not altered by any unauthorised party, so that the information can be relied upon without further checking. Integrity can be compromised either intentionally or unintentionally. Intentionally, an individual may alter the information by introducing malicious content; unintentionally, an authorised individual might damage the information himself, for example by deleting a specific important part of it.
- Availability: This property means that the information can be accessed and modified by authorised personnel within a given time frame. The point to note here is that the accessibility of the information is limited: the time frame within which it can be accessed differs for every organisation.
Balancing Information Security and Access:
It is the sole purpose of the organisation to protect the interests of its users and to provide them with the appropriate amount of information whenever necessary. At the same time, it is necessary to provide adequate security so that not just anyone can access the information. The need to maintain the right balance between information security and accessibility arises from the fact that information security can never be absolute.
Providing free access to a piece of information would be harmful, and it would be hard to restrict all access to it. So one needs to make sure that exactly the required balance is maintained, so that both the users and the security professionals are satisfied.
Tools of Information Security:
There are various tools which are, or can be, used by organisations to ensure maximum information system security. These tools do not guarantee absolute security but, as stated above, help in forming the crucial balance between information access and security.
Let us study these tools one by one:
- Authentication: This is the foremost tool to keep in mind before starting the crucial process of ensuring security. Authentication is the process by which the system identifies someone using one or more factors. These factors must be unique for most users; examples are an ID and password combination, face recognition, or a thumb impression. These factors cannot always be trusted on their own, as one could lose them or an outsider could obtain them. For these circumstances, one can use multi-factor authentication, which combines two or more of the above factors.
- Access Control: After ensuring that the right individual gets access to the information, one has to make sure that only the appropriate information reaches him or her. Using access control, the system judges which user may read, write or modify a certain piece of information. For this it generally maintains a list of all users, and one finds two types of list:
  - Access Control List (ACL) – simply the list of individuals who are eligible to access the information.
  - Role-Based Access Control (RBAC) list – comprises the names of authorised personnel and the respective actions they are authorised to perform on the information.
- Encryption: Sometimes information is transmitted over the internet, which increases the risk of someone accessing it, so the tools have to be strong enough to prevent that; otherwise the information could be easily read and modified by anyone along the way. To avoid this, another tool is put to work: encryption. Using encryption, one turns the confidential information into unreadable characters that are hard to decrypt, so that only the authorised recipients of the information can read it easily.
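As an added example of the two list styles described under Access Control above (not code from the original article), the following shows an ACL that attaches permitted actions to a resource per user beside an RBAC list that maps users to roles and roles to actions; all users, roles, resources and permissions are constructed, and every decision is written to an audit list so denied attempts can be reviewed.

```python
# Added example: ACL-style versus role-based access control, with default deny.
# All users, roles, resources and permissions below are constructed sample data.
from typing import Dict, List, Set

READ, WRITE, DELETE = "read", "write", "delete"

# ACL style: each resource carries its own list of who may do what to it.
ACL: Dict[str, Dict[str, Set[str]]] = {
    "payroll.db": {"hr_manager": {READ, WRITE}, "auditor": {READ}},
}

# RBAC style: users hold roles, and roles carry the actions they may perform.
# For brevity a role here grants its actions on every resource.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {"hr": {READ, WRITE}, "audit": {READ}}
USER_ROLES: Dict[str, Set[str]] = {"alice": {"hr"}, "bob": {"audit"}}

# One line per decision, so refused attempts are visible for later review.
AUDIT_LOG: List[str] = []


def acl_allows(resource: str, user: str, action: str) -> bool:
    """Default deny: an unknown resource, user or action is refused."""
    return action in ACL.get(resource, {}).get(user, set())


def rbac_allows(user: str, action: str) -> bool:
    """Allowed when at least one of the user's roles grants the action."""
    return any(action in ROLE_PERMISSIONS.get(role, set())
               for role in USER_ROLES.get(user, set()))


def revoke_role_permission(role: str, action: str) -> None:
    """Changing a role changes every user holding it, which is RBAC's appeal."""
    ROLE_PERMISSIONS.get(role, set()).discard(action)


def check_access(user: str, resource: str, action: str, model: str = "rbac") -> bool:
    """Evaluate the request under the chosen list model and record the decision."""
    if model == "acl":
        allowed = acl_allows(resource, user, action)
    else:
        allowed = rbac_allows(user, action)
    AUDIT_LOG.append(f"user={user} resource={resource} action={action} "
                     f"decision={'ALLOW' if allowed else 'DENY'}")
    return allowed


if __name__ == "__main__":
    check_access("alice", "payroll.db", WRITE)          # ALLOW via role "hr"
    check_access("bob", "payroll.db", DELETE)           # DENY: audit role is read-only
    check_access("mallory", "payroll.db", READ, "acl")  # DENY: not on the ACL
    print("\n".join(AUDIT_LOG))
```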