Let's get started with the very basic terms that we normally use whenever talking about IS security, but hardly think deeply about their actual meanings.
1. Security Management – a process that includes proper identification of the company's assets, assigning them values, and documenting and implementing security policies, standards, procedures and guidelines to protect these assets from unauthorized disclosure, tampering, or destruction.
2. In order to protect the resources, we need to control access to them in various forms.
These controls can broadly be categorized into three types – Administrative, Technical and Physical.
Administrative Controls – creation and publication of policies, standards and procedures; security awareness training; screening and scrutiny of security personnel.
Technical Controls – a.k.a. logical controls, such as password management, deployment of authentication methods, host- and network-based IDS, and security devices and their configuration.
Physical Controls – controlling access to the facility, locking systems, destroying unnecessary CDs, floppies and other media, perimeter fencing, and monitoring CCTV for intrusion.
3. CIA triad – The most fundamental purpose of implementing any security procedure at any level – hardware, software, technical, administrative, or physical – is to achieve these three properties:
a. Confidentiality – data should not be disclosed to any unauthorized subject/software, so as to protect its privacy.
b. Integrity – data should not undergo any change/modification by any unauthorized subject, so as to protect its form and content.
c. Availability – data must be available for viewing/use by authorized subjects whenever needed; e.g. a server would not be available for processing requests if it was brought down by a DoS attack.
4. Some important words –
a. Vulnerability – a weakness in the software/hardware which may serve as a backdoor for an unauthorized subject to attack/compromise a system's security. e.g. An open window without panes in a house may leave an open door for unwanted people to enter the house.
b. Threat – someone or something that might exploit the vulnerability to attack/compromise the system; it is the potential danger. e.g. For an open window in the house, a thief is a threat agent.
c. Risk – the probability that the threat agent will exploit the vulnerability to compromise the security of the system. e.g. In the house with an open window, theft is the risk. This risk may be higher if the window opens into one of the rooms. The risk of theft may be lower if the window opens into the backyard of the house, as the rooms might be further protected by locks.
d. Exposure – an instance of being susceptible to damage/loss due to an attack by a threat agent. Vulnerabilities in the system can cause exposure to losses.
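The terms above (asset values from security management, vulnerability, threat, risk and exposure) come together in a risk register, which is how a security team decides which weakness to fix first. The following Python example is added here and is not part of the original notes; it assumes a common quantitative model (risk as expected loss = likelihood × asset value × exposure factor) that the notes do not define, and the assets, vulnerabilities and numbers are constructed sample data.

```python
from dataclasses import dataclass, replace
from typing import List


@dataclass(frozen=True)
class Asset:
    name: str
    value: float  # value assigned during security management (constructed sample figures)


@dataclass(frozen=True)
class Finding:
    asset: Asset
    vulnerability: str      # the weakness in the system
    threat: str             # the threat agent that might exploit it
    likelihood: float       # probability (0..1) that the threat exploits the vulnerability
    exposure_factor: float  # fraction (0..1) of the asset's value lost if that happens


def expected_loss(f: Finding) -> float:
    """Risk expressed as expected loss.

    Assumption: likelihood x (asset value x exposure factor) is a common
    quantitative risk model; it is not something the notes themselves define.
    """
    if not 0.0 <= f.likelihood <= 1.0 or not 0.0 <= f.exposure_factor <= 1.0:
        raise ValueError("likelihood and exposure_factor must be in [0, 1]")
    return f.likelihood * f.asset.value * f.exposure_factor


def rank_findings(findings: List[Finding]) -> List[Finding]:
    """Highest expected loss first, so the register doubles as a remediation priority list."""
    return sorted(findings, key=expected_loss, reverse=True)


def apply_control(f: Finding, likelihood_reduction: float) -> Finding:
    """Model a control (administrative, technical or physical) that lowers the
    probability of exploitation; returns the finding with its residual likelihood.

    likelihood_reduction is the fraction (0..1) by which the control cuts the likelihood.
    """
    if not 0.0 <= likelihood_reduction <= 1.0:
        raise ValueError("likelihood_reduction must be in [0, 1]")
    return replace(f, likelihood=f.likelihood * (1.0 - likelihood_reduction))


# Constructed sample register: three assets, one finding each.
DB = Asset("customer database", 500_000.0)
WEB = Asset("public web server", 100_000.0)
LAPTOP = Asset("office laptop", 2_000.0)

SAMPLE_FINDINGS = [
    Finding(DB, "unpatched database server", "external attacker", likelihood=0.3, exposure_factor=0.6),
    Finding(WEB, "no request rate limiting", "DoS attacker", likelihood=0.5, exposure_factor=0.1),
    Finding(LAPTOP, "no disk encryption", "thief", likelihood=0.1, exposure_factor=1.0),
]


def priority_names(findings: List[Finding]) -> List[str]:
    """Asset names in remediation order (helper for callers and tests)."""
    return [f.asset.name for f in rank_findings(findings)]


if __name__ == "__main__":
    for f in rank_findings(SAMPLE_FINDINGS):
        print(f"{f.asset.name:22s} {f.vulnerability:28s} risk={expected_loss(f):>10,.0f}")
    # A technical control (patching) that cuts the likelihood by 80 % lowers the
    # top finding's residual risk from 90,000 to 18,000.
    patched = apply_control(SAMPLE_FINDINGS[0], likelihood_reduction=0.8)
    print(f"after patching: residual risk={expected_loss(patched):,.0f}")
```

Note that the exposure factor separates "the system can be hurt" (exposure) from "how likely it is to be hurt" (likelihood), which is exactly the distinction between exposure and risk in the notes; a control that reduces likelihood changes the risk but not the exposure factor.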