Basic Security Concepts
Three basic security concepts important to information on the internet are confidentiality, integrity, and availability. Concepts relating to the people who use that information are authentication, authorization, and nonrepudiation.
When information is read or copied by someone not authorized to do so, the result is known as loss of confidentiality. For some types of information, confidentiality is a very important attribute. Examples include research data, medical and insurance records, new product specifications, and corporate investment strategies. In some locations, there may be a legal obligation to protect the privacy of individuals. This is particularly true for banks and loan companies; debt collectors; businesses that extend credit to their customers or issue credit cards; hospitals, doctors’ offices, and medical testing laboratories; individuals or agencies that offer services such as psychological counseling or drug treatment; and agencies that collect taxes.
Information can be corrupted when it is available on an insecure network. When information is modified in unexpected ways, the result is known as loss of integrity. This means that unauthorized changes are made to information, whether by human error or intentional tampering. Integrity is particularly important for critical safety and financial data used for activities such as electronic funds transfers, air traffic control, and financial accounting.
Information can be erased or become inaccessible, resulting in loss of availability. This means that people who are authorized to get information cannot get what they need. Availability is often the most important attribute in service-oriented businesses that depend on information (for example, airline schedules and online inventory systems).
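To make the distinction between integrity and confidentiality concrete, here is an added example (not from the original page) using only the Python standard library: an HMAC tag over a constructed funds-transfer record detects both deliberate tampering and an accidental re-keying error, yet leaves the record fully readable, so integrity protection alone says nothing about confidentiality. The record, the key and the function names are assumptions chosen for illustration.

```python
import hmac
import hashlib
import json

# Constructed sample: an electronic funds transfer record (not real data).
TRANSFER = {"from": "ACCT-1001", "to": "ACCT-2002", "amount": "250.00", "currency": "USD"}

# Hypothetical shared secret between the two systems; in practice this comes
# from a key-management service, never a literal in source.
KEY = b"example-shared-key-not-for-production"


def canonical(record: dict) -> bytes:
    """Serialise deterministically so the same record always yields the same tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def protect(record: dict, key: bytes) -> str:
    """Compute an HMAC-SHA256 tag; the tag is the integrity proof for the record."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify(record: dict, tag: str, key: bytes) -> bool:
    """Recompute the tag and compare in constant time to detect any change."""
    expected = protect(record, key)
    return hmac.compare_digest(expected, tag)


def demo() -> dict:
    """Show integrity detection for both tampering and accidental corruption."""
    tag = protect(TRANSFER, KEY)
    results = {"original": verify(TRANSFER, tag, KEY)}

    # Intentional tampering: the amount is changed after the tag was issued.
    tampered = dict(TRANSFER, amount="2500.00")
    results["tampered"] = verify(tampered, tag, KEY)

    # Human error: a typo in the destination account while re-keying the record.
    mistyped = dict(TRANSFER, to="ACCT-2020")
    results["mistyped"] = verify(mistyped, tag, KEY)

    # The record is readable by anyone holding it: integrity protection says
    # nothing about confidentiality, which would need encryption.
    results["readable"] = "amount" in canonical(TRANSFER).decode()
    return results


if __name__ == "__main__":
    print(demo())
```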
CISSP
Certified Information Systems Security Professional (CISSP) is an information security certification developed by the International Information Systems Security Certification Consortium, also known as (ISC)². The CISSP designation is a globally recognized, vendor-neutral standard for attesting to an IT security professional’s technical skills and experience in implementing and managing a security program.
Security Administration Procedures
Security administration entails identifying a company’s high-value data and developing, recording, and implementing policies, operations, and standards. Administration techniques such as data categorization and threat assessment can be used to identify possible threats, categorize valuable data, and rate security weaknesses so that effective measures can be implemented.
Security Architecture and Models
This involves the principles, framework, and guidelines followed to design, track, and protect operating systems, hardware, networks, and application software as well as the controls utilized to enforce different degrees of robustness, consistency, and confidentiality.
Access Management Systems and Methodology
Access management systems are a collection of mechanisms that work in unison to build a security infrastructure to guard the high-value data of the IT system.
Software Development Security
This involves the key security concepts related to application development. Application software development security describes the environment in which programs are designed and developed and explains the vital part application software plays in providing IT system protection.
Secure Operations
This concerns identifying the controls over equipment, data storage, and the technicians and administrators with access rights to any of these resources. Audit and tracking are the tools and facilities that make security-relevant activity visible and support follow-on actions to identify its essential elements and convey the associated information to the designated individual, team, or mechanism.
Physical Security
Site security addresses security techniques for the entire facility, from the outside perimeter to the inside office space, including all of the IT system resources.
Cryptography
Cryptography involves the concepts, means, and methods of disguising data to preserve its integrity, confidentiality, and authenticity.
Telecom, LAN and WAN Security
This area involves:
- Network infrastructure
- Transmission methods
- Transport formats
- Security measures used to provide availability, integrity, and confidentiality
- Validation for transmissions over private and public communications networks and media
Business Continuity Preparedness
This addresses the protection and restoration of commercial operations in the event of network disruptions.
Law, Investigation and Ethics
This concerns:
- Computer crime regulations
- The procedures and mechanisms used to investigate information system crime