Information security, sometimes shortened to InfoSec, is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. It is a general term that can be used regardless of the form the data may take (e.g. electronic, physical).
Information security: a “well-informed sense of assurance that the information risks and controls are in balance.”—Jim Anderson, Emagined Security, Inc.
Computer security began immediately after the first mainframes were developed. Groups developing code-breaking computations during World War II created the first modern computers. Multiple levels of security were implemented: physical controls limited access to sensitive military locations to authorized personnel; however, these measures were rudimentary in defending against physical theft, espionage, and sabotage.
1970s and 80s
Information security began with Rand Report R-609 (the paper that started the study of computer security and identified the role of management and policy issues in it). The scope of computer security grew from physical security to include:
- Securing the data
- Limiting random and unauthorized access to data
- Involving personnel from multiple levels of the organization in information security
Networks of computers became more common, as did the need to connect them to each other. The Internet became the first global network of networks, and initially network connections were based on de facto standards. In early Internet deployments, security was treated as a low priority. In 1993, the DEFCON conference was established for those interested in information security.
2000 to Present
The Internet brings millions of unsecured computer networks into continuous communication with each other. The ability to secure a computer's data is influenced by the security of every computer to which it is connected. However, the growing threat of cyber attacks has increased awareness of the need for improved security, and nation-states are now engaging in information warfare.
What is Security?
It is “A state of being secure and free from danger or harm; the actions taken to make someone or something secure.”
A successful organization should have multiple layers of security in place to protect:
- Physical infrastructure
The C.I.A. triad is a standard based on Confidentiality, Integrity, and Availability, which is now viewed as inadequate on its own. The expanded model consists of a list of critical characteristics of information.
Key Information Security Concepts
Key concepts in information security include:
- Access
- Asset
- Attack
- Control, safeguard, or countermeasure
- Exploit
- Exposure
- Loss
- Protection profile or security posture
- Risk
- Subjects and objects
- Threat
- Threat agent
- Vulnerability
Critical Characteristics of Information
The value of information comes from the characteristics it possesses:
Information Security Model – The McCumber Cube
The Security Systems Development Life Cycle (SecSDLC)
The same phases used in the traditional SDLC can be adapted to support implementation of an information security project. It involves identifying specific threats and creating specific controls to counter them. It is a coherent program rather than a series of random, seemingly unconnected actions. The following steps are used in the design cycle:
- Logical Design
- Physical Design
- Maintenance and Change