Tuesday, June 26, 2018

Concepts of Information Security

This chapter discusses security policies in the context of the requirements for information security and the circumstances in which those requirements must be met. It examines common principles of management control and reviews typical system vulnerabilities, in order to motivate consideration of the specific kinds of security mechanisms that can be built into computer systems to complement nontechnical management controls and thus implement policy, and to stress the importance of establishing GSSP (generally accepted system security principles). The two chapter appendixes provide additional information on privacy issues and detail the results of an informal survey of commercial security officers.

Organizations and people that use computers can describe their needs for information security and trust in systems in terms of three major requirements:

Confidentiality: controlling who gets to read information;

Integrity: assuring that information and programs are changed only in a specified and authorized manner; and

Availability: assuring that authorized users have continued access to information and resources.

These three requirements may be emphasized differently in various applications. For a national defense system, the chief concern may be ensuring the confidentiality of classified information, whereas a funds transfer system may require strong integrity controls. The requirements for applications that are connected to external systems will differ from those for applications without such interconnection. Thus the specific requirements and controls for information security can vary.
