Wednesday, April 05, 2006
Information Security!! What & Why??
As I continue experimenting … Here are some of the answers I found most useful.
What is Information Security? How does it differ from IT Security?
Information Security is a broader term than IT Security or Internet Security or
Information Security encompasses data stored in digital form (electronic format), trade secrets, know-how, intellectual property rights, historical data, information on data access, the policies and procedures laid down, the compliance requirements and standards established within the organization, plans and budgets, financial and management data, brochures, images, logos and designs, employee information, and so on.
Information Security includes the organization's plan towards IT Security, Internet Security, Enterprise Data Security, etc. To put it in other words, it looks at protecting / safeguarding information and information systems from anyone, including employees, consultants, suppliers, customers and, of course, hackers.
However, people often confuse Information Security with IT Security. IT Security is a term more concerned with protecting an organization's hardware, software and network from the perils of disaster and external attacks (viruses, hacking, etc.). It has more to do with electronic data and is covered in the IT Policy of an organization, whereas the Information Security Policy goes beyond the network and applies to the organization as a whole.
Internet Security, on the other hand, is more concerned with the internet architecture and covers the protection required for communication between two computers over the internet / intranet.
Why does this concern me?
Information is an asset to all individuals and businesses. Information Security refers to the protection of these assets in order to achieve C - I - A - N - A (Confidentiality, Integrity, Availability, Non-Repudiation, Authentication), as shown in the following diagram:
Image Source: Hong Kong Government Website
I am considering two aspects of each … Personal and Business. Examples are a bit crude in nature.
Confidentiality –
The protection of information from being disclosed to unauthorized parties.
Personal:
Your personal data submitted to a web site should be used or accessed only by the designated staff of that company, and only for the purposes agreed. Nobody else may use the data, whether out of curiosity or for an illegal purpose.
Business:
Sensitive information such as sales figures or client data should only be accessed by authorized persons like the senior management and the sales team, but not other operation departments.
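To make the confidentiality idea concrete, here is an added example (not part of the original post, and not code from the Hong Kong government page the diagram came from) in Go using only its standard library. A customer record is encrypted with AES-256-GCM under a key held by the designated staff; anyone trying to read it with a different key, or after changing the stored bytes, gets an error instead of the data. The record contents and the idea of a "staff key" versus a "curious colleague's key" are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewKey returns a fresh random 256-bit AES key. Whoever holds it is the
// "authorized party"; anyone without it cannot read the protected data.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Encrypt seals plaintext with AES-256-GCM. A random nonce is prepended to
// the ciphertext so Decrypt can recover it.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt. It fails if the key is wrong or the stored bytes
// were modified, because GCM authenticates everything it protects.
func Decrypt(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], nil)
}

func main() {
	// Constructed sample record, the kind of personal data the post talks about.
	record := []byte("name=Jane Doe; email=jane@example.com")

	staffKey, _ := NewKey()
	sealed, _ := Encrypt(staffKey, record)
	fmt.Printf("stored form: %x\n", sealed)

	if pt, err := Decrypt(staffKey, sealed); err == nil {
		fmt.Printf("designated staff read: %s\n", pt)
	}

	// A different key (constructed "curious colleague") yields an error, not data.
	curiousKey, _ := NewKey()
	if _, err := Decrypt(curiousKey, sealed); err != nil {
		fmt.Println("someone else's key:", err)
	}
}
```

The stored form is what a database or backup would hold; confidentiality then reduces to controlling who holds the key rather than who can reach the bytes.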
Integrity –
The protection of information from being changed by unauthorised parties.
Personal:
Your personal data submitted to a website should not be altered during data transmission or by the website company.
Business:
Important documents or figures should not be changed by unauthorized persons without any notice.
Availability –
Information being made available to authorised parties when requested.
Personal:
You should be able to access and check your personal data kept in a website.
Business:
Authorised senior management should be able to access sales figures when needed; or clients should be able to get their data kept in the company when requested.
Non-Repudiation –
Proof of origin and of receipt, such that the sender cannot deny sending the message and the recipient cannot deny receiving it.
Personal:
When you do an electronic transaction at an online shop, the shop cannot deny having received your order.
Business:
When a customer places an order at your online shop, he / she cannot deny
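The Integrity and Non-Repudiation sections above are closely related, and the difference between them is easiest to see in code. Here is an added example (not from the original post) in Go using only its standard library. An HMAC over the order, keyed with a secret shared by shop and customer, detects any change to the order (integrity). But because the shop also holds that key, the shop could have produced the tag itself, so the tag proves nothing about who sent the order. An Ed25519 signature made with the customer's private key is different: anyone with the public key can check it, and nobody else could have created it. The order text, key names and the "shop forges a tag" scenario are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Tag computes an HMAC-SHA256 over msg with a key shared by sender and
// receiver. Anyone without the key cannot produce a valid tag, so a changed
// message is detected (integrity).
func Tag(sharedKey, msg []byte) []byte {
	m := hmac.New(sha256.New, sharedKey)
	m.Write(msg)
	return m.Sum(nil)
}

// CheckTag verifies an HMAC tag in constant time.
func CheckTag(sharedKey, msg, tag []byte) bool {
	return hmac.Equal(Tag(sharedKey, msg), tag)
}

// NewSigner creates an Ed25519 key pair: the private key stays with its
// owner, the public key is given to anyone who needs to verify.
func NewSigner() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Sign produces a signature only the private-key holder can create.
func Sign(priv ed25519.PrivateKey, msg []byte) []byte {
	return ed25519.Sign(priv, msg)
}

// CheckSig verifies a signature against the sender's public key.
func CheckSig(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

func main() {
	// Constructed sample order and a tampered copy of it.
	order := []byte("order#1001: 2 x widget, ship to Jane Doe")
	altered := []byte("order#1001: 20 x widget, ship to Jane Doe")

	// Integrity with a shared key: the shop and the customer both hold it.
	shared := make([]byte, 32)
	rand.Read(shared)
	tag := Tag(shared, order)
	fmt.Println("tag valid on original order:", CheckTag(shared, order, tag))
	fmt.Println("tag valid on altered order: ", CheckTag(shared, altered, tag))
	// The shop holds the same key, so it can make a valid tag for any order
	// it likes: the tag cannot prove the customer sent it (no non-repudiation).
	fmt.Println("shop-made tag on altered order accepted:", CheckTag(shared, altered, Tag(shared, altered)))

	// Non-repudiation: only the customer holds the private key.
	customerPub, customerPriv, _ := NewSigner()
	sig := Sign(customerPriv, order)
	fmt.Println("customer signature valid on original:", CheckSig(customerPub, order, sig))
	fmt.Println("customer signature valid on altered: ", CheckSig(customerPub, altered, sig))
	// The shop has its own key pair, but what it signs does not verify under
	// the customer's public key, so it cannot put words in the customer's mouth.
	_, shopPriv, _ := NewSigner()
	fmt.Println("shop signature passes as the customer's:", CheckSig(customerPub, altered, Sign(shopPriv, altered)))
}
```

The first three lines of output show the HMAC catching tampering but being forgeable by either key holder; the last three show the signature catching tampering and being tied to exactly one party. That tie to one party is what the post's "cannot deny" wording requires, and it is what PKI (the next topic the post promises) is built to manage: distributing and vouching for the public keys.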
Authentication –
A process or method to identify, and to prove the identity of, a user / party who attempts to send a message or access data.
Personal:
When you do not want your PC to be accessed by others, you can set a login name and password for entering your operating system, and so prevent others from accessing the data inside the PC.
Business:
When your online shop wants to verify a customer's identity before he/she can place any order, you can ask him/her to log in as a member first.
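As an added example of the member login just described (not code from the original post), here is a minimal password check in Go using only its standard library. The shop never stores the password itself; it stores a random salt and a stretched hash (PBKDF2-HMAC-SHA256, written out by hand here so the example has no dependencies; a real shop would use a maintained password-hashing library). Login recomputes the hash from the password the customer typed and compares it in constant time, so an attacker watching response times learns nothing from how many bytes matched. The member names, passwords and the MemberStore type are constructed for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

const iterations = 100000 // work factor; raise it as hardware gets faster

// pbkdf2Sha256 derives one 32-byte block per RFC 8018 (hand-written here for
// illustration only). The salt makes equal passwords hash differently; the
// iteration count makes each guess expensive.
func pbkdf2Sha256(password, salt []byte, iterations int) []byte {
	prf := hmac.New(sha256.New, password)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // block index 1, big-endian
	u := prf.Sum(nil)
	dk := make([]byte, len(u))
	copy(dk, u)
	for i := 1; i < iterations; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range dk {
			dk[j] ^= u[j]
		}
	}
	return dk
}

// Credential is what the shop keeps for a member: never the password itself.
type Credential struct {
	Salt []byte
	Hash []byte
}

// MemberStore is a constructed stand-in for the shop's member database.
type MemberStore map[string]Credential

// Register stores a salted, stretched hash of the chosen password.
func (s MemberStore) Register(login, password string) error {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return err
	}
	s[login] = Credential{Salt: salt, Hash: pbkdf2Sha256([]byte(password), salt, iterations)}
	return nil
}

// Login checks the identity claim: only someone who knows the password can
// reproduce the stored hash.
func (s MemberStore) Login(login, password string) bool {
	cred, ok := s[login]
	if !ok {
		// Do the same amount of work for unknown logins so the response time
		// does not reveal which member names exist.
		pbkdf2Sha256([]byte(password), make([]byte, 16), iterations)
		return false
	}
	candidate := pbkdf2Sha256([]byte(password), cred.Salt, iterations)
	return subtle.ConstantTimeCompare(candidate, cred.Hash) == 1
}

func main() {
	members := MemberStore{}
	members.Register("jane", "correct horse battery staple") // constructed member
	fmt.Println("jane, right password:", members.Login("jane", "correct horse battery staple"))
	fmt.Println("jane, wrong password:", members.Login("jane", "password123"))
	fmt.Println("unknown member:      ", members.Login("bob", "anything"))
	cred := members["jane"]
	fmt.Printf("stored for jane: salt=%x hash=%x\n", cred.Salt, cred.Hash)
}
```

Note what the store holds: a salt and a hash, from which the password cannot be read back, so a leaked member table does not directly hand out credentials.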
Next up: I would attempt to understand and then explain PKI ...
-DaNNy