Introduction
Information security, also known as Infosec, is concerned with more than just protecting data from unauthorized access. Since sensitive data is one of an organization's most valuable assets, its protection must be a priority. Information security is the practice of preventing the unauthorized access, use, disclosure, disruption, alteration, inspection, recording, or destruction of information. Information can be physical or electronic, and it can be anything from your photos to your social media messages. Information security management aims to ensure business continuity and minimize damage to the organization by preventing security incidents and limiting their effects.
Multi-tier classification systems were developed during the First World War, reflecting the sensitivity of the information they handled, and the classification system was properly aligned during the Second World War. Alan Turing successfully broke the Enigma machine that the Germans used to encrypt wartime communications.
Objectives of Information security
Confidentiality, Integrity, and Availability (the CIA triad) are the three objectives around which information security programs are built.
Let us discuss these objectives in detail:
- Confidentiality
Unauthorized individuals, entities, and processes must not be able to access or disclose the information. For example, if someone happens to see our password while we log in to Gmail or any other social media account, our privacy has been compromised; in other words, confidentiality has been breached.
- Integrity
Integrity means that the accuracy and completeness of data are maintained: confidential data or information cannot be modified in unauthorized ways. For example, suppose one of your employees leaves the organization. This information should then be updated in all departments by an authorized person, so that the employee's accounts and status read 'JOB LEFT' and the data remains complete and accurate. This is also done so that the former employee, who becomes unauthorized on leaving, cannot access the organization's data for unfair purposes.
- Availability
Information should be available at the time we need it. For example, suppose we want to retrieve information about an employee of the organization to check whether they have taken more leave than allowed. Keeping such information available requires the collaboration of various organizational teams, such as network operations, incident response, development operations, and policy/change management.
A denial-of-service attack can hamper the availability of data.
Apart from these objectives, information security is governed by one more principle: ‘non-repudiation’.
- Non-repudiation
Non-repudiation means that parties cannot deny having sent or received a message or transaction. In cryptography, for example, it is sufficient to demonstrate that the message matches a digital signature produced with the sender's private key: only the sender could have transmitted the message, and no one else could have altered it in transit.
Non-repudiation therefore has two prerequisites: data integrity and authenticity.
- Authenticity
Authenticity focuses on checking whether users really are who they claim to be, and whether whatever input arrives at the destination comes from a trusted source. If followed, this concept ensures that a valid and genuine message is received from a trustworthy source via a proper transmission.
For example, in the exchange above, the sender constructs a digital signature from the message's hash value and the sender's private key and transmits it together with the message. At the receiver's end, the digital signature is decrypted using the sender's public key, yielding a hash value, and the received message is hashed once more to produce a second hash value. If the two values match, it is a legitimate transmission, and an authentic, genuine message has been received.
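The signature exchange described in the non-repudiation and authenticity sections, written out as an added example in Go (this is illustrative code, not code from the original article). It follows the steps in the text: hash the message with SHA-256, sign the digest with the sender's private RSA key, and at the receiver re-hash the message and check the signature with the sender's public key. The message, the altered copy, and the unrelated second key pair are constructed for the demonstration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Sign hashes the message with SHA-256 and signs the digest with the sender's
// private key (RSA PKCS#1 v1.5): the "hash value and private key" step.
func Sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// Verify re-hashes the received message and checks the signature with the
// sender's public key. It reports true only when the message is unaltered and
// the signature was produced by the matching private key.
func Verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// Outcome records what the receiver concludes in three situations.
type Outcome struct {
	Genuine  bool // original message checked with the sender's public key
	Tampered bool // message modified in transit, sender's public key
	WrongKey bool // original message checked with an unrelated public key
}

// Demo runs the exchange end to end on a constructed sample message.
func Demo() (Outcome, error) {
	sender, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return Outcome{}, err
	}
	other, err := rsa.GenerateKey(rand.Reader, 2048) // an unrelated party
	if err != nil {
		return Outcome{}, err
	}
	msg := []byte("Employee 1042 status: JOB LEFT") // constructed sample
	sig, err := Sign(sender, msg)
	if err != nil {
		return Outcome{}, err
	}
	altered := []byte("Employee 1042 status: ACTIVE") // copy modified in transit
	return Outcome{
		Genuine:  Verify(&sender.PublicKey, msg, sig),
		Tampered: Verify(&sender.PublicKey, altered, sig),
		WrongKey: Verify(&other.PublicKey, msg, sig),
	}, nil
}

func main() {
	out, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine=%v tampered=%v wrongKey=%v\n", out.Genuine, out.Tampered, out.WrongKey)
}
```

Only the genuine case verifies: a changed message produces a different hash, so integrity failures are detected, and a signature checked against another party's public key fails, which is what ties the message to the one holder of the private key and gives non-repudiation its force.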
- Accountability
Accountability means that it should be possible to trace an action uniquely back to the entity that performed it. For example, as we discussed in the integrity example, not every employee is allowed to change the information or data of other employees. Organizations have a separate department for making such changes, and when that department receives a change request, the request letter should be signed by higher authorities. The biometric of the person assigned to make the changes should then be verified; only then is that person able to change the record, and the user details are recorded with timestamps. As a result, if a change occurs, it will be possible to trace the activity back to a particular entity.
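The employee-status scenario from the integrity and accountability sections, as an added Go example that is not part of the original article. Only an actor holding an HR role may change a record, and every successful change is written to an audit log with a timestamp and the actor's identity, so the action can be traced back to one entity. The hash chain over the log entries is an addition of this example (the text only calls for timestamped records); it makes later edits to the log itself detectable. The users, roles, employee IDs, and timestamps are constructed sample data.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Entry is one audit-log record: who changed what, and when, chained to the
// previous entry so that edits to the log itself are detectable.
type Entry struct {
	Timestamp time.Time
	Actor     string // authenticated user who made the change
	Subject   string // employee record that was changed
	Action    string
	PrevHash  string // hash of the preceding entry ("" for the first)
	Hash      string // SHA-256 over this entry's fields and PrevHash
}

// Registry holds employee status, an actor-to-role map, and the audit log.
type Registry struct {
	status map[string]string
	roles  map[string]string // hypothetical sample data
	log    []Entry
}

var ErrUnauthorized = errors.New("actor is not authorized to change employee status")

// NewRegistry seeds constructed sample users: alice is in HR, bob is not.
func NewRegistry() *Registry {
	return &Registry{
		status: map[string]string{"emp-1042": "ACTIVE"},
		roles:  map[string]string{"alice": "hr", "bob": "engineering"},
	}
}

func hashEntry(e Entry) string {
	h := sha256.Sum256([]byte(e.Timestamp.UTC().Format(time.RFC3339Nano) +
		"|" + e.Actor + "|" + e.Subject + "|" + e.Action + "|" + e.PrevHash))
	return hex.EncodeToString(h[:])
}

// SetStatus applies a status change only for actors holding the HR role and
// records every successful change in the chained log.
func (r *Registry) SetStatus(actor, employee, status string, now time.Time) error {
	if r.roles[actor] != "hr" {
		return ErrUnauthorized
	}
	prev := ""
	if n := len(r.log); n > 0 {
		prev = r.log[n-1].Hash
	}
	e := Entry{Timestamp: now, Actor: actor, Subject: employee,
		Action: "status=" + status, PrevHash: prev}
	e.Hash = hashEntry(e)
	r.status[employee] = status
	r.log = append(r.log, e)
	return nil
}

// Status returns the current status of an employee record.
func (r *Registry) Status(employee string) string { return r.status[employee] }

// Entries exposes the log (sharing its backing array) for inspection.
func (r *Registry) Entries() []Entry { return r.log }

// VerifyLog recomputes every hash and checks the chain. It returns the index
// of the first inconsistent entry, or -1 if the log is intact.
func (r *Registry) VerifyLog() int {
	prev := ""
	for i, e := range r.log {
		if e.PrevHash != prev || hashEntry(e) != e.Hash {
			return i
		}
		prev = e.Hash
	}
	return -1
}

func main() {
	r := NewRegistry()
	now := time.Date(2024, 1, 15, 9, 30, 0, 0, time.UTC) // constructed timestamp
	fmt.Println("bob:", r.SetStatus("bob", "emp-1042", "JOB LEFT", now))
	fmt.Println("alice:", r.SetStatus("alice", "emp-1042", "JOB LEFT", now))
	for _, e := range r.Entries() {
		fmt.Printf("%s %s changed %s (%s)\n", e.Timestamp.Format(time.RFC3339), e.Actor, e.Subject, e.Action)
	}
	fmt.Println("log intact:", r.VerifyLog() == -1)
}
```

The authorization check happens before the state is touched, so a rejected request leaves no change behind, and the log only ever contains actions that were actually applied. In a real system the actor name would come from an authenticated session (the biometric check in the text), not from the caller.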