Confidentiality, integrity, and availability
Confidentiality
Ensures that only authorised parties with sufficient privileges may view the information
Integrity
Ensures that the data stored on devices is correct and that no unauthorised person or malicious software has altered it.
Availability
Ensures network resources are readily accessible to authorised users
Importance of maintaining CIA:
Maintaining compliance
Maintains trust with internal/external stakeholders
Promotes positive brand image
Avoids security risks and unauthorised access
Some of the consequences are:
Financial
Regulatory fines
Refunds/compensation payments
Loss of earnings
Legal
Lawsuits
Termination of contract
Reputational
Loss of clients
Damage to brand
Layers of security
Organisational procedures
People
Physical
Elements of security
Communications
Hardware
Software
Identification, authentication, authorisation, and accountability (IAAA)
Purpose
IAAA is used to help support the confidentiality, integrity, and availability (CIA) security concept
They are a set of primary concepts that aid in understanding computer and network security as well as access control
Functionality
Identification and authentication together establish who a user is: identification is the user's claim of an identity (such as a username) and authentication is the proof of that claim (such as a password)
Authorisation is the process that determines whether the authenticated user has the authority to carry out a specific task
Accountability (accounting) keeps track of the activities that are performed and who performed them
Access control list
This is how an organisation controls who has access to which information. For example, in a school, a student would have fewer computing privileges than a teacher or the IT manager. This ensures that the data stored by the organisation is accessible only to the correct people.
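The IAAA steps and the access control list described above, worked through in code. This is an added example, not code from the original post: the school roles, usernames, passwords, resources and permissions are constructed sample data, and the password storage uses salted PBKDF2 as one reasonable choice. Each decision is written to an audit log so that the accountability step is visible as well.

```python
"""Added example (not from the original post): identification, authentication,
authorisation and accountability (IAAA) in front of a role-based access control
list. All users, roles, resources and permissions below are constructed."""
import hashlib
import hmac
import os
from datetime import datetime, timezone
from typing import Optional, Tuple

# Access control list: role -> resource -> set of permitted actions.
# Constructed for a school, following the post's student / teacher / IT manager example.
ACL = {
    "student":    {"coursework": {"read", "write"}, "grades": {"read"}},
    "teacher":    {"coursework": {"read", "write"}, "grades": {"read", "write"}},
    "it_manager": {"coursework": {"read", "write"}, "grades": {"read", "write"},
                   "server_config": {"read", "write"}},
}


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256: the system stores a hash, never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


# Constructed user directory: username -> (role, salt, password hash)
USERS = {
    "alice":    ("student",) + hash_password("correct horse battery staple"),
    "mr_khan":  ("teacher",) + hash_password("teacher-pass-123"),
    "it_admin": ("it_manager",) + hash_password("admin-pass-456"),
}

AUDIT_LOG = []  # accountability: every decision is recorded here


def _record(user: str, action: str, resource: str, outcome: str) -> None:
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": user, "action": action, "resource": resource, "outcome": outcome,
    })


def authenticate(username: str, password: str) -> bool:
    """Identification (is this a known user?) followed by authentication (proof)."""
    entry = USERS.get(username)
    if entry is None:
        _record(username, "login", "-", "unknown user")
        return False
    _role, salt, stored = entry
    _, candidate = hash_password(password, salt)
    ok = hmac.compare_digest(candidate, stored)  # constant-time comparison
    _record(username, "login", "-", "success" if ok else "bad password")
    return ok


def authorise(username: str, action: str, resource: str) -> bool:
    """Authorisation: does the user's role grant this action on this resource?"""
    entry = USERS.get(username)
    allowed = entry is not None and action in ACL[entry[0]].get(resource, set())
    _record(username, action, resource, "allowed" if allowed else "denied")
    return allowed


def access(username: str, password: str, action: str, resource: str) -> bool:
    """Full IAAA flow: a request succeeds only if every step succeeds."""
    return authenticate(username, password) and authorise(username, action, resource)


if __name__ == "__main__":
    print(access("alice", "correct horse battery staple", "read", "grades"))   # student may read grades
    print(access("alice", "correct horse battery staple", "write", "grades"))  # but not change them
    for line in AUDIT_LOG:
        print(line)
```

The deny-by-default behaviour comes from `ACL[...].get(resource, set())`: a resource that a role has no entry for yields an empty permission set, so an unknown resource or action is refused rather than silently allowed.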
Confidentiality
Layers of security applied to software would include things like encryption, passwords, firewalls, and 2FA. These rely on something that only you should have, such as the encryption key or a password that is secure but still memorable to you. It is best to require multiple of these before access is granted, making it harder for third parties to gain access. Another type of security is physical. This could be keeping important documents in a safe, for example, where only you have the key, instead of storing them online. You could also go further by having cameras watching over them, fences, or even security guards.
Integrity
In an organisation, integrity can be shown by understanding who has access to what type of data. This is done by giving certain permissions and restrictions to each type of account on the network. For example, a manager would have greater access to the data of multiple people than an employee, because of the different tasks that each type of person needs to carry out. The organisation would also have other controls, like a firewall, to prevent an unauthorised user from gaining access to information that they shouldn't. Physical restrictions would include things like keeping access to the main server room to a minimum, for example by limiting who holds the key to enter the room. Another example would be keeping the data on an account that only someone like the IT department has access to.
Availability
This is the concept of authorised users having access to systems when they need them. For example, employees would have access to their office within the hours they are designated to work, but they can access work on the cloud at any point. The IT team could have access to their department at any time in case they have to deal with a cyber-attack over the weekend, say. These restrictions ensure that the organisation knows who has access to something at any point, making it easier to track problems when or if they occur. Other examples could include different people requesting data. If an employee requests data on another person, the administrator could reject that request because it would break the Data Protection Act, but if a manager requests that data for a valid reason, then that permission can be granted.
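The designated-hours rules described above, evaluated by a small policy function. This is an added example, not code from the original post: the roles, access channels and time windows are constructed sample values, and it goes slightly beyond the text by also handling a window that wraps past midnight (a night shift), which a naive start-to-end comparison gets wrong.

```python
"""Added example (not from the original post): an availability policy that grants
authorised users access within their designated hours, with the IT team allowed at
any time. Roles, channels and windows are constructed sample values."""
from datetime import datetime, time
from typing import Dict, Optional, Tuple

Window = Optional[Tuple[time, time]]  # None means "any time"

# (role, channel) -> window. A window whose end is earlier than its start
# wraps past midnight (constructed night-shift case, not from the post).
ACCESS_WINDOWS: Dict[Tuple[str, str], Window] = {
    ("employee", "office"):    (time(9, 0), time(17, 0)),
    ("employee", "cloud"):     None,
    ("night_guard", "office"): (time(22, 0), time(6, 0)),
    ("it_team", "office"):     None,
    ("it_team", "cloud"):      None,
}


def in_window(window: Window, now: time) -> bool:
    """True if `now` falls inside the window; handles windows that wrap midnight."""
    if window is None:
        return True
    start, end = window
    if start <= end:
        return start <= now < end
    return now >= start or now < end  # e.g. 22:00 -> 06:00


def may_access(role: str, channel: str, when: datetime) -> Tuple[bool, str]:
    """Policy decision plus a reason string suitable for an access log."""
    key = (role, channel)
    if key not in ACCESS_WINDOWS:
        return False, f"{role} has no access via {channel}"
    window = ACCESS_WINDOWS[key]
    if in_window(window, when.time()):
        return True, "access at any time" if window is None else "within designated hours"
    return False, "outside designated hours"


if __name__ == "__main__":
    sunday_3am = datetime(2024, 1, 7, 3, 0)   # constructed timestamp
    print(may_access("employee", "office", sunday_3am))
    print(may_access("employee", "cloud", sunday_3am))
    print(may_access("it_team", "office", sunday_3am))
```

Returning the reason alongside the decision is what makes the "track problems when they occur" point workable: the access log then records not just that a request was refused, but which rule refused it.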