Information Security Overview
Basic InfoSec Concepts

Mechanisms That Ensure Information Security

  • Laws and Legal Duties
  • Contracts
  • Organizational governance documents
    • form the basis for an information security program
    • include:
      • Policies
        • top level of governance documents
        • tell an organization how it must act and the consequences for failing to act properly
        • needs top-level management support
      • Standards
        • state the activities and actions needed to meet policy goals
        • do not refer to particular tech, OS, or types of hardware and software
      • Procedures
        • are step-by-step checklists that explain how to meet security goals
        • tailored to a certain type of technology
        • can be limited to the activities of a specific department and users
      • Guidelines
        • recommended actions and guides for employees
        • tell about information security concerns and potential solutions
        • flexible for use in many situations
    • Data protection models
      • used to classify different types of information at different levels of sensitivity

US National Security Information

  • Executive Order 13526 describes a system for classifying national security information
    • Signed by President Obama in Dec. 2009
    • Establishes 3 classification levels:
      • confidential
        • describes information that could cause damage to U.S. security if disclosed to an unauthorized person
        • lowest level
      • secret
        • describes information that could cause serious damage to U.S. security if disclosed to an unauthorized person
      • top secret
        • information that could cause exceptionally grave damage to U.S. security if disclosed to an unauthorized person
        • highest level
    • sets forth rules to follow when using national security information
    • states how information must be marked and identified
    • gives instructions on how long it must remain classified
    • specifies when to release such information to the public

Voluntary Organizations

  • Individuals and organizations may belong to voluntary membership groups that seek to promote information security
  • Group members often have rules that they agree to follow
    • set forth behavior expectations
    • ethical in nature
    • called a code of practice or code of ethics
  • E.g. Internet Commerce Association (ICA)
    • adopted a code of conduct for fair practice in the domain name industry