Information Risk Management: 9 key concepts of information security
Assuring information security is central to the success of any business activity. This is particularly pertinent in the age of modern technology, when information can leak and spread like a viral infection, and politically sensitive issues such as ID theft can bring down powerful individuals, businesses and government parties.
The ISEB Information Risk Management Practitioner syllabus introduces students to the 9 key concepts of information security, encompassing technology, law, best practice and ethics.
As an information security concept, confidentiality relies on the premise that there is some information which should be accessed only by certain people. If this principle is accepted, then we might additionally create information categories that reflect the degree of confidentiality required.
For example, we might argue that medical records should be completely private (available only to the individual and the appropriate medical practitioners), internal (shared with all medical practitioners, and perhaps also with members of the individual’s family) or public.
Maintaining confidentiality is a three-step method:
- authentication (establish the identity of the proposed recipient)
- authorisation (confirm whether the proposed recipient is authorised to receive the information)
- access control (regulate the level of access available to the proposed recipient, e.g. through the use of ‘read-only’ texts)
Within the context of information security and risk management, “integrity” means ensuring that data remains unchanged while in storage or transmission. This affects policies regarding both official records and also communication systems.
When sending an e-mail, we rely on the security of the IT system to ensure that the e-mail reaches the intended recipient intact. When we enter or retrieve data from a spreadsheet, we do not expect the information to change, either by technological fault or through illegitimate interference.
One means of establishing the integrity of data storage or communication systems is the use of computational techniques for verifying data, including comparisons, checksums, message authentication and integrity codes, and message digests.
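As an added example (not part of the original article), the following Go code contrasts two of the techniques above: a plain SHA-256 message digest, which detects accidental corruption but can be recomputed by anyone who can rewrite the data, and an HMAC under a shared secret, which a tamperer without the key cannot forge. The key and the payment record are constructed sample values.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Digest returns the SHA-256 message digest of data as hex. Whoever can
// alter the stored data can also recompute this value, so on its own it
// only guards against accidental change (disk or transmission faults).
func Digest(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// MAC returns an HMAC-SHA256 tag over data under a key shared by sender
// and receiver. Without the key a matching tag cannot be produced.
func MAC(key, data []byte) string {
	h := hmac.New(sha256.New, key)
	h.Write(data)
	return hex.EncodeToString(h.Sum(nil))
}

// VerifyMAC recomputes the tag for data and compares it in constant time,
// rejecting malformed tags rather than panicking on them.
func VerifyMAC(key, data []byte, tag string) bool {
	want, err := hex.DecodeString(tag)
	if err != nil {
		return false
	}
	h := hmac.New(sha256.New, key)
	h.Write(data)
	return hmac.Equal(h.Sum(nil), want)
}

func main() {
	key := []byte("constructed-shared-secret")        // assumed shared key
	original := []byte("Pay 100 GBP to account 12345") // constructed record
	tampered := []byte("Pay 900 GBP to account 12345") // constructed alteration

	// The digest changes, but a party rewriting the record would simply
	// store Digest(tampered) alongside it; the check then passes.
	fmt.Println("digest unchanged:", Digest(original) == Digest(tampered)) // false
	tag := MAC(key, original)
	fmt.Println("MAC verifies original:", VerifyMAC(key, original, tag)) // true
	fmt.Println("MAC verifies tampered:", VerifyMAC(key, tampered, tag)) // false
}
```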
“Accountability” holds an unusual position within the world of information security and risk management. Essentially, it is a means of protecting information. However, unlike the digital signatures, passwords and encryption familiar to the technology savvy, accountability deals with the interface between information security, law and ethics.
According to Andreas Schedler (in his article Conceptualizing Accountability) the basic illustration of accountability can be stated as follows: "A is accountable to B when A is obliged to inform B about A’s (past or future) actions and decisions, to justify them, and to suffer punishment in the case of eventual misconduct."
In real terms, this means understanding and fulfilling one’s own responsibilities regarding information security. At its simplest, these might include not sharing the contact details of customers with commercial organisations. At higher levels of management, individuals might be responsible for communication or even establishing suitable information security policies.
Within the sphere of corporate governance, accountability also encompasses issues such as: to which individual or organisation a business leader should be accountable; how organisational policies can be regulated; and how much control the government should exercise over the information security policies of individual public sector departments.
As a general concept, “repudiation” means that a party denies the validity of a statement or a contract (for example, by claiming that a signature has been forged). Within the context of information security, “non-repudiation” means that a statement or contract cannot be repudiated. This might be provided by a service that guarantees authentication or proof of the integrity and origin of the data.
Familiar technological means of providing non-repudiation are digital signatures and certificates.
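As an added example (not from the original article), the following Go code shows why a digital signature supports non-repudiation where a shared-key integrity code does not: only the holder of the private key can produce a signature that verifies under the matching public key, so the signer cannot later deny it. It uses Ed25519 from the Go standard library; the contract text and the party names are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Signer holds one party's key pair. The private key never leaves its
// owner; the public key is what the other party (or a certificate binding
// it to an identity) relies on when verifying.
type Signer struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewSigner generates a fresh Ed25519 key pair.
func NewSigner() (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{pub: pub, priv: priv}, nil
}

// Sign produces a signature over statement with the owner's private key.
func (s *Signer) Sign(statement []byte) []byte { return ed25519.Sign(s.priv, statement) }

// Public returns the verification key; it cannot be used to sign.
func (s *Signer) Public() ed25519.PublicKey { return s.pub }

// Verify reports whether sig was produced over statement by the holder of
// pub. Unlike a MAC, where both parties share the key and either could have
// made the tag, a valid signature points to exactly one private key holder.
func Verify(pub ed25519.PublicKey, statement, sig []byte) bool {
	if len(pub) != ed25519.PublicKeySize || len(sig) != ed25519.SignatureSize {
		return false // malformed input; ed25519.Verify would panic on a bad key size
	}
	return ed25519.Verify(pub, statement, sig)
}

func main() {
	alice, _ := NewSigner()
	bob, _ := NewSigner()
	contract := []byte("I agree to pay 100 GBP on 1 June") // constructed statement
	sig := alice.Sign(contract)
	fmt.Println("Alice's signature valid:", Verify(alice.Public(), contract, sig))          // true
	fmt.Println("altered contract:", Verify(alice.Public(), []byte("900 GBP"), sig))        // false
	fmt.Println("verifies as Bob's:", Verify(bob.Public(), contract, sig))                  // false
}
```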
If a toy car says Made in China, we usually take this on trust. If a wine-seller claims that the bottle we have bought is from Cloudy Bay then we would expect this information to be accurate. If we receive a new PIN from the bank, then it is vital that we can rely on the authenticity of the information – that is, assurance that the information exchanged is from the source that it claims to be from.
This assurance can be provided through something that the user knows (e.g. a password or a PIN), something that the user has (e.g. an ID card or a digital certificate) or even something that the user is (e.g. fingerprint checks and iris scanning).
So much of information security is concerned with protecting sensitive information from illegitimate users that there is a danger of forgetting the importance of protecting unsuspecting users from false or inaccurate information. Within the context of information security, “identification” means the capability to retrieve, edit and report specific data without ambiguity. This capability is usually delivered through the use of unique reference codes, such as ID numbers.
Information reliability is primarily concerned with the information that needs to be retained about the author or source of information to assure its authenticity. This raises issues regarding version control (logging information about the changes made to versions of a document or product), archiving and document reviews.
In terms of information security, “reliability” also means ensuring that information or an information system is protected against tampering and fraud.
“Information assurance” covers all activities that deal with the issues raised by the eight aforementioned information security concepts. This includes:
- Ensuring the integrity, authenticity and reliability of information;
- Providing unambiguous identification and availability of this information;
- Establishing which individuals are authorised to view, edit and transmit the information;
- Protecting sensitive information from illegitimate recipients or interference, and unsuspecting recipients from false information;
- Regulating what legitimate users do with the information to which they have access.