Information Security has four tenets designed to ensure the total integrity of a system: Confidentiality and integrity of data, availability of service, and accountability (CIA2).
--Confidentiality: trust that the system keeps the information only where it is supposed to be, and nowhere else;
--Integrity: it will keep the data true -- what goes in is what comes out, i.e., $4 entered in a database is computed as $4, and is listed in an output or used in a calculation as $4 -- never $40, $4000, 40¢ or four widgets;
--Availability of service: the user can count on the system when they need it. "Availability" doesn't mean the system is available 24 x 7, unless it is supposed to be -- it means the system is available when the user requires it;
--Accountability: the system supports audit mechanisms and can account for who has modified/attempted to modify the data. Inherent in this concept is authentication and non-repudiation;
These CIA2 tenets can be used to check enforcement by and across all of the protection zones. The five security protection zones are: physical (as applied to information security); administration/policies; personnel; communications/network connectivity; and the computer system itself.
Arraying the four tenets across the five protection zones results in the Information Security Protection Matrix.
The Information Security Protection Matrix acts as a defense-in-depth checklist, and each of the 52 security lessons supports at least one intersection in the matrix. Ask yourself what countermeasures you have in place to protect the confidentiality of your physical security enterprise? What practices do you have in place that support the availability of service of your computer system? You will see this matrix repeatedly throughout the year, especially when examining risk assessments. By the end of the year, you will have 52 lessons that examine best practices for a robust secure enterprise. Why 52 weeks? Because security never goes on vacation.
About the author
Shelley Bard, CISSP, is a senior security network engineer with Verizon Federal Network Systems (FNS). An infosecurity professional for 17 years, Bard has briefed and written infosecurity assessments and technical reports for the White House and Department of Defense, special interest groups, industry and academia. Please e-mail any comments to mailto:firstname.lastname@example.org
Opinions expressed in this column are those of Shelley Bard and don't necessarily reflect those of Verizon FNS.