Information Security has four tenets designed to ensure the total integrity of a system: Confidentiality and integrity of data, availability of service, and accountability (CIA2).
--Confidentiality: trust that the system keeps the information only where it is supposed to be, and nowhere else;
--Integrity: it will keep the data true -- what goes in is what comes out, i.e., $4 entered in a database is computed as $4, and is listed in an output or used in a calculation as $4 -- never $40, $4000, 40¢ or four widgets;
--Availability of service: the user can count on the system when they need it. "Availability" doesn't mean the system is available 24 x 7, unless it is supposed to be -- it means the system is available when the user requires it;
--Accountability: the system supports audit mechanisms and can account for who has modified, or attempted to modify, the data. Inherent in this concept are authentication and non-repudiation;
These CIA2 tenets can be used to check enforcement by and across all of the protection zones. The five security protection zones are: physical (as applied to information security); administration/policies; personnel; communications/network connectivity; and the computer system itself.
Arraying the four tenets across the five protection zones results in the Information Security Protection Matrix.
The Information Security Protection Matrix acts as a defense-in-depth checklist, and each of the 52 security lessons supports
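As an added illustration of the matrix used as a defense-in-depth checklist (this is example code, not part of the original column), the script below arrays the four CIA2 tenets against the five protection zones, tags each control with the cells it addresses, and reports the cells no control covers. The tenet and zone names are the column's; the control list is constructed sample data, and the function names are this example's own.

```python
from itertools import product

# The four CIA2 tenets and five protection zones named in the column.
TENETS = ("confidentiality", "integrity", "availability", "accountability")
ZONES = ("physical", "administration/policies", "personnel",
         "communications/network", "computer system")


def build_matrix():
    """Every (tenet, zone) cell of the 4 x 5 Information Security Protection Matrix."""
    return list(product(TENETS, ZONES))


def coverage(controls):
    """Map every matrix cell to the names of the controls that address it.

    controls: iterable of (name, tenets, zones); tenets and zones are
    collections of names drawn from TENETS and ZONES. An unknown name raises
    ValueError so a typo cannot masquerade as coverage.
    """
    cells = {cell: [] for cell in build_matrix()}
    for name, tenets, zones in controls:
        bad = ([t for t in tenets if t not in TENETS]
               + [z for z in zones if z not in ZONES])
        if bad:
            raise ValueError(f"control {name!r} uses unknown tenet/zone: {bad}")
        for cell in product(tenets, zones):
            cells[cell].append(name)
    return cells


def gaps(controls):
    """Cells of the matrix that no control addresses, sorted for stable output."""
    return sorted(cell for cell, names in coverage(controls).items() if not names)


def render(controls):
    """Text grid: rows are tenets, columns are zones; a cell shows its control count or '-'."""
    cells = coverage(controls)
    lines = ["tenet".ljust(16) + "".join(z.ljust(24) for z in ZONES)]
    for t in TENETS:
        row = t.ljust(16)
        for z in ZONES:
            n = len(cells[(t, z)])
            row += (str(n) if n else "-").ljust(24)
        lines.append(row)
    return "\n".join(lines)


# Constructed sample control inventory (hypothetical, for illustration only).
SAMPLE_CONTROLS = [
    ("full-disk encryption", ("confidentiality",), ("computer system",)),
    ("TLS on all links", ("confidentiality", "integrity"), ("communications/network",)),
    ("badge-controlled server room", ("confidentiality", "integrity", "availability"), ("physical",)),
    ("visitor sign-in log", ("accountability",), ("physical",)),
    ("HMAC-signed audit log", ("accountability", "integrity"), ("computer system",)),
    ("pre-employment background checks", ("confidentiality",), ("personnel",)),
    ("off-site backups", ("availability",), ("computer system", "physical")),
    ("signed acceptable-use policy", ("confidentiality", "accountability"), ("administration/policies",)),
    ("change-management procedure", ("integrity", "availability"), ("administration/policies",)),
]


if __name__ == "__main__":
    print(render(SAMPLE_CONTROLS))
    print("\nUncovered cells:")
    for tenet, zone in gaps(SAMPLE_CONTROLS):
        print(f"  {tenet} / {zone}")
```

Run as-is, the sample inventory leaves five cells empty (for example, nothing addresses accountability or availability in the communications/network zone, and nothing beyond background checks touches the personnel zone), which is exactly the kind of gap the matrix is meant to surface before an assessment does.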
About the author
Shelley Bard, CISSP, is a senior security network engineer with Verizon Federal Network Systems (FNS). An infosecurity professional for 17 years, Bard has briefed and written infosecurity assessments and technical reports for the White House and Department of Defense, special interest groups, industry and academia. Please e-mail any comments to mailto:firstname.lastname@example.org
Opinions expressed in this column are those of Shelley Bard and don't necessarily reflect those of Verizon FNS.
This was first published in April 2004