Information Security Protection Matrix

Information Security has four tenets designed to ensure the total integrity of a system: Confidentiality and integrity of data, availability of service, and accountability (CIA2).

--Confidentiality: trust that the system keeps the information only where it is supposed to be, and nowhere else;

--Integrity: it will keep the data true -- what goes in is what comes out, i.e., $4 entered in a database is computed as $4, and is listed in an output or used in a calculation as $4 -- never $40, $4000, 40¢ or four widgets;

--Availability of service: the user can count on the system when they need it. "Availability" doesn't mean the system is available 24 x 7, unless it is supposed to be -- it means the system is available when the user requires it;

--Accountability: the system supports audit mechanisms and can account for who has modified or attempted to modify the data. Inherent in this concept are authentication and non-repudiation.

These CIA2 tenets can be used to check enforcement by and across all of the protection zones. The five security protection zones are: physical (as applied to information security); administration/policies; personnel; communications/network connectivity; and the computer system itself.

Arraying the four tenets across the five protection zones results in the Information Security Protection Matrix.

The Information Security Protection Matrix acts as a defense-in-depth checklist, and each of the 52 security lessons supports at least one intersection in the matrix. Ask yourself what countermeasures you have in place to protect the confidentiality of your physical security enterprise. What practices do you have in place that support the availability of service of your computer system? You will see this matrix repeatedly throughout the year, especially when examining risk assessments. By the end of the year, you will have 52 lessons that examine best practices for a robust secure enterprise. Why 52 weeks? Because security never goes on vacation.
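The matrix used as a gap-analysis checklist, as an added example that is not code from the column: each control in an inventory is tagged with the tenet/zone intersections it supports, and any intersection with no control is reported as a defense-in-depth hole. The control names and their cell tags below are constructed sample data, not a recommended control set.

```python
"""CIA2 tenets x five protection zones as a coverage checklist (added example)."""
from itertools import product

TENETS = ("confidentiality", "integrity", "availability", "accountability")
ZONES = ("physical", "administration", "personnel", "communications", "system")

# Constructed sample inventory: each control lists the matrix cells it supports.
SAMPLE_CONTROLS = {
    "badge access to server room": [("confidentiality", "physical"), ("accountability", "physical")],
    "acceptable-use policy": [("confidentiality", "administration"), ("accountability", "administration")],
    "background checks": [("confidentiality", "personnel")],
    "TLS on all internal links": [("confidentiality", "communications"), ("integrity", "communications")],
    "redundant ISP links": [("availability", "communications")],
    "host audit logging": [("accountability", "system")],
    "file integrity monitoring": [("integrity", "system")],
    "offsite backups": [("availability", "system"), ("availability", "physical")],
}


def build_matrix(controls):
    """Return {(tenet, zone): [control names]} for all 20 cells, rejecting unknown tags."""
    matrix = {cell: [] for cell in product(TENETS, ZONES)}
    for name, cells in controls.items():
        for cell in cells:
            if cell not in matrix:
                raise ValueError(f"{name!r}: unknown tenet/zone pair {cell}")
            matrix[cell].append(name)
    return matrix


def gaps(matrix):
    """Intersections with no supporting control, sorted for stable reporting."""
    return sorted(cell for cell, names in matrix.items() if not names)


def coverage_report(matrix):
    """Plain-text grid: one row per tenet, number of controls per zone."""
    lines = [" " * 16 + "".join(f"{z:16}" for z in ZONES)]
    for t in TENETS:
        lines.append(f"{t:16}" + "".join(f"{len(matrix[(t, z)]):<16}" for z in ZONES))
    return "\n".join(lines)


if __name__ == "__main__":
    m = build_matrix(SAMPLE_CONTROLS)
    print(coverage_report(m))
    for cell in gaps(m):
        print("GAP:", cell)  # each uncovered intersection is a lesson still to be assigned
```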

About the author
Shelley Bard, CISSP, is a senior security network engineer with Verizon Federal Network Systems (FNS). An infosecurity professional for 17 years, Bard has briefed and written infosecurity assessments and technical reports for the White House and Department of Defense, special interest groups, industry and academia. Please e-mail any comments to securityplanner@infosecuritymag.com

Opinions expressed in this column are those of Shelley Bard and don't necessarily reflect those of Verizon FNS.

This was first published in April 2004
