Question 1:
Confidentiality: is the characteristic of information whereby only those with sufficient privileges and a demonstrated need may access certain information. when unauthorized individuals or systems can view information, confidentiality is breached. to protect the confidentiality of information, a number of measures are used, including:
● Information classification
● Secure document storage
● Application of general security policies
● Education of information custodians and end users
● Cryptography (encryption)
Basically, confidentiality prevents unauthorized users to access certain information contains private details. Confidentiality is a set of rules or a promise that limits access or places restrictions on certain types of information.
Integrity: is the quality or state of being whole, complete, and uncorrupted. The integrity of information is threatened when it is exposed to corruption, damage, destruction, or other disruption of its autentic state. Corruption can occur while information is being entered, stored or transmitted.
Availability is characteristic of information that enables user access to information in a usable format without interference or obstruction. A user in this definition may be either a person or another computer system. Availability does not imply that the information is assessable to any user; rather, it means availability to authorized users.
To understand this concept fully, consider the contents of library in particular, research libraries that require identification for access to the library as a whole or to certain collections. Library patrons must present the required identification before accessing the collection. Once patrons are granted access, they expect to be able to locate and access resources in appropriate languages and format.
Privacy: Information Privacy is the ability of an individual to control the use and dissemination of information that relates to himself or herself. Confidentiality is a tool for protecting privacy.
Identification: is the first step in access process to ensure that user who trying to access to secured data is authorized.
Authentication: is the process of determining whether someone or something is, in fact, who or what it is declared to be. In private and public computer networks (including the Internet), authentication is commonly done through the use of logon passwords. Knowledge of the password is assumed to guarantee that the user is authentic.
Authorization: after the identity of a user is authenticated, process called authorization assures that the user has been specifically and explicitly asset.
Accountability: of information exists when a control provides assurance that every activity undertaken can be attributed to a named person or automated process.
Question 3:
Threat: is a category of objects, persons, or other entities that represents a constant danger to an asset. While each enterprise’s categorization of threats will almost certainly vary. threats are relatively well researched and consequently fairly well understood. To better understand the numerous threats facing an organization, a scheme has been developed to group threats by their respective activities.
Attacks: is an act or event that exploits a vulnerability. A vulnerability is an identified weakness of a controlled information asset and is the result of absent or inadequate controls,
Basically, the difference between threat and attack is that attack
tends to be an act which is in process, and threat
tends to be a promise of an attack to come.
Contingency plans:-
Business Impact Analysis: the first phase in the CP process, provides the CP team with information about systems and the threats they face. The BIA is a crucial component of the initial planning stages, as it provides detailed scenarios of the effects that each potential attack could have on the organization.
Incident response plan (IR plan): comparies a detailed set of processes and procedures that anticipate, detect and mitigate the effects of an unexpected event that might compromise information resources and assets. IRP is therefore the preparation for such an event. In CP, an unexpected event is called an incident.
The person who discovers the incident will call the grounds dispatch office. List possible sources of those who may discover the incident. The known sources should be provided with a contact procedure and contact list. Sources requiring contact information may be:
1 Helpdesk
2 Intrusion detection monitoring personnel
3 A system administrator
4 A firewall administrator
5 A business partner
6 A manager
7 The security department or a security person.
8 An outside source.
Disaster recovery plan (DR plan): entails the preparation for and recovery from a disaster, whether natural or human-made. In some cases, actual incidents detected by the IR team may escalate to the level of disaster, and the IR plan may no longer be able to handle the effective and efficient recovery from the loss.
Disaster recovery plan is a documented process or set of procedures to recover and protect a business IT infrastructure in the event of a disaster.
Business continuity plan (BC plan): ensures that critical business function can continue if a disaster occurs. Unlike the DR plan, which is usually managed by IT community of interest, the business continuity plan (BC plan) is most properly managed by CEO of an organization. The BC plan is activated and executed concurrently with the DR plan when the disaster is major or long term and requires fuller and more complex restoration of information and IT resources.
Therefore, When business is disrupted, it can cost money. Lost revenues plus extra expenses means reduced profits. Insurance does not cover all costs and cannot replace customers that defect to the competition. A business continuity plan to continue business is essential. Development of a business continuity plan includes four steps:
● Conduct a business impact analysis to identify time-sensitive or critical business functions and processes and the resources that support them.
● Identify, document, and implement to recover critical business functions and processes.
● Organize a business continuity team and compile a business continuity plan to manage a business disruption.
● Conduct training for the business continuity team and testing and exercises to evaluate recovery strategies and the plan.
Question 7:
SETA Elements
The SETA program consists of three elements
1 Security education
2 Security training
3 Security awareness
The organization may not be capable or willing to undertake all three of these elements but may outsource them.
The purpose of SETA is to enhance security by:
● improving awareness of the need to protect system resources
● Developing skills and knowledge so computer users can perform their jobs more securely
● Building in-depth knowledge, as needed, to design, implement, or operate security programs for organizations and systems
A Security Education, Training and Awareness (SETA) program can be defined as an educational program that is designed to reduce the number of security breaches that occur through a lack of employee security awareness. A SETA program sets the security tone for the employees of an organization, especially if it is made part of the employee orientation. Awareness programs explain the employee’s role in the area of Information Security. The aim of a security awareness effort is participation. Technology alone cannot solve a problem that is controlled by individuals.
Question 8:
Security framework: is the outline of the more thorough blueprint, which sets out the model to be followed in the creation of the design, selection, and initial and ongoing implementation of all subsequent security controls, including information security policies, security education and training programs and technological controls. to generate a security blueprint, most organisation draw on established security models and practices.
Security model: is a generic blueprint offered by a service organization. some of these models are proprietary and are only available for a significant fee; others are relatively inexpensive, such as ISO standards; and some are free. free models are available from the National Institute of Standards and Technology (NIST) and variety of other sources. the model you choose must be flexible, scalable, robust and sufficiently detailed.
No comments:
Post a Comment