Information security

What does it actually mean to be ‘secure’? Most people would think that security means protecting against unauthorised access but there’s actually a lot more to it.

Often when we talk about security we will start with the CIA triage. This doesn’t refer to the well-known intelligence service; it’s an abbreviation of the following three main features of information security:

• Confidentiality ensures that information is not disclosed to unauthorised persons and processes
• Integrity provides several guarantees:
  • Preventing the modification of information by unauthorised users
  • Preventing the unauthorised or unintentional modification of information by authorised users
  • Preserving internal and external consistency
  • Internal – logical connection within the data in the system
  • External – logical connection between the objects in the real world and their representations in the system
• Availability guarantees that authorised users have uninterrupted access to the system/information

Other evaluation factors

In addition, there are many other factors that we need to consider when evaluating the security of a system. Some of these are:

• Authenticity – confirmation of the origin and identity of an information source
• Identification – confirming the identity of a user
• Authentication – confirmation of the evidence of a user’s identity
• Accountability – assigning responsibility for a user’s actions
• Non-repudiation – a user cannot deny that they have sent a particular message or performed a particular action
• Privacy – protection of individually identifiable information
• Organisational security policy – a high-level statement of the structure, processes and mechanisms covering information security