Information Security Fundamentals

1. Information Assurance Training
INFORMATION SECURITY FUNDAMENTALS
Integrity
3
Availability
4
Accountability
A system should ensure completeness, accuracy and absence of unauthorized modifications in all its
components.
A system should ensure that all system’s components are available and operational when they are
required by authorized users.
An ability of a system to hold users responsible for their actions (e.g. misuse of information).
5
Auditability
6
7
Authenticity/
Trustworthiness
Non‐repudiation
8
Privacy
An ability of a system to conduct persistent, non‐bypassable monitoring of all actions performed by
humans or machines within the system.
An ability of a system to verify identity and establish trust in a third party and in information it
provides.
An ability of a system to prove (with legal validity) occurrence/non‐occurrence of an event or
participation/non‐participation of a party in an event.
A system should obey privacy legislation and it should enable individuals to control, where
feasible, their personal information (user‐involvement).
Facilities
2
People
A system should ensure that only authorized users access information.
Information
(Data)
Confidentiality
Network
(Communications)
Definition
1
Software
Security
Attributes
Technology
Hardware
#
Information System Components
Processes
Security controls strengthen the security attributes inherent in assets, such as facilities and information system
components (i.e., people, technology and information). NIST SP 800‐60 Volume 1 Revision 2 focuses on the categorization
of information systems/information types, based on the impact from changes to the sensitivity level of information types
stored or processed by the information system. A risk assessment determines the risk level of an information system by
estimating the likelihood that a threat agent/actor can exploit a known vulnerability within an asset; and the perceived
impact to the organization if a breach were to occur. The Authorizing Official determines the Maximum Risk Tolerance
Threshold and applies compensating controls to mitigate risk to an acceptable level if necessary.
Assets
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
The goal of Information Security is to protect and defend valuable information assets from motivated threat actors or agents‐‐‐where the source of an attack can be internal or
external, intentional or unintentional, environmental or man‐made. Information Assurance (IA) Professionals recommend security controls to safeguard information system
components‐‐‐Information, People, Processes, Hardware, Software, Network‐‐‐from harm, loss, misconfiguration, misuse or exploitation. An IA Professional determines the
Sensitivity Level of an information system by assigning an impact level of LOW, MODERATE or HIGH to each of the three security attributes associated with "Information" (red X's
above) stored or processed on the information system. NIST SP 800‐60 V2R1 Appendices C, D and E divide Information into Information Types, and the process for determining
sensitivity level is repeated for each Information Type. An IA Professional determines the minimum set of baseline security controls using the high water mark method based on
the highest sensitivity level for all information types stored or processed on the information system. For example, if the impact value associated with the confidentiality security
attribute of an information type is HIGH, then the IA Professional selects a HIGH set of minimum baseline controls from the NIST SP 800‐53 Revision 4 Security Control Catalog.
The "Data" information system component aligns with a broader set of security attributes as well, including Authenticity/Trustworthiness, Non‐repudiation and Privacy (see table
above). For instance, systems that store Personally Identifiable Information (PII) must contain security controls that protect against the loss of PII. NIST SP 800‐53 Rev. 4
Appendix J contains a set of Privacy security controls.
Print Date: 2/22/2014
Page 1 of 1
Contact: James W. De Rienzo