From WikiEducator
  • Fundamentals of Information Security
Information security is the preservation of the confidentiality, integrity and availability of data, regardless of the form the data take: electronic, print, or other forms. Governments, the military, financial institutions, hospitals, and private businesses amass a great deal of confidential information about their employees, customers, products, research, and financial status. Most of this information is now collected, processed and stored on electronic computers and transmitted across networks to other computers.

Should confidential information about a business's customers, finances or new product line fall into the hands of a competitor, such a breach of security could lead to lost business, lawsuits or even bankruptcy of the business. Protecting confidential information is a business requirement, and in many cases also an ethical and legal requirement. For the individual, information security has a significant effect on privacy, which is viewed very differently in different cultures.

Relevant subtopics to be covered in this section include:

  • Confidentiality
  • Integrity
  • Availability
  • Information Security Requirements

To ensure security in a system, some requirements are imperative. These include access, identification, authentication, authorization, privacy and non-repudiation.

  • Access Control

The goal of effective access control is to ensure that the right people have access to the right things, based on their job function and placement in the organization, on the principles and policies of least-privilege access and separation of duties, and on the assignment of roles to each business process. Three types of access control can be implemented: administrative, logical and physical controls.

Administrative controls (also called procedural controls) consist of written policies, procedures, guidelines and standards which form the framework for running the business and managing the people. They inform the people on how the business is to be run and how day-to-day operations are to be conducted. Laws and regulations created by government organizations are also a form of administrative control, since they inform the business.

Logical controls (also called technical controls) use software and data to monitor and control access to information and computing systems. For example: passwords, network and host-based firewalls, network intrusion detection systems, access control lists, and data encryption are logical controls. An important logical control that is frequently overlooked is the principle of least privilege. The principle of least privilege requires that an individual, program or system process is not granted any more access privileges than are necessary to perform the task. A blatant example of the failure to adhere to the principle of least privilege is logging into Windows as the user Administrator to read email and surf the Web. Violations of this principle can also occur when an individual accumulates additional access privileges over time. This happens when employees' job duties change, when they are promoted to a new position, or when they transfer to another department. The access privileges required by their new duties are frequently added onto their already existing access privileges, which may no longer be necessary or appropriate.

Physical controls monitor and control the environment of the workplace and computing facilities. They also monitor and control access to and from such facilities. For example: doors, locks, heating and air conditioning, smoke and fire alarms, fire suppression systems, cameras, barricades, fencing, security guards, cable locks, etc. Separating the network and workplace into functional areas is also a physical control. An important control that is frequently overlooked is the separation of duties. Separation of duties ensures that an individual cannot complete a critical task by himself. For example: an employee who submits a request for reimbursement should not also be able to authorize payment or print the check. An applications programmer should not also be the server administrator or the database administrator; these roles and responsibilities must be separated from one another.
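The two checks described above, privilege creep from role changes and separation-of-duties conflicts, can be automated as part of a periodic access review. The following Python is an added example, not part of the WikiEducator page; the role names, permission names and the sample user are constructed for illustration.

```python
# Added example (not from the WikiEducator page): an access-review check for
# privilege creep and separation-of-duties conflicts. Roles, permissions and
# the sample user are constructed for illustration.
from typing import Dict, List, Set, Tuple

# Hypothetical role -> permissions mapping: each role gets only what its duties need.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "employee": {"submit_reimbursement", "read_email"},
    "finance_approver": {"authorize_payment", "read_email"},
    "treasury_clerk": {"print_check", "read_email"},
    "app_programmer": {"deploy_app_code", "read_email"},
    "server_admin": {"admin_servers", "read_email"},
    "dba": {"admin_database", "read_email"},
}

# Permission pairs one person must never hold together (the page's examples:
# requester / approver / check printer, and programmer / server or database admin).
SOD_CONFLICTS: List[Tuple[str, str]] = [
    ("submit_reimbursement", "authorize_payment"),
    ("submit_reimbursement", "print_check"),
    ("authorize_payment", "print_check"),
    ("deploy_app_code", "admin_servers"),
    ("deploy_app_code", "admin_database"),
]


def excess_privileges(current_role: str, granted: Set[str]) -> Set[str]:
    """Permissions held beyond what the current role needs; a non-empty set
    means rights carried over from earlier duties were never revoked."""
    return granted - ROLE_PERMISSIONS[current_role]


def sod_violations(granted: Set[str]) -> List[Tuple[str, str]]:
    """Conflicting permission pairs held by a single user."""
    return [(a, b) for a, b in SOD_CONFLICTS if a in granted and b in granted]


def review_user(current_role: str, granted: Set[str]) -> Dict[str, object]:
    """One finding record per user for the periodic access review."""
    return {"excess": sorted(excess_privileges(current_role, granted)),
            "sod": sod_violations(granted)}


if __name__ == "__main__":
    # Constructed sample: Alice was promoted from employee to finance_approver
    # but kept submit_reimbursement, so she can now both request and authorize.
    alice = {"submit_reimbursement", "authorize_payment", "read_email"}
    print(review_user("finance_approver", alice))
```

In a real review the role mapping and each user's granted permissions would be exported from the identity system; the logic itself does not change.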


  • What is a computer

Put your notes, materials and information on the topic here...

  • Types of Computers

Put your notes, materials and information on the topic here...

  • The Computer as a system

Put your notes, materials and information on the topic here...