
Pesante (2008), There Are Three Basic Security

Last reviewed: April 23, 2011

According to Pesante (2008), there are three basic security concepts that matter for information on the Internet: "confidentiality," "integrity," and "availability." In addition, Pesante discusses three concepts that relate to the people to whom information is made available, the people who need it for their work in the organization and can be trusted with it: "authentication," "authorization" and "non-repudiation." I think it is very important to set high or very high security requirements in all six areas. Companies should take advantage of every available measure, both technical and non-technical (social and personal), to ensure the highest possible level of information security within their organization. Whereas technical mechanisms are primarily needed to reduce risks from attacks originating outside the organization, social and personal countermeasures need to be implemented where the primary source of attack is expected to be internal (see Boran, 1999, p. 6).

Confidentiality: A loss of confidentiality occurs when information is read or copied by someone not authorized to do so. Confidentiality matters not only in banking, lending and debt collection but also for research data, medical and insurance records, corporate investment strategies and similar areas (see Pesante, p. 1). I consider identification and authentication procedures, access control, secure information exchange and reliability measures the premier countermeasures against loss of confidentiality. When users or programs communicate with each other, both parties should verify each other's identity so that each knows who it is communicating with, and the information they exchange should meet the expected levels of authenticity, confidentiality and non-repudiation (see Boran, p. 6).

Integrity: Integrity is of particular importance for safety-critical and financial data used for activities such as electronic funds transfers, air traffic control and financial accounting. To prevent a loss of integrity, i.e., unauthorized changes to information, whether by human error or by intent, companies should ensure that a secure network is available. To protect data against unauthorized manipulation, deletion or other handling, integrity-oriented security measures such as a set of access control rules should be in place. Accountability and audit trail measures work well in this context: companies need to know who did what, when and where, and under such measures users are responsible and accountable for their actions. Automatic audit trail monitoring and analysis helps to detect security breaches (see Boran, p. 6). I would also recommend measures on the social/personal side. For example, organizational roles, responsibilities and procedures are required to ensure that policies are actually implemented. Furthermore, companies should adopt a security policy that serves as a preventive mechanism for protecting important company data and processes (see Boran, p. 6). A security policy is an invaluable tool for communicating a coherent security standard to users, management and technical staff. Such a policy should cover: information security education of users, managers and system administrators; tools enabling users to implement the policy; strong safeguards such as passwords and screen locks; personal authentication measures; inquisitiveness; and monitoring/auditing.
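The audit trail described above only helps if the trail itself cannot be quietly rewritten by the person it records. The following is an added example (it is not code from Pesante, Boran or the original essay) of a tamper-evident log: each entry records who did what, when and where, and carries an HMAC tag chained to the previous entry under a key held by the audit service. The key, the user names, hosts and timestamps are all constructed for the illustration.

```python
"""Tamper-evident audit trail recording who did what, when and where.

Constructed example: every entry carries an HMAC-SHA256 tag computed over the
previous entry's tag plus its own fields, under a key that only the audit
service holds. Editing, reordering or deleting any earlier entry breaks the
tags of every later entry, so an automated check spots the manipulation.
"""
import hashlib
import hmac
import json
from typing import List, Optional, Tuple

# Constructed secret for the example; a real audit service would keep this key
# away from the administrators who can edit the log file (for instance in an HSM).
AUDIT_KEY = b"example-audit-key-not-for-production"
GENESIS_TAG = "0" * 64  # stands in for "the tag before the first entry"


def _tag(key: bytes, prev_tag: str, record: dict) -> str:
    """HMAC over (previous tag, canonical JSON of this record)."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_tag.encode() + b"\n" + body, hashlib.sha256).hexdigest()


def append_entry(log: List[dict], key: bytes, actor: str, action: str,
                 resource: str, host: str, ts: str, outcome: str) -> dict:
    """Append one who/what/where/when record, chained to the previous entry."""
    record = {"actor": actor, "action": action, "resource": resource,
              "host": host, "ts": ts, "outcome": outcome}
    prev_tag = log[-1]["tag"] if log else GENESIS_TAG
    entry = {"record": record, "tag": _tag(key, prev_tag, record)}
    log.append(entry)
    return entry


def verify_chain(log: List[dict], key: bytes) -> Tuple[bool, Optional[int]]:
    """(True, None) if every tag checks out, else (False, index of the first bad entry)."""
    prev_tag = GENESIS_TAG
    for i, entry in enumerate(log):
        expected = _tag(key, prev_tag, entry["record"])
        if not hmac.compare_digest(expected, entry["tag"]):
            return False, i
        prev_tag = entry["tag"]
    return True, None


def build_sample_log() -> List[dict]:
    """Constructed activity, not real data."""
    log: List[dict] = []
    append_entry(log, AUDIT_KEY, "alice", "read", "/finance/q1.xlsx",
                 "ws-12", "2011-04-23T09:02:11Z", "ok")
    append_entry(log, AUDIT_KEY, "bob", "write", "/finance/q1.xlsx",
                 "ws-07", "2011-04-23T09:15:40Z", "denied")
    append_entry(log, AUDIT_KEY, "bob", "write", "/finance/q1.xlsx",
                 "ws-07", "2011-04-23T09:16:02Z", "ok")
    return log


def edit_demo() -> Tuple[bool, bool, Optional[int]]:
    """Bob rewrites his denied attempt as a success without knowing the key."""
    log = build_sample_log()
    ok_before, _ = verify_chain(log, AUDIT_KEY)
    log[1]["record"]["outcome"] = "ok"      # field changed, old tag left in place
    ok_after, bad_index = verify_chain(log, AUDIT_KEY)
    return ok_before, ok_after, bad_index


def delete_demo() -> Tuple[bool, Optional[int]]:
    """Bob deletes the denied attempt outright; the next entry's tag exposes it."""
    log = build_sample_log()
    del log[1]
    return verify_chain(log, AUDIT_KEY)


if __name__ == "__main__":
    print("edit:  ", edit_demo())    # (True, False, 1)
    print("delete:", delete_demo())  # (False, 1)
```

The check stops at the first entry whose tag does not match, which tells the investigator where the manipulation started; everything after that point is untrustworthy as well, because its tags were computed over the original chain. Truncating the log at the end is the one change this scheme cannot see on its own, which is why the last tag should also be copied periodically to a separate system.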

Availability: A loss of availability refers to a situation where people in an organization who are authorized to get information cannot get what they need. Availability is of particular importance in service-oriented businesses that depend on information, such as airlines and online inventory systems (see Pesante, p. 1). To make sure that information and services are available when needed, companies may implement coordinated countermeasures such as physical security (access control, secure destruction of media, resource isolation), and they should make sure that reliability measures (backups, redundancy, hot spares, clusters, RAID, maintenance contracts, off-site duplicates, contingency planning) are in place (see Boran, p. 5).

Authentication: Authentication is the act of proving that a user is the person he or she claims to be (Pesante, p. 2). Organizations can use a variety of authentication methods to make sure that only authorized personnel or computer systems carry out a certain activity. To ensure that information is made available only to personnel who can be trusted with it, companies may require a person to prove something the user knows (such as a password), something the user has (such as a smartcard), or something that is unique to the user and proves the person's identity (such as a fingerprint) (Pesante, ibid.); combining two of these kinds of proof gives two-factor authentication. Companies can furthermore make use of cryptographic protocols for chip and terminal access control; appropriate tools include encryption, digital signatures and access control (see Boran, p. 8). Technical measures such as isolating services from each other also work well for authentication (and authorization) purposes, with the additional benefit that a weakness in or abuse of one service does not automatically lead to abuse of other services (see Boran, p. 5), which could otherwise compromise the information security of the whole organization. Technical control of viruses and other malicious content should also be mentioned in this context (see Boran, 1999, p. 8). In addition, companies can harden software by securing its installation and configuration (see Boran, p. 5) to prevent security breaches. Companies should also make sure to understand which other companies, software products and network configurations are best qualified to securely store and safeguard their information. To prove the access rights of a terminal or service provider, companies can make use of "terminal authentication." Furthermore, they can use "passive authentication" to prove the authenticity of the data stored in a chip by means of authentication and signature terminals (see Information Security Protection Manual, 2011, p. 9).
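The "something you know" plus "something you have" combination above is easiest to understand as code. The following is an added example (not code from Pesante, Boran or the essay) of a login check that requires a salted password hash and a time-based one-time code of the kind a hardware token or phone app produces (TOTP, RFC 6238). The user record, the password and the user store are constructed for the illustration; the TOTP secret is the RFC's published test key so the codes can be checked against its vectors.

```python
"""Two-factor login: something you know (password) plus something you have
(a TOTP token as in RFC 6238). Constructed example with an in-memory user
store; a deployment would back this with a directory or database, rate-limit
attempts and log each decision.
"""
import hashlib
import hmac
import secrets
import struct
import time
from typing import Dict, Optional, Tuple

PBKDF2_ROUNDS = 100_000
TOTP_STEP = 30          # seconds per code
TOTP_DIGITS = 6


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, derived key) for storage."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, dk


def verify_password(password: str, salt: bytes, stored_dk: bytes) -> bool:
    _, dk = hash_password(password, salt)
    return hmac.compare_digest(dk, stored_dk)       # constant-time comparison


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = TOTP_STEP) -> str:
    """RFC 6238 TOTP: HOTP over the current time step."""
    return hotp(secret, at_time // step)


def match_totp(secret: bytes, code: str, at_time: int, window: int = 1) -> Optional[int]:
    """Return the time-step counter the code matches (allowing +/- window steps
    of clock drift), or None if it matches nothing."""
    counter = at_time // TOTP_STEP
    for c in range(max(0, counter - window), counter + window + 1):
        if hmac.compare_digest(hotp(secret, c), code):
            return c
    return None


# Constructed user record. The TOTP secret is the RFC 6238 test key, so the
# codes this example produces can be checked against the RFC's own vectors.
USERS: Dict[str, dict] = {
    "alice": {
        "pw": hash_password("correct horse battery staple"),
        "totp_secret": b"12345678901234567890",
        "last_counter": -1,   # highest time step already used for a login
    }
}


def login(username: str, password: str, code: str,
          now: Optional[int] = None) -> Tuple[bool, str]:
    """Both factors must pass, and a code cannot be replayed."""
    now = int(time.time()) if now is None else now
    user = USERS.get(username)
    if user is None:
        hash_password(password, b"\0" * 16)  # burn the same time as a real check
        return False, "unknown user"
    salt, dk = user["pw"]
    if not verify_password(password, salt, dk):
        return False, "bad password"
    matched = match_totp(user["totp_secret"], code, now)
    if matched is None:
        return False, "bad code"
    if matched <= user["last_counter"]:
        return False, "code already used"
    user["last_counter"] = matched
    return True, "ok"


if __name__ == "__main__":
    print(totp(b"12345678901234567890", 59))                                 # 287082
    print(login("alice", "correct horse battery staple", "287082", now=59))  # (True, 'ok')
```

Two details matter in practice: both comparisons use a constant-time compare so response timing does not leak how many characters matched, and the server remembers the last time step it accepted, so a code captured over the shoulder cannot be replayed within the drift window.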

Authorization: Authorization goes hand in hand with authentication. It is the act of determining whether a particular user (or computer system) has the right to carry out a certain activity, such as reading a file or running a program (Pesante, p. 2). Countermeasures against unauthorized use of information are the following technical mechanisms: authentication of users and/or computers, encryption, access control, resource isolation, hardening by securing installation and configuration, and monitoring. Furthermore, I consider reliability measures of paramount importance in the context of authorization. These should include backups, redundancy, hot spares, clusters, RAID (redundant array of independent disks, a storage configuration that spreads data across several drives, in most levels with enough redundancy that one failed drive loses nothing), maintenance contracts, off-site copies, contingency planning and monitoring (see Boran, p. 5).
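The decision "may this user carry out this activity on this resource?" is the core of authorization, and the safe way to build it is to deny by default. The following is an added example (not code from Pesante, Boran or the essay) of such a check with roles, role inheritance and explicit deny rules that override inherited allows. Users, roles, paths and the policy are all constructed for the illustration.

```python
"""Deny-by-default authorization check for "may user U do action A on
resource R?". Constructed example: users hold roles, roles may inherit from
other roles, a small policy lists allow and deny rules, and the decision
fails closed: nothing is permitted unless a matching allow exists and no
matching deny overrides it.
"""
from fnmatch import fnmatchcase
from typing import Dict, FrozenSet, List, NamedTuple, Set


class Rule(NamedTuple):
    effect: str               # "allow" or "deny"
    role: str                 # role the rule applies to
    actions: FrozenSet[str]   # actions covered
    resource: str             # glob over the resource path ('*' also crosses '/')


# Constructed directory data.
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"accountant"},
    "bob": {"analyst"},
    "carol": {"admin"},
    "dave": {"contractor", "accountant"},
}

# A role inherits every permission of its parents (least privilege: keep this shallow).
ROLE_PARENTS: Dict[str, Set[str]] = {
    "admin": {"accountant"},
    "accountant": {"analyst"},
}

POLICY: List[Rule] = [
    Rule("allow", "analyst", frozenset({"read"}), "/finance/*"),
    Rule("allow", "accountant", frozenset({"write"}), "/finance/*"),
    Rule("allow", "admin", frozenset({"execute"}), "/bin/*"),
    # Explicit deny wins over any allow the user inherits through other roles.
    Rule("deny", "contractor", frozenset({"write"}), "/finance/*"),
]


def effective_roles(user: str) -> Set[str]:
    """Expand a user's direct roles through the hierarchy (cycle-safe)."""
    pending = list(USER_ROLES.get(user, set()))
    seen: Set[str] = set()
    while pending:
        role = pending.pop()
        if role in seen:
            continue
        seen.add(role)
        pending.extend(ROLE_PARENTS.get(role, set()))
    return seen


def authorize(user: str, action: str, resource: str) -> bool:
    """True only if some allow rule matches and no deny rule matches."""
    roles = effective_roles(user)
    allowed = False
    for rule in POLICY:
        if rule.role not in roles or action not in rule.actions:
            continue
        if not fnmatchcase(resource, rule.resource):
            continue
        if rule.effect == "deny":
            return False          # deny overrides, stop immediately
        allowed = True
    return allowed


def explain(user: str, action: str, resource: str) -> str:
    """Human-readable decision line suitable for an audit record."""
    outcome = "permit" if authorize(user, action, resource) else "deny"
    return f"{user} {action} {resource} -> {outcome} (roles: {sorted(effective_roles(user))})"


if __name__ == "__main__":
    for u, a, r in [("bob", "read", "/finance/q1.xlsx"),
                    ("bob", "write", "/finance/q1.xlsx"),
                    ("dave", "write", "/finance/q1.xlsx"),
                    ("carol", "execute", "/bin/report"),
                    ("eve", "read", "/finance/q1.xlsx")]:
        print(explain(u, a, r))
```

Note the three ways the check fails closed: an unknown user has no roles and therefore matches no allow; an action the policy never mentions (say "delete") is refused for everyone; and a contractor who has also been given the accountant role still cannot write, because the explicit deny is evaluated regardless of what the other roles grant.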

Cite This Paper
PaperDue. (2011). Pesante (2008), There Are Three Basic Security. PaperDue. https://www.paperdue.com/essay/pesante-2008-there-are-three-basic-security-50625
