Saturday, April 17, 2010

Understanding Information Security Part 2

This post defines information security and its three areas.
Information security narrows down the definition of security. The term information security covers a wide array of activities in an organization. It includes not only the products, but also the processes used to prevent unauthorized access to, modification of, and deletion of information.
This area also involves protecting resources by preventing them from being disrupted by situations or attacks that may be largely beyond the control of the person responsible for information security.
From the perspective of a computer professional, you're dealing with issues that are much bigger than protecting computer systems from viruses. You're also protecting an organization's most valuable assets from people who are highly motivated to misuse those assets. Fortunately, most of them are outsiders who are trying to break in, but some of these people may already be inside your organization and discontented with their present situation. Not only do you have to keep outsiders out, but you also have to be prepared for the accountant who has legitimate access to files and wants to strike out because he did not get as good a performance review as he thought he deserved. Needless to say, this job isn't getting any easier. Weaknesses and vulnerabilities in most commercial systems are well known and documented, and more become known each day.
Your adversaries can use search engines to find vulnerabilities in virtually any product or operating system. To learn how to exploit the most likely weaknesses that exist in a system, they can buy books on computer hacking, join newsgroups on the Internet, and access websites that offer explicit details. Some are doing it for profit or pleasure, but many are doing it just for the sheer thrill of it. There have been many glamorized characters on television and in movies who break into computer systems and do things they should not. When was the last time you saw a glamorized security administrator on such a show? If you make things look fun and exciting, some part of the audience will attempt it.
Compounding matters, in many situations you'll find yourself constantly dealing with inherent weaknesses in the products you use and depend on. You can't count on the security within an application being flawless from the moment it is released until the next version comes out three years later. The following sections discuss in detail the aspects you must consider in order to have a reasonable chance of securing your information, networks, and computers.
Make sure you understand that I'm always talking about reasonable. One of the first things you must develop as a security administrator is a bit of paranoia. It's important to remember that you're dealing with both system vulnerabilities and human vulnerabilities; although they aren't the same, they both affect the organization significantly. You must assume that you're under attack right now, even as you read this post.
Information security includes a number of topics of primary focus, each addressing different parts of computer security. An effective computer security plan and process must evaluate the risks and create strategies and methods to address them. The following sections focus on three such areas:

  •  Physical security
  •  Operational security
  •  Management and policies

Each of these areas is vital to ensuring security in an organization. You can think of information security as a three-legged stool: if any one of the legs of your stool breaks, you'll fall down and hurt yourself. You must look at the overall business and address all the issues that business faces concerning computer security. Figure 1.1 shows how these three components of computer security interact to provide a reasonably secure environment.
Part of your job is to make recommendations to management about needs and deficiencies; to take action to minimize the risks and exposure of your information and systems; and to establish, enforce, and maintain the security of the systems with which you work. This is not a small task, and you must do each and every one of these tasks well in order to have a reasonable chance of maintaining security in your organization.