Final Presentation - Information Security

By: Mark Reed

Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.

Confidentiality

Integrity

Availability

Confidentiality means that confidential information must only be accessed, used, copied, or disclosed by persons who have been authorized to do so.


Integrity means that data cannot be created, changed, or deleted without authorization.
Data that is stored in a system must be in agreement with other related data that is stored on the same system.

Availability means that the information, the computing systems used to process the information, and the security controls used to protect the information are all available and functioning when the information is needed.



Risk – the likelihood that something bad will happen that causes harm to an information asset.
Vulnerability – a weakness that could be used to endanger or cause harm to an information asset.
Threat – anything that has the potential to cause harm.


Identify all assets and estimate their value.
Assets include people, buildings, hardware, software, data, and supplies.


Conduct a threat assessment.
The threat assessment must include acts of nature, acts of war, accidents, and malicious acts originating from inside or outside the organization.


Conduct a vulnerability assessment and, for each vulnerability that is found, calculate the probability that it will be exploited.
Evaluate all policies, procedures, standards, training, physical security, quality control, and technical security.


Calculate the impact that each threat would have on each asset.
Qualitative analysis (such as informed opinion) or quantitative analysis (such as dollar amounts and historical information) can be used.


Identify, select, and implement the appropriate controls to provide a proportional response.
Consider productivity, cost effectiveness, and the value of the asset.


Evaluate the effectiveness of the control measures.
Ensure that the controls provide the required cost-effective protection without loss of productivity.
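The six steps above can be carried through as one worked calculation. The following is an added example, not material from the presentation. It assumes a common quantitative model that the slides do not spell out: the expected annual loss for an asset/threat pair is asset value multiplied by the fraction of value lost per event and by the annual probability of exploitation, and a control is a proportional response when its annual cost is below the loss it removes. Every asset, threat, control, and dollar figure is constructed sample data.

```python
"""Worked risk assessment following the six steps (added example, not part
of the presentation). Assumed model: expected annual loss for an
(asset, threat) pair = asset value * impact fraction * annual probability
of exploitation; a control is proportional when its annual cost is below
the loss it removes. All data below is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value: float          # step 1: estimated value in dollars


@dataclass(frozen=True)
class Threat:
    name: str
    asset: str            # the asset this threat acts on
    probability: float    # step 3: annual probability the weakness is exploited
    impact: float         # step 4: fraction of the asset's value lost per event


@dataclass(frozen=True)
class Control:
    name: str
    threat: str           # the threat this control mitigates
    annual_cost: float
    reduction: float      # fraction of the expected loss the control removes


def expected_loss(asset: Asset, threat: Threat) -> float:
    """Annual expected loss in dollars for one asset/threat pair."""
    return asset.value * threat.impact * threat.probability


def rank_risks(assets, threats):
    """Step 4 output: (threat, asset, expected loss) sorted highest first."""
    by_name = {a.name: a for a in assets}
    rows = [(t.name, t.asset, expected_loss(by_name[t.asset], t)) for t in threats]
    return sorted(rows, key=lambda row: row[2], reverse=True)


def control_benefit(control: Control, assets, threats) -> float:
    """Dollars of expected loss the control removes each year."""
    by_asset = {a.name: a for a in assets}
    by_threat = {t.name: t for t in threats}
    threat = by_threat[control.threat]
    return expected_loss(by_asset[threat.asset], threat) * control.reduction


def proportional_controls(controls, assets, threats):
    """Step 5: keep only controls whose yearly benefit exceeds their cost."""
    return [c.name for c in controls
            if control_benefit(c, assets, threats) > c.annual_cost]


def residual_loss(assets, threats, controls, selected) -> float:
    """Step 6: total expected loss remaining once the selected controls run."""
    total = sum(row[2] for row in rank_risks(assets, threats))
    removed = sum(control_benefit(c, assets, threats)
                  for c in controls if c.name in selected)
    return total - removed


# Constructed sample data: two malicious acts (one from outside) and one
# act of nature, as the threat assessment step requires.
ASSETS = [Asset("customer_db", 500_000), Asset("file_server", 120_000),
          Asset("office", 800_000)]
THREATS = [Threat("sql_injection", "customer_db", probability=0.2, impact=0.6),
           Threat("ransomware", "file_server", probability=0.3, impact=0.5),
           Threat("flood", "office", probability=0.02, impact=0.25)]
CONTROLS = [Control("input validation + WAF", "sql_injection", 15_000, 0.8),
            Control("offline backups", "ransomware", 6_000, 0.7),
            Control("flood barrier", "flood", 9_000, 0.9)]

if __name__ == "__main__":
    for name, asset, loss in rank_risks(ASSETS, THREATS):
        print(f"{name:14s} on {asset:12s} expected annual loss ${loss:>9,.0f}")
    chosen = proportional_controls(CONTROLS, ASSETS, THREATS)
    print("proportional controls:", chosen)
    print(f"residual expected loss: ${residual_loss(ASSETS, THREATS, CONTROLS, chosen):,.0f}")
```

With this data the flood barrier is rejected even though it is 90% effective: the flood risk is small enough that the control costs more each year than the loss it prevents, which is exactly the proportionality the slide asks for.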



Administrative – consist of approved written policies, procedures, standards, and guidelines.
Logical – use software and data to monitor and control access to information and computing systems (passwords, firewalls, IDS, etc.).
Physical – monitor and control the environment of the work place and computing facilities.
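A small logical control makes the confidentiality and integrity definitions from earlier concrete and shows the "monitor and control" halves of the definition above. This is an added example, not code from the presentation: a record store that allows reads only to listed principals (confidentiality), allows writes only to listed principals and stamps every stored record with a SHA-256 digest so that a change made outside the control is detected on the next read (integrity), and records every access decision in an audit log (monitoring). Availability is not modelled. The users, records, and access lists are constructed sample data.

```python
"""Added example (not from the presentation): a minimal logical control.
Confidentiality is enforced by the read access list, integrity by the
write access list plus a per-record SHA-256 digest, and monitoring by an
audit log of every decision. Users, records and lists are constructed."""
import hashlib
import json


class AccessDenied(Exception):
    """Raised when a principal is not authorized for the requested action."""


class IntegrityError(Exception):
    """Raised when a record's stored digest no longer matches its content."""


def digest(data) -> str:
    # Canonical JSON so identical content always produces the same digest.
    return hashlib.sha256(json.dumps(data, sort_keys=True).encode()).hexdigest()


class RecordStore:
    def __init__(self):
        self._records = {}   # name -> {"data": ..., "digest": ...}
        self._acl = {}       # name -> {"read": set(...), "write": set(...)}
        self.audit = []      # every access decision, for monitoring

    def create(self, name, data, readers, writers):
        self._records[name] = {"data": data, "digest": digest(data)}
        self._acl[name] = {"read": set(readers), "write": set(writers)}

    def _authorize(self, user, name, action):
        allowed = user in self._acl[name][action]
        self.audit.append({"user": user, "record": name, "action": action,
                           "decision": "allowed" if allowed else "denied"})
        if not allowed:
            raise AccessDenied(f"{user} may not {action} {name}")

    def read(self, user, name):
        self._authorize(user, name, "read")              # confidentiality
        record = self._records[name]
        if digest(record["data"]) != record["digest"]:   # integrity check
            raise IntegrityError(f"{name} was modified outside the control")
        return record["data"]

    def write(self, user, name, data):
        self._authorize(user, name, "write")             # only authorized change
        self._records[name] = {"data": data, "digest": digest(data)}

    def simulate_unauthorized_change(self, name, data):
        # Stands in for a change made behind the control's back (for
        # example, editing the storage directly). Only the data changes,
        # so the stored digest no longer matches and the next read fails.
        self._records[name]["data"] = data


def build_sample_store() -> RecordStore:
    """Constructed sample: alice and bob may read payroll, only bob may write."""
    store = RecordStore()
    store.create("payroll", {"salary": 1000}, readers=["alice", "bob"], writers=["bob"])
    return store


if __name__ == "__main__":
    store = build_sample_store()
    print("alice reads:", store.read("alice", "payroll"))
    try:
        store.read("mallory", "payroll")
    except AccessDenied as exc:
        print("denied:", exc)
    store.write("bob", "payroll", {"salary": 1100})
    store.simulate_unauthorized_change("payroll", {"salary": 99999})
    try:
        store.read("alice", "payroll")
    except IntegrityError as exc:
        print("integrity failure:", exc)
    print("audit log:", store.audit)
```

The digest does not stop the unauthorized change from happening; it makes the change visible, which is why the integrity definition pairs the control with the requirement that stored data stay in agreement with what the system expects.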


Information security must protect information throughout the life span of the information.
Information security must be evaluated and updated as more threats arise.