Information Security

Author: name hidden by the user; posted 14 March 2013 at 22:15; essay (referat)

Summary

Information security means protecting information and information systems from unauthorized access, use, disclosure, modification or destruction.

Since the early days of writing, heads of state and military commanders understood that it was necessary to provide some mechanism to protect the confidentiality of written correspondence and to have some means of detecting tampering.

For over twenty years, information security has held confidentiality, integrity and availability as the core principles of information security.

Confidentiality means preventing the disclosure of information to unauthorized individuals or systems. Confidentiality is necessary (but not sufficient) for maintaining the privacy of the people whose personal information a system holds. In information security, integrity means that data cannot be modified without authorization.

When management chooses to mitigate a risk, it does so by implementing one or more of three different types of controls. Administrative controls form the framework for running the business and managing people. Logical controls (also called technical controls) use software and data to monitor and control access to information and computing systems. Physical controls monitor and control the environment of the workplace and computing facilities.

Information security uses cryptography to transform usable information into a form that renders it unusable by anyone other than an authorized user; this process is called encryption.

An important aspect of information security and risk management is recognizing the value of information and defining appropriate procedures and protection requirements for the information. Not all information is equal and so not all information requires the same degree of protection. This requires information to be assigned a security classification.

 

 


Information security

Information security means protecting information and information systems from unauthorized access, use, disclosure, modification or destruction.

The terms information security, computer security and information assurance are frequently, and incorrectly, used interchangeably. These fields are often interrelated and share the common goals of protecting the confidentiality, integrity and availability of information; however, there are some subtle differences between them.

Governments, military, corporations, financial institutions, hospitals, and private businesses amass a great deal of confidential information about their employees, customers, products, research, and financial status. Most of this information is collected, processed and stored on electronic computers and transmitted across networks to other computers.

Should confidential information about a business's customers, finances or new product line fall into the hands of a competitor, such a breach of security could lead to lost business, lawsuits or even bankruptcy of the business. Protecting confidential information is a business requirement, and in many cases also an ethical and legal requirement.

For the individual, information security has a significant effect on privacy, which is viewed very differently in different cultures.

The field of information security has grown and evolved significantly in recent years. As a career choice there are many ways of gaining entry into the field. It offers many areas for specialization including: securing networks and allied infrastructure, securing applications and databases, security testing, information systems auditing and many others.

 

History

Since the early days of writing, heads of state and military commanders understood that it was necessary to provide some mechanism to protect the confidentiality of written correspondence and to have some means of detecting tampering.

Julius Caesar is credited with the invention of the Caesar cipher c. 50 BC, created so that his secret messages could not be read should one fall into the wrong hands.

World War II brought about many advancements in information security and marked the beginning of the professional field of information security.

The end of the 20th century and the early years of the 21st century saw rapid advancements in telecommunications, computing hardware and software, and data encryption. The availability of smaller, more powerful and less expensive computing equipment put electronic data processing within the reach of small businesses and home users. These computers became interconnected through the network generically called the Internet, on top of which the World Wide Web runs.

The rapid growth and widespread use of electronic data processing and electronic business conducted through the Internet, along with numerous occurrences of international terrorism, fueled the need for better methods of protecting the computers and the information they store, process and transmit. The academic disciplines of computer security, information security and information assurance emerged along with numerous professional organizations - all sharing the common goals of ensuring the security and reliability of information systems.

For over twenty years, information security has held confidentiality, integrity and availability (known as the CIA triad) as the core principles of information security. Many information security professionals firmly believe that Accountability should be added as a core principle of information security.

 

Basic principles

Key concept: confidentiality

Confidentiality means preventing the disclosure of information to unauthorized individuals or systems. For example, a credit card transaction on the Internet requires the credit card number to be transmitted from the buyer to the merchant and from the merchant to a transaction processing network. The system attempts to enforce confidentiality by encrypting the card number during transmission, by limiting the places where it might appear (in databases, log files, backups, printed receipts, and so on), and by restricting access to the places where it is stored. If an unauthorized party obtains the card number in any way, a breach of confidentiality has occurred.

Breaches of confidentiality take many forms. Permitting someone to look over your shoulder at your computer screen while you have confidential data displayed on it could be a breach of confidentiality. If a laptop computer containing important information about a company's employees is stolen or sold, it could result in a breach of confidentiality. Giving out confidential information over the telephone is a breach of confidentiality if the caller is not authorized to have the information.

Confidentiality is necessary (but not sufficient) for maintaining the privacy of the people whose personal information a system holds.

 

Key concept: integrity

In information security, integrity means that data cannot be modified without authorization. This is not the same thing as referential integrity in databases. Integrity is violated when an employee accidentally or with malicious intent deletes important data files, when a computer virus infects a computer, when an employee is able to modify his own salary in a payroll database, when an unauthorized user vandalizes a web site, when someone is able to cast a very large number of votes in an online poll, and so on.

 

There are many ways in which integrity could be violated without malicious intent. In the simplest case, a user on a system could mis-type someone's address. On a larger scale, if an automated process is not written and tested correctly, bulk updates to a database could alter data in an incorrect way, leaving the integrity of the data compromised. Information security professionals are tasked with finding ways to implement controls that prevent errors of integrity.
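The following Python example is added here and is not part of the original text. It shows the simplest integrity control a practitioner would reach for: a manifest of SHA-256 digests taken at a known-good point, later compared against the current state to report modified, missing and unexpected files. The file names and contents are constructed to reproduce the violations listed above (an employee changing his own salary, a defaced web page, a deleted data file); in a real deployment the manifest itself must live where whoever can edit the files cannot edit it.

```python
import hashlib

# Constructed sample data: file name -> contents at the known-good baseline.
BASELINE_FILES = {
    "payroll/alice.json": b'{"employee": "alice", "salary": 52000}',
    "payroll/bob.json": b'{"employee": "bob", "salary": 48000}',
    "www/index.html": b"<h1>Welcome</h1>",
}


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> dict:
    """Record one digest per file at a known-good point in time. Store the
    manifest out of reach of anyone who can edit the files (read-only media,
    a separate host, or signed with a key they do not hold)."""
    return {name: digest(data) for name, data in files.items()}


def verify(manifest: dict, files: dict) -> dict:
    """Compare the current state with the baseline and report every deviation."""
    modified = sorted(n for n in manifest if n in files and digest(files[n]) != manifest[n])
    missing = sorted(n for n in manifest if n not in files)
    unexpected = sorted(n for n in files if n not in manifest)
    return {"modified": modified, "missing": missing, "unexpected": unexpected}


def tampered_state() -> dict:
    """Constructed 'later' state reproducing three violations from the text:
    an employee edits his own salary, a web page is defaced, and a data file
    is deleted (plus an extra file nobody approved)."""
    files = dict(BASELINE_FILES)
    files["payroll/bob.json"] = b'{"employee": "bob", "salary": 480000}'
    files["www/index.html"] = b"<h1>Defaced</h1>"
    del files["payroll/alice.json"]
    files["www/uploads/note.html"] = b"<p>unreviewed</p>"
    return files


if __name__ == "__main__":
    manifest = build_manifest(BASELINE_FILES)
    print(verify(manifest, BASELINE_FILES))   # nothing reported
    print(verify(manifest, tampered_state()))
```

A plain digest detects both accidental and malicious change but cannot tell them apart; authorising a change means re-baselining through the same controlled path that protects the manifest.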

 

Key concept: availability

For any information system to serve its purpose, the information must be available when it is needed. This means that the computing systems used to store and process the information, the security controls used to protect it, and the communication channels used to access it must be functioning correctly. High availability systems aim to remain available at all times, preventing service disruptions due to power outages, hardware failures, and system upgrades. Ensuring availability also involves preventing denial-of-service attacks.
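Added example, not from the original essay: a token-bucket rate limiter in Python, the usual first line of defence against a single client exhausting a service's capacity. Each client gets its own bucket, so a flooding client is throttled while a well-behaved one is unaffected. The traffic pattern, client names and the rate and burst values are constructed for the simulation; the deterministic clock exists only so the run is reproducible.

```python
import time


class TokenBucket:
    """One bucket per client: `rate` tokens are added per second up to `burst`,
    and each request spends one token. A client that floods the service gets
    at most `burst` requests through at once, then `rate` per second; other
    clients keep their own tokens and are unaffected."""

    def __init__(self, rate: float, burst: int, clock=time.monotonic):
        self.rate = rate
        self.burst = burst
        self.clock = clock
        self.buckets = {}  # client id -> (tokens, time of last refill)

    def allow(self, client: str) -> bool:
        now = self.clock()
        tokens, last = self.buckets.get(client, (float(self.burst), now))
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self.buckets[client] = (tokens - 1.0, now)
            return True
        self.buckets[client] = (tokens, now)
        return False


class FakeClock:
    """Deterministic clock so the simulation below is reproducible."""

    def __init__(self):
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


def simulate(rate: float = 2.0, burst: int = 10) -> dict:
    """Constructed traffic: 'flood' sends 100 requests per second for 2 seconds,
    'normal' sends one request per second for 10 seconds. Returns how many
    requests of each were allowed through."""
    clock = FakeClock()
    limiter = TokenBucket(rate, burst, clock)
    allowed = {"flood": 0, "normal": 0}
    for second in range(10):
        clock.now = float(second)
        if limiter.allow("normal"):
            allowed["normal"] += 1
        if second < 2:
            for _ in range(100):
                if limiter.allow("flood"):
                    allowed["flood"] += 1
    return allowed


if __name__ == "__main__":
    print(simulate())
```

Keying the bucket on a client identifier the attacker controls (a spoofable header, say) defeats the limiter; in practice the key is the source address, an authenticated user, or both, and the limiter sits in front of the expensive work rather than behind it.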

In 1998, Donn Parker proposed an alternative model to the classic CIA triad that he called the six atomic elements of information. The elements are confidentiality, possession, integrity, authenticity, availability, and utility. The merits of the Parkerian hexad are a subject of debate amongst security professionals.

 

Administrative controls

When management chooses to mitigate a risk, it does so by implementing one or more of three different types of controls.

Administrative controls (also called procedural controls) consist of approved written policies, procedures, standards and guidelines. Administrative controls form the framework for running the business and managing people. They inform people on how the business is to be run and how day-to-day operations are to be conducted. Laws and regulations created by government bodies are also a type of administrative control. Some industry sectors have policies, procedures, standards and guidelines that must be followed; the Payment Card Industry Data Security Standard (PCI DSS), which the major card brands (Visa, MasterCard and others) require of every organisation that stores, processes or transmits cardholder data, is such an example.

Administrative controls form the basis for the selection and implementation of logical and physical controls. Logical and physical controls are manifestations of administrative controls. Administrative controls are of paramount importance.

 

Logical controls

Logical controls (also called technical controls) use software and data to monitor and control access to information and computing systems. For example: passwords, network and host based firewalls, network intrusion detection systems, access control lists, and data encryption are logical controls.

An important logical control is the principle of least privilege. The principle of least privilege requires that an individual, program or system process is granted no more access privileges than are necessary to perform its task. A blatant example of failure to adhere to the principle is logging into Windows as the Administrator user to read e-mail and browse the Web. Violations of this principle also occur when an individual accumulates access privileges over time. This happens when employees' job duties change, when they are promoted to a new position, or when they transfer to another department: the access privileges required by the new duties are frequently added on top of the existing ones, which may no longer be necessary. Periodic access reviews that compare what each account holds against what its current role requires are the usual remedy.

 

Physical controls

Physical controls monitor and control the environment of the workplace and computing facilities. They also monitor and control access to and from such facilities. For example: doors, locks, heating and air conditioning, fire alarms, fire suppression systems, cameras, security guards, etc. Separating the network and the workplace into functional areas is also a physical control.

An important control that is frequently overlooked is separation of duties. It is defined by policy (an administrative control) and enforced through access rights and approval workflows (logical controls), although physical separation of the people involved often supports it. Separation of duties ensures that an individual cannot complete a critical task alone. For example, an employee who submits a request for reimbursement should not also be able to authorize payment or print the cheque. An application programmer should not also be the server administrator or the database administrator; these roles and responsibilities must be separated from one another.
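The following Python access-review script is an added example (not the essay's own material) that covers the two controls discussed above: it reports privileges an account holds beyond what its current role requires (the least-privilege drift described under logical controls) and privileges that must not be combined in one person (separation of duties). The roles, users, privilege names and toxic pairs are constructed sample data; the export format of a real directory or IAM system will differ, but the two checks are the same.

```python
# Constructed sample data for the review. Each role lists the privileges its
# duties require; each user holds whatever has accumulated on the account.
ROLE_PRIVILEGES = {
    "developer": {"repo:write", "ci:run"},
    "server_admin": {"ssh:prod", "deploy:prod"},
    "accounts_payable": {"expense:submit"},
    "finance_manager": {"expense:approve", "payment:release"},
}
USER_ROLES = {
    "alice": {"developer"},        # moved from the ops team to development
    "bob": {"accounts_payable"},   # was given approval rights "temporarily"
    "carol": {"server_admin"},
}
USER_PRIVILEGES = {
    "alice": {"repo:write", "ci:run", "ssh:prod"},
    "bob": {"expense:submit", "expense:approve"},
    "carol": {"ssh:prod", "deploy:prod"},
}
# Pairs one person must never hold together (separation of duties).
TOXIC_PAIRS = [
    ("expense:submit", "expense:approve"),
    ("repo:write", "deploy:prod"),
]


def excess_privileges(user: str) -> set:
    """Privileges held but not required by any of the user's current roles
    (least-privilege drift left over from earlier duties)."""
    needed = set().union(*(ROLE_PRIVILEGES[r] for r in USER_ROLES[user]))
    return USER_PRIVILEGES[user] - needed


def sod_violations(user: str) -> list:
    """Toxic combinations the user currently holds."""
    held = USER_PRIVILEGES[user]
    return [pair for pair in TOXIC_PAIRS if pair[0] in held and pair[1] in held]


def access_review() -> dict:
    """Findings per user; empty lists mean the account passed both checks."""
    return {
        user: {"excess": sorted(excess_privileges(user)), "sod": sod_violations(user)}
        for user in USER_PRIVILEGES
    }


if __name__ == "__main__":
    for user, findings in access_review().items():
        print(user, findings)
```

The review only works if the role definitions are themselves maintained: a role that quietly grows to include every privilege anyone ever asked for makes the excess check pass while defeating its purpose.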

 

Security classification for information

An important aspect of information security and risk management is recognizing the value of information and defining appropriate procedures and protection requirements for the information. Not all information is equal and so not all information requires the same degree of protection. This requires information to be assigned a security classification.

The first step in information classification is to identify a member of senior management as the owner of the particular information to be classified. Next, develop a classification policy. The policy should describe the different classification labels, define the criteria for information to be assigned a particular label, and list the required security controls for each classification.

Some factors that influence which classification information should be assigned include how much value that information has to the organization, how old the information is and whether or not the information has become obsolete. Laws and other regulatory requirements are also important considerations when classifying information.

The classification labels used depend on the nature of the organisation; examples are:

    • In the business sector, labels such as: Public, Private, Confidential.
    • In the government sector, labels such as: Unclassified, Restricted, Confidential, Secret, Top Secret and their non-English equivalents.

All employees in the organization, as well as business partners, must be trained on the classification schema and understand the required security controls and handling procedures for each classification. The classification a particular information asset has been assigned should be reviewed periodically to ensure the classification is still appropriate for the information and to ensure the security controls required by the classification are in place.

 

Cryptography

Information security uses cryptography to transform usable information into a form that renders it unusable by anyone other than an authorized user; this process is called encryption. Information that has been encrypted can be transformed back into its original usable form by an authorized user who possesses the cryptographic key, through the process of decryption. Cryptography is used in information security to protect information from unauthorized or accidental disclosure while the information is in transit (either electronically or physically) and while it is in storage.

Cryptography can introduce security problems when it is not implemented correctly. Cryptographic systems should be implemented only after review by independent experts in cryptography rather than designed in-house. The length and strength of the encryption key are also important considerations: a key that is weak or too short will produce weak encryption, and a long key derived from a short secret such as a PIN is only as strong as that secret. The keys used for encryption and decryption must be protected with the same degree of rigor as any other confidential information. They must be protected from unauthorized disclosure and destruction, and they must be available when needed.
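As an added example (not part of the original essay), the Python block below builds a stream cipher from HMAC-SHA256 used as a pseudorandom function in counter mode, and then demonstrates the key-strength point: a 256-bit key derived from a 4-digit PIN is recovered by trying all 10,000 PINs against a known message header, while a key of 128 random bits has no such shortcut. The construction is a teaching device chosen because it needs only the standard library; it provides no authentication of the ciphertext and is exactly the kind of home-grown scheme the paragraph says should not be used without expert review. Real systems should use a reviewed library cipher such as AES-GCM. The message, the PIN and the header are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
import struct


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 used as a pseudorandom function in counter mode:
    block i = HMAC(key, nonce || i). The nonce must never repeat under one key,
    or two ciphertexts XOR to the XOR of their plaintexts."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """XOR the plaintext with the keystream (an unauthenticated stream cipher)."""
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))


# Decryption is the same XOR with the same keystream.
decrypt = encrypt


def pin_key(pin: str) -> bytes:
    """A 256-bit key derived from a 4-digit PIN: long, but only 10,000 possibilities."""
    return hashlib.sha256(pin.encode()).digest()


def brute_force_pin(nonce: bytes, ciphertext: bytes, header: bytes = b"MSG:") -> str:
    """Try every PIN; the right one decrypts the known message header.
    Only the first len(header) bytes need to be decrypted per guess."""
    for n in range(10_000):
        pin = f"{n:04d}"
        if decrypt(pin_key(pin), nonce, ciphertext[: len(header)]) == header:
            return pin
    return ""


def demo() -> dict:
    message = b"MSG:transfer 100 to account 42"  # constructed sample message
    nonce = secrets.token_bytes(16)

    # Weak key: 256 bits long, 10,000 possible values.
    weak = encrypt(pin_key("4209"), nonce, message)
    recovered_pin = brute_force_pin(nonce, weak)

    # Strong key: 128 random bits, 2**128 possible values.
    strong_key = secrets.token_bytes(16)
    strong = encrypt(strong_key, nonce, message)
    return {
        "weak_key_recovered": recovered_pin,
        "strong_roundtrip_ok": decrypt(strong_key, nonce, strong) == message,
        "strong_key_space": 2 ** (8 * len(strong_key)),
    }


if __name__ == "__main__":
    print(demo())
```

The brute force needs no knowledge of the cipher's weaknesses, only the small key space and a guessable header; the fix is a key drawn from a proper random source, and if a human secret must be the root, a slow key derivation function (scrypt, Argon2) and a secret far longer than four digits.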

 


 
