Data security

Basic Principles for Ensuring Information Security

    • confidentiality: ensuring that the information is accessible only to authorized persons;
    • integrity: preserving the accuracy and completeness of the information as well as the processing methods;
    • availability: ensuring that authorized users have access to information and associated resources when needed.

Information security is achieved by implementing an appropriate set of policies, practices, procedures, organizational structures, and software functions. These elements must be implemented to the extent that the specific security objectives can be achieved.

It is important for each organization to be able to identify its own security requirements. To this end, organizations must use three main sources:

    • risk assessment: the threats to the resources are identified, the vulnerability to these threats is evaluated, and the probability of their occurrence and the potential impact are estimated;
    • the existing legislation that an organization must comply with;
    • security analysis: the specific set of principles, objectives, and requirements for information processing (read more here: www.computerworld.com/article/2572970/10-steps-to-a-successful-security-policy.html).

By analyzing the risks, an organization can identify its own security requirements. Such a process generally involves four main stages:

    • identifying the resources to be protected;
    • identifying the risks/threats specific to each resource;
    • ranking the risks (risk hierarchy);
    • identifying the controls that will eliminate/mitigate the risks.

Security analysis should include the following steps:

    • Selection of viable solutions;
    • Establishing the security strategy;
      • Compartmentalization and control of connections:
        • Compartmentalization of communications;
        • Network compartmentalization;
        • Compartmentalization of services and applications used;
      • Defense in layers (defense in depth);
      • Incident response strategy;
      • Allocation of resources for security purposes.
    • Establishing security policies:
      • Formal policies: Monitor, Graham-Denning, Bell-LaPadula, Biba, Clark-Wilson, Lattice or the Chinese Wall;
      • Particular policies: Internet use, VPN use (read more here: the-bestvpn.com), e-mail use, cryptography use, electronic signature use, password management, etc.;
    • Implementation of security mechanisms and procedures:
      • System documentation:
        • Security policy – approved by management at the highest level;
        • The set of security records (traceability of activities, security incidents, controls, training, audit and evaluation reports, etc.);
        • Completing job descriptions with security duties;
        • Performing the operational procedures of security (process-oriented).
      • Security certification – periodic control of the system’s compliance with the documentation drawn up (internal and external audit);
      • Evaluations of the security system through security tests – evaluation of the level at which the documentation and the functioning of the security mechanisms satisfy the security needs imposed by the environment;
      • Security accreditation – the decision of the competent authority (the owner) to authorize the operation and implicitly assume the remaining risks.

In order to define its security policy, the company must decide:

    • which threats should be eliminated and which can be tolerated;
    • what resources should be protected and at what level;
    • by which means security can be implemented;
    • the price (financial, human, social, etc.) of the security measures that can be accepted.

An important aspect of establishing security mechanisms is the financial part. The cost of a control mechanism should not exceed the value of the asset to be protected.
Once the objectives of the security policy are set, the next step is to select the security services, that is, the individual functions that increase security. Each service can be implemented by various methods (security mechanisms). Implementation requires so-called security management functions. Security management consists of controlling and distributing information across systems. Its purpose is to use security services and mechanisms to report security events that may occur to network administrators.

The next step is building the security model (read more here: en.wikipedia.org/wiki/Information_security#Basic_principles). The security model for a computer system can have several layers representing the security levels that surround the subject to be protected. Each level isolates the subject and makes it more difficult to access, in a different way from the underlying one.

Physical security represents the external level of the security model. It consists, in general, of placing the computer equipment in a separate enclosure and securing that enclosure and access to it. One concern is backups, of both data and programs, as well as the secure storage of the backup media. Local networks are very helpful here: backup copies can be made over the network to a single machine that can be more easily secured.

Physical security must be taken very seriously because all logical security measures, such as setting passwords on the respective system, become insignificant in case of unauthorized access to the equipment.

Another important problem in the physical security of a computer system is the theft of equipment or backup media.

Logical security consists of the logical (software) methods that control access to system resources and services. It has, in turn, several levels divided into two large groups: levels of access security and levels of service security.

Access security includes:

    • access to the system, which is responsible for determining under what conditions and at what time the system is accessible to users. Access to the system may also force a hard disconnection in certain cases (e.g. account expiration, peak time, etc.);
    • access to the account, which checks whether the user trying to log in has a valid name and password;
    • access rights (to files, resources, services, etc.), which determine what privileges a given user (or group of users) has.

Service security controls access to the services of a system (computer, network). It includes:

    • control of services, which is responsible for proper functionality and reporting, as well as for the activation and deactivation of the various services offered by the respective system;
    • rights to services, which determine exactly how a particular account uses a given service (access to files, resources, priority, etc.).

Access to a perfectly secure system should pass through all the security levels described above, from top to bottom, without allowing any of them to be circumvented.
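
The top-to-bottom traversal described above, sketched as an added example (not code from the original article): five checks run in the order the levels are listed, and the first denial ends the request. The accounts, services, login hours and request fields are all constructed for illustration.

```python
import hashlib, hmac
from datetime import datetime

def pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample state: accounts, services and login hours are hypothetical.
ACCOUNTS = {
    "alice": {"salt": b"a-salt", "hash": pw_hash("correct horse", b"a-salt"),
              "expires": datetime(2030, 1, 1), "rights": {("payroll.db", "read")}, "services": {"sftp"}},
    "bob":   {"salt": b"b-salt", "hash": pw_hash("hunter2", b"b-salt"),
              "expires": datetime(2030, 1, 1), "rights": {("payroll.db", "read")}, "services": set()},
}
SERVICES_ENABLED = {"sftp": True, "telnet": False}
LOGIN_HOURS = range(7, 20)  # system reachable 07:00-19:59

def system_access(req):    # when, and under what conditions, the system is reachable
    acct = ACCOUNTS.get(req["user"])
    expired = acct is not None and req["time"] >= acct["expires"]
    return req["time"].hour in LOGIN_HOURS and not expired

def account_access(req):   # valid name and password
    acct = ACCOUNTS.get(req["user"])
    # Hash even for unknown names so both failure paths do the same work.
    salt, expected = (acct["salt"], acct["hash"]) if acct else (b"none", bytes(32))
    ok = hmac.compare_digest(pw_hash(req["password"], salt), expected)
    return ok and acct is not None

def access_rights(req):    # privileges on files and resources
    return (req["resource"], req["action"]) in ACCOUNTS[req["user"]]["rights"]

def service_control(req):  # is the service activated on this system
    return SERVICES_ENABLED.get(req["service"], False)

def service_rights(req):   # may this account use the service
    return req["service"] in ACCOUNTS[req["user"]]["services"]

LEVELS = [("system access", system_access), ("account access", account_access),
          ("access rights", access_rights), ("service control", service_control),
          ("service rights", service_rights)]

def authorize(req):
    """Walk every level in order; return (granted, name of the denying level)."""
    for name, check in LEVELS:
        if not check(req):
            return False, name
    return True, None

# Constructed request used as a baseline; override single fields to probe each level.
SAMPLE = {"user": "alice", "password": "correct horse", "service": "sftp",
          "resource": "payroll.db", "action": "read", "time": datetime(2025, 3, 4, 10, 0)}
```

Because `access_rights` and `service_rights` look up the account without re-validating it, they are only safe when reached through `authorize`, which is the point of not letting any level be bypassed.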
