Access - a subject or object’s ability to use, manipulate, modify, or affect another subject or object.
Asset - the organizational resource that is being protected.
Attack - an act that is an intentional or unintentional attempt to cause damage or compromise to the information and/or the systems that support it.
Control, Safeguard, or Countermeasure - security mechanisms, policies, or procedures that can successfully counter attacks, reduce risk, resolve vulnerabilities, and otherwise improve the security within an organization.
Exploit - to take advantage of weaknesses or vulnerabilities in a system.
Exposure - a single instance of being open to damage.
Hack - Good: to use computers or systems for enjoyment; Bad: to illegally gain access to a computer or system.
Object - a passive entity in the information system that receives or contains information.
Risk - the probability that something unwanted will happen.
Security Blueprint - the plan for the implementation of new security measures in the organization.
Security Model - a collection of specific security rules that represents the implementation of a security policy.
Security Posture or Security Profile - a general label for the combination of all policies, procedures, technologies, and programs that make up the total security effort currently in place.
Subject - an active entity that interacts with an information system and causes information to move through the system for a specific end purpose.
Threat - a category of objects, persons, or other entities that represents a potential danger to an asset.
Threat Agent - a specific instance or component of a more general threat.
Vulnerability - weaknesses or faults in a system or protection mechanism that expose information to attack or damage.
Critical Characteristics of Information
The value of information comes from the characteristics it possesses.
Availability – Enables users who need to access information to do so without interference or obstruction and in the required format. The information is said to be available to an authorized user when and where needed and in the correct format.
Accuracy – Free from mistake or error and having the value that the end user expects. If information contains a value different from the user’s expectations due to the intentional or unintentional modification of its content, it is no longer accurate.
Authenticity – The quality or state of being genuine or original, rather than a reproduction or fabrication. Information is authentic when it is the information that was originally created, placed, stored, or transferred.
Confidentiality – The quality or state of preventing disclosure or exposure to unauthorized individuals or systems.
Integrity – The quality or state of being whole, complete, and uncorrupted. The integrity of information is threatened when the information is exposed to corruption, damage, destruction, or other disruption of its authentic state.
Utility – The quality or state of having value for some purpose or end. Information has value when it serves a particular purpose. This means that if information is available, but not in a format meaningful to the end user, it is not useful.
Possession – The quality or state of having ownership or control of some object or item. Information is said to be in possession if one obtains it, independent of format or other characteristic. While a breach of confidentiality always results in a breach of possession, a breach of possession does not always result in a breach of confidentiality.
The Systems Development Life Cycle
Information security must be managed in a manner similar to any other major system implemented in the organization.
The best approach for implementing an information security system in an organization with little or no formal security in place is to use a variation of the Systems Development Life Cycle (SDLC): the Security Systems Development Life