Foundations of Information Security
Welcome to the first blog about Foundations of Information Security. This blog is about Chapter 1 – Introduction.
This book is intended for everyone in an organization who wishes to have a basic understanding of information security. Knowledge about information security is important to all employees. It makes no difference if you work in a profit- or non-profit organization because the risks that organizations face are similar for all.
Employees need to know why they have to adhere to security rules on a day-to-day basis. Line managers need to have this understanding as they are responsible for the security of information in their department. This basic knowledge is also important for all business people, including the self-employed who have no employees, as they are responsible for protecting their own information. A certain degree of knowledge is also necessary at home. And of course, this knowledge forms a good basis for those who may be considering a career as an information security specialist, whether as an IT professional or a process manager.
Everyone is involved in information security, often via security countermeasures. These countermeasures are sometimes enforced by regulatory rules and sometimes they are implemented by means of internal rules. Consider, for example, the use of a password on a computer. We often view such measures as a nuisance, as they take up our time and we do not always understand what they are protecting us against. Information security is the art of finding the right balance between a number of aspects:
■ The quality requirements an organization may have for its information;
■ The risks associated with these quality requirements;
■ The countermeasures that are necessary to mitigate these risks;
■ Ensuring business continuity in the event of a disaster;
■ When and whether to report incidents outside the organization.
1.1 WHAT IS QUALITY?
First you have to decide what you think quality is. At its simplest level, quality answers two questions: ‘What is wanted?’ and ‘How do we do it?’ Accordingly, quality’s stomping ground has always been the area of processes. From ISO 9000, to the heady heights of Total Quality Management (TQM), quality professionals specify, measure, improve and re-engineer processes to ensure that people get what they want. So where are we now?
There are as many definitions of quality as there are quality consultants, but commonly accepted variations include:
■ ‘Conformance to requirements’ – P.B. (Phil) Crosby (1926-2001);
■ ‘Fitness for use’ – Joseph Juran (1904 – 2008);
■ ‘The totality of characteristics of an entity that bear on its ability to satisfy stated and implied needs’ – ISO 9001:2008;
■ Quality models for business, including the Deming Prize, the EFQM excellence model and the Baldrige award.
The primary objective of this book is to provide awareness for students who want to sit a basic security examination. This book is based on the international standard ISO 27002:2013. It is also a source of information for the lecturer who wants to test information security students on their knowledge. Many of the chapters include a case study. To help with the understanding and coherence of each subject, these case studies include questions relating to the areas covered in the relevant chapters. Examples of recent events that illustrate the vulnerability of information are also included.
The case study starts at a very basic level and grows over the chapters of the book. The starting point is a small bookstore with few employees and few risks. Chapter by chapter this business grows until, at the end, it is a large firm with 120 bookstores and a large web shop. The business risks faced by this bookshop run like a thread through the book.
This book is intended to explain the differences between risks and vulnerabilities and to identify how countermeasures can help to mitigate most risks. Due to its general character, this book is also suitable for awareness training or as a reference book in an awareness campaign. It is primarily aimed at profit and non-profit organizations, but the subjects covered are also applicable to the daily home environment, as well as to companies that do not have dedicated information security personnel. In those situations the various information security activities would be carried out by a single person. After reading the book you will have a general understanding of the subjects that encompass information security. You will also know why these subjects are important and will gain an appreciation of the most common concepts of information security.
Foundations of Information Security – Based on ISO27001 and ISO27002