Information Security

Information security is the practice of ensuring the confidentiality, integrity, and availability (CIA) of information within an organization. Confidentiality means the information is protected from disclosure to unauthorized entities. Integrity means the information is protected from unauthorized modification. Availability means the information is accessible whenever authorized users require it. To achieve the CIA, there are many components that the system administrator is required to implement. Before investing in controls, you have to identify the threats, risks, and impact to your system. Sometimes the return on investment (ROI) is not proportionate to the impact.

Threats
Threats are the internal or external actors that can exploit a vulnerability in, or physically destroy, your critical systems. A threat can originate from an employee, a cybercriminal, a black-hat hacker, a system failure (event), a usage violation, or a natural disaster.

Risk
Risk is the successful exploitation of an organization's system by a threat.

Impacts
Impacts are the consequences of a system exploitation, such as financial loss, reputational damage, or penalties. Below are some controls, methodologies, and guidelines for system administrators and information owners to ensure the CIA of their data.

Defense in Depth
An approach that uses multiple layers of protection: if one control fails, the other controls are still in place. With defense in depth, all critical internet-facing servers are protected by a firewall, IDS, and IPS. Clients access the network through segmentation controls (VLANs), and every client should run a host-based firewall with up-to-date anti-virus definitions. The system or network administrator should provide real-time network monitoring so that any incident occurring within the network is noticed.

Authentication
An approach to identifying authorized users using one or more of the factors below:
- Something you know: a password, passcode, or PIN.
- Something you have: a token device or access card.
- Something you are: biometrics (or realistic authentication) such as thumbprint, iris, voice, or face recognition.
To ensure the identification and authentication process is reliable, two-factor or three-factor authentication should be implemented. Two-factor authentication combines “something you know + something you have”, while three-factor authentication combines “something you know + something you have + something you are”.

Authorization
An approach that ensures data integrity, so that authorized users can access system resources only according to their assigned access privileges. A user access matrix provides the baseline for the system administrator to assign or verify user access rights during the account creation or modification phase. Three subcomponents help the administrator achieve data integrity:
- Least privilege: grant the minimum access to organization resources that each person's daily job requires.
- Separation of duties: avoid giving one person full control over a process. To protect against illegal data modification or fraud, the organization assigns several people to a process so that the possibility of fraud is reduced.
- Data encryption: ensure the data is ciphered, stored in a safe place, and cannot be accessed directly by users.
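As an added illustration (not code from the original article), the Python sketch below puts the access-matrix idea to work: each role holds only the actions its job needs (least privilege), a separation-of-duties rule stops one person from both creating and approving the same record, and every decision, allowed or denied, is written to an audit log for later review. The roles, actions and users are constructed sample values.

```python
from datetime import datetime, timezone

# Constructed access matrix (sample values, not from any real organisation):
# role -> the actions that role's daily job needs, and nothing more.
ACCESS_MATRIX = {
    "clerk":   {"invoice:create", "invoice:view"},
    "manager": {"invoice:view", "invoice:approve"},
    "auditor": {"invoice:view", "audit:read"},
}

# Separation of duties: no single person may perform both actions on one record.
SOD_CONFLICTS = [("invoice:create", "invoice:approve")]


class AccessControl:
    def __init__(self):
        self.audit_log = []   # accountability: every decision is recorded here
        self.history = {}     # record_id -> {action: user who performed it}

    def authorize(self, user, roles, action, record_id):
        """Return (allowed, reason) and append an audit entry either way."""
        # Union of everything the user's roles permit (empty for unknown roles).
        permitted = set().union(*(ACCESS_MATRIX.get(r, set()) for r in roles))
        allowed, reason = action in permitted, "permitted by access matrix"
        if not allowed:
            reason = f"action not in access matrix for roles {sorted(roles)}"
        else:
            done = self.history.get(record_id, {})
            for a, b in SOD_CONFLICTS:
                other = {a: b, b: a}.get(action)   # the conflicting action, if any
                if other is not None and done.get(other) == user:
                    allowed = False
                    reason = f"separation of duties: {user} already performed {other}"
                    break
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user, "roles": sorted(roles), "action": action,
            "record": record_id, "allowed": allowed, "reason": reason,
        })
        if allowed:
            self.history.setdefault(record_id, {})[action] = user
        return allowed, reason

    def denied_events(self):
        """The entries management reviews first: every denied attempt, oldest first."""
        return [e for e in self.audit_log if not e["allowed"]]
```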
A system that provides accountability is able to identify the individual user and to track and monitor their activity. In every enterprise application or system, the audit trail or audit logs are very important for recording every user activity, so that the system administrator can later trace the source of any illegal action. The audit logs should be regularly reviewed by management for both detection and prevention.

Policy
Besides technical controls, policy is also the legal notice or agreement between the information owner and users. The system owner must produce the relevant policies or guidelines and make all employees aware of what to “DO” and “DON’T”. The fundamental policies to ensure the CIA of information security are as follows:
- Information Security Policy
- Acceptable Use Policy (AUP)
- Data Recovery Plan (DRP)
- Business Continuity Plan (BCP)
- Access Controls Policy
- Password Policy