Sunday, January 28, 2018

Computer and Information Security, TC2027

CIA? Probably not what you're thinking

In information security there are three main goals that every organization should take into account:
  • Confidentiality
  • Integrity
  • Availability
The first one, Confidentiality, means ensuring that the organization's sensitive information is accessed only by those authorized to see it. Information can be classified into different levels depending on how sensitive it is. For example, someone getting unauthorized access to an email about which kind of coffee a colleague likes doesn't have the same impact as if the email contained the nuclear launch codes.
There are several ways to keep information confidential. I'm not going to go in depth on them here, but I can mention the following: strong passwords, two-factor authentication, and encryption.

Integrity means keeping the information consistent and accurate. For example, if a document is being edited, an unauthorized person shouldn't be able to modify it, because a document that anyone can alter becomes untrustworthy and stops being consistent. This doesn't mean that information's integrity is compromised only when an outsider does something to it; it can also happen that a person who is authorized to work on a document works on it all day but forgets to save it, or loses the most recent version. This affects the document's integrity too, because the information stops being accurate.
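To make the two integrity failures above concrete, here is an added example (my own code, not part of the original post). It uses an HMAC-SHA256 tag, one standard way of making unauthorized modification detectable: authorized editors hold a secret key and re-seal the document after each legitimate edit, so a copy altered without the key fails verification, and a version number inside the sealed data lets you tell a stale copy from the latest one. The key, the sample documents and the function names are all constructed for this example.

```python
import hashlib
import hmac
import json
import secrets

# Constructed for this example: a secret known only to the authorized editors.
# In a real system it would live in a key store, never in the source file.
EDITOR_KEY = secrets.token_bytes(32)


def _payload(content: str, version: int) -> bytes:
    # Canonical encoding so the same (content, version) always yields the same bytes.
    return json.dumps({"version": version, "content": content}, sort_keys=True).encode("utf-8")


def seal(content: str, version: int, key: bytes = EDITOR_KEY) -> dict:
    """Return a record whose HMAC-SHA256 tag covers both the text and its version number."""
    tag = hmac.new(key, _payload(content, version), hashlib.sha256).hexdigest()
    return {"version": version, "content": content, "tag": tag}


def verify(record: dict, key: bytes = EDITOR_KEY) -> bool:
    """True only if the record was sealed with `key` and nothing in it changed since."""
    expected = hmac.new(key, _payload(record["content"], record["version"]), hashlib.sha256).hexdigest()
    # compare_digest is a constant-time comparison, so the tag is not leaked through timing.
    return hmac.compare_digest(expected, record["tag"])


def is_current(record: dict, latest_version: int, key: bytes = EDITOR_KEY) -> bool:
    """A record is trustworthy only if it is both untampered and the newest version."""
    return verify(record, key) and record["version"] == latest_version


def demo() -> dict:
    """Walk through the situations described in the text and return each outcome."""
    v1 = seal("Meeting moved to Friday.", version=1)          # constructed sample document
    v2 = seal("Meeting moved to Monday.", version=2)          # an authorized edit, re-sealed
    tampered = dict(v2, content="Meeting cancelled.")          # edited without the key, old tag kept
    forged = seal("Meeting cancelled.", 2, key=secrets.token_bytes(32))  # outsider using their own key
    return {
        "authorized_edit_verifies": verify(v2),
        "tampered_copy_verifies": verify(tampered),
        "forged_copy_verifies": verify(forged),
        "stale_copy_is_current": is_current(v1, latest_version=2),
        "latest_copy_is_current": is_current(v2, latest_version=2),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Note that the tag only detects changes; it does not prevent them, and it says nothing about who is allowed to hold the key. Access control and key protection are separate controls, which is why the text treats integrity alongside confidentiality rather than instead of it.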

Availability is the cherry on top of the previous two concepts. Think about it: you can keep information in the most secure way possible, only those authorized can access it, and it's up to date, accurate and trustworthy. But what happens if it's stored on a computer kept under lock and key, the key is lost, and there is no copy of it? That makes the information useless. Information must be accessible whenever it's needed: even if I only need it once a month, I must be able to access it every single month.

The CIA concepts exist to keep information secure. However, even though there are many procedures and controls that can be implemented, none of them guarantees the information's security 100%.

CIA's challenges

Organizations must try to apply these concepts to all of their information, following many different steps in order to achieve this.
Since this means working on the information itself, there are some challenges we come up against.
The amount of information produced nowadays is enormous. Thanks to Big Data and IoT we have a lot of information to handle, and keeping all of it secure is an increasing challenge.

I remember when I worked at a company as a Staff Consultant; I learned these concepts and we implemented them within the organization, and we helped other organizations to follow these concepts. It required some work to make sure information was handled properly. I can only imagine what it's like for organizations that handle far more information, and it makes my head hurt.