IS – Information Security has a specific Vocabulary. Knowledge of Key Terms enables Clearer Articulation of Governance Requirements.
Threat is a Potential Offensive Action that could be taken against an organization. Threats can be Internal or External. They are not always Malicious. An uniformed insider can take offensive actions against the organization without even knowing it. Threats may relate to Specific Vulnerabilities, which then can be Prioritized for Remediation. Each threat should match to a capability that either Prevents the Threat or Limits the Damage it might cause. An occurrence of a Threat is also called an Attack Surface.
Vulnerability is a Weaknesses or Defect in a System that allows it to be Successfully Attacked and Compromised – essentially a Hole in an Organization’s Defenses. Some vulnerabilities are called Exploits. In many cases, Non-Production Environments are more Vulnerable to Threats than Production Environments. Thus, it is Critical to keep Production Data out of Non-Production Environments.
Risk refers both to the Likelihood/Possibility of Loss and to the Thing or Condition that Poses the Potential Loss. Risk can be Calculated for each Possible Threat using the following factors:
- Probability that the threat will occur and its likely frequency
- The type and amount of damage created each occurrence might cause, including damage to reputation
- The effect damage will have on revenue or business operations
- The cost to fix the damage after an occurrence
- The cost to prevent the threat, including by remediation of vulnerabilities
- The goal or intent of the probable attacker
Risks can be prioritized by potential severity of damage to the company, or by likelihood of occurrence, with easily exploited vulnerabilities creating a higher likelihood of occurrence. Often a priority list combines both metrics. Prioritization of risk must be a formal process among the stakeholders.
Risk Classifications
Risk classifications describe the sensitivity of the data and the likelihood that it might be sought after for malicious purposes. Classifications are used to determine who (i.e., people in which roles) can access the data. The highest security classification of any datum within a user entitlement determines the security classification of the entire aggregation.
Risk can be Classified as followed:
- CRD – Critical Risk Data: Personal information aggressively sought for unauthorized use by both internal and external parties due to its high direct financial value. Compromise of CRD would not only harm individuals, but would result in financial harm to the company from significant penalties, costs to retain customers and employees, as well as harm to brand and reputation.
- HRD – High Risk Data: HRD is actively sought for unauthorized use due to its potential direct financial value. HRD provides the company with a competitive edge. If compromised, it could expose the company to financial harm through loss of opportunity. Loss of HRD can cause mistrust leading to the loss of business and may result in legal exposure, regulatory fines and penalties, as well as damage to brand and reputation.
- MRD – Moderate Risk Data: Company information that has little tangible value to unauthorized parties; however, the unauthorized use of this non-public information would likely have a negative effect on the company.
The Four A’s + E
Access: Enable individuals with authorization to access systems in a timely manner. Used as a verb, access means to actively connect to an information system and be working with the data. Used as a noun, access indicates that the person has a valid authorization to the data.
Audit: Review security actions and user activity to ensure compliance with regulations and conformance with company policy and standards. Information security professionals periodically review logs and documents to validate compliance with security regulations, policies, and standards. Results of these audits are published periodically.
Authentication: Validate users’ access. When a user tries to log into a system, the system needs to verify that the person is who he or she claims to be. Passwords are one way of doing this. More stringent authentication methods include the person having a security token, answering questions, or submitting a fingerprint. All transmissions during authentication are encrypted to prevent theft of the authenticating information.
Authorization: Grant individuals privileges to access specific views of data, appropriate to their role. After the authorization decision, the Access Control System checks each time a user logs in to see if they have a valid authorization token. Technically, this is an entry in a data field in the corporate Active Directory indicating that the person has been authorized by somebody to access the data. It further indicates that a responsible person made the decision to grant this authorization because the user is entitled to it by virtue of their job or corporate status.
Entitlement: An Entitlement is the sum total of all the data elements that are exposed to a user by a single access authorization decision. A responsible manager must decide that a person is ‘entitled’ to access this information before an authorization request is generated. An inventory of all the data exposed by each entitlement is necessary in determining regulatory and confidentiality requirements for Entitlement decisions.
