
"There are only two people in the World I trust - You & Me, and I'm not so sure about you." - SHON HARRIS

On the Internet, information and data are constantly generated and disseminated.

Eliminating threats and making data available and accessible, on a priority basis, to authorised users is the primary need of any business and the primary aim of any security program.

For an information security manager, meeting both user/client requirements and security requirements at the same time is always near impossible.

IT service providers apply administrative, physical and technical controls to protect the confidentiality, integrity and availability of information. While these are the control types, the control functionalities built on these types should be deterrent, preventive, corrective, detective or compensating.

The most common ways we protect data against loss of confidentiality are access controls and encryption.

For securing integrity, the most prominent method used is hashing with a hash algorithm.

Some methods that organizations use to protect against loss of availability are
fault tolerant systems, redundancies, and backups. Fault tolerance means that
a system can develop a fault, yet tolerate it and continue to operate.

This is often accomplished with redundant systems such as redundant drives or redundant servers. Backups ensure that important data is copied and that service can be restored from the backup copy if the original data becomes corrupt.

All of these controls should be devised primarily with the business objective and management intent in mind.

The confidentiality, integrity and availability concept, popularly known as the CIA triad, emphasises the need for three major facets of data security.

Proper implementation of communications security management and techniques can prevent, detect and correct errors so that the CIA of transactions over networks is maintained.

The threats to confidentiality include spoofing, network sniffing, social engineering and Trojan attacks.

Integrity safeguards involve controls such as need-to-know, separation of duties and rotation of duties. The threat here is misappropriation.

Availability is how robustly data is available for authorised people to access it.

The threats normally involve denial of service and loss of capabilities.

Resolving these concepts further gives the following chain of steps:

Identify: who the user claims to be, e.g. a username.

Authenticate: proof of that identity, e.g. a PIN or password.

Authorise: what the user may do with the data or system (privileges, etc.).

Accountability: who is responsible for a given set of actions.

The CIA triad is the principle or standard that forms the basis for all security
architecture.

Think about business proprietary information or intellectual property rights: if data secrecy or data integrity is not maintained in such cases, then the data has no value at all.

CIA of data or information becomes all the more important when many of our
business/payment transactions happen online.

After deciding the required levels of CIA, proper policies, guidelines, standards and procedures are to be laid out for the business. The fundamental characteristic of an information security policy is identifying the major functional areas of information and classifying them according to the required levels of security. Once policies are framed, it is mandatory to get them endorsed by senior management. Active participation and commitment from senior management will establish a sense of ownership for security.

Security is a continuously evolving process, as threats and risks also keep changing and presenting new challenges.

The basic intention of management when devising a security policy is a clear definition of the provisions that are to be made to provide optimised security.

There is a need for a complete and thorough understanding of access control concepts, methodologies and implementation across all related environments within the enterprise.

Standards such as the ISO/IEC 27000 series can set the information security policy for the organisation. The ISO/IEC 27000 series is based on the following stages of implementation:

1. Creation of Information Security Infrastructure
2. Asset Classification and Control
3. Personnel Security
4. Physical & Environmental Security
5. Communications and Operations Management
6. Access Controls
7. System Development & Maintenance
8. Business Continuity Management
9. Compliance

This is just one method that gives us a set of standards to build a security program on, and it serves as industry best practice for IS management within the organisation.
