Читать книгу The Official (ISC)2 SSCP CBK Reference - Mike Wills - Страница 30

Conceptual Models for Information Security

Оглавление

There are any number of frameworks, often represented by their acronyms, which are used throughout the world to talk about information security. All are useful, but some are more useful than others.

 The CIA triad (sometimes written as CIA) combines confidentiality, integrity, and availability and dates from work being done in the 1960s to develop theoretical models for information systems security and then implement those technologies into operating systems, applications programs, and communications and network systems.

 CIANA combines confidentiality, integrity, availability, nonrepudiation, and authentication. The greater emphasis on nonrepudiation and authentication provides a much stronger foundation for both criminal and civil law to be able to ascertain what actions were taken, by whom, and when, in the context of an incident, dispute, or conflicting claims of ownership or authorship.

 CIANA+PS expands CIANA to include privacy and safety. Cyberattacks in the Ukraine since 2014 and throughout the world from 2017 to present highlightthe need for far more robust operational technology (OT) safety and resiliency. At the same time, regulators and legislators continue to raise the standards for protecting privacy-related data about individuals, with over 140 countries having privacy data protection laws in effect.

 The Parkerian hexad includes confidentiality, integrity, availability, authenticity, utility, and possession or control.

These frameworks, and many more, have their advocates, their user base, and their value. That said, in the interest of consistency, we'll focus throughout this book on CIANA+PS, as its emphasis on both nonrepudiation and authentication have perhaps the strongest and most obvious connections to the vitally important needs of e-commerce and our e-society to be able to conduct personal activities, private business, and governance activities in ways that are safe, respectful of individual rights, responsible, trustworthy, reliable, and transparent.

It's important to keep in mind that these attributes of systems performance or effectiveness build upon each other to produce the overall degree of trust and confidence we can rightly place on those systems and the information they produce for us. We rely on high-reliability systems because their information is correct and complete (high integrity), it's where we need it when we need it (availability), and we know it's been kept safe from unauthorized disclosure (it has authentic confidentiality), while at the same time we have confidence that the only processes or people who've created or modified it are trusted ones. Our whole sense of “can we trust the system and what it's telling us” is a greater conclusion than just the sum of the individual CIANA+PS, Parkerian, or triad attributes.

Let's look further at some of these attributes of information security.

The Official (ISC)2 SSCP CBK Reference

Подняться наверх