Security – ISMS – Framework Focus

Security Framework Focus

Concept – The C-I-A Triad

When building an ISMS, there is a concept that should be followed to design the measures for protecting information. This concept is known as C-I-A or Confidentiality, Integrity and Availability.

The three components can be described as:

• Confidentiality: a system’s ability to ensure that only the correct, authorised user/system/resource can access or use data. This helps ensure information is protected. In a non-security sense, confidentiality is your ability to keep something secret. For example, in the real world, we may obscure the view into your home by putting curtains on the windows. Confidentiality as it relates to using technology may include using VPNs or encryption to ‘hide’ your online traffic from view. In enterprise security, confidentiality is considered breached when an unauthorised person can view, copy and/or change files.

• Integrity: a system’s ability to ensure that systems and information are accurate and correct. This concerns ensuring that the expected, accurate state of that information is maintained. In computer systems, integrity means that the information they store is precise, factual and can be trusted and relied upon. When securing any information system, part of the security framework must concentrate on preventing accidental or deliberate damage to the information.

• Availability: a system’s ability to ensure that information and services are available whenever they are needed. This involves ensuring technology systems and services are up and running. Availability is a term widely used in IT. It generally means the availability of resources to support your operational services. In security, availability means the information and/or your systems are available to people who would normally have access to them. An attack on availability rather than the information itself, could limit user access to some or all of your services. This may mean information is still intact but not accessible.

No security framework is absolutely guaranteed to protect against every threat all of the time. But if the C-I-A triad is used to evaluate risks and vulnerabilities, it should assist in formulating a set of preventive measures. However you proceed, you should aim to build a framework suitable to safeguard several different elements of your technology environment.

The theory is that every potential threat, vulnerability, attack can be distilled down to an attempt to compromise any one function of the triad (and sometimes a combination of them). For example:

• a data breach has impact on the confidentiality of your data;
• accidental data modification degrades the integrity of your data;
• a ransomware incident limits the availability of your information systems and may also lead to a breach of confidentiality of your data.

Understanding what is being threatened will help define how you can build protection against that attack. In the case of ransomware it is easy to view it as an exotic malware attack. But treating it with such a narrow focus could result in incomplete measures to safeguard against this type of attack. However, if viewed as an attack designed to limit availability of data and possibly breach confidentiality, you can take a broader focus for mitigation.

The C-I-A triad applies to an ICMS at a strategy and policy level and can also help you drill down into specific controls. It can be used to evaluate the risk of different types of attack and understand the consequences for each. This holistic approach is important when defining measures to be included in the ISMS framework.

ISMS Topics

A security framework covers systems, guidelines, policies and process for a wide range of topics. Each topic has its own special focus, involving a set of measures designed to handle security for a specific area of an organisation’s technology solutions.

In defining the measures included in an ISMS, the interconnected nature of information systems must be considered. This approach ensures a complete understanding of the risks presented by the linkages that exist – a holistic perspective.

Remember too that security isn’t just about your technology; there are elements of your business operations that will influence what security controls are needed in different areas.

A typical ISMS/framework will cover:

• Organisation Management
• Asset Management
• Information Management
• Access Control
• Physical Security
• Use of ICT Systems
• ICT Operational Management
• Software Development
• Business Continuity and Disaster Recovery

Note that all material developed within a company’s ISMS applies to its employees, contractors and other parties that are engaged to provide services that may have relevance to information management.

The ISMS should also provide a framework for the organisation to interact with its customers and clients. Measures should have particular relevance to the management of information provided by or affected by those partners.

With this in mind, there needs to be consideration given to the topics of:

• Human Resources
• Supplier Relationships