In the previous article in this series, I wrote about beginning the journey to an information security program and outlined some key concepts to think about. In this article, I want to expand on the steps in that journey through an understanding of the key parts, or pillars, of an information security program. We all know the old adage that a house is only as strong as the elements of its foundation. In this article, we will learn a bit more about those elements.
Before going into specifics, however, we need to look at the definitions of two important concepts that impact the way we think about the pillars of a program. These two definitions help specify the objectives of current efforts and clarify our purpose. We discussed this first term at length in the previous article and it is likely what drew you here to begin with: information security. I always defer to the National Institute of Standards and Technology (NIST) for clarification on items like this. According to the NIST Computer Security Resource Center (CSRC), information security is defined as “The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.”
The second term of interest is information assurance. Looking to the NIST CSRC again, information assurance is defined as “Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. These measures include providing for restoration of information systems by incorporating protection, detection, and reaction capabilities.” We can see some modest differences here. Information security is keenly focused on confidentiality, integrity, and availability of data whereas information assurance includes some discussion related to the provenance of the data as well. Assurance wanders into areas of proving who provided and who read the data. This has led to some argument over the actual number of pillars to best support a program, three or five. While I see the value in the “extras” found in the assurance model, it is my opinion that at a high level, they can be subsumed into data integrity (more on this later). We’ll limit this discussion to just the CIA model. Let’s look at each of the three, but bear those two “extras” in mind. They aren’t negligible, just a complication we can address in other ways.
According to NIST (the CSRC again) protecting confidentiality is defined as “Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.” Let’s unpack that a bit:
- “Preserving authorized restrictions on information access and disclosure” - being intentional about allowing access to data for individuals.
- “including means for protecting personal privacy and proprietary information” - making sure to include privacy and business confidential information.
It’s interesting that NIST added that last part. Due to the interpretation of information security as discussed above, one might naturally include privacy and business confidential data. NIST, however, wants to accentuate this. According to NIST, you should make sure you are thinking across all aspects of your business when addressing confidentiality. Be intentional, but thorough, when scoping your information security program.
Again turning to the CSRC, maintaining integrity is the act of “Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.” This seems rather clear with the interesting addition of the two “extras” called out above. NIST, it seems, considers these parts of data integrity. Authenticity, or the notion that there is confidence in the origin and content of the data (i.e. you received it exactly as the originator intended), is surely an aspect of integrity, although integrity goes beyond the transport and reception of data to the maintenance and further processing of the data as well. Non-repudiation is equally interesting. This refers to being absolutely certain of the provenance of your data and who has read it. Some definitions also include “assurance of the integrity” (see NIST SP 800-57 part 1 rev. 3) so an argument can be made that this, too, could be folded into the “integrity” category. In the end, integrity is simply confidence in the content of your data whether in flight or at rest.
There’s no reason to abandon the CSRC now. Availability entails “Ensuring timely and reliable access to and use of information.” In other words, your information should be available to those who need it whenever they need it. This is the very point of DDoS attacks. The perpetrators wish to attack your program’s availability component and render your information security program ineffective. However, to create and maintain a proper information security program when addressing availability concerns, be sure to consider the security principle of need-to-know. Confidentiality and availability must work together for proper information security.
The Protecting Controls
Now we have an understanding of the three fundamental pillars that support any information security program. We know that we must protect the CIA of all our data (at least all data within the scope of the Information Security Management System or ISMS) and we understand what each of those terms means. How do we go about that?
This is the business of the three security control types:
- Technical controls
- Administrative controls
- Physical controls
Security controls are the tactics we can use to prevent a threat from exploiting a vulnerability. Let’s get the definitions of those two terms from the NIST CSRC:
Threat - “Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.”
Vulnerability - “Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.”
In other words, how do we prevent that ransomware from being installed on the CEO’s laptop? We use some or all of our organizational security controls. In the example just cited, we might use technical controls like spam filtering in our email system and content filtering in our corporate firewall to prevent the payload from reaching the laptop. Additionally, we should be leveraging administrative controls such as least privilege so that the email client is not running on the laptop with system administrator privileges. This might prevent the malware from getting installed in certain directories or executing specific commands to damage the system. Finally, we could rely on physical security controls to prevent bad actors from physically accessing the laptop and installing malware. There are any number of tactics associated with each of the three types of controls and, as information security practitioners, we should be using all that we have in our arsenal to mitigate the threats. We will explore controls, their relationship to risk, and ways they can reduce that risk in another article regarding the thought processes of a CISO. For now, just understand that a security program is built upon the pillars of the CIA model and is implemented and protected by diligent use of the three types of security controls.
In our last article, we looked at the path to beginning an information security program, and an organized way to approach that journey. In this article, we have considered the foundational elements of such a program so that we know how to think about the processes and the activities we’ll need in order to create a strong and resilient program based on the CIA triangle. When considering how to design your information security program, remember to protect the confidentiality, integrity, and availability of it all through the processes you create. Finally, design those processes using the types of security controls (or tactics, if you prefer) necessary to support the needs of the CIA requirements. This will create a structure to support your processes and generate confidence in their completeness and effectiveness.
For further conversation around information security programs, building an ISMS, or any security-related topics of interest, please send us a note or give us a call so we can speak to our experiences in our own journey and in helping clients with theirs.