When evaluating the security of an organization's computer and information systems (IS), or implementing security policies on those systems, we need to know the terminology in use, the areas in which it applies, and the regulatory and legislative environment within which we can operate. We first review the major standards (the ISO 27000 family) and the legislation that give an overview of the elements involved in a security infrastructure and of the controls that can be established.
The basic principles and requirements that must be met regarding IS security are then reviewed. With all this in hand we can evaluate our own security infrastructure: identify and classify our information assets and verify the degree of compliance with the security requirements, or the organization's degree of maturity with respect to IS security.
At the International Institute of Cyber Security we talk about the main concepts involved in information security:
Asset. Something that has value to an organization: a system or information resource necessary for the proper functioning of the organization and the achievement of its objectives. Information assets may be subject to both internal and external threats. These threats may affect one or more of the three fundamental attributes of an asset: availability, confidentiality and integrity.
Threat. An event that can trigger an incident in the organization, causing tangible or intangible damage to, or loss of, its assets.
Confidentiality. The ability to protect data from those who are not authorized to access it, by making it invisible or unavailable to them.
Availability. The ability of duly authorized users to access information assets at the moment they are needed and to use them correctly.
Information security management is the part of IT governance responsible for the protection and security of an organization's information assets.
Impact. The consequence for an asset of the materialization of a threat.
Integrity. The ability to prevent assets from being modified by those who are not authorized to do so, or from being modified incorrectly. This ability includes being able to reverse or undo such changes.
Risk. The possibility that a given impact occurs on an asset.
Safeguard (countermeasure). An action, process, or physical or logical device that reduces risk.
Information security, according to the ISO 27001 standard, is the preservation of the confidentiality, integrity and availability of information. Other properties may also be involved, such as authenticity, accountability, non-repudiation and reliability.
Security, in its most general sense, means protecting our assets: preserving them against attackers, natural disasters, adverse environmental conditions, power failures, theft, vandalism, and so on. Security is at the same time the set of all measures taken against possible attacks, espionage, sabotage, etc.
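As an added illustration (not part of the original article), the following Python models the chain of concepts defined above: assets valued by their confidentiality, integrity and availability, threats with a likelihood and a degradation of those attributes, impact and risk derived from them, and safeguards that reduce likelihood or impact. The 1 to 5 value scale, the degradation fractions and all asset, threat and safeguard entries are constructed example values, not figures from the article or from the ISO 27000 standards; the way several safeguards on one threat are combined is also an assumption of this example.

```python
from dataclasses import dataclass

# The three fundamental attributes of an information asset.
ATTRIBUTES = ("confidentiality", "integrity", "availability")


@dataclass
class Asset:
    name: str
    value: dict   # value of each attribute to the organization, 1 (low) .. 5 (high)


@dataclass
class Threat:
    name: str
    asset: str          # name of the asset the threat acts on
    likelihood: float   # probability of the threat materializing, 0 .. 1
    degradation: dict   # fraction of each attribute lost if it materializes, 0 .. 1


@dataclass
class Safeguard:
    name: str
    threat: str                         # name of the threat it counters
    likelihood_reduction: float = 0.0   # fraction by which likelihood is reduced
    degradation_reduction: float = 0.0  # fraction by which degradation is reduced


def combined_reduction(reductions):
    """Assumption: independent safeguards compound, so the residual factor
    is the product of (1 - r) over all applicable reductions."""
    factor = 1.0
    for r in reductions:
        factor *= 1.0 - r
    return factor


def impact(asset, threat):
    """Impact: value lost across the attributes the threat degrades."""
    return sum(asset.value.get(a, 0) * threat.degradation.get(a, 0.0) for a in ATTRIBUTES)


def inherent_risk(asset, threat):
    """Risk before safeguards: likelihood of the threat times its impact."""
    return threat.likelihood * impact(asset, threat)


def residual_risk(asset, threat, safeguards):
    """Risk after the safeguards that counter this threat are applied."""
    applicable = [s for s in safeguards if s.threat == threat.name]
    likelihood = threat.likelihood * combined_reduction(s.likelihood_reduction for s in applicable)
    reduced_impact = impact(asset, threat) * combined_reduction(s.degradation_reduction for s in applicable)
    return likelihood * reduced_impact


def risk_register(assets, threats, safeguards):
    """Build the register and sort it so the highest residual risk comes first."""
    by_name = {a.name: a for a in assets}
    rows = []
    for t in threats:
        a = by_name[t.asset]
        rows.append({
            "asset": a.name,
            "threat": t.name,
            "impact": impact(a, t),
            "inherent_risk": inherent_risk(a, t),
            "residual_risk": residual_risk(a, t, safeguards),
        })
    return sorted(rows, key=lambda r: r["residual_risk"], reverse=True)


# Constructed sample inventory (illustrative values only).
ASSETS = [
    Asset("customer_db", {"confidentiality": 5, "integrity": 4, "availability": 3}),
    Asset("public_website", {"confidentiality": 1, "integrity": 3, "availability": 4}),
]
THREATS = [
    Threat("database credential theft", "customer_db", 0.3,
           {"confidentiality": 1.0, "integrity": 0.5}),
    Threat("ransomware", "customer_db", 0.2,
           {"confidentiality": 0.2, "integrity": 1.0, "availability": 1.0}),
    Threat("volumetric DDoS", "public_website", 0.5, {"availability": 1.0}),
]
SAFEGUARDS = [
    Safeguard("MFA on database access", "database credential theft", likelihood_reduction=0.7),
    Safeguard("tested offline backups", "ransomware", degradation_reduction=0.6),
    Safeguard("CDN with DDoS mitigation", "volumetric DDoS",
              likelihood_reduction=0.4, degradation_reduction=0.5),
]

if __name__ == "__main__":
    for row in risk_register(ASSETS, THREATS, SAFEGUARDS):
        print(f"{row['asset']:15} {row['threat']:26} impact={row['impact']:4.1f} "
              f"inherent={row['inherent_risk']:4.2f} residual={row['residual_risk']:4.2f}")
```

Running the block prints the register ordered by residual risk, which is the view needed to decide where the next safeguard should go: in the sample data ransomware still carries the highest residual risk even though its likelihood is the lowest, because backups reduce the impact but not the probability of the event.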