Sample by My Essay Writer
1: Goals for Information Security
According to the National Institute of Standards and Technology (2001), there are five primary goals for information security. These objectives are set in place to protect against incidents such as an organized cyber attack, an uncontrolled exploit such as a virus or a worm, or a natural disaster with significant consequences for the data and the system. Although organizations typically prioritize the objectives differently, the objectives are interdependent, and each is nearly always necessary for the achievement of the rest. The first objective, often considered the most important, is availability. This refers both to the timely responsiveness of systems and data and to the ability of authorized users to reach those systems and data when they need them; an attack that deletes data or causes a denial of service is an attack on availability.
The second objective most commonly sought by an organization is the integrity of a system and its corresponding data. To ensure data integrity, the organization must safeguard the data from any unauthorized alteration, whether deliberate or accidental, "while in storage, during processing or while in transit" (NIST, 2001, p. 9). To achieve system integrity, the organization must ensure that the system has not undergone any unauthorized alteration and performs as intended, unimpaired.
Although confidentiality is generally ranked third among the objectives, for certain systems it is the most important one. Confidentiality of data and of system information means that potentially sensitive information is made available only to authorized individuals. To ensure confidentiality, the organization must have confidence that the data is inaccessible to unauthorized individuals and organizations during processing, in transit, and in storage.
Accountability at the individual level is the next objective. It means that the actions of an entity can be traced uniquely to that entity, and organizations usually establish it as a policy requirement. Accountability supports "non-repudiation, deterrence, fault isolation, intrusion detection and prevention, and after action recovery and legal action" (NIST, 2001, p. 7).
Finally, to establish confidence that the security measures in place are effective, both technically and operationally, an organization must achieve assurance. This objective refers to the grounds for confidence that integrity, availability, confidentiality and accountability have been adequately met. "Adequately met" means that the security functionality is implemented correctly, that unintentional errors (by users or by software) are sufficiently guarded against, and that intentional penetration or bypass meets sufficient resistance.
2: Categories of Services
In order to provide security, an organization must provide three categories of services: support, prevention, and detection and recovery. Support services are generic capabilities on which the other two categories are built. Prevention services are put in place to stop a security breach from occurring. Finally, because a safety net is essential should prevention fail, detection and recovery services are put in place to find a breach and reduce its impact.
Support services underpin prevention and recovery services and include identification, cryptographic key management, security administration and system protections. Identification and naming services are needed to identify subjects and objects, which include users, processes and information resources. Cryptographic key management is necessary for the implementation of cryptographic functions and of the other services that depend on them. Security administration refers to configuring the security features of a system to meet the needs of a specific installation and to account for changes in the operational environment. Lastly, system protections are put in place to establish confidence in the correctness of the system's other security functions. These include "residual information protection (also known as object reuse), least privilege, process separation, modularity, layering and minimization of what needs to be trusted" (NIST, 2001, p. 10).
The services included under prevention are protected communications, authentication, authorization, access control enforcement, non-repudiation and transaction privacy. Protected communications refers to the integrity, availability and confidentiality of information while in transit; trustworthy communications are essential to security in a distributed system. Authentication is the service that establishes the validity of a claimed identity. Authorization is the service that enables the allowed actions for a given system to be specified and subsequently managed. Access control enforcement is the service that applies the security policy defined for the system once a subject's identity and authorizations have been established; the quality of a system's access control enforcement depends both on the strength of its security and on the precision (granularity) with which it can grant or deny access. Non-repudiation prevents a sender from falsely denying having sent information and prevents a receiver from falsely denying having received it. Finally, transaction privacy is put in place to protect the secrecy of sensitive or private information about a transaction.
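The non-repudiation service described above is normally built on digital signatures. The following Go program is an added illustration, not part of the NIST publication or of the original essay. It assumes a small in-memory registry of trusted public keys (standing in for a PKI) and derives key pairs deterministically from labels so the run is reproducible; real signing keys must come from a CSPRNG and stay solely in the signer's possession. It shows a genuine message verifying, a message altered after signing failing, and a message forged in Alice's name with another key failing.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Envelope is what the receiver retains as evidence: the claimed sender, the
// exact bytes received, and the sender's signature over those bytes.
type Envelope struct {
	Sender  string
	Message []byte
	Sig     []byte
}

// Registry maps sender names to the public keys the receiver trusts.
// (Constructed stand-in for a PKI or a pinned key list.)
type Registry map[string]ed25519.PublicKey

// keyFromLabel derives a deterministic key pair so the example is
// reproducible. Constructed shortcut only: never derive real keys this way.
func keyFromLabel(label string) ed25519.PrivateKey {
	seed := sha256.Sum256([]byte("example-seed:" + label))
	return ed25519.NewKeyFromSeed(seed[:])
}

// Sign produces the envelope the sender transmits.
func Sign(sender string, priv ed25519.PrivateKey, msg []byte) Envelope {
	return Envelope{Sender: sender, Message: msg, Sig: ed25519.Sign(priv, msg)}
}

// Verify checks the envelope against the key registered for the claimed
// sender. True means this exact message was signed by the holder of that
// sender's private key: the sender cannot credibly deny having sent it, and
// nobody altered it in transit.
func Verify(reg Registry, env Envelope) bool {
	pub, ok := reg[env.Sender]
	if !ok || len(pub) != ed25519.PublicKeySize || len(env.Sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, env.Message, env.Sig)
}

// Demo walks through the three cases: genuine, altered after signing, and
// forged under Alice's name with Mallory's key.
func Demo() (genuine, altered, forged bool) {
	alice := keyFromLabel("alice")
	mallory := keyFromLabel("mallory")
	reg := Registry{"alice": alice.Public().(ed25519.PublicKey)}

	env := Sign("alice", alice, []byte("transfer 100 to bob"))
	genuine = Verify(reg, env)

	tampered := env
	tampered.Message = []byte("transfer 1000 to bob")
	altered = Verify(reg, tampered)

	forgedEnv := Sign("alice", mallory, []byte("transfer 100 to mallory"))
	forged = Verify(reg, forgedEnv)
	return genuine, altered, forged
}

func main() {
	g, a, f := Demo()
	fmt.Printf("genuine=%v altered=%v forged=%v\n", g, a, f)
}
```

The signature binds the sender to the message only because the private key is assumed to be held by the sender alone; if that key is shared or leaks, the evidence loses its value. Covering the receiver's side of non-repudiation (proof of receipt) would require the receiver to return a signed acknowledgement, which this example does not include.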
Should the prevention services in the system fail, detection and recovery services are put in place to minimize the damage of a breach. The services in this category are audit, intrusion detection and containment, proof of wholeness and restoration of a "secure" state. Auditing is the monitoring and recording of security-relevant events so that, after a breach is detected, the organization can analyze the exact nature of the event. The purpose of intrusion detection is to detect the security event as quickly as possible, and the corresponding containment is to respond to it effectively; the two work in conjunction with one another as a single service so that the effect of a breach is minimized. Proof of wholeness is the service that detects whether the data or the system has been corrupted. If the breach took effect, it is the function of proof of wholeness to determine the nature of the effect and to what extent it corrupted the system. Finally, restoring a "secure" state returns the system and data to a known-good state from before the breach. This restoration addresses any alterations produced by the breach and is meant to ensure that the same breach cannot resurface.
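Proof of wholeness, and the integrity objective it serves, is commonly implemented by comparing the current state of a system against a baseline of cryptographic digests. The following Go program is an added illustration, not part of the NIST publication or of the original essay. It uses a constructed in-memory map of paths to contents instead of a real filesystem, and assumes the HMAC key that protects the baseline is held by the checker rather than on the monitored host. It reports modified, added and removed files, and also catches the case where an intruder rewrites the baseline to match the altered files.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
	"sort"
)

// Snapshot is a constructed stand-in for the monitored files (path -> content).
type Snapshot map[string][]byte

// Manifest is the known-good baseline: one SHA-256 digest per file plus an
// HMAC tag over the whole table. The tag is what stops an intruder who can
// rewrite files from simply rewriting the manifest to match.
type Manifest struct {
	Hashes map[string][32]byte
	Tag    []byte
}

// Report lists how the current state diverges from the baseline.
type Report struct {
	ManifestOK bool     // false: the baseline itself was altered; the lists are meaningless
	Modified   []string // present in both, content differs
	Added      []string // present now, absent from baseline
	Removed    []string // in baseline, missing now
}

func sortedKeys[V any](m map[string]V) []string {
	keys := make([]string, 0, len(m))
	for k := range m {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return keys
}

// manifestTag binds every (path, digest) pair, in canonical order, under the key.
func manifestTag(key []byte, hashes map[string][32]byte) []byte {
	mac := hmac.New(sha256.New, key)
	for _, p := range sortedKeys(hashes) {
		h := hashes[p]
		mac.Write([]byte(p))
		mac.Write([]byte{0}) // separator so path and digest boundaries are unambiguous
		mac.Write(h[:])
	}
	return mac.Sum(nil)
}

// Baseline records the known-good state.
func Baseline(key []byte, fs Snapshot) Manifest {
	hashes := make(map[string][32]byte, len(fs))
	for p, content := range fs {
		hashes[p] = sha256.Sum256(content)
	}
	return Manifest{Hashes: hashes, Tag: manifestTag(key, hashes)}
}

// CheckWholeness first verifies the manifest's own integrity, then diffs.
func CheckWholeness(key []byte, m Manifest, fs Snapshot) Report {
	r := Report{ManifestOK: hmac.Equal(m.Tag, manifestTag(key, m.Hashes))}
	if !r.ManifestOK {
		return r
	}
	for _, p := range sortedKeys(m.Hashes) {
		content, ok := fs[p]
		switch {
		case !ok:
			r.Removed = append(r.Removed, p)
		case sha256.Sum256(content) != m.Hashes[p]:
			r.Modified = append(r.Modified, p)
		}
	}
	for _, p := range sortedKeys(fs) {
		if _, ok := m.Hashes[p]; !ok {
			r.Added = append(r.Added, p)
		}
	}
	return r
}

// DemoFS is a constructed baseline state.
func DemoFS() Snapshot {
	return Snapshot{
		"/etc/passwd":        []byte("root:x:0:0:root:/root:/bin/bash\n"),
		"/usr/bin/sshd":      []byte("ELF-binary-bytes-stand-in"),
		"/etc/cron.d/backup": []byte("0 2 * * * root /usr/local/bin/backup\n"),
	}
}

// Demo stages an intrusion and returns the report plus whether a forged
// (re-hashed) manifest is caught.
func Demo() (Report, bool) {
	key := []byte("hmac-key-held-by-the-checker-not-the-host") // constructed
	m := Baseline(key, DemoFS())

	after := DemoFS()
	after["/usr/bin/sshd"] = []byte("trojaned sshd")
	after["/tmp/.x"] = []byte("dropped payload")
	delete(after, "/etc/cron.d/backup")
	report := CheckWholeness(key, m, after)

	// The intruder "fixes" the manifest entry; without the key the tag no longer matches.
	m.Hashes["/usr/bin/sshd"] = sha256.Sum256(after["/usr/bin/sshd"])
	forgeryCaught := !CheckWholeness(key, m, after).ManifestOK
	return report, forgeryCaught
}

func main() {
	r, caught := Demo()
	fmt.Printf("manifestOK=%v modified=%v added=%v removed=%v forgeryCaught=%v\n",
		r.ManifestOK, r.Modified, r.Added, r.Removed, caught)
}
```

A digest table alone only detects accidental corruption; against a deliberate intruder the table must itself be protected, here by an HMAC whose key is off the host, or equivalently by a signature or read-only storage. The report is also the input to the restore step: the modified and added entries are what restoration from a known-good copy must replace or remove.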
Each of the three categories of service is necessary for an organization to secure any system and the data it holds.
Federal Emergency Management Agency (FEMA) (2012, Mar 7). Cyber Incident Annex.
Fischer, E. A. (2014, Dec 12). Federal Laws Relating to Cybersecurity: Overview of Major Issues, Current Laws, and Proposed Legislation. Congressional Research Service.
Kurtz, P. (2015, May 19). Congress Wants Companies Facing Cyberattacks to Share Data, and It's Not a Moment Too Soon.
National Institute of Standards and Technology (2001). NIST Special Publication 800-33: Underlying Technical Models for Information Technology Security.
Richards, H. W. (2015, Oct 5). Congressional action on cybersecurity would send strong message to China. Congress Blog.