In a world where almost all information is digitized, we must always be aware of whether the information assets we handle are being kept safe. In particular, information held by a company must be protected from damage or loss and must be usable whenever it is needed. This article explains, in plain terms, the three elements of information security to keep in mind when handling information, the seven elements formed by adding four newer ones, and the related standards issued by ISO, the International Organization for Standardization.
What are the three elements of information security?
For digital data and IT systems it helps to distinguish "information security" from "cyber security". Information security is the state of keeping information (data and the infrastructure that holds it) safe; cyber security is the set of measures taken against the threats that endanger information security.
Cyber security is covered in "What is security? An easy-to-understand explanation of information security that IT should be aware of", so please refer to that article.
Here, we will look at the three elements that make up information security.
The three elements of information security are known as the "CIA" triad, an acronym for the following three terms:
- Confidentiality
- Integrity
- Availability
These three elements describe what you must keep in mind to prevent tampering, loss, and physical damage to important information and to handle it safely.
Let’s take a look one by one.
What is confidentiality?
Confidentiality means that access to information is strictly protected and controlled: only those who are authorized can see it.
Confidentiality is high when information is not exposed or leaked to outsiders. Conversely, if anyone inside the company can reach any piece of information it holds, confidentiality is low.
Low confidentiality can lead to information leaks and misuse. Techniques used to raise confidentiality include access control rules, password and other authentication, and encryption of the information itself.
Information that needs to be more confidential includes, for example:
- Personal information of employees
- Customer information
- New product development information
- Passwords used to access systems
So what exactly should we do to increase confidentiality?
Specific measures include the following.
- Keep the disks that store the information in access-controlled locations (data centers, etc.)
- Do not set easy-to-guess passwords such as "123456"
- Do not leave IDs and passwords in memos
- Do not take information outside the company
- Build a mechanism that lets only authorized persons access the information
What is integrity?
Integrity means that information is kept accurate and complete, neither tampered with nor damaged. When integrity is lost, the accuracy and reliability of the data are called into question, and data of questionable reliability loses its value.
For example, if a company's website is defaced, the company's reputation suffers.
The following measures can be considered as methods for maintaining integrity.
- Digitally sign information
- Keep access history to information
- Keep a history of information changes
- Determine rules for storing information such as backups
If a company's information loses integrity, it can cause great confusion and loss not only to the company itself but also to its business partners.
Moreover, in a society where IoT is widespread, a loss of integrity can cause life-threatening harm, for example in medical devices and connected cars.
What is availability?
Availability means keeping information accessible whenever it is needed. A system that provides access to information when required and does not interrupt access or data processing before the work is done is a highly available system.
For example, cloud services make data and systems accessible 24 hours a day, 365 days a year (outside maintenance windows). This lets you open and edit files stored in cloud storage from your computer or smartphone at any time.
The following measures can be considered to maintain availability.
- System redundancy (duplication of servers and network paths)
- RAID disk configuration
- UPS (uninterruptible power supply)
- BCP (business continuity plan)
- Cloud-based systems
Availability can also be achieved on-premises. However, cloud adoption is growing because of the management and operational costs of running infrastructure in-house, the effort of handling outages, and the DX (digital transformation) initiatives many companies have been promoting in recent years.
4 new elements included in the 7 elements of information security

Information security has four new elements in addition to the three elements introduced above.
- Authenticity
- Reliability
- Accountability
- Non-repudiation
Together these make it possible to confirm whose action was taken on the information, to ensure that systems behave as intended, and to create a state in which an action on the information cannot be denied later.
Now let’s take a look at the contents of the four new elements.
What is Authenticity?
Authenticity means that the organization, individual, or device accessing the information is verified to be who it claims to be, that is, an "authorized party". Confirming the identity of whoever accesses information is therefore an important part of restricting access.
Specific measures to achieve authenticity include the following.
- Digital signatures
- Two-step verification
- Multi-factor authentication (including biometrics)
What is Reliability?
Reliability means that data and the operations performed by systems produce the intended results.
Data and systems may fail to produce the expected results because of human error or program defects. Information security requires measures to prevent such situations.
Specific measures to achieve reliability include the following.
- Design systems and software so that they do not malfunction
- Build on a design that has been reviewed for defects
- Provide mechanisms so that data is neither tampered with nor lost even when a human error (such as an operating mistake) occurs
What is Accountability?
Accountability means being able to trace the actions of organizations and individuals back to the party responsible. It lets you determine what the threat to your data and systems was, and who did what.
Specific measures for accountability include the following.
- Access logs
- System logs
- Digital signatures
- Operation history
- Login history
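Logs only support accountability if the log itself cannot be quietly edited by the person being held accountable. The following Go program is an added example, not code from the original article: it builds a hash-chained audit log in which each entry commits to the hash of the previous one, so editing, reordering, or deleting a record breaks the chain at a detectable point. The entry fields and the sample actors and actions are constructed for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Entry is one audit-log record (who did what to which object), linked to the
// previous record through PrevHash so the history cannot be silently rewritten.
type Entry struct {
	Seq      int
	Actor    string
	Action   string
	Object   string
	PrevHash string // hex SHA-256 of the previous entry; empty for the first entry
	Hash     string // hex SHA-256 over this entry's fields including PrevHash
}

// hashEntry computes the entry hash over every field except Hash itself.
// NUL separators prevent two different field splits from hashing identically.
func hashEntry(e Entry) string {
	h := sha256.New()
	fmt.Fprintf(h, "%d\x00%s\x00%s\x00%s\x00%s", e.Seq, e.Actor, e.Action, e.Object, e.PrevHash)
	return hex.EncodeToString(h.Sum(nil))
}

// Append creates the next entry chained to the current tail of the log.
func Append(entries []Entry, actor, action, object string) []Entry {
	prev := ""
	if len(entries) > 0 {
		prev = entries[len(entries)-1].Hash
	}
	e := Entry{Seq: len(entries), Actor: actor, Action: action, Object: object, PrevHash: prev}
	e.Hash = hashEntry(e)
	return append(entries, e)
}

// VerifyChain returns -1 if the chain is intact; otherwise it returns the index of
// the first entry whose sequence number, link to the previous entry, or own hash
// does not match, which is where an edit, reorder, or deletion occurred.
func VerifyChain(entries []Entry) int {
	prev := ""
	for i, e := range entries {
		if e.Seq != i || e.PrevHash != prev || hashEntry(e) != e.Hash {
			return i
		}
		prev = e.Hash
	}
	return -1
}

func main() {
	// Constructed sample activity for the demonstration.
	var entries []Entry
	entries = Append(entries, "alice", "read", "customer/1001")
	entries = Append(entries, "bob", "update", "customer/1001")
	entries = Append(entries, "alice", "delete", "customer/1002")
	fmt.Println("intact chain, first bad index:", VerifyChain(entries)) // -1

	// An insider rewrites entry 1 to blame someone else but cannot fix the hashes.
	edited := append([]Entry(nil), entries...)
	edited[1].Actor = "mallory"
	fmt.Println("edited entry, first bad index:", VerifyChain(edited)) // 1

	// Entry 1 is removed entirely; entry 2 no longer links to its predecessor.
	removed := append([]Entry(nil), entries[0], entries[2])
	fmt.Println("deleted entry, first bad index:", VerifyChain(removed)) // 1
}
```

The chain detects changes anywhere except a truncation at the tail: deleting the most recent entries leaves a shorter but still valid chain. To close that gap, the latest hash must be anchored somewhere the log writer cannot alter, for example by signing it or periodically copying it to a separate system.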
What is non-repudiation?
Non-repudiation means being able to prove afterward that an action on information took place, so that the party who performed it cannot deny it.
For example, if an organization or individual alters or uses information, keeping logs and signatures that show who did so, so that the person cannot later deny it, is a measure for non-repudiation.
Non-repudiation is achieved with the same accountability measures described above: digital signatures and the various logs are the main tools.
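Digital signatures are listed under integrity, authenticity, and non-repudiation above, and the following Go program is an added example (not code from the original article) that covers all three at once. An Ed25519 signature over a constructed approval record verifies; a one-byte change to the record is rejected (integrity); the record fails to verify under an unrelated public key (authenticity); and, for contrast, an HMAC under a shared secret is shown to give integrity and authenticity between the two key holders but not non-repudiation, because the verifier holds the same key and can forge a valid tag on a message the author never sent. Keys are generated in the program for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignedRecord pairs a message with a detached Ed25519 signature from its author.
type SignedRecord struct {
	Message   []byte
	Signature []byte
}

// Sign produces the author's signature over msg. Only the holder of priv can do this.
func Sign(priv ed25519.PrivateKey, msg []byte) SignedRecord {
	return SignedRecord{Message: msg, Signature: ed25519.Sign(priv, msg)}
}

// Verify reports whether rec.Message is unmodified (integrity) and was signed by the
// holder of the private key matching pub (authenticity). Because the verifier holds
// only the public key, a valid signature is also evidence the signer cannot later
// deny having produced (non-repudiation).
func Verify(pub ed25519.PublicKey, rec SignedRecord) bool {
	return ed25519.Verify(pub, rec.Message, rec.Signature)
}

// HMACTag computes HMAC-SHA256 over msg under a shared secret. It gives integrity and
// authenticity between the two key holders, but not non-repudiation: either party
// could have produced the tag.
func HMACTag(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// HMACVerify checks a tag in constant time to avoid timing side channels.
func HMACVerify(key, msg, tag []byte) bool {
	return hmac.Equal(HMACTag(key, msg), tag)
}

func main() {
	// Constructed sample: an approval record that must not be altered or disowned later.
	msg := []byte(`{"approver":"alice","action":"release-payment","amount":100}`)

	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	rec := Sign(priv, msg)
	fmt.Println("original verifies:", Verify(pub, rec)) // true

	// Tampering: change one byte of the message, keep the old signature.
	tampered := SignedRecord{Message: append([]byte{}, msg...), Signature: rec.Signature}
	tampered.Message[len(msg)-2] = '9' // amount 100 -> 109
	fmt.Println("tampered verifies:", Verify(pub, tampered)) // false

	// Authenticity: the same record does not verify under someone else's key.
	otherPub, _, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("verifies under another key:", Verify(otherPub, rec)) // false

	// Non-repudiation contrast: with HMAC the verifier holds the same key and can
	// forge a tag on a message the author never sent, so the author can deny it.
	shared := make([]byte, 32)
	rand.Read(shared)
	forged := []byte(`{"approver":"alice","action":"release-payment","amount":1000000}`)
	fmt.Println("verifier-forged HMAC accepted:", HMACVerify(shared, forged, HMACTag(shared, forged))) // true
}
```

A signature only supports non-repudiation if the private key really is held by one party, so key generation and storage (hardware tokens, HSMs, no copies on shared servers) matter as much as the algorithm.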
ISO and IEC emphasize the three-element CIA
The CIA triad is the basis of the international information security standards issued by bodies such as ISO and IEC. The best known of these is "ISO/IEC 27001", which gives organizations worldwide a common reference for information security.
The standards are set by ISO (International Organization for Standardization) and IEC (International Electrotechnical Commission), and there are the following differences between them.
ISO (International Organization for Standardization): Develops international standards across most fields, including quality management (ISO 9001) and environmental management (ISO 14001)
IEC (International Electrotechnical Commission): Develops international standards for electrical and electronic technologies
ISO/IEC 27001 (JIS Q 27001) specifies the requirements for an information security management system (ISMS) and is built around the CIA triad. ISO/IEC 27002 (JIS Q 27002) is the accompanying code of practice, describing the specific controls and how to implement them.
Relationship between ISO standard and NIST standard
Besides the ISO standards, there are the NIST standards. NIST is the National Institute of Standards and Technology, an agency of the US federal government.
NIST publishes the Cybersecurity Framework, usually written "NIST CSF", which sets out how organizations should organize their cyber security efforts.
The difference between "ISO/IEC 27001" and "NIST CSF" is as follows.
ISO/IEC 27001: A standard for information security management
NIST CSF: A framework for improving cybersecurity
NIST also publishes standards such as "SP 800-53" and "SP 800-171", both of which are security guidelines set by the US federal government.
NIST SP 800-53: Security and Privacy Controls for Federal Information Systems and Organizations
NIST SP 800-171: Requirements for non-federal organizations (for example, companies that supply products and technologies procured by US government agencies) to protect controlled unclassified information handled on their own systems
SP 800-53 is referenced in the security management standards for cloud services adopted by the Government of Japan, and SP 800-171 is beginning to be included in the procurement standards of Japan's Ministry of Defense.
Although the bodies that issue them differ, both the ISO and the NIST standards define what security measures should look like.
Attention Zero Trust Security

In recent years, an approach to information security called "zero trust security" has been attracting attention.
Zero trust security is the principle of "trusting no access by default": every request is verified regardless of where it comes from. It is spreading as a concept for both information security and cyber security.
The background is the spread of ICT, remote access for telework, and expanding cloud use. These technologies make corporate information reachable over networks, but information connected to the Internet is also exposed to threats. This makes it hard to protect information with traditional perimeter-based defense alone, which assumes that everything inside the network boundary can be trusted.
For example, access to information from inside the company must be made visible (verified and logged) and controlled in the same way as access from outside the company.
Utilization of the cloud designed for information security
Information security can also be managed in an on-premises environment built in-house. However, using cloud services is an efficient way to reduce the cost of managing infrastructure in-house and to keep up with the latest security measures.
Here we look at the main information security features of two typical cloud services, AWS and Microsoft Azure.
AWS Information Security
AWS information security covers, for example, the monitoring of data and of access on the network.
AWS places great importance on the security of customer data and monitors it around the clock with a dedicated team of security experts. According to AWS, all traffic flowing across its global network is automatically encrypted at the physical layer, and data in transit and at rest can also be encrypted so that only authorized users can access it.
Information security in Microsoft Azure
In Microsoft Azure, data written to storage is encrypted with an encryption key, and identity-based access control and audit policies are applied to that key. Security logging is also extensive: control/management-plane logs, data-plane logs, and processed events are available.
Summary
Information security has three core elements, the "CIA" triad, and seven elements when four more are added. Each element is something to keep in mind at all times in order to maintain correct information, free of tampering and mistakes. This is essential for the safe use of a company's important information assets, so it must be understood not only by those who manage information but by everyone who accesses it.