Fundamental Security Concepts: CIA, NIST, and Access Control
Information security is defined by the CIA Triad, a core model used to govern how data is handled and protected:
Confidentiality: Ensures that data is accessible only to authorized individuals.
Integrity: Guarantees that information is authentic and has not been altered by unauthorized parties. Cryptographic hashes detect accidental change, message authentication codes (MACs) detect deliberate tampering by anyone without the key, and digital signatures (with certificates binding the signing key to an identity) add proof of origin and non-repudiation on top of integrity.
Availability: Ensures that systems and data are consistently accessible to authorized users when needed.
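The integrity point above is easy to get wrong in practice: a plain hash sent beside the data proves nothing against an attacker who can rewrite both. The following Python script is an added example, not code from the original notes; it uses a constructed message and a constructed shared key (DEMO_KEY) to show that a recomputed SHA-256 digest is accepted after tampering while an HMAC-SHA256 tag is not. Digital signatures would add non-repudiation but are left out here to keep the example to the standard library.

```python
import hashlib
import hmac

# Constructed sample data for this example (not from the page).
DEMO_KEY = b"demo-shared-secret-do-not-reuse"   # shared between sender and verifier
MESSAGE = b"transfer 100 to account 4471"
TAMPERED = b"transfer 100 to account 6660"


def sha256_hex(data: bytes) -> str:
    """Plain hash: detects accidental corruption, not deliberate tampering."""
    return hashlib.sha256(data).hexdigest()


def hmac_hex(key: bytes, data: bytes) -> str:
    """HMAC-SHA256 tag: integrity plus authenticity for holders of the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def check_hash(data: bytes, digest: str) -> bool:
    """Verify a plain digest that travelled alongside the data."""
    return hmac.compare_digest(sha256_hex(data), digest)


def check_mac(key: bytes, data: bytes, tag: str) -> bool:
    """Verify an HMAC tag in constant time (avoids timing side channels)."""
    return hmac.compare_digest(hmac_hex(key, data), tag)


def attacker_rewrites(new_data: bytes) -> tuple[bytes, str]:
    """An attacker on the channel swaps the message and recomputes the hash.
    They cannot produce a valid HMAC because they do not hold DEMO_KEY."""
    return new_data, sha256_hex(new_data)


def demo() -> dict:
    """Run the honest exchange and the tampering attempt against both checks."""
    sent_hash = sha256_hex(MESSAGE)
    sent_tag = hmac_hex(DEMO_KEY, MESSAGE)
    forged_msg, forged_hash = attacker_rewrites(TAMPERED)
    return {
        "hash_accepts_original": check_hash(MESSAGE, sent_hash),
        # True: the attacker simply recomputed the digest, so a bare hash is
        # not an integrity control against an active adversary.
        "hash_accepts_forgery": check_hash(forged_msg, forged_hash),
        "mac_accepts_original": check_mac(DEMO_KEY, MESSAGE, sent_tag),
        "mac_rejects_forgery": not check_mac(DEMO_KEY, forged_msg, sent_tag),
        "mac_rejects_forged_hash_as_tag": not check_mac(DEMO_KEY, forged_msg, forged_hash),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The takeaway is that "hash_accepts_forgery" comes back True: a hash only protects integrity when it is delivered through a channel the attacker cannot also rewrite (a signed manifest, an out-of-band fingerprint), which is exactly what a MAC or signature supplies.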
Cybersecurity Frameworks and Defense
Effective defense requires adopting a "hacker mindset" to anticipate threats. The NIST Cybersecurity Framework (CSF) organises a defensive posture into core functions; CSF 1.1 lists the five below, and CSF 2.0 (2024) adds Govern as a sixth:
Identify
Protect
Detect
Respond
Recover
A critical component of recovery is the use of offsite backups, which provide a redundant layer of protection against localized system failures or physical disasters. A backup only counts as a recovery control if restores are tested regularly and at least one copy is kept offline or immutable, so that ransomware that reaches the primary site cannot encrypt the backup as well.
Access Control (I.A.A.A.)
Access control is the technical process of managing user permissions through four distinct stages:
Identification: Presenting a claimed identity, typically a username or account ID. The account itself is created beforehand (enrollment) so that the claim maps to a known subject.
Authentication: Proving the claimed identity is genuine by checking one or more factors (something you know, have, or are). For passwords this means comparing a salted, slow hash of the supplied value against the stored hash; the plaintext is never stored.
Authorization: Checking permission lists or role assignments to allow or deny a specific action by the authenticated identity.
Accounting: Recording who did what and when in audit logs so every action can be traced to an identity (accountability). Combined with strong authentication and tamper-evident logs, this supports non-repudiation.
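The four stages above form one procedure, so the following Python class walks a request through all of them: the username is the identity claim, the PBKDF2 check is authentication, the role lookup is authorization, and every decision (including denials) is written to an audit log. This is an added example, not code from the original notes; the role-to-permission table, the account names and the passwords are constructed for illustration.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

# Constructed role-to-permission mapping for this example (not from the page).
ROLE_PERMISSIONS = {
    "admin": {"read", "write", "delete"},
    "analyst": {"read"},
}
PBKDF2_ROUNDS = 100_000  # slow hash so a stolen hash resists offline guessing


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    roles: frozenset


class AccessControl:
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        self.audit_log: list[dict] = []

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def _record(self, user: str, action: str, outcome: str) -> None:
        # Accounting: every decision is logged, denials included.
        self.audit_log.append(
            {"ts": time.time(), "user": user, "action": action, "outcome": outcome}
        )

    def provision(self, username: str, password: str, roles) -> None:
        # Enrollment: create the account that a later identity claim maps to.
        salt = os.urandom(16)
        self.accounts[username] = Account(
            username, salt, self._hash(password, salt), frozenset(roles)
        )

    def authenticate(self, username: str, password: str) -> bool:
        # Identification is the username the caller claims; authentication tests it.
        acct = self.accounts.get(username)
        if acct is None:
            # Burn the same hashing cost so response time does not reveal
            # which usernames exist (username enumeration via timing).
            self._hash(password, bytes(16))
            self._record(username, "login", "denied: unknown identity")
            return False
        ok = hmac.compare_digest(self._hash(password, acct.salt), acct.pw_hash)
        self._record(username, "login", "ok" if ok else "denied: bad credential")
        return ok

    def authorize(self, username: str, action: str) -> bool:
        # Authorization: an authenticated identity still only gets what its roles grant.
        acct = self.accounts.get(username)
        allowed = acct is not None and any(
            action in ROLE_PERMISSIONS.get(role, set()) for role in acct.roles
        )
        self._record(username, action, "allowed" if allowed else "denied")
        return allowed

    def perform(self, username: str, password: str, action: str) -> bool:
        """Full I.A.A.A. flow: claim identity, prove it, check permission, log it."""
        if not self.authenticate(username, password):
            return False
        return self.authorize(username, action)


if __name__ == "__main__":
    ac = AccessControl()
    ac.provision("alice", "correct horse battery staple", ["analyst"])
    ac.provision("bob", "hunter2!", ["admin"])
    print(ac.perform("alice", "correct horse battery staple", "read"))    # True
    print(ac.perform("alice", "correct horse battery staple", "delete"))  # False
    print(ac.perform("mallory", "guess", "read"))                         # False
    for entry in ac.audit_log:
        print(entry["user"], entry["action"], entry["outcome"])
```

Two details carry the security weight: the hash comparison uses hmac.compare_digest rather than ==, and a login for a non-existent user still pays the full PBKDF2 cost, so an attacker cannot tell valid from invalid usernames by timing the response.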
Security Control Categories and Types
Security controls are categorized by how they are implemented and the specific function they serve within a security strategy.
Implementation Categories
Managerial: High-level oversight and organizational policies.
Operational: Processes implemented by people, such as training or physical security checks.
Technical: Hardware and software solutions, including firewalls, IPS, and MFA.
Physical: Tangible barriers such as fences, locks, and security cameras.
Control Functions
Controls are further classified by their timing and intent:
| Type | Purpose | Examples |
|---|---|---|
| Preventive | Stops an incident before it occurs. | Firewalls, MFA, hiring policies, fences. |
| Detective | Identifies and logs an incident in progress. | IDS, honeypots, audit logs, CCTV. |
| Corrective | Limits damage and restores systems. | Patching, rebooting, incident response plans. |
Specialized Controls
Directive: Enforces behavioral rules through Standard Operating Procedures (SOP).
Deterrent: Discourages potential attackers (e.g., warning signs or visible cameras).
Compensating: A temporary or alternative control used when a primary control is unavailable or too expensive to implement.
Organizational Roles and Security Business Units
Managing an information security program requires a structured hierarchy of roles and specialized business units. These ensure that security is integrated into every level of the organization.
Information Security Roles and Responsibilities
Strategic oversight is handled by executive leadership, while technical execution is managed by specialized officers:
Overall Responsibility:
Chief Information Officer (CIO) / Chief Technology Officer (CTO): Responsible for the overall technology strategy and infrastructure.
Chief Security Officer (CSO): Focuses on the physical and digital safety of the organization.
Technical Management:
Information Systems Security Officer (ISSO): Manages the operational security of specific systems and ensures compliance with managerial policies.
Due Care and Liability:
Directors and Owners hold the ultimate legal liability. They must exercise Due Care, acting as a reasonable person would to protect the organization and its stakeholders.
Key Security Business Units
Organizations establish specific teams to handle the day-to-day and emergency aspects of digital defense:
Security Operations Center (SOC): A centralized unit that deals with security issues on an organizational and technical level. They monitor for threats 24/7.
DevSecOps: Short for Development, Security, and Operations. This unit builds security checks (code review, dependency and secret scanning, automated testing) into each stage of the software development lifecycle rather than treating security as a final gate before release.
Incident Response (CIRT): The Cyber Incident Response Team is responsible for responding to active security breaches, mitigating damage, and investigating the root cause.
Security Competencies
To maintain a robust security posture, an organization must master several core competencies:
Risk Assessment & Testing: Regularly identifying vulnerabilities and assessing the potential impact of threats.
Infrastructure Management: Specifying, sourcing, installing, and configuring secure devices and software.
Access Control: Managing user privileges to ensure the principle of least privilege is maintained.
Auditing: Reviewing logs and events to detect unauthorized changes or suspicious patterns.
Business Continuity & Disaster Recovery: Creating plans to ensure the business remains operational during and after a crisis.
Education: Actively participating in and providing security training and education programs for all employees.
Extended Security Control Categories
Beyond the implementation categories above, controls are also classified by whether they direct behaviour, discourage attackers, or restore service after an incident:
Directive Controls: Mandatory controls implemented to meet regulations and organizational policies. They provide guidance on required behavior.
Deterrent Controls: Deployed to discourage security violations and reduce the likelihood of a deliberate attack by making the "cost" of the attack too high for the intruder.
Recovery Controls: Used specifically to restore systems to a normal state after an incident occurs. Backups are the most common example of this control type.
