Overall system security management has so many aspects to consider that basic security protocols and definitions have been established to enable a structured, more modular approach. This separates and simplifies the many complex and often overlapping areas involved in security issues, so that forms of system protection can be researched, created and implemented.
A main concept and "starting point" involves the creation of an overall defining Security Policy – for a particular system and circumstance – that helps identify and define the critical assets in a system that are to be protected, an appropriate level of security required to protect those assets, and a proposed set of procedures to follow to help achieve that overall goal, with procedures to be followed in the event of a breach in that policy. It can only be a "best guess" approach toward defining requirements for a given system.
This Policy then helps define acceptable patterns of "normal" behaviour for a given system, both by users of the system and the behaviour of the system itself, and allows for follow-up actions to be taken with respect to this, which may include:
- Accountability – the determination of who was responsible for the actions
- Damage assessment – determine what specific actions caused any damage
- Damage recovery – determine what actions are necessary to return the system to normal
System security is often defined in terms of the Security Triad – CIA – Confidentiality, Integrity and Accessibility (via Authorisation), where:
- Confidentiality – the requirement for information to be restricted only to those authorised to access it.
- Integrity – the requirement that original data remains protected from accidental or deliberate, unauthorised alteration.
- Accessibility – the requirement that information is always accessible when required, to those authorised for access.
With these concepts in mind, security complexity can be further expanded to include ideas of Trust, Threat, and Vulnerability.
Trust is a local-to-wide-area concept that mirrors the level of "confidence perception" that could be ascribed to a system or group of systems. It may incorporate many aspects, from System Administrator control, user access, hardware components and interconnected devices to other interconnected autonomous systems, all of which have to be considered with a degree of "trustworthiness": how well a particular part of a system functions in reality, compared to how it is expected to function, usually within a defined boundary.
Threat can be defined as a potential circumstance that causes a system to operate outside of the design limits set out for its original purpose, or required by the Security Policy. It usually takes a form that can cause a breach in the Security Triad definitions, by the disclosure, alteration or prevention of access to data.
Vulnerability can be regarded as the level to which a system is capable of suffering from circumstances that affect its normal operation, as defined by its design, or the Security Policy and the Security Triad. System vulnerability can also come in many forms, from badly designed, written and tested software containing "bugs", to what is regarded as the widest-reaching potential vulnerability – the human user. Users carry this potential for damage through deliberate action (disgruntled employee, terrorist) or accidental or unwitting damage (deletion of files, victim of social engineering), mainly because most users have higher privilege levels of system access, being on the "inside" of a system's technical device security perimeter.
Company legal obligations:
Data protection – looking after the information you hold
If you hold and process information about your clients, employees or suppliers, you are legally obliged to protect that information. Under the Data Protection Act, you must:
- only collect information that you need for a specific purpose;
- keep it secure;
- ensure it is relevant and up to date;
- only hold as much as you need, and only for as long as you need it; and
- allow the subject of the information to see it on request.
"Breaches of data protection legislation could lead to your business incurring a fine – up to £500,000 in serious cases. The reputation of your business could also be damaged if inadequate security contributes to high profile incidents of data loss or theft."