Talk:Information security: Difference between revisions
Revision as of 05:42, 23 February 2010

Progress of rewrite

Found a good citation for history of data classification.

Finished confidentiality, integrity, and availability section.

Reorganized the outline and section headers.

Cleaned up See also section. Everything that was listed there can be found on the two categories listed.

Created Archive of the old Talk page.

May need to think about moving Sources of standards and Professional Organizations down into the External Links section.

This is a lot of work but I'm enjoying it.

WideClyde 05:13, 12 January 2007 (UTC)



Progress Saturday January 13, 2007 as of 4:30PM MST USA

Thank you. That is a very good suggestion. Finished the three controls section. Fixed some typos. Removed some subsections that were folded into the controls section. Switched the under-construction flag back. I'm going to watch TV the rest of the night.

WideClyde 23:31, 13 January 2007 (UTC)

Progress Sunday January 14, 2007

Rewrote first paragraph of Introduction. Added two paragraphs to end of History section. Completed Security Classification section. Removed potentially plagiarized paragraph. Revised outline.

WideClyde 02:44, 15 January 2007 (UTC)

Progress on Monday January 15, 2007

Meetings all day today and meetings all day tomorrow. My brain is fried.

I incorporated a few suggestions. Added a sentence about privacy into the confidentiality section. Does more need to be said about privacy? Added a couple of books that I have on my bookshelf and use occasionally to the Bibliography section. Added a paragraph about ISO-17799 to the Risk management section (thanks for the suggestion).

My thoughts about this article are that it should be a high-level overview of the field of information security. I've tried not to get too deep into any particular topic in my contributions. I've also tried to avoid any technical jargon. An article like this one could easily become very technical or devote too much space to a particular topic, or it could potentially become more about a closely related sister field. I'm also concerned that the article may be getting too long.

I might take a couple days off - or I might not.

WideClyde 05:09, 16 January 2007 (UTC)

Privacy is somewhat of a catchall for Confidentiality and restricting access to data, from the legal sense and Bell-LaPadula (security classifications and clearances, etc.). Luis F. Gonzalez 05:39, 16 January 2007 (UTC)

Friday January 19, 2007 - 8:45PM MST USA

I have no memory of this past week. I sure hope today is Friday!

I must have filled in the Security classification section and the Access control section. I found the last half of the Access control section to be the most difficult to write so far. The Cryptography section was easy to write; lots of great Wiki links.

I moved Change management and Disaster recovery down into the Process section. I think those will fit in better there.

WideClyde 03:47, 20 January 2007 (UTC)

Sunday 28 Jan 2007 10:42 EST USA: CIA inadequate model

Hello,

The CIA classic triad is an inadequate model for describing what we protect in information security work. For example, many breaches of security are not covered by confidentiality, integrity or availability. The Parkerian Hexad is a better model and has recently been adopted by the (ISC)^2, the certifying body for CISSPs, as a replacement for the classic triad.

When a British ATM technician was hired by a magazine to demonstrate how he stole debit-card information and PINs from users, he installed a radio transmitter in an ATM and recorded the signals containing bank-account numbers and passwords on his laptop computer. He was arrested and tried for fraud; his defense attorney argued that because he had not looked at the data on his computer, there was no breach of confidentiality. The judge ruled that although that was true, the technician had violated the principle of possession or control: he had gained the power to examine or use those data at will regardless of the data-subjects' wishes. That's an example of a breach of control or possession.

Similarly, when someone using his own e-mail system writes an e-mail message threatening the President of the US but alters the e-mail headers to forge someone else's identity, that's not a breach of confidentiality or control; it's not a breach of integrity either because the e-mail as written and sent represents exactly what the author intended. It's a breach of authenticity: it is incorrectly attributed to someone else.

Finally, when data are in EBCDIC but should have been in ASCII, the issue is usability, not availability. The data are perfectly available -- they are just not useful in their current format. Similarly, if someone presents a report where all the salaries of employees are written in Greek Drachmas instead of US Dollars, that's useful in Greece but probably not in the US -- but it's not a breach of integrity, nor is it a breach of availability.

See my mods to the entry on Parkerian Hexad.

Best wishes,

Mich

M. E. Kabay, PhD, CISSP-ISSMP

CTO & Prog Dir, MSc in Info Assurance, School of Graduate Studies

Assoc. Prof. & Prog Dir, BSc in Info Assurance, Division of Business & Management

P: +1.802.479.7937 NORWICH UNIVERSITY Expect Challenge. Achieve Distinction.

E1: mailto:mekabay@gmail.com E2: mailto:mkabay@norwich.edu for University business W: http://www2.norwich.edu/mkabay/

Network World Fusion Security Management Newsletters: http://www.networkworld.com/newsletters/sec/

Mich kabay 15:44, 28 January 2007 (UTC)
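The EBCDIC-versus-ASCII case in the post above, worked through as an added example in Python (this is not code from the article or from the poster; the payroll record is constructed and hypothetical). The point it makes concrete: the bytes are present (availability holds), a digest taken at write time still matches (integrity holds), yet a consumer expecting ASCII either fails outright or, worse, reads garbage without any error. Only the utility element of the hexad names that condition.

```python
import codecs
import hashlib

# Constructed sample record (hypothetical payroll line), not data from the page.
RECORD = "EMP=1042;NAME=J. Smith;SALARY=52000"


def to_ebcdic(text: str) -> bytes:
    """Encode text as EBCDIC code page 037 (IBM US/Canada), as a mainframe export might."""
    return codecs.encode(text, "cp037")


def from_ebcdic(data: bytes) -> str:
    """Recover the text: the bytes were never lost or altered, only mislabelled."""
    return codecs.decode(data, "cp037")


def record_digest(data: bytes) -> str:
    """Digest recorded at write time, used later as the integrity check."""
    return hashlib.sha256(data).hexdigest()


def is_usable_as_ascii(data: bytes) -> bool:
    """True when a consumer expecting ASCII can actually read the bytes."""
    try:
        data.decode("ascii")
        return True
    except UnicodeDecodeError:
        return False


def naive_read(data: bytes) -> str:
    """A consumer that falls back to Latin-1 sees no error at all, only garbage.
    This is the dangerous case: nothing alarms, the report is simply wrong."""
    return data.decode("latin-1")


def assess(data: bytes, expected_digest: str) -> dict:
    """Score the stored bytes on the three hexad elements the post contrasts."""
    return {
        "availability": len(data) > 0,                        # bytes are there
        "integrity": record_digest(data) == expected_digest,  # and unchanged
        "utility": is_usable_as_ascii(data),                  # but can we use them?
    }


def demo() -> dict:
    """Write the record as EBCDIC, baseline its digest, then assess it as an ASCII consumer would."""
    stored = to_ebcdic(RECORD)        # written by an EBCDIC system
    digest = record_digest(stored)    # integrity baseline taken at write time
    return assess(stored, digest)


if __name__ == "__main__":
    stored = to_ebcdic(RECORD)
    print(demo())                           # availability and integrity True, utility False
    print(repr(naive_read(stored)))         # silently wrong text
    print(from_ebcdic(stored) == RECORD)    # True once the encoding is known
```

The practical lesson for a data pipeline is in `naive_read`: a lenient decoder turns a utility failure into a silent integrity-looking failure downstream, so format and encoding should be declared and checked at the boundary rather than guessed.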


What an excellent explanation! Thank you! I think the material that's in that section can probably stay, but it definitely needs to be amended. Maybe even copy and paste from your post.

WideClyde 03:26, 31 January 2007 (UTC)

There is a report on an ISC2 blog site that makes it hard to believe that the Parkerian Hexad would be made part of the syllabus. ("If you find a really outrageous quote about infosec, it usually comes from either Donn Parker or Winn Schwartau.") One comment also suggests that Mich Kabay (see comment above) may have coined the name. There are some helpful comments on the strict/loose interpretation of Confidentiality, Integrity, and Availability.
John Y (talk) 22:31, 27 December 2008 (UTC)

Thursday February 1, 2007

Created new image for 6 atomic elements of information security. Replaced CIA triad image. Renamed and rewrote former confidentiality, integrity and availability section.

Thinking about changing direction a little in Process section. Think it might be better to write about Security planning and implementing a security program.

Maybe should include section on Pre-planning for security incident and response management.

WideClyde 02:58, 2 February 2007 (UTC)

Corrected date of entry WideClyde 05:10, 3 February 2007 (UTC)

Friday February 2, 2007

Did some proof reading and editing. Did some cleanup. Slapped a couple of outlines into the Process section. This may be too much for this article.

WideClyde 05:09, 3 February 2007 (UTC)

Business point of view

I think that this page is acquiring a very "business" oriented point of view. For example, the risk management section talks about "Executive Management" and "when Management does X, they will...". This is quite reasonable for a business, but doesn't really cater for an individual worried about privacy or an operating system designer choosing features.

Also, it is suggested that the CIA Triad "is being replaced by" the hexad. This may be the case in some fields, but certainly not all. I therefore think that the statement is misleading. While the hexad may be considered more appropriate for typical business use, there are few researchers in the field who use it, and few scientific models that consider these 6 aspects to be separate. For example, it is alleged that stealing a laptop breaches my control of the information. But I could equally well say that it is a denial of service attack against the information availability. If someone modifies the info, it's a breach of integrity, and if they read it, it's a breach of confidentiality. It's true that in a business, thinking about countermeasures to "loss of control" might help you write a better security plan. But that doesn't mean the hexad is a more logical structure.

I think the page doesn't cater for people who would like a more scientific/research-oriented perspective on the field. (That's my background.) Perhaps many (or even most) of the people who visit this page are happy with the business point of view, but I'm not sure that that excuses it in an encyclopedic article.

John Y 18:32, 17 March 2007 (UTC)

Parkerian hexad too controversial

The Parkerian hexad is not widely accepted and is too controversial for this article. I reverted back to CIA but did retain a reference to Parkerian hexad.

WideClyde 16:17, 24 March 2007 (UTC)

Non-repudiation is not part of the CIA triad

Non-repudiation is not part of the CIA triad. Non-repudiation is a legal construct rather than a basic principle of Info Sec. It is further discussed elsewhere in the article. —Preceding unsigned comment added by WideClyde (talkcontribs) 17:13, 3 September 2007 (UTC)

Agree. While good to reference, it is more aptly suited in describing that cryptography (in conjunction with a PKI infrastructure) enables non-repudiation of actions that further strengthen accountability. --sh3rlockian 01:25, 15 November 2007 (UTC)
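The point in the reply above, that it is asymmetric cryptography specifically that gives non-repudiation, as an added example in Python (not code from the article or from either commenter). It contrasts a shared-secret MAC with a public-key signature: the MAC verifier holds the same key as the sender, so it could have produced the tag itself and can prove nothing to a third party; the signature verifier holds only the public key and cannot forge one. The RSA here is textbook RSA over SHA-256 with tiny keys and no padding, written in pure Python purely to keep the example self-contained; it is an assumption for illustration only, and real systems use a vetted library. The PKI step, binding the public key to a named party, is assumed rather than shown.

```python
import hashlib
import hmac
import secrets


# ---- Shared-secret MAC: both parties hold the same key ---------------------
def mac_tag(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def mac_verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac_tag(key, msg), tag)


# ---- Toy RSA signature: textbook RSA over SHA-256, tiny keys, no padding ----
# Assumption: illustration only, nothing here is production cryptography.
def _is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # exact size, odd
        if _is_probable_prime(cand):
            return cand


def rsa_keygen(bits: int = 512):
    """Return (public, private) as ((n, e), (n, d)). A 512-bit n is far too small for real use."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        if p == q:
            continue
        phi = (p - 1) * (q - 1)
        try:
            d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
        except ValueError:               # gcd(e, phi) != 1: draw new primes
            continue
        return (p * q, e), (p * q, d)


def _digest_int(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")   # 256 bits, so < n


def sign(priv, msg: bytes) -> int:
    n, d = priv
    return pow(_digest_int(msg), d, n)


def verify(pub, msg: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest_int(msg)


# ---- The non-repudiation question: could the verifier have produced it? ----
def verifier_can_forge_mac(key: bytes, msg: bytes) -> bool:
    """The recipient holds the shared key, so a tag it makes verifies just as well.
    A MAC therefore cannot show a third party which of the two parties sent the message."""
    return mac_verify(key, msg, mac_tag(key, msg))


def verifier_can_forge_signature(pub, msg: bytes) -> bool:
    """The recipient holds only (n, e); its best attempt with that key does not verify."""
    n, e = pub
    attempt = pow(_digest_int(msg), e, n)
    return verify(pub, msg, attempt)


if __name__ == "__main__":
    pub, priv = rsa_keygen()
    msg = b"transfer 52000 to account 1042"      # constructed sample message
    print(verify(pub, msg, sign(priv, msg)))      # True: signer's private key was used
    print(verifier_can_forge_signature(pub, msg)) # False: public key cannot sign
    print(verifier_can_forge_mac(b"k", msg))      # True: shared key proves nothing
```

The accountability gain the reply mentions rests on `verifier_can_forge_signature` being false and `verifier_can_forge_mac` being true: only the signature lets an auditor who never held any secret attribute the action to one party, and only once a PKI ties that public key to the party's name.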

INFOSEC

Hello... would someone please create a separate page on INFOSEC certification? It appears to redirect to this page, but it is not explained at all. This certification is becoming a standard for computer forensics analysts and surely someone can explain in an article what it is. Bob (talk) 02:04, 18 November 2007 (UTC)


Security Poster Image

How the hell is this a work from the United States government? It's paraphrased from Uncyclopedia: http://uncyclopedia.org/wiki/Everybody 194.81.36.9 (talk) 10:01, 8 January 2008 (UTC)

Also, "COMMUNICATIO[N]S" is mis-spelled in the image. Proof it's a US Gov't thing? 24.143.66.179 (talk) 23:06, 9 April 2008 (UTC)

Section on Government Organisations

Would it be useful to add a section on the major national "players" in this field (e.g. AGD / DSD for Australia, NIST / NSA for US etc.), along with referencing various schemes they drive (e.g. Common Criteria, FIPS-140, GetSafeOnline)? There is a synergy between their work and the "standards" / "regulation" piece. Bill Martin (talk) 11:35, 10 January 2008 (UTC)

Business Continuity

While I agree that Business Continuity is generally a component of IT Security as it relates to availability, the collection of 7 questions in this article does not describe Business Continuity Planning as well as the standalone article. Recommend removing it from this article and referencing the other. Jc3 (talk) 19:30, 28 January 2009 (UTC)

Not congruent

In the part about control areas, they are divided into three sections: physical, logical and administrative. But if you look at the caption beneath the text, it is distinguished into three other control areas: people, physical and organisation.

In my opinion there should be four areas: physical, technology, organisation and people. But it's not about my opinion, so a choice should be made between one of these models.

Pompedom (talk) 15:35, 12 March 2009 (UTC)

Controversial Distinctions

I am concerned about the distinctions provided in section one. They seem to fall apart. Infinitesteps (talk) 15:43, 14 January 2010 (UTC)

InfoSec vs IA distinction

I'm not sure what the precise distinction between "Information Security" and "Information Assurance" is supposed to be according to this article. In fact, as an IA professional I am surprised to find that the definition of Information Security contained in this article is actually the same definition that I would use for Information Assurance. Does anyone know what the original distinction was meant to be? If not, I think the distinction should be removed from the article since it raises a question without answering it and leaves the reader with a false perception of Information Assurance as something other than the definition contained here.

InfoSec vs Computer Security

IF, a computer system is an information system. AND IF, information security protects information systems. THEN, computer [system] security is part of information security (not distinct from). Infinitesteps (talk) 15:43, 14 January 2010 (UTC)

Uh, who writes like that?

"It is also important for authenticity to validate ..."

Authenticity is an abstract noun describing a quality; it can't validate anything. Or was it meant to be "it is important for the purpose of authenticity that one validates"? Then, authenticity of what? Or just authenticity, like a cosmic thing?

or this:

"Confidentiality is the term used to prevent the disclosure of information ..."

Although the wish to have problems solved by simply using terms is completely understandable, not sure if it works that way.

Seems like the page has a lot of issues with presentation, style and logic. Just calling attention to that.
Sorry if that sounds mean, I actually respect the authors' work. (note: I'm ESL, so I might be deadly wrong in those arguments) Theabsurd (talk) 18:59, 9 February 2010 (UTC)

Not a concern for most companies?

I have been searching the web for this type of tools that may be available, but seem to be lacking a lot in this field. Does it mean that it is not actually required? Or it has already been implemented by most companies these days?