Talk:Information security

From Wikipedia, the free encyclopedia

Wiki Education Foundation-supported course assignment[edit]

This article was the subject of a Wiki Education Foundation-supported course assignment, between 22 January 2020 and 14 May 2020. Further details are available on the course page. Peer reviewers: Wintersfire.

Above undated message substituted from Template:Dashboard.wikiedu.org assignment by PrimeBOT (talk) 23:00, 17 January 2022 (UTC)[reply]

Wiki Education Foundation-supported course assignment[edit]

This article was the subject of a Wiki Education Foundation-supported course assignment, between 16 May 2019 and 24 August 2019. Further details are available on the course page. Student editor(s): Robbinsm1.

Above undated message substituted from Template:Dashboard.wikiedu.org assignment by PrimeBOT (talk) 00:31, 17 January 2022 (UTC)[reply]

Progress of rewrite[edit]

Found a good citation for history of data classification.

Finished confidentiality, integrity, and availability section.

Reorganized the outline and section headers.

Cleaned up See also section. Everything that was listed there can be found on the two categories listed.

Created Archive of the old Talk page.

May need to think about moving Sources of standards and Professional Organizations down into the External Links section.

This is a lot of work but I'm enjoying it.

WideClyde 05:13, 12 January 2007 (UTC)[reply]



Progress Saturday January 13, 2007 as of 4:30PM MST USA[edit]

Thank you. That is a very good suggestion. Finished the three controls section. Fixed some typos. Removed some subsections that were folded into the controls section. Switched the under-construction flag back. I'm going to watch TV the rest of the night.

WideClyde 23:31, 13 January 2007 (UTC)[reply]

Progress Sunday January 14, 2007[edit]

Rewrote first paragraph of Introduction. Added two paragraphs to end of History section. Completed Security Classification section. Removed potentially plagiarized paragraph. Revised outline.

WideClyde 02:44, 15 January 2007 (UTC)[reply]

Progress on Monday January 15, 2007[edit]

Meetings all day today and meetings all day tomorrow. My brain is fried.

I incorporated a few suggestions. Added a sentence about privacy into the confidentiality section. Does more need to be said about privacy? Added a couple of books that I have on my bookshelf and use occasionally to the Bibliography section. Added paragraph about ISO-17799 to the Risk management section (thanks for the suggestion).

My thoughts about this article are that it should be a high level overview of the field of information security. I've tried not to get too deep into any particular topic in my contributions. I've also tried to avoid any technical jargon. An article like this one could easily become very technical or devote too much space to a particular topic, or it could potentially become more about a closely related sister field. I'm also concerned that the article may be getting too long.

I might take a couple days off - or I might not.

WideClyde 05:09, 16 January 2007 (UTC)[reply]

Privacy is somewhat of a catchall for Confidentiality and restricting access to data, from the legal sense and Bell-LaPadula (security classifications and clearances, etc.) Luis F. Gonzalez 05:39, 16 January 2007 (UTC)[reply]

Friday January 19, 2007 - 8:45PM MST USA[edit]

I have no memory of this past week. I sure hope today is Friday!

I must have filled in the Security classification section and the Access control section. I found the last half of the Access control section to be the most difficult to write so far. The Cryptography section was easy to write; lots of great Wiki links.

I moved Change management and Disaster recovery down into the Process section. I think those will fit in better there.

WideClyde 03:47, 20 January 2007 (UTC)[reply]

Sunday 28 Jan 2007 10:42 EST USA: CIA inadequate model[edit]

Hello,

The CIA classic triad is an inadequate model for describing what we protect in information security work. For example, many breaches of security are not covered by confidentiality, integrity or availability. The Parkerian Hexad is a better model and has recently been adopted by the (ISC)^2, the certifying body for CISSPs, as a replacement for the classic triad.

When a British ATM technician was hired by a magazine to demonstrate how he stole debit-card information and PINs from users, he installed a radio transmitter in an ATM and recorded the signals containing bank-account numbers and passwords on his laptop computer. He was arrested and tried for fraud; his defense attorney argued that because he had not looked at the data on his computer, there was no breach of confidentiality. The judge ruled that although that was true, the technician had violated the principle of possession or control: he had gained the power to examine or use those data at will regardless of the data-subjects' wishes. That's an example of a breach of control or possession.

Similarly, when someone using his own e-mail system writes an e-mail message threatening the President of the US but alters the e-mail headers to forge someone else's identity, that's not a breach of confidentiality or control; it's not a breach of integrity either because the e-mail as written and sent represents exactly what the author intended. It's a breach of authenticity: it is incorrectly attributed to someone else.

Finally, when data are in EBCDIC but should have been in ASCII, the issue is usability, not availability. The data are perfectly available -- they are just not useful in their current format. Similarly, if someone presents a report where all the salaries of employees are written in Greek Drachmas instead of US Dollars, that's useful in Greece but probably not in the US -- but it's not a breach of integrity, nor is it a breach of availability.

See my mods to the entry on Parkerian Hexad.

Best wishes,

Mich

M. E. Kabay, PhD, CISSP-ISSMP

  • CTO & Prog Dir, MSc in Info Assurance

School of Graduate Studies

  • Assoc. Prof. & Prog Dir, BSc in Info Assurance

Division of Business & Management P: +1.802.479.7937 NORWICH UNIVERSITY Expect Challenge. Achieve Distinction.


E1: mailto:mekabay@gmail.com E2: mailto:mkabay@norwich.edu for University business W: http://www2.norwich.edu/mkabay/

  • Network World Fusion Security Management Newsletters

http://www.networkworld.com/newsletters/sec/

Mich kabay 15:44, 28 January 2007 (UTC)[reply]


What an excellent explanation! Thank you! I think the material that's in that section can probably stay, but it definitely needs to be amended. Maybe even copy and paste from your post.

WideClyde 03:26, 31 January 2007 (UTC)[reply]

There is a report on an ISC2 blog site that makes it hard to believe that the Parkerian Hexad would be made part of the syllabus. ("If you find a really outrageous quote about infosec, it usually comes from either Donn Parker or Winn Schwartau.") One comment also suggests that Mich Kabay (see comment above) may have coined the name. There are some helpful comments on the strict/loose interpretation of Confidentiality, Integrity, and Availability.
John Y (talk) 22:31, 27 December 2008 (UTC)[reply]

Thursday February 1, 2007[edit]

Created new image for 6 atomic elements of information security. Replaced CIA triad image. Renamed and rewrote former confidentiality, integrity and availability section.

Thinking about changing direction a little in Process section. Think it might be better to write about Security planning and implementing a security program.

Maybe should include section on Pre-planning for security incident and response management.

WideClyde 02:58, 2 February 2007 (UTC)[reply]

Corrected date of entry WideClyde 05:10, 3 February 2007 (UTC)[reply]

Friday February 2, 2007[edit]

Did some proof reading and editing. Did some cleanup. Slapped a couple of outlines into the Process section. This may be too much for this article.

WideClyde 05:09, 3 February 2007 (UTC)[reply]

Business point of view[edit]

I think that this page is acquiring a very "business" oriented point of view. For example, the risk management section talks about "Executive Management" and "when Management does X, they will...". This is quite reasonable for a business, but doesn't really cater for an individual worried about privacy or an operating system designer choosing features.

Also, it is suggested that the CIA Triad "is being replaced by" the hexad. This may be the case in some fields, but certainly not all. I therefore think that the statement is misleading. While the hexad may be considered more appropriate for typical business use, there are few researchers in the field who use it, and few scientific models that consider these 6 aspects to be separate. For example, it is alleged that stealing a laptop breaches my control of the information. But I could equally well say that it is a denial of service attack against the information availability. If someone modifies the info, it's a breach of integrity, and if they read it, it's a breach of confidentiality. It's true that in a business, thinking about countermeasures to "loss of control" might help you write a better security plan. But that doesn't mean the hexad is a more logical structure.

I think the page doesn't cater for people who would like a more scientific/research-oriented perspective on the field. (That's my background.) Perhaps many (or even most) of the people who visit this page are happy with the business point of view, but I'm not sure that that excuses it in an encyclopedic article.

John Y 18:32, 17 March 2007 (UTC)[reply]

Parkerian hexad too controversial[edit]

The Parkerian hexad is not widely accepted and is too controversial for this article. I reverted back to CIA but did retain a reference to Parkerian hexad.

WideClyde 16:17, 24 March 2007 (UTC)[reply]

Non-repudiation is not part of the CIA triad[edit]

Non-repudiation is not part of the CIA triad. Non-repudiation is a legal construct rather than a basic principle of Info Sec. It is further discussed elsewhere in the article. —Preceding unsigned comment added by WideClyde (talkcontribs) 17:13, 3 September 2007 (UTC)[reply]

Agree. While good to reference, it is more aptly suited in describing that cryptography (in conjunction with a PKI infrastructure) enables non-repudiation of actions that further strengthen accountability. --sh3rlockian 01:25, 15 November 2007 (UTC)[reply]
Following up on these comments from 2007: I have not found a credible source to verify that non-repudiation should be considered alongside confidentiality, integrity and availability. As it currently stands, it seems to me like it makes the article less clear to readers - if you read through the index it seems like it's CIAR. Considering the fact that there are no credible references in the article, and I was unable to find any in scientific literature, I suggest changing it. My suggestion would be to shorten the text in the "non-repudiation" part, and move it up above the "confidentiality" part, so that it becomes part of the general discussion about what the key concepts should be, rather than being mentioned as one of the key concepts as it currently is. Any objections or other suggestions? Nietvoordekat (talk) 20:05, 6 June 2017 (UTC)[reply]

INFOSEC[edit]

Hello...would someone please create a separate page on INFOSEC certification? It appears to redirect to this page, but it is not explained at all. This certification is becoming a standard for computer forensics analysts and surely someone can explain in an article what it is. Bob (talk) 02:04, 18 November 2007 (UTC)[reply]


Security Poster Image[edit]

How the hell is this a work from the United States government? It's paraphrased from Uncyclopedia: http://uncyclopedia.org/wiki/Everybody 194.81.36.9 (talk) 10:01, 8 January 2008 (UTC)[reply]


Also, "COMMUNICATIO[N]S" is mis-spelled in the image. Proof it's a US Gov't thing? 24.143.66.179 (talk) 23:06, 9 April 2008 (UTC)[reply]

Section on Government Organisations[edit]

Would it be useful to add a section on the major national "players" in this field (e.g. AGD / DSD for Australia, NIST / NSA for US etc.), along with referencing various schemes they drive (e.g. Common Criteria, FIPS-140, GetSafeOnline)? There is a synergy between their work and the "standards" / "regulation" piece. Bill Martin (talk) 11:35, 10 January 2008 (UTC)[reply]

Business Continuity[edit]

While I agree that Business Continuity is generally a component of IT Security as it relates to availability, the collection of 7 questions in this article does not describe Business Continuity Planning as well as the standalone article. Recommend removing it from this article and referencing the other. Jc3 (talk) 19:30, 28 January 2009 (UTC)[reply]

Not congruent[edit]

In the part about control areas, they are divided into 3 sections: physical, logical and administrative. But if you look at the caption beneath the text, it's distinguished into 3 other control areas: people, physical and organisation.

In my opinion there should be 4 areas: physical, technology, organisation and people. But it's not about my opinion, so a choice should be made between one of these models.

Pompedom (talk) 15:35, 12 March 2009 (UTC)[reply]

Controversial Distinctions[edit]

I am concerned about the distinctions provided in section one. They seem to fall apart. Infinitesteps (talk) 15:43, 14 January 2010 (UTC)[reply]

InfoSec vs IA distinction[edit]

I'm not sure what the precise distinction between "Information Security" and "Information Assurance" is supposed to be according to this article. In fact, as an IA professional I am surprised to find that the definition of Information Security contained in this article is actually the same definition that I would use for Information Assurance. Does anyone know what the original distinction was meant to be? If not, I think the distinction should be removed from the article since it raises a question without answering it and leaves the reader with a false perception of Information Assurance as something other than the definition contained here.

InfoSec vs Computer Security[edit]

IF, a computer system is an information system. AND IF, information security protects information systems. THEN, computer [system] security is part of information security (not distinct from). Infinitesteps (talk) 15:43, 14 January 2010 (UTC)[reply]

The second part of your premise is false, since information security does not just protect information systems. The conclusion therefore does not follow logically. Nietvoordekat (talk) 12:18, 7 June 2017 (UTC)[reply]

Uh, who writes like that?[edit]

"It is also important for authenticity to validate ..."

Authenticity is an abstract noun describing a quality; it can't validate anything. Or was it meant to be "it is important for the purpose of authenticity that one validates"? Then, authenticity of what? Or just authenticity, like a cosmic thing?

or this:

"Confidentiality is the term used to prevent the disclosure of information ..."

Although the wish to have problems solved by simply using terms is completely understandable, not sure if it works that way.

Seems like the page has a lot of issues with presentation, style and logic. Just calling attention to that.
Sorry if that sounds mean, I actually respect the authors' work. (note: I'm ESL, so I might be deadly wrong in those arguments) Theabsurd (talk) 18:59, 9 February 2010 (UTC)[reply]

Not a concern for most companies?[edit]

I have been searching the web for these types of tools that may be available, but they seem to be lacking a lot in this field. Does it mean that it is not actually required? Or has it already been implemented by most companies these days? —Preceding unsigned comment added by Dci terry (talkcontribs) 05:42, 23 February 2010 (UTC)[reply]

Does a description of 'separation of duties' really belong in the section on 'physical' controls?[edit]

Separation of duty can be implemented as a physical control. For example, there can be two locks on a door, so that both keys (each belonging to a different person) are required before the door can be opened. I have seen a sensitive area protected in this way called a "No Lone Zone". Double lock cabinet example.

But separation of duties can also be a procedural control, when for example two signatures are required on a bank cheque/check. That's procedural because it relies on a person in the bank confirming that both signatures are there before processing it. The reimbursement example given in the article falls into this category too, unless it's computer software that ensures that the person seeking reimbursement and the approver are different people, in which case it becomes a logical control. The separation of database administrator and server administrator is partly procedural (it relies on management appointing different people to these roles), and partly technical (since the server administrator is prevented by the software from modifying the database).

I think it would be best to move the current example into one of the other sections, or to change the example into one that is actually a physical control.

BTW, I think the quality of the article has been improved enormously recently. Thanks to all contributors/editors.

John Y (talk) 12:04, 7 September 2010 (UTC)[reply]

Methods against methodologies[edit]

81.159.229.250 changed methodologies to methods. I believe (see Methodology and related references) that in this case methodologies is more appropriate because Information Assurance has different methodologies (i.e. collections of methods, tools, procedures) than Information Security. Even in Information Security (see IT risk) there are different methodologies, for example in risk management. Because the modification was done by an unregistered user, I reverted the change. --Pastore Italy (talk) 10:27, 13 October 2010 (UTC)[reply]

Professionalism sections and Template:Computer_Security_Certifications[edit]

There is a debate about the difference between Computer Security, Information Security and Information Assurance; see Information Assurance top for a short explanation.

I think that most certifications listed are about Information Assurance and Information Security: look at the certification names.

Computer Security is a more used but limited term.

Information Security is a wider term than Computer security: I propose to change (at least in the first line of the navbox) the name of this template. Moving the template to a new name "Information Security Certifications" would be better. I do not know if redirects work for transclusions; otherwise we have to change (eventually by a bot) all the references.

I have noticed that not every certification listed in the template transcludes the template itself.

In my opinion at least one article should transclude this template. I saw that Computer security and Computer insecurity do not have certification/professionalism sections.

Information assurance has sections about certifications, and I recently have worked on Information security#Professional association and certification.

I think the best solution is to write a new article, perhaps Information security certification or better Information security professionalism, moving the current versions of the above mentioned sections dealing with certification and inserting a {{main|Information security certification}} in the articles. Eventually in this new article we can try to categorize the different certifications.

I will post a similar section in the cited articles. I suggest that your welcome comments be posted in Template_talk:Computer_Security_Certifications

--Pastore Italy (talk) 12:12, 17 December 2010 (UTC)[reply]

On confidentiality[edit]

Somebody recently tweaked the article to say this:

Confidentiality is the term used to describe the breadth of dissemination of information. The more confidential the information, the smaller the pool of those people, processes or systems who have had or should have access to the information.

Which was, I presume, well intentioned; but I doubt it's true. The number of people who should have access to an item may often be (negatively) correlated with confidentiality, but it's not a direct relationship. Let's try some examples:

  • There are thousands of people and systems who could access my (computerised) health records & tax records, but barely anybody can - or should - know my shoe size. Does that make shoe size more confidential than health & tax records?
  • If, say, NATO holds grand strategic plans, then several senior military people in each country (and probably some politicians and supporting agencies) need to be able to see those plans - that's a lot of people. Conversely, only a handful of people might need to know the details of an infantry squad's training plans for next week. Are the squad's training plans more confidential?

Confidentiality is better framed in terms of the impact of disclosure to unauthorised people, or the value of keeping the information from unwanted eyes. bobrayner (talk) 15:05, 5 April 2011 (UTC)[reply]

Which is fine, but it contradicts the definition of confidentiality given by, for instance, ISO and ISACA. I propose that we use these definitions, rather than make up our own. Nietvoordekat (talk) 12:21, 7 June 2017 (UTC)[reply]

Scholars working in the field?[edit]

This section seems like a grab bag, and possibly a vanity section. It's unclear why someone like Deborah Estrin, whose publications list doesn't include the word security since 1989, is in here; or why Lance Cottrell, who did some interesting work in privacy 10 or 15 years ago and has lately been running a company, is included.

I nominate this section for deletion, and suggest that if others want to keep it, a set of criteria such as frequency of contribution, impact, innovation, scholarly appointment, etc, be defined for who qualifies as a "scholar working in the field." — Preceding unsigned comment added by Emergentchaos (talkcontribs) 14:41, 21 March 2013 (UTC)[reply]

(I moved this section to the bottom of the page, where it belongs. Please don't top-post.)

That being said, I think I agree with you on the vanity section. If it doesn't run afoul of WP:SPAM, it seems like it comes close. Regardless, what value does it add to the reader's experience, anyway, that a search engine can't provide--and do a better job of it? Heck, I might be able to make a case that I'm a scholar working in the field. It wouldn't improve the article, though, which is why we're here. — UncleBubba T @ C ) 00:02, 22 March 2013 (UTC)[reply]

Ok, since the only 2 people to ever mention this section in the talk page agree it should be removed, and it jumped out at me as out-of-place when I was reading the article (which is pretty good otherwise), I'm going to go ahead and remove it. ChristopheBiocca (talk) 23:22, 3 January 2018 (UTC)[reply]

Accidental violation of integrity[edit]

On integrity, it is said "Integrity is violated when a message is actively modified in transit.". But, AFAIK, integrity is also violated when data is accidentally damaged. If your notebook accidentally falls and the hard drive breaks, doesn't that violate the integrity of your files? -- Jorge (talk) 12:17, 19 November 2014 (UTC)[reply]

I have then decided to fix the article myself. -- Jorge (talk) 10:18, 21 November 2014 (UTC)[reply]
Actually, the example you give of a disk failure would be a breach of availability, not of integrity. The data isn't modified; it's gone. The sentence you question is correct as stated, however, I do not believe that it was intended to be a definition of integrity, but merely an example of it. The definition of data integrity is given in the first sentence of the paragraph. Vbscript2 (talk) 08:45, 25 November 2014 (UTC)[reply]

Legality comment in "Key Concepts"[edit]

I have removed this statement from the "Key Concepts" section: "and as regulation of computer systems has increased (particularly amongst the Western nations) Legality is becoming a key consideration for practical security installations." It had been flagged as citation needed for over 3 years and, in my opinion, it is not accurate either in its claims regarding regulation of computer systems or the claim that legality is a security concern. Legality is an orthogonal concern to information security. Whether something is legal does not necessarily have any effect at all on whether it is secure. Vbscript2 (talk) 09:12, 25 November 2014 (UTC)[reply]

Why? There are laws requiring that data is kept secure, and there are laws against unauthorised access to systems, and so on. Why would legality be orthogonal to security? bobrayner (talk) 20:04, 2 December 2014 (UTC)[reply]

Basic Principles - Confidentiality explanation is missing[edit]

In the Basic Principles Section, it mentions the CIA triad of confidentiality, integrity, and availability.

Immediately following that, there is a description of Integrity and Availability. However, there is no heading, description, or link for "Confidentiality". Voice27 (talk) 00:00, 20 January 2015 (UTC)[reply]

External links modified[edit]

Hello fellow Wikipedians,

I have just added archive links to 2 external links on Information security. Please take a moment to review my edit. If necessary, add {{cbignore}} after the link to keep me from modifying it. Alternatively, you can add {{nobots|deny=InternetArchiveBot}} to keep me off the page altogether. I made the following changes:

When you have finished reviewing my changes, please set the checked parameter below to true to let others know.

This message was posted before February 2018. After February 2018, "External links modified" talk page sections are no longer generated or monitored by InternetArchiveBot. No special action is required regarding these talk page notices, other than regular verification using the archive tool instructions below. Editors have permission to delete these "External links modified" talk page sections if they want to de-clutter talk pages, but see the RfC before doing mass systematic removals. This message is updated dynamically through the template {{source check}} (last update: 18 January 2022).

  • If you have discovered URLs which were erroneously considered dead by the bot, you can report them with this tool.
  • If you found an error with any archives or the URLs themselves, you can fix them with this tool.

Cheers. —cyberbot II (Talk to my owner: Online) 10:15, 26 August 2015 (UTC)[reply]

External links modified[edit]

Hello fellow Wikipedians,

I have just modified 3 external links on Information security. Please take a moment to review my edit. If you have any questions, or need the bot to ignore the links, or the page altogether, please visit this simple FaQ for additional information. I made the following changes:

When you have finished reviewing my changes, you may follow the instructions on the template below to fix any issues with the URLs.

Cheers.—InternetArchiveBot (Report bug) 22:05, 10 April 2017 (UTC)[reply]

Confidentiality section is unclear[edit]

This segment: Information_security#Confidentiality contains the following sentence

Rather, confidentiality is a component of privacy that implements to protect our data from unauthorized viewers

- emphasis added

The use of the word implements is unclear here, and I am hoping the original author or someone who understands it better than me can help clarify/correct this.

Mmkaram (talk) 02:02, 28 August 2021 (UTC)[reply]

I agree that it's not super clear. You can scroll this talk page, there is more discussion about the Confidentiality section. (the talk page per se would need some decluttering) Kerbless (talk) 15:52, 6 February 2023 (UTC)[reply]

Reference 211 is paywalled[edit]

The article text includes this and the 211 reference: Within the need-to-know principle, network administrators grant the employee the least amount of privilege to prevent employees from accessing more than what they are supposed to.[211]

This links content behind a paywall which I can't verify. I don't know how Wikipedia manages this, but my guess is that if it can't be verified, it isn't okay as a reference, and if it can be verified, there should be a note or expert in Talk to confirm this. Eltimbalino (talk) 02:12, 25 October 2022 (UTC)[reply]

I suggest[edit]

Adding: Template:Very long and successively splitting the page into multiple pages when possible (e.g. create a page for "Integrity in information security"). Kerbless (talk) 15:50, 6 February 2023 (UTC)[reply]

Reference 91 does not work[edit]

Am I stupid, or is it broken? Kerbless (talk) 16:51, 6 February 2023 (UTC)[reply]

Wiki Education assignment: Research Process and Methodology - SP23 - Sect 201 - Thu[edit]

This article was the subject of a Wiki Education Foundation-supported course assignment, between 25 January 2023 and 5 May 2023. Further details are available on the course page. Student editor(s): Yg2816 (article contribs).

— Assignment last updated by Yg2816 (talk) 18:33, 4 April 2023 (UTC)[reply]

remove illegal content[edit]

detect malicious content attack, built up news software detect malware activity in computer and phone, author by innocentjohnagbaji — Preceding unsigned comment added by 102.89.32.45 (talk) 06:08, 11 June 2023 (UTC)[reply]