Confidentiality seeks to prevent the unauthorized disclosure of information: it keeps data secret. In other words, confidentiality seeks to prevent unauthorized read access to data. An example of a confidentiality attack would be the theft of Personally Identifiable Information (PII), such as credit card information.

Integrity seeks to prevent unauthorized modification of information. In other words, integrity seeks to prevent unauthorized write access to data.

Availability ensures that information is available when needed. Systems need to be usable (available) for normal business use. An example of attack on availability would be a Denial of Service (DoS) attack, which seeks to deny service (or availability) of a system.

Confidentiality, integrity, and availability are sometimes at opposition: locking your data in a safe and throwing away the key may help confidentiality and integrity, but harms availability. That is the wrong answer: our mission as information security professionals is to balance the needs of confidentiality, integrity, and availability, and make tradeoffs as needed. One sure sign of an information security rookie is throwing every confidentiality and integrity control at a problem, while not addressing availability. Properly balancing these concepts, as shown in Figure 2.3, is not easy, but worthwhile endeavors rarely are.

The CIA triad may also be described by its opposite: Disclosure, Alteration, and Destruction (DAD). Disclosure is unauthorized release of information; alteration is the unauthorized modification of data, and destruction is making systems or data unavailable. While the order of the individual components of the CIA acronym sometimes changes, the DAD acronym is shown in that order.

Identity is a claim: if your name is “Person X,” you identify yourself by saying “I am Person X.” Identity alone is weak because there is no proof. You can also identify yourself by saying “I am Person Y.” Proving an identity claim is called authentication: you authenticate the identity claim, usually by supplying a piece of information or an object that only you possess, such as a password in the digital world, or your passport in the physical world.

Authorization describes the actions you can perform on a system once you have been identified and authenticated. Actions may include reading, writing, or executing files or programs. If you are an information security manager for a company with a human resources database, you may be authorized to view your own data and perhaps some of your employees’ data (such as accrued sick time or vacation time). You would not be authorized to view the CIO’s salary.

Accountability holds users accountable for their actions. This is typically done by logging and analyzing audit data. Enforcing accountability helps keep “honest people honest.” For some users, knowing that data is logged is not enough to provide accountability: they must know that the data is logged and audited, and that sanctions may result from violation of policy.

Gross negligence is the opposite of due care. It is a legally important concept. If you suffer loss of PII, but can demonstrate due care in protecting the PII, you are on legally stronger ground, for example. If you cannot demonstrate due care (you were grossly negligent), you are in a much worse legal position.

The most common of the major legal systems is that of civil law, which is employed by many countries throughout the world. The system of civil law leverages codified laws or statutes to determine what is considered within the bounds of law. Though a legislative branch typically wields the power to create laws there will still exist a judicial branch that is tasked with interpretation of the existing laws. The most significant difference between civil and common law is that, under civil law, judicial precedents and particular case rulings do not carry the weight they do under common law.

Common law is the legal system used in the United States, Canada, the United Kingdom, and most former British colonies, amongst others. As we can see by the short list above, English influence has historically been the main indicator of common law being used in a country. The primary distinguishing feature of common law is the significant emphasis on particular cases and judicial precedents as determinants of laws. Though there is typically also a legislative body tasked with the creation of new statutes and laws, judicial rulings can, at times, supersede those laws. Because of the emphasis on judges’ interpretations there is significant possibility that as society changes over time, so too can judicial interpretations change in kind.

Religious law serves as the third of the major legal systems. Religious doctrine or interpretation serves as a source of legal understanding and statutes. However, the extent and degree to which religious texts, practices, or understanding are consulted can vary greatly. While Christianity, Judaism, and Hinduism have all had significant influence on national legal systems, Islam serves as the most common source for religious legal systems. Though there is great diversity in its application throughout the world, Sharia is the term used for Islamic law and it uses the Qur’an and Hadith as its foundation.

Though Customary Law is not considered as important as the other major legal systems described above, it is important with respect to information security. Customary law refers to those customs or practices that are so commonly accepted by a group that the custom is treated as a law. These practices can be later codified as laws in the more traditional sense, but the emphasis on prevailing acceptance of a group is quite important with respect to the concept of negligence, which, in turn, is important in information security. The concept of “best practices” is closely associated with Customary Law.

Criminal law pertains to those laws where the victim can be seen as society itself. While it might seem odd to consider society the victim when an individual is murdered, the goal of criminal law is to promote and maintain an orderly and law abiding citizenry. Criminal law can include penalties that remove an individual from society by incarceration or, in some extreme cases in some regions, death. The goals of criminal law are to deter crime and to punish offenders.

In addition to civil law being a major legal system in the world, it also serves as a type of law within the common law legal system. Another term associated with civil law is tort law, which deals with injury (loosely defined), resulting from someone violating their responsibility to provide a duty of care. Tort law is the primary component of civil law, and is the most significant source of lawsuits that seek damages.

Administrative law or regulatory law is law enacted by government agencies. The executive branch (deriving from the Office of the President) enacts administrative law in the United States. Government-mandated compliance measures are administrative laws.

Evidence is one of the most important legal concepts for information security professionals to understand. Information security professionals are commonly involved in investigations, and often have to obtain or handle evidence during the investigation. Some types of evidence carry more weight than others; however, information security professionals should attempt to provide all evidence, regardless of whether that evidence proves or disproves the facts of a case. While there are no absolute means to ensure that evidence will be allowed and helpful in a court of law, information security professionals should understand the basic rules of evidence. Evidence should be relevant, authentic, accurate, complete, and convincing. Evidence gathering should emphasize these criteria.

Evidence must be reliable. It is common during forensic and incident response investigations to analyze digital media. It is critical to maintain the integrity of the data during the course of its acquisition and analysis. Checksums can ensure that no data changes occurred as a result of the acquisition and analysis. One-way hash functions such as MD5 or SHA-1 are commonly used for this purpose. The hashing algorithm processes the entire disk or image (every single bit), and a resultant hash checksum is the output. After analysis is completed the entire disk can again be hashed. If even one bit of the disk or image has changed then the resultant hash checksum will differ from the one that was originally obtained.

In addition to the use of integrity hashing algorithms and checksums, another means to help express the reliability of evidence is by maintaining chain of custody documentation. Chain of custody requires that once evidence is acquired, full documentation be maintained regarding the who, what, when and where related to the handling of said evidence. Initials and/or signatures on the chain of custody form indicate that the signers attest to the accuracy of the information concerning their role noted on the chain of custody form.

The Fourth Amendment to the United States Constitution protects citizens from unreasonable search and seizure by the government. In all cases involving seized evidence, if a court determines the evidence was obtained illegally then it will be inadmissible in court. In most circumstances in order for law enforcement to search a private citizen’s property both probable cause and a search warrant issued by a judge are required. The search warrant will specify the area that will be searched and what law enforcement is searching for.

Another topic closely related to the involvement of law enforcement in the investigative process deals with the concepts of entrapment and enticement. Entrapment is when law enforcement, or an agent of law enforcement, persuades someone to commit a crime when the person otherwise had no intention to commit a crime. Entrapment can serve as a legal defense in a court of law, and, therefore, should be avoided if prosecution is a goal. A closely related concept is enticement. Enticement could still involve agents of law enforcement making the conditions for commission of a crime favorable, but the difference is that the person is determined to have already broken a law or is intent on doing so. The question as to whether the actions of law enforcement will constitute enticement or entrapment is ultimately up to a jury. Care should be taken to distinguish between these two terms.

One aspect of the interaction of information security and the legal system is that of computer crimes. Applicable computer crime laws vary throughout the world, according to jurisdiction. However, regardless of region, some generalities exist. Computer crimes can be understood as belonging loosely to three different categories based upon the way in which computer systems relate to the wrongdoing: computer systems as targets; computer systems as a tool to perpetrate the crime; or computer systems involved but incidental. The last category occurs commonly because computer systems are such an indispensable component of modern life. The other two categories are more significant:

Trademarks are associated with marketing: the purpose is to allow for the creation of a brand that distinguishes the source of products or services. A distinguishing name, logo, symbol, or image represents the most commonly trademarked items. In the United States two different symbols are used with distinctive marks that an individual or organization is intending to protect. The superscript TM symbol can be used freely to indicate an unregistered mark, and is shown in Figure 2.8.

Patents provide a monopoly to the patent holder on the right to use, make, or sell an invention for a period of time in exchange for the patent holder’s making the invention public. During the life of the patent, the patent holder can, through the use of civil litigation, exclude others from leveraging the patented invention. Obviously, in order for an invention to be patented, it should be novel and unique. The length that a patent is valid (the patent term) varies throughout the world, and also by the type of invention being patented. Generally, in both Europe and the United States the patent term is 20 years from the initial filing date. Upon expiration of a patent the invention is publicly available for production.

Copyright represents a type of intellectual property that protects the form of expression in artistic, musical, or literary works, and is typically denoted by the circle c symbol as shown in Figure 2.10. The purpose of copyright is to preclude unauthorized duplication, distribution, or modification of a creative work. Note that the form of expression is protected rather than the subject matter or ideas represented. The creator or author of a work is, by default, the copyright holder at the time of creation, and has exclusive rights regarding the distribution of the copyrighted material. Even though there is an implied copyright granted to the author at the time of creation, a more explicit means of copyright exists. A registered copyright is one in which the creator has taken the trouble to file the copyright with the Copyright Office, in the United States, and provides a more formal means of copyright than that of the implied copyright of the author.

Software licenses are a contract between a provider of software and the consumer. Though there are licenses that provide explicit permission for the consumer to do virtually anything with the software, including modifying it for use in another commercial product, most commercial software licensing provides explicit limits on the use and distribution of the software. Software licenses such as end-user license agreements (EULAs) are an unusual form of contract because using the software typically constitutes contractual agreement, even though a small minority of users read the lengthy EULA.

The final form of intellectual property that will be discussed is the concept of trade secrets. Trade secrets are business-proprietary information that is important to an organization’s ability to compete. The easiest to understand trade secrets are of the “special sauce” variety. Kentucky Fried Chicken could suffer catastrophic losses if another fried chicken shop were able to crack Colonel Sanders’ secret blend of 11 herbs and spices that result in the “finger licking goodness” we have all grown to know and love. Although the “special sauces” are very obviously trade secrets, any business information that provides a competitive edge, and is actively protected by the organization can constitute a trade secret. The organization must exercise due care and due diligence in the protection of their trade secrets. Some of the most common protection methods used are non-compete and non-disclosure agreements (NDA). These methods require that employees or other persons privy to business confidential information respect the organization’s intellectual property by not working for an organization’s competitor or disclosing this information in an unauthorized manner. Lack of reasonable protection of trade secrets can make them cease to be trade secrets. If the organization does not take reasonable steps to ensure that the information remains confidential, then it is reasonable to assume that the organization must not derive a competitive advantage from the secrecy of this information.

Though attacks upon intellectual property have existed since at least the first profit driven intellectual creation, the sophistication and volume of attacks has only increased with the growth of portable electronic media and Internet-based commerce. Well-known intellectual property attacks are software piracy and copyright infringement associated with music and movies. Both have grown easier with increased Internet connectivity and growth of piracy enabling sites, such as The Pirate Bay, and protocols such as BitTorrent. Other common intellectual property attacks include attacks against trade secrets and trademarks. Trade secrets can be targeted in corporate espionage schemes and also are prone to be targeted by malicious insiders. Because of the potentially high value of the targeted trade secrets, this type of intellectual property can draw highly motivated and sophisticated attackers.

The European Union has taken an aggressive pro-privacy stance, while balancing the needs of business. Commerce would be impacted if member nations had different regulations regarding the collection and use of personally identifiable information. The EU Data Protection Directive allows for the free flow of information while still maintaining consistent protections of each member nation’s citizens’ data. The principles of the EU Data Protection Directive are:

The Organization for Economic Cooperation and Development (OECD), though often considered exclusively European, consists of 30 member nations from around the world. The members, in addition to prominent European countries, include such countries as the United States, Mexico, Australia, Japan, and the Czech Republic. The OECD provides a forum in which countries can focus on issues that impact the global economy. The OECD will routinely issue consensus recommendations that can serve as an impetus to change current policy and legislation in the OECD member countries and beyond.

An interesting aspect of the EU Data Protection Directive is that the personal data of EU citizens may not be transmitted, even when permitted by the individual, to countries outside of the EU unless the receiving country is perceived by the EU to adequately protect their data. This presents a challenge regarding the sharing of the data with the United States, which is perceived to have less stringent privacy protections. To help resolve this issue, the United States and European Union created the safe harbor framework that will give US based organizations the benefit of authorized data sharing. In order to be part of the safe harbor, US organizations must voluntarily consent to data privacy principles that are consistent with the EU Data Protection Directive.

All governments have a wealth of personally identifiable information on their citizens. The Privacy Act of 1974 was created to codify protection of US citizens’ data that is being used by the federal government. The Privacy Act defined guidelines regarding how US citizens’ personally identifiable information would be used, collected, and distributed. An additional protection was that the Privacy Act provides individuals with access to the data being maintained related to them, with some national security oriented exceptions.

Title 18 United States Code Section 1030, which is more commonly known as the Computer Fraud and Abuse Act, was originally drafted in 1984, but still serves as an important piece of legislation related to the prosecution of computer crimes. The law has been amended numerous times most notably by the USA PATRIOT Act and the more recent Identity Theft Enforcement and Restitution Act of 2008, which is too new to be included in the exam at the time of this writing.

The USA PATRIOT Act of 2001 was passed in response to the attacks on the US that took place on September 11, 2001. The full title is “Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act,” but it is often simply called the “Patriot Act.” The main thrust of the Patriot Act that applies to information security professionals addresses less stringent oversight of law enforcement regarding data collection. Wiretaps have become broader in scope. Searches and seizures can be done without immediate notification to the person whose data or property might be getting seized. An additional consideration is the Patriot Act amended the Computer Fraud and Abuse Act to strengthen the penalties for those convicted of attempting to damage a protected computer such that up to 20 years in prison could be served, assuming a second offense.

One of the more important regulations is HIPAA, the Health Insurance Portability and Accountability Act that was developed in the United States in 1996. HIPAA is a large and complex set of provisions that required changes in the health care industry. The Administrative Simplification portion, Title II, contains the information most important to information security professionals and includes the Privacy and Security Rules. The Administrative Simplification portion applies to what are termed covered entities, which includes health plans, healthcare providers, and clearinghouses. See the note below for additional information regarding HIPAA’s applicability.

At present, over 47 US states have enacted breach notification laws (see: http://www.ncsl.org/issues-research/telecom/security-breach-notification-laws.aspx). There have been attempts at passing a general federal breach notification law in the United States, but these efforts have been unsuccessful thus far. Although it would be impossible to make blanket statements that would apply to all of the various state laws, there are some themes common to quite a few of the state laws that are quickly being adopted by organizations concerned with adhering to best practices.

A common way of ensuring security is through the use of Service Level Agreements, or SLAs. The SLA identifies key expectations that the vendor is contractually required to meet. SLAs are widely used for general performance expectations, but are increasingly leveraged for security purposes as well. SLAs primarily address availability.

Larger providers and more discerning customers regularly look to attestation as a means of ensuring that some level of scrutiny has been applied to the organization’s security posture. Information security attestation involves having a 3^rd party organization review the practices of the service provider and make a statement about the security posture of the organization. The goal of the service provider is to provide evidence that they should be trusted. Typically, a 3^rd party provides attestation after performing an audit of the service provider against a known baseline. However, another means of attestation that some service providers will offer is in the form of penetration test reports from assessments conducted by a 3^rd party.

Though 3^rd party attestation is commonly being offered by vendors as a way to verify they are employing sound security practices, some organizations still would prefer to derive their own opinion as to the security of the 3^rd party organization. The Right to Penetration Test and Right to Audit documents provide the originating organization with written approval to perform their own testing or have a trusted provider perform the assessment on their behalf. Typically, there will be limitations on what the pen testers or auditors are allowed to use or target, but these should be clearly defined in advance.

The first, and therefore most important, canon of the (ISC)^2® Code of Ethics requires the information security professional to “protect society, the commonwealth, and the infrastructure.”[7] The focus of the first canon is on the public and their understanding and faith in information systems. Security professionals are charged with the promoting of safe security practices and bettering the security of systems and infrastructure for the public good.

Policies are high-level management directives. Policy is mandatory: if you do not agree with your company’s sexual harassment policy, for example, you do not have the option of not following it.

A procedure is a step-by-step guide for accomplishing a task. They are low level and specific. Like policies, procedures are mandatory.

A standard describes the specific use of technology, often applied to hardware and software. “All employees will receive an ACME Nexus-6 laptop with 2 gigabytes of memory, a 2.8 GHZ dual core CPU, and 300-gigabyte disk” is an example of a hardware standard. “The laptops will run Windows 7 Professional, 32-bit version” is an example of a software (operating system) standard.

Guidelines are recommendations (which are discretionary). A guideline can be a useful piece of advice, such as “To create a strong password, take the first letter of every word in a sentence, and mix in some numbers and symbols. ‘I will pass the CISSP® exam in 6 months!’ becomes ‘Iwptcei6m!’ ”

Baselines are uniform ways of implementing a standard. “Harden the system by applying the Center for Internet Security Linux benchmarks” is an example of a baseline (see http://benchmarks.cisecurity.org/en-us/?route=default for the Security Benchmarks division of the Center for Internet Security; they are a great resource). The system must meet the baseline described by those benchmarks.

Security awareness and training are often confused. Awareness changes user behavior; training provides a skill set.

Organizations should conduct a thorough background check before hiring an individual. A criminal records check should be conducted, and all experience, education and certifications should be verified. Lying or exaggerating about education, certifications, and related credentials is one of the most common examples of dishonesty in regards to the hiring process.

Termination should result in immediate revocation of all employee access. Beyond account revocation, termination should be a fair process. There are ethical and legal reasons for employing fair termination, but there is also an additional information security advantage. An organization’s worst enemy can be a disgruntled former employee, who, even without legitimate account access, knows where the “weak spots are.” This is especially true for IT personnel.

Vendors, Consultants and Contractors can introduce risks to an organization. They are not direct employees, and sometimes have access to systems at multiple organizations. If allowed to, they may place an organization’s sensitive data on devices not controlled (or secured) by the organization.

Outsourcing is the use of a third party to provide Information Technology support services that were previously performed in-house. Offshoring is outsourcing to another country.

The Asset value (AV) is the value of the asset you are trying to protect. In this example, each laptop costs $2500, but the real value is the PII. Theft of unencrypted PII has occurred previously, and has cost the company many times the value of the laptop in regulatory fines, bad publicity, legal fees, staff hours spent investigating, etc. The true average Asset Value of a laptop with PII for this example is $25,000 ($2500 for the hardware, and $22,500 for the exposed PII).

The Exposure Factor (EF) is the percentage of value an asset lost due to an incident. In the case of a stolen laptop with unencrypted PII, the Exposure Factor is 100%: the laptop and all the data are gone.

The Single Loss Expectancy (SLE) is the cost of a single loss. SLE is the Asset Value (AV) times the Exposure Factor (EF). In our case, SLE is $25,000 (Asset Value) times 100% (Exposure Factor), or $25,000.

The Annual Rate of Occurrence (ARO) is the number of losses you suffer per year. Looking through past events, you discover that you have suffered 11 lost or stolen laptops per year on average. Your ARO is 11.

The Annualized Loss Expectancy (ALE) is your yearly cost due to a risk. It is calculated by multiplying the Single Loss Expectancy (SLE) times the Annual Rate of Occurrence (ARO). In our case, it is $25,000 (SLE) times 11 (ARO), or $275,000.

Some risks may be accepted: in some cases, it is cheaper to leave an asset unprotected due to a specific risk, rather than make the effort (and spend the money) required to protect it. This cannot be an ignorant decision: the risk must be considered, and all options must be considered before accepting the risk.

Mitigating the risk means lowering the risk to an acceptable level. Lowering risk is also called “risk reduction,” and the process of lowering risk is also called “reduction analysis.” The laptop encryption example given in the previous Annualized Loss Expectancy section is an example of mitigating the risk. The risk of lost PII due to stolen laptops was mitigated by encrypting the data on the laptops. The risk has not been eliminated entirely: a weak or exposed encryption password could expose the PII, but the risk has been reduced to an acceptable level.

Transferring the risk is sometimes referred to as the “insurance model.” Most people do not assume the risk of fire to their house: they pay an insurance company to assume that risk for them. The insurance companies are experts in Risk Analysis: buying risk is their business. If the average yearly monetary risk of fire to 1000 homes is $500,000 ($500/house), and they sell 1000 fire insurance policies for $600/year, they will make 20% profit. That assumes the insurance company has accurately evaluated risk, of course.

A thorough Risk Analysis should be completed before taking on a new project. If the Risk Analysis discovers high or extreme risks that cannot be easily mitigated, avoiding the risk (and the project) may be the best option.