Premises for information security

Information security means protecting all information, systems, services, and data communication appropriately. Information security concerns us all, whether we are talking aloud or managing it on paper or on the computer. Everyone must follow the basic rules for information security, even if we might think we do not have anything to protect personally.

In information security, the issues are mostly about confidentiality, integrity, availability, and authenticity. This page will discuss these premises of information security.

Confidentiality

Raymond Keskivarsen has a laptop computer at home. His friend Alisa wants to use Raymond’s e-mail account to send a message. How should Raymond proceed in this situation?

a) Raymond should give Alisa his username and password.
b) Raymond should ask Alisa to use her own e-mail account with her own username and password.

The principle of confidentiality means that data (like passwords) and systems (like e-mail) should be used only by persons who are authorised to use them. In the example above, Raymond should not give his password, even to his girlfriend, because that would encroach on the confidentiality of the password he has received from UH. Basically, confidentiality is about not giving outsiders the possibility to change or destroy data, or any access to them at all.

Integrity

Raimo uses an old PC which crashes regularly. A presentation he had been working on went through a complete makeover as a result of these crashes. Once 17 rows went missing from the end of the document, although Raimo thought that he had saved the document a moment before the computer crashed. On another occasion, the numbers in the document’s charts had changed to an unreadable mess.

The principle of integrity means that data and systems should be reliable, correct and up-to-date, and that they will not change or be changed due to hardware or software defects, natural phenomena or human intervention. Integrity can be ensured with e.g. information updates and regular back-up copies.

Availability

A friend of Raymond’s, Alisa Torsioni, must send a transcript of her studies to her own country on the 1st May AT THE LATEST. Since Raymond and Alisa have decided to spend Labour Day together, Alisa does not send her transcript until 1st May at 23.30. It is Alisa’s bad luck that the e-mail system she uses does not respond to her requests at all.

In the example above, Alisa’s data  security is threatened when it comes to availability, since the e-mail system does not respond to her numerous requests.

The availability principle means that the information and services of a system are available to authorized users inside a time period specified beforehand.

Authentication

When Raymond uses the Internet from home, he can use most services without identifying himself as Raymond Keskivarsen. Since UH offers information services like online dictionaries to its students, Raymond does have to identify himself before using those services.

Authentication means reliable identification between system and user. Variable keywords, passwords and certificates are used for authentication.