Security provided by IT systems can be defined as the IT system's ability to protect the confidentiality and integrity of processed data, as well as to provide availability of the system (and subsequently of the processing of data). Together these are referred to as the CIA characteristics (= qualities).
The two most widely regarded standards that specifically treat IT security are the ISO 27001 standard (successor of ISO 17799) and some of the NIST 800 standard series. Both definitions mention other qualities beyond confidentiality, integrity and availability (CIA); however, the latter three are generally considered the foundational security qualities. Additional attributes like authenticity, accountability and non-repudiation can be considered subsets of the foundational qualities.
Information security is defined as the preservation of confidentiality, integrity and availability of information; in addition, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved [ISO/IEC 17799:2005]
Information system security is a system characteristic and a set of mechanisms that span the system both logically and physically. The five security goals are integrity, availability, confidentiality, accountability, and assurance.
New Oxford American Dictionary:
Security is the state of being free from danger or threat.
The definition of security as provided by the Oxford dictionary does not translate readily into IT terms. In IT we have accepted that there is no purely risk-free state: whatever we do (or do not do) carries a risk.
We suggest that the definition of "IT Security" in the context of OSA is:
As you have seen in the definitions above, ISO and NIST both talk about information system security, and the cores of their definitions are quite similar. But don't be misled: it takes a whole lot more to assure the security qualities for information in general than for an information system alone. Information can be processed and transferred through many different channels and in many forms, for example on paper, over telephone lines, or simply in a meeting discussion.
Means to achieve IT Security
Because the threat agents and the threat strengths are often not known or cannot be quantified, it can be very difficult to determine the right level of defense. Another consequence is that "Security is an objective perception".
In a later article we talk a lot more about IT controls and how we determine the right amount and quality.