Security provided by IT Systems can be defined as the IT system’s ability to being able to protect confidentiality and integrity of processed data. as well as to be able to provide availability of system (and subsequently the processed of data). Together they are referred to as the CIA characteristics (= qualities).

Definitions:

The two most regarded standards that specifically treat IT security are the ISO 27001 standard (successor of the ISO 17799) as well as some of the NIST 800 standard series. Both definitions mention other qualities beyond confidentiality, integrity and availability (CIA), however the latter three are generally considered as the foundational security qualities. Additional attributes like authenticity, accountability and non-repudiation can be considered as subsets of the foundational qualities.

ISO 27001

Information security is defined as the preservation of confidentiality, integrity and availability of information; in addition, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved [ISO/IEC 17799:2005]

NIST 800-30

Information system security is a system characteristic and a set of mechanisms that span the system both logically and physically. The five security goals are integrity, availability, confidentiality, accountability, and assurance.

New Oxford American Dictionary:

Security is the state of being free from danger or threat.

The definition of security as provided by the Oxford dictionary does not translate readily into IT terms. In IT we have accepted that there is no pure risk free state, whatever we do (or not do ) carries a risk.

We suggest that definition of "IT Security" in the context of OSA is:

Security provided by IT Systems can be defined as the IT system’s ability to being able to protect confidentiality and integrity of processed data, provide availability of the system and data, accountability for transactions processed, and assurance that the system will continue to perform to its design goals.

Related concepts

As you have seen in the definitions above ISO and NIST both talk about information system security and the core of their definitions are pretty similar. But don’t be misled, it takes a whole lot more to assure the security qualities for information in general, than only for an information system. Information can be processed and transferred in many different channels and forms, for example on paper, on the telephone lines or simply in a meeting discussion.

The first link below leads to the most extensive taxonomy effort that we have seen. In that paper you will see that trustworthiness is defined as in security plus dependability. In a later article we will discuss the terms trust and trustworthiness.

Other related concepts are threats and risks. In IT security a risk is the potential to lose one or several of the key qualities we have described above, and is mostly defined as product of likelihood multiplied by impact costs. A threat is the source of any risk, in other words something that triggers a risk. To describe a threat we use the terms threat agent and threat strength. For example a threat agent may be a hacker, and his strength is determined by his motivation and his means. Another example of a threat agent could be a member of the operating staff, that acts negligently, the threat strength is inversely related to her motivation to deliver quality work and her know-how.

Means to achieve IT Security

Because the threat agents and the threat strengths are often not known or cannot be quantified, it can be very difficult to determine the right level of defense. Another consequence becomes that “Security is an objective perception”.

Generally when we talk about our protection or defense we refer to a certain amount of counter-measures, we also refer to them as “controls”. A control can be technical such as a firewall or an anti-virus solution, or it can be process such as change management or incident management. Controls can aim at achieving different goals: we distinguish between preventative, detective, and reactive controls. An illustration of these types is a Safe (Preventative), Alarm System (Detective), and Security Guards (Reactive). The control types can be blended for comprehensive protection at reasonable cost. In the example above we may reduce spending on the safe (20mins protection instead of 40) by spending a little more on the alarm system, and increasing the frequency of the guards patrols.

In a later article we talk a lot more about IT controls and how we determine the right amount and quality.

Link

Taxonomy: http://www.cs.ncl.ac.uk/research/pubs/articles/papers/666.pdf

NIST: http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf

ISO: http://www.iso27001security.com/html/iso27000.html