Overview

The CIA triad

The base of all security measures are the so called security goals. Those 3 main goals are also called the CIA triad:

  • Protect the confidentiality of information – Information is only available to authorized people. As you can imagine, it’s very difficult and sometimes impossible to detect a loss in confidentiality, because data does not show that it’s been read by unauthorized people.
  • Preserve the integrity of data – Data can only be changed in legitimate ways by authorized people. While unauthorized people can easily be blocked by access control mechanisms, it’s not so easy to ensure that authorized people do changes only in legitimate ways (consider an employee of your company who has full access to your databases).
  • Promote the availability of data for authorized use – Authorized people can access data in reasonable time.

 

In addition to those 3 main security goals there are many further goals who can be derived from those main goals. I want to mention the following additional security goals:

  • Authenticity of data – The origin (sender, creator) and also the integrity of the data can be proven
  • Prevent misuse – Prevent authorized people from changing, deleting or sharing data with unauthorized people.
  • Non Repudiation – Communication partners can prove and are not able to deny their identity. It should also be impossible to deny the receiving or sending of data.
  • Legal security – It can be proven that all important laws and contracts are strictly adhered to. This can only be proven by logging all necessary information needed for close reasoning. It important that those logs are available anytime and can’t be manipulated posterior.

 

Limitations

Implementing IT Security in your company has limitations and has to be done as a process. You should be aware of the following limitations:

  1. There is no such thing as absolute Security – The level of Security also depends much on the expenses. While at a low level of security it is possible to increase the level with little expenses, it costs huge amounts of money to increase the security level if you are already at a high level. Therefore it’s good to talk about the Target Security Level and the actual Archived Security Level.
  2. Once you’ve reached your targeted Security level, it won’t last long – Hackers don’t sleep, so there will be always new kinds of threats which make your measures worthless. So you have to adapt.
  3. An archived Security level is only valid for a well defined scope – For implementing a security concept you need to define the system, infrastructure and business processes this concept is valid for. This is called scope in the ISO/IEC 27001. Because companies are changing over time (especially Startups) also your scope will change. So you have to adapt.
  4. Establishing a certain Security level only works in a sensitized environment – When left on their own, people tend to make the worst Security decisions. Many different studies show that people can be easily tricked into give up the secrets which technologies use to secure systems. Therefore the managers and employees need to have awareness.

 

Security is a process

The limitations above show that you can’t just say: “We have implemented IT Security into our company”. You can’t reach the state “Secure”. Security is a variable which needs to be well-maintained.

If you’ve reached your targeted Security level you still have to work to preserve this level. Without any kind of management this is a difficult task – even for very small companies with just two or three employees. Therefore it’s necessary to implement Security as a process into your company. Only this way your can preserve and/or enhance your Security level. A popular way to ensure such a continuous improvement is the PCDA (Plan, do, check, act) cycle. I will go into detail later, but  if you’ve never heard about PCDA you should definitely check out the corresponding Wikipedia page.

PS: Don’t be afraid of the term “process”. I know, you are a Startup and you don’t need all the different kinds of corporate processes, where each process step takes hours, days or weeks and a whole tone of documentation.

I write about a lean security process and this is a very light weight process. Nevertheless it’s important to have some key elements, like a process responsible, process goals, a strategy, a procedure and some kind of monitoring and management.