Friday, October 26, 2007

Introduction to Computer Security

Computers today are very important, even integral, to all aspects of the activities and operations of organizations and individuals. As we become critically dependent upon computer information systems, we recognize that computers and computer-related problems must be understood and managed, the same as any other resource.

Adequately secure systems deter, prevent, or detect unauthorized disclosure, modification, or use of information. Much of today’s information and data requires protection from intruders, as well as from individuals with authorized computer access privileges who attempt to perform unauthorized actions. Protection is achieved not only by technical, physical and personnel safeguards, but also by clearly articulating and implementing policy regarding authorized system use to information users and processing personnel at all levels.

This e-book introduces information and computer systems security concerns and outlines the issues that must be addressed by those responsible for protecting information systems within their organizations. It describes essential components of an effective information resource protection process that applies to a stand-alone personal computer or to a large data processing facility.

Security protects an information system from unauthorized attempts to access information or interfere with its operation. It is concerned with:

  • Confidentiality: Information is disclosed only to users authorized to access it.
  • Integrity: Information is modified only by users who have the right to do so, and only in authorized ways. It is transferred only between intended users and in intended ways.
  • Accountability: Users are accountable for their security relevant actions.
  • Availability: Use of the system cannot be maliciously denied to authorized users.

Security is enforced using security functionality such as authentication, access control, auditing, encryption and associated administration. In addition, there are constraints on how the system is constructed, for example, to ensure adequate separation of data and functions so objects don't interfere with each other, and separation of users' duties so the damage an individual user can do is limited.

Security is pervasive, affecting many components of a system, including some that are not directly security related. Additional components (an authentication service, for instance) provide services that are specific to security.


Eight Elements of Computer Security

The eight elements of computer security are essential to understand and keep in mind when implementing security practices and procedures. Here they are:

1. Computer security should support the mission of the organization.

The purpose of computer security is to protect an organization's valuable resources, such as information, hardware, and software. Through the selection and application of appropriate safeguards, security helps the organization's mission by protecting its physical and financial resources, reputation, legal position, employees, and other tangible and intangible assets.

2. Computer security is an integral element of sound management.

Information and computer systems are often critical assets that support the mission of an organization. Protecting them can be as critical as protecting other organizational resources, such as money, physical assets, or employees.

3. Computer security should be cost-effective.

The costs and benefits of security should be carefully examined in both monetary and non-monetary terms to ensure that the cost of controls does not exceed expected benefits. Security should be appropriate and proportionate to the value of and degree of reliance on the computer systems and to the severity, probability and extent of potential harm. Requirements for security vary, depending upon the particular computer system. Security benefits do have both direct and indirect costs. Solutions to security problems should not be chosen if they cost more, directly or indirectly, than simply tolerating the problem.

4. Computer security responsibilities and accountability should be made explicit.

The responsibilities and accountability of owners, providers, and users of computer systems and other parties concerned with the security of computer systems should be explicit and defined.

5. System owners have computer security responsibilities outside their own organizations.

If a system has external users, its owners have a responsibility to share appropriate knowledge about the existence and general extent of security measures so that other users can be confident that the system is adequately secure.

6. Computer security requires a comprehensive and integrated approach.

When providing computer security one needs a comprehensive approach that considers a variety of areas both within and outside of the computer security field. This includes interdependencies of security controls and also such factors as system management, legal issues, quality assurance, and internal and management controls. Computer security needs to work with traditional security disciplines including physical and personnel security.

7. Computer security should be periodically reassessed.

System technology and users, data and information in the systems, risks associated with the system and, therefore, security requirements are always changing. In addition, security is never perfect when a system is implemented. System users and operators discover new ways to intentionally or unintentionally bypass or subvert security. Changes in the system or the environment can create new vulnerabilities.

8. Computer security is constrained by societal factors.

The ability of security to support the mission of the organization(s) may be limited by various factors, such as social issues. For example, security and workplace privacy can conflict. Security measures should be implemented recognizing the rights and legitimate interests of others. Rules and expectations change with regard to the appropriate use of security controls and these changes may either increase or decrease security. The relationship between security and societal norms is not necessarily antagonistic. Security can enhance the access and flow of data and information by providing more accurate and reliable information and greater availability of systems.

1 comment:

Jenice said...

Awesome introduction has been provided about computer security. After reading this article I got to know so many ways to secure information. Thanks for all the suggestions.