IT Security
Security provided by IT systems can be defined as the system's ability to protect the confidentiality and integrity of processed data and to provide availability of the system and data. Together these three are referred to as the CIA characteristics (qualities).
Definitions
- ISO 27001: Information security is defined as the preservation of confidentiality, integrity and availability of information; in addition, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved.
- NIST 800-30: Information system security is a system characteristic and a set of mechanisms that span the system both logically and physically. The five security goals are integrity, availability, confidentiality, accountability, and assurance.
- OSA: The IT system's ability to protect confidentiality and integrity of processed data, provide availability of the system and data, accountability for transactions processed, and assurance that the system will continue to perform to its design goals.
Related Concepts
Related concepts include threats and risks. In IT security a risk is the potential to lose one or more of the key qualities described above, and is usually defined as the product of likelihood and impact cost. A threat is the source of a risk - something that triggers it. To describe a threat we use the terms threat agent and threat strength.
Controls
When we talk about protection or defense we refer to counter-measures, also called 'controls'. A control can be technical (firewall, anti-virus) or process-based (change management, incident management). Controls can be preventative, detective, or reactive; for example, a safe (preventative), an alarm system (detective), and security guards (reactive). Control types can be blended for comprehensive protection at reasonable cost.