IT Security
Security provided by IT systems can be defined as the system's ability to protect the confidentiality and integrity of the data it processes and to provide availability of the system and that data. Together these three properties are the CIA triad.
Definitions
- ISO/IEC 27001:2022 (terms defined in ISO/IEC 27000)
  - Information security is the preservation of confidentiality, integrity and availability of information; in addition, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved.
- NIST SP 800-53 Rev 5
  - Information system security encompasses the system characteristics and set of mechanisms that span the system both logically and physically. The security objectives are integrity, availability, confidentiality, accountability, and assurance.
- OSA
  - The IT system's ability to protect confidentiality and integrity of processed data, provide availability of the system and data, accountability for transactions processed, and assurance that the system will continue to perform to its design goals.
Related Concepts
Related concepts include threats and risks. A risk is the potential to lose one or more of the key qualities described above; it is usually scored as likelihood multiplied by impact. A threat is the source of a risk: something that, if it acts, turns the potential loss into an actual one. A threat is described by its threat agent (who or what), threat vector (how), and threat impact (the consequence).
Controls
When we talk about protection or defence we refer to countermeasures, also called controls. A control can be technical (a firewall, encryption, access control) or process-based (change management, incident response, security awareness training). Classified by when they act, controls are preventative, detective, or reactive. A classic analogy: a safe (preventative) stops the theft from happening, an alarm system (detective) notices the attempt, and security guards (reactive) respond to it. Earlier revisions of NIST SP 800-53 labelled each control as Management, Operational, or Technical; Rev 4 dropped that class label, and Rev 5 groups its controls into 20 families such as Access Control (AC) and Incident Response (IR). OSA maps 315 NIST 800-53 Rev 5 controls across 50+ security patterns.
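As an added illustration of the three control classes (example code, not from this page or from OSA), the following Python models a toy login service: a network allow-list that blocks requests before authentication runs (preventative), an audit-log scan that flags repeated failures (detective), and an account lockout applied in response to the alert (reactive). The user store, IP addresses and failure threshold are constructed sample values.

```python
"""Preventative, detective and reactive controls on a toy login service.

Added illustration; all users, addresses and thresholds are constructed
sample values, not taken from any real system.
"""
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed credential store (hypothetical user). A real system stores
# password hashes, not plaintext; kept simple so the control logic is visible.
USERS = {"alice": "correct horse battery staple"}


@dataclass
class LoginService:
    allowed_prefixes: tuple = ("10.0.0.",)          # trusted network (constructed)
    log: List[dict] = field(default_factory=list)   # audit trail
    locked: Set[str] = field(default_factory=set)   # accounts under lockout

    def login(self, user: str, password: str, src_ip: str) -> str:
        """Return 'ok', 'locked', or a 'denied:<reason>' string."""
        if user in self.locked:
            self.log.append({"user": user, "src_ip": src_ip, "outcome": "locked"})
            return "locked"
        # Preventative control (the safe): requests from outside the trusted
        # network never reach password checking at all.
        if not src_ip.startswith(self.allowed_prefixes):
            self.log.append({"user": user, "src_ip": src_ip, "outcome": "blocked"})
            return "denied:network"
        ok = user in USERS and hmac.compare_digest(USERS[user], password)
        self.log.append({"user": user, "src_ip": src_ip,
                         "outcome": "success" if ok else "failure"})
        return "ok" if ok else "denied:password"


def detect_bruteforce(log: List[dict], threshold: int = 3) -> Dict[str, int]:
    """Detective control (the alarm): scan the audit log after the fact and
    report source addresses with at least `threshold` failed logins."""
    failures: Dict[str, int] = {}
    for event in log:
        if event["outcome"] == "failure":
            failures[event["src_ip"]] = failures.get(event["src_ip"], 0) + 1
    return {ip: n for ip, n in failures.items() if n >= threshold}


def respond(service: LoginService, alerts: Dict[str, int]) -> Set[str]:
    """Reactive control (the guards): lock every account that an alerted
    source address attacked, and return the set of accounts locked."""
    targeted = {e["user"] for e in service.log
                if e["outcome"] == "failure" and e["src_ip"] in alerts}
    service.locked |= targeted
    return targeted


def demo():
    """Drive the three controls in order; returns (login results, alerts, locked)."""
    svc = LoginService()
    results = [svc.login("alice", "guess", "203.0.113.5")]       # stopped by the safe
    for _ in range(3):
        results.append(svc.login("alice", "guess", "10.0.0.7"))  # three failures inside
    alerts = detect_bruteforce(svc.log)                          # alarm fires for 10.0.0.7
    locked = respond(svc, alerts)                                # guards lock alice
    results.append(svc.login("alice", "correct horse battery staple", "10.0.0.7"))
    return results, alerts, locked


if __name__ == "__main__":
    print(demo())
```

The ordering in `demo` is the point of the analogy: the preventative control removes the event entirely, the detective control can only see the three failures after they have happened, and the reactive control acts on what the detective control found. Each later class tolerates more damage than the one before it, which is why the three are layered rather than chosen between.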