General Information regarding Information Security
General Information regarding Information Security are defined as below:
1. - Federal Information Security Management Act :
The Federal Information Security Management Act of 2002 is a United States federal law enacted in 2002 as Title III of the E-Government Act of 2002. The act recognized the importance of information security to the economic and national security interests of the United States. The act requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided and managed by agency, contractor, or other source. FISMA has brought attention within the federal government to cybersecurity and explicitly emphasized a ‘risk-based policy for cost-effective security’. FISMA requires agency program officials, chief information officers, and Inspectors Generals (IGs) to conduct annual reviews of the agency’s information security program and report the results to Office of Management and Budget (OMB). OMB uses this data to assist in its oversight responsibilities and to prepare this annual report to Congress on agency compliance with the act.
2. – Personally Identifiable Information (PII) :
Personally Identifiable Information (PII), as used in information security, refers to information that can be used to uniquely identify, contact, or locate a single person or can be used with other sources to uniquely identify a single individual. The abbreviation PII is widely accepted, but the phrase it abbreviates has four common variants based on personal, personally, identifiable, and identifying. Not all are equivalent. The effective definitions vary depending on the jurisdiction, and the purposes for which the term is being used. The US government used personally identifiable in 2007 in a memorandum from the Executive Office of the President, Office of Management and Budget (OMB), and that usage now appears in US standards such as the NIST Guide to Protecting the Confidentiality of Personally Identifiable Information. The OMB memorandum defines PII as follows: Information which can be used to distinguish or trace an individual when combined with other personal or identifying information which is linked or linkable individual’s identity, such as their name, social security number, or biometric records, alone, or to a specific individual, such as date and place of birth, mother’s, maiden name, etc.
3. – Payment Card Industry Data Security Standard (PCI DSS) :
4. – The Gramm-Leach-Bliley Act (GLBA) :
also known as the Financial Services Modernization Act of 1999.
It is an act of the 106th United States Congress (1999-2001) signed into a law by the President Bill Clinton, which repeals part of the Glass-Steagall Act of 1933, opening up the market among banking companies, securities companies, and insurance companies. The Gramm-Leach-Bliley Act allows commercial banks, investment banks, securities firms, and insurance companies to consolidate. This law also provides regulations regarding the way financial institutions handle private information belonging to their clients.
It includes the following 7 titles:
Facilitating affiliation among banks, securities firms, and insurance company
Unitary savings and loan holding companies
Federal home loan bank system modernization
5. - Health Insurance Portability and Accountability Act (HIPAA) :
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 was enacted by the U.S. Congress in 1996. According to the Centers for Medicare and Medicaid Services (CMS) Website, Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs. Title II of HIPAA, known as the Administrative Simplification (AS) provisions, requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers. This is intended to help people keep their information private, though in practice it is normal for providers and health insurance plans to require the waiver of HIPAA rights as a condition of service.
The Administration Simplification provisions also address the security and privacy of health data. The standards are meant to improve the efficiency and effectiveness of the nation’s health care system by encouraging the widespread use of electronic data interchange in the U.S. health care system.
6. - Vulnerability :
The term vulnerability is a weakness, which allows an attacker to reduce a system’s Information Assurance. Vulnerability is an intersection of three elements: a system susceptibility or flaw, attacker’s access to the flaw, and attacker’s capability to exploit the flaw. To be vulnerable, an attacker must have at least one applicable tool or technique, which can connect to a system weakness. In this frame, vulnerability is also known as the attack surface. A security risk may be classified as vulnerability.
What is CIA Traid?
The CIA Triad is a security model for security policy development. and is utilized to identify problem areas and find out solutions for information security. It consists of three tenets of information security:
1. - Confidentiality:
It is a impediment (prevention) of the intentional or unintentional unauthorized disclosure of contents. Some of the components of telecommunications which helps in ensuring confidentiality are as follows:
Network security protocols
Network authentication services
Data encryption services.
2. - Integrity :
It is defined as a degree to which information is up-to-date and error free. The integrity of data can be ensured through encryption techniques. It is basically a guarantee that the message sent is the message received and the message is not intentionally or unintentionally modified.
Components which are used to ensure integrity are as follows:
Communications security management
Intrusion detection services.
3. - Availability :
It is used to ascertain that connectivity is accessible or not when its needed, permitting authorized users to access the networks or the systems.
Components that are used to ascertain availability are Fault tolerance for data availability like backups, Acceptable logins, Reliable and interoperable security processes.