Wednesday, November 28, 2012

Essential Definitions

[Added direct links to sources]

These definitions together as a group collectively represent important fundamentals - underpinnings - to cloud security, cloud audit, and cloud compliance. If you've heard me speak... you've heard me stick to this script. It hasn't changed. The message is the same. The application and context in which I use them happen to be cloud computing.

Security goals
The five security goals are confidentiality, availability, integrity, accountability, and assurance.
SOURCE:  SP800-27-RevA
Security
A condition that results from the establishment and maintenance of protective measures that enable an enterprise to perform its mission or critical functions despite risks posed by threats to its use of information systems.  Protective measures may involve a combination of deterrence, avoidance, prevention, detection, recovery, and correction that should form part of the enterprise’s risk management approach.
SOURCE:  CNSSI-4009
Confidentiality
Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
SOURCE:  SP 800-53; SP 800-53A; SP 800-18; SP800-27-RevA; SP 800-60; SP 800-37; FIPS 200; FIPS 199; 44 U.S.C., Sec. 3542
The property that sensitive information is not disclosed to unauthorized individuals, entities, or processes.
SOURCE:  FIPS 140-2
The property that information is not disclosed to system entities (users, processes, devices) unless they have been authorized to access the information.
SOURCE:  CNSSI-4009
Availability
Ensuring timely and reliable access to and use of information.
SOURCE:  SP 800-53; SP 800-53A; SP800-27; SP 800-60; SP 800-37; FIPS 200; FIPS 199; 44 U.S.C., Sec. 3542
The property of being accessible and useable upon demand by an authorized entity.
SOURCE:  CNSSI-4009
Integrity
Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.
SOURCE:  SP 800-53; SP 800-53A; SP 800-18; SP800-27; SP 800-37; SP 800-60; FIPS 200; FIPS 199; 44 U.S.C., Sec. 3542
The property that sensitive data has not been modified or deleted in an unauthorized and undetected manner.
SOURCE:  FIPS 140-2
The property whereby an entity has not been modified in an unauthorized manner.
SOURCE:  CNSSI-4009
Accountability
The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity.  This supports nonrepudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action.
SOURCE:  SP800-27
Assurance
Grounds for confidence that the other four security goals (integrity, availability, confidentiality, and accountability) have been adequately met by a specific implementation. “Adequately met” includes (1) functionality that performs correctly, (2) sufficient protection against unintentional errors (by users or software), and (3) sufficient resistance to intentional penetration or by-pass.
SOURCE:  SP800-27
The grounds for confidence that the set of intended security controls in an information system are effective in their application.
SOURCE:  SP 800-37; SP 800-53A
Measure of confidence that the security features, practices, procedures, and architecture of an information system accurately mediates and enforces the security policy.
SOURCE:  CNSSI-4009
Information Security
The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.
SOURCE:  SP 800-37; SP 800-53; SP 800-53A; SP 800-18; SP 800-60; CNSSI-4009; FIPS 200; FIPS 199; 44 U.S.C., Sec. 3542
Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide—
1) integrity, which means guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity;
2) confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and
3) availability, which means ensuring timely and reliable access to and use of information.
SOURCE:  SP 800-66; 44 U.S.C., Sec 3542
Continuous Monitoring
The process implemented to maintain a current security status for one or more information systems or for the entire suite of information systems on which the operational mission of the enterprise depends.  The process includes: 1) the development of a strategy to regularly evaluate selected IA controls/metrics, 2) recording and evaluating IA relevant events and the effectiveness of the enterprise in dealing with those events, 3) recording changes to IA controls, or changes that affect IA risks, and 4) publishing the current security status to enable information-sharing decisions involving the enterprise.
SOURCE:  CNSSI-4009