2 The Basics of Information Security

rapid rate, and specific implementations arise on a seemingly daily basis, much of the theory that discusses how we go about keeping ourselves secure changes at a much slower pace and does not always keep up with the changes to our technology. If we can gain a good understanding of the basics of information security, we are on a strong footing to cope with changes as they come along.

What is security?

Information security is defined as “protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction,” according to U.S. law [1]. In essence, it means we want to protect our data and our systems from those who would seek to misuse it.

In a general sense, security means protecting our assets. This may mean protecting them from attackers invading our networks, natural disasters, adverse environmental conditions, power failures, theft or vandalism, or other undesirable states. Ultimately, we will attempt to secure ourselves against the most likely forms of attack, to the best extent we reasonably can, given our environment.

When we look at what exactly it is that we secure, we may have a broad range of potential assets. We can consider physical items that we might want to secure, such as those of inherent value (e.g., gold bullion) or those that have value to our business (e.g., computing hardware). We may also have items of a more ethereal nature, such as software, source code, or data. In today’s computing environment, we are likely to find that our logical assets are at least as valuable as, if not more than, our physical assets. Additionally, we must also protect the people who are involved in our operations. People are our single most valuable asset, as we cannot generally conduct business without them. We duplicate our physical and logical assets and keep backup copies of them elsewhere against catastrophe occurring, but without the skilled people to operate and maintain our environments, we will swiftly fail.

In our efforts to secure our assets, we must also consider the consequences of the security we choose to implement. There is a well-known quote that says, “The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards—and even then I have my doubts” [2]. Although we could certainly say that a system in such a state could be considered reasonably secure, it is surely not usable or productive. As we increase the level of security, we usually decrease the level of productivity. With the system mentioned in our quote, the level of security would be very high, but the level of productivity would be very near zero.

Additionally, when securing an asset, system, or environment, we must also consider how the level of security relates to the value of the item being secured. We can, if we are willing to accommodate the decrease in performance, apply very high levels of security to every asset for which we are responsible. We can build a billion-dollar facility surrounded by razor wire fences and patrolled by armed guards and vicious attack dogs, and carefully