What is Information Security? CHAPTER 1 11

impact. If we consider the value of the asset being threatened to be a factor, this may change whether we see a risk as being present or not. If we revisit our example of lost backup tape and stipulate that the unencrypted backup tapes contain only our collection of chocolate chip cookie recipes, we may not actually have a risk. The data being exposed would not cause us a problem, as there was nothing sensitive in it, and we can make additional backups from the source data. In this particular case, we might safely say that we have no risk.

Controls

In order to help us mitigate risk, we can put measures in place to help ensure that a given type of threat is accounted for. These measures are referred to as controls. Controls are divided into three categories: physical, logical, and administrative.

Physical

Physical controls are those controls that protect the physical environment in which our systems sit, or where our data is stored. Such controls also control access in and out of such environments. Physical controls logically include items such as fences, gates, locks, bollards, guards, and cameras, but also include systems that maintain the physical environment such as heating and air conditioning systems, fire suppression systems, and backup power generators.

Although at first glance, physical controls may not seem like they would be integral to information security, they are actually one of the more critical controls with which we need to be concerned.
If we are not able to physically protect our systems and data, any other controls that we can put in place become irrelevant. If an attacker is able to physically access our systems, he can, at the very least, steal or destroy the system, rendering it unavailable for our use in the best case. In the worst case, he will have access directly to our applications and data and will be able to steal our information and resources, or subvert them for his own use.

Logical

Logical controls, sometimes called technical controls, are those that protect the systems, networks, and environments that process, transmit, and store our data. Logical controls can include items such as passwords, encryption, logical access controls, firewalls, and intrusion detection systems.

Logical controls enable us, in a logical sense, to prevent unauthorized activities from taking place. If our logical controls are implemented properly and are successful, an attacker or unauthorized user cannot access our applications and data without subverting the controls that we have in place.

Administrative

Administrative controls are based on rules, laws, policies, procedures, guidelines, and other items that are “paper” in nature. In essence, administrative