Information Security Fundamentals: Risk, Access, and Compliance
Risk Management Principles
Risk: The probability of an unwanted occurrence, such as an adverse event or loss. A common shorthand is Risk = Threat * Vulnerability: if either factor is absent (no threat agent, or no exploitable weakness) there is no risk. The risk analysis phase refines this into Likelihood * Impact.
Risk Management Process
The management of uncertainty within an organization as it relates to information systems. The goal is to maintain a balance between the benefits of information systems (IS) and the risks associated with IS.
Risk Management Phases
The Risk Management process comprises two main stages:
- Risk Assessment (Phases 1-3)
- Risk Control (Phase 4)
These stages involve four key activities:
- Risk Identification
- Risk Analysis
- Risk Evaluation
- Risk Treatment
Key Risk Terminology
- Risk Tolerance: The amount of risk an organization is willing to accept for a particular information asset.
- Residual Risk: The amount of risk remaining after controls or safeguards have been applied to a particular information asset.
- Risk Appetite: The quantity and nature of overall risk that an organization is willing to accept (approximately the sum of all risk tolerances).
Risk Management Phases in Detail
1. Identify Risk
This phase involves understanding the assets, threats, and vulnerabilities.
- Classifying Information Assets:
  - U.S. Government: Top Secret, Secret, Confidential
  - Non-Government: Public, For Official Use Only (Internal), Confidential (Sensitive)
  - Human Asset Security Clearances: Authorization levels or classification levels for personnel.
- Prioritizing Information Assets (Rank Ordering):
  - List information assets.
  - Select criteria for evaluation.
  - Specify the criteria weights.
  - Assess each asset against the criteria.
  - Calculate the weighted average.
  - Rank order assets by score.
- Threat Assessment: Evaluation of potential threats to information assets.
- Vulnerability Assessment: Identification of specific avenues that threat agents can exploit to attack an information asset.
At the end of the risk identification process, the output is a prioritized list of information assets together with the vulnerabilities identified for each.
2. Risk Assessment / Risk Analysis
Assess the relative risk for each vulnerability and assign a risk rating or score to each information asset.
- Likelihood: The overall rating or probability that a vulnerability will be exploited or attacked.
- Impact: The potential consequences of a successful attack.
- Risk Determination: Calculated as Likelihood of threat event occurrence * Impact +/- element of uncertainty.
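The rank-ordering procedure from the identification phase and the Likelihood * Impact determination above, carried through in code. This is an added example, not part of the original notes: the criteria, weights, assets, and vulnerability estimates are constructed for illustration, and the treatment of the "element of uncertainty" as a pessimistic multiplier is an assumption of the example.

```python
from dataclasses import dataclass

# Assumed evaluation criteria and weights (must sum to 1.0); constructed for illustration.
CRITERIA_WEIGHTS = {
    "impact_to_revenue": 0.5,
    "impact_to_reputation": 0.3,
    "criticality_to_operations": 0.2,
}

# Constructed asset inventory: each asset scored 0-100 against every criterion.
ASSETS = {
    "customer_db":    {"impact_to_revenue": 90, "impact_to_reputation": 95, "criticality_to_operations": 80},
    "public_website": {"impact_to_revenue": 60, "impact_to_reputation": 80, "criticality_to_operations": 40},
    "hr_file_share":  {"impact_to_revenue": 20, "impact_to_reputation": 70, "criticality_to_operations": 30},
}


def weighted_score(scores, weights=CRITERIA_WEIGHTS):
    """Steps 2-5 of rank ordering: weighted average of one asset's criterion scores."""
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("criteria weights must sum to 1.0")
    missing = set(weights) - set(scores)
    if missing:
        raise ValueError(f"asset not assessed against {sorted(missing)}")
    return round(sum(scores[c] * w for c, w in weights.items()), 2)


def rank_assets(assets, weights=CRITERIA_WEIGHTS):
    """Step 6: rank order assets by weighted score, highest first."""
    ranked = [(name, weighted_score(scores, weights)) for name, scores in assets.items()]
    return sorted(ranked, key=lambda item: item[1], reverse=True)


@dataclass
class Vulnerability:
    asset: str
    name: str
    likelihood: float          # probability (0.0-1.0) that the vulnerability is exploited
    impact: float              # consequence of a successful attack, scored 0-100
    uncertainty: float = 0.0   # fraction of confidence lacking in the estimate (0.1 = 10%)


def risk_score(vuln):
    """Risk determination: Likelihood * Impact, adjusted for the element of uncertainty.
    Assumption of this example: the adjustment is applied on the pessimistic side, so a
    poorly understood risk ranks higher rather than lower."""
    if not 0.0 <= vuln.likelihood <= 1.0:
        raise ValueError("likelihood must be a probability between 0 and 1")
    if not 0.0 <= vuln.uncertainty < 1.0:
        raise ValueError("uncertainty must be a fraction in [0, 1)")
    return round(vuln.likelihood * vuln.impact * (1.0 + vuln.uncertainty), 2)


def prioritised_vulnerabilities(vulns):
    """Output of risk analysis: (asset, vulnerability, risk rating), highest risk first."""
    rated = [(v.asset, v.name, risk_score(v)) for v in vulns]
    return sorted(rated, key=lambda item: item[2], reverse=True)


# Constructed findings from the threat and vulnerability assessments.
VULNS = [
    Vulnerability("customer_db", "unpatched DBMS", likelihood=0.3, impact=95, uncertainty=0.1),
    Vulnerability("public_website", "no rate limiting on login", likelihood=0.6, impact=40),
    Vulnerability("hr_file_share", "everyone-writable share", likelihood=0.5, impact=50, uncertainty=0.2),
]

if __name__ == "__main__":
    for name, score in rank_assets(ASSETS):
        print(f"{name:15} weighted score {score:6.2f}")
    for asset, vuln, score in prioritised_vulnerabilities(VULNS):
        print(f"{asset:15} {vuln:28} risk {score:6.2f}")
```

Note that the asset ranking and the vulnerability ranking disagree: the HR share ranks last as an asset but second by risk, because its weak likelihood estimate carries a 20% uncertainty penalty. That is exactly the kind of result the evaluation phase has to reconcile against risk appetite.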
3. Risk Evaluation
Comparing an information asset’s risk rating to the numerical representation of the organization’s risk appetite to determine if risk treatment is needed.
4. Risk Treatment
Strategies to address identified risks:
- Mitigate: Reduce the risk by implementing additional controls.
- Transfer: Offload the risk to another asset, process, or entity (e.g., insurance).
- Accept: Do nothing more to reduce the risk, acknowledging the potential consequences.
- Terminate / Avoid: Remove the source of risk from the service or discontinue the activity.
Security Controls
Any action or product that reduces risk through the elimination or lessening of threats or vulnerabilities.
Security Control Categories
- Administrative: Policies, procedures, regulations, and requirements.
  - Examples: Hiring practices, data classification, Security Education, Training, and Awareness (SETA) programs.
- Technical: Hardware and software solutions.
  - Examples: Intrusion Detection Systems (IDS), Access Control Lists (ACLs), smartcards, biometric devices.
- Physical: Tangible items and environmental controls.
  - Examples: Guard dogs, fences, lights, locks.
Common Control Types
- Preventative: Stop unwanted or unauthorized activity from occurring. Examples: Fences, separation of duties policies.
- Detective: Discover or detect unwanted or unauthorized activity after it has occurred. Examples: Guards, system log reviews, cameras, reports.
- Corrective: Return systems to normal and attempt to correct problems resulting from a security incident. Examples: Antivirus software, backup and restore plans.
- Recovery: Extend corrective controls through more advanced or complex abilities. Examples: Backup/restore systems, antimalware software, alternate process facilities.
- Deterrent: Discourage unwanted actions. Examples: Locks, guards, and policies.
- Directive: Direct, confine, or control the actions of subjects to force or encourage compliance with security policies. Examples: Posters, signs, monitoring, supervision, procedures.
- Compensating: Aid or provide options to existing controls; can be in addition to, or in place of, another control.
NIST Risk Management Framework
A structured approach to managing security and privacy risks.
- Prepare: Essential activities to prepare the organization to manage security and privacy risks.
- Categorize: Categorize the system and information processed, stored, and transmitted based on impact analysis.
- Select: Select the set of NIST SP 800-53 controls to protect the system based on risk assessment.
- Implement: Implement the controls and document how controls are deployed.
- Assess: Assess to determine if the controls are in place, operating as intended, and producing the desired results.
- Authorize: A senior official makes a risk-based decision to authorize the system.
- Monitor: Continuously monitor control implementation and risks to the system.
Access Controls
Mechanisms to regulate user access to assets, control what users can do once given access, and hold users responsible for their actions. By controlling access, the Confidentiality, Integrity, and Availability (CIA) of assets are maintained.
Access Control Process
The process of granting or denying specific requests for access.
Access Control Implementations
- Administrative: Policies, behavioral controls.
- Physical: Network segmentation, perimeter security, work area separation.
- Technical: Firewalls, Intrusion Detection Systems.
Access Control Components
- Object: A specific resource (e.g., file, database).
- Subject: A user or process functioning on behalf of a user (e.g., a computer user).
- Operation: An action taken by the subject over an object (e.g., read, write, execute).
Access Control Approaches
- Non-Discretionary: Controlled by the organization (e.g., Lattice-Based, Mandatory, Role-Based).
- Discretionary: Controlled by the user (e.g., file permissions set by the owner).
Access Control Models
- Discretionary Access Control (DAC):
  - The least restrictive model.
  - Owners have total control over their objects.
  - Relies on a decision by the end-user to set the proper level of security.
- Mandatory Access Control (MAC):
  - The most restrictive access control model.
  - The user has no freedom to set any controls or distribute access to other subjects.
  - Labels: Every entity (object) is assigned a classification label representing its relative importance. Subjects (users) are assigned a clearance label.
- Role-Based Access Control (RBAC):
  - Rules are based on organizational roles.
  - Individuals are given access to the resources needed for their specific role.
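The three models side by side as decision functions. This is an added example, not from the original notes: the lattice levels, roles, users and objects are constructed, and the MAC rule used (read permitted only when the subject's clearance dominates the object's classification in both level and compartments, the classic "no read up" check) is an assumption of the example rather than something the notes specify.

```python
from dataclasses import dataclass, field

# Constructed classification lattice: a higher number dominates a lower one.
LEVELS = {"Public": 0, "Internal": 1, "Confidential": 2}


@dataclass(frozen=True)
class Label:
    """A classification (on objects) or a clearance (on subjects)."""
    level: str
    compartments: frozenset = frozenset()   # need-to-know categories, e.g. {"HR"}

    def dominates(self, other):
        """True when this label is at least as high and covers all of other's compartments."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)


# --- Mandatory Access Control: the system enforces labels; no user can override them.
def mac_can_read(clearance, classification):
    """Assumption of this example: 'no read up' (read allowed only when the
    subject's clearance dominates the object's classification)."""
    return clearance.dominates(classification)


# --- Discretionary Access Control: the owner sets an ACL on their own object.
@dataclass
class DacObject:
    name: str
    owner: str
    acl: dict = field(default_factory=dict)   # user -> set of permitted operations

    def grant(self, actor, user, operations):
        """Only the owner may change the ACL: discretion rests with the owner."""
        if actor != self.owner:
            raise PermissionError(f"{actor} does not own {self.name}")
        self.acl.setdefault(user, set()).update(operations)


def dac_can(obj, user, operation):
    return user == obj.owner or operation in obj.acl.get(user, set())


# --- Role-Based Access Control: permissions attach to roles, users to roles.
ROLE_PERMISSIONS = {                      # constructed role definitions
    "analyst":  {("read", "siem_logs")},
    "engineer": {("read", "siem_logs"), ("write", "siem_logs"), ("read", "firewall_config")},
    "admin":    {("delete", "siem_logs"), ("write", "firewall_config")},
}
USER_ROLES = {"alice": {"analyst"}, "bob": {"engineer", "admin"}}


def rbac_can(user, operation, resource):
    """Allowed if any of the user's roles carries (operation, resource)."""
    return any((operation, resource) in ROLE_PERMISSIONS.get(role, set())
               for role in USER_ROLES.get(user, set()))


if __name__ == "__main__":
    hr_clearance = Label("Confidential", frozenset({"HR"}))
    print(mac_can_read(hr_clearance, Label("Internal")))                                  # True
    print(mac_can_read(Label("Internal"), Label("Confidential")))                         # False: read up
    print(mac_can_read(Label("Confidential"), Label("Confidential", frozenset({"HR"}))))  # False: no need to know
    report = DacObject("q3_report.docx", owner="carol")
    report.grant("carol", "dave", {"read"})
    print(dac_can(report, "dave", "read"), dac_can(report, "dave", "write"))              # True False
    print(rbac_can("alice", "read", "siem_logs"), rbac_can("alice", "delete", "siem_logs"))  # True False
```

The third MAC call is the point worth noticing: a Confidential clearance without the HR compartment is refused a Confidential HR document, so the label check enforces need to know as well as level. In the DAC object, by contrast, nothing stops carol from granting dave read access to anything she owns, which is why DAC is the least restrictive model.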
Four Fundamental Subprocesses of Access Control (IAAA)
1. Identification
The process where the user requests access and provides something that indicates who they are (e.g., User ID, Smart Card).
- Identity Management: The management of the identity lifecycle for entities.
2. Authentication
A process where the user provides proof to confirm their identity, and it is verified.
Authentication Factors
- Something You Know (Weakest):
  - Password: A secret word or number combination.
  - Passphrase: Typically longer than a password, a plain language phrase from which a virtual password is derived. Example: “MayTheForceBeWithYouAlways” might be represented as the virtual password “MTFBWYA.”
  - Virtual Password: A stream of characters generated by taking elements from an easily remembered phrase.
- Something You Have (Stronger):
  - Dumb Cards: An authentication card that contains digital user data, which is compared to user input.
  - Smart Cards: Similar to dumb cards, but contain a computer chip to verify and validate several pieces of information rather than just one.
- Something You Are (Strongest):
  - Biometric Access Control: Uses physiological characteristics to provide authentication for provided identification (e.g., fingerprint, facial recognition).
    - False Acceptance Rate (FAR): The rate at which unauthorized users are incorrectly verified.
    - False Rejection Rate (FRR): The rate at which authorized users are incorrectly denied.
    - Crossover Error Rate (CER): The point where the false rejection rate equals the false acceptance rate.
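How FAR, FRR and CER relate in practice: both rates are functions of the matcher's acceptance threshold, and tightening it trades false rejections for false acceptances. This is an added example, not part of the original notes; the matcher scores are constructed (ten genuine and ten impostor attempts) and a real evaluation would use thousands.

```python
# Constructed matcher scores (higher = stronger match): genuine attempts by enrolled
# users and impostor attempts by other people. Ten of each, for illustration only.
GENUINE_SCORES = [0.92, 0.88, 0.85, 0.81, 0.79, 0.76, 0.73, 0.69, 0.64, 0.58]
IMPOSTOR_SCORES = [0.21, 0.28, 0.33, 0.39, 0.44, 0.49, 0.55, 0.61, 0.66, 0.72]


def false_acceptance_rate(impostor_scores, threshold):
    """FAR: fraction of impostor attempts the system accepts (score >= threshold)."""
    return sum(1 for s in impostor_scores if s >= threshold) / len(impostor_scores)


def false_rejection_rate(genuine_scores, threshold):
    """FRR: fraction of genuine attempts the system rejects (score < threshold)."""
    return sum(1 for s in genuine_scores if s < threshold) / len(genuine_scores)


def error_curve(genuine, impostor, steps=100):
    """(threshold, FAR, FRR) for every threshold from 0.00 to 1.00."""
    return [(i / steps,
             false_acceptance_rate(impostor, i / steps),
             false_rejection_rate(genuine, i / steps))
            for i in range(steps + 1)]


def crossover_error_rate(genuine, impostor, steps=100):
    """Threshold at which FAR and FRR are closest, and the CER there.
    Returns (threshold, far, frr, cer); cer is the mean of the two rates at the
    crossover (they are exactly equal on this data; a real curve would interpolate)."""
    threshold, far, frr = min(error_curve(genuine, impostor, steps),
                              key=lambda row: abs(row[1] - row[2]))
    return threshold, far, frr, (far + frr) / 2


def tune_for_max_far(genuine, impostor, max_far, steps=100):
    """Security-first tuning: the lowest threshold whose FAR is within budget,
    reported with the FRR (user friction) that choice costs."""
    for threshold, far, frr in error_curve(genuine, impostor, steps):
        if far <= max_far:
            return threshold, far, frr
    raise ValueError("no threshold meets the FAR budget on this data")


if __name__ == "__main__":
    t, far, frr, cer = crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"CER {cer:.2f} at threshold {t:.2f} (FAR {far:.2f}, FRR {frr:.2f})")
    t, far, frr = tune_for_max_far(GENUINE_SCORES, IMPOSTOR_SCORES, max_far=0.0)
    print(f"zero-FAR threshold {t:.2f} rejects {frr:.0%} of genuine users")
```

On this data the crossover sits at threshold 0.65 with FAR = FRR = 0.2; pushing FAR to zero requires a threshold of 0.73 and turns away 30% of legitimate attempts. A lower CER means a better sensor, but the deployed threshold is a policy choice about which error the organization would rather pay for.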
Strong Authentication
- Multifactor Authentication (MFA): The use of two or more different authentication factors (e.g., something you know plus something you have) to add a layer of security. Two instances of the same factor, such as a password and a PIN, do not count as multifactor.
3. Authorization
Determining whether a subject is allowed to have specific types of access to a particular resource. This includes the process of granting access privileges.
- Least Privilege: Users should only be given the required functionality needed for their job.
4. Accountability / Audit
A process that monitors, tracks, and records access attempts and use (supported by system logs). It ensures all actions on a system (authorized and unauthorized) can be attributed to an authenticated identity.
Other Mechanisms to Control Access
- Constrained Interface: Restricts what a user can see or do; the interface is dependent on their privileges (e.g., Canvas).
- Content-Dependent Control: Restricts access to data based on the content of an object (e.g., a database view, preventing users from seeing all data).
- Context-Dependent Control: Requires specific circumstances or prior activity before granting access (e.g., date/time restrictions, quizzes on Canvas, or progression through purchasing content before download).
- Temporal (Time-Based) Control: Access to information is limited by a time of day (e.g., time-release safes).
Zero Trust Architecture
Focuses on protecting assets and services, assuming no inherent trust is granted based on user accounts, physical location, or network connectivity. Every access request is verified, regardless of where it originates. It replaces the traditional perimeter model, which divides the network into trust zones:
- Internal / Trusted Network: A corporate local area network (LAN).
- Internet / Untrusted Network: Anything beyond the perimeter/gateway router.
- Demilitarized Zone (DMZ): A buffer zone separating an internal trusted network from the untrusted internet. DMZs host services (e.g., Web, DNS, VPN, Email) to which access is required from the untrusted network.
Firewall Technologies
Firewalls filter or prevent specific information from moving between the untrusted (outside) network and the trusted (inside) network, chiefly by examining packet headers; application-aware products also inspect the payload.
- Packet Filtering Firewall:
  - Stateless Packet Filtering: Permits or denies each packet on its own header fields (addresses, ports, protocol) against conditions set by the administrator, with no memory of previous packets.
    - Static Packet Filtering: A firewall that requires the manual creation, sequencing, and modification of rules.
    - Dynamic Packet Filtering: A firewall type that can react to network traffic and dynamically create or modify its configuration rules.
  - Stateful Packet Filtering / Stateful Packet Inspection (SPI): Keeps a record of the state of each connection in a state table, which expedites filtering and lets the firewall admit only traffic that belongs to a connection it has already approved, in addition to administrator-defined conditions.
- Application-Aware Firewalls: Identify the applications that send packets through the firewall and make decisions about appropriate actions.
- Web Application Firewall (WAF): A special type of application-aware firewall that performs deep packet inspection of HTTP traffic.
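Why the state table matters, shown with a toy filter. This is an added example, not from the original notes: the rule layout, the packet fields and the three packets are constructed, and the requirement that a new TCP flow begin with a bare SYN is an assumption of the example. A stateless filter that lets clients reach HTTPS servers must also admit inbound packets with source port 443 so that replies get back; a stateful filter needs only the outbound rule, because it recognizes replies from its state table.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "out": inside -> outside, "in": outside -> inside
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""  # TCP only: "S" = SYN, "SA" = SYN-ACK, "A" = ACK


# Administrator-defined stateless rules, first match wins, default deny.
# Tuple layout: (direction, proto, allowed dports or None, allowed sports or None, action).
STATELESS_RULES = [
    ("out", "tcp", {443}, None, "allow"),   # inside clients may reach HTTPS servers
    ("in",  "tcp", None, {443}, "allow"),   # replies come from port 443, so let those in
]


def stateless_decide(pkt, rules=STATELESS_RULES):
    """Each packet is judged on its own header; the filter remembers nothing."""
    for direction, proto, dports, sports, action in rules:
        if (pkt.direction == direction and pkt.proto == proto
                and (dports is None or pkt.dport in dports)
                and (sports is None or pkt.sport in sports)):
            return action
    return "deny"


class StatefulFilter:
    """Stateful packet inspection: a state table records flows the policy allowed,
    and inbound packets are admitted only when they belong to a recorded flow."""

    def __init__(self, rules):
        self.rules = rules          # policy for NEW flows only; no reply rules needed
        self.table = set()          # 5-tuples of approved flows

    def decide(self, pkt):
        flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if flow in self.table or reverse in self.table:
            return "allow"                       # part of a connection already vetted
        if stateless_decide(pkt, self.rules) != "allow":
            return "deny"
        # Assumption of this example: a new TCP flow must begin with a bare SYN.
        if pkt.proto == "tcp" and pkt.flags != "S":
            return "deny"
        self.table.add(flow)
        return "allow"


def run_scenario():
    """Constructed traffic: one legitimate HTTPS session, then an unsolicited inbound
    SYN to port 22 that spoofs source port 443 to slip through the stateless reply rule."""
    client_syn = Packet("out", "tcp", "10.0.0.5", 51000, "203.0.113.10", 443, "S")
    server_synack = Packet("in", "tcp", "203.0.113.10", 443, "10.0.0.5", 51000, "SA")
    attacker_syn = Packet("in", "tcp", "198.51.100.7", 443, "10.0.0.5", 22, "S")

    stateful = StatefulFilter(rules=STATELESS_RULES[:1])   # only the outbound policy
    results = {}
    for name, pkt in [("client_syn", client_syn), ("server_synack", server_synack),
                      ("attacker_syn", attacker_syn)]:
        results[name] = (stateless_decide(pkt), stateful.decide(pkt))
    return results


if __name__ == "__main__":
    for name, (stateless, stateful) in run_scenario().items():
        print(f"{name:14} stateless={stateless:5} stateful={stateful}")
```

Both filters pass the client's SYN and the server's SYN-ACK. The attacker's packet is the difference: the stateless rule set allows it because its source port is 443, while the stateful filter denies it because no inside host ever opened a connection to 198.51.100.7.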
Virtual Private Networks (VPNs)
Private and secure network connections operating over a public and insecure network, using encryption to protect data between endpoints. VPNs securely extend an organization’s internal network connections to remote locations.
Deperimeterization
The concept that there is no clear information security boundary between an organization and the outside world. This means the organization must be prepared to protect its information both inside and outside its digital walls.
Security and Personnel Management
Employee Lifecycle Security
- Job Descriptions & Interviews: Avoid revealing specific access privileges to potential employees when advertising open positions.
- Background Checks: Conducted after extending an offer; details and depth vary (e.g., drug history, identity checks, credit history).
- Employment Contracts: Security policies often require employees to agree in writing (e.g., Non-Disclosure Agreements).
- New Hire Orientation & Training: Briefing on policies, procedures, and requirements for information security.
- Evaluating Performance: Incorporate security components into employee performance evaluations.
- Employee Termination: A critical process to secure assets.
  - Disable the employee’s system access.
  - Return all removable media and technology.
  - Change locks and revoke key cards.
  - Employee escorted from the premises.
  - Conduct an exit interview and gather employment feedback.
Types of Employee Departures
- Hostile/Involuntary: Termination, downsizing, layoff, resignation.
- Friendly/Voluntary: Retirement, promotion, relocation (handled amicably).
Exit Interview
A meeting with employees leaving the organization to remind them of contractual obligations and obtain feedback about their tenure.
Non-Traditional Personnel Security
- Temporary Employees: May not be subject to the same contractual obligations or general policies; access should be limited to only what is necessary to perform duties.
- Contract Employees: The host company often contracts with a partner organization rather than directly with an individual.
- Consultants: Contracts should specify all requirements for information or facility access before entering the workplace (e.g., pre-screening, escorting, and Non-Disclosure Agreements).
- Business Partners: May be related to strategic alliances for information exchange, system integration, or operational discussions. This requires meticulous determination of what information is to be exchanged, with whom, and often involves Non-Disclosure Agreements.
Regulating Behavior for Security
Organizational practices to enforce security and prevent misuse.
- Separation of Duties: Requiring that critical, significant, and sensitive work tasks be divided into sub-steps, with each completed by a separate individual. This ensures no single individual can commit fraud or make a mistake and cover it up.
- Two-Person Control: Requiring consensus by a second party before finalizing critical, significant, and sensitive work tasks; guarantees peer review. This ensures no single person has unrestricted access or can unilaterally review or approve work.
- Job Rotation / Task Rotation: Cross-training employees into multiple roles/tasks. This ensures more than one person can perform each job, enables schedule flexibility, increases workforce competencies, and decreases employee burnout. Because a colleague will eventually perform the same tasks, it also increases the likelihood of timely detection of confidentiality, integrity, or availability (CIA) breaches or fraud.
- Mandatory Vacation: Annual vacations lasting at least one week, during which someone else performs the absent employee's duties. Its security purpose is detection: employees know their work will be reviewed in their absence, so ongoing fraud or concealed errors are more likely to surface.
- Need to Know: Taking steps to ensure that individuals have access to only the data needed for their job, defining what assets they can access. This increases the likelihood that confidentiality is maintained and is a permissions-focused access control.
- Least Privilege: Taking steps to ensure that individuals or systems have only the privileges needed for their jobs, defining what users can do with an asset once they access it. This increases the likelihood that confidentiality and integrity are maintained and is a privilege-focused access control.
Policies, Laws, and Ethics in Information Security
- Policies: Managerial directives that specify acceptable and unacceptable employee behavior in the workplace (violations may lead to termination).
- Laws: Rules that mandate or prohibit certain behavior and are enforced by the state (violations may lead to legal penalties).
- Ethics: Regulate and define socially acceptable behavior (something ethical isn’t always legal, and something legal isn’t always ethical).
Key Regulations and Standards
- Health Insurance Portability and Accountability Act (HIPAA): Protects the privacy and security of individually identifiable health information.
- Family Educational Rights and Privacy Act (FERPA): Protects the privacy of student education records.
- Gramm-Leach-Bliley Act (GLBA): Protects the privacy of personal financial and insurance information.
- Sarbanes-Oxley (SOX): Increased financial recordkeeping requirements, leading to stricter accountability and internal controls on information systems.
- Payment Card Industry Data Security Standard (PCI DSS): Offers a standard of performance to which organizations processing payment cards must comply. It provides a baseline of technical and operational requirements designed to protect account data.
Data Aggregation and Privacy
- Aggregate Information: Collective data that relates to a group of people, often anonymized to prevent individual identification.
- Information Aggregation: Pieces of non-private data that, when combined, may create information that violates privacy.
Unethical and Illegal Behavior
Reasons for such behavior often fall into categories of Ignorance, Accident, and Intent. Unethical computer use often includes:
- Software license infringement.
- Illicit use of corporate resources.
- Misuse of corporate resources.
Deterring Unethical and Illegal Behavior
Prevention is most successful through methods of deterrence: laws, policies, and technical controls. Effective laws and policies must include three things:
- Fear of penalty.
- Probability of being apprehended.
- Likelihood that the penalty will be applied.
Legal and Ethical Concepts
- Cultural Mores: The fixed moral attitudes or customs of a particular group.
- Liability: An entity’s legal obligation or responsibility.
- Restitution: Legal requirement to make compensation or payment resulting from a loss.
- Due Care: Measures that an organization takes to ensure it is in compliance with a law, regulation, or requirement.
- Due Diligence: Measures taken to ensure that organizations continue to meet the obligations imposed by laws, regulations, and requirements; it is the management of due care.
- Jurisdiction: The power to make legal decisions and judgments; the domain or area within which an entity, such as a court or law enforcement agency, is empowered to make legal decisions and perform legal actions.
- Privacy: In the context of information security, the right of individuals or groups to protect themselves and their information from unauthorized access, thereby providing confidentiality.
Information Security Finance
Key metrics for assessing financial risk in information security.
- Asset Value (AV): Calculated from the costs of purchase, maintenance, and usefulness of an asset (monetary value).
- Exposure Factor (EF): Percentage of the asset's value expected to be lost from a single realized risk (0-100%).
- Single Loss Expectancy (SLE): Expected monetary loss to an asset from a single occurrence of a specific threat. Formula: SLE = AV * EF.
- Annualized Rate of Occurrence (ARO): Expected frequency of a specific threat occurrence in a single year (may be fractional, e.g., 0.1 for once in ten years).
- Annualized Loss Expectancy (ALE): Yearly cost of all instances of a specific realized threat against a specific asset. Formula: ALE = SLE * ARO.
- Annual Cost of Safeguard (ACS): Annualized cost of deploying and operating a safeguard (monetary value).
- Cost-Benefit Analysis (CBA): Evaluates the financial benefit of implementing a safeguard. Formula: CBA = (ALE1 – ALE2) – ACS, where ALE1 is the Annualized Loss Expectancy before the safeguard is applied, and ALE2 is the Annualized Loss Expectancy with the safeguard. A positive result means the safeguard saves more per year than it costs; a negative result means it is not cost-justified on this basis alone.
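The SLE, ALE and CBA formulas applied to one scenario and used to compare candidate safeguards, plus the break-even figure (the largest ACS a given risk reduction can justify). This is an added example, not from the original notes; the asset value, exposure factors, occurrence rates and safeguards are constructed.

```python
from dataclasses import dataclass


def single_loss_expectancy(asset_value, exposure_factor):
    """SLE = AV * EF, with EF as a fraction of the asset's value (0.0-1.0)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle, aro):
    """ALE = SLE * ARO; ARO may be fractional (0.1 = once in ten years)."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def cost_benefit(ale_before, ale_after, annual_cost_of_safeguard):
    """CBA = (ALE1 - ALE2) - ACS. Positive means the safeguard pays for itself."""
    return (ale_before - ale_after) - annual_cost_of_safeguard


@dataclass
class Safeguard:
    name: str
    annual_cost: float    # ACS: purchase amortized over its life plus yearly operation
    new_ef: float         # exposure factor once the safeguard is in place
    new_aro: float        # rate of occurrence once the safeguard is in place


def evaluate_safeguards(asset_value, ef, aro, safeguards):
    """Return [(name, ALE2, CBA)] sorted by CBA, best first."""
    ale_before = annualized_loss_expectancy(single_loss_expectancy(asset_value, ef), aro)
    rows = []
    for sg in safeguards:
        ale_after = annualized_loss_expectancy(
            single_loss_expectancy(asset_value, sg.new_ef), sg.new_aro)
        rows.append((sg.name, round(ale_after, 2),
                     round(cost_benefit(ale_before, ale_after, sg.annual_cost), 2)))
    return sorted(rows, key=lambda row: row[2], reverse=True)


def max_justified_spend(asset_value, ef, aro, new_ef, new_aro):
    """The ACS at which CBA reaches zero: the most worth paying for this risk reduction."""
    before = annualized_loss_expectancy(single_loss_expectancy(asset_value, ef), aro)
    after = annualized_loss_expectancy(single_loss_expectancy(asset_value, new_ef), new_aro)
    return round(before - after, 2)


# Constructed scenario: a 500,000 asset; ransomware is expected to destroy 40% of its
# value and to hit every other year (ARO 0.5).
ASSET_VALUE, EF, ARO = 500_000, 0.40, 0.5
SAFEGUARDS = [
    Safeguard("offline backups", annual_cost=30_000, new_ef=0.10, new_aro=0.5),
    Safeguard("EDR + segmentation", annual_cost=90_000, new_ef=0.05, new_aro=0.1),
    Safeguard("gold-plated rebuild", annual_cost=120_000, new_ef=0.0, new_aro=0.0),
]

if __name__ == "__main__":
    sle = single_loss_expectancy(ASSET_VALUE, EF)
    print(f"SLE {sle:,.0f}  ALE1 {annualized_loss_expectancy(sle, ARO):,.0f}")
    for name, ale2, cba in evaluate_safeguards(ASSET_VALUE, EF, ARO, SAFEGUARDS):
        print(f"{name:20} ALE2 {ale2:>10,.0f}  CBA {cba:>10,.0f}")
    print("break-even ACS for backups:",
          max_justified_spend(ASSET_VALUE, EF, ARO, 0.10, 0.5))
```

With ALE1 at 100,000, offline backups return a CBA of 45,000 and would still break even at an ACS of 75,000; the gold-plated option eliminates the loss entirely but costs more per year than the loss it prevents, so on this analysis it should be rejected even though it is the "most secure" choice.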