Topic: Foundation Concepts

In Chapter 3 the word “Trust” is defined as related to information security.  Based on your understanding of securing your environment, what are some of the common safeguards your recommend to ensure trust is viable in your organization.

Example: USE ONLY AS EXAMPLE

Hello everyone,

This week we are discussing trust and how is it best defined in relation to information security. Throughout my time in the military, I have heard the phrase, “special trust and confidence” more times than I can count to include during each promotion ceremony for myself or other military members. This phrase is included due to the trust that senior leadership is giving to those promoting service members as they take on additional responsibility and management roles. Additionally, for Federal, State, and Department of Defense employees that require a security clearance to perform certain duties, a similar phrase can be found due to the need to appropriately safeguard information for the sake of national security. While much of the responsibility falls on the individual to remain “trustworthy”, a certain percentage of responsibility must also fall on the company or entity that issues such trust, in the event the trust in the person is either misplaced or misjudged. Therefore, other mechanisms must be set in place to limit the potential for damage in the event an individual is deemed not to be trustworthy. Some common examples include physical security mechanisms such as the use of multi-factor authentication, high-security locks, intrusion detection systems, and the practice of securing any and all sensitive information in safes. (Jacobs, 2015) Additional safeguard include deterrence methods such as administrative policies and having employees sign acceptable use policies. For access to classified or sensitive information, one such safeguard method we learned about in the week one reading was the utilization of the Bell-LaPadula model, of which employed the “no write down, no read up approach”. (Jacobs, 2015) Other safeguard methods include the use of rule-based, role-based, and access control lists to limit the potential for not-trustworthy actions to occur. There is also asymmetric encryption, which utilizes both a public and a private key for the sender and receiver. (Jacobs, 2015)

-Chris

Reference:

Jacobs, S. (2015). Engineering information security: The application of systems engineering concepts to achieve information assurance. John Wiley & Sons, Incorporated.