Information Security


Information security is a process designed to achieve and maintain a secure state of the IT environment.

Providing information security is essentially risk management in information technology and the protection of information systems. The process runs as a continuous cycle: from the emergence of a new threat, through its detection and the appearance of a new defence, to the release of an updated version of the product.
The main goal of information security is to secure and protect information, or at least to minimise its loss.
Information security can be classified into two main types: administrative security and IT security (security of information and communications). IT security covers the following areas:

  • antivirus (anti-malware) protection;
  • application protection;
  • product authentication;
  • data loss prevention;
  • identity and access management;
  • intrusion detection and prevention;
  • mobile security;
  • network access control;
  • network firewalls;
  • risk management and policies;
  • remote access security;
  • vulnerability management;
  • web protection;
  • wireless security.
The Orange Book defines six security classes: C1, C2, B1, B2, B3 and A1.

Class C1:
  • The trusted computing base must manage access by named users to unnamed objects;
  • Users must be identified before they can perform any action controlled by the trusted computing base;
  • The trusted computing base must maintain a domain for its own execution that is protected from external interference and from monitoring attempts during operation;
  • Hardware and/or software facilities must be available for periodically checking that the hardware components of the trusted computing base operate correctly;
  • The safeguards must be tested for consistency with the system documentation.

Class C2:
  • Access rights must be clearly defined for users, and all objects must be subject to access control;
  • When an object is returned to the pool of resources of the trusted computing base, all traces of its previous use must be eliminated;
  • Each system user must be uniquely identifiable, and every registered action must be associated with a specific user;
  • The trusted computing base must create, maintain and protect a registration (audit) log of accesses to the objects it controls;
  • Testing must confirm the absence of obvious flaws in the resource isolation mechanisms and in the protection of the registration log.

Class B1:
  • The trusted computing base must manage the security markers (labels) associated with each subject and object;
  • The trusted computing base must enforce compulsory (mandatory) access control for all subjects to all objects;
  • The trusted computing base must provide mutual isolation of processes by separating their address spaces;
  • A group of experts competent in the implementation of the trusted computing base must carry out a rigorous analysis and testing of the architecture description and the resulting object code;
  • There must be a formal or informal model of the security policy supported by the trusted computing base.

Class B2:
  • The trusted computing base must provide a trusted communication path for the user who performs the initial identification and authentication operations;
  • Events that may be used to set up covert (secret) storage channels, i.e. channels that leak information through memory, must be registered in the audit log;
  • The trusted computing base must be internally structured into well-defined, relatively independent modules.

Class B3:
  • For selective (discretionary) access control, access control lists specifying the authorised access modes must be used;
  • Covert (secret) timing channels must be subject to analysis;
  • The role of security administrator must be defined;
  • The resistance of the trusted computing base to penetration attempts must be demonstrated.

Class A1:
  • Testing must show that the implementation of the trusted computing base complies with the high-level formal specifications;
  • A configuration management mechanism must cover the whole life cycle and all system components associated with the provision of security;
  • The correspondence between the high-level formal specifications and the source code must be documented.

The classification above follows the text of the Orange Book. The Orange Book defines a trusted system as one that uses sufficient hardware and software means to allow a group of users to simultaneously process information with varying degrees of secrecy without violating access rights. The levels can be summarised as follows:
  • C level – selective (discretionary) access control;
  • B level – compulsory (mandatory) access control;
  • A level – verifiable security.
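As an added example (not from the original page), the Python reference monitor below models how the C-level selective check against an object's access list and the B-level compulsory check against security markers combine, and records every decision in a registration log tied to an identified user, as the C1 and C2 requirements above demand. The four-level secrecy ordering, the users and objects, and the "no read up, no write down" rule used for the marker check (the Bell-LaPadula rule, which the page does not state) are assumptions.

```python
from dataclasses import dataclass, field
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}  # constructed ordering; a real TCB also carries compartments

@dataclass
class Obj:
    name: str
    level: str                                 # security marker (B1 requirement)
    acl: dict = field(default_factory=dict)    # user -> set of modes (C-level requirement)

@dataclass
class Monitor:
    users: dict                                # user -> clearance; only identified users act (C1)
    audit: list = field(default_factory=list)  # registration log, each entry tied to a user (C2)

    def dac_allows(self, user, obj, mode):
        """Selective (discretionary) control: the object's access list must grant the mode."""
        return mode in obj.acl.get(user, set())

    def mac_allows(self, user, obj, mode):
        """Compulsory control on markers: no read up, no write down (Bell-LaPadula, assumed)."""
        subj, objl = LEVELS[self.users[user]], LEVELS[obj.level]
        if mode == "read":
            return subj >= objl
        return mode == "write" and subj <= objl

    def access(self, user, obj, mode):
        # Identification precedes every controlled action; every outcome is logged.
        if user not in self.users:
            self.audit.append((user, obj.name, mode, "denied", "unidentified user"))
            return False
        for name, check in (("dac", self.dac_allows), ("mac", self.mac_allows)):
            if not check(user, obj, mode):
                self.audit.append((user, obj.name, mode, "denied", name))
                return False
        self.audit.append((user, obj.name, mode, "granted", ""))
        return True

def demo():
    # Constructed scenario: an analyst cleared to secret, a clerk cleared to confidential.
    mon = Monitor(users={"analyst": "secret", "clerk": "confidential"})
    report = Obj("ops_report", "secret", {"analyst": {"read", "write"}, "clerk": {"read"}})
    bulletin = Obj("bulletin", "unclassified", {"analyst": {"read", "write"}, "clerk": {"read"}})
    return {
        "analyst_reads_report": mon.access("analyst", report, "read"),        # both checks pass
        "clerk_reads_report": mon.access("clerk", report, "read"),            # ACL grants, marker forbids read up
        "analyst_writes_bulletin": mon.access("analyst", bulletin, "write"),  # ACL grants, marker forbids write down
        "guest_reads_bulletin": mon.access("guest", bulletin, "read"),        # never identified
        "audit": mon.audit,
    }
```

The denied entries show why a granted access list alone is not enough at the B level: the marker check overrides it, and the log records which check refused the request.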