Tuesday, March 20, 2007

Data Security - Establish a network of data security personnel

To be successful in information security management, the initiatives need to be implemented from top management down to executives.

Ideally, a data security partner (DSP) needs to be appointed from every department, so that the DSPs can be trained on all aspects of the information security policies, procedures and standards.

The DSPs will then implement all policies, procedures and standards according to their own business environment.

Data Security - Traceability

Traceability simply means being able to track logs and events so as to detect who penetrated a compromised system, and why and how they did it.

By reviewing logs and events one can also check for unauthorised attempts to log in to a system.

However, there is a real challenge today in retaining massive log files and still being able to correlate them into meaningful findings every now and then.

Log management is a field in its own right. In fact, deciding what to log and what not to log becomes a science learnt through experience.
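As an added example, not part of the original post, the Go program below performs the kind of review described above over a handful of constructed sshd log lines: it parses who tried to log in, from where and with what outcome, counts failures per source address, and flags an address that keeps failing and then succeeds. The host name, user names and addresses are made up for the example, and the threshold of 3 failures is an arbitrary assumption.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// sampleAuthLog is a constructed sshd log excerpt for this example; the host,
// user names and addresses (documentation ranges) are all made up.
const sampleAuthLog = `Mar 20 09:14:01 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Mar 20 09:14:03 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Mar 20 09:14:05 web01 sshd[2203]: Failed password for root from 203.0.113.45 port 51030 ssh2
Mar 20 09:14:07 web01 sshd[2203]: Failed password for root from 203.0.113.45 port 51030 ssh2
Mar 20 09:14:09 web01 sshd[2205]: Failed password for root from 203.0.113.45 port 51041 ssh2
Mar 20 09:14:12 web01 sshd[2205]: Accepted password for root from 203.0.113.45 port 51041 ssh2
Mar 20 09:20:44 web01 sshd[2310]: Failed password for alice from 198.51.100.7 port 40112 ssh2
Mar 20 09:20:50 web01 sshd[2310]: Accepted publickey for alice from 198.51.100.7 port 40112 ssh2
`

// sshdAuthRe matches the Failed/Accepted lines sshd writes to the auth log.
var sshdAuthRe = regexp.MustCompile(
	`^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (Failed|Accepted) \S+ for (?:invalid user )?(\S+) from (\S+) port \d+`)

// AuthEvent is one login attempt: when, who, from where and whether it worked.
type AuthEvent struct {
	Timestamp string
	Success   bool
	User      string
	SourceIP  string
}

// ParseAuthLog extracts login attempts; non-auth lines are skipped, not errors.
func ParseAuthLog(log string) []AuthEvent {
	var events []AuthEvent
	for _, line := range strings.Split(log, "\n") {
		m := sshdAuthRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		events = append(events, AuthEvent{
			Timestamp: m[1], Success: m[2] == "Accepted", User: m[3], SourceIP: m[4],
		})
	}
	return events
}

// Finding is a source address that reached the failure threshold.
type Finding struct {
	SourceIP       string
	Failures       int
	Users          []string // distinct accounts tried, in first-seen order
	SucceededAfter bool     // a login from the same address worked after the failures
	SuccessUser    string
}

// DetectBruteForce counts failed logins per source address and reports those at
// or above threshold; a success after the failures is what needs a response.
func DetectBruteForce(events []AuthEvent, threshold int) []Finding {
	byIP := map[string]*Finding{}
	seen := map[string]map[string]bool{}
	for _, e := range events {
		f := byIP[e.SourceIP]
		if f == nil {
			f = &Finding{SourceIP: e.SourceIP}
			byIP[e.SourceIP] = f
			seen[e.SourceIP] = map[string]bool{}
		}
		if e.Success {
			if f.Failures >= threshold && !f.SucceededAfter {
				f.SucceededAfter, f.SuccessUser = true, e.User
			}
			continue
		}
		f.Failures++
		if !seen[e.SourceIP][e.User] {
			seen[e.SourceIP][e.User] = true
			f.Users = append(f.Users, e.User)
		}
	}
	var findings []Finding
	for _, f := range byIP {
		if f.Failures >= threshold {
			findings = append(findings, *f)
		}
	}
	sort.Slice(findings, func(i, j int) bool { return findings[i].SourceIP < findings[j].SourceIP })
	return findings
}

func main() {
	for _, f := range DetectBruteForce(ParseAuthLog(sampleAuthLog), 3) {
		fmt.Printf("%s: %d failed logins against %v", f.SourceIP, f.Failures, f.Users)
		if f.SucceededAfter {
			fmt.Printf(", then logged in as %s", f.SuccessUser)
		}
		fmt.Println()
	}
}
```

In a real deployment the input comes from syslog or a SIEM rather than a string constant, and the finding worth acting on is the second kind: a password login as root after a run of failures from the same address is exactly the trace of the "who" and "how" the post asks for. A single failure from a legitimate user stays below the threshold and is not reported.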

Monday, March 19, 2007

Data Security - Availability

Availability in data security means being able to tolerate the loss of data/information in the event of a disaster, measured by how long the business can go without it.

Again we can divide availability into 3 classes:

Class 1 - Loss of data/information can be tolerated for more than a week
Class 2 - Loss of data/information can be tolerated for more than a day but less than a week
Class 3 - Loss of data/information can be tolerated for less than a day

Saturday, March 17, 2007

Data Security - Integrity

Integrity means ensuring that data and information are preserved in their original form and not modified or spoofed, as can happen with email.

To ensure that, we can put in a technical control such as digital signatures when sending emails.

What other ways can we do it? Please suggest.

Friday, March 16, 2007

Data Security - Confidentiality

Confidentiality (C) means being able to sort information into different classifications and protect it according to the classification assigned.


  • Class 1 - Internal (can only be viewed by staff of the company, not the public)
  • Class 2 - Confidential (can only be viewed by a selected number of staff)
  • Class 3 - Strictly Confidential (can only be viewed by an even smaller group of staff)

Ideally, Class 2 and Class 3 information needs to be encrypted, whether it is files on a server or attachments in email.

Two products worth mentioning are:

PHP Code encryption

Advance File Encryption

Data Security

Data Security, in my point of view, is made up of 4 important concepts:

  • Confidentiality(C)
  • Integrity(I)
  • Availability(A)
  • Traceability(T)

In short it is known as CIAT. What is your point of view?
