This is the talk page for discussing improvements to the Information security article. This is not a forum for general discussion of the article's subject.
This article is rated B-class on Wikipedia's content assessment scale. It is of interest to multiple WikiProjects.
Text and/or other creative content from this version of Information_security#Professionalism was copied or moved into Information_security_professionalism with this edit. The former page's history now serves to provide attribution for that content in the latter page, and it must not be deleted as long as the latter page exists.
This article was the subject of a Wiki Education Foundation-supported course assignment, between 22 January 2020 and 14 May 2020. Further details are available on the course page. Peer reviewers: Wintersfire.
Above undated message substituted from Template:Dashboard.wikiedu.org assignment by PrimeBOT ( talk) 23:00, 17 January 2022 (UTC)
This article was the subject of a Wiki Education Foundation-supported course assignment, between 16 May 2019 and 24 August 2019. Further details are available on the course page. Student editor(s): Robbinsm1.
Above undated message substituted from Template:Dashboard.wikiedu.org assignment by PrimeBOT ( talk) 00:31, 17 January 2022 (UTC)
Found a good citation for history of data classification.
Finished confidentiality, integrity, and availability section.
Reorganized the outline and section headers.
Cleaned up See also section. Everything that was listed there can be found on the two categories listed.
Created Archive of the old Talk page.
May need to think about moving Sources of standards and Professional Organizations down into the External Links section.
This is a lot of work but I'm enjoying it.
WideClyde 05:13, 12 January 2007 (UTC)
Thank you. That is a very good suggestion. Finished the three controls section. Fixed some typos. Removed some subsections that were folded into the controls section. Switched the under-construction flag back. I'm going to watch TV the rest of the night.
WideClyde 23:31, 13 January 2007 (UTC)
Rewrote first paragraph of Introduction. Added two paragraphs to end of History section. Completed Security Classification section. Removed potentially plagiarized paragraph. Revised outline.
WideClyde 02:44, 15 January 2007 (UTC)
Meetings all day today and meetings all day tomorrow. My brain is fried.
I incorporated a few suggestions. Added a sentence about privacy into the confidentiality section. Does more need to be said about privacy? Added a couple of books, that I have on my bookshelf and use occasionally, to the Bibliography section. Added a paragraph about ISO-17799 to the Risk management section (thanks for the suggestion).
My thoughts about this article are that it should be a high-level overview of the field of information security. I've tried not to get too deep into any particular topic in my contributions. I've also tried to avoid any technical jargon. An article like this one could easily become very technical or devote too much space to a particular topic, or it could potentially become more about a closely related sister field. I'm also concerned that the article may be getting too long.
I might take a couple days off - or I might not.
WideClyde 05:09, 16 January 2007 (UTC)
I have no memory of this past week. I sure hope today is Friday!
I must have filled in the Security classification section and the Access control section. I found the last half of the Access control section to be the most difficult to write so far. The Cryptography section was easy to write; lots of great Wiki links.
I moved Change management and Disaster recovery down into the Process section. I think those will fit in better there.
WideClyde 03:47, 20 January 2007 (UTC)
Hello,
The CIA classic triad is an inadequate model for describing what we protect in information security work. For example, many breaches of security are not covered by confidentiality, integrity or availability. The Parkerian Hexad is a better model and has recently been adopted by the (ISC)^2, the certifying body for CISSPs, as a replacement for the classic triad.
When a British ATM technician was hired by a magazine to demonstrate how he stole debit-card information and PINs from users, he installed a radio transmitter in an ATM and recorded the signals containing bank-account numbers and passwords on his laptop computer. He was arrested and tried for fraud; his defense attorney argued that because he had not looked at the data on his computer, there was no breach of confidentiality. The judge ruled that although that was true, the technician had violated the principle of possession or control: he had gained the power to examine or use those data at will regardless of the data-subjects' wishes. That's an example of a breach of control or possession.
Similarly, when someone using his own e-mail system writes an e-mail message threatening the President of the US but alters the e-mail headers to forge someone else's identity, that's not a breach of confidentiality or control; it's not a breach of integrity either because the e-mail as written and sent represents exactly what the author intended. It's a breach of authenticity: it is incorrectly attributed to someone else.
Finally, when data are in EBCDIC but should have been in ASCII, the issue is usability, not availability. The data are perfectly available -- they are just not useful in their current format. Similarly, if someone presents a report where all the salaries of employees are written in Greek Drachmas instead of US Dollars, that's useful in Greece but probably not in the US -- but it's not a breach of integrity, nor is it a breach of availability.
See my mods to the entry on Parkerian Hexad.
Best wishes,
Mich
M. E. Kabay, PhD, CISSP-ISSMP
School of Graduate Studies
Division of Business & Management P: +1.802.479.7937 NORWICH UNIVERSITY Expect Challenge. Achieve Distinction.
E1: mailto:mekabay@gmail.com E2: mailto:mkabay@norwich.edu for University business W: http://www2.norwich.edu/mkabay/
http://www.networkworld.com/newsletters/sec/
Mich kabay 15:44, 28 January 2007 (UTC)
WideClyde 03:26, 31 January 2007 (UTC)
Created new image for 6 atomic elements of information security. Replaced CIA triad image. Renamed and rewrote former confidentiality, integrity and availability section.
Thinking about changing direction a little in Process section. Think it might be better to write about Security planning and implementing a security program.
Maybe should include section on Pre-planning for security incident and response management.
WideClyde 02:58, 2 February 2007 (UTC)
Did some proof reading and editing. Did some cleanup. Slapped a couple of outlines into the Process section. This may be too much for this article.
WideClyde 05:09, 3 February 2007 (UTC)
I think that this page is acquiring a very "business" oriented point of view. For example, the risk management section talks about "Executive Management" and "when Management does X, they will...". This is quite reasonable for a business, but doesn't really cater for an individual worried about privacy or an operating system designer choosing features.
Also, it is suggested that the CIA Triad "is being replaced by" the hexad. This may be the case in some fields, but certainly not all. I therefore think that the statement is misleading. While the hexad may be considered more appropriate for typical business use, there are few researchers in the field who use it, and few scientific models that consider these 6 aspects to be separate. For example, it is alleged that stealing a laptop breaches my control of the information. But I could equally well say that it is a denial of service attack against the information availability. If someone modifies the info, it's a breach of integrity, and if they read it, it's a breach of confidentiality. It's true that in a business, thinking about countermeasures to "loss of control" might help you write a better security plan. But that doesn't mean the hexad is a more logical structure.
I think the page doesn't cater for people who would like a more scientific/research-oriented perspective on the field. (That's my background.) Perhaps many (or even most) of the people who visit this page are happy with the business point of view, but I'm not sure that that excuses it in an encyclopedic article.
John Y 18:32, 17 March 2007 (UTC)
The Parkerian hexad is not widely accepted and is too controversial for this article. I reverted back to CIA but did retain a reference to Parkerian hexad.
WideClyde 16:17, 24 March 2007 (UTC)
Non-repudiation is not part of the CIA triad. Non-repudiation is a legal construct rather than a basic principle of Info Sec. It is further discussed elsewhere in the article. —Preceding unsigned comment added by WideClyde ( talk • contribs) 17:13, 3 September 2007 (UTC)
Hello...would someone please create a separate page on INFOSEC certification? It appears to redirect to this page, but it is not explained at all. This certification is becoming a standard for computer forensics analysts and surely someone can explain in an article what it is. Bob ( talk) 02:04, 18 November 2007 (UTC)
How the hell is this a work from the United States government? It's paraphrased from Uncyclopedia: http://uncyclopedia.org/wiki/Everybody 194.81.36.9 ( talk) 10:01, 8 January 2008 (UTC)
Also, "COMMUNICATIO[N]S" is mis-spelled in the image. Proof it's a US Gov't thing?
24.143.66.179 ( talk) 23:06, 9 April 2008 (UTC)
Would it be useful to add a section on the major national "players" in this field (e.g. AGD / DSD for Australia, NIST / NSA for US etc), along with referencing various schemes they drive (e.g. Common Criteria, FIPS-140, GetSafeOnline? There is a synergy between their work and the "standards" / "regulation" piece. Bill Martin ( talk) 11:35, 10 January 2008 (UTC)
While I agree that Business Continuity is a generally a component of IT Security as it relates to availability, the collection of 7 questions in this article does not describe Business Continuity Planning as well as the standalone article. Recommend removing it from this article and referencing the other. Jc3 ( talk) 19:30, 28 January 2009 (UTC)
In the part about control areas, they are divided into 3 sections: physical, logical and administrative. But if you look at the caption beneath the text, it's distinguished into 3 other control areas: people, physical and organisation.
In my opinion there should be 4 areas: physical, technology, organisation and people. But it's not about my opinion, so a choice should be made between one of these models.
Pompedom ( talk) 15:35, 12 March 2009 (UTC)
I am concerned about the distinctions provided in section one. They seem to fall apart. Infinitesteps ( talk) 15:43, 14 January 2010 (UTC)
I'm not sure what the precise distinction between "Information Security" and "Information Assurance" is supposed to be according to this article. In fact, as an IA professional I am surprised to find that the definition of Information Security contained in this article is actually the same definition that I would use for Information Assurance. Does anyone know what the original distinction was meant to be? If not, I think the distinction should be removed from the article since it raises a question without answering it and leaves the reader with a false perception of Information Assurance as something other than the definition contained here.
IF, a computer system is an information system. AND IF, information security protects information systems. THEN, computer [system] security is part of information security (not distinct from). Infinitesteps ( talk) 15:43, 14 January 2010 (UTC)
Authenticity is an abstract noun describing a quality; it can't validate anything. Or was it meant to be "it is important for the purpose of authenticity that one validates"? Then, authenticity of what? Or just authenticity, like a cosmic thing?
or this:
Although the wish to have problems solved by simply using terms is completely understandable, not sure if it works that way.
Seems like the page has a lot of issues with presentation, style and logic. Just calling attention to that.
Sorry if that sounds mean, I actually respect the authors' work. (note: I'm ESL, so I might be deadly wrong in those arguments)
Theabsurd ( talk) 18:59, 9 February 2010 (UTC)
I have been searching the web for this type of tools that may be available, but seem to be lacking a lot in this field. Does it mean that it is not actually required? Or it has already been implemented by most companies these days? —Preceding unsigned comment added by Dci terry ( talk • contribs) 05:42, 23 February 2010 (UTC)
Separation of duty can be implemented as a physical control. For example, there can be two locks on a door, so that both keys (each belonging to a different person) are required before the door can be opened. I have seen a sensitive area protected in this way called a "No Lone Zone". Double lock cabinet example.
But separation of duties can also be a procedural control, when for example two signatures are required on a bank cheque/check. That's procedural because it relies on a person in the bank confirming that both signatures are there before processing it. The reimbursement example given in the article falls into this category too, unless it's computer software that ensures that the person seeking reimbursement and the approver are different people, in which case it becomes a logical control. The separation of database administrator and server administrator is partly procedural (it relies on management appointing different people to these roles), and partly technical (since the server administrator is prevented by the software from modifying the database).
I think it would be best to move the current example into one of the other sections, or to change the example into one that is actually a physical control.
BTW, I think the quality of the article has been improved enormously recently. Thanks to all contributors/editors.
John Y ( talk) 12:04, 7 September 2010 (UTC)
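The distinction John Y draws above, between a procedural control (a clerk checks for two signatures) and a logical control (software guarantees requester and approver are different people), as an added example that is not part of the talk page: a constructed reimbursement workflow in which the program itself blocks self-approval and, for claims needing two signatures, blocks one person from supplying both. Names, roles and amounts are assumed for illustration.

```python
"""Separation of duties enforced in software (a logical control).

Added example, not from the talk page: a constructed reimbursement workflow
in which the code, rather than a clerk, guarantees that the person who submits
a claim can never approve it, and that a claim needing two signatures gets them
from two different people. Names, roles and amounts are assumed.
"""
from dataclasses import dataclass, field


class SeparationOfDutiesError(Exception):
    """One identity would hold two roles that the control keeps apart."""


@dataclass
class Claim:
    request_id: str
    requester: str
    amount: float
    approvers: list = field(default_factory=list)
    paid: bool = False


class ReimbursementWorkflow:
    def __init__(self, approver_role, required_approvals=1):
        # Who holds the approver role is an administrative decision (management
        # appoints people); the checks in approve() and pay() are the logical
        # control that enforces the split regardless of who is appointed.
        self.approver_role = set(approver_role)
        self.required_approvals = required_approvals
        self.claims = {}
        self.audit = []  # append-only record so every decision is attributable

    def submit(self, request_id, requester, amount):
        if request_id in self.claims:
            raise ValueError(f"duplicate request id {request_id}")
        self.claims[request_id] = Claim(request_id, requester, amount)
        self.audit.append(f"{request_id}: submitted by {requester} for {amount:.2f}")

    def approve(self, request_id, approver):
        claim = self.claims[request_id]
        if approver not in self.approver_role:
            raise PermissionError(f"{approver} does not hold the approver role")
        if approver == claim.requester:
            # Self-approval: the requester/approver split only exists if code blocks it.
            raise SeparationOfDutiesError(f"{approver} cannot approve their own claim")
        if approver in claim.approvers:
            # Two-signature rule: one person cannot supply both signatures.
            raise SeparationOfDutiesError(f"{approver} has already approved {request_id}")
        claim.approvers.append(approver)
        self.audit.append(f"{request_id}: approved by {approver}")
        return len(claim.approvers)

    def pay(self, request_id):
        claim = self.claims[request_id]
        if len(claim.approvers) < self.required_approvals:
            raise SeparationOfDutiesError(
                f"{request_id} has {len(claim.approvers)} of "
                f"{self.required_approvals} required approvals")
        claim.paid = True
        self.audit.append(f"{request_id}: paid {claim.amount:.2f}")
        return claim.amount


def run_demo():
    """Exercise the control on constructed data; returns what each step did."""
    wf = ReimbursementWorkflow(approver_role={"alice", "bob", "carol"},
                               required_approvals=2)
    wf.submit("R-1", "alice", 120.0)  # alice is both a requester and an approver
    outcomes = {}
    steps = [("self_approve", ("R-1", "alice")),     # blocked: own claim
             ("first_approve", ("R-1", "bob")),      # allowed: 1 of 2
             ("repeat_approve", ("R-1", "bob")),     # blocked: same person twice
             ("outsider_approve", ("R-1", "dave")),  # blocked: not an approver
             ("second_approve", ("R-1", "carol"))]   # allowed: 2 of 2
    for name, args in steps:
        try:
            outcomes[name] = wf.approve(*args)
        except (SeparationOfDutiesError, PermissionError) as exc:
            outcomes[name] = type(exc).__name__
    outcomes["paid"] = wf.pay("R-1")
    outcomes["approvers"] = list(wf.claims["R-1"].approvers)
    return outcomes


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```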
81.159.229.250 changed methodologies to methods. I believe (see Methodology and related references) that in this case methodologies is more appropriate because Information Assurance has different methodologies (i.e. collections of methods, tools, procedures) than Information Security. Even within Information Security (see IT risk) there are different methodologies, for example in Risk management. Because the modification was done by an unregistered user, I revert the change. -- Pastore Italy ( talk) 10:27, 13 October 2010 (UTC)
There is a debate about the difference between Computer Security, Information Security and Information Assurance; see Information Assurance top for a short explanation.
I think that most certifications listed are about Information Assurance and Information Security: look at the certification names.
Computer Security is a more used but limited term.
Information Security is a wider term than Computer security: I propose to change (at least in the first line of the navbox) the name of this template. Moving the template to a new name "Information Security Certifications" would be better. I do not know if redirects work for transclusions, otherwise we have to change (possibly by a bot) all the references.
I have noticed that not every certification listed in the template transcludes the template itself.
In my opinion at least one article should transclude this template. I saw that Computer security and Computer insecurity do not have a certification/professionalism section.
Information assurance has sections about certifications and I have recently worked on Information security#Professional association and certification.
I think the best solution is to write a new article, perhaps Information security certification or better Information security professionalism, moving the current versions of the above-mentioned sections dealing with certification and inserting a {{main|Information security certification}} in the articles. Eventually in this new article we can try to categorize the different certifications.
I will post a similar section in the cited articles. I suggest that your comments, which are welcome, be posted in Template_talk:Computer_Security_Certifications
-- Pastore Italy ( talk) 12:12, 17 December 2010 (UTC)
Somebody recently tweaked the article to say this:
Which was, I presume, well intentioned; but I doubt it's true. The number of people who should have access to an item may often be (negatively) correlated with confidentiality, but it's not a direct relationship. Let's try some examples:
Confidentiality is better framed in terms of the impact of disclosure to unauthorised people, or the value of keeping the information from unwanted eyes. bobrayner ( talk) 15:05, 5 April 2011 (UTC)
This section seems like a grab bag, and possibly a vanity section. It's unclear why someone like Deborah Estrin, whose publications list doesn't include the word security since 1989, is in here; or why Lance Cottrell, who did some interesting work in privacy 10 or 15 years ago and has lately been running a company, is included.
I nominate this section for deletion, and suggest that if others want to keep it, a set of criteria such as frequency of contribution, impact, innovation, scholarly appointment, etc, be defined for who qualifies as a "scholar working in the field." — Preceding unsigned comment added by Emergentchaos ( talk • contribs) 14:41, 21 March 2013 (UTC)
(I moved this section to the bottom of the page, where it belongs. Please don't top-post.)
Ok, since the only 2 people to ever mention this section in the talk page agree it should be removed, and it jumped out at me as out-of-place when I was reading the article (which is pretty good otherwise), I'm going to go ahead and remove it. ChristopheBiocca ( talk) 23:22, 3 January 2018 (UTC)
On integrity, it is said "Integrity is violated when a message is actively modified in transit.". But, AFAIK, integrity is also violated when data is accidentally damaged. If your notebook accidentally falls and the hard drive breaks, doesn't that violate the integrity of your files? -- Jorge ( talk) 12:17, 19 November 2014 (UTC)
I have removed this statement from the "Key Concepts" section: "and as regulation of computer systems has increased (particularly amongst the Western nations) Legality is becoming a key consideration for practical security installations." It had been flagged as citation needed for over 3 years and, in my opinion, it is not accurate either in its claims regarding regulation of computer systems or the claim that legality is a security concern. Legality is an orthogonal concern to information security. Whether something is legal does not necessarily have any effect at all on whether it is secure. Vbscript2 ( talk) 09:12, 25 November 2014 (UTC)
In the Basic Principles Section, it mentions the CIA triad of confidentiality, integrity, and availability.
Immediately following that, there is a description of Integrity and Availability. However, there is no heading, description, or link for "Confidentiality". Voice27 ( talk) 00:00, 20 January 2015 (UTC)
Hello fellow Wikipedians,
I have just added archive links to 2 external links on Information security. Please take a moment to review my edit. If necessary, add {{cbignore}} after the link to keep me from modifying it. Alternatively, you can add {{nobots|deny=InternetArchiveBot}} to keep me off the page altogether. I made the following changes:
When you have finished reviewing my changes, please set the checked parameter below to true to let others know.
This message was posted before February 2018. After February 2018, "External links modified" talk page sections are no longer generated or monitored by InternetArchiveBot. No special action is required regarding these talk page notices, other than regular verification using the archive tool instructions below. Editors have permission to delete these "External links modified" talk page sections if they want to de-clutter talk pages, but see the RfC before doing mass systematic removals. This message is updated dynamically through the template {{source check}} (last update: 18 January 2022).
Cheers. — cyberbot II Talk to my owner:Online 10:15, 26 August 2015 (UTC)
Hello fellow Wikipedians,
I have just modified 3 external links on Information security. Please take a moment to review my edit. If you have any questions, or need the bot to ignore the links, or the page altogether, please visit this simple FaQ for additional information. I made the following changes:
When you have finished reviewing my changes, you may follow the instructions on the template below to fix any issues with the URLs.
Cheers.— InternetArchiveBot ( Report bug) 22:05, 10 April 2017 (UTC)
This segment: Information_security#Confidentiality contains the following sentence: "Rather, confidentiality is a component of privacy that implements to protect our data from unauthorized viewers" (emphasis added).
The use of the word implements is unclear here, and I am hoping the original author or someone who understands it better than me can help clarify/correct this.
Mmkaram ( talk) 02:02, 28 August 2021 (UTC)
The article text includes this and the 211 reference: Within the need-to-know principle, network administrators grant the employee the least amount of privilege to prevent employees from accessing more than what they are supposed to.[211]
This links content behind a paywall which I can't verify. I don't know how Wikipedia manages this, but my guess is that if it can't be verified, it isn't okay as a reference, and if it can be verified, there should be a note or expert in Talk to confirm this. Eltimbalino ( talk) 02:12, 25 October 2022 (UTC)
Adding: Template:Very long, and successively split the page into multiple pages when possible (e.g. create a page for "Integrity in information security"). Kerbless ( talk) 15:50, 6 February 2023 (UTC)
Am I stupid or is it broken? Kerbless ( talk) 16:51, 6 February 2023 (UTC)
This article was the subject of a Wiki Education Foundation-supported course assignment, between 25 January 2023 and 5 May 2023. Further details are available on the course page. Student editor(s): Yg2816 ( article contribs).
— Assignment last updated by Yg2816 ( talk) 18:33, 4 April 2023 (UTC)
detect malicious content attack, built up news software detect malware activity in computer and phone author by innocentjohnagbaji — Preceding unsigned comment added by 102.89.32.45 ( talk) 06:08, 11 June 2023 (UTC)
one website online 197.218.69.129 ( talk) 05:34, 15 May 2024 (UTC)
This is the
talk page for discussing improvements to the
Information security article. This is not a forum for general discussion of the article's subject. |
Article policies
|
Find sources: Google ( books · news · scholar · free images · WP refs) · FENS · JSTOR · TWL |
Archives: 1 |
This article is rated B-class on Wikipedia's
content assessment scale. It is of interest to multiple WikiProjects. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Text and/or other creative content from this version of Information_security#Professionalism was copied or moved into Information_security_professionalism with this edit. The former page's history now serves to provide attribution for that content in the latter page, and it must not be deleted as long as the latter page exists. |
This article was the subject of a Wiki Education Foundation-supported course assignment, between 22 January 2020 and 14 May 2020. Further details are available on the course page. Peer reviewers: Wintersfire.
Above undated message substituted from Template:Dashboard.wikiedu.org assignment by PrimeBOT ( talk) 23:00, 17 January 2022 (UTC)
This article was the subject of a Wiki Education Foundation-supported course assignment, between 16 May 2019 and 24 August 2019. Further details are available on the course page. Student editor(s): Robbinsm1.
Above undated message substituted from Template:Dashboard.wikiedu.org assignment by PrimeBOT ( talk) 00:31, 17 January 2022 (UTC)
Found a good citation for history of data classification.
Finished confidentiality, integrity, and availability section.
Reorganized the outline and section headers.
Cleaned up See also section. Everything that was listed there can be found on the two categories listed.
Created Archive of the old Talk page.
May need to think about moving Sources of standards and Professional Organizations down into the External Links section.
This is a lot of work but I'm enjoying it.
WideClyde 05:13, 12 January 2007 (UTC)
Thank you. That is a very good suggestion. Finished the three controls section. Fixed some typos. Removed some subsections that were folded into the controls section Switched the underconstruction flag back. I'm going to watch TV the rest of the night.
WideClyde 23:31, 13 January 2007 (UTC)
Rewrote first paragraph of Introduction. Added two paragraphs to end of History section. Completed Security Classification section. Removed potentially plagiarized paragraph. Revised outline.
WideClyde 02:44, 15 January 2007 (UTC)
Meetings all day today and meetings all day tomorrow. My brain is fried.
I incorporated a few suggestions. Added a sentience about privacy into the confidentiality section. Does more need to be said about privacy? Added a couple of books, that I have on my bookshelf that I use occasionally, to the Bibliography section. Added paragraph about ISO-17799 to the Risk management section (thanks for the suggestion).
My thoughts about this article are that it should be a high level overview of the field of information security. I've tried not to get too deep into any particular topic in my contributions. I've also tried to avoid any technical jargon. An article like this one could easily become very technical or devote to much space to a particular topic, or it could potentially become more about a closely related sister field. I'm also concerned that the article may be getting too long.
I might take a couple days off - or I might not.
WideClyde 05:09, 16 January 2007 (UTC)
I have no memory of this past week. I sure hope today is Friday!
I must have filled in the Security classification section and the Access control section. I found the last half of the Access control section to be the most difficult to write so far. The Cryptography section was easy to write; lots of great Wiki links.
I moved Change management and Disaster recovery down into the Process section. I think those will fit in better there.
WideClyde 03:47, 20 January 2007 (UTC)
Hello,
The CIA classic triad is an inadequate model for describing what we protect in information security work. For example, many breaches of security are not covered by confidentiality, integrity or availability. The Parkerian Hexad is a better model and has recently been adopted by the (ISC)^2, the certifying body for CISSPs, as a replacement for the classic triad.
When a British ATM technician was hired by a magazine to demonstrate how he stole debit-card information and PINs from users, he installed a radio transmitter in an ATM and recorded the signals containing bank-account numbers and passwords on his laptop computer. He was arrested and tried for fraud; his defense attorney argured that because he had not looked at the data on his computer, there was no breach of confidentiality. The judge ruled that although that was true, the technician had violated the principle of possession or control: he had gained the power to examine or use those data at will regardless of the data-subjects' wishes. That's an example of a breach of control or possession.
Similiarly, when someone using his own e-mail system writes an e-mail message threatening the President of the US but alters the e-mail headers to forge someone else's identity, that's not a breach of confidentiality or control; it's not a breach of integrity either because the e-mail as written and sent represents exactly what the author intended. It's a breach of authenticity: it is incorrectly attributed to someone else.
Finally, when data are in EBCDIC but should have been in ASCII, the issue is usability, not availability. The data are perfectly available -- they are just not useful in their current format. Similarly, if someone presents a report where all the salaries of employees are written in Greek Drachmas instead of US Dollars, that's useful in Greece but probably not in the US -- but it's not a breach of integrity, nor is it a breach of availability.
See my mods to the entry on Parkerian Hexad.
Best wishes,
Mich
M. E. Kabay, PhD, CISSP-ISSMP
School of Graduate Studies
Division of Business & Management P: +1.802.479.7937 NORWICH UNIVERSITY Expect Challenge. Achieve Distinction.
E1: mailto:mekabay@gmail.com E2: mailto:mkabay@norwich.edu for University business W: http://www2.norwich.edu/mkabay/
http://www.networkworld.com/newsletters/sec/
Mich kabay 15:44, 28 January 2007 (UTC)
WideClyde 03:26, 31 January 2007 (UTC)
Created new image for 6 atomic elements of information security. Replaced CIA triad image. Renamed and rewrote former confidentiality, integrity and availability section.
Thinking about changing direction a little in Process section. Think it might be better to write about Security planning and implementing a security program.
Maybe should include section on Pre-planning for security incident and response management.
WideClyde 02:58, 2 February 2007 (UTC)
Did some proof reading and editing. Did some cleanup. Slapped a couple of outlines into the Process section. This may be too much for this article.
WideClyde 05:09, 3 February 2007 (UTC)
I think that this page is acquiring a very "business" oriented point of view. For example, the risk management section talks about "Executive Management" and "when Management does X, they will...". This is quite reasonable for a business, but doesn't really cater for an individual worried about privacy or an operating system designer choosing features.
Also, it is suggested that the CIA Triad "is being replaced by" the hexad. This may be the case in some fields, but certainly not all. I therefore think that the statement is misleading. While the hexad may be considered more appropriate for typical business use, there are few researchers in the field who use it, and few scientific models that consider these 6 aspects to be separate. For example, it is alleged that stealing a laptop breaches my control of the information. But I could equally well say that it is a denial of service attack against the information availability. If someone modifies the info, it's a breach of integrity, and if they read it, it's a breach of confidentiality. It's true that in a business, thinking about countermeasures to "loss of control" might help you write a better security plan. But that doesn't mean the hexad is a more logical structure.
I think the page doesn't cater for people who would like a more scientific/research-oriented perspective on the field. (That's my background.) Perhaps many (or even most) of the people who visit this page are happy with the business point of view, but I'm not sure that that excuses it an encyclopedic article.
John Y 18:32, 17 March 2007 (UTC)
The Parkerian hexad is not widely accepted and is too controversial for this article. I reverted back to CIA but did retain a reference to Parkerian hexad.
WideClyde 16:17, 24 March 2007 (UTC)
Non-repudiation is not part of the CIA triad. Non-repudiation is a legal construct rather than a basic principle of Info Sec. It is further discussed elsewhere in the article. —Preceding unsigned comment added by WideClyde ( talk • contribs) 17:13, 3 September 2007 (UTC)
Hello...would someone please create a separate page on INFOSEC certification? It appears to redirect to this page, but it is not explained at all. This certification is becoming a standard for computer forensics analysts and surely someone can explain in an article what it is. Bob ( talk) 02:04, 18 November 2007 (UTC)
How the hell is this a work from the United States government? It's paraphrased from Uncyclopedia: http://uncyclopedia.org/wiki/Everybody 194.81.36.9 ( talk) 10:01, 8 January 2008 (UTC)
Also, "COMMUNICATIO[N]S" is mis-spelled in the image. Proof it's a US Gov't thing?
24.143.66.179 ( talk) 23:06, 9 April 2008 (UTC)
Would it be useful to add a section on the major national "players" in this field (e.g. AGD / DSD for Australia, NIST / NSA for US etc), along with referencing various schemes they drive (e.g. Common Criteria, FIPS-140, GetSafeOnline)? There is a synergy between their work and the "standards" / "regulation" piece. Bill Martin ( talk) 11:35, 10 January 2008 (UTC)
While I agree that Business Continuity is generally a component of IT Security as it relates to availability, the collection of 7 questions in this article does not describe Business Continuity Planning as well as the standalone article. Recommend removing it from this article and referencing the other. Jc3 ( talk) 19:30, 28 January 2009 (UTC)
In the part about control areas, they are divided into 3 sections: physical, logical and administrative. But if you look at the caption beneath the text, it is distinguished into 3 other control areas: people, physical and organisation.
In my opinion there should be 4 areas: physical, technology, organisation and people. But it's not about my opinion, so a choice should be made between one of these models.
Pompedom ( talk) 15:35, 12 March 2009 (UTC)
I am concerned about the distinctions provided in section one. They seem to fall apart. Infinitesteps ( talk) 15:43, 14 January 2010 (UTC)
I'm not sure what the precise distinction between "Information Security" and "Information Assurance" is supposed to be according to this article. In fact, as an IA professional I am surprised to find that the definition of Information Security contained in this article is actually the same definition that I would use for Information Assurance. Does anyone know what the original distinction was meant to be? If not, I think the distinction should be removed from the article since it raises a question without answering it and leaves the reader with a false perception of Information Assurance as something other than the definition contained here.
IF, a computer system is an information system. AND IF, information security protects information systems. THEN, computer [system] security is part of information security (not distinct from). Infinitesteps ( talk) 15:43, 14 January 2010 (UTC)
Authenticity is an abstract noun describing a quality; it can't validate anything. Or was it meant to be "it is important for the purpose of authenticity that one validates"? Then, authenticity of what? Or just authenticity, like a cosmic thing?
or this:
Although the wish to have problems solved by simply using terms is completely understandable, not sure if it works that way.
Seems like the page has a lot of issues with presentation, style and logic. Just calling attention to that.
Sorry if that sounds mean, I actually respect the authors' work. (note: I'm ESL, so I might be deadly wrong in those arguments)
Theabsurd ( talk) 18:59, 9 February 2010 (UTC)
I have been searching the web for this type of tools that may be available, but seem to be lacking a lot in this field. Does it mean that it is not actually required? Or it has already been implemented by most companies these days? —Preceding unsigned comment added by Dci terry ( talk • contribs) 05:42, 23 February 2010 (UTC)
Separation of duty can be implemented as a physical control. For example, there can be two locks on a door, so that both keys (each belonging to a different person) are required before the door can be opened. I have seen a sensitive area protected in this way called a "No Lone Zone". Double lock cabinet example.
But separation of duties can also be a procedural control, when for example two signatures are required on a bank cheque/check. That's procedural because it relies on a person in the bank confirming that both signatures are there before processing it. The reimbursement example given in the article falls into this category too, unless it's computer software that ensures that the person seeking reimbursement and the approver are different people, in which case it becomes a logical control. The separation of database administrator and server administrator is partly procedural (it relies on management appointing different people to these roles), and partly technical (since the server administrator is prevented by the software from modifying the database).
I think it would be best to move the current example into one of the other sections, or to change the example into one that is actually a physical control.
BTW, I think the quality of the article has been improved enormously recently. Thanks to all contributors/editors.
John Y ( talk) 12:04, 7 September 2010 (UTC)
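As an added example, not from the talk-page author or the article: the reimbursement rule above becomes a logical control once software, rather than a clerk, refuses self-approval. The class and function names are constructed for illustration, and the two-approver threshold mirrors the two-signature cheque example.

```python
"""Separation of duties enforced in software (constructed example)."""
from dataclasses import dataclass, field


class SeparationOfDutiesError(Exception):
    """Raised when one person would hold both sides of a two-person control."""


@dataclass
class Reimbursement:
    request_id: str
    requester: str                  # employee who submitted the claim
    amount: float
    approvals: list = field(default_factory=list)   # distinct approvers so far


def required_approvers(amount: float, two_person_threshold: float = 5000.0) -> int:
    """Small claims need one approver; large ones need two, like two
    signatures on a cheque. The threshold is an assumed policy value."""
    return 2 if amount > two_person_threshold else 1


def approve_reimbursement(req: Reimbursement, approver: str) -> bool:
    """Record one approval and return True once the claim is fully approved.

    Two checks make this a logical rather than procedural control: the
    requester can never approve their own claim, and the same approver
    cannot be counted twice to satisfy a two-person requirement.
    """
    if approver == req.requester:
        raise SeparationOfDutiesError(
            f"{approver} cannot approve their own request {req.request_id}")
    if approver in req.approvals:
        raise SeparationOfDutiesError(
            f"{approver} has already approved {req.request_id}")
    req.approvals.append(approver)
    return len(req.approvals) >= required_approvers(req.amount)


if __name__ == "__main__":
    claim = Reimbursement("R-2", "alice", 9000.0)   # constructed sample claim
    print(approve_reimbursement(claim, "bob"))      # False: one of two signatures
    print(approve_reimbursement(claim, "carol"))    # True: second distinct approver
```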
81.159.229.250 changed methodologies to methods. I believe (see Methodology and related references) that in this case methodologies is more appropriate, because Information Assurance has different methodologies (i.e. collections of methods, tools and procedures) than Information Security. Even within Information Security (see IT risk) there are different methodologies, for example in risk management. Because the modification was made by an unregistered user, I have reverted the change. -- Pastore Italy ( talk) 10:27, 13 October 2010 (UTC)
There is a debate about the difference between Computer Security, Information Security and Information Assurance; see Information Assurance top for a short explanation.
I think that most certifications listed are about Information Assurance and Information Security: look at the certification names.
Computer Security is a more widely used but more limited term.
Information Security is a wider term than Computer security: I propose to change (at least in the first line of the navbox) the name of this template. Moving the template to a new name, "Information Security Certifications", would be better. I do not know if redirects work for transclusions; otherwise we have to change (possibly by a bot) all the references.
I have noticed that not every certification listed in the template transcludes the template itself.
In my opinion, at least one article should transclude this template. I saw that Computer security and Computer insecurity do not have certification/professionalism sections.
Information assurance has sections about certifications, and I have recently worked on Information security#Professional association and certification.
I think the best solution is to write a new article, perhaps Information security certification or better Information security professionalism, moving the current versions of the above-mentioned sections dealing with certification there and inserting a {{main|Information security certification}} in the articles. Eventually in this new article we can try to categorize the different certifications.
I will post similar sections in the cited articles. I suggest that your comments, which are welcome, be posted in Template_talk:Computer_Security_Certifications
-- Pastore Italy ( talk) 12:12, 17 December 2010 (UTC)
Somebody recently tweaked the article to say this:
Which was, I presume, well intentioned; but I doubt it's true. The number of people who should have access to an item may often be (negatively) correlated with confidentiality, but it's not a direct relationship. Let's try some examples:
Confidentiality is better framed in terms of the impact of disclosure to unauthorised people, or the value of keeping the information from unwanted eyes. bobrayner ( talk) 15:05, 5 April 2011 (UTC)
This section seems like a grab bag, and possibly a vanity section. It's unclear why someone like Deborah Estrin, whose publication list doesn't include the word security since 1989, is in here; or why Lance Cottrell, who did some interesting work in privacy 10 or 15 years ago and has lately been running a company, is included.
I nominate this section for deletion, and suggest that if others want to keep it, a set of criteria such as frequency of contribution, impact, innovation, scholarly appointment, etc, be defined for who qualifies as a "scholar working in the field." — Preceding unsigned comment added by Emergentchaos ( talk • contribs) 14:41, 21 March 2013 (UTC)
(I moved this section to the bottom of the page, where it belongs. Please don't top-post.)
Ok, since the only 2 people to ever mention this section in the talk page agree it should be removed, and it jumped out at me as out-of-place when I was reading the article (which is pretty good otherwise), I'm going to go ahead and remove it. ChristopheBiocca ( talk) 23:22, 3 January 2018 (UTC)
On integrity, it is said "Integrity is violated when a message is actively modified in transit.". But, AFAIK, integrity is also violated when data is accidentally damaged. If your notebook accidentally falls and the hard drive breaks, doesn't that violate the integrity of your files? -- Jorge ( talk) 12:17, 19 November 2014 (UTC)
I have removed this statement from the "Key Concepts" section: "and as regulation of computer systems has increased (particularly amongst the Western nations) Legality is becoming a key consideration for practical security installations." It had been flagged as citation needed for over 3 years and, in my opinion, it is not accurate either in its claims regarding regulation of computer systems or the claim that legality is a security concern. Legality is an orthogonal concern to information security. Whether something is legal does not necessarily have any effect at all on whether it is secure. Vbscript2 ( talk) 09:12, 25 November 2014 (UTC)
In the Basic Principles Section, it mentions the CIA triad of confidentiality, integrity, and availability.
Immediately following that, there is a description of Integrity and Availability. However, there is no heading, description, or link for "Confidentiality". Voice27 ( talk) 00:00, 20 January 2015 (UTC)
Hello fellow Wikipedians,
I have just added archive links to 2 external links on Information security. Please take a moment to review my edit. If necessary, add {{cbignore}} after the link to keep me from modifying it. Alternatively, you can add {{nobots|deny=InternetArchiveBot}} to keep me off the page altogether. I made the following changes:
When you have finished reviewing my changes, please set the checked parameter below to true to let others know.
This message was posted before February 2018. After February 2018, "External links modified" talk page sections are no longer generated or monitored by InternetArchiveBot. No special action is required regarding these talk page notices, other than regular verification using the archive tool instructions below. Editors have permission to delete these "External links modified" talk page sections if they want to de-clutter talk pages, but see the RfC before doing mass systematic removals. This message is updated dynamically through the template {{source check}} (last update: 18 January 2022).
Cheers. — cyberbot II Talk to my owner:Online 10:15, 26 August 2015 (UTC)
Hello fellow Wikipedians,
I have just modified 3 external links on Information security. Please take a moment to review my edit. If you have any questions, or need the bot to ignore the links, or the page altogether, please visit this simple FaQ for additional information. I made the following changes:
When you have finished reviewing my changes, you may follow the instructions on the template below to fix any issues with the URLs.
This message was posted before February 2018. After February 2018, "External links modified" talk page sections are no longer generated or monitored by InternetArchiveBot. No special action is required regarding these talk page notices, other than regular verification using the archive tool instructions below. Editors have permission to delete these "External links modified" talk page sections if they want to de-clutter talk pages, but see the RfC before doing mass systematic removals. This message is updated dynamically through the template {{source check}} (last update: 18 January 2022).
Cheers.— InternetArchiveBot ( Report bug) 22:05, 10 April 2017 (UTC)
This segment: Information_security#Confidentiality contains the following sentence:
Rather, confidentiality is a component of privacy that implements to protect our data from unauthorized viewers (emphasis added).
The use of the word implements is unclear here, and I am hoping the original author or someone who understands it better than me can help clarify/correct this.
Mmkaram ( talk) 02:02, 28 August 2021 (UTC)
The article text includes this and the 211 reference: Within the need-to-know principle, network administrators grant the employee the least amount of privilege to prevent employees from accessing more than what they are supposed to.[211]
This links content behind a paywall which I can't verify. I don't know how Wikipedia manages this, but my guess is that if it can't be verified, it isn't okay as a reference, and if it can be verified, there should be a note or expert in Talk to confirm this. Eltimbalino ( talk) 02:12, 25 October 2022 (UTC)
Adding: Template:Very long, and subsequently split the page into multiple pages when possible (e.g. create a page for "Integrity in information security"). Kerbless ( talk) 15:50, 6 February 2023 (UTC)
Am I stupid or it's broken? Kerbless ( talk) 16:51, 6 February 2023 (UTC)
This article was the subject of a Wiki Education Foundation-supported course assignment, between 25 January 2023 and 5 May 2023. Further details are available on the course page. Student editor(s): Yg2816 ( article contribs).
— Assignment last updated by Yg2816 ( talk) 18:33, 4 April 2023 (UTC)
detect malicious content attack, built up new software to detect malware activity in computer and phone, authored by innocentjohnagbaji — Preceding unsigned comment added by 102.89.32.45 ( talk) 06:08, 11 June 2023 (UTC)
one website online 197.218.69.129 ( talk) 05:34, 15 May 2024 (UTC)