Data security

In Information system security, the data security is the branch which is interested mainly in the Donnée S, in complement of the aspects of Data processing.

Recall on the Given S Data-processing S

Since the beginning of the History (appearance of the writing), the man handles Information S, which result in Donnée S, more in less Structurée S.

The advent of the Informatique since the end of the Années 1940 with the the United States introduced a form Numérique data, recorded S on supports electronic S. This evolution is comparable with the advent of the Imprimerie at the 15th century in the years 1450.

At the base, the support of the Donnée S is the memory of the Ordinateur, on which the elementary instructions of the Computer programs operate.

It is not possible to treat the data security, without pointing out this fundamental aspect:

the Donnée S are treated with Computer materials and Operating systems .

On the various types of Computer materials (with their peripheral S), of the Supercomputer S with the Microcomputer S, while passing by the host Computers and the open Systems, one always finds the various forms of mediums physique following:

• the Memory of the Computer,
• the disc S, cupboards (peripheral S), for the Safeguard and the Storage,
• systems of Filing…

The Donnée S can circulate between these systems in networks physique of communication: Telecommunication networks, Lans, telecommunication networks by satellites…

On the physical supports, one must establish systems which manage the accesses to the Donnée S and their treatment: the logical accesses of these systems can be of type sequential or indexed, the files being generally replaced by Databases allowing accesses and more advanced updates.

The Management systems of databases (DBMS) are Software level basic, and make it possible the Ordinateur to manage these various types of treatment on the data.

The levels are distinguished:

• Conceptual,
• Logical,
• Physical.

Short history of the data security

During last years, the Universalization, especially under its economic aspects and financial, generated computing projects of dimension Mondiale.

One will note in particular the data-processing Passage to the year 2000 (Y2K), which required the checking and the conversion from 300 to 600 billion lines of potentially affected program in the world (estimate of the Gartner Group).

In Europe, the building site of the passage to the Euro represented a cost appreciably equivalent to that of the Passage to the year 2000 on the perimeter Européen. The project proceeded in two phases: first phase beginning 1999 with the passage with the Euro of the financial Gone S and the financial applications of the Undertaken S, the second phase, by far most important, the Conversion of the majority of the others Computer applications, which could in general be carried out only in 2000 and 2001, for questions of constraints compared to the data-processing Passage at the year 2000 (Y2K), and compared to the countable Exercices.

In these two projects, the requirements of Interworking and the Computer data played a crucial role, since it was about the format of the fields Date (a Métadonnée) and currency in the Système S and the data-processing recordings.

From the point of view of the Computer material, in Europe, the data-processing Passage to the year 2000 represented an impact more important than the passage to the Euro. In other words, one could say that the Passage to the year 2000 comprised more technical aspects, whereas the passage to the Euro represented rather functional stakes.

In 1991, the Department of Defense of the USA developed common Criteria of safety (see TCSEC), and simultaneously the European organizations laid down a security policy of the information systems (ITSEC).

The Stake X of the data security

On the level of the Nobody S and Organization S

The Enjeu X of the data security are as follows (this list is far from being exhaustive):

• Individual freedoms: Protection of the Private life (see Private life and data-processing),

• Office automation: safety of the Given S Recorded S on the Hard drive of the Microcomputer (emails, repertory S, file S Document S, given Spreadsheet S and presentations…),

• Communication: targeting of the internal and external Recipients according to their Interest S, unnecessarily not to reveal too many Information S not structured on Internet,

• Hygiene and safety: identification of the Given S necessary to the procedures of Protection of the Health of the Employed S,

• Secrecy the professional: protection of the Intellectual capital of the company

• Marketing: identification of the sensitive Gone S, competing Day before,

• Research and development: alignment of the process of R & D on the Need S for the market, identified and validated by the Marketing: security of the data resulting from the Day before in company, the Technological survey, and development of the Intellectual capital of the company.

• Example in chemistry: Card of data of safety, for the Chemical substances for the industry of the tire, the car…

• Traceability of the documents and Liability for the defective products: to be able to give the Preuve of the quality of a product.

• Purchases: requests for purchase (in the Aeronautical , the car… for example), criteria used for the choice of the suppliers.

The data security implies certain ways of structuring the data.

At the Macroeconomic level

In Engineering of the systems, the Enjeu X of data security are very important today, because of the multiple interconnections between systems heterogeneous and distributed, that it is in the Control systems Industriel S, in the Transport systems, the applications of Gouvernance of company and integrated management, in the applications of Ingénierie of knowledge, in the decisional Systèmes, the systems of the Financial markets…

These systems meet today in very different organizations: Company S, Public services, International institutions, territorial Central administrations and (Area S and City S), Centers of studies and research, University S, Universities, Chambers of commerce and of industry. One speaks sometimes about Recipients (translation of English stakeholder , literally, hunter of stakes).

One will find an illustration of the diversity of the physical systems concerned in the article Cohérence of the data in universe distributed.

To deepen:

• On the various aspects of safety, to see the article Safety .
• On the related aspects with the communication, to see Communication ,
• On the dependant stakes specifically with the interconnection of the physical systems, one can consult the article Interopérabilité .
• On the risks, to see Risk .

With the advent of technologies of the collective intelligence and knowledge (TICC, expression of Bernard Besson), there are Risque S of loss of Compétence S in the companies, if the Usage S of information are not well defined compared to the context, and if the Communication is badly controlled.

See:

• Use
• Communication
• human context of the communication, and model employees in communication,

The most important Enjeu is above all human: it is a question of preserving the Intellectual capital .

In technical terms, one speaks about a classification of the " active " , essential especially for the Engineering of knowledge.

These Enjeu X is such as they raise questions of Souveraineté.

Recall of the concepts of safety of information system

Aspects of the Information system security

See also: Information system security

One distinguishes in safety from information several aspects, which are related to the data besides:

• the Confidentiality,
• the integrity,
• the Availability.

The standard ISO 13335 (which exists only in English) also mentions the Not-repudiation, the Gestion of the proof (imputability), and the Authentification:

• the Authentification corresponds to the one of the three phases of the access control, which is field of the Confidentialité; there is also a concept of authenticity which is not directly related to the access control: it is a question for that which consults a data, of being convinced of the identity of the transmitter or the creator of the data.
• the Not-repudiation aims at preventing that the author of a data can claim then that he is not the author; it implies the integrity, but extends beyond.
• the Gestion of the proof (Imputability) relates to all the aspects of the Information system security.

Fundamental concepts

See also: common Criteria

The common Criteria (in English common criteria ), defined in the international level, must be documented in the form of Profils of protection, those being information Essentielle S to make sure of the Sécurité of information, with the more high level.

See also: Profile of protection

In Urbanization of the information systems, in precondition to the establishment of any cartography of the data, it is necessary to proceed to the “alignment strategic” , in which the definition of the Profil of protection is one of principal the prérequis.

Actors of the Information system security

See also: Third of confidence

The professionals of the Information system security recognize three types of actors of safety:

• authority of certification,
• authority of recording,
• the operator of certification.

In 1991, the Europe defined a standard of organization of security policy, ITSEC, which did not obtain the statute of international Norme (ISO).

In each large company, one finds a Responsable for the information system security (RSSI), which depends Hiérarchiquement on the data-processing director or the director of the Sécurité according to the cases. If the RSSI depends hierarchically on the director of the Sécurité, it has functional relationships to (or them) directing data processing (and reciprocally).

The organization

See also: Security policy of the information systems

The organization of the data security is an essential part of the information system security. It must be defined in a Security policy of the information systems.

This policy must indicate the respective roles of the actors of the company and the Tiers of confidence in the process of Certification.

A total analysis by the data will make it possible to decline the PSSI in specialized policies (computing system, networks…).

The project of security of the data

Identification and evaluation of the sensitive Given S

To make safe the sensitive Given S, it is first of all necessary to have Conscience active S of the company to protect, and their value.

Various classifications of the credits exist, without there being standardization of all the types of credits.

We give here a short list proposed by the standard ISO 13335-1 (concepts and models of computer security), of which we point out that it was not translated into French:

• Nobody S,
• Capacity required a produced, a service,
• Active physiques,
• Information S/Given S (structured or not),
• Active intangible.

About the people, one will notice that, beyond the medical condition, the Savoir-faire is greater interest for the company. Its evaluation is capital in Ingénierie of knowledge.

The traditional accounting methods badly take into account this type of capital (see Capital).

The economic model of Intelligence considers that the enrichment and the protection of the informational Patrimoine gather the following key points:

• the ethical :

• the protection of the private life and the individual data,
• the application of a deontology in the collection of information and practices of influence,
• the application of a rigor d" ontological in the subcontracting of information and the influence.

• the Knowledge S and the Competence S:

• identification and the evaluation of knowledge and competences,
• protection (right, intellectual property…),
• control of the TIC.

• the Creation of value, with several types of values:

• Shareholder,
• Customer,
• Personal,
• Community,
• Partners (development of the innovation).

• the Image:

• Perception,
• Evaluation,
• Promotion.

The methods of To that the of economic Intelligence and Ingénierie of knowledge also propose standard questionnaires making it possible to index the elements of the memory of company, to evaluate them and to structure them of process trade, simultaneously with the processes of administrative management.

These are all these credits that it is a question of making safe. The most recent studies on the immaterial capital , in particular the study of the CIGREF carried out in 2006, show that the reliability and the auditability of the data are a requirement of the evaluation of the immaterial capital of the companies, therefore of the evaluation of the Return on investment of the projects of Ingénierie of knowledge, and Création of value.

Choice of the Third of confidence

See also: Third of confidence

Within the framework of the Stratégie of the organization, and its Security policy of the information systems, persons in charge of IF must take care with the greatest care with the choice of the Tiers of confidence according to the Profil of protection proposed.

Design of the protected architecture of data

See also: Profile of protection

Opinion even of the experts, there exists a relation between the safety and the architecture of the information systems.

The evaluation and the implementation of the Profil of protection require to examine the common Criteria, by positioning them on the adequate level of the information system. The use of a Méta-model of town planning can help to find reference marks common to evaluate and implement a profile of protection, because the impacts of the security can be on all the levels, Computer material, to all the layers of software and with the networks.

The projects of Information system, possibly the building site of Urbanization of the information system if there exists, will have to integrate the Donnée S corresponding to the Sécurité of information.

To answer the Stake X of level Microeconomic, it is necessary to implement standards of Gestion of the recordings (record management, to see Liste of ISO standards by fields). It is necessary to structure the Donnée S which index the Document S, Essentiellement the customer S, the produced S and the service S (Métadonnée S), and to make so that these Donnée S has comparable structures to be able to make dialog the applications of administrative management and the applications of Ingénierie of knowledge (Documentation, sites Web, forum S, not structured said information).

Example: the process purchase must be able to identify with much precision, on the level of the request for purchase, the documents of specification of the components of an engine of plane which one wishes to buy with a supplier. It is of the traceability, the analysis of the life cycle, the evaluation of the price (operating burnup), of the liability for the defective products, and also of the image.

The use of a Infrastructure of public key (PKI) will not bring a real safety, in the applications in complex networks, only if it is associated with the use of a Registre of metadata. With the element identifier, one will be able to associate the electronic Certificat.

Organization of the program

See also: Security policy of the information systems

A good data security will be obtained by the installation of a Security policy of the information systems (see the detailed article).

The standard ISO 13335, elaborate in 1996, gave already the broad outlines of a program of management of the Sécurité, which was being a important Enjeu at this time.

Such a program is at several levels of the organizations:

• the level groups , with:
• a person in charge appointed for the Safety in general,
• a person in charge appointed for the Computer security in particular; this last is called Responsable for the information system security, or in summary RSSI; this last works out the procedures of Computer security, which are the translation of the procedures of safety of the other fields (hygiene and safety for example).

• the level department (or business links),

• the level field or project, or the administrator is found.

In general, on the lower levels of the Hierarchy, the person charged with the Sécurité does not have this only task. It is generally about a correspondent, who has others Responsabilité S in parallel.

The program can be Efficace only if one sets up a Steering committee. The contemporary methods of discussion are the forum S. the computer security should thus be the particular forum object, whose roles are:

• to identify the requirements,
• to advise the leaders on the Decision S to take, and make recommendations,
• to describe the procedures,
• to conceive the program of Safety of information,
• to review the actions.

Such a forum could include/understand the representatives or corresponding safety, which have as a role to examine the bonds with other programs. One can quote:

• the general Safety and the Risk S: functional aspects of safety and taking into account of the context,
• the Communication: taking into account of the specific risks related to the Communication,
• the quality: aspects standardization,
• the Responsibility sociétale: purely functional aspects.

Some aspects of the data security

Requirement S of safety

Generally, the requirements of Information system security are analyzed with the scale Evaluation Insurance Level.

For the civil applications, the safety requirements do not exceed in general level EAL 4+.

For the military applications, the safety requirements go from the EAL 5 to 7.

The total Sécurité of an information system will be that of the weakest link, and will be well represented by the safety of the Databases or that of the interfaces between the applications. It is thus crucial to be interested to the EAL of DBMS and the systems of interfacing (data-processing Bus, EAI).

In the case of the Free software, security levels of the databases employed (MySQL,…) are in general rather low in scale EAL, because of the least financial power of the communities of free software.

Protection of the informational Inheritance

See also: informational Inheritance

An effective protection of the informational Patrimoine requires before a a whole thorough study of the framework Juridique. It is very important to become aware that there exists a hierarchy in the regulation. For example, in the European Union, the European directives take precedence over the laws of the Member States (Hiérarchie of the standards).

One must cross this legal study with:

• the definition of the profiles of people who handle electronic Documents on the same whole of Donnée S with a common level of Computer security (in particular the Confidentialité),
• identification of the sensitive Donnée S (" actifs").

It is necessary to structure well at the same time the Donnée S and the Communautés of practice, which in common have the sphere of activity and the security level. It is an important aspect of the Content management.

One must use the Métadonnées in a way standardized with a Registre of metadata. One must examine how each element in safety intervenes, as well as associated refinements, such as for example: identifier and electronic Certificate associated, nature of the document, range of the document, rights, goes down for hearing, etc

Management of the proof

See also: Management of the proof

( records management in English).

In practice, the data security must be implemented by actions concerning the Recording of the electronic data.

See also: Recording of the data

Safety of the recordings

The Donnée S which make it possible to manage the Sécurité, been dependant on the Profil of protection to choose (or selected), must be positioned in the Information system in such a way that the recording carried out can provide the Preuve actions of a person or a Entreprise and corresponding Affaire S.

The management of the Preuve is the object Norme, the standard ISO 15489 (in English and French).

See also: ISO 15489

Recording of the data and management of the proof

The safety and the recording of the data and the Gestion of the proof are thus in very close relation.

There cannot be good Gestion of the proof, without a good Recording of the data throughout the life cycle and of the associated processes (Filière S). Thus, it is necessary to describe in a very precise way the Impact S on the following operations:

• Safeguard, Storage,
• Filing.

These process is moreover high importance in Informatique, because they contain the capital knowledge known as explicit, in language of Ingénierie of knowledge.

In the final analysis, one cannot obviously uncouple completely the aspects Donnée S and Data processing, so that the choice of the architecture of data strongly impacts the physical architecture of the Ordinateur, and in particular his capacity to carry out processes in Multitâches (see also Multiprocesseurs). This is why it is preferable to study the security of the data within the framework of a step of Urbanisation of the information systems.

Protection of the personal data

There exists in the European Union payments on the protection of the private life, in particular directive 95/46 of October 24th 1995 on the data protection. G29 is a European group charged to coordinate the authorities of data protection of the European Union.

Referential integrity

See also: referential Integrity

Standardization and Certification

Standardization

The applicable Norme S are:

• ISO 13335 on the definitions, concepts and models,
• ISO 15408 on the requirements, and the common Criteria.

On the Metadata in particular, to see Standardization of the metadata.

On the Management of the proof or Imputability ( records management in English), to see ISO 15489 and Metadata and traceability.

The standard ISO 27000 is a general standard on the information system security.

Certification

For the application of the standard ISO 15408, in France, there exist 6 CESTI (centers of evaluation of the safety of information technologies) in charge of the evaluation:

• Algoriel,
• AQL (Silicomp),
• ECA LETI,
• CEACI,
• Oppida,
• Serma technologies.

In last authority, it is the DCSSI which validates approval and delivers the Certificat.

References

• National defense and collective security , February 2006,

• Intelligence of the risks, Safety, Safety, Environment, Management IFIE 2006. Bernard Besson and Jean-Claude Possin

• To prevent the risks. To act as responsible organization . Andree Charles, Farid Baddache. Editions AFNOR. 2006. ISBN 2-1247-5519-6.

• Function Risk manager , Catherine Véret, Richard Mekouar, Dunod, ISBN 2 10 048697 7, 2005

• 100 questions to include/understand and act. Risk management . Jean-Paul Louisot, with the participation of Jacques Lautour. AFNOR and CARM Institute (Circle of the Businesses in Risk Management). 2005 - ISBN 2-12-475087-9

• economic Model of intelligence , AFDIE, Economica, Bernard Besson, Dominique Fonvielle, 2004.

• the economic audit of intelligence, to set up and to optimize a device coordinated of collective intelligence , Bernard Besson and Jean-Claude Possin, ISBN 2 10 006699 4, Dunod, 2002,

• Convaincre to urbanize IF , Jean-Christophe Bonne and Aldo Maddaloni, Lavoisier, 2004.

• Management of the risk. Comprehensive approach . AFNOR. 2002. ISBN. 2-12-169211-8

• Treated new risks - Precaution, crisis, insurance , Olivier Godard, Claude Henry, Patrick Lagadec, Erwann Michel Kerjen, current Folio new 2002.

• Re-examined French of marketing, n° 200 , December 2004.

See too

• CNIL

In anglophone Wikipedia:

• the category,
• the article,
• the article

On the Stake X related to the context of communication

• Responsibility sociétale for company
• Safety and Interworking, to also see ADELE
• Risk S; Threat; Vulnerability
• Communication
• Coherence of the data in universe distributed
• Use
• Intellectual capital

On the Information system security

• Certificate electronic
• electronic Signature
• Certification
• Third of confidence
• common Criteria
• Profile of protection

On the strategic Project management

• Alignment
• Urbanization (data-processing)
• Méta-model of town planning

On the standardization

• Standard
• List of ISO standards by fields
• ISO 13335
• ISO/CEI 17799
• ISO/CEI 27001

External bonds

• DCSSI - http://www.ssi.gouv.fr/fr/dcssi/

• Bernard Carayon - economic Site of intelligence
• CLUSIF - https://www.clusif.asso.fr
• CLUSIS (Swiss), on the standard ISO/CEI 17799 - http://www.ysosecure.com/doc-pdf/presentation-clusis-ISO-17799.pdf
• Wiki on the computer security
• MITER, supplier of the Department of Defense of the the United States

http://www.mitre.org/news/the_edge/february_01/highlights.html

http://www.mitre.org/work/tech_papers/tech_papers_98/nims_information/nims_info.pdf (1998)

• Anglo-Saxon Gate of safety http://www.infosyssec.org/infosyssec/security/secpol1.htm

Random links:

Jules Favre | Tympanon | Ferdinand Lassalle | Culture (ethology) | Steve Bendelack | Thomas_Berger

© 2007-2008 speedlook.com; article text available under the terms of GFDL, from fr.wikipedia.org