Protection against unauthorized access to, or alteration of, information and system resources including CPUs, storage devices
- preventing unauthorized access; integrity
- preventing or detecting unauthorized modification of information.
- determining whether a user is who they claim to be.
* access control - ensuring that users can access the resources, and only the resources, that they are authorised to.
- proof that a message came from a certain source.
* availability - ensuring that a system is operational and accessible to authorised users despite hardware or software failures or attack.
* privacy - allowing people to know and control how information is collected about them and how it is used.
Security can also be considered in the following terms:
* physical security - who can touch the system to operate or modify it, protection against the physical environment - heat, earthquake, etc.
* operational/procedural security - who is authorised to do or responsible for doing what and when, who can authorise others to do what and who has to report what to who.
* personnel security - hiring employees, background screening, training, security briefings, monitoring and handling departures.
* System security - User access and authentication controls, assignment of privilege, maintaining file and filesystem integrity, backup
, monitoring processes, log-keeping, and auditing
* network security
- protecting network and telecommunications equipment, protecting network servers and transmissions, combatting eavesdropping, controlling access from untrusted networks, firewalls, and intrusion detection. Encryption
is one important technique used to improve data security.
OWASP is the free
application security community.