Information Security Management - Practices
The next general management practice is Information Security Management. For purposes of the exam, you simply need to recall the definition of the Information Security Management practice. The Information Security Management practice is there to protect the information needed by the organization to conduct its business. So, what is Information Security Management really all about then? It is all about understanding and managing risks to your Confidentiality, Integrity, Availability, Authentication and Non-repudiation of your information systems.
If you think about it this way, Information Security is all about cybersecurity. It is about preventing things like data breaches, and hackers from attacking your organization. When you think about confidentiality, you want to make sure your data remains confidential, which means it is safe from prying eyes. This usually done by encrypting your data, and that way, somebody can't just go in and look at it or worse, steal it. About the integrity of your data, focus on making sure the data doesn't change, either while it is in transit, in use, or even when it's only being stored. To do this, you usually do a hashing function against the information, and that gives you a digital fingerprint to know whether a file has been changed by a malicious attacker.
When it comes to availability, think about things like making sure that a customer can get access to the data when and where they need it. So, if you had a website that had great confidentiality and great integrity, but you could never access it, then it has horrible availability and it means that service is going to fail. Availability is also really important. The way to get good availability is by making sure you have redundant and highly available systems, such as ones that have multiple connections to the outside world. You might want to have 2 internet connections, or 2 sets of switches, or 2 sets of servers, so in an event that one goes down, the other one can still carry the load.
Authentication is concerned with making sure that you are who you say you are, when you're requesting access to the information. The most common form of authentication is a username and password, but there are lots of other ways to do authentication. These days, it is now more common to use biometric systems as human biometrics are unique to each person such as thumbprints, face or eye recognition. There are also systems where when you login with your username and password, it emails back a code to your email or phone, which you have to access and then put the code which you received in your inbox to access the system. This is also called 2-factor authentication of 2FA. The whole idea of authentication is proving you are who you say you are.
With non-repudiation, you're trying to make sure that you are who you say you are, and you can't say you didn't do what you did. Non-repudiation is really focused on the fact of if you took an action on a website, you have no way to say you didn't do it. There are lots of ways to ensure non-repudiation, and most of them involve having some form of proper authentication. For example, if you wanted to have non-repudiation of an email you sent, you can digitally sign it with you private key, and it means that nobody else could've signed it with that private key, because you're the only one who has it. So even if you said you didn't send that email, your recipient has proof that you in fact were the one who sent it and no one else. And that's the concept of non-repudiation.
For the ITIL 4 exam, you only need to know the purpose of Information Security Management. That purpose is to protect the information needed by the organization to conduct its business. This is something you want to make sure you have down in your notes, and you're memorizing before the exam.