In this video, Marc Menninger describes four key concepts of an IT security career. Explore CIA, which stands for confidentiality, integrity, and availability, sometimes referred to as the CIA Triangle or CIA Triad. Understand how to determine security best practices. Learn about the concept of defense in depth. And finally, Marc explains policies, standards, procedures, and guidelines.
- [Instructor] There are four key concepts you are likely to encounter in an IT security career. I'll introduce CIA, best practices, defense in depth, and policies, standards, procedures, and guidelines in this video. If you are planning a career in the industry, the more you know about these concepts, the better. Let's start with the concept of CIA, and no, this isn't the Central Intelligence Agency. In the IT security world, CIA stands for confidentiality, integrity, and availability, and may sometimes be referred to as the CIA triangle or CIA triad.
It isn't unusual to see job listings requiring applicants have a fundamental understanding of CIA. CIA is often considered the foundational concept of IT security, because if you're missing any one of the components, the C, I, or A, you can't have strong security. In a nutshell, confidentiality refers to keeping secret information secret, integrity means protecting information from being changed or damaged, and availability means ensuring information is available when needed.
Companies and organizations will expect you to understand and apply the CIA concept in your role supporting the security program. The next key concept is best practices. IT security job listings may say something like the candidate must know security best practices. Best practices refers to the methodologies generally recognized to achieve strong security within an organization. But if you'd like to find the definitive source for IT security best practices you're going to have a challenge, because there really isn't any.
True, you can do a web search and find plenty of sites talking about security best practices, but their interpretation of best practices may not match other sources. Everyone seems to have their own opinion about what best practices are. My advice to anyone wanting to understand security best practices is to start by studying IT security frameworks, such as ISO/IEC 27001/27002, NIST Special Publication 800-53, the CIS Critical Security Controls, and the PCI Data Security Standard.
Links to these frameworks are available in the handout for this video. These frameworks are internationally recognized security standards that will cover what most people consider to be security best practices. After you're familiar with those you can conduct your own web research to fill in any gaps. Another key concept you'll likely encounter in your IT security career is the concept of defense in depth. Defense in depth is the classic military idea of having many lines of defense to protect from the same form of attack.
That's why castles will have moats, high walls, and archers to protect against enemy armies. Similarly, organizations want to have many ways to protect against security threats in case any one of them fails. This is also referred to as the belt and suspenders approach. So an example of defense in depth to protect against malware would be anti-malware controls on firewalls and mail servers, network monitors to detect malware traffic signatures, and anti-malware software on all servers and workstations.
And the final IT security key concept is policies, standards, procedures, and guidelines. Many IT security jobs will require you to support, enforce, develop, or implement security policies, standards, guidelines, and even procedures. They may sound similar, but they're really quite different. Policies are general statements from management about security rules that need to be followed, standards are specific mandatory security controls, procedures are step-by-step instructions for implementing the standards and policies, and guidelines are recommended actions to follow.
The more you work with security policies, standards, and guidelines, the more clearly you'll recognize the differences between them. You'll certainly run across other security concepts in your career, but in this video I've covered four of the most common that you'll be expected to know and may be asked about.