Today, IT system and software security has become critically important, because increasingly sophisticated technologies and ever-greater interconnectivity is empowering malicious users whose actions can have a dramatic impact on the privacy of both enterprises and individuals. Security expertise addresses these concerns specifically, throughout the software engineering life-cycle, with audit based security requirements engineering, security policy modelling, secure architecture design, security-oriented code analysis and preparation for security certification, such as the Common Criteria.
The security of information systems is the set of measures and controls that are put in place to ensure confidentiality, integrity, and availability of the information being processed and/or stored by the information systems. These measures and controls span across various domains such as technical, organizational, legal, and societal. A security infrastructure is deployed to assure the protection of information systems by mitigating risks to the information assets. It is developed to meet the objectives of the security policy that is defined on the basis of the risks analysis carried-out in line with the threats analysis. There is no single security mechanism that can answer all the security requirements. A range of these mechanisms include ciphering (cryptography), access control, trusted functionalities, security monitoring, incidence response, and audit trails.
The notion of trust in the information systems has been receiving increasing attention ever since the open environments are gaining grounds in the computing world. The comoditisation of the computing resources offers fascinating prospects for the individuals and businesses, where they can use inexpensive computing environments at no total cost of ownership (TCO). However, the downsides of this paradigm are the concerns related to data protection and privacy issues. The stakes are much higher when it comes to the personal, social, financial, or business interests. It is therefore necessary to develop trust between the providers and consumers of information services in the cyberspace. Trust is no doubt a subjective judgement of humans, technology can nevertheless play a significant role in resolving trust issues by providing reliable means such as security testing (e.g. penetration testing), and monitoring of service level agreements (SLA).
It is important to remember that security is not a product, it is a process that should be regularly revised and updated. It is the quality of security services that constitute the basis of trust in the information systems.
This area is very wide, is related to many disciplines. CETIC takes into account the security dimension through its various expertises.