Overview
Français
ABSTRACT
This article deals with the notion of safety and security as understood for software.
After an introduction that presents the risks involved in programmed systems, it explains the need to distinguish between the fields of information systems and scientific and technical software.
The article is then devoted to the challenges and objectives of cybersecurity and presents recent feedback on the subject. It addresses risk avoidance methods based on intrusive testing, risk analysis or management of the software development process. The main risk mitigation solutions are also presented.
The article concludes by reviewing the normative and certification aspects related to the security of information technology.
Read this article from a comprehensive knowledge base, updated and supplemented with articles reviewed by scientific committees.
Read the articleAUTHOR
-
Frédérique VALLÉE: Agrégée in mathematics – Doctorate in statistics - Expert in programmed system dependability and consultant
INTRODUCTION
The safety of a system corresponds to the non-occurrence of events that could diminish or damage the integrity of the system and its environment, throughout the duration of the system's activity, whether successful, degraded or failed. Security covers both random (danger) and deliberate (threat) events.
Nowadays, virtually all sectors of activity, whether industrial or service, require high-level safety systems. These systems - particularly autonomous systems, which are increasingly entrusted with tasks for which humans are no longer in the loop - are highly constrained. They have to be developed at the lowest possible cost, are often at the frontiers of technological knowledge, and have little feedback from experience. Achieving these sometimes contradictory performances requires not only the use of specific tools, but also the rigorous implementation of an organization adapted to the objectives sought.
Nowadays, software plays a key role in embedded systems and in so-called control systems: it's software that starts or brakes cars, it's software that regulates the distribution of electricity on the national grid, it's software that dispatches telephone calls, and it's software that controls automated manufacturing in factories. It drives drones, and there are plans to entrust it with the driving of autonomous vehicles in the near future.
Since the advent of office automation, software has also been at the heart of the information system that no company can do without today. Today, this system enables companies to harmoniously manage customers, purchasing, production, accounting, personnel, and so on. In recent years, the need for widespread teleworking has further accentuated and complicated this relationship of dependence between the company and its information system.
Whether their main function is administrative or technical, programmed systems can, if they malfunction or are inadequately protected, cause human, material or economic disasters of varying scale. As computer technology is quite different from other technologies, it soon became clear that specific techniques were needed to manage the risks associated with these systems.
This article presents IT risks in general, then reviews the differences to be taken into account when managing the security of information systems and that of scientific and technical systems. It then looks more specifically at the techniques used for information systems, with aspects relating to scientific and technical systems covered in a second article
The Ultimate Scientific and Technical Reference
KEYWORDS
safety | risk management | information systems | cybersecurity | intrusive testing
EDITIONS
Other editions of this article are available:
This article is included in
Safety and risk management
This offer includes:
Knowledge Base
Updated and enriched with articles validated by our scientific committees
Services
A set of exclusive tools to complement the resources
Practical Path
Operational and didactic, to guarantee the acquisition of transversal skills
Doc & Quiz
Interactive articles with quizzes, for constructive reading
IT security for risk management
IT risks
Bibliography
Websites
CLUSIF – French information systems security club
AFAI – French IT audit and consulting association
ANSSI – Agence nationale de la sécurité des systèmes d'information (French...
Standards and norms
- Risk management – Vocabulary – Guidelines for use in standards - ISO 73 Guide ISO 7312-09 -
- Information Technology – Safety technology – Information security management systems –Requirements - ISO CEI 27001-22 -
- Information Technology – Safety technology – Code of practice for information security management - ISO CEI 27002-22 -
- Information Technology – Safety technology – Guidelines for...
The Ultimate Scientific and Technical Reference
