CS507 - Information Systems - Lecture Handout 31


Control Adjustment

This phase involves determining whether any controls can be designed, implemented and operated. The cost of devising controls should not exceed the expected potential benefit being encashed and the potential loss being avoided. This decision takes into account various factors such as personal judgment of the situation, any information gained on desired/non-existing controls during the previous phases, and the demands of users for an ideal control environment.

Existing controls should not be totally discarded while adjusting controls. They can either be terminated totally, because the threats no longer exist or better controls are available, or modified for betterment. This phase should ensure that security is cost effective and integrated.

Security to be cost effective

IT Guideline on security issued by IFAC states:

“Different levels and types of security may be required to address the risks to information. Security levels and associated costs must be compatible with the value of the information.”

An organization should consider various factors to make security cost effective. These factors include the criticality of information assets, the devising of safeguards, the cost of implementing safeguards, and an optimum balance between the harm arising from a security breach and the costs associated with the safeguards.

Level of integration of security

There should be harmonization of security systems with information systems. This helps achieve consistency in the security framework. Where information systems have some level of integration, the security system should have a corresponding level of integration, accepting the level of communication and interaction which is allowable in the IS itself.

Roles & Responsibility

For security to be effective, it is imperative that individual roles and responsibilities are clearly communicated and understood by all. Organizations must assign security-related functions in the appropriate manner to nominated employees. Responsibilities to consider include:

  1. Executive Management — assigned overall responsibility for the security of information;
  2. Information Systems Security Professionals — responsible for the design, implementation, management, and review of the organization’s security policy, standards, measures, practices, and procedures;
  3. Data Owners — responsible for determining sensitivity or classification levels of the data as well as maintaining accuracy and integrity of the data resident on the information system;
  4. Process Owners — responsible for ensuring that appropriate security, consistent with the organization’s security policy, is embedded in their information systems;
  5. Technology providers — responsible for assisting with the implementation of information security;
  6. Users — responsible for following the procedures set out in the organization’s security policy; and
  7. Information Systems Auditors — responsible for providing independent assurance to management on the appropriateness of the security objectives.

Report Preparation

This is the final phase. The report documents the findings of the review and makes recommendations. The critical part is to get management to accept the importance of the exposures identified. It is the responsibility of the security administrator to prove the possibility and benefits of the safeguards being recommended.

Meaning of threat

In literal terms, a threat is an expression of an intention to inflict pain, injury, evil, or punishment, and an indication of impending danger or harm. In day-to-day life, a threat is defined as an unwanted (deliberate or accidental) event that may result in harm to an asset. Often, a threat exploits one or more known vulnerabilities.

Identification of threats

Threats can be identified on the basis of the nature of the threat, which can be either accidental (natural occurrences/force majeure) or deliberate (intentional act of harm), or on the basis of the source of the threat, which can be either internal (caused within the organization) or external (from someone outside the organization).

Types of Threat

Threats can be divided into two broad categories:

  1. Physical threat
    This refers to the damage caused to the physical infrastructure of the information systems.
    Examples are natural disasters (fire, earthquake, flood), pollution, energy variations and physical intrusion.
  2. Logical threat
    This refers to damage caused to the software and data without physical presence. Examples are viruses and worms, and logical intrusion, commonly referred to as hacking.

Physical threats

Physical damage can render computer hardware useless. It may be caused by natural disasters (fire, earthquake, flood), pollution (dust) and energy variations. Reasonable measures should be taken to avoid undesirable consequences. The frequency/probability of such past occurrences should be established so that suitable remedial measures can be taken.

Energy Variations

They can disrupt not only the hardware but also the operational systems and applications systems.
The total power needs of an organization need to be carefully assessed and provided for. Power supply must be monitored to ascertain the range of voltage fluctuations and take suitable steps to upgrade voltage control equipment.
Energy variations can be of various types.

Surges or spikes – sudden increase in power supply
Sags or brown outs – sudden decrease in power supply
Black outs – total loss of power or power failure, whether scheduled or unscheduled
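
The monitoring described above can be sketched as follows. This is an added example, not part of the original handout: it groups voltage readings into surge, sag and blackout events and reports the observed range of fluctuation. The nominal voltage, the tolerance band, the blackout threshold and the sample readings are all assumptions constructed for illustration.

```python
from itertools import groupby

NOMINAL_V = 230.0   # assumption: nominal supply voltage
TOLERANCE = 0.10    # assumption: +/-10% band treated as normal
BLACKOUT_V = 10.0   # assumption: below this the supply counts as lost

# Constructed sample: (seconds since start, measured volts), one reading per second
SAMPLES = [(0, 229.0), (1, 231.5), (2, 262.0), (3, 258.0), (4, 230.0),
           (5, 198.0), (6, 195.5), (7, 201.0), (8, 228.0), (9, 0.0),
           (10, 0.0), (11, 0.0), (12, 0.0), (13, 227.0), (14, 230.5)]

def classify(volts):
    """Map one reading to the handout's categories of energy variation."""
    if volts < BLACKOUT_V:
        return "blackout"
    if volts > NOMINAL_V * (1 + TOLERANCE):
        return "surge"
    if volts < NOMINAL_V * (1 - TOLERANCE):
        return "sag"
    return "normal"

def find_events(samples):
    """Group consecutive abnormal readings into one event each."""
    events = []
    for kind, run in groupby(samples, key=lambda s: classify(s[1])):
        run = list(run)
        if kind == "normal":
            continue
        volts = [v for _, v in run]
        events.append({"type": kind, "start": run[0][0], "end": run[-1][0],
                       "readings": len(run),
                       "min_v": min(volts), "max_v": max(volts)})
    return events

def fluctuation_range(samples):
    """Observed voltage range while power was present (blackouts excluded)."""
    live = [v for _, v in samples if classify(v) != "blackout"]
    return (min(live), max(live)) if live else None

if __name__ == "__main__":
    for event in find_events(SAMPLES):
        print(event)
    print("range while powered:", fluctuation_range(SAMPLES))
```

The event counts per type give the frequency of past occurrences, and the measured range indicates what the voltage control equipment has to absorb.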

There can be various remedies to avoid the damages caused by the power variations. Un-interruptible power supplies (UPS) can be used to help avoid the turning on and off of electrical equipment.
Voltage regulators and circuit breakers can also be used to avoid undesirable results.
The design of the security system must also provide for the total loss of power. Certain systems should not fail and should keep working in case of total loss. Power doors can be deactivated manually, should the staff want to exit manually. Alarms and fire extinguisher systems should not fail in the event of total power loss.