CS507 - Information Systems - Lecture Handout 29

User Rating:  / 0

Related Content: CS507 - VU Lectures, Handouts, PPT Slides, Assignments, Quizzes, Papers & Books of Information Systems

Security of Information System

The information systems are vulnerable to modification, intrusion or malfunctioning. Hence they need to be secured from all these threats be devising a sound security system.

“Information assets are secure when the expected losses that will occur from threats eventuating over sometime are at an acceptable level.”

Security Issues

Some losses will inevitably occur in all environments. So eliminating all possible losses is either impossible or too costly. Level of losses should be specified. The level of losses decided should be linked with a time period in which the occurrence would be tolerated. The definition mentions threats, which can be either

  • Physical, (e.g. Theft, rain, earthquake, disasters, fire) or
  • Logical (e.g intrusion, virus, etc)

Examples of intrusion

The security might be required to stop unauthorized access to the financial system of a bank from executing fraudulent transactions. The purpose of intrusion may not only be to damage the database of the company but may be limited to stealing customer list for personal use transferring money illegally. An employee before leaving the company may have to be stopped from data manipulation, though he is having authorized access to the system.

Management’s responsibility

Executive management has a responsibility to ensure that the organization provides all users with a secure information systems environment. Importance for security should be sponsored by the senior management. This would make employees/users of IS, feel the importance of secure environment in which the IS works and operates un-tampered.

Importance of Security

Sound security is fundamental to achieving this assurance. Furthermore, there is a need for organizations to protect themselves against the risks inherent with the use of information systems while simultaneously recognizing the benefits that can accrue from having secure information systems. Thus, as dependence on information systems increases, security is universally recognized as a pervasive, critically needed, quality.

Security Objective

Organization for Economic Cooperation & Development, (OECD) in 1992 issued “Guidelines for the Security of Information Systems”. These guidelines stated the security objective as

“The protection of the interests of those relying on information, and the information systems and communications that delivers the information, from harm resulting from failures of availability, confidentiality, and integrity.”

The security objective uses three terms

  • Availability – information systems are available and usable when required;
  • Confidentiality – data and information are disclosed only to those who have a right to know it; and
  • Integrity – data and information are protected against unauthorized modification (integrity).

The relative priority and significance of availability, confidentiality, and integrity vary according to the data within the information system and the business context in which it is used.

Scope of Security

The concept of security applies to all information. Security relates to the protection of valuable assets against loss, disclosure, or damage. Valuable assets are the data or information recorded, processed, stored, shared, transmitted, or retrieved from an electronic medium. The data or information must be protected against harm from threats that will lead to its loss, inaccessibility, alteration or wrongful disclosure.

Types of Information Assets

The question is what needs to be protected in an Information systems environment? In a manual environment, usually the records kept in hard form are the main information assets to be safeguarded against various threats. In computerized environments the sensitivity of the record being kept is enhanced. Information Assets can be classified as follows:

Security Policy

The organization that is concerned with protecting its information assets and information system should devise a security policy to be communicated formally to all concerned in an organization. The security policy should support and complement existing organizational policies. The thrust of the policy statement must be to recognize the underlying value of, and dependence on, the information within an organization.

Contents of Security Policy

Security policy is a critical document which should be designed to include almost all aspects of security issues.

  • The importance of information security to the organization;
  • A statement from the chief executive officer in support of the goals and principles of effective information security;
  • Specific statements indicating minimum standards and compliance requirements for specific areas:
    • Assets classification;
    • Data security;
    • Personnel security;
    • Physical, logical, and environmental security;
    • Communications security;
    • Legal, regulatory, and contractual requirements;
    • System development and maintenance life cycle requirements;
    • Business continuity planning;
    • Security awareness, training, and education;
    • Security breach detection and reporting requirements; and
    • Violation enforcement provisions
      • Definitions of responsibilities and accountabilities for information security, with appropriate separation of duties;
      • Particular information system or issue specific areas; and
      • Reporting responsibilities and procedures

Now the question that arises is how a security policy is to be devised. The organizations interested in raising the security levels of their information system undergo what is commonly termed as “Security Program” or “Security Review”. This can be seen as a first attempt to devise a formal security policy for the organization.

Security Program

“A security program is a series of ongoing regular periodic reviews conducted to ensure that assets associated with the information systems function are safeguarded adequately.”

The first security review conducted is often a major exercise

Conducting Security Program

There are certain steps which need to be undertaken for conducting a security program.

Preparation of Project Plan

In this phase the review objectives of the security program are specified. The scope of the work to be done needs to be defined at the outset. Since there are possibilities of getting bogged down into the unnecessary details? This would help avoid too much of unnecessary work which may be undertaken with little benefit ahead.

Major components of the project plan

  • Objectives of the review: There has to be a definite set of objectives for a security review e.g. to improve physical security over computer hardware in a particular division, to examine the adequacy of controls in the light of new threat to logical security that has emerged, etc.
  • Scope of the review: if the information system is an organization wide activity, what needs to be covered has to be defined, e.g. scope will determine the location and name of computers to be covered in the security review, etc.
  • Tasks to be accomplished – In this component, specific tasks under the overall tasks are defined e.g. compiling the inventory of hardware and software may be one of many specific tasks to be undertaken for security review.
  • Organization of the project team – A team is organized based on the needs of the security review.
  • Resources budget – What resources are required for conducting security review.
  • Schedule for task completion – Dates by which the tasks should be completed along with the objectives to be achieved.

Identification of Assets

Identifying assets is the primary step in determining what needs to be protected. The classification of information assets is already stated above. Unless the assets are defined, the related risks cannot be determined that easily.

Ranking of Assets

The assets identified earlier should be given a rank according to the importance they have. Following are the critical issues

  • Who values the asset? – Various interested groups (end user, programmer, etc) may be asked to rank the assets in accordance with the criticality of usage and importance to them and to the organization e.g
    • a scale between 0 to 10 can be used for this purpose.
    • Degrees of importance may be defined as very critical, critical, less critical, etc.
  • How the asset is lost? – a customer master file might be accidentally damaged but the impact of being stolen would be higher.
  • Period of obsolescence – within what time the asset becomes of no use without being used. As time passes by, assets keep losing value which also affects the security review.

Threat Identification

“A threat is some action or event that can lead to a loss.”

During this phase, various types of threats that can eventuate and result in information assets being exposed, removed either temporarily or permanently lost damaged destroyed or used for un-authorized purposes are identified.