ZeePedia

Security of Information System: Security Issues, Objective, Scope, Policy, Program

VU
Information System (CS507)
LESSON 29
Security of Information System
Information systems are vulnerable to modification, intrusion or malfunctioning. Hence they need to
be secured from all these threats by devising a sound security system.
"Information assets are secure when the expected losses that will occur from threats eventuating over
sometime are at an acceptable level."
28.1 Security Issues
Some losses will inevitably occur in all environments, so eliminating all possible losses is either impossible
or too costly. The acceptable level of losses should be specified, and it should be linked with a time
period in which the occurrence would be tolerated. The definition mentions threats, which can be either:
·  Physical (e.g. theft, rain, earthquake, disasters, fire), or
·  Logical (e.g. intrusion, virus, etc.)
Examples of intrusion
Security might be required to stop someone with unauthorized access to the financial system of a bank from
executing fraudulent transactions. The purpose of an intrusion may not only be to damage the database of the
company; it may be limited to stealing a customer list for personal use or transferring money illegally. An
employee may have to be stopped from manipulating data before leaving the company, even though he has
authorized access to the system.
Management's responsibility
Executive management has a responsibility to ensure that the organization provides all users with a secure
information systems environment. The importance of security should be sponsored by senior management.
This makes employees and users of the IS feel the importance of a secure environment in which the IS works
and operates untampered.
Importance of Security
Sound security is fundamental to achieving this assurance. Furthermore, organizations need to
protect themselves against the risks inherent in the use of information systems while simultaneously
recognizing the benefits that can accrue from having secure information systems. Thus, as dependence on
information systems increases, security is universally recognized as a pervasive, critically needed quality.
28.2 Security Objective
Organization for Economic Cooperation & Development, (OECD) in 1992 issued "Guidelines for the
Security of Information Systems". These guidelines stated the security objective as
"The protection of the interests of those relying on information, and the information systems and
communications that delivers the information, from harm resulting from failures of availability,
confidentiality, and integrity."
The security objective uses three terms:
·  Availability - information systems are available and usable when required;
·  Confidentiality - data and information are disclosed only to those who have a right to know it; and
·  Integrity - data and information are protected against unauthorized modification.
The relative priority and significance of availability, confidentiality, and integrity vary according to the data
within the information system and the business context in which it is used.
28.3 Scope of Security
The concept of security applies to all information. Security relates to the protection of valuable assets
against loss, disclosure, or damage. Valuable assets are the data or information recorded, processed, stored,
shared, transmitted, or retrieved from an electronic medium. The data or information must be protected
against harm from threats that will lead to its loss, inaccessibility, alteration or wrongful disclosure.
Types of Information Assets
The question is: what needs to be protected in an information systems environment? In a manual
environment, usually the records kept in hard form are the main information assets to be safeguarded
against various threats. In computerized environments the sensitivity of the record being kept is enhanced.
Information Assets can be classified as follows:
28.4 Security Policy
The organization that is concerned with protecting its information assets and information system should
devise a security policy to be communicated formally to all concerned in an organization. The security
policy should support and complement existing organizational policies. The thrust of the policy statement
must be to recognize the underlying value of, and dependence on, the information within an organization.
Contents of Security Policy
Security policy is a critical document which should be designed to include almost all aspects of security
issues.
·  The importance of information security to the organization;
·  A statement from the chief executive officer in support of the goals and principles of effective
information security;
·  Specific statements indicating minimum standards and compliance requirements for specific areas:
   · Assets classification;
   · Data security;
   · Personnel security;
   · Physical, logical, and environmental security;
   · Communications security;
   · Legal, regulatory, and contractual requirements;
   · System development and maintenance life cycle requirements;
   · Business continuity planning;
   · Security awareness, training, and education;
   · Security breach detection and reporting requirements; and
   · Violation enforcement provisions
·  Definitions of responsibilities and accountabilities for information security, with appropriate
separation of duties;
·  Particular information system or issue specific areas; and
·  Reporting responsibilities and procedures
Now the question that arises is how a security policy is to be devised. Organizations interested in raising
the security levels of their information systems undergo what is commonly termed a "Security Program" or
"Security Review". This can be seen as a first attempt to devise a formal security policy for the organization.
28.5 Security Program
"A security program is a series of ongoing regular periodic reviews conducted to ensure that assets
associated with the information systems function are safeguarded adequately."
The first security review conducted is often a major exercise.
Conducting Security Program
There are certain steps which need to be undertaken for conducting a security program.
Preparation of Project Plan
In this phase the review objectives of the security program are specified. The scope of the work to be done
needs to be defined at the outset, since there is a possibility of getting bogged down in unnecessary
details. Defining the scope helps avoid unnecessary work that would be undertaken with little benefit.
Major components of the project plan
· Objectives of the review - There has to be a definite set of objectives for a security review, e.g. to improve
physical security over computer hardware in a particular division, to examine the adequacy of controls in
the light of a new threat to logical security that has emerged, etc.
· Scope of the review - If the information system is an organization-wide activity, what needs to be covered
has to be defined, e.g. the scope will determine the location and name of computers to be covered in the
security review, etc.
· Tasks to be accomplished - In this component, specific tasks under the overall tasks are defined, e.g.
compiling the inventory of hardware and software may be one of many specific tasks to be undertaken
for the security review.
· Organization of the project team - A team is organized based on the needs of the security review.
· Resources budget - What resources are required for conducting the security review.
· Schedule for task completion - Dates by which the tasks should be completed, along with the objectives
to be achieved.
28.6 Identification of Assets
Identifying assets is the primary step in determining what needs to be protected. The classification of
information assets is already stated above. Unless the assets are defined, the related risks cannot easily be
determined.
Ranking of Assets
The assets identified earlier should be ranked according to their importance. Following are the
critical issues:
· Who values the asset? - Various interested groups (end user, programmer, etc.) may be asked to rank the
assets in accordance with the criticality of usage and importance to them and to the organization, e.g.:
   - A scale from 0 to 10 can be used for this purpose.
   - Degrees of importance may be defined as very critical, critical, less critical, etc.
· How is the asset lost? - A customer master file might be accidentally damaged, but the impact of its being
stolen would be higher.
· Period of obsolescence - The time within which the asset becomes of no use, even without being used. As time
passes, assets keep losing value, which also affects the security review.
Threat Identification
"A threat is some action or event that can lead to a loss."
During this phase, the various types of threats are identified that can eventuate and result in information assets
being exposed, removed (either temporarily or permanently), lost, damaged, destroyed or used for unauthorized
purposes.