Security of Information System: Security Issues, Objective, Scope, Policy, Program

<< Critical Success Factors (CSF): CSF vs. Key Performance Indicator, Centralized vs. Distributed Processing

Threat Identification: Types of Threats, Control Analysis, Impact analysis, Occurrence of threat >>

Information System (CS507)

LESSON 29

Security of Information System

The information systems are vulnerable to modification, intrusion or malfunctioning. Hence they need to

be secured from all these threats be devising a sound security system.

"Information assets are secure when the expected losses that will occur from threats eventuating over

sometime are at an acceptable level."

28.1 Security Issues

Some losses will inevitably occur in all environments. So eliminating all possible losses is either impossible

or too costly. Level of losses should be specified. The level of losses decided should be linked with a time

period in which the occurrence would be tolerated. The definition mentions threats, which can be either

· Physical, (e.g. Theft, rain, earthquake, disasters, fire) or

· Logical (e.g intrusion, virus, etc)

Examples of intrusion

The security might be required to stop unauthorized access to the financial system of a bank from executing

fraudulent transactions. The purpose of intrusion may not only be to damage the database of the company

but may be limited to stealing customer list for personal use transferring money illegally. An employee

before leaving the company may have to be stopped from data manipulation, though he is having

authorized access to the system.

Management's responsibility

Executive management has a responsibility to ensure that the organization provides all users with a secure

information systems environment. Importance for security should be sponsored by the senior management.

This would make employees/users of IS, feel the importance of secure environment in which the IS works

and operates un-tampered.

Importance of Security

Sound security is fundamental to achieving this assurance. Furthermore, there is a need for organizations to

protect themselves against the risks inherent with the use of information systems while simultaneously

recognizing the benefits that can accrue from having secure information systems. Thus, as dependence on

information systems increases, security is universally recognized as a pervasive, critically needed, quality.

28.2 Security Objective

Organization for Economic Cooperation & Development, (OECD) in 1992 issued "Guidelines for the

Security of Information Systems". These guidelines stated the security objective as

"The protection of the interests of those relying on information, and the information systems and

communications that delivers the information, from harm resulting from failures of availability,

confidentiality, and integrity."

The security objective uses three terms

· Availability information systems are available and usable when required;

· Confidentiality data and information are disclosed only to those who have a right to know it;

129

Information System (CS507)

and

Integrity data and information are protected against unauthorized modification (integrity).

The relative priority and significance of availability, confidentiality, and integrity vary according to the data

within the information system and the business context in which it is used.

28.3 Scope of Security

The concept of security applies to all information. Security relates to the protection of valuable assets

against loss, disclosure, or damage. Valuable assets are the data or information recorded, processed, stored,

shared, transmitted, or retrieved from an electronic medium. The data or information must be protected

against harm from threats that will lead to its loss, inaccessibility, alteration or wrongful disclosure.

Types of Information Assets

The question is what needs to be protected in an Information systems environment? In a manual

environment, usually the records kept in hard form are the main information assets to be safeguarded

against various threats. In computerized environments the sensitivity of the record being kept is enhanced.

Information Assets can be classified as follows:

28.4 Security Policy

The organization that is concerned with protecting its information assets and information system should

devise a security policy to be communicated formally to all concerned in an organization. The security

policy should support and complement existing organizational policies. The thrust of the policy statement

must be to recognize the underlying value of, and dependence on, the information within an organization.

Contents of Security Policy

Security policy is a critical document which should be designed to include almost all aspects of security

issues.

· The importance of information security to the organization;

· A statement from the chief executive officer in support of the goals and principles of effective

information security;

· Specific statements indicating minimum standards and compliance requirements for specific areas:

· Assets classification;

· Data security;

· Personnel security;

· Physical, logical, and environmental security;

· Communications security;

· Legal, regulatory, and contractual requirements;

· System development and maintenance life cycle requirements;

· Business continuity planning;

· Security awareness, training, and education;

· Security breach detection and reporting requirements; and

· Violation enforcement provisions

· Definitions of responsibilities and accountabilities for information security, with appropriate

separation of duties;

· Particular information system or issue specific areas; and

· Reporting responsibilities and procedures

130

Information System (CS507)

Now the question that arises is how a security policy is to be devised. The organizations interested in raising

the security levels of their information system undergo what is commonly termed as "Security Program" or

"Security Review". This can be seen as a first attempt to devise a formal security policy for the organization.

28.5 Security Program

"A security program is a series of ongoing regular periodic reviews conducted to ensure that assets

associated with the information systems function are safeguarded adequately."

The first security review conducted is often a major exercise

Conducting Security Program

There are certain steps which need to be undertaken for conducting a security program.

Preparation of Project Plan

In this phase the review objectives of the security program are specified. The scope of the work to be done

needs to be defined at the outset. Since there are possibilities of getting bogged down into the unnecessary

details? This would help avoid too much of unnecessary work which may be undertaken with little benefit

ahead.

Major components of the project plan

· Objectives of the review: There has to be a definite set of objectives for a security review e.g. to improve

physical security over computer hardware in a particular division, to examine the adequacy of controls in

the light of new threat to logical security that has emerged, etc.

· Scope of the review: if the information system is an organization wide activity, what needs to be covered

has to be defined, e.g. scope will determine the location and name of computers to be covered in the

security review, etc.

· Tasks to be accomplished In this component, specific tasks under the overall tasks are defined e.g.

compiling the inventory of hardware and software may be one of many specific tasks to be undertaken

for security review.

· Organization of the project team A team is organized based on the needs of the security review.

· Resources budget What resources are required for conducting security review.

· Schedule for task completion Dates by which the tasks should be completed along with the objectives

to be achieved.

28.6 Identification of Assets

Identifying assets is the primary step in determining what needs to be protected. The classification of

information assets is already stated above. Unless the assets are defined, the related risks cannot be

determined that easily.

Ranking of Assets

131

Information System (CS507)

The assets identified earlier should be given a rank according to the importance they have. Following are the

critical issues

· Who values the asset? Various interested groups (end user, programmer, etc) may be asked to rank the

assets in accordance with the criticality of usage and importance to them and to the organization e.g

a scale between 0 to 10 can be used for this purpose.

Degrees of importance may be defined as very critical, critical, less critical, etc.

· How the asset is lost? a customer master file might be accidentally damaged but the impact of being

stolen would be higher.

· Period of obsolescence within what time the asset becomes of no use without being used. As time

passes by, assets keep losing value which also affects the security review.

Threat Identification

"A threat is some action or event that can lead to a loss."

During this phase, various types of threats that can eventuate and result in information assets being

exposed, removed either temporarily or permanently lost damaged destroyed or used for un-authorized

purposes are identified.

132

Table of Contents: