Chapter Two

Fundamentals of Information Systems

Security
Components of Information System Security
✓ The basic components of information security are Confidentiality, Integrity and
Availability (C.I.A).
✓ These three components are the fundamental objectives of computer network and
Information security.
A. Confidentiality
✓ Confidentiality ensures that only those with the rights and privileges to access information
are able to do so.
✓ When unauthorized individuals or systems can view information, confidentiality is
breached.
✓ To protect the confidentiality of information, you can use a number of measures, including
the following:
➢ Information classification
➢ Secure document storage
➢ Application of general security policies
➢ Education of information custodians and end users
B. Integrity
✓ The integrity of information is threatened when the information is exposed to corruption,
damage, destruction or other disruption of its authentic state.
✓ Key methods for assuring information integrity are: -
o file hashing: -in which a file is read by a special algorithm that uses the value of the
bits in the file to a single large number called a hash value. the hash value for any
combination of bits is unique. If the system performs the same hashing algorithm on
a file and obtains different number that all that value for that file, that file has been
compromised and the integrity of the information is lost.
o Look for changes in file integrity as shown by the size of the file.

1
C. Availability
✓ Enable authorized users’ persons or computer systems to access information without
interference or obstruction and to receive it in the required format.
✓ Factors that affect the availability of information and information security system(threats):
➢ Files stored in personal directories may not be available to other
employee value needed.
➢ Hardware failures could affect the availability of company resource
➢ A failure in the data circuit could prohibit system access
➢ Upgrades in the software may prohibit access

Principles of IS Security
✓ Information security principles denote the basic guideline that should be used
when designing a secure system.
✓ There are many best practices in information security that are specific to certain
industries or business but some apply broadly.
1. Balance protection with utility: - deals in information system security the way of
finding a balance between resource availability, the confidentiality and integrity of
the resources. Rather than trying to protect against all kinds of threats focus on
insulating the most vital systems and then finding acceptable ways to protect the rest
without making them useless.
2. Split up the users and resources: - for an information system to work it most know
who is allowed to see and do particular things this means that a system administrator
needs to assign access by a person’s job types and may need to further refine those
limits according to organizational separations.
3. Assign minimum privileges: -an individual should be assigned the minimum
privileged needed to carry out his or her responsibilities, if a person’s responsibilities
change so will the privilege assigning minimum privilege reduce the chance just from
design will walk out the door with all the marketing data. The principle of least
privilege stipulates, “Do not give any more privileges than absolutely necessary to do
the required job”. The principle of least privilege is a preventive control, because it
reduces the number of privileges that may be potentially abused and therefore limits
the potential damage. Examples
✓ Giving users read only access to shared files if that’s what they need, and
making sure write access is disabled
✓ Not allowing help desk staff to create or delete user accounts if all that they
may have to do is to reset a password
✓ Not allowing software developers to move software from development servers
to production servers
4. Use independent defenses: - using one really good defense such as authentication
protocols is only good until someone breaches it. when several independent defenses
are employed an attacker must use several different strategies to get through them.
Introducing this type of complexity doesn’t provide 100% protection against attacks
but it does reduce the chances of successful attacks.

2
 5. Plan for failures: - this will help minimize its actual consequences should it occur.
having backup systems in place before hand allows constantly monitor security
measures and react quickly to a breach. If the break is not serious the business or
organizations can keep operating on backup while the problem is addressed.
6. Record: - a security system will never be breached but when a security break does take
place the event should be recorded. In fact, IT staff often record as much as they can
even when a breach isn’t happening. Sometimes the causes of breaches aren’t apparent
after the fact. So, it is important to have data to track backwards. Data from breaches
will eventually help to improve the system and prevent future attacks- even if it doesn't
initially make sense.
7. Run frequent tastes: - hackers are constantly running their craft. which means
information security must evolve to keep up.IT professionals run tests conduct risk
assessments reread the disaster recovery plan, check the business continuity plan in
case of attack and then do it all over again.it limits according to organizational
separations.

IS Security Protection Mechanisms

Technical controls
✓ Access controls, firewalls, dial-up protection, intrusion detection systems, scanning and
analysis tools, and encryption systems

Management control
✓ policy and education, training, and awareness efforts, etc.

3
Introduction to Information Security Policy
IS Security Policy
✓ Is a document or set of documents that states an organizations intention and
decisions on what and how electronic information should be secured.
✓ A statement of what is and what is not allowed
✓ It is also a set of rules laid down by the security authority governing the use and provisions
of security services and facilities.
✓ The meaning of security policy depends on the context of in which it is used.

➢ Government agencies
➢ Credit card agencies
➢ The foundation for the information security architecture and blueprint: policy,
standard and practices
➢ The creation and maintenance of these elements require coordinated planning.
(strategic and contingency planning)
➢ Policies: - Like laws, they define what is right, what is wrong, what the penalties
are for violating policy and what the appeal process is.
✓ Put in place to support the mission, vision and strategic planning of an organization.
✓ Standards: - mode detailed statements of what must be done to comply with policy.
➢ Have the same requirements for compliance as policies
➢ May be informal or part of an organizational culture
4
 ➢ May be also published, scrutinized and ratified by group, as in formal
Practices, Procedures and Guidelines: - effectively explain how to comply with policy

IS Security: Policies and Procedures

✓ Policy is a high-level statement of enterprise beliefs, goals, and procedures and
the general means for their attainment
✓ Standards are mandatory requirements that support individual policies
✓ Procedures are mandatory step-by-step, detailed actions required to complete a task
successfully
✓ Guidelines are similar to standards but are not mandatory

5
 ✓ An information protection program should be part of an overall asset protection program
✓ Information security policies, standards and procedures enable organizations to
➢ Ensure that their security policies are properly addressed
➢ Every employee knows what s/he needs to do to ensure the information security
of the company
➢ Similar responses is given for every problem

Developing policies: A good policy

should

✓ Be easy to understand (By all people who will have to read the policy)
✓ Be applicable (Don’t copy others’ policy word by word since it may not be applicable to
you)
✓ Be do-able (The restrictions should not stop work!)
✓ Be enforceable (If it cannot be enforced, it will probably remain on paper)
✓ Be phased in (Organizations need time to digest policy)
✓ Be proactive (Say what needs to be done rather than what is not allowed)
✓ Avoid absolute (Be diplomatic)

6
 ✓ Meet business objectives Should lower the security risks to a level acceptable by the
organization without hampering the work of the organization to an unacceptable level

Developing policies: There are three

types (Tiers) of policies

✓ Global policies (Tier 1)

➢ Used to create the organization’s overall vision and direction
✓ Topic specific policies (Tier 2)
➢ Address particular subject of concern → Ex. Antivirus, E-mail
✓ Application-specific policies (Tier 3)
➢ Decisions taken by management to control particular applications→Ex.
Accounting system

Information Classification Policy

Why classify?
✓ Among the information available in the enterprise there are (approx.)

➢
10% confidential information
➢
80% internal use information
➢ 10% public information
✓ It would be a big a waste of resources to give the same level of security for all the
information
✓ You don’t put everything you own in a safe!

What is a confidential information?

✓ Information, if disclosed, could
➢ Violate privacy of individuals
➢ Reduce company’s competitive advantage
➢ Cause damage to the organization

Developing standards
✓ Standards define what is to be accomplished in specific terms
✓ Every industry has standards that try to ensure some quality of product or service, or
enable interoperability
✓ Many industry standards have information security issues→ Ex. Banking, Healthcare
✓ Some of the standards become national regulations and organizations will have to follow
that
✓ Organizations can also develop their own standards (enterprise
standards)

7
 ✓ Standards are easier to update than global policies
✓ Standards have to be reviewed regularly (every year for example)

Standards must be
✓ Reasonable
✓ Flexible
✓ Current
✓ Practical
✓ Applicable
✓ Reviewed regularly
Standards should enable the enterprise to fulfill its business objectives while minimizing the
security risks

Developing Procedures
✓ Developing a procedure should be faster than developing a policy since it does not need
to be approved by management
✓ The best way to write a procedure is to use a technical writer (different from the subject
matter expert – SME)

Procedure writing process

✓ Interview with the SME
✓ Preparation of a draft
✓ Review of the draft by the SME
✓ Update of the procedures based on the comments
✓ Final review by SME
✓ Update of the procedures based on the comments
✓ Testing of the procedures
✓ Publishing of the procedure

Elements of Policies
✓ Set the tone of Management
✓ Establish roles and responsibility
✓ Define asset classifications
✓ Provide direction for decisions
✓ Establish the scope of authority
✓ Provide a basis for guidelines and procedures
✓ Establish accountability
✓ Describe appropriate use of assets
✓ Establish relationships to legal requirements

8
 Why do we need a security policy?
✓ Provides a comprehensive framework for the selection and implementation of security
measures
✓ Communication means among different stakeholders
✓ Management of resources→ people, skills, money, time
✓ Conveys the importance of security to all members of the organization
✓ Helps create a “security culture”
✓ Shared beliefs and values concerning security
✓ Legal obligation
✓ Helps promote “trust relationships” between the organizations and its business
partners / clients

Types of Security Policy?

✓ Computer-Oriented:

✓ Information Security Policies that implement access control (Discretionary

Access Control, Mandatory Access Control)
✓ Operating Systems
✓ Networks
✓ Application
✓ Human Oriented:
✓ Scope: Department, Organization
✓ Applied by IS Users
✓ Individual:
✓ Application or System (E.G. Email Policy)
✓ “Use Policies”
✓ Modular:
✓ Comprehensive document with multiple annexes containing specific (e.G. Per
application or system) policies
✓ Can be in hypertext form
✓ Comprehensive:
✓ One document addressing all applications, processes and systems
✓ Big volume, not easy to use
✓ Contain high level security guidelines

What Makes A Security Policy Effective (Criteria)?

✓ Dissemination (Distribution): - the organization must be able to demonstrate that the

policy has been made readily available for review by the employee. Common
dissemination techniques include hard copy and electronic distribution.
✓ Review (Reading): -the organizations must be able to demonstrate that it disseminated the
document in an intelligible form, including versions for illiterate, non-English reading and

9
 reading impaired employees, common techniques include according the policy in English
and other language.
✓ Comprehension (Understanding): -the organization must be able to demonstrate that the
employee understood the requirements and content of the policy. Common techniques
include quizzes and other assessments.
✓ Compliance (Agreement): -The organization must be able to demonstrate that the
employees agree to comply with the policy through act or affirmation. Common techniques
includes logon banners which require a specific action(mouse click or keystroke) to
acknowledge agreement or signed document clearly indicating the employee has read
understood and to comply with the policy.
✓ Uniform Enforcement: - The organization must be able to demonstrate that the policy has
been uniformly enforced regardless of employee status or assignment
Who involved In Policy?
✓ Security experts
➢ Design, review and update the policy
✓ System / network administrators
➢ Implement security controls, guidelines
✓ Management
➢ Set security goals
➢ Provide resources
✓ Users
➢ Follow security procedures
➢ Auditors
➢ Monitor compliance

Designing a Security Policy

✓ Economy of mechanism: the design of security measures should be as
➢ simple as possible
➢ Simpler to implement and to verify
➢ Fewer vulnerabilities
✓ Open design: the design should be open rather than secret (e.g., encryption algorithms)
✓ Isolation

➢ Public access should be isolated from critical resources (no connection between
public and critical information)
➢ Users files should be isolated from one another (except when desired)
➢ Security mechanism should be isolated (i.e., preventing access to those
mechanisms)
✓ Encapsulation: similar to object concepts (hide internal structures)
✓ Least common mechanism: a design should minimize the function shared by different
users (providing mutual security; reduce deadlock)
✓ Layering (defense in depth): use of multiple, overlapping protection approaches
10
✓ Separation of privilege: multiple privileges should be needed to do achieve access (or
complete a task)
✓ Least privilege: every user (process) should have the least privilege to perform a task
✓ Psychological acceptability: security mechanisms should not interfere unduly with the
work of users

11
Step 1 – Collect Background Information
✓ Obtain existing policies.
✓ Identify what levels of control are needed.
✓ Identify who should write the policies
Step 2 – Perform Risk Assessment
✓ Justify the Policies with Risk Assessment
✓ Identify the critical functions
✓ Identify the critical processes
✓ Identify the critical data
✓ Assess the vulnerabilities
Step 3 – Create a Policy Review Board
✓ The Policy Development Process
✓ Write the initial “Draft”
✓ Send to the Review Board for Comments
✓ Incorporate Comments
✓ Resolve Issues Face-to-Face
✓ Submit “Draft” Policy to Cabinet for Approval

12
Step 4 – Develop the Information Security Plan
✓ Establish goals
✓ Define roles
✓ Define responsibilities
✓ Notify the User community as to the direction
✓ Establish a basis for compliance, risk assessment, and audit of information security
Step 5 – Develop Information Security Policies, Standards, and Guidelines
✓ Policies: High level statements that provide guidance to workers who must make present
and future decision
✓ Standards: Requirement statements that provide specific technical specifications
✓ Guidelines: Optional but recommended specifications
Step 6 – Implement Policies and Standards
✓ Distribute Policies.
✓ Obtain agreement with policies before accessing the Systems.
✓ Implement controls to meet or enforce policies.
Step 7 – Awareness and Training
✓ Makes users aware of the expected behavior
✓ Teaches users How & When to secure information
✓ Reduces losses & theft
✓ Reduces the need for enforcement
Step 8 – Monitor for Compliance
✓ Management is responsible for establishing controls.
✓ Management should REGULARLY review the status of controls.
✓ Enforce “User Contracts” (Code of Conduct).
✓ Establish effective authorization approval.
✓ Establish an internal review process.
✓ Internal Audit Reviews.
Step 9 – Evaluate Policy Effectiveness
✓ Evaluate
✓ Document
✓ Report
Step 10 – Modify the Policy
Policies must be modified due to:
✓ New Technology
✓ New Threats
✓ New or changed goals
13
 ✓ Organizational changes
✓ Changes in the Law
✓ Ineffectiveness of the existing Policy

Approaches to Information Security Implementation

Bottom-Up Approach
✓ Grassroots effort -systems administrators drive
✓ Key advantage: technical expertise of individual administrators
✓ Seldom works
✓ Lacks number of critical features:
➢ Participant support
➢ Organizational staying power

Top Down Approach

✓ An alternative approach, which has a higher probability of success.
✓ Initiated by upper management who issue policy, procedures, and processes; dictate the
goals and expected outcomes of the project; and determine who is accountable for each of
the required actions.
✓ Has strong upper-management support, a dedicated champion, dedicated funding, clear
planning, and the opportunity to influence organizational culture.
✓ Also involves a formal development strategy referred to as a systems development life
cycle.

Approaches to Information Security Implementation: see the direction of the left and right side
arrows to show where planning is sourced and from which direction the pressure for success is
driven.

14
The Security Systems Development Life Cycle

✓ The same phases used in traditional SDLC

✓ Need to be adapted to support implementation of an IS project
✓ Security SDLC is a coherent program not series of random, seemingly unconnected
actions:
➢ Investigation,
➢ Analysis,
➢ design (logical and physical),
➢ Implementation, and
➢ Maintenance and change

Investigation
✓ Begins with a directive from upper management, dictating the process, outcomes, and
goals of the project, as well as the constraints placed on the activity.
✓ Teams of responsible managers, employees, and contractors are organized, problems
are analyzed, and scope is defined.
✓ Finally, an organizational feasibility analysis is performed to determine whether the
organization has the resources and commitment necessary to conduct a successful
security analysis and design.

Analysis
✓ The documents from the investigation phase are studied
✓ A preliminary analysis of existing security policies or programs, along with
documented current threats and associated controls is conducted.
✓ An analysis of relevant legal issues that could impact the design of the security solution
made.
✓ The risk management task – identifying, assessing and evaluating the levels of risk
facing the organization – also begins in this stage.

Logical Design
✓ Creates and develops the blueprints for security, and it examines and implements key
policies that influence later decisions
✓ Incident response actions planned to be taken in the event of partial or catastrophic loss:
continuity planning, incident response and disaster recovery
✓ Feasibility analysis to determine whether project should be continued or outsourced.

15
Physical Design
✓ The security technology needed to support the blueprint outlined in the logical design is
evaluated, alternative solutions are generated, and a final design is agreed upon.
✓ The security blueprint may be revisited to keep it synchronized with the changes needed
when the physical design is completed.
✓ Criteria needed to determine the definition of successful solutions is also prepared.
✓ The designs for physical security measures to support the proposed technological
solutions also made.
✓ A feasibility study to determine the readiness of the organization for the proposed project
done.
✓ The design is presented to champion and users.

Implementation
✓ Security solutions are acquired, tested, implemented, and tested again.
✓ Personnel issues evaluated; specific training and education programs conducted.
✓ Entire tested package is presented to management for final approval.

Maintenance and Change

✓ Perhaps the most important phase, given the everchanging threat environment.
✓ Often, repairing damage and restoring information is a constant duel with an unseen
adversary.
✓ Information security profile of an organization requires constant adaptation as new
threats emerge and old threats evolve.

IS security professionals in an organization

✓ It takes the top management and a wide range of professionals to support a diverse
information security program.
✓ To develop and execute specific security policies and procedures, additional administrative
support and technical expertise is required.
✓ Chief Information Officer (CIO), Vice President of Information, VP of Information
Technology, and VP of Systems, is primarily responsible for advising the Chief Executive
Officer, President, or company owner on the strategic planning that affects the management
of information in the organization.

Information Security Project Team

✓ The champion: A senior executive who promotes the project and ensures its support, both
financially and administratively, at the highest levels of the organization.
✓ The team leader: A project manager, who may be a departmental line manager or
staff unit manager, who understands project management, personnel management, and
information security technical requirements.

16
✓ Security policy developers: Individuals who understand the organizational culture,
policies, and requirements for developing and implementing successful policies.
✓ Risk assessment specialists: People who understand financial risk assessment techniques,
the value of organizational assets, and the security methods to be used.
✓ Security professionals: Dedicated, trained, and well-educated specialists in all aspects of
information security from both technical and nontechnical standpoints.
✓ Systems administrators: People with the primary responsibility for administering the
systems that house the information used by the organization.
✓ End users: Those whom the new system will most directly impact. Ideally, a selection of
users from various departments, levels, and degrees of technical knowledge assist the team
in focusing on the application of realistic controls applied in ways that do not disrupt the
essential business activities they seek to safeguard.

17