Cyber Security

The document discusses different types of information systems including transaction processing systems, management information systems, decision support systems, executive information systems, enterprise resource planning systems, customer relationship management systems, knowledge management systems, geographic information systems, expert systems, and collaboration systems. It also covers the CIA triad model of information security including confidentiality, integrity, and availability.

Uploaded by siddhi.arora1109

An information system (IS) is an interconnected set of components used to collect, store,
process and transmit data and digital information. At its core, it is a collection of hardware,
software, data, people and processes that work together to transform raw data into useful
information.

Information systems can be categorized into several types based on their functions, scope,
and target users. Here are some common types of information systems:

1. Transaction Processing Systems (TPS): TPSs process and record transactions such as
sales, purchases, payments, and inventory movements. They facilitate the day-to-day
operations of an organization by ensuring accurate and timely processing of transactions.

2. Management Information Systems (MIS): MISs provide managers and decision-makers
with summarized, structured, and timely information to support planning, control, and
decision-making processes. They generate reports, dashboards, and analytics based on data
from various sources within the organization.

3. Decision Support Systems (DSS): DSSs assist managers and professionals in making
semi-structured and unstructured decisions by providing analytical tools, models, and
simulations. They integrate data from internal and external sources to support complex
decision-making processes.

4. Executive Information Systems (EIS): EISs are specialized information systems designed
to meet the strategic information needs of top executives and senior management. They
provide summarized, high-level information and key performance indicators (KPIs) to
support strategic planning and decision-making.

5. Enterprise Resource Planning (ERP) Systems: ERP systems integrate and automate core
business processes such as finance, human resources, supply chain management, and
manufacturing. They enable real-time visibility, standardization, and coordination of business
activities across departments and functions.

6. Customer Relationship Management (CRM) Systems: CRM systems manage
interactions and relationships with customers, prospects, and stakeholders throughout the
customer lifecycle. They store customer data, track sales leads, manage marketing campaigns,
and support customer service activities.

7. Knowledge Management Systems (KMS): KMSs capture, organize, and disseminate
knowledge and expertise within an organization. They facilitate knowledge creation, sharing,
and collaboration among employees to enhance organizational learning and innovation.

8. Geographic Information Systems (GIS): GISs capture, store, analyze, and visualize
spatial and geographic data to support decision-making in areas such as urban planning,
environmental management, and resource allocation.

9. Expert Systems (ES): ESs emulate the decision-making abilities of human experts in
specific domains by incorporating expert knowledge and rules into a computer-based system.
They provide advice, recommendations, and problem-solving capabilities to users.

10. Collaboration Systems: Collaboration systems enable communication, coordination, and
collaboration among individuals and groups within an organization. They include tools such
as email, instant messaging, video conferencing, document sharing, and project management
platforms.

Each type of information system serves specific organizational needs and functions,
contributing to operational efficiency, strategic planning, and competitive advantage.
Organizations often integrate multiple information systems to support various business
processes and objectives.

When talking about network security, the CIA triad is one of the most important models. It
is designed to guide information security policy within an organization.

CIA stands for:

Confidentiality
Integrity
Availability

These are the objectives that should be kept in mind while securing a network.

Confidentiality

Confidentiality means that only authorized individuals or systems can view sensitive or
classified information. Data sent over the network should not be readable by unauthorized
parties. An attacker may capture traffic with freely available tools and so gain access to your
information. The primary defence is encryption: even if the attacker captures the data, he or
she cannot decrypt it without the key. AES (Advanced Encryption Standard) is the current
standard. DES (Data Encryption Standard) is obsolete: its 56-bit key can be brute-forced with
modest hardware, so it should not be used in new systems. Another way to protect data in
transit is a VPN (Virtual Private Network) tunnel, which encrypts all traffic between two
endpoints so that it can cross an untrusted network securely.

Integrity

The next property is integrity: making sure that data has not been modified. Corruption of
data is a failure to maintain data integrity. To check whether data has been modified, we use
a cryptographic hash function.

Two common families are SHA (Secure Hash Algorithm) and MD5 (Message Digest 5). MD5
produces a 128-bit hash and SHA-1 a 160-bit hash. Other SHA variants are SHA-0, SHA-2
(SHA-256, SHA-512) and SHA-3. MD5 and SHA-1 are broken for collision resistance and
SHA-0 was withdrawn, so new designs should use SHA-2 or SHA-3.

Let's assume Host A wants to send data to Host B and preserve its integrity. A hash function
is run over the data and produces a fixed-length hash value H1, which is attached to the data.
When Host B receives the packet, it runs the same hash function over the data, giving a hash
value H2. If H1 = H2, the data was not modified in transit.

Note the limit of this scheme: a bare hash only detects accidental corruption. An attacker who
can modify the data in transit can just as easily recompute the hash, so H1 = H2 still holds.
To detect deliberate tampering the hash must be bound to a secret the attacker lacks, either a
keyed MAC such as HMAC-SHA256 (shared key) or a digital signature (sender's private key).

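The H1 = H2 check above, and the reason it is not enough on its own, as an added example not taken from the original document. Both the data and the shared key are constructed sample values; in practice the key would be random and distributed securely to Host A and Host B. The comparison uses a constant-time equality check so that an attacker cannot learn the expected value byte by byte from timing.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Digest is the H1/H2 step from the text: SHA-256 over the data.
func Digest(data []byte) []byte {
	h := sha256.Sum256(data)
	return h[:]
}

// DigestHex returns the digest as a hex string, as it would be printed or logged.
func DigestHex(data []byte) string {
	return hex.EncodeToString(Digest(data))
}

// CheckDigest is what Host B does: recompute and compare with the received H1.
func CheckDigest(data, received []byte) bool {
	return hmac.Equal(Digest(data), received) // constant-time compare
}

// Tag computes HMAC-SHA256 under a key shared only by Host A and Host B.
func Tag(key, data []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(data)
	return m.Sum(nil)
}

// CheckTag recomputes the tag and compares it in constant time.
func CheckTag(key, data, received []byte) bool {
	return hmac.Equal(Tag(key, data), received)
}

func main() {
	data := []byte("transfer 100 to account 42")             // constructed sample
	key := []byte("shared-secret-known-only-to-A-and-B")    // constructed; use random bytes in practice

	// 1. A plain hash detects accidental corruption (one digit flipped in transit)...
	h1 := Digest(data)
	corrupted := []byte("transfer 100 to account 43")
	fmt.Println("plain hash, corrupted data:      ", CheckDigest(corrupted, h1))

	// 2. ...but not an attacker who rewrites the data AND recomputes the hash.
	forged := []byte("transfer 900 to account 99")
	fmt.Println("plain hash, attacker recomputed: ", CheckDigest(forged, Digest(forged)))

	// 3. With an HMAC the attacker cannot produce a valid tag without the key.
	t1 := Tag(key, data)
	fmt.Println("hmac, genuine message:           ", CheckTag(key, data, t1))
	fmt.Println("hmac, forged with guessed key:   ", CheckTag(key, forged, Tag([]byte("guess"), forged)))
	fmt.Println("sha256(data) =", DigestHex(data))
}
```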
Availability

This means that systems and data should be readily available to authorized users when they
need them. To ensure availability, the network administrator should maintain hardware, apply
regular upgrades, have a fail-over plan, and prevent bottlenecks in the network. Attacks such
as DoS or DDoS can render a network unavailable by exhausting its resources (bandwidth,
connection tables, CPU, memory). The impact can be significant for companies and users who
rely on the network as a business tool, so measures such as per-client rate limiting, capacity
headroom, upstream traffic filtering and redundant paths should be in place before such an
attack happens.

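Rate limiting is the simplest of those measures to show in code. The following is an added example, not part of the original document: a per-client token bucket that lets each client burst a few requests and then holds it to a steady rate, so one flooding source cannot starve the others. The client addresses and the traffic pattern are constructed; the bucket parameters are illustrative.

```go
package main

import (
	"fmt"
	"time"
)

// Bucket is one client's token bucket: up to `burst` requests at once,
// then refilled at `rate` tokens per second.
type Bucket struct {
	tokens float64
	burst  float64
	rate   float64
	last   time.Time
}

func NewBucket(burst int, rate float64, now time.Time) *Bucket {
	return &Bucket{tokens: float64(burst), burst: float64(burst), rate: rate, last: now}
}

// Allow reports whether a request arriving at `now` may proceed.
// Time is passed in rather than read from the clock so the logic is testable.
func (b *Bucket) Allow(now time.Time) bool {
	if elapsed := now.Sub(b.last).Seconds(); elapsed > 0 {
		b.tokens += elapsed * b.rate
		if b.tokens > b.burst {
			b.tokens = b.burst
		}
		b.last = now
	}
	if b.tokens < 1 {
		return false
	}
	b.tokens--
	return true
}

// Limiter keeps one bucket per client (for example per source IP).
// A production version must bound the map size, otherwise the map itself
// becomes the resource an attacker exhausts.
type Limiter struct {
	burst   int
	rate    float64
	clients map[string]*Bucket
}

func NewLimiter(burst int, rate float64) *Limiter {
	return &Limiter{burst: burst, rate: rate, clients: map[string]*Bucket{}}
}

func (l *Limiter) Allow(client string, now time.Time) bool {
	b, ok := l.clients[client]
	if !ok {
		b = NewBucket(l.burst, l.rate, now)
		l.clients[client] = b
	}
	return b.Allow(now)
}

// Request is one constructed log record: who sent it and when.
type Request struct {
	Client string
	At     time.Time
}

// Simulate replays requests (in time order per client) and counts decisions.
func Simulate(l *Limiter, reqs []Request) (allowed, dropped map[string]int) {
	allowed, dropped = map[string]int{}, map[string]int{}
	for _, r := range reqs {
		if l.Allow(r.Client, r.At) {
			allowed[r.Client]++
		} else {
			dropped[r.Client]++
		}
	}
	return allowed, dropped
}

func main() {
	l := NewLimiter(5, 1.0) // each client: burst of 5, then 1 request per second
	start := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)

	// Constructed traffic: 10.0.0.9 floods 100 requests in one second while
	// 10.0.0.2 makes three ordinary requests a second apart.
	var reqs []Request
	for i := 0; i < 100; i++ {
		reqs = append(reqs, Request{"10.0.0.9", start.Add(time.Duration(i) * 10 * time.Millisecond)})
	}
	for i := 0; i < 3; i++ {
		reqs = append(reqs, Request{"10.0.0.2", start.Add(time.Duration(i) * time.Second)})
	}
	allowed, dropped := Simulate(l, reqs)
	for _, c := range []string{"10.0.0.9", "10.0.0.2"} {
		fmt.Printf("%-9s allowed=%3d dropped=%3d\n", c, allowed[c], dropped[c])
	}
}
```

A limiter like this protects a single server's resources; a volumetric DDoS that saturates the uplink has to be absorbed upstream, which is why the prose above lists capacity headroom and upstream filtering alongside it.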
Information security

Information security is the practice of protecting information by mitigating information risks.
It involves the protection of information systems and the information processed, stored and
transmitted by these systems from unauthorized access, use, disclosure, disruption, modification
or destruction. This includes the protection of personal information, financial information, and
sensitive or confidential information stored in both digital and physical forms. Effective
information security requires a comprehensive and multi-disciplinary approach, involving
people, processes, and technology.

Information security is not only about securing information from unauthorized access. It is
the practice of preventing unauthorized access, use, disclosure, disruption, modification,
inspection, recording or destruction of information. Information can be physical or electronic:
your profile on social media, the data on your mobile phone, your biometrics, and so on.
Information security therefore spans many research areas, such as cryptography, mobile
computing, digital forensics and online social media.

During the First World War, a multi-tier classification system was developed based on the
sensitivity of information. With the start of the Second World War the classification system was
formally aligned. In the same war Alan Turing and his colleagues at Bletchley Park, building on
earlier Polish work, broke the Enigma machine that the Germans used to encrypt military
communications.

Effective information security requires a comprehensive approach that considers all aspects
of the information environment, including technology, policies and procedures, and people. It
also requires ongoing monitoring, assessment, and adaptation to address emerging threats and
vulnerabilities.

Why we need information security

We use information security to protect valuable information assets from a wide range of
threats, including theft, espionage, and cybercrime. Information security is necessary to
ensure the confidentiality, integrity, and availability of information, whether it is stored
digitally or in other forms such as paper documents. Here are some key reasons why
information security is important:

Protecting sensitive information: Information security helps protect sensitive information
from being accessed, disclosed, or modified by unauthorized individuals. This includes
personal information, financial data, and trade secrets, as well as confidential government and
military information.

Mitigating risk: By implementing information security measures, organizations can mitigate
the risks associated with cyber threats and other security incidents. This includes minimizing
the risk of data breaches, denial-of-service attacks, and other malicious activities.

Compliance with regulations: Many industries and jurisdictions have specific regulations
governing the protection of sensitive information. Information security measures help ensure
compliance with these regulations, reducing the risk of fines and legal liability.

Protecting reputation: Security breaches can damage an organization’s reputation and lead to
lost business. Effective information security can help protect an organization’s reputation by
minimizing the risk of security incidents.

Ensuring business continuity: Information security helps ensure that critical business
functions can continue even in the event of a security incident. This includes maintaining
access to key systems and data, and minimizing the impact of any disruptions.

Information security programs are built around three objectives, commonly known as CIA:
Confidentiality, Integrity, Availability.

Confidentiality – means information is not disclosed to unauthorized individuals, entities or
processes. For example, I have a password for my Gmail account, but someone watched me
type it while I was logging in. My password has been compromised and confidentiality has
been breached.

Integrity – means maintaining the accuracy and completeness of data: data cannot be edited
in an unauthorized way. For example, if an employee leaves an organisation, that employee's
record in every department (accounts and so on) should be updated to the status JOB LEFT so
that the data stays complete and accurate. In addition, only authorized persons should be
allowed to edit employee data.

Availability – means information must be available when needed. For example, if a manager
needs to look up an employee's record to check whether the employee has exceeded their
leave allowance, the system holding that record must be up. Keeping it up requires
collaboration between organizational teams such as network operations, development
operations, incident response and policy/change management.

A denial-of-service attack is one factor that can hamper the availability of information.
Beyond the three CIA objectives, further principles govern information security programs.
The first is non-repudiation.

Non-repudiation – means that a party cannot deny having sent a message or performed a
transaction, and the recipient cannot deny having received it. In cryptography this is achieved
with a digital signature: if the message matches a signature produced with the sender's private
key, then the sender, the only holder of that key, must have sent it, and nobody could have
altered it in transit without invalidating the signature. Data integrity and authenticity are
prerequisites for non-repudiation, and so is sound key management: the private key must be
under the sender's sole control, otherwise the sender can plausibly claim someone else used it.

Authenticity – means verifying that users are who they claim to be and that each input arriving
at the destination comes from a trusted source. If this principle is followed, the receiver can be
sure that a genuine message arrived from a trusted source through a valid transmission.
Continuing the example above: the sender hashes the message, signs the hash with their
private key, and attaches the signature. The receiver hashes the received message again and
verifies the signature against that hash using the sender's public key. If the verification
succeeds, the transmission is valid and the message is authentic: it came from the key holder
and was not modified. (With RSA this verification step is often described as "decrypting" the
signature with the public key to recover the hash; with schemes such as ECDSA or Ed25519 it
is a dedicated verification operation, not a decryption.)
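The hash-then-sign exchange described under non-repudiation and authenticity, as an added example that is not part of the original document. It uses ECDSA over the P-256 curve with SHA-256 from Go's standard library; the key pairs are generated at run time, the message is constructed, and the names Alice (sender) and Mallory (an impostor) are illustrative. The three checks at the end show the three outcomes the text distinguishes: a genuine message, a message altered in transit, and a message signed by someone other than the claimed sender.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// NewKeyPair generates the sender's private key; its PublicKey field is what
// the receiver must already hold (obtained through a trusted channel).
func NewKeyPair() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Sign follows the text: hash the message, then sign the hash with the
// sender's private key. The result is a DER-encoded (r, s) pair.
func Sign(priv *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// Verify re-hashes the received message and checks the signature against
// that hash with the sender's public key. Only the private key holder could
// have produced a signature that passes.
func Verify(pub *ecdsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	alice, err := NewKeyPair()
	if err != nil {
		panic(err)
	}
	mallory, _ := NewKeyPair()

	msg := []byte("Transfer 500 to Bob. -- Alice") // constructed message
	sig, _ := Sign(alice, msg)
	forgedSig, _ := Sign(mallory, msg) // Mallory signs the same text with her own key

	fmt.Println("genuine message, Alice's signature:    ", Verify(&alice.PublicKey, msg, sig))
	fmt.Println("altered in transit, Alice's signature: ", Verify(&alice.PublicKey, []byte("Transfer 5000 to Bob. -- Alice"), sig))
	fmt.Println("genuine message, Mallory's signature:  ", Verify(&alice.PublicKey, msg, forgedSig))
}
```

Note that Verify proves only that the holder of the private key matching `pub` signed this exact message. Binding that public key to the person "Alice" is a separate problem (certificates, a web of trust, or an out-of-band exchange), and non-repudiation also depends on Alice alone having access to the private key.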

Accountability – means that it should be possible to trace the actions of an entity uniquely to
that entity. For example, as discussed under integrity, not every employee should be allowed
to change other employees' data. A separate department in the organization is responsible for
such changes. When it receives a change request, the request must be signed by a higher
authority (for example the Director of the college); the person assigned the change
authenticates, for example with their biometrics, before making it; and the timestamp together
with the details of the user making the change are recorded. If every change goes through this
process, each action can be traced uniquely to one entity.
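One way to implement the record that the accountability paragraph describes, as an added example that is not part of the original document. Each audit entry stores the actor (the identity verified at login), the approver who signed the request, the action, the target record and the timestamp. Chaining every entry to the hash of the previous one is a design choice added here, so that editing or deleting history is detectable; the actors, approver and events are constructed sample data following the text's HR scenario.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
	"time"
)

// Entry is one audit record: who did what to which record, when, approved by
// whom, plus the hash of the previous entry that ties it into the chain.
type Entry struct {
	Seq      int
	At       time.Time
	Actor    string // identity verified at login (the text's biometric check)
	Approver string // who signed the change request
	Action   string
	Target   string
	PrevHash string
	Hash     string
}

// AuditLog is an append-only list of chained entries.
type AuditLog struct {
	entries []Entry
}

var genesis = strings.Repeat("0", 64) // PrevHash of the very first entry

// payload is the canonical byte string that an entry's hash covers.
func (e Entry) payload() string {
	return fmt.Sprintf("%d|%s|%s|%s|%s|%s|%s",
		e.Seq, e.At.UTC().Format(time.RFC3339), e.Actor, e.Approver, e.Action, e.Target, e.PrevHash)
}

func hashEntry(e Entry) string {
	sum := sha256.Sum256([]byte(e.payload()))
	return hex.EncodeToString(sum[:])
}

// Record appends a new entry chained to the previous one.
func (l *AuditLog) Record(at time.Time, actor, approver, action, target string) Entry {
	prev := genesis
	if n := len(l.entries); n > 0 {
		prev = l.entries[n-1].Hash
	}
	e := Entry{Seq: len(l.entries), At: at, Actor: actor, Approver: approver,
		Action: action, Target: target, PrevHash: prev}
	e.Hash = hashEntry(e)
	l.entries = append(l.entries, e)
	return e
}

// Verify walks the chain and returns the index of the first entry whose
// sequence, link or hash is wrong, or -1 if the whole log is intact.
func (l *AuditLog) Verify() int {
	prev := genesis
	for i, e := range l.entries {
		if e.Seq != i || e.PrevHash != prev || hashEntry(e) != e.Hash {
			return i
		}
		prev = e.Hash
	}
	return -1
}

// ActionsBy answers the accountability question: what did this entity do?
func (l *AuditLog) ActionsBy(actor string) []Entry {
	var out []Entry
	for _, e := range l.entries {
		if e.Actor == actor {
			out = append(out, e)
		}
	}
	return out
}

func main() {
	var audit AuditLog
	t0 := time.Date(2024, 3, 1, 9, 0, 0, 0, time.UTC)
	// Constructed events following the text's HR example.
	audit.Record(t0, "hr.clerk.anita", "director", "set-status:JOB_LEFT", "employee/1042")
	audit.Record(t0.Add(2*time.Minute), "hr.clerk.anita", "director", "close-payroll", "employee/1042")
	audit.Record(t0.Add(5*time.Minute), "hr.clerk.ravi", "director", "update-address", "employee/2077")

	fmt.Println("chain intact, first bad index:", audit.Verify())
	for _, e := range audit.ActionsBy("hr.clerk.anita") {
		fmt.Printf("  %s %-20s %s\n", e.At.Format(time.RFC3339), e.Action, e.Target)
	}

	// Someone rewrites history to blame a colleague: the chain breaks at that entry.
	audit.entries[0].Actor = "hr.clerk.ravi"
	fmt.Println("after tampering, first bad index:", audit.Verify())
}
```

The chain only makes tampering visible; an attacker with write access to the whole log can recompute every hash after the edit. To make the record hold up, the head hash (or each entry) should be periodically signed or copied to storage the clerks cannot write to, such as a separate log server or WORM media.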

Advantages of implementing an information classification system in an organization's
information security program:

Improved security: By identifying and classifying sensitive information, organizations can
better protect their most critical assets from unauthorized access or disclosure.

Compliance: Many regulatory and industry standards, such as HIPAA and PCI DSS, require
organizations to implement information classification and data protection measures.

Improved efficiency: By clearly identifying and labeling information, employees can quickly
and easily determine the appropriate handling and access requirements for different types of
data.

Better risk management: By understanding the potential impact of a data breach or
unauthorized disclosure, organizations can prioritize resources and develop more effective
incident response plans.

Cost savings: By implementing appropriate security controls for different types of
information, organizations can avoid unnecessary spending on security measures that may not
be needed for less sensitive data.

Improved incident response: By having a clear understanding of the criticality of specific
data, organizations can respond to security incidents in a more effective and efficient manner.

There are some potential disadvantages to implementing an information classification system
in an organization's information security program:

Complexity: Developing and maintaining an information classification system can be
complex and time-consuming, especially for large organizations with a diverse range of data
types.

Cost: Implementing and maintaining an information classification system can be costly,
especially if it requires new hardware or software.

Resistance to change: Some employees may resist the implementation of an information
classification system, especially if it requires them to change their usual work habits.

Inaccurate classification: Information classification is usually done by humans, so some
information may be misclassified, which can lead to inadequate protection or unnecessary
restrictions on access.

Lack of flexibility: Information classification systems can be rigid and inflexible, making it
difficult to adapt to changing business needs or new types of data.

False sense of security: Implementing an information classification system may give
organizations a false sense of security, leading them to overlook other important security
controls and best practices.

Maintenance: Information classification must be reviewed and updated regularly; otherwise
it becomes outdated and ineffective.

Uses of Information Security:

Information security has many uses, including:

Confidentiality: Keeping sensitive information confidential and protected from unauthorized
access.

Integrity: Maintaining the accuracy and consistency of data, even in the presence of malicious
attacks.

Availability: Ensuring that authorized users have access to the information they need, when
they need it.

Compliance: Meeting regulatory and legal requirements, such as those related to data privacy
and protection.

Risk management: Identifying and mitigating potential security threats to prevent harm to the
organization.

Disaster recovery: Developing and implementing a plan to quickly recover from data loss or
system failures.

Authentication: Verifying the identity of users accessing information systems.

Encryption: Protecting sensitive information from unauthorized access by transforming it
under a key so that it is unreadable to anyone who does not hold that key.

Network security: Protecting computer networks from unauthorized access, theft, and other
types of attacks.

Physical security: Protecting information systems and the information they store from theft,
damage, or destruction by securing the physical facilities that house these systems.

Issues of Information Security:

Information security faces many challenges and issues, including:

Cyber threats: The increasing sophistication of cyber attacks, including malware, phishing,
and ransomware, makes it difficult to protect information systems and the information they
store.

Human error: People can inadvertently put information at risk through actions such as losing
laptops or smartphones, clicking on malicious links, or using weak passwords.

Insider threats: Employees with access to sensitive information can pose a risk if they
intentionally or unintentionally cause harm to the organization.

Legacy systems: Older information systems may not have the security features of newer
systems, making them more vulnerable to attack.

Complexity: The increasing complexity of information systems and the information they
store makes it difficult to secure them effectively.

Mobile and IoT devices: The growing number of mobile devices and internet of things (IoT)
devices creates new security challenges as they can be easily lost or stolen, and may have
weak security controls.

Integration with third-party systems: Integrating information systems with third-party
systems can introduce new security risks, as the third-party systems may have security
vulnerabilities.

Data privacy: Protecting personal and sensitive information from unauthorized access, use,
or disclosure is becoming increasingly important as data privacy regulations become more
strict.

Globalization: The increasing globalization of business makes it more difficult to secure
information, as data may be stored, processed, and transmitted across multiple countries with
different security requirements.
