Information System Security 2


INFORMATION SYSTEM SECURITY (Prepared by Ms. Mjema)
Information system security is protecting information (data) and information
systems from unauthorized access, use, disclosure, disruption, modification, or
destruction.
Information Security management is a process of defining the security controls
in order to protect the information assets.
Analysts should be involved with the security of database and network systems.
Security responsibility covers a number of areas.
The primary involvement is in application security, which includes access security,
data security, and functional screen security.
 Access security- regulates who is authorized to use an application.
 Data security - covers transaction data and stored data across the
Web system, and how to validate and secure it.
 Functional screen security- involves determining what features and
functions are made available to which users within an application.
In addition, the analyst must also participate in network design decisions and
decisions about what hardware and operating system conventions should be
implemented to help protect the systems from vulnerabilities in browsers, servers,
protocols, and firewalls.

The security measures an organisation must take to ensure its information systems are
secure are built on the security triad: Confidentiality, Integrity and Availability.
Confidentiality
Confidentiality means protecting information and information systems from unauthorized access.
An organisation should be able to restrict access to those who are allowed to access
the information or information system; everyone else should be denied
access. This is the essence of confidentiality. For example, for systems which are
centralized and deployed in a network environment in a special room called a server
room or data centre, access to the room/centre should be restricted to
authorized users only in order to protect those systems.
Integrity
Integrity is the assurance that the information being accessed has not been altered
and truly represents what is intended. Just as a person with integrity means what he
or she says and can be trusted to consistently represent the truth, information
integrity means information truly represents its intended meaning. Information can
lose its integrity through malicious intent, such as when someone who is not
authorized makes a change to intentionally misrepresent something. An example of
this would be when a hacker is hired to go into the university’s system and change a
grade.
Integrity can also be lost unintentionally, such as when a computer power flow
corrupts a file or someone authorized to make a change accidentally deletes a file or
enters incorrect information.
Availability
Information availability is the third part of the CIA triad. Availability means that
information can be accessed and modified by anyone authorized to do so in an
appropriate timeframe. Depending on the type of information, appropriate timeframe
can mean different things. For example, consider a banking system for depositing and
withdrawing money inside a bank, where a banker performs transactions for customers.
This kind of system is required to be up and running for a certain time, perhaps from
8:30 AM to 04:30 PM depending on the working hours of the specific bank, so it is
expected to be off at 04:30 PM. In contrast, when the same banking system for
depositing and withdrawing money is offered through ATMs, it is supposed to be
up and running, and therefore available, all the time (24/7).
To ensure the confidentiality, integrity, and availability of information, organizations
can choose from a variety of tools or security controls.
1. Authentication
The most common way to identify someone is through their physical appearance,
but how do we identify someone sitting behind a computer screen or at the ATM?
Tools for authentication are used to ensure that the person accessing the
information is, indeed, who they present themselves to be.
Authentication can be accomplished by identifying someone through one or more of
three factors:
 something they know
 something they have
 something they are.
For example, the most common form of authentication today is the user ID and
password.
 In this case, the authentication is done by confirming something that the user
knows (their ID and password). But this form of authentication is easy to
compromise (see sidebar) and stronger forms of authentication are
sometimes needed.
 The second factor identifies someone by something they have, such as a key or a card.
 The final factor, something you are, is much harder to compromise. This
factor identifies a user through the use of a physical characteristic, such as an
eye-scan or fingerprint. Identifying someone through their physical
characteristics is called biometrics.
2. Access Control
Once a user has been authenticated, the next step is to ensure that they can only
access the information resources that are appropriate. This is done through the use
of access control. Access control determines which users are authorized to read,
modify, add, and/or delete information.
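The two steps described above, authentication by something the user knows followed by access control, shown as an added Python example that is not part of the original notes. The user IDs, passwords, roles, the "grades" resource and the PBKDF2 iteration count are all assumptions made for the illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed value)

# Constructed access-control table: role -> actions allowed on the grades records.
PERMISSIONS = {
    "lecturer": {"read", "modify", "add"},
    "student": {"read"},
}

USERS = {}                     # user ID -> (salt, password hash, role)
_DUMMY_SALT = os.urandom(16)   # used so unknown IDs cost the same work as known ones


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def enroll(user_id, password, role):
    """Store a salted hash of the password, never the password itself."""
    salt = os.urandom(16)
    USERS[user_id] = (salt, _hash(password, salt), role)


def authenticate(user_id, password):
    """Step 1: return the user's role if ID and password match, else None."""
    salt, stored, role = USERS.get(user_id, (_DUMMY_SALT, b"", None))
    candidate = _hash(password, salt)  # computed even when the ID is unknown
    if role is not None and hmac.compare_digest(candidate, stored):
        return role
    return None


def is_allowed(role, action):
    """Step 2: default deny; only actions listed for the role are permitted."""
    return action in PERMISSIONS.get(role, set())


def request(user_id, password, action):
    role = authenticate(user_id, password)
    if role is None:
        return "authentication failed"  # same answer for bad ID and bad password
    return "allowed" if is_allowed(role, action) else "denied"


# Constructed sample accounts.
enroll("student01", "correct horse battery", "student")
enroll("lecturer01", "separate long passphrase", "lecturer")
```

An authenticated student can read a grade but cannot modify one, and nobody in this table can delete, because no role was granted that action.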
3. Encryption
Many times, an organization needs to transmit information over the Internet or
transfer it on external media such as a CD or flash drive. In these cases, even with
proper authentication and access control, it is possible for an unauthorized person to
get access to the data.
Encryption is a process of encoding data upon its transmission or storage so that
only authorized individuals can read it.
This encoding is accomplished by a computer program, which encodes the plain text
that needs to be transmitted; then the recipient receives the encrypted text and
decodes it (decryption). In order for this to work, the sender and receiver need to
agree on the method of encoding so that both parties can communicate properly.
Both parties share the encryption key, enabling them to encode and decode each
other’s messages. This is called symmetric key encryption. This type of
encryption is problematic because the key is available in two different places.
An alternative to symmetric key encryption is public key encryption.
Public key encryption means two keys are used, a public key and a
private key, to send an encrypted message. The sender obtains the recipient's
public key, encodes the message with it and sends it. The recipient then uses the
private key to decode it.
The public key can be given to anyone who wishes to send the recipient a
message. Each user simply needs one private key and one public key in order
to secure messages. The private key is necessary in order to decrypt something sent
with the public key.
4. Backups
Another essential tool for information security is a comprehensive backup plan for
the entire organization. Not only should the data on the corporate servers be backed
up, but individual computers used throughout the organization should also be
backed up. A good backup plan should consist of several components.
 Regular backups of all data
The frequency of backups should be based on how important the data is to the
company, combined with the ability of the company to replace any data that is
lost. Critical data should be backed up daily, while less critical data could be
backed up weekly.
 Offsite storage of backup data sets
If all of the backup data is being stored in the same facility as the original copies
of the data, then a single event, such as an earthquake, fire, or tornado, would
take out both the original data and the backup! It is essential that part of the
backup plan is to store the data in an offsite location.
 Test of data restoration
On a regular basis, the backups should be put to the test by having some of the
data restored. This will ensure that the process is working and will give the
organization confidence in the backup plan.
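A restoration test can be automated by recording a checksum of every file at backup time and comparing it with what actually comes back out of the archive. The Python sketch below is an added example, not part of the original notes; the file names and contents are constructed sample data and the function names are hypothetical.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def digest_tree(root):
    """Map each file's relative path to the SHA-256 of its contents."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(source, archive):
    """Archive every file under source; return the manifest recorded at backup time."""
    manifest = digest_tree(source)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(Path(source) / rel, arcname=rel)
    return manifest


def verify_restore(archive, manifest):
    """Restore into a scratch directory; list files that are missing or changed."""
    # Use the safe extraction filter where this Python version provides it.
    extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            tar.extractall(scratch, **extra)
        restored = digest_tree(scratch)
    return sorted(f for f in manifest if restored.get(f) != manifest[f])


def restore_drill_demo():
    """Constructed data: one good backup, one whose contents no longer match."""
    with tempfile.TemporaryDirectory() as work:
        source = Path(work, "data")
        (source / "accounts").mkdir(parents=True)
        (source / "accounts" / "ledger.csv").write_text("id,balance\n1,500\n")
        (source / "readme.txt").write_text("constructed sample file\n")
        manifest = make_backup(source, Path(work, "good.tar.gz"))
        good = verify_restore(Path(work, "good.tar.gz"), manifest)
        # Simulate a damaged backup set: the archived ledger differs from the manifest.
        (source / "accounts" / "ledger.csv").write_text("id,balance\n1,0\n")
        make_backup(source, Path(work, "bad.tar.gz"))
        bad = verify_restore(Path(work, "bad.tar.gz"), manifest)
    return good, bad
```

An empty list means every file restored exactly as it was recorded; any path in the list is a file the backup could not reproduce.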

5. Firewalls
Another method that an organization should use to increase security on its network
is a firewall. A firewall can exist as hardware or software (or both).
 Hardware firewall- is a device that is connected to the network and filters
the packets based on a set of rules.
 Software firewall- runs on the operating system and intercepts packets as
they arrive to a computer.
A firewall protects all company servers and computers by stopping packets from
outside the organization’s network that do not meet a strict set of criteria. A firewall
may also be configured to restrict the flow of packets leaving the organization. This
may be done to eliminate the possibility of employees watching YouTube videos or
using social media from a company computer.
Demonstration of firewall
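The rule-based filtering described above can be modelled in a few lines. This is an added Python example, not part of the original notes: the rule set and the addresses (taken from the documentation ranges) are constructed, and real firewalls match on more fields than the three used here.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    direction: str        # "in" = arriving from outside, "out" = leaving
    remote: str           # CIDR block of the host outside the organisation
    port: Optional[int]   # destination port; None matches any port

    def matches(self, direction, remote_ip, port):
        return (self.direction == direction
                and ipaddress.ip_address(remote_ip) in ipaddress.ip_network(self.remote)
                and self.port in (None, port))


# Constructed rule set.
RULES = [
    Rule("allow", "in", "0.0.0.0/0", 443),        # public HTTPS to the web server
    Rule("allow", "in", "203.0.113.0/24", 22),    # SSH only from the admin network
    Rule("deny", "out", "198.51.100.0/24", 443),  # video site blocked for staff
    Rule("allow", "out", "0.0.0.0/0", 443),       # all other outbound HTTPS
]


def filter_packet(direction, remote_ip, port, rules=RULES):
    """First matching rule wins; anything unmatched is dropped (default deny)."""
    for rule in rules:
        if rule.matches(direction, remote_ip, port):
            return rule.action
    return "deny"


def shadowed(rules):
    """Rules that can never fire because an earlier rule covers all their packets."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier.direction == later.direction
                    and ipaddress.ip_network(later.remote).subnet_of(
                        ipaddress.ip_network(earlier.remote))
                    and earlier.port in (None, later.port)):
                found.append(later)
                break
    return found
```

Rule order matters: if the outbound deny rule is placed after the general outbound allow rule, it never takes effect, which is what `shadowed` reports when auditing a rule set.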
6. Virtual Private Networks
Using firewalls and other security technologies, organizations can effectively protect
many of their information resources by making them invisible to the outside world.
But what if an employee working from home requires access to some of these
resources? What if a consultant is hired who needs to do work on the internal
corporate network from a remote location? In these cases, a virtual private network
(VPN) is needed.
A VPN allows a user who is outside of an organisation's network to bypass
the firewall and access the internal network from the outside. Through a
combination of software and security measures, this lets an organization allow
limited access to its networks while at the same time ensuring overall security.

Definition of VPN (Virtual Private Network)

A VPN extends a private network across a public network, and enables users to send
and receive data across shared or public networks as if their computing devices were
directly connected to the private network. Applications running on a computing
device.
Demonstration of VPN
Administrative controls include:
 Developing and publishing of policies, standards, procedures, and guidelines.
 Screening of personnel.
 Conducting security-awareness training.
Security Policies, Procedures, Standards, Guidelines, and Baselines
Policies
A security policy is an overall general statement produced by senior management (or
a selected policy board or committee) that dictates what role security plays within
the organization.

A well-designed policy should address the following;


 What is being secured? - Typically, an asset.
 Who is expected to comply with the policy? - Typically, employees.
 Where is the vulnerability, threat or risk? - Typically, an issue of integrity or
responsibility.
Standards
Standards refer to mandatory activities, actions, rules, or regulations.
Standards can give a policy its support and reinforcement in direction.
Standards could be internal, or externally mandated (government laws and
regulations).
Procedures
Procedures are detailed step-by-step tasks that should be performed to achieve a
certain goal.
Example; a procedure can be written on how to install operating systems, configure
security mechanisms, implement access control lists, set up new user accounts,
assign computer privileges, audit activities, destroy material, report incidents, and
much more.
 Procedures are considered the lowest level in the policy chain because they
are closest to the computers and users (compared to policies) and provide
detailed steps for configuration and installation issues.
 Procedures spell out how the policy, standards, and guidelines will actually be
implemented in an operating environment.
 If a policy states that all individuals who access confidential information must
be properly authenticated, the supporting procedures will explain the steps
for this to happen by defining the access criteria for authorization, how access
control mechanisms are implemented and configured, and how access
activities are audited.
Guidelines
Guidelines are recommended actions and operational guides to users, IT staff,
operations staff, and others when a specific standard does not apply.
Guidelines can deal with the methodologies of technology, personnel, or physical
security.
Web Security
Web systems need to provide security architectures similar to those of any network
system. But Web services are designed somewhat differently from those of regular
Internet networks. Specifically, Web systems require verification of who is ordering
goods and paying for them and have an overall need to maintain confidentiality.
Finally, the issue of availability and accountability of Web systems to generate
revenues and services to customers and consumers goes well beyond the general
information services offered by traditional public Internet systems.
Internet usage has grown drastically compared with the beginning, when the internet was
invented in 1990. The result of this increase is that users will be downloading and
executing programs from within their own Web browser applications. In many cases,
users will not even be aware that they are receiving programs from another Web
server. Since the frequency of downloading software has risen, analysts need to
ensure that applications operating over the Internet are secure and not vulnerable to
problems associated with automatic installation of active content programs.
Furthermore, analysts need to participate in deciding whether the Web system will
provide active content to its users. This means that user systems, especially external
ones, may have safeguards against downloading active content on their respective
network systems.
Examples of Web Security Needs
This example demonstrates the crucial importance of confidentiality, integrity and
availability in application security. Suppose a company is engaged in the process of
selling goods. In this scenario, a consumer will come to the Web site and examine
the goods being offered, eventually deciding to purchase a product offering. The
consumer will order the product by submitting a credit card number. Below are the
security requirements for the applications.
• Confidentiality: The application must ensure that the credit card number is kept
confidential.
• Integrity: The system will need to ensure that the correct goods and prices are
charged to the consumer. Furthermore, the Web system must validate that the
correct goods are shipped within the time frame requested on the order (if one is
provided).
A second example of Web security entails a company providing information on books
and journals. The information is shared with customers who subscribe to the service.
• Confidentiality: In this example there is no credit card, but customer information
must be kept confidential because customers need to sign on to the system.
• Integrity: The system needs to ensure that the correct information is returned to
the customer based on the query for data. The system must also provide
authentication and identification of the customer who is attempting to use the
system.
Availability
Availability is at the heart of security issues for Web systems. Plain and simple: if the
site is not available there is no business. Web systems that are not available begin to
impact consumer and customer confidence, which eventually affect business
performance.
The first step in ensuring availability is to understand exactly what expectations the
user community has for the site’s availability. Recall that the user community
consists of two types of users: internal users and customers.
There are two issues of availability that must be addressed with customers:
1. Service: analysts need to know how often customers expect the service to be
available. It is easy to assume “all the time,” but this may not be practical for many
sites. For example, banks often have certain hours during which on-line banking is
not available because the file systems are being updated. In such a case, it is the
users’ expectations that should receive the analyst’s attention. It matters little what
the organization feels is a fair downtime in service; analysts must respond to the
requirements of the user base. Just having the Web site available is only one part of
the system. Analysts must be aware that all of the other components will also need
to be available to assist in the complete processing of the order.
2. The issue of availability is linked to order fulfilment, at least in the minds of
customers. Failure to have product available can quickly erode consumer and client
confidence. For example, some online companies have failed and closed because they
failed to fulfil orders at various times, especially Christmas or any other peak season.
Once a company earns a reputation for not fulfilling orders, that reputation can be
difficult to change.
Web Application Security
If Web systems are to be secure, the analyst must start by establishing a method of
creating application security. Because Web systems are built with the help of
object-oriented development, software applications are often referred to as software
components. These software components can reside in a number of different places
on the network and provide different services as follows:
• Web Client Software.
• Data Transactions.
• Web Server Software.
Web Client Software Security
Communications security for Web applications covers the security of information that
is sent between the user’s computer (client) and the Web server. This information
might include sensitive data such as credit card data, or confidential data that is sent
in a file format. Most important, however, is the authentication of what is being sent
and the ability of the applications to protect against malicious data that can hurt the
system. The advent of executable content applications that are embedded in Web
pages has created many security risks. These executable components allow
programs to be dynamically loaded and run on a local workstation or client
computer.
Security measures for Web client software
Authentication: A Way of Establishing Trust in Software Components
Authentication provides a means of dealing with illegal intrusion or untrustworthy
software. When dealing with authentication, the analyst must focus on the type of
middleware component architecture being used.
The security issues relate both to the author of the system, which entails
protecting the Web system from receiving malicious software from a client, and to the
spreading of problem software to users. In summary, the most important issues for
the analyst to understand are:
1. How internal users might obtain malicious software within the network domain.
2. How users through the Web software might return something inadvertently.
3. The challenge of what application technologies have to offer to users
that might not be accepted through their standard configurations (like turning off
JavaScript).
4. What dangers there are to providing active content because the system might
become infected and thus be a carrier of viruses and other damaging software to its
most valued entity, its external users.
Securing Data Transactions
This section focuses on security issues related to protecting the data transaction.
The data transaction is perhaps the most important component of the Web system.
Data transaction protection is implemented using various protocols such as
encryption and authentication. Furthermore, there are protocols that operate only on
certain types of transactions, such as payments. The issue of securing data
transactions is complex, and this section will provide the types of protocols available
and how analysts can choose the most appropriate data security protocol to fit the
needs of the application they are designing.
Securing the Web Server
The security issues governing the Web server are multifaceted. The security
components include the Web server software, the databases, and the applications
that reside on them. They also include a middle layer that provides communication
between the tiered servers.
