Information Security and Assurance
Foundation of Information Security
Learning Objectives
At the end of the module the student is expected to:
1. Understand the importance of information security
2. Know the importance of prevention, detection and response
3. Understand the CIA triad and its importance to security
4. Understand the dilemma of computer security
5. Enumerate and understand the different US laws/acts under privacy
legislation
6. Understand the dimensions of computer security
Introduction
Information security is a process that moves through phases, building and
strengthening itself along the way. Computer security, also known as
cybersecurity or IT security, is the protection of information systems from
theft of or damage to the hardware, the software, and the information on
them, as well as from disruption or misdirection of the services they provide.
Security is about the protection of assets. A rough classification of protection
measures distinguishes between the following:
Prevention – taking measures that prevent your assets from being damaged;
Detection – taking measures that allow you to detect when an asset has been
damaged, how it has been damaged, and who has caused the damage;
Reaction / Response – taking measures that allow you to recover your
assets or to recover from damage to your assets.
Prevention
Make no mistake: organizations must prepare for cyber battles by sharpening
their skills. Information security professionals must continuously enhance
their capabilities by working smarter, not harder. It is always better to
prevent than to pursue and prosecute. Preventing an incident requires careful
analysis and planning.
Information is an asset that requires protection commensurate with its value.
Security measures must be taken to protect information from unauthorized
modification, destruction, or disclosure whether accidental or intentional.
Areas to consider
Security Policy:
The first objective in developing a prevention strategy is to determine “what”
must be protected and document these “whats” in a formal policy. The policy
must define the responsibilities of the organization, the employees and
management. It should also fix responsibility for implementation,
enforcement, audit and review.
Security Awareness:
Security awareness is a process that educates employees on the importance
of security, the use of security measures, reporting procedures for security
violations, and their responsibilities as outlined in the information security
policy. Security awareness programs should be used for this purpose. The
program should be a continuous process that maintains an awareness level
for all employees. It should be designed to address organization-wide issues
as well as more focused, specialized training needs, and should stress
teamwork and the importance of active participation. To motivate individuals,
a recognition process should be adopted that gives awards or rewards to
employees who follow good security practices.
Access Controls:
Access is the manner in which a user makes use of information systems to
obtain information. Naturally, not all users should be able to access all
systems and their information. Access should be restricted and granted on a
need-to-know basis: a user is given access to a data item only when their job
requires it, and everything not explicitly granted is denied.
Detection
Detection of a system compromise is critical. In today's ever-increasing threat
environment, no matter what level of protection a system has, it will be
compromised given a sufficient level of attacker motivation and skill. There is no
foolproof “silver bullet” security solution. A defense-in-depth strategy, with
several independent layers, should be deployed so that when a layer fails, it fails
safely to a known state and sounds an alarm. The most important element of this
strategy is timely detection and notification of a compromise. Intrusion detection
systems (IDS) are used for this purpose.
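As an added example (not part of the original course module), the following Python script shows the kind of logic an intrusion detection system applies to authentication logs: it counts failed logins per source address inside a sliding time window, raises an alarm when a threshold is exceeded, and raises a second, higher-priority alarm if a successful login from the same address follows that burst. The log lines, the sshd-style line format, and the threshold of five failures in sixty seconds are all constructed for this illustration.

```python
"""
Added example: brute-force login detection over auth-log lines.
Not part of the course module; sample log lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in the style of a Linux sshd auth log (not real data).
SAMPLE_LOG = """\
Mar 10 10:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 50211 ssh2
Mar 10 10:00:03 host sshd[1202]: Failed password for root from 203.0.113.5 port 50212 ssh2
Mar 10 10:00:04 host sshd[1203]: Accepted publickey for alice from 198.51.100.7 port 41000 ssh2
Mar 10 10:00:06 host sshd[1204]: Failed password for root from 203.0.113.5 port 50213 ssh2
Mar 10 10:00:07 host sshd[1205]: Failed password for root from 203.0.113.5 port 50214 ssh2
Mar 10 10:00:09 host sshd[1206]: Failed password for root from 203.0.113.5 port 50215 ssh2
Mar 10 10:00:30 host sshd[1207]: Failed password for bob from 198.51.100.7 port 41001 ssh2
Mar 10 10:05:00 host sshd[1208]: Accepted password for root from 203.0.113.5 port 50216 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse_line(line, year=2024):
    """Return (timestamp, result, user, ip), or None for lines the detector ignores.
    Syslog timestamps carry no year, so one is supplied (assumption for the demo)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Alert once when a source IP reaches `threshold` failures inside `window`,
    and again if that IP later logs in successfully (the case that matters most)."""
    failures = defaultdict(list)   # ip -> timestamps of recent failures
    flagged = set()                # ips already alerted on
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, ip = parsed
        if result == "Failed":
            # Keep only failures inside the sliding window, then add this one.
            window_start = ts - window
            failures[ip] = [t for t in failures[ip] if t >= window_start] + [ts]
            if len(failures[ip]) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("BRUTE_FORCE", ip, len(failures[ip])))
        elif result == "Accepted" and ip in flagged:
            alerts.append(("SUCCESS_AFTER_BRUTE_FORCE", ip, user))
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

The second alert type is the one an incident responder wants paged on: a burst of failures alone may be a misconfigured script, but a success after a burst means the attacker is probably in, and the response plan described in the next section should start immediately.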
Reaction / Response
For the detection process to have any value there must be a timely response. The
response to an incident should be planned well in advance: making important
decisions or developing policy while under attack is a recipe for disaster. Many
organizations spend a tremendous amount of money and time preparing for disasters
such as tornadoes, earthquakes, fires and floods. The fact is, the chance that a
computer security incident will occur is greater than for any one of these
scenarios. Equivalent, if not more, effort and resources should be expended on a
computer security incident response plan.
Example: consider how the three kinds of measure apply to protecting a house.
Prevention: locks on doors, window bars, walls around the property.
Detection: noticing that items are missing, burglar alarms, closed-circuit TV.
Reaction: call the police, replace stolen items, make an insurance claim.
CIA Triad
Confidentiality, integrity and availability, also known as the CIA triad, is a
model designed to guide policies for information security within an
organization. The model is also sometimes referred to as the AIC triad
(availability, integrity and confidentiality) to avoid confusion with the Central
Intelligence Agency. The elements of the triad are considered the three most
crucial components of security.
Confidentiality is a set of rules that limits access to information; integrity is
the assurance that the information is trustworthy and accurate; and availability
is a guarantee of reliable access to the information by authorized people.
Confidentiality
Confidentiality is closely related to privacy. Confidentiality measures prevent
data from falling into the hands of people who are not authorized to access it.
In organizations that store large amounts of information, data may be classified
according to how detrimental its disclosure would be to the organization in the
case of a data breach. This classification can then direct the development of
varying levels of security.
Everyday examples of confidentiality measures include bank card PINs, routing
numbers on checks and email passwords. Two-factor authentication, which
combines two different kinds of factor, such as a password (something you
know) with a fingerprint (something you are) or a one-time code from a device
(something you have), is common in the professional world. Other aspects of
confidentiality include limiting how many places data is stored and how often
it is transmitted. Air-gapped computers, disconnected storage devices and
keeping only hard copies of documents are stronger forms of confidentiality
measure.
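As an added example (not part of the original course module), the following Python script shows a two-factor login check: the password factor is verified against a salted PBKDF2 hash (the plaintext password is never stored), and the second factor is a time-based one-time code generated by an authenticator device, computed as in RFC 4226 (HOTP) and RFC 6238 (TOTP). The user record, the password, and the TOTP secret (the RFC 6238 reference secret) are constructed for this illustration; both factors are always evaluated so that a failing password does not shorten the response time.

```python
"""
Added example: two-factor authentication with a hashed password and TOTP.
Not part of the course module; the user record below is constructed.
"""
import hashlib
import hmac
import os
import struct
import time


def hash_password(password: str, salt: bytes = None, iterations: int = 200_000):
    """Salted PBKDF2-HMAC-SHA256. Only (salt, digest, iterations) is stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest, iterations


def verify_password(password: str, salt: bytes, digest: bytes, iterations: int) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a `digits`-digit decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the 30-second time step."""
    return hotp(secret, at_time // step, digits)


def verify_totp(secret: bytes, code: str, at_time: int, step: int = 30, skew: int = 1) -> bool:
    """Accept the current step and `skew` neighbouring steps to tolerate clock drift."""
    counter = at_time // step
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-skew, skew + 1) if counter + d >= 0)


# Constructed user record (not real credentials). The TOTP secret is the
# RFC 6238 reference secret, chosen so the codes can be checked against the RFC.
TOTP_SECRET = b"12345678901234567890"
_salt, _digest, _iters = hash_password("correct horse battery staple")
USER_DB = {
    "alice": {"salt": _salt, "digest": _digest, "iterations": _iters,
              "totp_secret": TOTP_SECRET},
}


def login(username: str, password: str, code: str, at_time: int = None) -> bool:
    """Both factors must pass. Unknown users and wrong passwords get the same
    answer, and both checks run regardless of the first result."""
    at_time = int(time.time()) if at_time is None else at_time
    rec = USER_DB.get(username)
    if rec is None:
        return False
    pw_ok = verify_password(password, rec["salt"], rec["digest"], rec["iterations"])
    otp_ok = verify_totp(rec["totp_secret"], code, at_time)
    return pw_ok and otp_ok


if __name__ == "__main__":
    now = int(time.time())
    current_code = totp(TOTP_SECRET, now)
    print("login with both factors:", login("alice", "correct horse battery staple", current_code, now))
    print("login with password only:", login("alice", "correct horse battery staple", "000000", now))
```

A stolen password alone no longer suffices: the attacker also needs the secret held by the authenticator device, and the one-time code it produces changes every thirty seconds.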
Integrity
In the IT world, integrity is about making sure information is accurate and
stays that way. Common measures to protect integrity include file permissions
and version control to prevent accidental changes or deletion. Ensuring
integrity also requires protection against non-human errors such as server
crashes. Most importantly, information must be backed up to allow quick
recovery when disasters happen, and a backup is only useful if it can itself
be verified as unmodified.
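As an added example (not part of the original course module), the following Python script shows how an integrity check detects a modified record and how a verified backup is used to recover from it. It contrasts an unkeyed hash, which catches accidental corruption but not an attacker who can rewrite the hash along with the data, with a keyed HMAC tag, which the attacker cannot recompute without the key. The record, the tampering, and the key are constructed for this illustration; in a real system the key would live in a key management service or HSM rather than in source code.

```python
"""
Added example: tamper detection with HMAC and recovery from a verified backup.
Not part of the course module; the records and key are constructed.
"""
import hashlib
import hmac
import json

# Constructed demo key (assumption for the example; never keep a real key in code).
KEY = b"constructed-demo-key-do-not-use"


def canonical(record: dict) -> bytes:
    """Canonical JSON so that field order or whitespace cannot change the tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def plain_digest(record: dict) -> str:
    """Unkeyed SHA-256: catches accidental corruption (a crash, a bad disk) but
    not deliberate tampering, because whoever can rewrite the record can
    rewrite this digest as well."""
    return hashlib.sha256(canonical(record)).hexdigest()


def tag_record(key: bytes, record: dict) -> str:
    """Keyed HMAC-SHA256: a tamperer without the key cannot produce a valid tag."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify_record(key: bytes, record: dict, tag: str) -> bool:
    return hmac.compare_digest(tag_record(key, record), tag)   # constant-time compare


def store(key: bytes, record: dict) -> dict:
    return {"record": dict(record), "tag": tag_record(key, record)}


def load_with_recovery(key: bytes, primary: dict, backup: dict):
    """Return (record, source): the primary copy if its tag verifies, otherwise a
    verified backup; never hand back data whose integrity cannot be established."""
    if verify_record(key, primary["record"], primary["tag"]):
        return primary["record"], "primary"
    if verify_record(key, backup["record"], backup["tag"]):
        return backup["record"], "backup"
    raise ValueError("integrity check failed for both primary and backup")


# Constructed sample record and the attacker's modified version (not real data).
ORIGINAL = {"account": "ACC-1001", "balance": 250.0, "owner": "alice"}
TAMPERED = dict(ORIGINAL, balance=25000.0)


def simulate_tampering() -> dict:
    """Which protection notices an attacker who rewrites the record and whatever
    checksum sits next to it?"""
    # Unkeyed digest: the attacker recomputes it, so the check still passes.
    unkeyed_store = {"record": TAMPERED, "digest": plain_digest(TAMPERED)}
    unkeyed_caught = plain_digest(unkeyed_store["record"]) != unkeyed_store["digest"]
    # HMAC: the attacker has no key, so the stored tag still belongs to the original.
    keyed_store = store(KEY, ORIGINAL)
    keyed_store["record"] = TAMPERED
    hmac_caught = not verify_record(KEY, keyed_store["record"], keyed_store["tag"])
    return {"unkeyed_caught": unkeyed_caught, "hmac_caught": hmac_caught}


def recover_from_backup():
    """Tampered primary, intact backup: recovery returns the original record."""
    primary = store(KEY, ORIGINAL)
    backup = store(KEY, ORIGINAL)   # copy taken before the tampering
    primary["record"] = TAMPERED
    return load_with_recovery(KEY, primary, backup)


if __name__ == "__main__":
    print(simulate_tampering())
    print(recover_from_backup())
```

File permissions and version control make the modification harder to perform; the tag makes it impossible to perform silently, and the verified backup turns detection into recovery.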
Availability
Ensuring availability requires routine maintenance and upgrading of
hardware, software and operating system environments. Maintaining
adequate bandwidth to limit bottlenecks and developing a comprehensive
disaster recovery plan, which includes consideration of natural disasters like
floods and fires, is also necessary to ensure availability. Firewalls and proxy
servers are additional tools that fall under the umbrella of protecting
information availability.
Dilemma of computer security
As the number of users relying on computer security has grown from
a few organizations dealing with classified data to everyone connected to the
Internet, the requirements on computer security have changed radically.
Security-unaware users have specific security requirements but no security
expertise. A security-unaware user cannot make educated decisions about
security products and will have to pick standard “best practice” solutions.
Standard solutions may not address the user's specific requirements.
Data Privacy and Data Security
Data security is commonly understood as the confidentiality, availability and
integrity of data: all the practices and processes that are in place to ensure
data is not used or accessed by unauthorized individuals or parties. Data
security ensures that the data is accurate and reliable and is available when
those with authorized access need it.
Data privacy is suitably defined as the appropriate use of data. When
companies and merchants use data or information that is provided or
entrusted to them, the data should be used according to the agreed purposes.
Ways to secure data
• Locked servers
• Removable hard drives that are locked when not in use
• Hard disk drives requiring special tools for detachment
• Physical cages around computers that prohibit access
• Password-protected files
Privacy Legislation
Fair Credit Reporting Act – 1970
The Fair Credit Reporting Act (FCRA) is the act that regulates the collection
of credit information and access to your credit report. It was passed
in 1970 to ensure fairness, accuracy and privacy of the personal information
contained in the files of the credit reporting agencies.
Freedom of Information Act – 1966
The Freedom of Information Act (FOIA), enacted in 1966, is a federal freedom
of information law that allows for the full or partial disclosure of previously
unreleased information and documents controlled by the United States
government.
Federal Privacy Act – 1974
The Privacy Act of 1974, a United States federal law, establishes a Code of
Fair Information Practice that governs the collection, maintenance, use, and
dissemination of personally identifiable information about individuals that is
maintained in systems of records by federal agencies.
Video Privacy Protection Act – 1988
The Video Privacy Protection Act (VPPA) was a bill passed by the United
States Congress in 1988 and signed into law by President Ronald Reagan. It
was created to prevent what it refers to as “wrongful disclosure of video tape
rental or sale records” or of similar audiovisual materials, covering items such
as video games and the later DVD format.
Computer Matching and Privacy Protection Act – 1988
These provisions add procedural requirements for agencies to follow when
engaging in computer-matching activities, provide matching subjects with
opportunities to receive notice and to refute adverse information before
having a benefit denied or terminated, and require that agencies engaged in
matching activities establish Data Protection Boards to oversee those
activities.
Dimensions of Computer Security
Until the era of the information society, information security was a concern
mainly for organizations whose line of business demanded a high degree of
security. However, the growing use of information technology is changing the
status of information security so that it is gradually becoming an area that
plays an important role in our everyday lives. As a result, information security
issues should now be regarded on a par with other security issues.
Focus of Control
In this section we focus on what is important to manage. We need to prioritize
areas in terms of security measures. Top management must provide the
direction on where to go, and IT experts must suggest ways to improve security
measures.
The following items need particular attention in terms of data:
1. the format and content of data items
2. the operations that may be performed on a data item
3. the users who are allowed to access a data item
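As an added example (not part of the original course module), the following Python script implements a small reference monitor that enforces the three items above for a data item, and at the same time the need-to-know rule from the Access Controls section: a write must match the item's required format, the operation must be permitted for the user's role, and the user must hold both sufficient clearance and a need to know for the item's compartment. Anything not explicitly allowed is denied. The roles, clearance levels, compartments, users and the account record are constructed for this illustration.

```python
"""
Added example: a default-deny reference monitor covering format of data,
permitted operations, and permitted users (clearance plus need to know).
Not part of the course module; all policy entries and users are constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: int            # 0 public, 1 internal, 2 confidential, 3 secret (assumed scale)
    roles: frozenset          # determines which operations are permitted
    need_to_know: frozenset   # compartments the user's job actually requires


@dataclass
class DataItem:
    name: str
    classification: int       # same scale as Subject.clearance
    compartment: str
    value: str
    schema: str               # regex the content must satisfy on every write


# 2. operations that may be performed on a data item, per role (allow list)
ROLE_OPERATIONS = {
    "analyst": {"read"},
    "editor": {"read", "write"},
    "auditor": {"read", "audit"},
}


def check_format(item: DataItem, new_value: str) -> bool:
    """1. format and content of the data item: the whole value must match the schema."""
    return re.fullmatch(item.schema, new_value) is not None


def authorize(subject: Subject, item: DataItem, operation: str, new_value=None):
    """Return (allowed, reason). Every check must pass; the fall-through is denial."""
    # 3. users allowed to access the item: clearance AND need to know
    if subject.clearance < item.classification:
        return False, "clearance below classification"
    if item.compartment not in subject.need_to_know:
        return False, f"no need to know for compartment {item.compartment!r}"
    # 2. operation permitted for at least one of the subject's roles
    allowed_ops = set().union(*(ROLE_OPERATIONS.get(r, set()) for r in subject.roles))
    if operation not in allowed_ops:
        return False, f"operation {operation!r} not permitted for roles {sorted(subject.roles)}"
    # 1. content control on writes
    if operation == "write" and (new_value is None or not check_format(item, new_value)):
        return False, "content does not match required format"
    return True, "ok"


def perform(subject: Subject, item: DataItem, operation: str, new_value=None) -> str:
    """The single chokepoint through which every access goes."""
    allowed, reason = authorize(subject, item, operation, new_value)
    if not allowed:
        raise PermissionError(f"{subject.name}: {operation} on {item.name} denied: {reason}")
    if operation == "write":
        item.value = new_value
    return item.value


# Constructed sample data item and users (not real data).
ACCOUNT = DataItem("account-balance", 2, "finance", "250.00", r"\d+\.\d{2}")
ALICE = Subject("alice", 2, frozenset({"editor"}), frozenset({"finance"}))
BOB = Subject("bob", 3, frozenset({"analyst"}), frozenset({"hr"}))      # cleared, but no need to know
CAROL = Subject("carol", 1, frozenset({"editor"}), frozenset({"finance"}))  # need to know, but not cleared


if __name__ == "__main__":
    for subject, op, value in [(ALICE, "read", None), (ALICE, "write", "300.00"),
                               (ALICE, "write", "300"), (BOB, "read", None),
                               (CAROL, "read", None), (ALICE, "audit", None)]:
        print(subject.name, op, value, "->", authorize(subject, ACCOUNT, op, value))
```

Bob's case is the one the need-to-know rule exists for: his clearance exceeds the item's classification, yet he is denied because the finance compartment is not part of his job.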
The Man–Machine Scale
This section focuses on the hardware model of a computer system. Since
hardware underlies all use of the system, we must consider ways to secure it.
Note that not only the hardware but also the software must be considered.
Hardware and Software levels
1. Users run application programs that have been tailored to meet specific
application requirements.
2. The application programs may make use of the services provided by a
general purpose software package such as a database management system
(DBMS), an object request broker (ORB), or a browser.
3. The services run on top of the operating system, which performs file and
memory management and controls access to resources such as printers and
I/O devices.
4. The operating system may have a kernel (micro-kernel, hypervisor) that
mediates every access to the processor and to memory.
5. The hardware, i.e. processors and memory, physically stores and
manipulates the data held in the computer system.
Complexity vs Assurance
In securing systems and applications, management must decide between
complexity and assurance. Hackers are developing ever smarter tools to
penetrate organizations' systems, so one temptation is for developers to try
to outsmart them with ever more complex applications, on the assumption that
complexity keeps valuable data and information secure. But is complexity the
right way to protect our data and information? The alternative is assurance:
making sure that every component of the system works as intended, checking
all areas of the system and leaving no stone unturned. In general the two pull
against each other, because the more complex a system is, the harder it is to
verify that it behaves correctly. Management, together with IT experts, must
look closely at this trade-off.
Centralized or Decentralized Controls
If there is a single central entity in charge of security, then it is easy to achieve
uniformity, but this central entity may become a performance bottleneck.
Conversely, a distributed solution may be more efficient but we have to take
additional care to guarantee that the different components define and enforce
the policy consistently.