Copyright Warning

INFO5301

Information Security Management

Semester 1, 2020
Lecture 1
Information System Security: Nature and Scope

Why study information security?

• Growing importance of IT security and new career opportunities
• Increasing demand by government and private industry
• Remuneration for information security jobs continues to outperform the market
Umbrella of Information Security

Becoming an Information Security Specialist

• Work towards getting the right certification (CISSP, CISM, SABSA, GIAC….)
• Increase your skills in risk management, disaster recovery, standards and compliance
• If so inclined…build a home lab.
• Get involved in a project working with strategic partners
• Consider an internship in IS
• Take a second look at government jobs
• Adopt a multidisciplinary approach
Information System Security: Nature and Scope

Learning Objectives

Understanding….
• information systems in organisations
• roles of information systems in organisations
• types of information systems
• technical, formal, and informal controls
• importance of coordinating and maintaining the integrity of operations within and between the three levels of systems
Organisations and information systems

• An organisation is a series of information handling activities
• As organisations grow…
  • Information handling becomes cumbersome and increasingly important
  • A greater amount of information is collected, stored, and released
• Information handling is carried out at three levels: technical, formal, and informal
Types of Information Systems

Formal System

• Defines all major ‘official’ information handling of the organisation
• Rule based and tends to bring about uniformity
• Following the formal system is important
• Misinterpretation of the formal system can be detrimental
• Computerisation of major information flows to bring about efficiency and effectiveness is possible, but not enough
Types of Information Systems

Informal System

• Represents the organisation’s sub-culture where meanings are established, intentions are understood, beliefs are formed, and commitments and responsibilities are made, altered and discharged
• A natural means to augment the formal systems
• Groups with overlapping memberships are possible as the size of the organisation grows
• Challenges of differences in opinions, goals, and objectives
Types of Information Systems

Technical System

• Technology-enabled / automated parts of the formal system
• Presupposes the existence of a formal system
• Could be problematic if a formal system does not exist
• Plays a supportive role to the formal system
Types of Information Systems

Co-ordination between Systems

[Diagram showing the relationship between the three systems: Informal System, Formal System, Technical System]
Types of Information Systems

Co-ordination between Systems…contd.

• The technical system is bound by the formal system of rules and regulations
• The technical system plays a subservient role
• Beware of the consequences of excessive bureaucratic red tape in the formal systems and their relationship to the informal systems
Information Security in 3-Systems Model

• Information systems security is about maintaining the integrity of the three systems
• Managing security is the implementation of a range of controls
• Control = “the use of interventions by a controller to promote a preferred behavior of a system being controlled”
Information Security in 3-Systems Model

Types of Controls

• Technical control, e.g., limit access to computer rooms
• Formal control, e.g., organisational hierarchy
• Informal control, e.g., information security awareness program
Information Security in 3-Systems Model

Technical Controls

• Authentication and access control
• Firewalls and De-Militarised Zones
• Network segmentation
• End-point security
• Malicious content control
• Implementation of technological solutions is dependent upon cost-justifying the controls
Information Security in 3-Systems Model

Effectiveness of Technical Controls

• Technical controls alone are often not enough
• Consider establishing well-thought-out baseline organisational controls
Information Security in 3-Systems Model

Formal Controls

• Support technological controls
• Approach at organisational level
• Implementing structured IS management
• Giving strategic direction
• Representation from a wide range of functional areas
• Hiring and termination standards
• Fair Practices and moral leadership
• Protect management from claims of negligent duty
• Compliance with the requirements of data protection legislation

Information Security in 3-Systems Model

Informal Controls

• Security awareness is a cost-effective control
• Increased awareness should be supplemented with an ongoing education and training program
• Training and awareness are extremely important in developing a ‘trusted’ core of members of the firm
• An environment of developing a common belief system
Institutionalising Information Security

• Organisational structure
• Policy and Procedural framework
• Linking access rights to the hierarchical level
• For efficiency and effectiveness purposes
• The reality is more complex than formal or the technical
aspects of the system
• Maintaining consistency in communication
• Ensuring proper interpretation of information
• Ethics and trust

Reference Links:
• https://www.schneier.com
• https://krebsonsecurity.com/
• https://www.securityfocus.com/
• https://www.isaca.org/
• https://slashdot.org/
• https://www.asd.gov.au/
• https://www.oaic.gov.au/
• https://www.auscert.org.au/
• https://www.nist.gov/topics/cybersecurity
• https://www.helpnetsecurity.com
• Vendor sites such as Cisco, Juniper, Symantec, McAfee, IBM, etc.
References – Lecture 1

Gurpreet Dhillon, Principles of Information Security Systems – Texts and Cases, Chapter 1: Information System Security: nature and scope
Discussion Questions

Q 1) Even though information system security goes way beyond the security of the technical edifice, applications and organisation resources can only be protected by using the latest security gadgets. Isn’t this a contradiction in itself?

Discuss.
Q 2) The advent of internetworked organizations and the increased reliance of companies on the Internet to conduct their business has increased the chances of abuse.

Is this the case? Discuss.
Q 3) Do we really need to understand and place high importance on the informal controls prior to establishing security rules?

Why? / Why not?
Q 4) Over-engineering a solution or over-bureaucratisation of the formal systems has consequences for the security and integrity of operations.

Comment.