
Unit 1

Name of the Faculty : Dr.Poongodi.J
Subject Name and Code : CW3551- Data and Information security
Branch & Department : B.Tech CSBS
Year & Semester : IV / VII
Academic Year : 2024-2025(Odd)

23-07-2024 CW35551/DIS/III CSBS/V-SEM/KG-KITE 1


CW3551 DATA AND INFORMATION SECURITY

UNIT  UNIT NAME
1     INTRODUCTION
2     SECURITY INVESTIGATION
3     DIGITAL SIGNATURE AND AUTHENTICATION
4     E-MAIL AND IP SECURITY
5     WEB SECURITY
TOTAL: 45 PERIODS

BOOK (Unit I & II): Michael E Whitman and Herbert J Mattord, “Principles of Information Security”, Course Technology, 6th Edition, 2017.

REFERENCE:
1. Allen B. Downey, “Think Stats: Exploratory Data Analysis in Python”, Green Tea Press, 2014.

CW3551 / DIS / KITE 2


UNIT I INTRODUCTION 9

History, What is Information Security?, Critical Characteristics of Information, NSTISSC Security Model, Components of an Information System, Securing the Components, Balancing Security and Access, The SDLC, The Security SDLC


History of Information Security

What is Information Security?
• Information Security is a process of securing your personal data from unauthorized access, usage, revelation, interruption, modification, or deletion of data.

• Information Security aims to safeguard the confidentiality, availability, and integrity of data and stop online threats like hacking and data breaches.


Why Information Security is needed?

• Protecting Confidential Information


• Maintaining Business Continuity
• Protecting Customer Trust
• Preventing Cyber-attacks
• Protecting Employee Information



Definition of Information Security



History of Information Systems
The history of information security begins with computer security.

• The need for computer security, that is, the need to secure physical locations, hardware, and software from threats, arose during World War II when the first mainframes, developed to aid computations for communication code breaking, were put to use.
• Multiple levels of security were implemented to protect these mainframes and maintain the integrity of their data.
• Access to sensitive military locations, for example, was controlled by means of badges, keys, and the facial recognition of authorized personnel by security guards.
The 1960s

• During the Cold War, many more mainframes were brought online to accomplish more complex and sophisticated tasks.
• It became necessary to enable these mainframes to communicate via a less cumbersome process than mailing magnetic tapes between computer centers.
• In response to this need, the Department of Defense’s Advanced Research Project Agency (ARPA) began examining the feasibility of a redundant, networked communications system to support the military’s exchange of information.
• Larry Roberts, known as the founder of the Internet, developed the project, which was called ARPANET, from its inception.

The 1970s and 80s

• During the next decade, ARPANET became popular and more widely used, and the potential for its misuse grew.
• Because of the range and frequency of computer security violations and the explosion in the numbers of hosts and users on ARPANET, network security was referred to as network insecurity.
• In 1978, a famous study entitled “Protection Analysis: Final Report” was published. It focused on a project undertaken by ARPA to discover the vulnerabilities of operating system security.


• The movement toward security that went beyond protecting physical locations
began with a single paper sponsored by the Department of Defense, the Rand
Report R-609, which attempted to define the multiple controls and mechanisms
necessary for the protection of a multilevel computer system.

• In 1967, systems were being acquired at a rapid rate and securing them was a
pressing concern for both the military and defense contractors.

• Multiplexed Information and Computing Service (MULTICS) was the first operating system to integrate security into its core functions. It was a mainframe, time-sharing operating system.

[Figure: Computer Network Vulnerabilities. Diagram of a computer network (communication lines, switching center, processor, files, hardware, software, operator, systems programmer, maintenance man, remote consoles, user) annotated with vulnerabilities such as taps, radiation, crosstalk, theft, copying, unauthorized access, improper connections, cross coupling, failure of protection circuits and protection features, disabling of protective features, attachment of recorders, and subtle software modifications.]

• In mid-1969, not long after the restructuring of the MULTICS project, a new operating system called UNIX was created. While the MULTICS system implemented multiple security levels and passwords, the UNIX system did not.
• In the late 1970s, the microprocessor brought the personal computer and a new age of
computing. The PC became the workhorse of modern computing.
• This decentralization of data processing systems in the 1980s gave rise to networking, that is, the interconnecting of personal computers and mainframe computers, which enabled the entire computing community to make all their resources work together.


The 1990s
• This gave rise to the Internet, the first global network of networks.
• The Internet was made available to the general public in the 1990s, having previously been the domain of government, academia, and dedicated industry professionals.
• The Internet brought connectivity to virtually all computers that could reach a phone line or an Internet-connected local area network (LAN).
• As networked computers became the dominant style of computing, the ability to physically secure a networked computer was lost, and the stored information became more exposed to security threats.


2000 to Present
• Today, the Internet brings millions of unsecured computer networks into continuous communication with each other.
• Recent years have seen a growing awareness of the need to improve information security, as well as a realization that information security is important to national defense.
• The growing threat of cyber attacks has made governments and companies more aware of the need to defend the computer-controlled control systems of utilities and other critical infrastructure.


The value of information depends on the characteristics it possesses.

C.I.A.: Confidentiality, Integrity, Availability

• C.I.A. Triangle: a concept developed by the computer security industry as a standard; it models the critical elements of information.


List of Characteristics

1. Availability
2. Accuracy
3. Authenticity
   - Spoofing
   - Phishing
4. Confidentiality
5. Integrity
6. Utility
7. Possession

1. Availability

• An attribute of information that describes how data is accessible and correctly formatted for use without interference or obstruction.

• Allows authorized persons or computer systems access to information in the required format.

• Only authorized users have access to information when and where needed, and the data needs to be in the correct format.

• Example: Library I.D.


2. Accuracy

• An attribute of information that describes how data is free of errors and has the value that the user expects.

• Accurate, valid.

• Wrong data is worse than no data.

• Free from errors, with the value the end user expects.

• Example: Checking account.


3. Authenticity
• An attribute of information that describes how data is genuine or original rather than reproduced or fabricated.
• Quality of being original or genuine rather than a copy or fabrication.

• E.g.: Email spoofing


Spoofing

• Sending an e-mail with a modified field, such as the sender's address

• Tricks people into opening e-mail

• Gives an attacker access to data
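
A receiving mail system can flag a modified sender field by comparing the visible From address with the other headers of the message. The following is an added example, not part of the original slides; the sample messages, the domain names and the trusted authserv-id `mx.university.example` are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: identifier our own receiving mail server writes into the
# Authentication-Results header it adds.
TRUSTED_AUTHSERV_ID = "mx.university.example"

# Constructed sample: visible sender claims the university, the rest does not.
SPOOFED = """\
From: "IT Helpdesk" <helpdesk@university.example>
Reply-To: support@mailer.invalid
Return-Path: <bounce@mailer.invalid>
Authentication-Results: mx.university.example; spf=pass smtp.mailfrom=mailer.invalid; dmarc=fail header.from=university.example
Authentication-Results: mailer.invalid; dmarc=pass header.from=university.example
Subject: Your password expires today

Constructed sample body.
"""

# Constructed sample: every header agrees with the visible sender.
GENUINE = """\
From: Registrar <registrar@university.example>
Return-Path: <registrar@university.example>
Authentication-Results: mx.university.example; spf=pass smtp.mailfrom=university.example; dmarc=pass header.from=university.example
Subject: Timetable update

Constructed sample body.
"""


def domain_of(header_value):
    """Lower-cased domain of the address in a header value, or '' if none."""
    _name, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def trusted_dmarc_result(msg):
    """DMARC verdict recorded by our own server, or None if there is none.

    Authentication-Results headers with any other authserv-id are ignored,
    because the sender can put arbitrary header lines into a message.
    """
    for value in msg.get_all("Authentication-Results", []):
        authserv_id, _, results = value.partition(";")
        parts = authserv_id.split()
        if not parts or parts[0].lower() != TRUSTED_AUTHSERV_ID:
            continue
        match = re.search(r"\bdmarc=([a-z]+)", results, re.IGNORECASE)
        if match:
            return match.group(1).lower()
    return None


def spoofing_indicators(raw_message):
    """Return a list of reasons to distrust the visible From address.

    These are indicators, not verdicts: legitimate bulk mail often has a
    different Return-Path domain, so the DMARC result carries the most weight.
    """
    msg = message_from_string(raw_message)
    from_domain = domain_of(msg["From"])
    findings = []
    dmarc = trusted_dmarc_result(msg)
    if dmarc is None:
        findings.append("no trusted DMARC result")
    elif dmarc != "pass":
        findings.append("dmarc=" + dmarc)
    if msg["Return-Path"] and domain_of(msg["Return-Path"]) != from_domain:
        findings.append("Return-Path domain differs from From")
    if msg["Reply-To"] and domain_of(msg["Reply-To"]) != from_domain:
        findings.append("Reply-To domain differs from From")
    return findings


if __name__ == "__main__":
    print(spoofing_indicators(SPOOFED))
    print(spoofing_indicators(GENUINE))
```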



Phishing

• Attacker attempts to obtain personal or financial information using fraudulent means


6. Utility

• An attribute of information that describes how data has value or usefulness for an end purpose.
• Usability or purpose of the data or information.


5. Integrity

• An attribute of information that describes how data is whole, complete, and uncorrupted.

• Means maintaining accuracy and completeness of data. This means data cannot be edited in an unauthorized way.

• Quality, completeness or state of the data.


4. Confidentiality
• An attribute of information that describes how data is protected from disclosure or exposure to unauthorized individuals or systems.
• Only those with the rights or privileges can access it.


7. Possession
• An attribute of information that describes how the data’s ownership or control is legitimate or authorized.

• Having ownership or control of information.

• A breach of confidentiality always results in a breach of possession.
• But a breach of possession does not always result in a breach of confidentiality.
• Example: Someone steals a tape backup containing encrypted data. The theft is a breach of possession, but since the data is encrypted, the data will remain confidential (until the code is broken).


Conclusion

• These critical characteristics form the foundation of robust information security practices, safeguarding data, and maintaining trust in the digital age.



NSTISSC Security Model

• CNSS was originally called the National Security Telecommunications and Information Systems Security Committee (NSTISSC).
• The NSTISSC model is a comprehensive information security model and has become a widely accepted evaluation standard for the security of information systems.
• The committee was established by President Bush under National Security Directive 42 (NSD 42), entitled “National Policy for the Security of National Security Telecommunications and Information Systems”, dated 5 July 1990.
• The NSTISSC provides a forum for the discussion of policy issues, sets national policy, and propagates direction, operational procedures and guidance for the security of national security systems through the NSTISSC Issuance System.


The NSTISSC Security Model provides a more detailed perspective on security. While the NSTISSC model covers the three dimensions of information security, it omits discussion of detailed guidelines and policies that direct the implementation of controls.
The McCumber Cube shows three dimensions. Each axis has three values, giving a 3×3×3 cube with 27 cells representing areas that must be addressed to secure today's information systems.
• The basic objective of the NSTISSC model is to secure data in 3 probable ways:
-- Using security services
-- Maintaining information states
-- Setting security countermeasures


NSTISSC Security Model

1. Confidentiality-Policy and Storage
In this process the university has certain policies and guidelines for enrolled students and staff. All the relevant associated data is kept confidential and accessible to authorized personnel only, and a secure storage solution is provided by the university to safeguard its own and its students' data.
2. Confidentiality-Policy and Processing
In this process authorized personnel are appointed to process data whenever required. Those personnel have to maintain the confidentiality of the data and work according to university policies. An example is the electronic submission of an assignment, which is meant for the lecturer only.
3. Confidentiality-Policy and Transmission
Keeping data confidential and having personnel work under policies is not enough, as a secure medium is required for transmission of that data when a user requests access. The university is required to use all necessary measures to secure a transmission.
4. Confidentiality-Education and Storage
Only a student enrolled in a particular subject should get the materials of that subject. That is, the use of educational data and the storage of material should be kept confidential to the actual students, not all.
5. Confidentiality-Education and Processing
The lecturer needs to update slides or educational materials constantly, and send any new materials to the students enrolled in the particular subject.

6. Confidentiality-Education and Transmission
Data and information related to the subject should be kept secure by applying a range of measures, for example only enrolled students attend classes, as only a card swipe will open lecture room doors.

7. Confidentiality-Technology and Storage
The use of a database system to store data and transfer it only to the students who are to use it.

8. Confidentiality-Technology and Processing
An advanced processing system such as speech-to-text collects data and stores it in the university database. This method maintains confidentiality as the system automatically integrates data from one form to another.


9. Confidentiality-Technology and Transmission
The use of optical fiber to transfer data between terminals decreases the chances of data being stolen or corrupted. Similarly, using cryptography in transmission ensures secure data.

10. Integrity-Policy and Storage
When data is to be uploaded in electronic format, the lecturer and university personnel should check the files for corruption or damage. The policy for uploading files should be maintained.

11. Integrity-Policy and Processing
Processing should be done by personnel who are aware of university policies and knowledgeable enough not to make mistakes in the data while processing.

12. Integrity-Policy and Transmission
The correct electronic data is accessible to students at a particular time using a wired or wireless method.


13. Integrity-Education and Storage
The lecturer provides up-to-date data on the university database for students to use, without any mistakes in the information they get.

14. Integrity-Education and Processing
Educational data and material should not be altered while processing and should be checked before the upload to the system is finalized.

15. Integrity-Education and Transmission
Only accurate and useful data should be uploaded to the student database, as incorrect data leads to problems in the university.

16. Integrity-Technology and Storage
The subject materials related to a particular subject are stored in the university database system after being checked and verified as correct and useful to students.


17. Integrity-Technology and Processing
Some system or software is used to check data being uploaded for its authenticity.

18. Integrity-Technology and Transmission
The data on the university network should be correct and not misleading, and be available only after its integrity for use has been finalized.

19. Availability-Policy and Storage
University students should be able to get the data at any time from the university database. The data should comply with all the rules and policies set by the university.

20. Availability-Policy and Processing
The data on the university system should be allowed to be edited by a responsible person whenever some issues are found in the available data.


21. Availability-Policy and Transmission
A change in data by a lecturer on their subject should be immediately available for use by students and should not violate any rules and policies.
22. Availability-Education and Storage
Material stored in the university database needs to be updated and ready for use by students at any moment.
23. Availability-Education and Processing
If any changes are to be made in lecture slides or any data, authorized personnel need to access it and make it ready to be used.
24. Availability-Education and Transmission
Ready-to-use data should always be in the system so that students can utilize and download it whenever they require.


25. Availability-Technology and Storage
26. Availability-Technology and Processing
27. Availability-Technology and Transmission
All necessary documents need to be accessible to students and lecturers to download or modify, based on privileges, at any time they want.


KGiSL Institute of Technology
(Approved by AICTE, New Delhi; Affiliated to Anna University, Chennai)
Recognized by UGC, Accredited by NBA (IT)
365, KGiSL Campus, Thudiyalur Road, Saravanampatti, Coimbatore – 641035.

Department of Computer Science and Business Systems
Name of the Faculty : Dr.Poongodi.J
Subject Name & Code : CW3551- Data and Information security
Branch & Department : CSBS
Year & Semester : 2023 / V
Academic Year :2024-25
Components of an Information System
• An information system is a system that accepts data resources as input and processes them into information products as output.

1. Computer Hardware
2. Computer Software
3. Databases
4. Network
5. Human Resources
6. Procedures
• An information system is a combination of hardware, software and telecommunication networks that people build to collect, create and distribute useful data, typically in an organization.

• It defines the flow of information within the system.

• The objective of an information system is to provide appropriate information to the user, to gather the data, process the data and communicate information to the user of the system.
• An information system depends on the
-- hardware (machines),
-- software (programs),
-- data (data and knowledge bases),
-- networks (communications media and network support), and
-- resources of people (end users and IS specialists)
to perform input, processing, output, storage, and control activities that convert data resources into information products.
1. Computer Hardware:

o Physical equipment used for input, output and processing.

o The hardware structure depends upon the type and size of the organization.

o It consists of an input and an output device, operating system, processor, and media devices.

o This also includes computer peripheral devices.


2. Computer Software:

o The programs/application programs used to control and coordinate the hardware components.

o It is used for analyzing and processing the data.

o These programs include a set of instructions used for processing information.

o Software is further classified into 3 types:
  • System Software
  • Application Software
  • Procedures
3. Databases:

o Data are the raw, unorganized facts and figures that are later processed to generate information.

o Software is used for organizing and serving data to the user, and for managing physical storage media and virtual resources.

o Just as hardware can’t work without software, software needs data for processing.

o Data are managed using a database management system.

o Database software is used for efficient access to required data, and to manage knowledge bases.
4. Network:

o Network resources refer to the telecommunication networks like the intranet, extranet and the internet.

o These resources facilitate the flow of information in the organization.

o Networks consist of both physical devices such as network cards, routers, hubs and cables, and software such as operating systems, web servers, data servers and application servers.

o Telecommunications networks consist of computers, communications processors, and other devices interconnected by communications media and controlled by software.

o Networks include communication media and network support.


5. Human Resources:

o It is associated with the manpower required to run and manage the system.

o People are the end users of the information system. End users use the information produced for their own purposes; the main purpose of the information system is to benefit the end user.

o The end user can be accountants, engineers, salespersons, customers, clerks, or managers etc.

o People are also responsible for developing and operating the information system.

o They include systems analysts, computer operators, programmers, and managerial techniques.
6. Procedures:

o A procedure is a series of documented actions taken to achieve something.

o A procedure is more than a single simple task.

o A procedure can be quite complex and involved, such as performing a backup, shutting down a system, or patching software.
Securing the Components


Securing the components is done by using CIA.
CIA:
• 1. Message Confidentiality
> Connection Confidentiality
> Connectionless Confidentiality
> Traffic-flow Confidentiality
• 2. Data Integrity
> Connection integrity with recovery
> Selective-field connection integrity
> Connectionless integrity
> Selective-field connectionless integrity
• 3. Authentication
• 4. Non-repudiation
• 5. Access Control
1. Message Confidentiality:

• The principle of confidentiality specifies that only the sender and the intended recipient should be able to access the contents of the message.

• It protects the transmitted data from passive attack.

• Passive Attack

• Active Attack
• Connection Confidentiality - The protection of all user information on a connection.

• Connectionless Confidentiality - The security of all user data in an individual data block.

• Traffic-flow Confidentiality - The protection of the information that can be derived from observation of traffic flows.


2. Data Integrity:

• Data integrity is designed to secure information from modification, insertion, deletion and replay by any entity.

• Data integrity can be applied to a stream of messages, an individual message or a selected portion inside a message.

• Data integrity can be used to support total stream protection.


There are various types of data integrity, which are as follows:

• Connection integrity with recovery - Provides for the integrity of all user information on a connection and detects any modification, insertion, deletion or replay of any information within a whole data sequence, with recovery attempted.

• Connection integrity without recovery - Provides only detection, without recovery.

• Selective-field connection integrity - Provides for the integrity of selected fields within the user information of a data block transferred over a connection, and takes the form of determining whether the selected fields have been changed, inserted, removed or replayed.
• Connectionless integrity - Provides for the integrity of an individual connectionless data block and can take the form of detection of data modification. Additionally, a limited form of replay detection can be provided.

• Selective-field connectionless integrity - Provides for the integrity of selected fields within an individual connectionless data block and takes the form of determining whether the selected fields have been changed.
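
The difference between connectionless integrity and connection integrity without recovery can be shown with a keyed hash over each data block. This is an added example, not part of the original slides; the key, the block layout (sequence number, payload, HMAC-SHA256 tag) and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"  # constructed sample key shared by both sides
SEQ_LEN = 8                    # 64-bit big-endian sequence number
TAG_LEN = 32                   # HMAC-SHA256 output size in bytes


def protect(seq, payload, key=KEY):
    """Sender side: sequence number | payload | HMAC tag over both."""
    header = struct.pack(">Q", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def verify_block(block, key=KEY):
    """Connectionless integrity: check one block in isolation.

    Returns (seq, payload) when the tag is valid, otherwise None.
    This detects modification only; a replayed block still verifies.
    """
    if len(block) < SEQ_LEN + TAG_LEN:
        return None
    header = block[:SEQ_LEN]
    payload = block[SEQ_LEN:-TAG_LEN]
    tag = block[-TAG_LEN:]
    expected = hmac.new(key, header + payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return struct.unpack(">Q", header)[0], payload


class ConnectionReceiver:
    """Connection integrity without recovery: verify every block and also
    track the sequence, so replay and deletion within the stream are
    detected (and reported, not repaired)."""

    def __init__(self, key=KEY):
        self.key = key
        self.next_seq = 0

    def receive(self, block):
        result = verify_block(block, self.key)
        if result is None:
            return "modified"          # changed or forged block
        seq, _payload = result
        if seq < self.next_seq:
            return "replayed"          # valid tag, but already seen
        if seq > self.next_seq:
            self.next_seq = seq + 1    # resynchronise after the gap
            return "gap"               # one or more blocks were deleted
        self.next_seq += 1
        return "ok"


def demo():
    """Run a constructed stream with tampering, replay and deletion."""
    blocks = [protect(i, b"grade record %d" % i) for i in range(4)]
    tampered = bytearray(blocks[1])
    tampered[SEQ_LEN] ^= 0x01          # flip one payload bit in transit
    # Delivered: block 0, tampered block 1, block 0 again, then block 3
    # (block 2 never arrives).
    delivered = [blocks[0], bytes(tampered), blocks[0], blocks[3]]
    receiver = ConnectionReceiver()
    return [receiver.receive(b) for b in delivered]


if __name__ == "__main__":
    print(demo())
```

Checked one block at a time with `verify_block`, the repeated block 0 is accepted both times; only the receiver that keeps connection state reports it as replayed.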



3. Authentication:
• The authentication service is concerned with assuring that a connection is authentic.
• In the case of a single message, such as a warning or alarm signal, the function of the authentication service is to assure the recipient that the message is from the source that it claims to be from.


4. Non-repudiation:
• Nonrepudiation prevents either sender or receiver from denying a transmitted message.
• Therefore, when a message is sent, the receiver can validate that the asserted sender actually sent the message.
• Likewise, when a message is received, the sender can validate that the asserted receiver actually received the message.


5. Access Control:

• The principle of access control decides who should be able to access information or a system through a communication link.

• It supports the avoidance of unauthorized use of a resource.

Securing the Components
Securing the components in information security is crucial to safeguarding an organization's sensitive data, assets, and systems from unauthorized access, misuse, or damage.
Some key components are as follows:
1. Network Security
2. Endpoint Security
3. Data Security
4. Application Security
5. Identity and Access Management (IAM)
6. Physical Security
7. Security Awareness Training
8. Incident Response and Disaster Recovery
1. Network Security:

• Use firewalls, intrusion detection/prevention systems (IDS/IPS), and secure routers/switches to control network traffic.

• Implement Virtual Private Networks (VPNs) to encrypt data transmitted over public networks.

• Regularly update and patch network devices to address vulnerabilities.

• Segment networks to limit the impact of a security breach.


2. Endpoint Security:

• Employ strong authentication mechanisms, such as multi-factor authentication (MFA), to control access to devices.

• Use endpoint protection software (antivirus, antimalware) and keep it up to date.

• Enable full-disk encryption to protect data on devices, especially laptops and mobile devices.

• Apply security policies to enforce device and data usage rules.


3. Data Security:
• Implement data classification and label sensitive information appropriately.
• Use encryption to protect data both in transit and at rest.
• Implement access controls to limit data access to authorized personnel only.
• Regularly back up critical data and test data restoration procedures.
4. Application Security:
• Conduct regular security assessments (e.g., code reviews, penetration testing) on applications.
• Apply secure coding practices to develop resilient software.
• Keep applications and their components (libraries, frameworks) up to date with security patches.
• Utilize Web Application Firewalls (WAFs) to protect web applications from common threats.
5. Identity and Access Management (IAM):
• Implement a robust IAM framework to manage user identities and access privileges.
• Enforce the principle of least privilege, ensuring users only have access to what is necessary.
• Monitor user activity and enable user activity logging for auditing purposes.
• Consider using Single Sign-On (SSO) to reduce the number of passwords and potential attack vectors.
6. Physical Security:

• Restrict physical access to critical infrastructure and data centers.

• Use surveillance cameras and access control systems to monitor and control entry points.

• Implement secure disposal procedures for hardware and storage media.
7. Security Awareness Training:
• Train employees regularly on security best practices, social engineering awareness, and phishing prevention.

• Foster a security-conscious culture within the organization.


8. Incident Response and Disaster Recovery:

• Develop and regularly test incident response and disaster recovery plans.

• Establish clear procedures for identifying, containing, and mitigating security incidents.

• Implement robust backup and recovery solutions to restore systems and data in case of emergencies.
Balancing Security and Access of Information
Balancing Security:

• Security should be considered a balance between protection and availability.

• It is impossible to obtain perfect security; security is not an absolute, it is a process.

• To achieve balance, the level of security must allow reasonable access, yet protect against threats.
Access Control:

• Access control is a security approach that restricts access, both physical and virtual, unless valid authentication credentials are presented.

• An access control system generally involves locked gates, doors or barriers which can be opened using identity authentication approaches such as RFID access cards, PIN codes, face recognition, fingerprints or smartphones to enable entry to a building or specific area.

• Access control includes data and physical access protections that strengthen cybersecurity by handling user authentication to systems.

• Managing access means setting and enforcing suitable user authorization, authentication, role-based access control (RBAC) policies and attribute-based access control (ABAC) policies.

• Access control authentication mechanisms have evolved to include ID and password, digital certificates, security tokens, smart cards and biometrics.

• Access control is the ability to allow or deny the use of a specific resource by a specific entity.

• Access control structures can be used to handle physical resources (such as a movie theatre, to which only ticket-holders must be admitted), logical resources (a bank account, with a limited number of people authorized to make a withdrawal), or digital resources.

• Digital resources include, for example, a private text file on a computer, which only specific users should be able to read.
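
The allow-or-deny decision described above, written as an added example that is not part of the original slides: an RBAC check and an ABAC check combined under a default-deny rule, applied to the bank-account and private-text-file cases. The role names, permission table, user names and sample resources are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Constructed policy for illustration: role names and permissions are assumptions.
ROLE_PERMISSIONS = {
    "account_holder": {("bank_account", "read"), ("bank_account", "withdraw")},
    "auditor": {("bank_account", "read")},
}

@dataclass(frozen=True)
class Subject:
    name: str
    roles: frozenset = frozenset()
    authenticated: bool = False   # set only after credentials were verified

@dataclass(frozen=True)
class Resource:
    kind: str                     # "bank_account" or "text_file"
    owner: str
    authorized: frozenset = frozenset()  # attribute: extra users allowed

def rbac_allows(subject, resource, action):
    """RBAC: the permission must come from a role assigned to the subject."""
    return any((resource.kind, action) in ROLE_PERMISSIONS.get(role, set())
               for role in subject.roles)

def abac_allows(subject, resource):
    """ABAC: decide from attributes of the subject and of this resource."""
    return subject.name == resource.owner or subject.name in resource.authorized

def is_allowed(subject, resource, action):
    """Allow or deny one entity's use of one resource; anything unmatched is denied."""
    if not subject.authenticated:
        return False
    if resource.kind == "bank_account":
        # The role grants the action, the attributes tie it to this account.
        return rbac_allows(subject, resource, action) and abac_allows(subject, resource)
    if resource.kind == "text_file":
        return action == "read" and abac_allows(subject, resource)
    return False

# Constructed sample data.
ACCOUNT = Resource("bank_account", owner="alice", authorized=frozenset({"bob", "dave"}))
NOTES = Resource("text_file", owner="alice", authorized=frozenset({"carol"}))
alice = Subject("alice", frozenset({"account_holder"}), authenticated=True)
dave = Subject("dave", frozenset({"auditor"}), authenticated=True)
mallory = Subject("mallory", frozenset({"account_holder"}), authenticated=True)

if __name__ == "__main__":
    for who in (alice, dave, mallory):
        print(who.name, "withdraw ->", is_allowed(who, ACCOUNT, "withdraw"))
```

Dave is listed on the account but holds only the auditor role, and Mallory holds the right role but is not listed on the account, so both withdrawals are denied: each check covers a gap the other leaves open.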
Software Development Life Cycle (SDLC)
• Software development life cycle (SDLC) is the term used in the
software industry to describe the process for creating a new software
product.
• Software developers use this as a guide to ensure software is
produced with the lowest cost and highest possible quality in the
shortest amount of time.
• Software Development Life Cycle (SDLC) is a process used by the
software industry to design, develop and test high quality software.

How was the SDLC created?

• In the 1950s and 1960s, computer science progressed rapidly.

• Prior to the 1950s, computing was not elaborate enough to necessitate a detailed approach like the SDLC.

• As the complexity and scale of programming grew, the concept of structured programming emerged.

• Over time, structured programming demanded more tactical development models, thus sparking the beginnings of the SDLC.
Why is the SDLC important?
• It provides a standardized framework that defines activities and
deliverables
• It aids in project planning, estimating, and scheduling
• It makes project tracking and control easier
• It increases visibility on all aspects of the life cycle to all
stakeholders involved in the development process
• It increases the speed of development
• It improves client relations
• It decreases project risks
• It decreases project management expenses and the overall cost
of production
The stages or phases of SDLC are as follows:

Stage 1: Planning and requirement analysis

Stage 2: Defining Requirements

Stage 3: Designing the Software

Stage 4: Developing the project

Stage 5: Testing

Stage 6: Deployment

Stage 7: Maintenance
Stage 1: Planning and requirement analysis:

Planning:

• During the planning phase, the development team collects input from stakeholders involved in the project: customers, sales, internal and external experts, and developers.

• This input is synthesized into a detailed definition of the requirements for creating the desired software.

• The team also determines what resources are required to satisfy the project requirements, and then infers the associated cost.
Requirement Analysis:

• Business Requirements

• Stakeholder Requirements

• Solution Requirements

-- Functional Requirements

-- Non-Functional Requirements

• Transition Functional Requirements



Stage 2: Defining Requirements:

• Once the requirement analysis is done, the next step is to clearly define and document the product requirements and get them approved by the customer or the market analysts.

• This is done through an SRS (Software Requirement Specification) document, which consists of all the product requirements to be designed and developed during the project life cycle.
Defining Requirements:

• Enterprise Analysis

• Business Analysis Planning & Monitoring

• Elicitation

• Requirements Analysis

• Requirements Management & communication

• Solution Assessment & Validation



Stage 3: Designing the Software:

• Based on the requirements specified in the SRS, usually more than one design approach for the product architecture is proposed and documented in a DDS (Design Document Specification).

• This DDS is reviewed by all the important stakeholders and, based on various parameters such as risk assessment, product robustness, design modularity, budget and time constraints, the best design approach is selected for the product.


Stage 4: Building or Developing the Product:

• In this stage of the SDLC the actual development starts and the product is built. The programming code is generated as per the DDS during this stage.

• Developers must follow the coding guidelines defined by their organization, and programming tools like compilers, interpreters, debuggers, etc. are used to generate the code.



Stage 5: Testing the Product:

• This stage is usually a subset of all the stages, because in modern SDLC models the testing activities are mostly involved in all the stages of the SDLC.

• However, this stage refers to the testing-only stage of the product, where product defects are reported, tracked, fixed and retested until the product reaches the quality standards defined in the SRS.



Stage 6: Deployment in the Market and Maintenance:

• Once the product is tested and ready to be deployed, it is released formally in the appropriate market.

• Then, based on the feedback, the product may be released as it is or with suggested enhancements in the target market segment.

• After the product is released in the market, its maintenance is done for the existing customer base.



Stage 7: Maintenance:

• Once the client starts using the developed system, the real issues come up and need to be solved from time to time.

• This procedure, in which care is taken of the developed product, is known as maintenance.

The Security SDLC
• An SDLC is a methodology for the design and implementation of an information system.

• The traditional SDLC consists of six general phases.

• The Security System Development Life Cycle (SSDLC) is a framework used to manage the development, maintenance, and retirement of an organization’s information security systems.
• The SSDLC is a cyclical process that includes the following phases:

1. Planning

2. Analysis

3. Design

4. Implementation

5. Maintenance

6. Retirement
1. Planning:

• During this phase, the organization identifies its information security needs and develops a plan to meet those needs.

• This may include identifying potential security risks and vulnerabilities, and determining the appropriate controls to mitigate those risks.

2. Analysis:

• During this phase, the organization analyzes its information security needs in more detail and develops a detailed security requirements specification.

3. Design:

• During this phase, the organization designs the security system to meet the requirements developed in the previous phase.

• This may include selecting and configuring security controls, such as firewalls, intrusion detection systems, and encryption.

4. Implementation:

• During this phase, the organization develops, tests, and deploys the security system.

5. Maintenance:

• After the security system has been deployed, it enters the maintenance phase, where it is updated, maintained, and tweaked to meet the changing needs of the organization.

6. Retirement:

• Eventually, the security system will reach the end of its useful life and will need to be retired.

• During this phase, the organization will plan for the replacement of the system, and ensure that data stored in it is properly preserved.
• Phases involved in SecSDLC are:
1. System Investigation
2. System Analysis
3. Logical Design
4. Physical Design
5. Implementation
6. Maintenance
1. System Investigation:

• This process is initiated by officials and directives from top-level management in the organization.

• The objectives and goals of the project are considered beforehand in order to execute this process.

2. System Analysis:

• In this phase, a detailed analysis of the documents from the System Investigation phase is carried out.

• Existing security policies, applications and software are analyzed in order to check for flaws and vulnerabilities in the system.

• Upcoming threat possibilities are also analyzed. Risk management also falls under this phase.

3. Logical Design:

• The Logical Design phase deals with the development of the tools and blueprints involved in various information security policies, their applications and software.

• Backup and recovery policies are also drafted in order to prevent future losses.

• It is analyzed whether the project can be completed within the company itself or needs to be sent to another company for the specific task.

4. Physical Design:

• The technical teams acquire the tools and blueprints needed for the implementation of the software and application of the system security.

• During this phase, different solutions are investigated for any unforeseen issues which may be encountered in the future.

• They are analyzed and written down in order to cover most of the vulnerabilities that were missed during the analysis phase.

5. Implementation:

• The solution decided in earlier phases is made final, whether the project is in-house or outsourced.

• Proper documentation of the product is provided in order to meet the requirements specified for the project.

• The implementation and integration of the project are carried out with the help of various teams aggressively testing whether the product meets the system requirements specified in the system documentation.

6. Maintenance:

• After the implementation of the security program, it must be ensured that it is functioning properly and is managed accordingly.

• The security program must be kept up to date in order to counter new threats that may not have been foreseen at the time of design.
Advantages:

• Improved security: By following the SSDLC, organizations can ensure that their information security systems are developed, maintained and retired in a controlled and structured manner, which can help to improve overall security.

• Compliance: The SSDLC can help organizations to meet compliance requirements, by ensuring that security controls are implemented to meet relevant regulations.

• Risk management: The SSDLC provides a structured and controlled approach to managing information security risks, which can help to identify and mitigate potential risks.

• Better project management: The SSDLC provides a structured and controlled approach to managing information security projects, which can help to improve project management and reduce risks.

• Increased efficiency: By following the SSDLC, organizations can ensure that their resources are used efficiently, by ensuring that the development, maintenance and retirement of information security systems is planned and managed in a consistent and controlled manner.

Disadvantages of using the SSDLC framework include:

• Cost: Implementing the SSDLC framework can be costly, as it may require additional resources, such as security experts, to manage the process.

• Time-consuming: The SSDLC is a cyclical process that involves multiple phases, which can be time-consuming to implement.

• Complexity: The SSDLC process can be complex, especially for organizations that have not previously used this framework.

• Inflexibility: The SSDLC is a structured process, which can make it difficult for organizations to respond quickly to changing security needs.

• Limited adaptability: The SSDLC is a predefined process that is not adaptable to new technologies; it may require updating or revising to accommodate new technology.
