Information Security

and Management
COURSE OVERVIEW
This course focuses on the managerial aspects of information security and assurance. Topics covered
include access control models, information security governance, and information security program assessment
and metrics. Coverage on the foundational and technical components of information security is included to
reinforce key concepts. The course includes up-to-date information on changes in the field, such as national
and international laws and international standards like the ISO 27000 series.

COURSE OUTCOMES
At the end of the course, the students should be able to:

1. Identify and prioritize information assets, identify and prioritize threats to information assets.
2. Define information security strategy and architecture.
3. Plan for and respond to intruders in an information system.
4. Describe legal and public relations implications of security and privacy issues.
5. Present a disaster recovery plan for recovery of information assets after an incident

Module 1: Introduction to Information Security

Learning Outcomes:
At the end of the module, the students are able to:
• Define information security
• Recount the history of computer security, and explain how it evolved into information security
• Define key terms and critical concepts of information security
• List the phases of the security systems development life cycle
• Describe the information security roles of professionals within an organization

Introduction

James Anderson, executive consultant at Emagined Security, Inc., believes information security in an
enterprise is a “well-informed sense of assurance that the information risks and controls are in balance.” He is
not alone in his perspective. Many information security practitioners recognize that aligning information
security needs with business objectives must be the top priority.

The History of Information Security

The history of information security begins with the concept of computer security. The need for computer
security arose during World War II when the first mainframe computers were developed and used to aid
computations for communication code breaking, as shown in Figure 1-1. Multiple levels of security were
implemented to protect these devices and the missions they served. This required new processes as well as
tried-and-true methods needed to maintain data confidentiality. Access to sensitive military locations, for
example, was controlled by means of badges, keys, and the facial recognition of authorized personnel by
security guards. The growing need to maintain national security eventually led to more complex and
technologically sophisticated computer security safeguards.
What Is Security?

Security is protection. Protection from adversaries—those who would do harm, intentionally or

otherwise—is the ultimate objective of security. National security, for example, is a multilayered system that
protects the sovereignty of a state, its assets, its resources, and its people. Achieving the appropriate level of
security for an organization also requires a multifaceted system. A successful organization should have multiple
layers of security in place to protect its operations, physical infrastructure, people, functions, communications,
and information.

The Committee on National Security Systems (CNSS) defines information security as the protection of
information and its critical elements, including the systems and hardware that use, store, and transmit the
information.11 Figure 1-5 shows that information security includes the broad areas of information security
management, data security, and network security. The CNSS model of information security evolved from a
concept developed by the computer security industry called the C.I.A. triangle. The C.I.A. triangle (see Figure 1-
6) has been the standard for computer security in both industry and government since the development of the
mainframe. This standard is based on the three characteristics of information that give it value to organizations:
confidentiality, integrity, and availability.
 C.I.A Triad Principle

Confidentiality, integrity and availability, also known as the CIA triad, is a model designed to
guide policies for information security within an organization. The model is also sometimes referred
to as the AIC triad (availability, integrity and confidentiality) to avoid confusion with the Central
Intelligence Agency.

Confidentiality is roughly equivalent to privacy. Measures undertaken to ensure

confidentiality are designed to prevent sensitive information from reaching the wrong people while
making sure that authorized people can access it. It is common for data to be categorized according
to the amount and type of damage that could be done should it fall into unintended hands. More or
less stringent measures can then be implemented according to those categories.

Integrity involves maintaining the consistency, accuracy, and trustworthiness of data over its
entire life cycle. Data must not be changed in transit, and steps must be taken to ensure that data
cannot be altered by unauthorized people (for example, in a breach of confidentiality). These
measures include file permissions and user access controls. Version control may be used to prevent
erroneous changes or accidental deletion by authorized users from becoming a problem.

Availability is best ensured by rigorously maintaining all hardware, performing hardware

repairs immediately when needed and maintaining a correctly functioning operating system
environment that is free of software conflicts. It’s also important to keep current with all necessary
system upgrades. Providing adequate communication bandwidth and preventing the occurrence of
bottlenecks are equally important. Redundancy, failover, RAID even high-availability clusters can
mitigate serious consequences when hardware issues do occur.

Key Information Security Concepts

This module uses many terms and concepts that are essential to any discussion of information security.
Some of these terms are illustrated in Figure 1-7; all are covered in greater detail in subsequent modules.
Access A subject or object’s ability to use, manipulate, modify, or affect another subject or object.
Authorized users have legal access to a system, whereas hackers must gain illegal access to a system.
Access controls regulate this ability.

Asset The organizational resource that is being protected. An asset can be logical, such as a Web site,
software information, or data; or an asset can be physical, such as a person, computer system,
hardware, or other tangible object. Assets, particularly information assets, are the focus of what
security efforts are attempting to protect.

Attack An intentional or unintentional act that can damage or otherwise compromise information
and the systems that support it. Attacks can be active or passive, intentional or unintentional, and
direct or indirect. Someone who casually reads sensitive information not intended for his or her use
is committing a passive attack. A hacker attempting to break into an information system is an
intentional attack. A lightning strike that causes a building fire is an unintentional attack. A direct
attack is perpetrated by a hacker using a PC to break into a system. An indirect attack is a hacker
compromising a system and using it to attack other systems—for example, as part of a botnet (slang
for robot network).

Control, safeguard, or countermeasure Security mechanisms, policies, or procedures that can

successfully counter attacks, reduce risk, resolve vulnerabilities, and otherwise improve security
within an organization.

Exploit A technique used to compromise a system. This term can be a verb or a noun. Threat agents
may attempt to exploit a system or other information asset by using it illegally for their personal gain.
Or, an exploit can be a documented process to take advantage of a vulnerability or exposure, usually
in software, that is either inherent in the software or created by the attacker.

Exposure A condition or state of being exposed; in information security, exposure exists when a
vulnerability is known to an attacker.

Loss A single instance of an information asset suffering damage or destruction, unintended or

unauthorized modification or disclosure, or denial of use. When an organization’s information is
stolen, it has suffered a loss.

Protection profile or security posture The entire set of controls and safeguards, including policy,
education, training and awareness, and technology, that the organization implements to protect the
asset. The terms are sometimes used interchangeably with the term security program, although a
security program often comprises managerial aspects of security, including planning, personnel, and
subordinate programs.

Risk The probability of an unwanted occurrence, such as an adverse event or loss. Organizations
must minimize risk to match their risk appetite—the quantity and nature of risk they are willing to
accept.

Subjects and objects A computer can be either the subject of an attack—an agent entity used to
conduct the attack—or the object of an attack: the target entity, as shown in Figure 1-8. A computer
can also be both the subject and object of an attack. For example, it can be compromised by an attack
(object) and then used to attack other systems (subject).
 Threat a category of objects, people, or other entities that represents a danger to an asset.
Threats are always present and can be purposeful or undirected. For example, hackers purposefully
threaten unprotected information systems, while severe storms incidentally threaten buildings and
their contents.

Threat agent the specific instance or a component of a threat. For example, the threat of “trespass
or espionage” is a category of potential danger to information assets, while “external professional
hacker” (like Kevin Mitnick, who was convicted of hacking into phone systems) is a specific threat
agent. A lightning strike, hailstorm, or tornado is a threat agent that is part of the threat known as
“acts of God/acts of nature.”

Vulnerability A weakness or fault in a system or protection mechanism that opens it to attack or

damage. Some examples of vulnerabilities are a flaw in a software

Critical Characteristics of Information

The value of information comes from the characteristics it possesses. When a characteristic of information
changes, the value of that information either increases or, more commonly, decreases. Some characteristics
affect information’s value to users more than others, depending on circumstances. For example, timeliness of
information can be a critical factor because information loses much or all of its value when delivered too late.

Availability enables authorized users—people or computer systems—to access information

without interference or obstruction and to receive it in the required format. Consider, for example,
research libraries that require identification before entrance. Librarians protect the contents of the
library so that they are available only to authorized patrons. The librarian must accept a patron’s
identification before the patron has free access to the book stacks. Once authorized patrons have
access to the stacks, they expect to find the information they need in a usable format and familiar
language. In this case, the information is bound in a book that is written in English.

Accuracy Information has accuracy when it is free from mistakes or errors and has the value that
the end user expects. If information has been intentionally or unintentionally modified, it is no longer
accurate. Consider a checking account, for example. You assume that the information in your account
is an accurate representation of your finances. Incorrect information in the account can result from
external or internal errors. If a bank teller, for instance, mistakenly adds or subtracts too much
money from your account, the value of the information is changed. Or, you may accidentally enter an
incorrect amount into your account register. Either way, an inaccurate bank balance could cause you
to make other mistakes, such as bouncing a check.
 Authenticity of information is the quality or state of being genuine or original, rather than a
reproduction or fabrication. Information is authentic when it is in the same state in which it was
created, placed, stored, or transferred. Consider for a moment some common assumptions about e-
mail.

Confidentiality Information has confidentiality when it is protected from disclosure or exposure to

unauthorized individuals or systems. Confidentiality ensures that only users with the rights and
privileges to access information are able to do so. When unauthorized individuals or systems can
view information, confidentiality is breached. To protect the confidentiality of information, you can
use several measures, including the following:
• Information classification
• Secure document storage
• Application of general security policies
• Education of information custodians and end users

Integrity Information has integrity when it is whole, complete, and uncorrupted. The integrity of
information is threatened when it is exposed to corruption, damage, destruction, or other disruption
of its authentic state. Corruption can occur while information is being stored or transmitted. Many
computer viruses and worms are designed with the explicit purpose of corrupting data.

Utility The utility of information is the quality or state of having value for some purpose or end. In
other words, information has value when it can serve a purpose. If information is available but is not
in a meaningful format to the end user, it is not useful.

Possession The possession of information is the quality or state of ownership or control. Information
is said to be in one’s possession if one obtains it, independent of format or other characteristics. While
a breach of confidentiality always results in a breach of possession, a breach of possession does not
always lead to a breach of confidentiality.

Discussions:
• Security means safeguarding the things that has significant value to people. It could be a property
or something that has sentimental value. It could be tangible or intangible. Similar to computer
systems, even the basic computer system needs to be secured since it may contain important and
confidential data.
• Asset value can be determined based on the item’s characteristic; it can be by its size, weight,
antiquity, rareness and uniqueness. It could be an information that provides continuous growth to
an organization.
• Being vulnerable is being weak; such weakness may to lead to abuse or exploitation that might
compromise the well-being and security of an entity.
• Threats are acting agents or events that can significant harm to a computer system. Threats can be
man-made or natural disasters.
• An attack is intentional act of compromising and exploiting the weakness of a computer system.
Hacking is the common known computer attacks.
• To minimize or to lessen that weakness of a system requires strict mitigation control.
• Confidentiality simply states that computer system’s data must not be disclosed to unauthorized
user or personnel in the organization. This principle ensures that data in the computer system are
free from public disclosure.
• Integrity, this principle states that data in the computer system must remain accurate, exact and
free from unauthorized modifications or alterations.
• Availability simply means that the data and other resources in computing environment of an
organization must always be available to the user.
ACVITIY 1.1 – INFORMATION SECURITY
Instructions:
A. Discuss the CIA Triad Principle
B. Discuss each Critical Characteristics of Information.

Notes:

• Use the activity sheet provided in NEO LMS.

• Check for plagiarism. Scan your answers at https://plagiarismdetector.net/
o Acceptance Rating: 80% to 100% Uniqueness.
o Include the “Screen Shot” of the result in the activity sheet.
o Activities without plagiarism scan report will not be accepted.
• Submit the activity in google drive in PDF Format:
o Filename: MOD1-ACT1-ITSM -INITIALS
• Five (5) points deductions will be given to each submission protocol violations:
i. Not using of activity worksheets.
ii. Incorrect Filenames Format: ACTIVITY-TITLE-INITIALS.PDF
iii. Any similar outputs or "Copy and Paste" from the internet will be marked as
CHEATING and will be graded ZERO (0).
iv. Late Submission

Components of an Information System

As shown in Figure 1-10, an information system (IS) is much more than computer hardware; it is the entire
set of people, procedures, and technology that enable business to use information. The six critical components
of hardware, software, networks, people, procedures, and data enable information to be input, processed,
output, and stored. Each of these IS components has its own strengths and weaknesses, as well as its own
characteristics and uses. Each component of the information system also has its own security requirements.

Software The software component of an IS includes applications, operating systems, and assorted
command utilities. Software is perhaps the most difficult IS component to secure. The exploitation of
errors in software programming accounts for a substantial portion of the attacks on information. The
information technology industry is rife with reports warning of holes, bugs, weaknesses, or other
fundamental problems in software. In fact, many facets of daily life are affected by buggy software,
from smartphones that crash to flawed automotive control computers that lead to recalls.

Hardware is the physical technology that houses and executes the software, stores and transports
the data, and provides interfaces for the entry and removal of information from the system. Physical
security policies deal with hardware as a physical asset and with the protection of physical assets
from harm or theft. Applying the traditional tools of physical security, such as locks and keys, restricts
access to and interaction with the hardware components of an information system. Securing the
physical location of computers and the computers themselves is important because a breach of
physical security can result in a loss of information. Unfortunately, most information systems are
built on hardware platforms that cannot guarantee any level of information security if unrestricted
hardware access is possible.

Data stored, processed, and transmitted by a computer system must be protected. Data is often the
most valuable asset of an organization and therefore is the main target of intentional attacks. Systems
developed in recent years are likely to make use of database management systems. When used
properly, they should improve the security of the data and the applications that rely on the data.
Unfortunately, many system development projects do not make full use of the database management
 system’s security capabilities, and in some cases the database is implemented in ways that make
them less secure than traditional file systems
People Though often overlooked in computer security considerations, people have always been a
threat to information security. Legend has it that around 200 B.C., a great army threatened the
security and stability of the Chinese empire. So ferocious were the Hun invaders that the Chinese
emperor commanded the construction of a great wall that would defend against them. Social
engineering can prey on the tendency to cut corners and the commonplace nature of human error. It
can be used to manipulate people to obtain access information about a system.

Procedures are another frequently overlooked component of an IS. Procedures are written
instructions for accomplishing a specific task. When an unauthorized user obtains an organization’s
procedures, it poses a threat to the integrity of the information. Most organizations distribute
procedures to employees so they can access the information system, but many of these companies
often fail to provide proper education for using the procedures safely. Educating employees about
safeguarding procedures is as important as physically securing the information system.

Networks Networking is the IS component that created much of the need for increased computer
and information security. When information systems are connected to each other to form local area
networks (LANs), and these LANs are connected to other networks such as the Internet, new security
challenges rapidly emerge. The physical technology that enables network functions is becoming
more accessible to organizations of every size. Applying the traditional tools of physical security,
such as locks and keys, to restrict access to the system’s hardware components is still important.
However, when computer systems are networked, this approach is no longer enough. Steps to
provide network security are essential, as is implementing alarm and intrusion systems to make
system owners aware of ongoing compromises.

Balancing Information Security and Access

Even with the best planning and implementation, it is impossible to obtain perfect information security.
Recall James Anderson’s statement from the beginning of this module, which emphasizes the need to balance
security and access. Information security cannot be absolute: it is a process, not a goal. You can make a system
available to anyone, anywhere, anytime, through any means.

To achieve balance—that is, to operate an information system that satisfies the user and the security
professional—the security level must allow reasonable access, yet protect against threats. Figure 1-11 shows
some of the competing voices that must be considered when balancing information security and access.
Approaches to Information Security Implementation
The implementation of information security in an organization must begin somewhere, and cannot
happen overnight. Securing information assets is an incremental process that requires coordination, time, and
patience. Information security can begin as a grassroots effort in which systems administrators attempt to
improve the security of their systems. This is often referred to as a bottom-up approach. The key advantage of
the bottom-up approach is the technical expertise of individual administrators. By working with information
systems on a day-to-day basis, these administrators possess in-depth knowledge that can greatly enhance the
development of an information security system.

The top-down approach has a higher probability of success. With this approach, the project is initiated by
upper-level managers who issue policies, procedures, and processes; dictate the goals and expected outcomes;
and determine accountability for each required action. This approach has strong upper-management support,
a dedicated champion, usually dedicated funding, a clear planning and implementation process, and the means
of influencing organizational culture.

The Systems Development Life Cycle

An SDLC is a methodology for the design and implementation of an information system. Using a methodology
ensures a rigorous process with a clearly defined goal and increases the probability of success. Once a
methodology has been adopted, the key milestones are established and a team is selected and made accountable
for accomplishing the project goals.

The traditional SDLC consists of six general phases. If you have taken a system analysis and design course, you
may have been exposed to a model consisting of a different number of phases. SDLC models range from three to
twelve phases, all of which have been mapped into the six presented here. The waterfall model pictured in Figure 1-
13 illustration.

A traditional form of the SDLC is not the only approach in widespread use. Other approaches to the
development process include iterative and incremental, the spiral method, rapid application development (RAD),
JAD, agile (extreme programming), V-shaped, and many other practices.
Investigation The first phase, investigation, is the most important. What problem is the system being
developed to solve? The investigation phase begins by examining the event or plan that initiates the
process. During this phase, the objectives, constraints, and scope of the project arespecified.

Analysis The analysis phase begins with the information gained during the investigation phase. This
phase consists primarily of assessments of the organization, its current systems, and its capability to
support the proposed systems. Analysts begin by determining what the new system is expected to
do and how it will interact with existing systems. This phase ends with documentation of the findings
and an update of the feasibility analysis.

Logical Design In the logical design phase, the information gained from the analysis phase is used to
begin creating a systems solution for a business problem. In any systems solution, the first and
driving factor must be the business need. Based on the business need, applications are selected to
provide needed services, and then the team chooses data support and structures capable of providing
the needed inputs. Finally, based on all of this, specific technologies are delineated to implement the
physical solution. The logical design, therefore, is the blueprint for the desired solution. The logical
design is implementation independent, meaning that it contains no reference to specific technologies,
vendors, or products.

Physical Design During the physical design phase, specific technologies are selected to support the
alternatives identified and evaluated in the logical design. The selected components are evaluated
based on a make-or-buy decision—the option to develop components in-house or purchase them
from a vendor.

Implementation In the implementation phase, any needed software is created. Components are
ordered, received, and tested. Afterward, users are trained and supporting documentation created.
Once all components are tested individually, they are installed and tested as a system.

Maintenance and Change The maintenance and change phase is the longest and most expensive of
the process. This phase consists of the tasks necessary to support and modify the system for the
remainder of its useful life cycle. Even though formal development may conclude during this phase,
the life cycle of the project continues until the team determines that the process should begin again
from the investigation phase.
Discussions:
• Information system (IS) The entire set of software, hardware, data, people, procedures, and
networks that enable the use of information resources in the organization
• Bottom-up approach a method of establishing security policies that begins as a grassroots effort
in which systems administrators attempt to improve the security of their systems. This method
starts from the lower management to the upper management of an organization.
• Top-down approach a methodology of establishing security policies that is initiated by upper
management. This method starts from the upper management to the lower management of an
organization.
• Security systems development life cycle (SecSDLC) a methodology for the design and
implementation of security systems based on the systems development life cycle. The two life
cycles contain the same general phases.
• Systems development life cycle (SDLC) a methodology for the design and implementation of an
information system. The SDLC contains different phases depending on the methodology deployed,
 but generally, the phases address the investigation, analysis, design, implementation, and
maintenance of an information system.
• Methodology A formal approach to solving a problem based on a structured sequence of
procedures.
• Waterfall model a type of SDLC in which each phase of the process “flows from” the information
gained in the previous phase, with multiple opportunities to return to previous phases and make
adjustments.

ACVITIY 1.2 – SDLC and SecSDLC

Instructions:
1. Complete the table below by providing the correct information peritem.
A. Provide sample activities that can be conducted in eachphases.
B. Give examples on how to provide security for the activities that you enumerated.

Notes:

• Use the activity sheet provided in NEO LMS.

• Check for plagiarism. Scan your answers at https://plagiarismdetector.net/
o Acceptance Rating: 80% to 100% Uniqueness.
o Include the “Screen Shot” of the result in the activity sheet.
o Activities without plagiarism scan report will not be accepted.
• Submit the activity in google drive in PDF Format:
o Filename: MOD1-ACT2-ITSM -INITIALS
• Five (5) points deductions will be given to each submission protocol violations:
i. Not using of activity worksheets.
ii. Incorrect Filenames Format: ACTIVITY-TITLE-INITIALS.PDF
iii. Any similar outputs or "Copy and Paste" from the internet will be marked as
CHEATING and will be graded ZERO (0).
iv. Late Submission

PHASES ACTIVITIES SECURITY

Investigation

Analysis

Logical Design

Physical Design

Implementation

Maintenance and Change

Security Professionals and the Organization

It takes a wide range of professionals to support a diverse information security program. As noted earlier
in this chapter, information security is best initiated from the top down. Senior management is the key
component and the vital force for a successful implementation of an information security program. However,
administrative support is also essential to developing and executing specific security policies and procedures,
and of course, technical expertise is essential to implementing the details of the information security program.
The following sections describe typical information security responsibilities of various professional roles in an
organization.
Senior Management

The senior technology officer is typically the chief information officer (CIO), although other titles
such as vice president of information, VP of information technology, and VP of systems may be used. The
CIO is primarily responsible for advising the chief executive officer, president, or company owner on
strategic planning that affects the management of information in the organization. The CIO translates the
strategic plans of the organization as a whole into strategic information plans for the information systems
or data processing division of the organization. Once this is accomplished, CIOs work with subordinate
managers to develop tactical and operational plans for the division and to enable planning and
management of the systems that support the organization

The chief information security officer (CISO) has primary responsibility for the assessment,
management, and implementation of information security in the organization. The CISO may also be
referred to as the manager for IT security, the security administrator, or by a similar title. The CISO usually
reports directly to the CIO, although in larger organizations, one or more layers of management might
exist between the two.

Information Security Project Team

The information security project team should consist of people who are experienced in one or
multiple facets of the required technical and nontechnical areas. Many of the same skills needed to manage
and implement security are also needed to design it. Members of the security project team fill the following
roles:
• Champion: A senior executive who promotes the project and ensures its support, both
financially and administratively, at the highest levels of the organization.
• Team leader: A project manager who may also be a departmental line manager or staff unit
manager, and who understands project management, personnel management, and
information security technical requirements.
• Security policy developers: People who understand the organizational culture, existing
policies, and requirements for developing and implementing successful policies.
• Risk assessment specialists: People who understand financial risk assessment techniques,
the value of organizational assets, and the security methods to be used.
• Security professionals: Dedicated, trained, and well-educated specialists in all aspects of
information security from both a technical and nontechnical standpoint.
• Systems administrators: People with the primary responsibility for administering systems
that house the information used by the organization.
• End users: Those whom the new system will most directly affect. Ideally, a selection of users
from various departments, levels, and degrees of technical knowledge assist the team in
focusing on the application of realistic controls that do not disrupt the essential business
activities they seek to safeguard.

Data Responsibilities

The three types of data ownership and their respective responsibilities are outlined below:

• Data owners: Members of senior management who are responsible for the security and use
of a particular set of information. The data owners usually determine the level of data
classification (discussed later), as well as the changes to that classification required by
organizational change. The data owners work with subordinate managers to oversee the
day-to-day administration of the data.
• Data custodians: Working directly with data owners, data custodians are responsible for
the information and the systems that process, transmit, and store it. Depending on the size
of the organization, this may be a dedicated position, such as the CISO, or it may be an
additional responsibility of a systems administrator or other technology manager. The
 duties of a data custodian often include overseeing data storage and backups, implementing
the specific procedures and policies laid out in the security policies and plans, and reporting
to the data owner
• Data users: Everyone in the organization is responsible for the security of data, so data
users are included here as individuals with an information security role

Discussions:
• Chief information officer (CIO) An executive-level position that oversees the organization’s
computing technology and strives to create efficiency in the processing and access of the
organization’s information.
• Chief information security officer (CISO) typically considered the top information security
officer in an organization. The CISO is usually not an executive-level position, and frequently the
person in this role reports to the CIO.
• Project team a small functional team of people who are experienced in one or multiple facets of
the required technical and nontechnical areas for the project to which they are assigned.
• Data custodians People who are responsible for the storage, maintenance, and protection of
information.
• Data owners People who own the information and thus determine the level of classification for
their data and approve its access authorization.
• Data users People who work with the information to perform their daily jobs and support the
mission of the organization.

ACVITIY 1.3 – FILM SHOWING

Instructions:
1. Watch the movie entitled “Die Hard 4 - Live Free or Die Hard”
2. After watching the movie, submit a reflection paper: 600 words minimum and 800 wordsmaximum.

Notes:

• Use the activity sheet provided in NEO LMS.

• Check for plagiarism. Scan your answers at https://plagiarismdetector.net/
o Acceptance Rating: 80% to 100% Uniqueness.
o Include the “Screen Shot” of the result in the activity sheet.
o Activities without plagiarism scan report will not be accepted.
• Submit the activity in google drive in PDF Format:
o Filename: MOD1-ACT3-ITSM -INITIALS
• Five (5) points deductions will be given to each submission protocol violations:
i. Not using of activity worksheets.
ii. Incorrect Filenames Format: ACTIVITY-TITLE-INITIALS.PDF
iii. Any similar outputs or "Copy and Paste" from the internet will be marked as
CHEATING and will be graded ZERO (0).
iv. Late Submission

Module Recap
• Information security evolved from the early field of computer security.
• Security is protection from danger. There are many types of security: physical security, personal
security, operations security, communications security, national security, and network security, to
name a few.
• Information security is the protection of information assets that use, store, or transmit information
 through the application of policy, education, and technology.
• The critical characteristics of information, including confidentiality, integrity, and availability (the
C.I.A. triangle), must be protected at all times. This protection is implemented by multiple measures
that include policies, education, training and awareness, and technology.
• Information systems are made up of the major components of hardware, software, data, people,
procedures, and networks.
• Upper management drives the top-down approach to security implementation, in contrast with the
bottom-up approach or grassroots effort, in which individuals choose security implementation
strategies.
• The traditional systems development life cycle (SDLC) is an approach to implementing a system in an
organization. It has been adapted to provide the outline of a security systems development life cycle
(SecSDLC).
• Software assurance is a methodological approach to the development of software that seeks to build
security into the development life cycle rather than address it at later stages.
 • Data owners, who are responsible for the security and use of a particular set of information
• Data custodians, who are responsible for the storage, maintenance, and protection of the information
• Data users, who work with the information to perform their daily jobs and support the mission of the
organization

Express your ideas

Based on the discussion, answer the following questions:
A. What are the three components of the C.I.A. triangle? What are they used for?
B. Describe the critical characteristics of information. How are they used in the study of computer
security?
C. Identify the six components of an information system. Which are most directly affected by the study
of computer security? Which are most commonly associated with its study?
D. Why is a methodology important in the implementation of information security? How does a
methodology improve the process?
E. Which members of an organization are involved in the security systems development life cycle? Who
leads the process?

Notes:

• Use the activity sheet provided in NEO LMS.

• Check for plagiarism. Scan your answers at https://plagiarismdetector.net/
o Acceptance Rating: 80% to 100% Uniqueness.
o Include the “Screen Shot” of the result in the activity sheet.
o Activities without plagiarism scan report will not be accepted.
• Submit the activity in google drive in PDF Format:
o Filename: MOD1-EXP-ITSM -INITIALS
• Five (5) points deductions will be given to each submission protocol violations:
i. Not using of activity worksheets.
ii. Incorrect Filenames Format: ACTIVITY-TITLE-INITIALS.PDF
iii. Any similar outputs or "Copy and Paste" from the internet will be marked as
CHEATING and will be graded ZERO (0).
iv. Late Submission

Reference
1. Michael E. Whitman and Herbert J. Mattord (2014). Principles of Information Security Fifth Edition,
Cengage Learning.