Information Security Unit 1

This document discusses information security and key concepts related to protecting information. It describes information security as providing assurance that information risks and controls are balanced. It outlines multiple layers of security including physical, personnel, operations, communications, network, and information security. The document also discusses the McCumber Cube model for evaluating information system security across technical, programmatic, and operational dimensions.

Information Security

• According to James Anderson, executive consultant at Emagined Security, Inc., information security in an enterprise is a “well-informed sense of assurance that the information risks and controls are in balance.”
What is Security
• Security is “the quality or state of being secure—to be free from danger.”
• In other words, protection against adversaries—from those who would do harm, intentionally or otherwise—is the objective.
Security concepts
A successful organization should have the following multiple layers of security in place to protect its operations:
• Physical security, to protect physical items, objects, or areas from unauthorized access and misuse
• Personnel security, to protect the individual or group of individuals who are authorized to access the organization and its operations
• Operations security, to protect the details of a particular operation or series of activities
• Communications security, to protect communications media, technology, and content
• Network security, to protect networking components, connections, and contents
• Information security, to protect the confidentiality, integrity and availability of information assets, whether in storage, processing, or transmission. It is achieved via the application of policy, education, training and awareness, and technology.
Critical Characteristics of Information
• Availability enables authorized users—persons or computer systems—to access information without interference or obstruction and to receive it in the required format.
• Information has accuracy when it is free from mistakes or errors and it has the value that the end user expects.
• Authenticity of information is the quality or state of being genuine or original, rather than a reproduction or fabrication.
• Information has confidentiality when it is protected from disclosure or exposure to unauthorized individuals or systems.
• Information has integrity when it is whole, complete, and uncorrupted.
• The utility of information is the quality or state of having value for some purpose or end. Information has value when it can serve a purpose.
• The possession of information is the quality or state of ownership or control
CNSS/NSTISSC Security Model
This document presents a comprehensive information security model and has become a widely accepted evaluation standard for the security of information systems.
The model, created by John McCumber in 1991, provides a graphical representation of the architectural approach widely used in computer and information security; it is now known as the McCumber Cube.
McCumber Cube
• To ensure system security, each of the 27 areas must be properly addressed during the security process.
• For example, the intersection between technology, integrity, and storage requires a control or safeguard that addresses the need to use technology to protect the integrity of information while in storage.
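The 27 areas are the cells of a 3 × 3 × 3 cube: three goals (confidentiality, integrity, availability) × three information states (storage, processing, transmission) × three kinds of safeguard (technology, policy and practice, education/training/awareness, as named on the earlier slide). A practical use of the model is a gap analysis: tag every control in an inventory with the cells it addresses and list the cells nothing covers. The script below is an added example, not part of the slides; the control inventory in it is constructed for a hypothetical organization, and the short axis labels "policy" and "education" are this example's abbreviations.

```python
from itertools import product

# The three axes of the McCumber Cube as presented in the slides.  "policy"
# abbreviates "policy and practice"; "education" abbreviates "education,
# training and awareness".
GOALS = ("confidentiality", "integrity", "availability")
STATES = ("storage", "processing", "transmission")
MEASURES = ("technology", "policy", "education")

AXES = {"goal": GOALS, "state": STATES, "measure": MEASURES}

# All 27 cells; the model says each must be addressed by some safeguard.
ALL_CELLS = frozenset(product(GOALS, STATES, MEASURES))


def _axis_values(control, axis):
    """Return the values a control covers on one axis.

    A control may name a single value (string) or several (sequence), so a
    company-wide awareness programme can cover all three goals at once.
    Unknown axis values are rejected rather than silently dropped.
    """
    raw = control[axis]
    values = (raw,) if isinstance(raw, str) else tuple(raw)
    for value in values:
        if value not in AXES[axis]:
            raise ValueError(f"{control['name']!r}: unknown {axis} {value!r}")
    return values


def cells_for(control):
    """Expand one control into the set of cube cells it addresses."""
    return set(product(*(_axis_values(control, axis) for axis in ("goal", "state", "measure"))))


def coverage(controls):
    """Map each covered cell to the names of the controls that address it."""
    report = {}
    for control in controls:
        for cell in cells_for(control):
            report.setdefault(cell, []).append(control["name"])
    return report


def uncovered_cells(controls):
    """Cells that no control addresses, sorted for stable output."""
    return sorted(ALL_CELLS - set(coverage(controls)))


# Constructed sample inventory for a hypothetical organization (not from the slides).
SAMPLE_CONTROLS = [
    {"name": "Full-disk encryption on endpoints",
     "goal": "confidentiality", "state": "storage", "measure": "technology"},
    {"name": "TLS for all service-to-service traffic",
     "goal": ("confidentiality", "integrity"), "state": "transmission", "measure": "technology"},
    {"name": "Data classification and handling policy",
     "goal": "confidentiality", "state": STATES, "measure": "policy"},
    {"name": "Security awareness training for all staff",
     "goal": GOALS, "state": "processing", "measure": "education"},
    {"name": "Nightly backups with restore testing",
     "goal": "availability", "state": "storage", "measure": "technology"},
    {"name": "Change-management procedure for production systems",
     "goal": "integrity", "state": "processing", "measure": "policy"},
]

if __name__ == "__main__":
    gaps = uncovered_cells(SAMPLE_CONTROLS)
    print(f"{len(ALL_CELLS) - len(gaps)} of {len(ALL_CELLS)} cells covered; {len(gaps)} gaps:")
    for goal, state, measure in gaps:
        print(f"  {goal:15} {state:12} {measure}")
```

Run against the sample inventory, the report shows 11 cells covered and 16 gaps, among them the slide's own example cell (integrity, storage, technology): nothing in the constructed list protects stored data's integrity with a technical control, which is exactly the kind of omission the cube is meant to surface.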
Components of IS
• Software
• Hardware
• Data
• People
• Procedures
• Networks
Balancing IS and Access
• Information security cannot be absolute: it is a process, not a goal.
• To achieve balance—that is, to operate an information system that satisfies the user and the security professional—the security level must allow reasonable access, yet protect against threats.
System Development Life Cycle
• The systems development life cycle (SDLC) is a methodology for the design and implementation of an information system.
• A methodology is a formal approach to solving a problem by means of a structured sequence of procedures.
• The traditional SDLC consists of six general phases.
Phases of SDLC
• Investigation
The investigation phase begins with an examination of the event or plan that initiates the process. During the investigation phase, the objectives, constraints, and scope of the project are specified.
• Analysis
This phase consists primarily of assessments of the organization, its current systems, and its capability to support the proposed systems.
• Logical Design
The logical design is the blueprint for the desired solution. The logical design is implementation-independent, meaning that it contains no reference to specific technologies, vendors, or products. Instead, it defines how the proposed system will solve the problem at hand.
• Physical Design
Specific technologies are selected to support the alternatives identified and evaluated in the logical design.
• Implementation
Needed software is created. Components are ordered, received, and tested. Afterward, users are trained and supporting documentation created.
• Maintenance and Change
This phase consists of the tasks necessary to support and modify the system for the remainder of its useful life cycle. At periodic points, the system is tested for compliance and the feasibility of continuance versus discontinuance is evaluated. When a current system can no longer support the evolving mission of the organization, the project is terminated and a new project is implemented.
Security Systems Development Life Cycle
• The SecSDLC is also a trial-and-error process.
• The SecSDLC unifies the SDLC process and makes it a coherent program rather than a series of random, seemingly unconnected actions.
