Lesson 1 Introduction To Information Security

This document provides an introduction to information security, including its history, key concepts, and professionals involved. It discusses how information security evolved from physical security of computers to include data security and limiting unauthorized access. The document outlines the security systems development life cycle process, including investigation, analysis, design, implementation, and maintenance phases. It emphasizes that information security requires a balance between protection and access. Finally, it describes the roles of various security professionals, including the CIO, CISO, and information security project team members.


Introduction to Information Security
Objectives
• Understand the definition of information security
• Comprehend the history of computer security and how it evolved into information security
• Understand the key terms and concepts of information security
• Outline the phases of the security systems development life cycle
• Understand the roles of professionals involved in information security within an organization
Introduction

• Information security: a “well-informed sense of assurance that the information risks and controls are in balance.” —Jim Anderson, Inovant (2002)
The History of Information Security

• Began immediately after the first mainframes were developed
• Groups developing code-breaking computations during World War II created the first modern computers
• Physical controls were used to limit access to sensitive military locations to authorized personnel
• These controls were rudimentary in defending against physical theft, espionage, and sabotage
The 1960s
• Advanced Research Procurement Agency (ARPA) began to examine feasibility of redundant networked communications
• Larry Roberts developed ARPANET from its inception

The 1970s and 80s

• ARPANET grew in popularity as did its potential for misuse
• Fundamental problems with ARPANET security were identified:
  • No safety procedures for dial-up connections to ARPANET
  • Non-existent user identification and authorization to the system
• Late 1970s: the microprocessor expanded computing capabilities and security threats
R-609

• Information security began with Rand Report R-609 (the paper that started the study of computer security)
• Scope of computer security grew from physical security to include:
  • Safety of data
  • Limiting unauthorized access to data
  • Involvement of personnel from multiple levels of an organization
The 1990s
• Networks of computers became more common; so too did the need to interconnect networks
• Internet became first manifestation of a global network of networks
• In early Internet deployments, security was treated as a low priority
The Present
• The Internet brings millions of computer networks into communication with each other—many of them unsecured
• Ability to secure a computer’s data is influenced by the security of every computer to which it is connected
What is Security?

• “The quality or state of being secure—to be free from danger”
• A successful organization should have multiple layers of security in place:
  • Physical security
  • Personal security
  • Operations security
  • Communications security
  • Network security
  • Information security
What is Information Security?

• The protection of information and its critical elements, including systems and hardware that use, store, and transmit that information
• Necessary tools: policy, awareness, training, education, technology
• C.I.A. triangle was the standard, based on confidentiality, integrity, and availability
• C.I.A. triangle now expanded into a list of critical characteristics of information
Critical Characteristics of Information

• The value of information comes from the characteristics it possesses:
  • Availability
  • Accuracy
  • Authenticity
  • Confidentiality
  • Integrity
  • Utility
  • Possession
Critical Characteristics of Information
• Availability - allows users to access the information in the required format, without interruption or obstruction.
• Accuracy - free from error or mistake and having the value desired by the end-user.
• Authenticity - the information is the original, as it was created, placed, stored, or transferred.
• Confidentiality - the quality or state of avoiding disclosure or access to unauthorized individuals or systems.
• Integrity - the quality or state of being whole, complete, and uncorrupted.
• Utility - the quality or state of having value for a specific purpose.
• Possession - the quality or state of ownership or control of a particular object or item.
NSTISSC Security Model
Figure 1-4 – NSTISSC Security Model
Components of an Information System

• Information System (IS) is the entire set of software, hardware, data, people, procedures, and networks necessary to use information as a resource in the organization
Figure 1-5 – Subject and Object of Attack
Securing Components

• Computer can be the subject of an attack and/or the object of an attack
• When the subject of an attack, the computer is used as an active tool to conduct the attack
• When the object of an attack, the computer is the entity being attacked
Balancing Information Security and Access
• Impossible to obtain perfect security—it is a process, not an absolute
• Security should be considered a balance between protection and availability
• To achieve balance, the level of security must allow reasonable access, yet protect against threats
Figure 1-6 – Balancing Security and Access
Approaches to Information Security Implementation: Bottom-Up Approach
• Grassroots effort: systems administrators attempt to improve security of their systems
• Key advantage: technical expertise of individual administrators
• Seldom works, as it lacks a number of critical features:
  • Participant support
  • Organizational staying power
Approaches to Information Security Implementation: Top-Down Approach

• Initiated by upper management
  • Issue policy, procedures and processes
  • Dictate goals and expected outcomes of the project
  • Determine accountability for each required action
• The most successful also involve a formal development strategy referred to as the systems development life cycle
The Systems Development Life Cycle
• Systems development life cycle (SDLC) is a methodology and design for implementation of information security within an organization
• Methodology is a formal approach to problem-solving based on a structured sequence of procedures
• Using a methodology
  • ensures a rigorous process
  • avoids missing steps
• Goal is creating a comprehensive security posture/program
• Traditional SDLC consists of six general phases
The Security Systems Development Life Cycle
• The same phases used in the traditional SDLC may be adapted to support the specialized implementation of an IS project
• Identification of specific threats and creation of controls to counter them
• SecSDLC is a coherent program rather than a series of random, seemingly unconnected actions
Investigation Phase
• Identifies process, outcomes, goals, and constraints of the project
• Begins with enterprise information security policy
• Organizational feasibility analysis is performed
Analysis Phase
• Documents from the investigation phase are studied
• Analyzes existing security policies or programs, along with documented current threats and associated controls
• Includes analysis of relevant legal issues that could impact the design of the security solution
• The risk management task begins

Logical Design Phase
• Creates and develops blueprints for information security
• Incident response actions planned:
  • Continuity planning
  • Incident response
  • Disaster recovery
• Feasibility analysis to determine whether the project should continue or be outsourced
Physical Design Phase
• Needed security technology is evaluated, alternatives generated, and final design selected
• At the end of the phase, a feasibility study determines the readiness of the organization for the project
Implementation Phase
• Security solutions are acquired, tested, implemented, and tested again
• Personnel issues evaluated; specific training and education programs conducted
• Entire tested package is presented to management for final approval
Maintenance and Change Phase
• Perhaps the most important phase, given the ever-changing threat environment
• Often, reparation and restoration of information is a constant duel with an unseen adversary
• Information security profile of an organization requires constant adaptation as new threats emerge and old threats evolve
Security Professionals and the Organization

• Wide range of professionals required to support a diverse information security program
• Senior management is a key component; also, additional administrative support and technical expertise are required to implement the details of the IS program
Security Professionals and the Organization
Senior Management
• Chief Information Officer (CIO)
  • Senior technology officer
  • Primarily responsible for advising senior executives on strategic planning
• Chief Information Security Officer (CISO)
  • Primarily responsible for assessment, management, and implementation of IS in the organization
  • Usually reports directly to the CIO
Security Professionals and the Organization
Information Security Project Team
A number of individuals who are experienced in one or more facets of technical and non-technical areas:
• Champion
• Team leader
• Security policy developers
• Risk assessment specialists
• Security professionals
• Systems administrators
• End users
Security Professionals and the Organization

Information Security Project Team

• Champion - a senior executive who supports the project and guarantees its financial as well as administrative support at the organization’s highest level.

• Team leader - a project manager, who may be a departmental line manager or staff unit manager, who knows the technical aspects of project management, personnel management, and information security.

• Security policy developers - people who understand the organizational culture, strategies and policies for effective policy creation and implementation.

• Risk assessment specialists - people who understand the principles of financial risk assessment, the importance of organizational assets, and the methods of security to be used.
Security Professionals and the Organization

Information Security Project Team

• Security professionals - committed, skilled, and well-educated experts from both technical and non-technical standpoints in all areas of information security.

• Systems administrators - persons primarily responsible for managing the systems which house the information used by the organization.

• End users - those whom the new system will most significantly impact. Ideally, a variety of users from different departments, levels and degrees of technical expertise help the team focus on applying practical controls in ways that do not interfere with the critical business activities they aim to safeguard.
Data Ownership
• Data Owner: responsible for the security and use of a particular set of information
• Data Custodian: responsible for storage, maintenance, and protection of information
• Data Users: end users who work with information to perform their daily jobs supporting the mission of the organization
Communities Of Interest

• Group of individuals united by similar interests/values in an organization
  • Information Security Management and Professionals
  • Information Technology Management and Professionals
  • Organizational Management and Professionals

Key Terms
• Access
• Asset
• Attack
• Control, Safeguard or Countermeasure
• Exploit
• Exposure
• Hacking
• Object
• Risk
• Security Blueprint
• Security Model
• Security Posture or Security Profile
• Subject
• Threats
• Threat Agent
• Vulnerability
Summary

• Information security is a “well-informed sense of assurance that the information risks and controls are in balance.”
• Computer security began immediately after the first mainframes were developed
• Successful organizations have multiple layers of security in place: physical, personal, operations, communications, network, and information.
• Security should be considered a balance between protection and availability
• Information security must be managed similar to any major system implemented in an organization, using a methodology like SecSDLC
END OF LESSON
