
Activities for Systems Security - Essay Example


Extract of sample "Activities for Systems Security"

Activity 1: a, b, and c

The advancement in the field of Information Technology has completely liberalized the way people communicate. Companies, organizations, and institutions of higher learning are among the largest beneficiaries of this technology change. In this regard, there is insatiable demand for both computer-related equipment and the basic internet infrastructure. As a consequence, a number of issues with respect to computer and data/information security are becoming imminent, coupled with the efficiency of these IT resources. It is therefore worth noting that computer systems security controls are important in today’s world of computing.

In the context of the case provided in this study, two X-Window computers, four PCs, and one Macintosh computer are provided to a group of thirty full-time postgraduate students. In terms of proportionality, these resources are in short supply as well as exclusively in the public domain. As mentioned earlier, the IT security issues of concern revolve around three main areas: physical, human, and electronic. Physical security comes into focus because the computer equipment and other resources may be stolen by the staff, students, and/or other employees within the institution. The human security issues revolve around the possibility of information security being sabotaged by the students, staff, and/or other technicians entrusted with custody or usage of such information. IT security from an electronic point of view relates to the probability of remote malicious attacks being propagated by cyber criminals.

In this regard, various information assets within the organization are a target of hackers: physical assets, human assets, and electronic assets. The physical assets are, for instance, the monitors, printers, flash discs, hard drives, CPU, and network cables, among others.
Human assets include the students, staff, or technicians, in particular from the IT department, who are entrusted with the custody or usage of information stored in the organization’s IT resources. The electronic assets include the specific and general software installed on the computers as well as information/data stored in back-up drives. In addition, information across the network is also critical and should be protected alongside the other assets.

Nevertheless, in order to institute proper information/computer security, it is important to be conversant with a number of common IT security terminologies, as explained below.

Threats – probable sources of an incident attack that may bring about adverse changes to an information asset.
Vulnerability – the weakness of information assets in terms of controlling or preventing attack by a threat.
Impact – a measure of the effect of an event.
Risk – the combination/integration of the likelihood of an event and its impact.
Control – ways of managing risk, including procedures, policies, practices, guidelines, and organizational structures or practices, which can be technical, administrative, legal, or management in nature.

For the information security policies instituted by an institution to succeed, it is necessary to liaise with all other relevant departments in the formulation of such policies. In particular, this should be done while drafting the business strategic plans. Besides, adoption of internationally recognized information security standards, for instance ISO 17799:2005 Code of Practice for Information Security Management, may come in handy.

Activity 2a

The rapid development in IT is characterized by the rampant emergence of cyber crime/attacks. Such crimes are propagated by hackers (Black and Grey or White) who pose as genuine users and thereby install malicious software remotely in the network system.
In carrying out such attacks, various tools, programs, and/or other means are used, which include botnets, Denial of Service attacks, spoofing, spamming, social engineering, phishing, worms, Trojans, and viruses, among others. Although different reasons for propagating cyber attacks prevail, the most common ones are, for instance, stealing trade secrets for financial gain, intentionally destroying data/information, slowing down the network system, and illegitimately spying on private communications over the computer network.

Activity 2b

Threats – probable sources of an incident attack that may bring about adverse changes to an information asset.
Vulnerability – the weakness of information assets in terms of controlling or preventing attack by a threat.

In the context of this case study, a number of vulnerabilities exist. The first is the lack of standardization or uniformity of the equipment used. Thus, there may be compatibility problems when information security policies and procedures are being implemented across the entire computer infrastructure. The second source of vulnerability is the lack of proper governance of the information assets, most of which are in the public domain. This may lead to a lack of accountability for their protection, incomplete/inaccurate asset inventories, and a lack of risk analysis and of security control design and implementation.

Activity 2c

Protect – the measures aimed at controlling incidences of attacks or events. This may be done by instituting security practices, procedures, and policies.
Detect – having in place ways of establishing the occurrence of threats and the impacts of any security breach. The information security system is capable of reporting any attacks on a timely basis as and when they occur.
React – the direct response of the security infrastructure to attacks by threats. Where the system is sufficiently configured, it treats/neutralizes the threats on the spot.

Activity 2d and e

Nowadays, one of the most applicable international information security standards is the ISO 17799:2005 Code of Practice for Information Security Management. Others are, for instance, ISO/IEC 27001:2005 and ISO/IEC 27011:2008, Information technology – Security techniques – Information security management guidelines for telecommunications organizations based on ISO/IEC 27002.

Activity 3a

A probable damage an internal security threat can cause an organization is, for instance, unauthorized access to the information system and subsequent manipulation of stored data/information, as well as distribution of such information to illegitimate users. This can be reduced by making use of cryptographic techniques to encrypt information not intended to be in the public domain. Besides, instituting rigorous validation/authentication procedures would come in handy in controlling unauthorized access.

Activity 3b

The aspects of the organization that require protection are the various information assets within the institution, and they include the human holdings, physical holdings, and electronic holdings.

Activity 3d

Most of the barriers to information security in today’s organizations depend on the type of industry, the organization culture, and the type of workforce within the organization. Where the employees resist technological change, it is not possible to successfully implement IT security policies. Besides, the management can contribute to such resistance when they fail to involve the entire workforce within the organization in formulating the IT security policies. Another barrier may result from financial problems that the organization may encounter in implementing and/or procuring the necessary security framework. Nevertheless, an organization can overcome such barriers by recruiting skilled individuals in the respective fields of security who will provide the necessary human capacity and thus improve the information security infrastructure.

Activity 4b

Existing vulnerabilities within this project are, for instance, the heterogeneity of students’ integrity, insufficient investment in relevant information security controls, and ignorance and idle curiosity on the part of users of information.

Activity 4c

In the context of this organization, a number of information security threats exist which may take advantage of security vulnerabilities, thus causing security incidents. One probable threat is the IT personnel, staff, and students who may sabotage information security, thereby destroying information/data stored in the computer system; others are unauthorized access to information/data and subsequent misuse/mis-configuration of the system’s security functions, installation of malicious programs, and quantum computing, among others.

Activity 4d

Risk determination phase – a six-step process that involves threat identification, identification of vulnerabilities, identifying current threat control measures, determining the likelihood of occurrence of threats, determining the severity of the resulting impact, and determining the risk level for each threat/vulnerability pair considering current control measures.

Activity 4e

The occurrence of security threats and/or incidences of attacks causes various security impacts, in most cases negative ones. Direct monetary losses result from theft or unauthorized modification of information/data and/or the computer equipment. Besides, the integrity and privacy of information/data is lost. In comparison, the organization may incur huge financial costs in the process of recovering stolen information/data and/or the equipment. It is for that reason that prevention of all these security threats is the best way to avoid the financial losses.
Nevertheless, a few security control measures can be employed by the organization in safeguarding its information system, and they include but are not limited to investing in a systematic and comprehensive Information Security Management System (for instance the ISO/IEC 27000-series and NIST SP800), system integrity controls, data integrity controls, data confidentiality controls, and information security awareness, training and education, among others.

Activity 6a

Disadvantages of threat prevention strategies include incurring huge financial costs in contracting expert knowledge and training the staff, and a complete overhaul of the current information system so as to render it compatible with the new information security system. Advantages of threat prevention strategies include improved system integrity controls, data integrity controls and data confidentiality, and efficient network/computer functionality.

Activity 6b

Advantages of disaster prevention strategies include safe protection of the information assets and prolonged life of the information resources. Disadvantages of disaster prevention strategies include huge financial costs in installing the necessary equipment, such as fire-proof and burglar-proof alarm systems, as well as in employing physical security personnel.

Activity 7b

Security resource encompasses techniques aimed at ensuring that a data/information asset within an information system cannot be accessed by an unauthorized individual and cannot be compromised.

Activity 7c

Consistent awareness, training and education of the personnel within an organization are necessary so as to ensure that they are up to date with advancements in technology. Any new techniques applicable in improving computer security are tapped at the onset.

Activity 8a

The planning theory offers insight into how the management can cope with issues of system security as and when they arise.
Besides, it offers a generic model for dealing with information security issues as well as viable approaches.

Activity 8b

Technical security standards are, for instance, the use of encryption algorithms (cryptography), password-based access control packages, logical access control systems, and sufficient naming of system resources (databases and files).

Activity 8c

Technical security planning should entail the following seven principles, which include:
1. Recognizing that information security planning is an integral part of the business strategy.
2. Information security impacts directly on the whole organization.
3. Enterprise risk management defines information security requirements.
4. Information security accountabilities need to be defined, documented, and acknowledged.
5. Information security must take into consideration internal and external stakeholders.
6. Information security needs understanding and commitment.

Activity 9a

In order to improve the current information security regime, a risk-based information security management needs to be done as illustrated below,

Activity 9b

For the information security plan and policies to succeed in safeguarding information assets/resources, they must be in line with various regulatory requirements as well as internationally recognized security standards, for instance ISO 17799, Information Technology Code of Practice for Information Security Management, and ACSI 33, Australian Government Information and Communication Technology Security Manual, as applicable.

Activity 9c

The baseline project plan for the new system security regime should encompass three phases based on risk assessment methodology:

System documentation – identification of information assets, which encompasses the system environment and special considerations as well as information sharing/system interconnection.
Risk determination phase – a six-step process that involves threat identification, identification of vulnerabilities, identifying current threat control measures, determining the likelihood of occurrence of threats, determining the severity of the resulting impact, and determining the risk level for each threat/vulnerability pair considering current control measures.
Safeguard determination – a 4-step process entailing identification of control measures aimed at reducing the risk level of a particular threat/vulnerability pair, determining the residual likelihood of threat occurrence when the recommended control measure is implemented, determining the residual impact severity of the existing vulnerabilities, and determining the overall residual risk level of the system.

Activity 9d

Internal stakeholders are, for instance, the employers and any other personnel within the organization. They need to be involved in information security decision making so that implementation of information security becomes successful. Besides, sensitive data relating to the employees/staff should be held in top secret by the organization.

Activity 9e

External stakeholders are of significant value to the organization and are, for instance, customers, suppliers and business partners. Information security decisions impact directly on them, and therefore they must be considered, based on the fact that the competitiveness and ultimate success of a business needs their commitment and support.
An organization should ensure that their interests are protected, that there is consistent data protection in the entire chain of supplies engaged in delivering products/services, and that trust is maintained between the community at large and the organization.

Activity 11a

For the information security plan and policies to succeed in safeguarding information assets/resources, they must be in line with various regulatory requirements as well as internationally recognized security standards, for instance ISO 17799, Information Technology Code of Practice for Information Security Management, and ACSI 33, Australian Government Information and Communication Technology Security Manual, as applicable.

Activity 11b

Industry hardware and software security products are in most cases manufactured and released by the relevant companies as service packs and/or security updates. For instance, Microsoft releases security updates for its Windows Operating System in the form of service packs, e.g. Service Pack 3 for Windows XP. Other software-based security products are, for instance, Norton Antivirus and Kaspersky, among others.

Activity 12a

Operational security requirements entail the daily security operation controls (processes and procedures), which cover personnel security, physical and environmental protection, production, input/output controls, response capabilities, and contingency planning; hardware, OS and system software maintenance controls; and data integrity/validation controls, documentation, and security awareness and training. The information security policy of the project organization should cover the entire operations of the organization and external parties connected to the organization’s network, third parties via which services are received or provided or for which office space has been provided within the organization’s premises as required, and the entire network infrastructure and IT resources without exception. Such security policy may be administrative, e.g. information security strategy, risk analysis, sanctions policy, and contingency plan; physical, e.g. facility access controls, facility security plan, and access control and validation procedures; or technical, e.g. access and audit controls, encryption and decryption, among others such as wireless security policy, remote access policy, and VPN policy.
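
The risk determination and safeguard determination phases described in Activity 9c can be worked through as a small risk register. This is an added example, not part of the original essay: the 1-3 rating scale, the risk bands, the individual ratings and the size of each safeguard's reduction are assumptions, and the threat/vulnerability pairs are constructed from the case study.

```python
from dataclasses import dataclass, field

ORDER = ["low", "medium", "high"]   # assumed three-point qualitative scale

def risk_level(likelihood: int, impact: int) -> str:
    """Risk = likelihood combined with impact (each rated 1..3, assumed bands)."""
    for rating in (likelihood, impact):
        if rating not in (1, 2, 3):
            raise ValueError(f"rating {rating!r} is outside the 1..3 scale")
    score = likelihood * impact     # possible scores: 1, 2, 3, 4, 6, 9
    return "high" if score >= 6 else "medium" if score >= 3 else "low"

@dataclass
class Safeguard:
    name: str
    likelihood_cut: int = 0         # assumed reduction in likelihood rating
    impact_cut: int = 0             # assumed reduction in impact rating

@dataclass
class Pair:
    threat: str                     # risk determination step 1
    vulnerability: str              # step 2
    current_controls: list          # step 3
    likelihood: int                 # step 4, rated with current controls in place
    impact: int                     # step 5
    safeguards: list = field(default_factory=list)  # safeguard step 1

def determine_risk(pair: Pair) -> str:
    """Risk determination step 6: risk level of one threat/vulnerability pair."""
    return risk_level(pair.likelihood, pair.impact)

def determine_residual(pair: Pair) -> tuple:
    """Safeguard steps 2-3: residual likelihood and impact, never below 1."""
    likelihood = max(1, pair.likelihood - sum(s.likelihood_cut for s in pair.safeguards))
    impact = max(1, pair.impact - sum(s.impact_cut for s in pair.safeguards))
    return likelihood, impact, risk_level(likelihood, impact)

def overall_residual(pairs) -> str:
    """Safeguard step 4: the system is only as safe as its worst residual pair."""
    return max((determine_residual(p)[2] for p in pairs), key=ORDER.index, default="low")

# Constructed register for the shared postgraduate lab in the case study.
REGISTER = [
    Pair("theft of computer equipment", "resources exclusively in public domain",
         [], 2, 2, [Safeguard("facility access controls", likelihood_cut=1)]),
    Pair("insider manipulation of stored data", "no accountability for assets",
         ["passwords"], 2, 3,
         [Safeguard("encryption of non-public data", impact_cut=1),
          Safeguard("rigorous authentication", likelihood_cut=1)]),
    Pair("remote installation of malicious software", "non-uniform equipment",
         [], 3, 2, [Safeguard("security updates and antivirus", likelihood_cut=1)]),
]

def report(pairs) -> list:
    """One line per pair: current risk level, then residual risk level."""
    return [f"{p.threat}: {determine_risk(p)} -> {determine_residual(p)[2]}"
            for p in pairs]

if __name__ == "__main__":
    print("\n".join(report(REGISTER)))
    print("overall residual risk:", overall_residual(REGISTER))
```
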