Security of Information in Government Organizations - Essay Example

?Security of Information in Government Organizations Table of Contents Security of Information in Government Organizations Table of Contents 2 Introduction 3 Information Security 3 Information Security In Government Organizations 5 Human Information Asset 5 Physical Information Asset 7 Technical Information Asset 9 Information Asset Classification 9 Confidentiality 9 Availability 10 Integrity 10 Risks In Information Security Of Government Organizations 11 Type of Risks 12 Implication Of Threat In Government Organizations 13 Counter Measures For The Threats Of Information Security 14 Technical Counter Measures 16 Physical Counter Measures 16 Personnel Countermeasures 17 Conclusion 20 References 21 Bibliography 25 Introduction The paper is based on the importance and critical aspects of information security in government organizations. Through information security, government organizations can secure information from broad variety of threats so as to certify steadiness, lesser risks and higher commercial prospects. The purpose of information security for government organizations is to confirm stability of governance and decrease information loss or damage by inhibiting and reducing the effect of security misconducts or breaches. Important aspects of information security such as asset classification, types of threats and implication of those threats are described in this paper. Through proper technical, physical and personnel countermeasures government organizations can maintain the integrity, availability and confidentiality of information (Aoufi, 2011). Information Security Information is regarded as asset to a government’s commercial trade and therefore need appropriate protection. For any government organization, assets need to be safeguarded. An outbreak of government information can result in adverse outcomes. No organization owns staffs or consumers, but information is possessed by every organization whether it is public or private. That’s why information is regarded as intangible asset with significant qualities of having the capability to deliver monetary advantages to its proprietors. Information exists in an organization in any format be it printed format, written format, electronic format, video format, and web content format. Whatever format government organizations store their information, it needs to be protected properly (Aoufi, 2011). ISO 27002 claims that information safety is the central aspect of government’s information security that guarantees three features which are: integrity, availability and confidentiality of asset (Aoufi, 2011). Integrity is about protecting the truthfulness and extensiveness of information. This feature denotes to the necessity that information is secured from improper change Availability is certifying that only approved employers have access to information and associated assets when needed. This property refers to the protection of information from denial of service Confidentiality guarantees that information is accessible merely to those approved employers. This feature denotes to the security of information from illegal leak (Aoufi, 2011) There are no priorities regarding the importance about those three features. The importance of each of the features relies on the perspective of how they are implemented in government organizations. For example, information which is categorized as public is needed to assure availability and integrity and confidentiality is not needed (Aoufi, 2011). Information Security In Government Organizations Information security in government organizations are the promise that information, resources and facilities are protected against concession and people are secured in contradiction of workplace violence. Through information security government can guarantee its own security that supports the health, protection, economic welfare and safety of citizens. Security arises by forming trust among government, citizens and people within government organizations. Within government organizations there is need to certify that people having access to governmental data, resources and facilities are honest, dependable and faithful. At the governmental level, security extortions, risks and occurrences must be handled proactively to safeguard the government’s critical resources, data and assets (Treasury Board of Canada Secretariat, 2009). In any department of government organization, administration of information security needs continuous evaluation of risks observation of internal management controls relating prevention of risks and reaction and recovery of data when needed (Treasury Board of Canada Secretariat, 2009) Human Information Asset According to ISO 27001, government organizations must manage system entree authorization for new comers, movers and leavers and carry out appropriate security consciousness exercise and instructive activities (IsecT Ltd, 2011). The activities for each level are different for example: Before employment: In this level, security responsibilities must be considered by government organizations through suitable job explanation and pre-employment selection while enrolling permanent staffs, workers and short-term staffs (IsecT Ltd, 2011). In the course of employment: During employment, government’s role of human information security must be clear. The personnel and third party operators must be attentive and trained in security processes. An official corrective procedure is essential to manage any security breaches (IsecT Ltd, 2011). End or transformation of employment: In case an employee leaves or gets transfer from a position in a government organization, the modification in accessibility of information must be managed (for instance, abstraction of access right of information or giving authority to use additional information among others) (IsecT Ltd, 2011). The following table represents the human resource security responsibilities in government organizations: Before Employment Responsibility of Government Organizations Security roles and duties for employee should be recognized Personnel screening should be executed before entering in government organization The terms and conditions of occupation must certify the obligation of employee for information security In the Course of Employment Government organizations should ensure that employees obey with security rules and techniques Employees should receive suitable information security education Any break in information security should be appraised by organization End or Transformation of Employment Employment transformation or end should be documented Employee should give back government asset on termination and all permission of accessing information must be removed or assessed. Source: (Province of British Columbia, 2011). Physical Information Asset Government organizations understand that practical method for information security is crucial for protecting critical data but, government also needs to administer security of physical information asset. Simple change in security activities can make a huge modification to the organization’s capability for preventing information breaches. The government organizations must use high-tech solutions to secure services and manage the right to use information for authorized employees. Physical information security gap resulting from old equipment or shortage of capital can result in possible weakness for government system (Verizon, 2010). Physical information can be secured by appropriate outline and plan of services and the practice of measure to interrupt and inhibit illegal access to government information. It contains events to identify attempted or real illegal access, and stimulate an appropriate response. Physical information security delivers events to defend employees (Attorney-General's Department, 2010). The objective of physical security is to prevent illegal physical access, alteration, and intervention of government information. Serious and sensitive information must be in-housed in safe areas and should be protected by clear safe perimeter, with suitable safety barriers. It can ensure security against illegal access or damage of government documents, data and services. The protection executed by government organizations must be proportionate with the measured risks and the cataloging of the information. Government organization needs to use security edge to protect fields which include information processing services (Calder & Watkins, 2008). Information in government organizations comprises of cybernetic assets and dealings, but security faults may loiter in physical establishment. Electronic defenses are constantly progressing to strengthen security tasks of government documents, but once offenders get clear physical access to information, storage device, or network, the electronic defense becomes unusable. Thus, observing and administration of physical information asset is a vital component of information security (Caudill, 2008). For any government’s information system there can be three security scenarios of physical information asset: Perimeter Control: Billions of Pounds worth government records or intellectual assets can be stolen from data center or taken from organization’s critical server. Thus, physical perimeter control for information is necessary. Therefore, government organizations carry out physical scrutiny on workers, suppliers and visitors. As use of computer and storage devices increases and their size decreases, risks of information loss has also increased and thus, governments’ attempt for complete physical scrutiny has become more difficult (Caudill, 2008). Detection and Review: Detection and review process that syndicate physical and electronic systems can detect security deficiency and underutilized assets. For example, information stored physically may be run out of power, disconnected, or broken and information which is recorded electronically may be accessed through unauthorized people by network intrusion (Caudill, 2008). Process Assurance: Connecting the identity of information electronically and physically is vital when devices are fixed or upgraded or completed its usefulness. Physical asset detection helps organizations to keep computing information asset up-to-date, protected and useful. Hard disks are especially at risk when it becomes useless because it may contain sensitive information. Thus, physical procedures must ratify the chain of supervision and ultimate damage because electronic methods are inadequate with unreadable physical drives (Caudill, 2008). Technical Information Asset Technology asset usually defines electronic devices where information assets are located, transported or handled. Technical assets normally comprise of hardware, software, applications, computer servers and organization’s internal networks. Information Asset Classification To decide the actions needed for effectively securing information asset, it should be categorized. Organizations are accountable for certifying that each information asset is assessed against three criteria which are: Confidentiality Confidentiality denotes the sensitivity of information and the access measures needed to defend the information (Sinclair Community College, 2010). Confidentiality can be demarcated as: Private information where access is constrained to particular list of individuals. Examples of his type of information are: payroll record (salary, wages), heath data and credit card number among others Sensitive information where utilization of data is protected from periodical disclosure and access is limited to particular employers only. Examples of sensitive information are: financial data, personal identification number and students’ records among others Public information where, data are freely available but controlled by government organizations such as recruitment leaflets, government organizations’ website, public college announcements among others (Sinclair Community College, 2010) For confidential information, the access control is necessary. Government organizations need to decide as to which persons possess the authority for using information asset and have the right to operate or modify data (Sinclair Community College, 2010). Availability Availability is a measure of criticality. This criterion denotes the importance of availability of information asset to approved citizen. Availability is measured on the basis of reliability and timely access to information (Sinclair Community College, 2010). Availability can be defined as: Vital, where information is essential for organizations and temporary suspension of this information may cause negative impression Critical, where information need for routine tasks and must be available throughout regular working time or during registering, recording or reporting Important, where information must be available throughout regular working time and temporary suspension of this information more than 1 day can result in harmful impact Repetitive, where information is available regularly and extended temporary suspension of this information does not impact significantly (Sinclair Community College, 2010) Integrity Integrity is used for principal information classification. This criterion denotes the correctness of information asset. Integrity refers the up-to-date information. Integrity of information asset is defined as high, standard or little (Information Management Branch, 2005). Risks In Information Security Of Government Organizations In any government organization, the information security management comprises of four basic steps which are: Source: (Mcleod & Schell, 2008). For any information of government organization, the risks can arise internally, externally, fortuitously and deliberately. Internal and External Risk: The internal risk for information of any government organization comprises of organization’s own employees, part-time employees, counselors, suppliers and organization’s business associates. Several surveys depicted that almost 49% of organizations faced information security problems and incidents because of authentic users. It has been estimated that maximum cyber-crimes in organizations are committed by employees. The internal risks of information are potentially more serious compared to external threats because only employees know intimate facts about organization’s information system and they can use it illegally (Mcleod & Schell, 2008). Fortuitous and Deliberate Risks: Every unfortunate incident with respect to governmental information is not conducted deliberately. Certain risks can arise fortuitously by employees inside organization. Thus, information security must be designed to prevent or reduce the probability of fortuitous damage (Mcleod & Schell, 2008). Type of Risks One of the most common risks faced by government organizations are computer viruses and malware among others. Virus or malware comprises of software and programs which include certain binary codes which invade organization’s information system and conduct illicit activities, not intended by organization. There are other risks for government information besides malware and viruses, such as Trojan horses, worms, spyware and adware (Mcleod & Schell, 2008). Virus is a program which can reproduce itself without being detected by the people and it can hide in other programs and computer’s boot sectors. Trojan horse is unable to reproduce or distribute itself automatically like virus, people spread it as computer function and when the function is used, it results in undesirable modifications in the information system functionality. Worm cannot reproduce itself like virus, but it has the ability to distribute it through e-mail. Spyware and Adware have evolved in recent days. Spyware can collect information from organization’s system and Adware can create invasive advertising message (Mcleod & Schell, 2008). Information security risk can be referred as possible unwanted consequence of breaking the rule of information system. The risks regarding government information is characterized by unofficial leak and theft of data, unauthorized access of information, illegal destruction and rejection of service, and unofficial alteration of record (Mcleod & Schell, 2008). Unofficial leak and theft of information occur when the database and information library are made accessible for people who are not eligible or have the right to access. As a consequence, it can lead to loss of data and money. Unauthorized access arises when persons who are not eligible to access organization’s information are capable to access it. Generally, hackers can conduct this kind of act who sees breaking organization’s information system as a challenge. Hacker can enter organization’s computer network and gain access to the information system. Hackers are expert operators of software and application who can break any information system and use them illicitly (Clarke & Knake, 2010). Illegal destruction and rejection of service can injure the hardware and software system. Unofficial modifications can occur to organization’s data and records. This can lead to wrong decision by organization because changed data or records are very hard to detect (Mcleod & Schell, 2008). Implication Of Threat In Government Organizations The international connectivity has made government information riskier than before. Computer oriented attacks on government’s information regarding nuclear launches, energy networks, telecommunication, military data, and financial services can strictly interrupt the national defense structure and social facilities. The above risks can generate unsafe or forcible impacts on government and can put national security in danger. In this increasing electronic economy system, computer attacks on government organizations are gradually used for political, monetary or military motives. For government organizations, information security can be harmed by three ways which are: ‘internet connectivity’, ‘wireless networking’, and ‘mobile computing’. Identity theft or theft of information is major cause for anxiety for the government as well as private organizations. It can lead to economic loss, information loss, loss of reliability and status. Critical information on telecommunication, shipping, energy, business deals, and money can be affected by people inside or outside of organizations (Mahindra Special Services Group, 2010). Counter Measures For The Threats Of Information Security For every government organization, it is vital to counter the threats on information security. Several government administrations have developed standards which are envisioned to act as rules for organizations looking for information security. Organizations are not mandated to follow the standards; rather standards are planned to offer organizations with support in establishing a tight security for information protection. For instance, “United Kingdom’s BS7799” provides a set of standard controls for organizations. It was issued on 1995 by the ‘British Standard Institute’ and afterwards distributed as ISO 17799 standards in the year 2000. After the incident of 9/11 and the realizing the persistent characteristics of internet which give prospects for cyber-crime, governments of both the UK and the USA developed standards and approved regulations intended for addressing the growing significance of information security in government organizations (Mcleod & Schell, 2008). According to ‘Anti-Terrorism Crime and Security Act’ (ATCSA) of UK, in 2001 The internet service providers (ISPs) are mandated to keep information regarding all communication dealings for 12 months Government establishments are allowed to reveal information regarding individual or organization’s financial matters to examine offense or terrorism Responsibility of self-assurance is not applicable for public organizations even there is only doubt of forthcoming terrorist deeds (Mcleod & Schell, 2008) Information and Communication Security Technology Center (ICST) plays major part to counter information security threats. ICST has designed a network system with almost 13,000 government administrators in several countries to transmit and issue any emergency alert to them and provide consultative information. ICST has also formed a National Security Operation Center (NSOC) which supports as an important association to provide information security. The ICST cooperates with government organizations in several counties. For example, In Malaysia, ICST had formed ‘National Cyber Early Warning Center’ which helps in observing and identifying computer threats which can impact on Malaysian organizations (Fujiwara, 2006). Technical Counter Measures Technical countermeasures deal with protection of information security system and network system of government organizations. In order to increase the security of information, government organizations use firewall system. Firewall performs as a filter and obstacle which manages the flow of information from organization’s server to internet. Firewall can create a defense for every computers of an organization. Firewall can be of three kinds: ‘packet-filtering firewall’, ‘circuit-level firewall’ and ‘application-level firewall’. Each serves different technical countermeasures for securing information. Besides firewall, government organizations also use cryptographic controls. Through cryptographic measures government organizations can protect data against illegal leak. It is a scientific procedure where data and information are encoded in storage media and spread over internal network. If any unofficial person enters into the network, the encryption makes the stolen information worthless and thus inhibits misappropriation of information. In present days, substantial consideration to encryption is given by several governments to conceal illegal and terrorist activities. Physical Counter Measures Physical information security violation can impact much more on government organizations’ information compared to technical attack like that of worm. With the introduction of several physical portable drives such as pen drive, USB hard drive, the concern of physical security becomes more serious for government organizations. ‘Pod Slurping’ is a new threat for information security where iPod can be organized to execute a file named ‘sleep.exe’. This program has the ability to copy information from any computer system at high speed, about 100 Mega Byte per minute. Physical protection of laptop is also significant as use of laptop computer for information storage has increased (Giannoulis & Northcutt, 2007). Government organizations can take following physical counter measures for information asset security based on priority of information: Server Room Security: For protecting the information in government organizations, admittance control cards can be introduced so that only specific personnel can gain access to the server of governmental data. Depending on the priority of information government organization can use Biometrics where employee can use computer information by thumbprint or retina identification system. The awareness of employee is vital for any security. Despite several physical countermeasures, any unauthorized person can gain access to confidential government organization’s data by simply taking the advantages of employees’ ignorance (Giannoulis & Northcutt, 2007). Computer Protection: For protecting information from portable drives, government organizations can restrict the use of devices such as pen drives, USB hard drives and USB CD/DVD drives in their information system so that data cannot be taken easily or stolen by unofficial person. Government personnel can use locks in their laptop system so that it makes harder for system invaders to take any information (Giannoulis & Northcutt, 2007). Personnel Countermeasures Personnel countermeasures specifically mitigate the handling that how people are appointed and dismissed from job in government organizations. For every government organizations there is need for inspecting the background of employees, checking the policy applicable for employees, and checking the limitations about accessing information for employees (Winkler, 2007). The security of information in government organizations includes the roles of employers, engineers, implementers and managers. A wide range of information security issues are related about how those above persons use the computers and power of their positions required for their jobs. No information system is safe without proper management of personnel. The personnel countermeasures in any government organization comprises of the following methods: Staffing: In government organizations, the staffing procedure must go through four phases. 1. Position Description: In the process of describing a position, security concerns should be recognized and addressed. When a position is largely demarcated, the administrator must decide the type of information access required for that position. Two information security rules are applied while granting access to information which includes: departure of responsibilities and minimum freedom to access (Swanson & Guttman, 1996). 2. Defining Position Sensitivity: Administrator of government organizations should define the position sensitivity on the basis of responsibilities and information access intensities. This phase is important for proper economical screening (Swanson & Guttman, 1996). 3. Screening: Background screening of employees help organizations to decide if a specific person is appropriate for a particular position. It is more efficient to isolate the responsibilities of employees and provide least privilege to restrict the high sensitivity, compared to depending on screening to minimize the risk of information security (Swanson & Guttman, 1996). 4. Employee Training and Alertness: It is vital for every government organization to train the employees regarding information security and the obligation related with their positions (Swanson & Guttman, 1996). Administration: Government organizations must guarantee effective administration of employees’ information access to preserve the security. The administration comprises of following activities: Workers Account Management: Government organizations have the right to appeal, create, publish, and close the workers’ account. Besides organizations can also monitor workers and their individual access approvals when needed (Swanson & Guttman, 1996). Inspection and Management Appraisal: It is necessary for government organizations to occasionally appraise workers’ accounts. The review of accounts should examine the level of information access, conform to the minimum freedom of workers, and check if the authorizations are informed. The inspection and management appraisal can be accomplished at two levels: application and system (Swanson & Guttman, 1996). Identifying Unofficial or Prohibited Actions: Government organizations need to use mechanisms for identifying unofficial and prohibited activities. It can be accomplished by transferring employees throughout sensitive positions or periodic selection of staffs (Swanson & Guttman, 1996). Conclusion In any government organization, the resources and operations are highly reliant on information technology to achieve the objectives and targets. Considering the high reliance, information becomes a strategic enabler for success of government organizations. Thus, defending information is main concern for any government establishments (Bowen et al. 2007). Through information security, government organizations can protect their information system from illegal accessing, leaking, distraction, alteration, inspection, coping or damaging. Government organizations possess several intimate information regarding nuclear operation, military operation, business deals, and employees. Most of those data are processed electronically and shared across organizations’ internal network. As the use of internet and computer increases and develops, the risk of leaking and stealing those high priority information has also increased. There are internal as well as external threats of government information. Thus, information security has become highly important and technologically advanced expressively in recent times. Government organizations are required to provide a great deal of effort for protecting information asset from external as well as internal threats. Through proper security measures government, organizations are able to ensure the integrity, availability and confidentiality of information. References Aoufi, S. E. (2011). Information Security Economics. UK: The Stationery Office. Attorney-General's Department. (2010). Physical Security. Retrieved September 28, 2011, from http://www.ag.gov.au/www/agd/agd.nsf/Page/ProtectiveSecurityPolicyFramework_Part6-CoreProtectiveSecurityPolicies_6.3AustralianGovernmentphysicalsecuritycorepolicy Bowen, P., Chew, E., & Hash, J. (2007). Information Security Guide For Government Executives. Retrieved September 28, 2011, from http://csrc.nist.gov/publications/nistir/ir7359/NISTIR-7359.pdf Clarke, R. A., & Knake, R. K. (2010). Cyber War: The Next Threat to National Security and What to Do About It. New York: Harper Collins Publishers. Calder, A., & Watkins, S. (2008). IT Governance: A Manager's Guide to Data Security and ISO 27001/ISO 27002. US: Kogan Page Publishers. Caudill, J. (2008). Physical Asset Management and IT Security an Xterprise White Paper. Retrieved September 28, 2011, from http://www.xterprise.com/files/182_xterprise_physical_asset_management.pdf Fujiwara, B. (2006). Cyber Security “Threats and Countermeasures”. Retrieved September 28, 2011, from http://www.gbd-e.org/ig/cs/CyberSecurityRecommendation_Nov06.pdf Giannoulis, P., & Northcutt, S. (2007). Security Laboratory: IT Managers - Safety Series. Retrieved September 28, 2011, from http://www.sans.edu/research/security-laboratory/article/281 IsecT Ltd. (2011). ISO/IEC 27002:2005 Information Technology — Security Techniques — Code of Practice for Information Security Management. Retrieved September 28, 2011, from http://www.iso27001security.com/html/27002.html#Section8 Information Management Branch. (2005). Information Security Classification. Retrieved September 28, 2011, from https://www.rimp.gov.ab.ca/publications/pdf/InfoSecurityClassification.pdf Mcleod, R., & Schell, J. G. P. (2008). Management Information Systems, 10th Edition. India: Pearson Education India. Mahindra Special Services Group. (2010). Information Security Threats: Implications for National Security. Retrieved September 28, 2011, from http://www.skoch.in/images/stories/security_paper_knowledge/Increasing%20Information%20Security_DineshPillai.pdf Province of British Columbia. (2011). Security Classification: PUBLIC. Retrieved September 28, 2011, from http://www.cio.gov.bc.ca/local/cio/informationsecurity/policy/isp.pdf Sinclair Community College. (2010). Identification and Assessment of Assets and Risks. Retrieved September 28, 2011, from http://sinclair.edu/about/information/usepolicy/pub/infscply/Identification_and_Assessment_of_Assets_and_Risks.htm Swanson, M., & Guttman, B. (1996). Generally Accepted Principles and Practices for Securing Information Technology Systems. Retrieved September 28, 2011, from http://csrc.nist.gov/publications/nistpubs/800-14/800-14.pdf Treasury Board of Canada Secretariat. (2009). Policy on Government Security. Retrieved September 28, 2011, from http://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=16578§ion=text Verizon. (2010). Comprehensive Defense-In-Depth Enterprise Security Solutions. Retrieved September 28, 2011, from http://www.verizonbusiness.com/resources/factsheets/fs_physical-security-solutions-for-federal-government_en_xg.pdf Winkler, I. (2007). Zen and the Art of Information Security. Amsterdam: Elsevier. Bibliography CISSP Forum. (2007). Top Information Security Risks for 2008. Retrieved September 28, 2011, from http://www.iso27001security.com/Top_information_security_risks_for_2008.pdf Devost, M. G. (n.d.). Current and Emerging Threats to Information Technology Systems and Critical Infrastructures. Retrieved September 28, 2011, from http://www.devost.net/papers/business-briefing.pdf Fowler, S. (2003). Information Classification – Who, Why and How. Retrieved September 28, 2011, from http://www.sans.org/reading_room/whitepapers/auditing/information-classification-who_846 Government of Alberta. (2003). Information Assets in the Government of Alberta. Retrieved September 28, 2011, from https://www.rimp.gov.ab.ca/imf/pdf/IMFrameworkReport.pdf Harmeel, M. E. (2009). Humans… The Overlooked Asset. Retrieved September 28, 2011, from http://www.sans.org/reading_room/whitepapers/honors/humans-overlooked-asset_33257 Mitrakas, A., (2007). Secure E-Government Web Services. Idea Group Inc. Redmill, F., & Anderson, T. (2007). The Safety of Systems: Proceedings of The Fifteenth Safety-Critical Systems Symposium. Springer. State Administrative Manual. (2009). Classification of Information. Retrieved September 28, 2011, from http://sam.dgs.ca.gov/TOC/5300/5320.5.htm Read More