Confidentiality, Integrity and Availability Triangle, Information Security Policy - Assignment Example

Mid-Term Exam

1. DEFINE EACH OF THE COMPONENTS OF THE C.I.A TRIANGLE. DISCUSS THE SIGNIFICANCE OF THE KEY CONCEPTS OF INFORMATION SECURITY IN RELATION TO THE TRIANGLE.

The C.I.A triangle, which stands for ‘Confidentiality, Integrity and Availability’, is a very efficient and well-known model that is utilized for the development of security policies. This model is also used for the utilization of information technology to a very large extent. It is used in the process of identifying problem areas pertaining to information security and for introducing appropriate solutions for problems related to information technology. In addition, this security model largely emphasizes the security aspects of information technology and helps people in analyzing all those important aspects that pertain to the comprehensive and valuable features of information technology (Whitman and Herbert 1-250). The three major components of the C.I.A triangle are Confidentiality, Integrity and Availability.

Confidentiality: It is considered one of the most important components of this particular model, as it solely emphasizes the procurement of valuable information and its prevention from being shared with unauthorized personnel. Information technology is considered to be a vital aspect as it serves multiple purposes. Most major transactions in today’s scenario take place online, and there are many malicious internet users who are very proficient in stealing and manipulating information that is highly restricted (Whitman and Herbert 1-250).

Integrity: It is also considered a vital aspect of this particular triangle, as this component largely emphasizes the protection of information along with preventing it from being modified or manipulated by unauthorized users, which may disrupt the information sharing process (Whitman and Herbert 1-250).
Availability: This component focuses on sharing information with all those authorized users who need to access it whenever it is required. This component allows the right people to access the information at the right time (Whitman and Herbert 1-250).

Information security is considered to be the most important aspect in the field of information technology, as it widely emphasizes the protection of information along with preventing unauthorized access. It also helps prevent the revelation or disruption of information to unwanted individuals. The two key concepts of information security are IT security and information assurance. IT security relates to ensuring proper security of computers and all their components. Similarly, information assurance relates to the procurement of information and the prevention of valuable data from being lost or manipulated. Both of these concepts have great significance in relation to the triangle, especially in the modern technological context, as these concepts, along with the components of C.I.A, aim at a basic objective, i.e. to ensure all-round security in matters pertaining to information technology and its proper usage (Whitman and Herbert 1-250).

The best example of the utilization of the concepts of information security and the components of C.I.A is that they are utilized by IT specialists, corporations, hospitals, financial institutions, government and military, among other entities. The components are utilized with the prime objective of ensuring comprehensive and steadfast security of the various types of business information that are processed and shared for various authenticated business purposes (Whitman and Herbert 1-250).

2. DESCRIBE AN INFORMATION SECURITY POLICY. EXPLAIN WHY IT IS CRITICAL TO THE SUCCESS OF AN INFORMATION SECURITY PROGRAM

Information security policies are documented business rules and regulations that are implemented for the sole purpose of storing and protecting information in an appropriate manner. These policies largely emphasize an appropriate plan or course of action in matters pertaining to information technology and its use. An information security policy is also considered to be a very essential foundation in the implementation of an information security programme. Information security policies play a vital role in the process of information flow as well as in the process of securing information. These policies are designed to improve the process of information flow in an orderly manner.

These policies provide a set of specific guidelines to the IT practitioners and IT officials who are well versed in the information system process. The guidelines consist of valuable information regarding the various processes through which an information system can be made effective. They also comprise information regarding the administrative processes that need to be followed in order to ensure an effective information management process. They also entail timely execution of the formulated tasks, which may include installation of firewalls and other security features, among others, that are carried out to ensure total security in the information procurement, information storage and information sharing processes. Moreover, information security policies help in determining the various training programs that need to be initiated to ensure a highly efficient IT support system and to make the IT personnel more effective (Whitman and Herbert 1-250).
An information security policy is considered to be very critical for the success of an information security program because all the elements of an information security policy that have been studied primarily focus on the broader aspects of the overall information technology process. A sound information security program can effectively provide great aid in making the overall information technology process highly productive. In addition, it will lead to proper functioning of the information process with timely execution of the pre-determined standards. Thus, by following an effective information security policy, all-round security can be assured. This aspect would prove to be very fruitful, as it will enable the entire management to work in a diversified manner, since the guidelines that are set in the information security policies are also meant to create a strong linkage between all the members of an organization. The guidelines also enable them to work in a cohesive manner for the sole purpose of ensuring total security in the information systems (Whitman and Herbert 1-250).

For example, IBM, which is one of the leading software companies in the world, comprehensively utilizes the concept of information security policy in its overall working processes. The company is also engaged in highlighting the importance of this particular policy. In addition, a growing number of information technology based organizations are observed to use this particular policy nowadays (Whitman and Herbert 1-250).

3. DISCUSS THE DIFFERENCE BETWEEN ENTERPRISE INFORMATION SECURITY POLICY, ISSUE-SPECIFIC SECURITY POLICY, AND SYSTEM-SPECIFIC SECURITY POLICY

| Points of Distinction | Enterprise Information Security Policy | Issue-Specific Security Policy | System-Specific Security Policy |
| --- | --- | --- | --- |
| Meaning | 1. Sets the scope and strategic path for all the security efforts of an organization. 2. This policy is also used for assigning different responsibilities to the various personnel for ensuring total information security. | 1. An effective issue-specific security policy chalks out targeted and detailed guidance for the sole purpose of instructing all those members who are associated with an organization to use the technology based systems in an orderly manner. | 1. System-specific security policies essentially do not have much similarity with the other types of policies. 2. These policies are specifically created to follow certain procedures or standards that are to be used while working with information systems. |
| Contents | 3. This policy contains various rules and regulations that the users need to follow. | 2. This policy contains specific information, applicability and scope related to the policy, technological definition along with roles and responsibilities of the personnel. | 3. This policy contains specific information regarding technical specifications that are required to be put into place. |
| Documentation | 4. This policy contains various information that includes: an overview of the philosophies pertaining to security; the roles of the security personnel; articulated sharing of responsibilities; articulated and unique responsibilities that are shared in an organization. | 3. In this policy, documents pertaining to all the major issues in an organization are covered. It also includes proper administration of the issue along with analyzing each of the requirements of all those broad issues that mainly relate to information systems in an organization. | 4. In the case of system-specific security policy, the documents generally consist of technical specifications along with proper guidance that needs to be provided to the personnel for ensuring proper management in the organization. |
| Components | 5. This policy includes all those basic components that are quite vital from the organizational perspective. It also entails those facts that help determine the importance of this policy, various guidelines and other elements relating to security aspects of information technology. | 4. As compared to the enterprise information security policy, this policy has extended components that principally include the aspects that pertain to systems management, equipment usage, prohibitions and various procedures relating to violations of rules and regulations, among various other aspects. | 5. In this policy, the components generally include management guidance, technical specifications and access control guidelines that are provided to guide the users in accessing the information systems in an organization. |

All these security policies aim at a basic objective, i.e. to ensure all-round security in matters with regard to information and its free flow. These policies also ensure comprehensive effectiveness in an organization along with providing guidelines to the personnel in a cohesive manner. They also ensure steadfast security of information and procurement of the information as well (Whitman and Herbert 1-250). These policies are thus considered to be very important. For example, these policies are used by all those leading companies that are based on information technology, such as IBM, Google, Microsoft and various other small and big software and technology based companies around the world (Whitman and Herbert 1-250).

4. DISCUSS THE ELEMENTS OF SECURITY EDUCATION TRAINING AND AWARENESS PROGRAM. EXPLAIN THE FACTORS THAT CAN INFLUENCE THE EFFECTIVENESS OF A SECURITY TRAINING PROGRAM.

A security education training and awareness program largely emphasizes providing fruitful training to all the users, which is required for working with the information technology system. Security education training and awareness programs are conducted in both small and big organizations. The basic elements of this particular program hold primary importance.
These elements are cited below:

  • Security awareness
  • Security training
  • Security education

All these elements are essentially targeted at ensuring all-round security, which is the primary concern. By implementing this particular program, the broader aspects of security are emphasized in the organizations, and proper training is provided to the personnel regarding the importance of security and the various ways through which proper security in the organizations can be assured (Whitman and Herbert 1-250).

The first element, i.e. ‘security awareness’, relates to spreading awareness about the concept of security and its broad dimensions. In this particular stage, the various implications of security and its applications are familiarized within the organization. The second element, i.e. security training, relates to those aspects that are associated with training and development of personnel in the field of security and its applications in the organizations. In this stage, the employees in an organization are specifically trained in the processes of procuring information in an authenticated manner and thereby securing it from malicious users. The third element, i.e. security education, primarily relates to the fundamental teachings that are provided to the employees in an organization. It is usually provided in the initial stages, when an organization plans to initiate proper security in matters pertaining to procurement of information and its proper storage. In order to initiate a proper information system, organizations generally introduce security education in order to tighten the aspects of security in the organizations (Whitman and Herbert 1-250).

There are various factors that can influence the effectiveness of a security training program. For example, different factors pertaining to the increased need for security in the field of information technology can influence the effectiveness of a security training program to a very large extent. As a varying number of technology based organizations, along with other organizations, are emerging, the concept of security is gaining more and more importance in the current scenario. Considering this vital aspect, there is a strong possibility that the concept of a security training program will become much more influential in determining its importance. Moreover, all-round effectiveness in this particular segment will also be made possible, as this particular training is intended to ascertain efficiency in matters pertaining to security and its varied importance in the context of an overall organization. Therefore, the concept of a security training process is expected to meet the broad security requirements of the organizations, as this aspect will definitely provide great aid in developing trained manpower who can manage the emerging trends and importance of security in the organizations (Whitman and Herbert 1-250).

5. DISCUSS THE INFORMATION SECURITY FRAMEWORK AND SECURITY MODELS

An information security framework is essentially a technological product that offers multiple benefits relating to security, along with measures to ensure proper security within an organization. This particular product comprises certain specific features such as governance of security, proper risk management techniques and certain portfolios for compliance with the rules and regulations of an organization. This particular product ensures fast services and also assures a very specific approach for maintaining proper enterprise security, which is essential for any organization to sustain and operate its various organizational processes in a comprehensive manner. It helps in enhancing the operational facilities of an organization and also helps identify the security gaps that exist in an organization. In this way, it aids an organization in meeting the business requirements, which in turn helps assure better business performance. In addition, this framework also helps in prioritizing the broad security initiatives that need to be adopted for meeting the various business requirements (Kim and Solomon 1-100; Whitman and Herbert 1-250).

Security models generally relate to the various schemes that are enforced and specified for the implementation of the security policies in the organizations. A security model usually classifies the various rights pertaining to access to the systems. All kinds of security models essentially serve the common objective of preventing unauthorized access to the systems and information. A security model also classifies the different entities that can access the information whenever it is required. These models also specify the time, place/location and process through which the access can be made. Furthermore, these models classify the different functions of security and the process through which proper security is assured in an organization. Security models are effectively utilized for keeping proper track of the network through which information is shared within the organization. They also help in analyzing those threats that may come from malicious users (Kim and Solomon 1-100; Whitman and Herbert 1-250).

These models also provide proper guidance in relation to the applications that need to be used while dealing with the information system. With the help of security models, one can easily derive a fair idea before choosing particular software or a program in order to perform various activities that may relate to office automation and email applications, and they can also help an organization in planning its resources by way of Enterprise Resource Planning (ERP). The most widely used security models are the Bull’s Eye model and the Access Control Lists (ACL) model, which serve primary and effective functions in the organizations. All the above functions are served by these particular models, and they are highly utilized for their extended services (Kim and Solomon 1-100; Whitman and Herbert 1-250).

Thus, the services provided by the models are considered to be very important, and for these reasons they are widely utilized by most of the companies that seek extra security in matters pertaining to information and the processes through which information gets stored, shared, processed and transferred in the organizations (Kim and Solomon 1-100; Whitman and Herbert 1-250). For example, there are various companies that utilize both security models and an information security framework. Companies such as Acme, HCL and IBM, among others, can be considered to be the best examples in this regard (Kim and Solomon 1-100; Whitman and Herbert 1-250).

Works Cited

Kim, David, and Michael Solomon. Fundamentals of Information Systems Security. United Kingdom: Jones & Bartlett Learning, 2010. Print.

Whitman, Michael E., and Herbert J. Mattord. Management of Information Security. United Kingdom: Cengage Learning, 2010. Print.