Technical and Formal Security - Research Paper Example


Extract of sample "Technical and Formal Security"

Information Security

Cyber-criminals are intelligent as well as organized. Once a computer network is breached, they install small loopholes or software intruders that give hackers access whenever they want to enter the network again. In simple terms, it is a computer-to-computer attack intended to steal confidential information or undermine the integrity of the data presently available on the network. The attack adopts a calculated course of action against data, software and hardware in both computers and networks (Denning & Denning, 2010). It is essential to define a solid network defense for handling cyber-attacks. We have divided security into two aspects, i.e. technical and formal security.

Technical System Security

After identifying the purpose, it is necessary to identify weaknesses or vulnerabilities along with their impact and types. Organizations have to consider the backdoors and weak points that may allow or trigger threats to disrupt business operations by compromising an asset or information system. Moreover, a holistic approach is required to address all risks and vulnerabilities, as every minor vulnerability can expand by cascading into other risks in the system. From a technical standpoint, what needs to be protected: hardware, applications or data? That is a question that must be addressed by the organization itself (Royal Canadian, 1992). This question can only be answered by identifying and categorizing threats. According to Dhillon (2007), threats are categorized as modification, destruction, disclosure, interception, interruption and fabrication, and these apply to hardware security, data security and software security. Effective change management and configuration management procedures, along with documentation, are the most effective controls for minimizing security vulnerabilities that may arise from incompatible modules or hardware modification of the system (Prin of computer security 2E, 2010).
Destruction is associated with physical damage to a hardware device, network device or software. Software destruction, in turn, can result from malicious code, a Trojan or the unintentional deletion of the kernel of an application. Similarly, data can be deleted intentionally or unintentionally, and deletion can also be caused by a malfunctioning device. Disclosure of data relates to confidentiality, i.e. access on a need-to-know basis. Data is easy to steal because the original copy still appears intact despite the theft. Data can be classified into many types, again depending on organizational requirements. For instance, trade secrets, upcoming financial results or long-term strategic plans of the organization can be classified as top secret, whereas customer information can be classified as confidential. Organizations conducting business online collect customer information via websites. Data can also be intercepted through unauthorized access to computing and electronic resources. Moreover, unauthorized remote access can also result in information being accessed from a remote location. Interruption can also affect system availability and may result from malfunctioning hardware or a power outage. Moreover, interruption of services can also be caused by a broadcast storm or network congestion that may lead to denial of service. Lastly, fabrication refers to the insertion of transactions into a database. Fabrication is often conducted by unauthorized parties in a way that makes it difficult to distinguish authentic transactions from forged ones. One example of fabrication is 'phishing'. Moreover, asymmetric and symmetric encryption techniques are considered as per requirements. Moreover, repudiation can be prevented by third-party certificate authorities.

Formal System Security

Management of information system security requires the development of an organizational structure and processes for ensuring adequate protection and integrity.
Likewise, for maintaining adequate security, an appropriate organization of relationships is required to maintain the integrity of roles and responsibilities. Moreover, a major strategy and policy is required to maintain and manage information system security. However, information system security will not be effective if the organization does not realize that information security must be considered a top-level management responsibility. Likewise, information security management must be driven by the board of directors and must be aligned with corporate governance. Corporate governance is defined as “the system by which the corporations are directed and controlled” (Von Solms & Von Solms, 2008). As it is the responsibility of the board of directors, if a top-down approach is not followed, there will be no effective security governance within the organization. Moreover, considering information security solely as a technical matter will result in the failure of an information security program. As technical controls can only prevent threats and vulnerabilities via a specific set of technical configurations, there is a requirement for information security management that demonstrates the performance and measurement of security metrics (Stamp, 2011). Examples include dashboards and balanced scorecards (Quigley, 2011) that show the current and required information security state of the organization. However, implementing information security governance at the top level cannot by itself resolve issues, as it is a multi-dimensional discipline. This is because information security management is a complex issue that must be reviewed and maintained on a periodic basis. Moreover, effective risk management should be in place so that organization-wide risks are identified in order to establish an effective information security management plan.
Organizations must maintain a minimum acceptable standard that will be considered the recommended best information security management practice. However, corporate information security enforcement is essential; it acts as a management control and defines purpose, scope, ownership, standards, configuration requirements, enforcement and revision history. Likewise, this policy will provide comprehensive details and will include all aspects of protecting the organization's information. Furthermore, in spite of information security governance, risk management, policy and policy enforcement, user awareness is essential. As the risk environment is constantly changing, every employee must be aware of effective practices and procedures for information security. A comprehensive training and awareness program by NIST addresses three levels of users, i.e. beginners, intermediate and professionals (Whitman & Mattord, 2010). Each group is addressed by customized user awareness training sessions that also include a computer-based testing environment.

Conclusion

For addressing confidentiality, integrity, availability, non-repudiation, authorization, authentication and risks, we have presented a framework. The two systems, i.e. formal and technical, and their coordination demonstrate technical, management and human interaction factors. However, protecting data and information in an organization is a collaborative effort, i.e. technical systems act as the core and incorporate all the technical aspects, with formal systems acting as the management aspect.

References

Denning, P. J., & Denning, D. E. (2010). The profession of IT: Discussing cyber attack. Communications of the ACM, 53(9), 29-31. doi:10.1145/1810891.1810904
Dhillon, G. (2007). Principles of information systems security: Text and cases. John Wiley & Sons.
Quigley, M. (2011). ICT ethics and security in the 21st century: New developments and applications. IGI Global.
Prin of computer security 2E (2010). McGraw-Hill Education (India) Pvt Limited.
Royal Canadian, M. P. (1992). Security: Technical security standards for information technology. Royal Canadian Mounted Police.
Stamp, M. (2011). Information security: Principles and practice. Wiley.
Von Solms, S. H., & Von Solms, R. (2008). Information security governance. Springer.
Whitman, M. E., & Mattord, H. J. (2010). Management of information security. Course Technology.
