
Framework and Assumptions for Creation of Information Security System - Coursework Example

Summary
The paper "Framework and Assumptions for Creation of Information Security System" discusses that before understanding the concepts of online system security, it is necessary to attain a detailed understanding regarding the type of security breaches that might occur in the present information network…

Extract of sample "Framework and Assumptions for Creation of Information Security System"

Information System Security

Table of Contents
Introduction
Discussion
Certification Standards of the Information Security System
Framework and Assumptions for Creation of Information Security System
Necessity of Information Security System
Information System Security from a Management Perspective
Security Issues Associated with Management of an Information System Security and the Appropriate Risk Management
Cryptographic Concepts Associated with the Information System Security
Information System Security Breach
Conclusion
References

Abstract

Advancement in information technology (IT) has undoubtedly yielded significant benefits to individuals, business and government. However, the dazzling growth in IT has also been accompanied by increasing risks such as unauthorized access to information, data tampering and issues concerning the protection of sensitive data. All these threats have created a greater requirement for an information security system (ISS). Correspondingly, the objective of this report was to understand the various aspects of ISS. Beyond this understanding, the discussion also evaluated the steps for creating an effective ISS and maintaining it accordingly. The later sections of the discussion highlighted the security types, focusing on the encryption and decryption aspects. The findings from the study revealed that an effective information security system is crucial for safeguarding the interests of an organization and ensuring its competitiveness and sustainability in the present competitive market scenario. It was ascertained that while creating an ISS, it is crucial to consider the threat aspects so as to ensure a reliable and secure information system.

Introduction

‘Information Security System (InfoSec)’, in technological terms, can be described as an interconnected security-based system that specifically aims at safeguarding crucial digitized information from unauthorized access by any type of unreliable source or individual [1]. Such unreliable access might significantly harm the stored digitized data in terms of ‘disclosure’, ‘modification’, ‘crashing’ or even ‘disrupting’ it [2]. The concept of ‘Information Security System’ has gained a significant amount of preference within the past few years [3]. This is mostly because of the changing pattern of marketing trends and the level of competition; industries are becoming more and more concerned about confining their organizational information to prevent competitors from imitating it. Adding to that, due to digitization and e-commerce related concepts, the majority of organizational information is transformed into digitized form for effective storage and evaluation, which further increases the chances of online security issues occurring [4].

As a result, almost all organizations in the present scenario are establishing their own security domains. The prime intention is to preserve integrity as well as information privacy. All of this has gradually contributed to an appreciable level of improvement in data security and policy standards. One common example in this context is the establishment of firewall security within every data storage facility of the business process, which to date has proved its significance and effectiveness in safeguarding data. The objective of this report is to critically evaluate the underlying concept of information security systems. Moreover, the report will also provide details regarding how to create and maintain secured information systems, and regarding security issues [5].

Discussion

Figure 1

The above-illustrated figure gives a detailed description of how the concept of a firewall (Information Security System) works. In this figure, the main node represents the primary platform, which has access to all the server platforms within the organization’s data warehouse. Through this primary platform, the organization’s employees, or the customers in the case of an e-commerce business process, channel control and requirement-specific information to all the connected sub-nodes that are continuously accessed. Adding to that, the main purpose of the firewall is to prevent unauthorized nodes from getting access to the primary node, which in turn might lead to data on the main servers being harmed [6].

Certification Standards of the Information Security System

There does not seem to be any certification standard for the system itself; however, establishing these kinds of systems requires the involvement of individuals who are in turn certified in the area of information security. Adding to that, there are multiple certification standards against which professionals in this area are verified [7]. One instance is the ‘Certified Information Systems Security Professional (CISSP)’, which was the first ‘ISO/IEC Standard 17024’ globally certified program in the area of information security. Business organizations generally hire individuals who are CISSP certified as security domains. These hired individuals are responsible for defining and designing the organizational information security architecture through the installation of various security tools and the setting up of safety protocols [8].

Framework and Assumptions for Creation of Information Security System

The architectural framework for the information security system generally describes the systematic procedure undertaken while defining the architectural policies and structure.
Adding to that, there appear to be multiple types of Information Systems Security (ISS) architecture that are implemented depending on organizational needs. Some examples of architectural frameworks are provided below [9].

Diagrammatic Representation of the Flow Chart for Creating an Information Security System
Source: [10]

The flow chart provided above gives an understanding of the architectural framework of the Information Security System. The points mentioned within the flow chart describe the stages in the establishment of an ISS by a certified domain within an organization. The primary step in establishing the ISS is the policy definition step. In this step, the domain takes into consideration the company’s data hiding requirements and, based on that, the policies are defined [11]. This step is followed by the second step, in which the scope of the ISS is defined. In this step, the necessity of establishing the ISS is also defined based on certain specific areas. The third stage concerns risk assessment followed by effective management. In this stage, the possible chances of attack on the system are identified, based on which appropriate measures are taken into consideration. An instance of this aspect is the setting up of the allowable gateway ports for safe access to the authentic and private organizational data [12]. This step is followed by the fourth step, which is all about the selection of appropriate equipment that will be necessary for maintaining specific control over the system, for instance the selection of hardware and software based switches, routers, splitters, server equipment etc. The final step concerns identifying the areas of applicability of the previously defined steps [13].

Necessity of Information Security System

The necessity of establishing an effective information security system can be described by considering three crucial factors, which are provided below.

Safeguarding of Business Integrity

Seen from a business perspective, effectiveness within a business process can be attained by maintaining data confidentiality and integrity. Every business organization within this competitive era needs to safeguard its organizational and work-related information so as to prevent other competitive players from imitating it. As for the negative consequence, if the business process of one organization is imitated by others, there is a risk that the business process may lose its market reputation as well as its market share due to the availability of substitutes. Thus, the necessity of the information security system can be felt in this context. ISS provides scope for the execution and management of crucial data so as to preserve the integrity of the organization [14].

Safeguarding of the Customer’s Assets

Attaining the customer’s trust is one of the crucial factors that might contribute towards ensuring the sustainability of the business process in this digital era. This is because, as part of recent development, the majority of monetary transaction processes have moved online so as to improve the level of convenience for both organizations and customers. A common instance that fits this context is e-banking. In the present-day context, business transactions between banks and customers generally happen online. Thus, there is a significant chance of fraud and information theft occurring at any possible instance.
In this context, an effective information system helps both the customers and the banking organizations to manage their processes safely and systematically so as to prevent negative consequences. One instance is the introduction of a password protection policy for card transactions and online purchasing services [15].

Safeguarding Customer Confidentiality

Information system security also helps organizations such as banks and insurance services to safeguard the confidential information of their customers and thus attain their trust and loyalty. In a general sense, it can be stated that customers always want their asset-related information to be kept safe and confidential. This is because leakage of this kind of information might raise concerns for customers as well as turn the sustainability of the business process into a liability [16]. These are some of the facts that prove the importance of implementing an effective information system security tool.

Information System Security from a Management Perspective

Information system security does play a specific role in systematically managing employee-related information within organizations. This kind of organization-based information security system requires a group of experienced executives drawn from every department, who bring the expertise of each department. Furthermore, this kind of ISS contains data on various aspects such as ‘date of birth’, ‘joining date’, ‘employee performance reports’, ‘related complaints’ and many more. Based on these specific data, decisions either in favor of or against employees are taken accordingly [17].

Security Issues Associated with Management of an Information System Security and the Appropriate Risk Management

Source: [18]

The above-illustrated diagram describes the risk management steps that are generally carried out in information system security.
The detailed description of this section is provided below. Security issues within information system security can be described as the existence of possible chances of error that might harm the quality as well as the functionality of the system and incur additional cost for the organization. Since the information security system is mostly confined to the effective management and safeguarding of the digitized data within the organization, there are multiple possible chances of data errors in this regard. A few of these data error types are listed and described below [19].

Seen from the perspective of statistical data collection within an organization, two main types of data errors might arise. The first type is the collection error and the second type is the corruption error. In the case of collection errors, the possibility of a defect arises during the collection process. A common example is the recording of redundant data due to a mistake by the collector. The second type of error might appear due to certain faults within the storage or the execution process of the data [20].

As a corrective measure, organizations need to implement the concepts of risk assessment and risk management with the prime intention of identifying the chances of such harmful events occurring. As a result, these two aspects form necessary elements of the information security system. The steps within the risk management process generally include planning, analysis, implementation, control and monitoring, the systematic representation of which is provided in the above diagram [21]. In addition, these five steps also find specific positions within the definition of the security-related policies. By contrast, the risk assessment procedure remains confined to analyzing the possible risk factors that might suddenly appear out of the void.
In general terms, risk assessment is all about repeating the cycle of risk management within a specific time. Thus, it can be stated that the concept of cryptography finds a significant level of acceptance and preference in the area of information system security [22].

Cryptographic Concepts Associated with the Information System Security

The concept of cryptography is quite interesting and finds a significant level of applicability in the area of information system security. This concept is described on the basis of the diagram provided below.

Source: [23]

The diagram presented above reflects that data generally exists in three main forms. The first form is the stored or dormant form. In this form, the data either remains stored within a storage device or remains unused. The second stage of data existence is the transmission stage, where the data undergoes transmission from one point to another. The third and final stage is the data processing stage, where the data undergoes simultaneous processing as well as storage [24]. Out of the three stages of data existence, only the first and the second stages are vulnerable to data tampering activities. As a corrective measure, data in these two stages is often subjected to encryption so as to prevent easy access to it by unauthorized sources. This is where the concept of cryptography appears. In general terms, cryptography can be described as the process of enciphering the authentic data with some sort of cryptographic algorithm, the details of which are provided below with an example [25].

Source: [26]

The diagram provided above gives a glimpse of how the process of encryption and decryption actually works. In the example provided above, the word ‘HELLO’ represents the actual data, which might be either in the stored form or undergoing a transmission process. Thus, the data at this stage is vulnerable to sudden attacks from unauthorized sources.
What the encryption and decryption process actually does is change the meaning of the actual data through the application of certain mathematical steps embedded within the algorithm, and then transmit it [27]. Only the receiver of the encrypted file possesses the decryption key and thus can decode the coded data into its original form, which prevents the chances of the data being tampered with or accessed without authorization. Hence, it can be stated that the concept of cryptography finds a significant level of applicability and preference in the area of information system security. Similar is the case with the decryption algorithm. As a point of criticism, however, the firewall protocols within the commercial sectors have to date not been developed to a great extent, and thus the chances of information theft and account fraud still exist [28].

Information System Security Breach

Before understanding the concepts of online system security, it is necessary to attain a detailed understanding of the types of security breaches that might occur in the present digitized information network. Moreover, based on this understanding, effective information system security models and policies can be defined accordingly. In general terms, an internet security breach can be described as a destructive or illegal process conducted with the prime intention of bypassing the established information security protocols of an organization through certain specific loopholes. Breaches of this kind are often conducted with the intent of jeopardizing valuable stored organizational data, which might cause a significant amount of financial as well as reputational harm. Information system security can be of multiple types, the details of which are described in the later sections of this discussion [29].

Present Trend of Information Breach

If the breach records of the past few years are taken into consideration and evaluated effectively, it can be found that, due to the digitization of information within the financial sector, the scope for finance-related security breaches has increased accordingly. Multiple cases of financial fraud related to customer as well as proprietary information, along with unauthorized outsider system access, have arisen over the past few years. This has put at risk the survival of multiple business organizations along with the interests of common customers [30].

Steps of Handling Information System Security Breaches

Handling information security breaches has always been a complex task for organizational security domains as well as law enforcement bodies. As a result, the federal system has structured five appropriate stages for effectively handling such security breaches. The mentioned five stages have been provided in the diagrammatic representation as provided above. The details of each of these steps are explained below [31].

Prevention

In this stage, all infrastructure-related data of the company is monitored and recorded from the perspective of the attacker so as to understand the existing loopholes within the system. The areas taken under consideration include the internal and external users of the system, business operations and vulnerable areas. Seen from the attacker’s perspective, the areas taken into consideration include ‘assessment of security related risks’, ‘security audits’, ‘testing related to active loopholes and system penetration probabilities’, and ‘security patches and system updates’ [32].

Detection

This stage generally comprises decisions regarding the factors that need to be accepted and those that need to be rejected by an organization in the context of its information security requirements.
This also includes the selection of appropriate tools and gadgets for establishing effective control, for instance the selection of routers, firewalls, data storage applications and digital tools for maintaining activity logs, among others [33].

Containment

This stage is all about minimizing the level of information damage or loss with respect to a specific kind of attack. It is also followed up by defining the responsive strategies that might minimize the level of negative impact on the organization during an information security breach [34].

Investigation

In this stage, a specific investigation is conducted into the causes that led to the attack. The steps within the investigation are carried out based on the traced evidence of the attack. Adding to that, further security decisions are made depending on the facts obtained from the investigation [35].

Resolution and Reporting

This is the final stage of the security breach handling procedure. This step is followed by the summarization and preparation of the final reports and policies so as to prevent any scope for future attacks. The step also includes the creation of various sorts of legal filings and documentation in respect of the case findings [36].

Conclusion

From the above discussion, multiple facts can be drawn regarding the various aspects of the information security system. These aspects include the possible scope and the possible risks associated with it. Additionally, based on this, multiple conclusions can be drawn regarding the implementation of effective security-related policies that might prove vital in safeguarding the integrity and the authenticity of the crucial data of organizations.

References

Cavusoglu, H., Mishra, B., & Raghunathan, S. (2004). The effect of internet security breach announcements on market value: capital market reactions for breached firms and internet security developers. International Journal of Electronic Commerce, 9 (1), 69-104.
Ioannidis, S., Keromytis, A. D., Bellovin, S. M., & Smith, J. M. (2000). Implementing a Distributed Firewall. Abstract, 1-10.
Ling, A. P. A., & Masao, M. (2011). Selection of model in developing information security criteria on smart grid security system paper. Introduction, 1-7.
Rasmussen, J. (1997). Risk management in a dynamic society: a modeling problem. Safety Science, 27 (2), 181-213.
Stallings, W. (2014). Cryptography and network security. Chapter 2, 1-68.
Stoneburner, G., Goguen, A., & Feringa, A. (2002). Risk Management guide for information technology systems. NIST Special Publication, 1-55.
Tittel, E., Stewart, J. M., & Chapple, M. (2004). CISSP®: certified information systems security professional study guide, 2nd edition. Sybex Index, 649-677.
Whitman, M. E. (2004). In defense of the realm: understanding the threats to information security. International Journal of Information Management, 43-57.
Wiederhold, G. (1991). Mediators in the architecture of future information systems. Stanford University, 1-36.