Information Security Measures - Coursework Example

Extract of sample "Information Security Measures"

Information Security

Summary

Information security measures in organizational computing systems are no longer reactive, but proactive, with a focus on system design, communication, security culture, policy, and organizational structure. Design for security requires an understanding of security components; principles of security; and achievement of information security with administrative, physical, and technical safeguards. A study of information security in computing systems has been envisaged. The objective of the study is to identify security issues within a specific system. The study has been planned in several stages: review of relevant literature; study of architectures and measures in computing systems; case study of security issues within a specific system; and recommendations for good practices for information security. The study is expected to be completed in over a year, and resources at the University library and the computer laboratories have been considered adequate for the study. A risk assessment approach is necessary for the development of systems with an acceptable level of risk. The use of security standards backed with administrative and technical measures is a good practice for minimizing security risks.

Introduction

Computing applications have become ubiquitous in human endeavours, with applications ranging from simple processing of personal information to complex systems. The widespread growth in the use of computers has led to an increase in risks to security as well. Computers vulnerable to such risks could lead to a range of problems, from loss of information to failure of complex systems resulting in loss of life and property. Addressing computer security is of utmost significance in the design of systems. Organizations have been compelled to institute security systems and programs for the protection of information from increasing levels of threats (Knapp et al., 2009).

Security measures have evolved from addressing security breaches to managing those that have an impact on the economic growth of an organization. Information security is not about looking at the past of an attack faced; neither is it about looking at the present with the fear of being attacked; nor is it about looking into the future about the uncertainty that might befall us. It is about being alert at all times (Dlamini et al., 2009).

Review of Relevant Literature

Models of computer security such as the Bell-LaPadula model, the Biba model, and the Clark-Wilson model work within the confidentiality, integrity, and availability (CIA) framework. These models have been summarized in the Handbook of Information Security Management. Other models have been based on behavioural theory and criminology theory. The Bell-LaPadula model assigned access levels to data and information, and to users and processes capable of modifying data. Read permission was granted for objects at or below the subject's access level, write permission for objects at or above the subject's access level, and read-write permission for objects at the subject's own access level. The Biba model addressed integrity, and deals with confidentiality in a manner similar to the Bell-LaPadula model. However, within the Biba model, processes could not modify data stored at the higher level. The Clark-Wilson model has a focus on integrity, well-formed transactions and separation of duties. Other CIA models include the Sutherland model, the Brewer-Nash model, and the Goguen-Meseguer model. However, these goal-oriented models are limited in the defence against computer misuse.

Several computer models have a focus on individual behaviour, such as the theory of planned behaviour (TPB), the theory of general deterrence (TGD), and expected utility theory. Intentions are based on factors including attitude, subjective norms, and perceived behaviour controls. The TPB model has been an excellent choice in the prevention of computer misuse. Straub's computer security model suggests a three-layered defence: deterrents based on TGD, preventives, and detectives. Deterrents have been helpful in reducing the amount of misuse within organizations. Preventives have been effective against internal and external threats as they limit access to systems, and detectives alert system administrators for adequate corrective action (Foltz, 2004).

Organizations in the past have focussed on compliance with regulations. However, there has been a growing realization that a bare-bones, minimal-requirements approach to security is unacceptable, and that thinking like a blackhat might be a better approach to security. This requires embedding security into the culture, assessment of threats, assessment of likelihood and impact, regular review, addressing the biggest risks, and regular monitoring (Bunbury, 2009). A comprehensive framework should be developed by organizations for cultivating a security-aware culture (Veiga & Eloff, 2009). Communication, security culture, policy, and organizational structure were the most common factors associated with computer and information security (Kraemer & Carayon, 2007). BS7799, BS ISO/IEC17799: 2000, GASSP/GAISP and the SSE-CMM are generic international information security management guidelines.

Design for security requires an understanding of security components; principles of security; threats, vulnerabilities, control measures and assurance of information; and achievement of information security through administrative, physical, and technical safeguards. Security could be achieved by addressing the components: confidentiality, integrity, availability and accountability. Data or information not being made available to people or processes that are not authorized is the confidentiality property. Data or information not being altered or destroyed without authorization is the integrity property. Data or information being accessible and useable when demanded by an authorized person is the availability property. The ability to audit the actions of people or processes and a determination of whether the actions are appropriate is the accountability property. The accountability principle, awareness principle, ethics principle, multidisciplinary principle, proportionality principle, integration principle, timeliness principle, reassessment principle, and equity principle are generally accepted system security principles published by the International Information Security Foundation (International Information Security Foundation, 1999).

There are numerous threats to information systems, which could originate from within and outside organizations. An information security risk assessment is the foundation for the security plan. Such a plan seeks to apply measures that reduce risks to acceptable levels. Policies, procedures, and technology form the control measures. Administrative safeguards include actions, policies and procedures for the selection, development, implementation, and maintenance of measures. Physical safeguards include actions, policies, procedures and measures for controlling access to information assets such as sites, servers, and networks. Technical safeguards include measures for information security and integrity (NIST, 2009). According to the principle of information security safeguards, data controllers must use an adequate level of safeguards before processing information. Data controllers need guidelines for the design, implementation, and operation of technological and organizational measures for the protection of information (Dayarathna, 2009).

Aims and Objectives

A study of information security in computing systems has been envisaged. A broad aim of the study is to understand information security in computing systems. A specific aim of the study is to explore issues in the security of computing systems. The objective of the study is to identify security issues within a specific system. The School of Mathematical and Computer Sciences at Heriot-Watt University conducts research in the field of computer science with a focus on issues that could arise from developments in computer science.

Methodology

The initial stage of the project would have a focus on the study of information security issues in computing systems. Relevant literature on the subject would be reviewed. The second stage of the project would emphasize system architectures and measures that form the underlying principles of information security. The third stage would involve a case study of information security issues within a system. This could include a system within the University laboratories or an external system. The system architecture and measures would be examined, and issues discussed. The fourth stage would involve recommendations for good information security practices. The final stage would include synthesis of results and compiling the thesis. Resources available at the University library and computer laboratories have been considered adequate for the study.

Project Management

A literature review on technical issues in information security in computing systems would be presented. A case study would be presented illustrating some of these issues in computing systems. Recommendations for good practices in information security in computing systems would be presented. A schedule for the management of the project has been illustrated in table 1.

Table 1. Project Management

Stage | Activity | Timeline | Deliverable
1 | Review of Relevant Literature | 02/11/2009-22/02/2010 | Literature review on technical issues
2 | Study of Architecture and Measures in Computing Systems | 01/03/2010-23/08/2010 | Findings on architecture and measures
3 | Case Study of Information Security Issues in a Specific System | 30/08/2010-18/10/2010 | Findings on architecture and measures
4 | Recommendations on Good Practices for Information Security in Computing Systems | 25/10/2010-22/11/2010 | Recommendations on good practices
5 | Thesis Preparation | 29/11/2010-27/12/2010 | Thesis

Conclusion

Widespread growth in the use of computing systems has led to an increase in risks to the security of these systems. Computer security models have been developed based on CIA and behaviours, providing various degrees of security. An understanding of security principles and architectures is necessary for achieving security in computing systems. A risk assessment approach is necessary for the development of systems to reduce risk levels to an acceptable level. Good practices suggest the use of security standards backed with administrative and technical measures to minimize security risks.

References

Bunbury, P. (2009). Moving from compliance-based security to a risk-based security model. Computer Fraud & Security. 2009 (9), 14-17.

Dayarathna, R. (2009). The principle of security safeguards: Unauthorized activities. Computer Law & Security Review. 25 (2), 165-172.

Dlamini, M., Eloff, J. & Eloff, M. (2009). Information security: The moving target. Computers & Security. 28 (3-4), 189-198.

Foltz, C. (2004). Cyberterrorism, computer crime, and reality. Information Management & Computer Security. 12 (2), 154-166.

International Information Security Foundation. (1999). Generally Accepted System Security Principles. Available: http://www.infosectoday.com/Articles/gassp.pdf. Last accessed 18 October 2009.

Knapp, K., Morris, F., Marshall, T. & Byrd, T. (2009). Information security policy: An organizational-level process model. Computers & Security. 28 (7), 493-508.

Kraemer, S. & Carayon, P. (2007). Human errors and violations in computer and information security: The viewpoint of network administrators and security specialists. Applied Ergonomics. 38 (2), 143-154.

NIST. (2009). Computer Security Resource Center. Available: http://csrc.nist.gov/. Last accessed 18 October 2009.

Veiga, A. & Eloff, J. (2009). A Framework and Assessment Instrument for Information Security Culture. Computers & Security. Available online.