
Information Security Fundamentals - Book Report/Review Example

Summary
The author concludes that the position of the information security professional has transformed over the past years and will change more. Executing controls to be in conformity with audit needs is not the manner in which a program should be run. There are restricted resources accessible for controls…

Extract of sample "Information Security Fundamentals"

Information security refers to the practice of shielding information from illegal use, access, disclosure, perusal, modification, disruption, inspection, destruction or recording (Peltier, Peltier & Blackley, 2005). It is a universal term, which can be used irrespective of the form the data might take. Successful security procedures and rules do not exist for their own sake; they are created to safeguard vital assets and so support the overall business goals. Classifying security as a business enabler is the initial step in developing an efficient program.

Information Security Fundamentals allows future security experts to acquire a solid knowledge of the fundamentals of this area, as well as the full variety of issues that practitioners must tackle. The volume allows learners to comprehend the key elements that make up an effective information security program and, in the long run, to relate these concepts to their individual efforts (Peltier, Peltier & Blackley, 2005). It assesses the fundamentals of computer security, worker roles and responsibilities, and the common threats involved in this field. It assesses the need for policies and procedures, management controls, and risk analysis, and presents an all-inclusive list of objectives and tasks that frame a typical information security program. The book discusses organization-wide regulations along with their documentation, and business and legal requirements. It discusses policy format, centering on worldwide, topic-specific, and application-specific regulations. After a review of asset organization, the volume studies access control, the elements of physical security, and the processes and foundations of risk management and risk analysis. Information Security Fundamentals ends by discussing business continuity planning, comprising recovery strategies, preventive controls and methods of conducting a business impact analysis.
This paper will present a concept review of this volume and explain the relevant conceptual material (theories, concepts) from the course. The book mainly centers on seven concepts: more than just computer security, elements of information protection, roles and responsibilities, common threats, policies and procedures, risk management and typical information protection program (Peltier, Peltier & Blackley, 2005).

Elements of Information Protection

Information protection must endorse the mission of the enterprise or the business objectives. The senior management has two essential responsibilities: a duty of care and a duty of loyalty, which means any decision they make should be made considering the interest of the business. Information protection should be cost effective. Executing controls anchored in edicts is contrary to the business environment (Peltier, Peltier & Blackley, 2005). Information protection accountabilities and responsibilities must be made open, because for any program to be effective it will be essential to publish a policy statement on information protection. Information protection must be periodically reassessed (Peltier, Peltier & Blackley, 2005). The authors provided these elements so that security professionals will not lose sight of their objectives and goals.

More Than Just Computer Security

Providing useful information protection needs a wide-ranging approach, which considers many areas both in and outside the IT field (Peltier, Peltier & Blackley, 2005). In this section, the authors argue that an information protection program is more than developing controls for computer-stored data. In 1965, the suggestion of the "paperless office" was first pioneered. The initiation of third-generation computers led to this concept. Access to information, as well as the environments that process it, is dynamic.
Technology and its users, the data in the systems, the risks connected to the system, and security requirements are ever shifting (Peltier, Peltier & Blackley, 2005). The capacity of information protection to endorse the mission of the enterprise or business objectives might be restricted by a number of factors, like the current attitude toward controls (Peltier, Peltier & Blackley, 2005).

Roles and Responsibilities

The senior management has the decisive task of safeguarding its organization's information resources. One of these roles is the endorsement of a Chief Information Officer (CIO) (Peltier, Peltier & Blackley, 2005). This officer directs the business's day-to-day supervision of information resources. The security administrator and the ISSO should report straight to the CIO and are answerable for the day-to-day management of the information protection program. Supporting responsibilities are carried out by the service providers and comprise systems operations, whose employees design and run the computer systems (Peltier, Peltier & Blackley, 2005). They are charged with applying technical security on the systems (Peltier, Peltier & Blackley, 2005). Telecommunications is liable for offering communication services, including data, voice, video, and fax.

Common Threats

According to these authors, information processing systems are susceptible to numerous threats, which can impose various types of harm that can lead to significant losses (Peltier, Peltier & Blackley, 2005). This harm can range from errors damaging database integrity to fires obliterating entire complexes. Losses can arise from the actions of allegedly trusted workers swindling a system, from exterior hackers, or from sloppy data entry (Peltier, Peltier & Blackley, 2005). Precision in approximating information protection-associated losses is not likely, because some losses are never revealed, and others are concealed to avoid adverse publicity.
The loss of a business's physical facility or its supporting infrastructure can lead to serious problems and makes up 8% of information protection-associated problems (Peltier, Peltier & Blackley, 2005).

Policies and Procedures

An information protection policy or plan is the documentation of the enterprise's decisions on managing and protecting information (Peltier, Peltier & Blackley, 2005). In making these rulings, managers face tough choices concerning competing objectives, resource allocation, and organization strategy connected to securing both information and technical resources and guiding worker behavior (Peltier, Peltier & Blackley, 2005). When developing an information security policy, it is best to comprehend that information benefits the enterprise and is an asset of the business. Therefore, information goes past the limits of IT and is present in all fields of the enterprise. To be useful, an information protection policy should be part of the business asset management program and be enterprise-wide (Peltier, Peltier & Blackley, 2005).

Risk Management

Risk is the likelihood of something unfavorable taking place (Peltier, Peltier & Blackley, 2005). Risk management, on the other hand, is to recognize those risks, evaluate the probability of their happening, and then take the necessary steps to lessen the risk to a satisfactory level. All risk analysis processes apply the same method. Establish the asset to be assessed. Recognize the risks, vulnerabilities, threats, or issues. Study the likelihood of the risk happening and the implication to the asset or the group should the risk be realized (Peltier, Peltier & Blackley, 2005). Then identify controls that would bring the impact down to a satisfactory level. The book helps the reader comprehend qualitative risk analysis, and it then gives examples of this procedure.
To make sure that you get a proper exposure to risk analysis, the volume presents up to eight diverse methods, ending with the Facilitated Risk Analysis Process (FRAP) (Peltier, Peltier & Blackley, 2005).

Typical Information Protection Program

As years have passed, the computer security group charged with access management and disaster recovery planning has developed into the enterprise-wide information security group (Peltier, Peltier & Blackley, 2005). This group's ever-expanding roles and responsibilities comprise risk analysis, firewall control, virus control and response team, business impact analysis (BIA), computer crime investigation, computer emergency response team (CERT), encryption, records management, voice-mail, e-mail, video-mail policy and internet, industrial espionage controls, legal issues, internet monitoring and disaster planning (Peltier, Peltier & Blackley, 2005). In addition to such elements, the security expert now has to make sure that standards are assessed and acted upon where necessary. This volume talks about these new standards in depth (Peltier, Peltier & Blackley, 2005).

Summary

The position of the information security professional has transformed over the past years and will change more and more. Executing controls to be in conformity with audit needs is not the manner in which a program should be run. There are restricted resources accessible for controls. To be efficient, the information users and owners should accept the controls. To meet this end, it will be essential for information protection experts to launch winning partnerships with their constituencies.

Reference

Peltier, T., Peltier, J., & Blackley, J. (2005). Information security fundamentals (1st ed.). Boca Raton, FL: Auerbach Publications.