
The Primary Objectives of Information Security - Coursework Example

Summary
This coursework "The Primary Objectives of Information Security" focuses on the objectives of the protection of information from a wide variety of threats, such as being accessed by unauthorized persons, disclosed, sold or destroyed without the consent of the owner of the information. …

Extract of sample "The Primary Objectives of Information Security"

Information Security
Introduction
Information security is the protection of information from a wide variety of threats, such as being accessed by unauthorized persons, disclosed, sold or destroyed without the consent of the owner of the information (Whitman & Mattord, 2011, p.399). Thus, the primary objectives of information security are to ensure the privacy, reliability and accessibility of information. Information security is becoming one of the most important concerns in almost every profession and every field of life. It is a business issue, not just a technology issue. Sensitive information about consumers and employees, finances, inventories, payments and research work is maintained by governments, organizations, companies, banks, armed forces, healthcare sectors and so on. This corporate information is the most crucial asset of a company and is at stake if proper measures are not taken to deter security attacks.
The information may be stored in any form. For example, it may be in printed form; stored in files and documents; saved on computers' hard disks; shown on video tapes; or transmitted by post, email or any other physical or electronic means. Organizations very rightly plan to invest in information security so as to protect themselves against competitive disadvantage and criminal access to confidential information (Layton, 2006). Companies and corporations need to secure the information they share with their consumers to cope with a delicate and sensitive business environment. A company's sensitive information is put at stake mostly because the authorized staff who handle it are illiterate in information security. Secret business data can always be disclosed, altered and misused as a result of this illiteracy.
Designing an Information Security Policy
Designing an information security policy is the first and foremost step towards the implementation of information security (Peltier, 2004). It is vital for a company or an organization to design and implement a security policy for the protection of information before starting sensitive projects. Danchev (2003, p. 3) states that: "The first step towards enhancing a company's security is the introduction of a precise yet enforceable security policy, informing staff on the various aspects of their responsibilities, general use of company resources and explaining how sensitive information must be handled. The policy will also describe in detail the meaning of acceptable use, as well as listing prohibited activities."
A security policy acts as a crucial centralized document that helps in eliminating the risk of security breaches by keeping confidential information stores from being disclosed to unauthorized persons. It defines the importance of a company's information assets and lays out guidelines on how these assets are to be secured. Danchev (2003) says that a well-developed security policy must tell how sensitive information is going to be handled; what methods should be followed to protect important IDs and passwords along with other accounting data; what steps must be followed in case of intrusion or a physical security threat; how to use the Internet and networks in a safer way; and how to use the email system without becoming a victim of malicious attacks.
Information Security at Physical Level
Information security at physical level is defined as a blockade placed about a computing system using secured operating systems and other protective measures to prevent unauthorized access to the information stored on it.
This kind of information security, whose main objective is to secure the information saved in computer systems, can also be referred to as computer security, cyber security or logical security, in which information is protected from unauthorized access by operating systems and special software. Moreover, the physical security of the hardware has to be ensured, along with the guarantee that the servers are running smoothly and have internet access. Computer systems today, because of the precious information stored on them, have become more prone than ever before to physical attacks such as data theft, copying and selling of information, hacking and viruses. If such an attack occurs, the enemy easily gets access to the information stored on the computer system. He can use different methods to access this information: he can remove the hard disk of the target computer system and later run it on his own system; he can use techniques to start the system with no passwords; he can steal the information by copying it onto disks; he can damage the whole system by running files on it that contain viruses; or he can steal the whole system, be it a desktop, a laptop or a PDA (personal digital assistant).
Information Security Threats
"A threat is defined as an event (for example, a tornado, theft, virus infection), the occurrence of which can have an undesirable impact on the well-being of an asset" (Kallhoff, 2007, p.1). In the field of computers, internet and networking, information security threats are categorized as computer and network security threats, environmental threats, electrical threats, political threats and maintenance threats. Some of the major computer information security threats include theft, fraud, backdoor, DoS (Denial of Service) attacks, data flood, malicious code, document grinding, and enumeration.
Frauds, such as gaining access to computers that control access to important resources like inventory systems and financial accounts, are more likely to be attempted by authorized persons, who are also referred to as insiders, and the situation is called employee sabotage. Bogue (2003) states that, "Sometimes those who are gaining access to a system are not cyberterrorists; they're just curious employees who want to learn more about the systems or perhaps play with some settings to see if they can allow themselves a greater ability to control their PCs."
Network security threats include malware, anti-DNS pinning, banner grabbing, backjacking, hacking, land attack, blue boxing, domain hijacking, and the list continues. Environmental threats include fire, windstorms, rainstorms, snowstorms, torrents, tornados, lightning, roof leaks, very high or very low temperature, heavy dust, earthquakes and moisture, which can harm the computer system or network at a very high level and thus pose a threat to the information saved on it. Electrical threats include sudden surges or spikes in the power supply or voltage, congested electrical outlets, blackout (power loss or electricity failure) and brownout (inadequate voltage supply). There are also political threats, from which the organization, the system and the information have to be secured.
Approaches to Deter Information Security Attacks
Physical Security of Hardware
The first and foremost thing is that the system which contains sensitive and crucial information should be kept away from public places (Vacca, 2012, p.931). You need to make sure that the enemy does not get access to the computer system (routers, control boards, servers, electronic components), as stealing of information comes at the next stage. Use the 'lock everything' approach.
Physical security may start from as little a thing as locking the doors and windows and using security systems like burglar alarms and security cameras with automatic log footage, and end at as complex a method as securing the whole network. One must look for devices that lock the computer cases to desks and lock the disk drives and the CPU as well. The system must be password protected. The BIOS of the system must be configured so that it does not boot from a floppy drive being used by the intruder.
Although laptops and PDAs are in very common use nowadays, they are also prone to theft because of their size and portability. It is very important to ensure the security of these handy systems and the information they contain. If this information includes sensitive business information, then it should be ensured that unauthorized persons are not granted access. This way, if the system gets stolen, the information will remain secure. Moreover, it is a matter of common sense to keep a portable system like a laptop or a PDA along wherever one goes, or to lock it using cable-type security locks.
An important technique is to make backups of files containing important data. This way, one will always have a copy of the information that is lost. Doing so also helps in identifying the crucial information that will be under threat, and thus one can carry out the necessary steps to restore the information to a certain level.
Physical Security of Networks
In a network, the computers that hold sensitive information and network passwords must be physically secured (Engebretson, 2007, p.154). These may be kept in a separate room that is physically secured away from the public. All sensitive servers and networks should be secured from the enemy by means of firewalls, code encryption and decryption (cryptography) and an intrusion detection system, because if the server has been physically accessed, it is very easy to reboot it and gain access to its hard drives.
Conclusion
Information security has become the most important consideration in nearly every field of life. Businesses, organizations, firms, healthcare centers, financial corporations and the military are always implementing newer ways to help secure the sensitive information saved in their hard copy documents and electronic means. As technology is being incorporated more and more into almost every profession, the need for information security also grows with every passing day. Whether it is a child communicating with his friends over the internet or a business sharing its confidential information through online collaboration tools, the security of the information being exchanged must be ensured, so that it does not get into the wrong hands to be disclosed, misused or sold without the consumer's consent.
References
Bogue, R.L. (2003). What is physical security? Lock IT Down: Don't Overlook Physical Security On Your Network. Retrieved March 8, 2014, from http://www.techrepublic.com/article/lock-it-down-dont-overlook-physical-security-on-your-network/#.
Danchev, D. (2003). Building and implementing a successful information security policy. WindowSecurity.com. Retrieved March 9, 2014, from http://www.windowsecurity.com/pages/security-policy.pdf
Engebretson, D.J. (2007). Guide to Networking for Physical Security Systems. New York, NY: Security Networking Institute.
Kallhoff, J. (2007). Physical security threats. Global Information Assurance Certification. Retrieved March 7, 2014, from https://www.giac.org/cissp-papers/287.pdf
Layton, T. (2006). Information Security: Design, Implementation, Measurement and Compliance. New York, NY: CRC Press.
Peltier, T.R. (2004). Information Security Policies and Procedures. Florida, CRC Press.
Vacca, J.R. (2012). Computer and Information Security Handbook. New York, NY: Newnes.
Whitman, M., & Mattord, H. (2011). Principles of Information Security. Boston: Cengage Learning.