The Importance of Information Security - Research Paper Example

Knowledge and Information Security [Type the [Pick the Introduction The cyberspace continues to get overloaded with the information that is being fed every micro second. From exchange of few texts on messengers, to highly confidential state secrets, all of this information has occupied some place within the cyberspace (Von Solms, 2000). The evolution of information technology in the recent past has eased out life style of billions of people; it has transformed their routine business, social interaction, and leisure seeking activities. Day by day, the involvement of internet continues to grow in one’s life, this lightning fast expansion of digitalized world has its pros and cons (Whitman & Mattord, 2011). First of all the speed at which the information is processed and used is exponential, it saves time and energy; however, the extensive networking with in the cyberspace is not stronger than a bubble, a slight infringement may cause it to collapse. The mesh of links among people, organizations and governments has made the cyberspace a highly complex, yet an extremely expensive entity (Whitman, 2003). The complexity of cyberspace is attributed to the technological advancements in the architecture of operating systems; while the knowledge or the information that is carried by the cyberspace, makes it a priceless entity. The margin of negligence tends to decrease, and this continues to build pressure on the stakeholder involved. No one can deny the power of knowledge, it is a weapon that can turn the world upside down within few seconds, and therefore, protection of such vital asset is imperative. The phenomenon of safeguarding the information is referred to as information security. Defining information security is not an easy task, considering the rapidly transforming world of information technology. However, in an attempt to define the phenomenon of information security, one can suggest a few important aspects that tend to remain vital for information security, and by analyzing the various aspects, one may reach to a reasonable definition (Kissel, 2011). The purpose of building up information security is to prevent unauthorized access and malicious intervention (Peltier, et al., 2005). Further, it must provide safe channel for access to information providers and sharers. Information security can thus be defined as “the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability” (Kissel, 2013, p. 94). The dichotomy of this definition reveals two basic elements of information security that are preservation of information, and prevention from adulteration or misuse. Over the last seven to eight years, the governments have stated taking keen interest in information security (Singh, et al., 2014). They consider cyber warfare as a threat to their sovereignty; moreover, the episode of the WikiLeaks must not be overlooked. The WikiLeaks is a nonprofit organization, which is run by whistleblowers from different area. The whole concept behind the development of such an organization is quiet controversial. Some people are of the opinion that there is no harm in having such an organization as far as they reveal the truth to the public; while on the other hand there is a great opposition for the existence of such bodies. The main headliners provided by the WikiLeaks were linked to post 9/11 development and crusades administered by the Americans. These documents were in the quantity of hundreds of thousands. The press releases based on the revelations made by the WikiLeaks send tremors to the government offices all across the globe. Taking leaf out of the WikiLeaks episode, it will be easy to explain that why information security is so important to an organization and what is the power of knowledge. What was released by the WikiLeaks was nothing more than a text documents or videos, it did not include any weapon of mass destruction, but still the damage it caused far superior than the damage that may be caused by an explosion of a hydrogen bomb. This clearly explains that why knowledge is the most powerful weapon on earth. Even in the most of the developed countries around the world that preach lessons of democracy, and transparent governance, there are still some government secrets that are kept hidden (Whitman, 2003). When confidential information is leaked, and it becomes public, this loss is treated as failure of a government, who is incapable of protecting its own secrets, in simple words it is the breach of duty. The tremors sent by the WikiLeaks considered the United States of America as its epicenter. This is why the whole networking and information processing in the White House is receiving extra care and overprotection for last few years. Considering these latest developments in the information security at the highest level, it has become more important for a common man to understand the dynamics of information security. Therefore, this article is attempted to outline the basic components and pillars of information security. Further, it will elaborate the role of information security in today’s organizational structure, and will also identify some of the recent developments in 21st century’s information security setup. Last but not the least, the threats to information security will also be discussed, along with the assessment of risks to information technology. Components of Information Security The defining features or components of information security are three in number, and they include confidentiality, integrity and availability. Authentic information is one that remains unadulterated, but this does not mean that it is preserved in a place to which no one has any access, plus the information obtained must be in agreement with its original source. Therefore, an information security system must obey these principles for managing and securing information (Singh, et al., 2014). Keeping this pretext in mind, the CIA triad explains it is essential value to information security systems. The first component of information security as suggested earlier is confidentiality. Confidentiality refers to “preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information” (Kissel, 2013, p. 45). While designing information security policy for an organisation, the policy makers must consider confidentiality as a priority to their agenda. For instance, in healthcare systems it is obligatory for the healthcare professionals to keep patients record confidential. Similarly, while carrying out electronic transaction it is essential that all the information obtained from the customers must be kept in secrecy (Anderson & Moore, 2006). Negligent handling of data may lead to undesired consequences, first the customer gets offended, and he or she has all the right to file a suit against the company, while on the other hand it pushes back the potential clients, because they don’t want to give their personal information to an organization that does not respect the very first component of information security (Denning, 1999). Integrity is the second major component of information security. Integrity refers to the agreement within the information used, and the information provided by the source. For example, people who order shipment of products to their door step offer their exact address, if there is some minor change in the postal address the whole operation of delivery results into a failure. Again, this failure in recording the true information can cost an organization heavily, because a product delivered at a wrong address may be used in an unauthorized manner against the company and the client. Last but not the least, the third component of information security is availability. Information that is not available to its authentic users is useless; therefore, while hiding the information from unauthentic users, it is extremely important for information security officials to make this information accessible to authorized users (Singh, et al., 2014). So many times it has been reported by the customers that they find it really difficult to access their personal information provided by themselves on the website or to the database. Moreover, organization itself needs to have an easy access to their client’s information to carry out business deals without any delay. Adding to these basic components of information security, there are some scientists that believe that apart from these three essential components there are few more elements that actually give full form to information security. According to Donn Parker there are six atomic elements of information security that include confidentiality, integrity, availability, possession, authenticity, and utility (Singh, et al., 2014). Meanwhile, some thinkers are of the opinion that authenticity and accountability are two vital objectives of information security (Singh, et al., 2014). Different Methods Used for Preserving Information From a technical point of view, information security is preserved via three basic mechanisms that are access control, encryption and programming (Kaufman, et al., 2002). Access control is the most basic method of securing information. The access control in computing world refers to a phenomenon that allows authorized users to access systems, information and resources, while it prevents access to unauthorized users. For instance, providing a password to log in to your computer or profile is simple example of access control. Access control works in a very basic manner, and it is easy to break into the systems or databases that are protected by access control technology (Stallings & Brown, 2008). Moreover, access controls are only applicable at a certain point within the operational change. There are two basic types of access controls, Data Access Controls and System Access controls. In both the types the process of gaining access relies on the credentials offered by the user (Tipton, 2012). To overcome this simplistic approach of gaining access, dual authentication was used; where the access is only offered on providing credentials along with some particular code e.g. pin code. More lately, the use of biometric readings has become very common such as the use of fingerprints for gaining access, or voice signature (Jain, et al., 2006). The next method for protecting information is the use of encryption technology. Encryption has been used manually for preserving information for past several centuries. Encryption is more effective than access control. It is a way of scrambling information, and it is only deciphered by the person or people who hold the key. Encrypted information usually lies in plain text form, a person cannot reveal the true meaning until he or she does not have the access to the key that has the code for deciphering the encrypted information. Some people even regard encryption as the best way of securing information (Von Solms, 2000). Some of the most widely used encryption tools and software include Cryptext, 7zip, AxCrypt, and TrueCrypt etc. After encryption, the third technique that is used to preserve data and for securing the information is programming (Whitman, 2003). Programming is usually defined as a step wise process that is based on feeding particular information at each step. The use of programming languages for safeguarding the data is being widely used by information security officials. There is a great variety of programming languages that are available at human disposal (Vroom & Von Solms, 2004). However, the choice is usually made on the purpose of job that needs to be done; some of the commonly used programming languages include Cisco, JavaScript, C++, .Net, PHP etc. Auditing of databases can also be used to ensure the security of a database. Auditing allows one to identify the activity user wise, and it further provides useful information of different operations or tasks that are being carried out by data-miners (Tipton, 2012). The choice of method that is to be used for information security is mainly decided by the organization on the basis of the skills that its information security team possesses. However, one must suggest that protection of information is the primary concern, and maximum input should be provided in order to establish a safe security system. Non-technical Pillars of Information Security Management The terms as complex as information security always sends signals that point it as an entirely technological theme. However, this is not the case; the implication of information security’s principles requires technological competence and non-technological assistance (Elmarie & Von Solms, 2005). The non-technological pillars of information security include information security policy, commitment from top management, awareness, organization and compliance monitoring (Elmarie & Von Solms, 2005). Information security policy can be defined as “aggregate of directives, regulations, rules, and practices that prescribes how an organization manages, protects, and distributes information” (Kissel, 2013, p. 98). So, formulation of information security policy for an organization plays a crucial role, it only provides the protocol for safe practices, but it also reflects the understanding of an organization regarding its strongest assets. The purpose of information security policy remains incomplete until the members of organization holding the higher positions do not show commitment, because everyone knows that good governance at the top brings harmony to the low liners (Elmarie & Von Solms, 2005). Position of a director is one of the most crucial posts in an organization, because it is the director’s call that determines the future direction for an organization. People at the higher posts are expected to lead from the front, and especially in the matters that are as delicate as information security (Von Solms & Von Solms, 2004). Therefore, the need of spreading information security awareness among the employees of an organization is imperative. “The purpose of awareness presentations is simply to focus attention on security. According to (Kissel, 2013, p. 106), awareness presentations are intended to allow individuals to recognize IT security concerns and respond accordingly.” Another reason for making the employees aware of the necessity of information security is that most of the security breaches are carried out by humans, and it also involves a great deal of human error. For instance, if an employee forgets to log out his or her computer, or follows unguarded practices while using the information (Von Solms, 2001). The fourth non-technological pillar of information security is compliance monitoring. It is a method of measuring and analyzing the practices prevalent with an organization, and it is intended to keep regular checks and balances. Further, it is applied for evaluating the suitableness of the previously formulated information security policy. The last support for validity of information security comes from the organization itself (Vroom & Von Solms, 2004). The structure, culture and environment of an organization are very crucial elements for information security. The whole setup with an organisation responds to the fact that what importance is given to knowledge in a particular organization. Definitely, the range and kind of information handled by an organization varies greatly from organization to organisation. Similarly, following this variance of information, the overall mechanism of ensuring information security from one organization to another may vary. Organizations must ensure to preserve the information that they possess, they should train their staff to equip skills and practices that are essential for ensuring information security (Elmarie & Von Solms, 2005). Information Security and Business Despite the stupendous development in the electronic world, a majority of the people still feel more comfortable in dealing with tangible things. There are two main issues, first people are accustomed to the traditional ways of exchange, and second they lack in trust for the operations that carried out electronically e.g. e- business, e- banking etc. Though, these people overlook the procedure that take place once they submit their information or money, all of it is processed electronically behind the customer service counter (Kaufman, et al., 2002). Habits take time to change, but winning the trust of the customer is most important. Therefore, the triad of information security makes sense; it offers confidentiality, access, and integrity (Anderson & Moore, 2006). Companies or organizations involved in different genera of business must consider information security as one of fundamental principles of operations in the present scenario, and in the times to come (Thomson & Von Solms, 1998). Another problem that has retarded the popularity of electronic businesses is that people find it too complex to understand, they prefer barter system, where they just exchange things, information, and wealth (Gordon & Loeb, 2002). Human factor is a problem that is regularly faced by companies when it comes to information security. In this perspective it is very important for an organisation to run information security awareness programs, and make people learn and understand the proper protocols to be followed, and they must be taught to obey the laws of information security. Information security is one of the essential pre-requisites to manage business in the modern world. Companies tied to old trends often ignore the importance of information security; however, this practice will not last for long. People have their trust in companies, and companies must respect the honor and the integrity of the information provided by their clients. The rise of globalization has reinforced the need of establishing strong measures for preserving information. In the years to come, it is expected that most of the business dealings will be entirely carried out by electronic means. The reason being it is fast, cheap, and environmental friendly. Therefore, organisations need to invest in securing the information that deal with. Threats to Information Security The evolution of information security setup is triggered by the threats that are commonly faced by organizations. It is a natural phenomenon that organisms adapt to their environment; the changes in the technology are one expression of human adaptation towards varying needs of time. There is a huge list of threats that are faced by the present information security setup; some of these threats will be discussed briefly. The first threat that will be discussed is related mostly to information security of personal or home users’ i.e. errors and omission. This threat is always present because when people use their personal computers their attitude is quiet relax and they intend to overlook minor issues, in doing that, most of the users allow unauthorized access to users worldwide (Denning, 1999). This is definitely an alarming sign since there is nothing much a layman could do, while using his computer. Fraud and theft is the next threat that is posed to information security, most of the people give in their personal or account information to sites that are not authorized. The recent collapse of bitcoin currency has been facing a lot of damage from cyber-thieves. Hacking is another phenomenon that has lingered as brutal threat over information security since its inception. Hacking is usually carried out by people to extract information from computers, and online accounts (Thomson & Von Solms, 1998). There is no fixed purpose for hacking; some people do it professionally, while others may do it for the sake of fun. Every year billions of dollars are spent by countries to fight this evil of malicious hacking. Nation backed cyber espionage is also becoming a common threat for information security, countries are spending sums in order to get access into their enemies accounts, the reason being the lust for power, and as mentioned earlier knowledge is the most lethal weapon that anyone could think of. A major concern for organizations at present is from its ex-employees especially those who have worked in information security panel. These people can prove troublesome; they may use unfair means to exploit organizations’ reputation and the information. Use of freeware and unauthorized malware as alternate software pose another threat to information security especially in case of personal users (Volonino & Robinson, 2003) . Conclusion Information technology is not entirely a technological issue; it has more to do with administration of an organization. Any mishap in information security directly effects the organization as whole. Therefore, it is very important for an organization to administer its information security setup in a proper way. The proper way to secure the information is to develop a valid information security and then implementing it to preserve and protect the information. When devising an information security policy one must not overlook any of the major components of information security, especially the CIA triad. The administration of security policy must be backed by up to date technology that ensures safety. The purpose of following the technological trends is to equip an organization with maximum defense mechanism. The choice of security mechanism depends on the nature of work; there is range of methods available for protecting information, such as encryption, programming and access control. Information security is highly important at the state level, there are cyber spies that are omnipresent and they continue to leak the state secrets to the unauthorized parties. Moreover, there is a need to spread information security awareness among people in general, and among employees in general, because a major source of information security breach is caused by human error. The stakes are high, and there is not much margin for error, therefore, people need to understand the obligation of information security. The threats to information security continue to increase with the increase internet users and personal computer owners. Information security should also be preserved at an individual level; in the past a lot of cases have been observed where teenagers have become victim to malicious hackers on the internet. Information security has multiple strings attached to it, and it can affect people belonging to every field of life. It can affect economy, government, society or all at the same instance, but may be at different scale. Overall, to sum up this essay, one can state that knowledge is the most valuable asset, and it is more lethal than a hydrogen bomb, therefore, its protection essential. References Anderson, R. & Moore, T., 2006. The economics of information security.. Science, 314(5799), pp. 610-613. Denning, D. E. R., 1999. Information warfare and security. Reading MA: Addison-Wesley.. Elmarie, K. & Von Solms, S., 2005. Five non-technical pillars of network information security management. In: Communications and Multimedia Security. s.l.:Springer, pp. 277-287. Gordon, L. A. & Loeb, M. P., 2002. The economics of information security investment.. ACM Transactions on Information and System Security (TISSEC), 5(4), pp. 438-457. Jain, A. K., Ross, A. & Pankanti, S., 2006. Biometrics: a tool for information security.. Information Forensics and Security, IEEE Transactions on, 1(2), pp. 125-143. Kaufman, C., Perlman, R. & Speciner, M. (., 2002. Network security: private communication in a public world.. s.l.:Prentice Hall Press. Kissel, R., ed., 2011. Glossary of key information security terms.. s.l.: DIANE Publishing.. Kissel, R., 2013. Glossary of Key Information Security Terms, NIST Interagency/Internal Report (NISTIR)-7298rev2, Gaithersburg: NIST. Peltier, T. R., Peltier, J. & Blackley, J., 2005. Information Security Fundamentals. New York: CRC Press: Auerbach Publications. Singh, A., Vaish, A. & Keserwani, P. K., 2014. Information Security: Components and Techniques. International Journal of Advanced Research in Computer Science and Software Engineering, 4(1), pp. 1072-1077. Siponen, M. T., 2000. A conceptual foundation for organizational information security awareness.. Information Management & Computer Security, 8(1), pp. 31-41. Stallings, W. & Brown, L., 2008. Computer Security (No. s 304).. s.l.:Pearson Education.. Thomson, M. E. & Von Solms, R., 1998. Information security awareness: educating your users effectively.. Information management & computer security, 6(4), pp. 167-173. Tipton, H. F. &. K. M., 2012. Information security management handbook.. s.l.:CRC Press. Volonino, L. & Robinson, S. R., 2003. Principles and practice of information security.. s.l.:Prentice. Von Solms, B., 2000. Information security—the third wave?.. Computers & Security, 19(7), pp. 615-620. Von Solms, B., 2001. Information security—a multidimensional discipline.. Computers & Security, 20(6), pp. 504-508. Von Solms, B. & Von Solms, R., 2004. The 10 deadly sins of information security management.. Computers & Security, 23(5), pp. 371-376. Vroom, C. & Von Solms, R., 2004. Towards information security behavioural compliance.. Computers & Security, 23(3), pp. 191-198. Whitman, M. E., 2003. Enemy at the gate: threats to information security.. Communications of the ACM, 46(8), pp. 91-95. Whitman, M. & Mattord, H., 2011. Principles of information security.. s.l.:Cengage Learning.. Read More