Security Foundation - Report Example

Security Foundation name: Institution name: 1. Introduction Information is important in every organization. If information in an organization has been compromised, there can be a wide range of consequences that ranging from damage to an organisation’s reputation through financial penalties such as regulatory costs and fines of remediation (Edward, 2005). Therefore, why many organizations take a tactical approach to addressing their information security. Security domain is a model based approach that help companies to analyse their information security risks in a business context and provide a direct and clear mapping between the security controls that are needed to manage the risks and the risk itself (Rolf, 2008). The ten security domain include: Law, investigation, ethics; access control systems and methodology; Cryptography; Physical Security; Security Management Practices; Application and Systems Development Security; Security Architecture and Models; Business Continuity Planning and Disaster Recovery Planning; Telecommunications and Network Security; and Computer Operations Security. This report will conduct a critical analysis of Cryptography and Application and Systems Development Security to conduct related job titles (Edward, 2005). And how these two jobs are related to security theory and general academic characteristics (William, 2005). The analysis of these two jobs will include micro-focus that highlights the two positions and macro-level analysis indicating similarities and difference for the two positions. 2. Annotated Bibliography i. Cryptography A Cryptographer specialise in cyber security. According to employment posting found in CareerBulder.com in September 2013, cyber analysts task is to identify issues related to software vulnerable to hacking and help software design solutions that include encryption, and how to prevent them. Cryptography jobs entails analyse and decipher encrypted data to assist government (National Institute of Standards and Technology, 2011), businesses or law enforcement officers in solving threats, crime or security concerns (Satoh and Araki, 2006). Cryptography also entails developing computational models that will help solve problems in science, engineering, business, or other industries. ii. Application and Systems Development Security Application and systems analysts helps companies achieve their objectives by designing, evaluating and developing computer application systems (Edward, 2005). In addition, application and system developer is also in charge of overseeing the implementation of required software and hardware components for approved applications, creating flow charts and diagrams for computer programmers to follow (Venter and Eloff,2003), and coordinating tests of the application system to ensure proper performance. This job entails the use of combination of information engineering, data modelling, sampling and accounting principles (Anderson, 2003), mathematical model building to ensure comprehensive and efficient designs (Fennelly, 2004). Analyst will sometime be required to prepare return on investment and cost benefit analysis to determine the feasibility of implementing a new technology solutions. 3-Method Secondary research method use of data from previous published research studies to undertake the study synthesis and to combine findings of different research studies on research problem (Kuckartz, Metzler & Kenney, 2002). This sometimes is also known as content analysis. This research employed existing documents such as books, documentation of IT systems, and other research studies findings amongst other to determine factors that explains security domain (Kuckartz, Metzler & Kenney, 2002). Therefore, this study employed books journals and other source materials that touches on security domains (Kuckartz, Metzler & Kenney, 2002). The findings where then analysed below. 4. Findings The requirements of information security have undergone two major changes in the last two decades. The first change is the need for protecting information and files has become evident. Collecting tools and procedures that are designed to protect information and data and to control access to the company resources (Rolf, 2008). The second major changes is the Application and Systems Development Security (Biringer et el, 2007). The person in charge of application and system development security is needed to protect information or data during storage or transmission. A person in these two fields will be required to restrict such as network traffics filtering with firewall technology defense against distribution of malicious programs like viruses preventions (Biringer et el, 2007), management and detection of intrusion prevention of unwanted communication like email spamming and hacking. There are some system designed that is sued to protect information or data which uses the cryptography method as a primitive. Cryptography is the science and art of protecting information from undesirable persons by converting it into a form non-recognizable by it hackers while transmitted or stored (Gaudry et el, 2000). Data cryptography is the scrambling of the content of data, such as text, audio, video, image and so forth to make the data invisible, unreadable or unintelligible during storage or transmission (Miller, 2006). In Cryptography, the security of encryption system rely mostly on the secrecy of the encryption instead of the encryption algorithm itself. Both cryptography and Application and Systems Development Security are similar in such a way they are depended on three components. i) Algorithms or architecture set in place (Hitchcock et el 2000). This is found to be a formal specification. For example in cryptography is the algorithm itself, in the case of application and system development, it is the formal specification. ii) Implementation of the architecture: this refers to how the algorithm or architecture is being implemented. Programming mistakes, such as buffer overflow is able to affect this component. iii) Operation thereof: this is seen to include operator issues, such as choosing weak passwords on workstations or routers, or accidental disclosure of a shared key. For instance, configurations could be sent to unauthorised third parties. Application and Systems Development Security has same fundamental characteristics and the possibility of failing any of them. For example an application can have weakness in the security design, development mistakes, or implementation mistake. In Cryptographic the basic principles are: In simple form, encryption is found to convert data is some form. This is seen to protect the privacy of the data when it is being send from the sender to a receiver (Rolf, 2008). On the side of the receiver, the information or data is decrypted and the information is brought back to its original form (Fennelly, 2004). The concept of decryption and encryption requires extra is found to require extra information. This extra information is known as key. Application and Systems Development Security is not a haphazard process. They are many factors that must be considered before any design effort is made (Edward, 2005). All the application are found to be simple as possible. Indeed, the more elegant the application the more simple it is. It fact, it usually take a lot of work and thought over multiple iterations to simplify. At micro focus, Cryptographic job involves building innovative software that is used to improve business value from enterprise applications (Biringer et el, 2007). In turn, it is seen to help organizations to increase their value of business by exploiting those core IT assets and respond to business changes. In addition, cryptographic job build tools that support clients. The micro focus for application and Sysems Development Security job range from powerful integrated development environment for application development. This job enables companies to streamline their development by exploiting visual studio technology or contemporary eclipse, thus providing a fast remote development capabilities and fast mainframe integration (Fennelly, 2004). Offering smart editing, advance debugging, compilation and integrated testing capabilities. In addition, micro focus of application and system application development security job is it gives the job holder with the ability to instantly unlock the value in the core systems (Koblitz, 2005). A lot of companies have incorporated data loss prevention plans and data encryption that are based on strong cryptographic methods into their network security strategic planning programs. A cryptographic will be in charge of security solutions and this will include digital signatures that will be used to verify the authenticity of updates for companies systems and so forth. Literature Review The field of cryptography is found to deal with techniques or methods for conveying information or data securely. The main goal for cryptography is to allow recipient to receive securely messages. A cryptography will try as much as possible to prevent the eavesdroppers from hacking or understanding the messages that have been sent (Edward, 2005). In other words, cryptography will encrypt the message or data to be transmitted in order to hide its meaning. The information will then be revealed after the intended person tries to access the information. This reversible mathematical process is seen to produce encrypted output that is called a cipher text. Cryptography will be responsible for proving technical and operational support and to ensure proper cryptographic control are effectively applied in the organisation which they work in. Cryptography will be dedicated to ensure organizational data and are required to maintain compliance with industrial standards (William, 2005). This field will mainly focus on the operations of the cryptographic infrastructure of the company business. While, successful candidate in cryptographic field is required to possess knowledge and experiences that is required to manage cryptographic keys and this will be according to industry best practices. Personnel in the field will also require to ensure industry best practises are adhered to in the use, storage, and operation of cryptographic functions in the organizational environments (William, 2005). A cryptographer will required to troubleshoot, maintain and enhance operations Cryptographic Key Management System. Apart from this, a person will be required to have strong technical foundation in general cryptography, because the candidate in that field will required to operate and maintain cryptographic key storage, manage procedures and policy around organizations key storage, help organisation adhere to security policies, and also ensures companies adhere to regulatory compliance requirements (Edward, 2005). Given the need for a cryptographic role, most organisations therefore are looking for a person with unique blend of organizational, excellent technical and communication skills (Rolf, 2008). A candidate in this role will be required to address and prioritise security related events and also be able to follow industry best practices (Fennelly, 2004). Preferred experiences will include in cryptographic job will include the following qualifications: symmetric key cryptography; information security practices; key management system architecture; public key cryptography; key management assurance standards; experience with hardware security modules systems; experience with operational cryptographic key management system; Cryptographic and Application Integration Protocols such as XML, SAML, Web Services, SSL, XACML and so forth, Technology solutions that will be used to protect and secure cryptographic keys and digital certificates. Qualification for this job will need a person being experienced in large enterprise environments; the potential candidate must be able to understand technology and industry leading security processes and standards; he or she must be having experiences in IT security and risk management; have a good communication skills and strong project management skills and be able to work independently; the potential candidate should be able to meet project deadlines according to project timelines and dates and lastly, the potential candidate should possess bachelor’s degree in either, and/or Information Systems (McDermott and Geer, 2001), Business Administration or other related field (Rolf, 2008). In addition, industrial standard certifications such as GIAC, CISM, CISSP, QSA, and so forth will also be preferred. On the other hand, Application and Systems Development Security requires an awareness of how different work environment demand different security (William, 2005). The duties for this field will include interfacing with development. Company to on-board application and performance secure code reviews suing static analysis tools like HP fortify, IBM AppScan and so forth. In addition, a candidate in this position will be required to execute binary statics testing tools that is able to identify third party components vulnerabilities utilities or assessment tools. Most companies are looking for persons who are willing and eager to learn. The duties for this field usually include providing source code review through testing process, as well as identifying vulnerabilities and weaknesses within the system, and thereafter proposing a countermeasures on the same. In addition, this role in Application and Systems Development Security will be responsible for verifying findings as needed with application team (Menezes et el, 2008); validating automated testing prioritize and results that are based on the overall organization risk; a person will be required to write formal security assessment report for each application; perform manual source code review for company’s security vulnerabilities. Pre requisites for this Application and Systems Development Security job a person need to have a degree in web development or application code. An individual also need to understand web-based, security and infrastructure vulnerabilities; debugging and understanding application compilation or build related errors is also required (Rolf, 2008). Also, a person need to have experience with java IDEs- knowledge of application servers, web servers, build tools, and so forth. In addition to this, an individual need to understand fortify, appscan source sonatype, veracode or blackbuck platform will be a plus for an individual. Above these requirements, also excellent communication skills and the ability to communicate with other management and staff are also important. Conclusion The need for security experts has grown exponentially over the years toward an internet explosion that has been fuelled by e-banking, e-commerce, social media and e-governance. In future, Information or data security will fuel the growth of businesses; in addition, businesses are continuing to demand high level compliance to privacy, data security and cyber security regulations (Rolf, 2008). Despite a continuing economic slowdown that has been putting pressure on IT budgets around the world, cyber security spending globally would continue on an upward trajectory, reaching $86 billion in 2016, up from $60 billion in 2012.” Therefore, the requirement for security jobs would be in multiples. References Anderson, J. M. (2003). "Why we need a new definition of information security". Computers & Security, 22(4), 308–313. doi:10.1016/S0167-4048(03)00407-3. Biringer, B. E., Matalucci, R. V., & O’Connor, S. L. (2007). Security risk assessment and management.Hoboken, NJ: John Wiley and Sons Cohen, H.; Miyaji, A.; Ono, T. (1998). "Efficient Elliptic Curve Exponentiation Using Mixed Coordinates". Advances in Cryptology – AsiaCrypt '98. Lecture Notes in Computer Science 1514: 51–65 Edward A. (2005), Fundamentals of Computer Security Technology , Prentice – Hall. Fennelly, L. J. (Ed.) (2004). Effective physical security (3rd ed.). Boston, MA: Elsevier Butterworth-Heinemann. Hitchcock, Y.; Dawson, E.; Clark, A.; Montague, P. (2002). "Implementing an efficient elliptic curve cryptosystem over GF(p) on a smart card" (PDF). ANZIAM Journal 44. Gaudry, P.; Hess, F.; Smart, N. P. (2000). "Constructive and destructive facets of Weil descent on elliptic curves" (PDF). Hewlett Packard Laboratories Technical Report. Koblitz, N. (2005). "Elliptic curve cryptosystems". Mathematics of Computation 48 (177): 203- 209. Kuckartz, U., Metzler, K., & Kenney, F. (2002). Qualitative text analysis: A guide to methods, practice & using software. London, UK: SAGE Publications. Rolf O. (2008). Internet and Intranet Security , Second edition, Artech House, Incorporated. Miller, V. (2006). "Use of elliptic curves in cryptography". CRYPTO. Lecture Notes in Computer Science 85: 417–426 Menezes, A.; Okamoto, T.; Vanstone, S. A. (2008). "Reducing elliptic curve logarithms to logarithms in a finite field". IEEE Transactions on Information Theory 39. McDermott B. E., & Geer, D. (2001). Information security is information risk management. In Proceedings of the 2001 Workshop on New Security Paradigms NSPW ‘01, (pp. 97 – 104). ACM. doi:10.1145/508171.508187 National Institute of Standards and Technology. (2011).Advanced Encryption Standard, FIPS 197 Venter, H. S. and Eloff, J. H. P. (2003). "A taxonomy for information security technologies". Computers & Security, 22(4), 299–307. Satoh, T. and Araki, K. (2006). "Fermat quotients and the polynomial time discrete log algorithm for anomalous elliptic curves". Commentarii Mathematici Universitatis Sancti Pauli 47. William R Cheswick and Steven M Bellovin, Firewalls and Internet Security, Addison-Wesley, 1994. William S. (2005). Network Security Essentials : Applications and Standards, Prentice –Hall. Read More

This report will conduct a critical analysis of Cryptography and Application and Systems Development Security to conduct related job titles (Edward, 2005). And how these two jobs are related to security theory and general academic characteristics (William, 2005). The analysis of these two jobs will include micro-focus that highlights the two positions and macro-level analysis indicating similarities and difference for the two positions. 2. Annotated Bibliography i. Cryptography A Cryptographer specialise in cyber security.

According to employment posting found in CareerBulder.com in September 2013, cyber analysts task is to identify issues related to software vulnerable to hacking and help software design solutions that include encryption, and how to prevent them. Cryptography jobs entails analyse and decipher encrypted data to assist government (National Institute of Standards and Technology, 2011), businesses or law enforcement officers in solving threats, crime or security concerns (Satoh and Araki, 2006).

Cryptography also entails developing computational models that will help solve problems in science, engineering, business, or other industries. ii. Application and Systems Development Security Application and systems analysts helps companies achieve their objectives by designing, evaluating and developing computer application systems (Edward, 2005). In addition, application and system developer is also in charge of overseeing the implementation of required software and hardware components for approved applications, creating flow charts and diagrams for computer programmers to follow (Venter and Eloff,2003), and coordinating tests of the application system to ensure proper performance.

This job entails the use of combination of information engineering, data modelling, sampling and accounting principles (Anderson, 2003), mathematical model building to ensure comprehensive and efficient designs (Fennelly, 2004). Analyst will sometime be required to prepare return on investment and cost benefit analysis to determine the feasibility of implementing a new technology solutions. 3-Method Secondary research method use of data from previous published research studies to undertake the study synthesis and to combine findings of different research studies on research problem (Kuckartz, Metzler & Kenney, 2002).

This sometimes is also known as content analysis. This research employed existing documents such as books, documentation of IT systems, and other research studies findings amongst other to determine factors that explains security domain (Kuckartz, Metzler & Kenney, 2002). Therefore, this study employed books journals and other source materials that touches on security domains (Kuckartz, Metzler & Kenney, 2002). The findings where then analysed below. 4. Findings The requirements of information security have undergone two major changes in the last two decades.

The first change is the need for protecting information and files has become evident. Collecting tools and procedures that are designed to protect information and data and to control access to the company resources (Rolf, 2008). The second major changes is the Application and Systems Development Security (Biringer et el, 2007). The person in charge of application and system development security is needed to protect information or data during storage or transmission. A person in these two fields will be required to restrict such as network traffics filtering with firewall technology defense against distribution of malicious programs like viruses preventions (Biringer et el, 2007), management and detection of intrusion prevention of unwanted communication like email spamming and hacking.

There are some system designed that is sued to protect information or data which uses the cryptography method as a primitive. Cryptography is the science and art of protecting information from undesirable persons by converting it into a form non-recognizable by it hackers while transmitted or stored (Gaudry et el, 2000).

Read More