Principles of Information Security - Assignment Example

Summary
The assignment "Principles of Information Security" focuses on the critical analysis of the main principles of information security. The report by Ernst & Young's 12th Annual Global Information Security Survey identifies information security as vital…

Extract of sample "Principles of Information Security"

Running Head: Principles of Information Security

Table of contents
Title
Table of contents
State of information security: current challenges and potential solutions
Access control: multi-factor authentication
Firewalls
Reference List

Question 1 – State of information security: current challenges and potential solutions

The report by Ernst & Young's 12th Annual Global Information Security Survey identifies information security as vital, in the sense that organizations must move swiftly to implement measures ensuring that the information in their care is treated with discretion. Information risks arise both outside and within the organization. External risks affect organizational networks and websites and include threats such as malware, spyware, pharming, phishing and website attacks, as presented by Dhillon (2001). Current and potential external challenges require companies to apply guidelines primarily related to data privacy and protection. Internal risks include abuse of employee privileges, theft of information and internally perpetrated fraud; these are managed by developing a formal response for dealing with employees expected to leave the organization as a result of staff reductions or job cuts. Furthermore, organizations should undertake a specific assessment exercise to identify potential exposures within their jurisdiction and put in place an appropriate risk-based response (Quigley, 2004). Risks have also been managed by realizing secure development processes, utilizing virtualization technologies, applying quality standards and regulatory compliance, and having risk management methodologies in place. Moreover, organizations have managed risks by improving identity and access management (IAM) processes and technologies, integrating business processes, utilizing security testing, and enhancing data leakage protection (DLP) technologies and processes.

Other organizations have approached risk management by conducting internal security awareness and training as well as augmenting security risk management. Furthermore, organizations manage risks by internalizing information security functions and allocating increased resources, enhanced through the implementation of an information security management system (ISMS) (Whitman, 2004); these approaches are chosen by the majority of companies to address their information security risks.

The importance of data leakages and implementation of protection technologies to the organizations

Data leakage is a very important concern for organizations because the regulations in place still require stabilization across a range of geographies, and validation of position with proper legal and operational groups throughout the enterprise. Organizations also need to appreciate how their compliance efforts can be integrated into a wider programme of change so that they can move towards better-protected information programs. Most companies need to recognize and understand the scope of privacy within their operations and appoint effective business champions who coordinate with each other to ensure that standard processes and practices do not violate the organization's privacy regulations. The data leakage protection (DLP) technology that organizations should put into practice in the coming years is the encryption of sensitive information before transmission, which entails encrypting portable media, laptops, emails and IAM products. The adoption of virtualization and cloud computing offers attractive options that will help to cut cost, increase manageability and improve the broad-spectrum efficiency of information technology. Cloud computing and virtualization will ensure that any decisions made are consistent with the general production strategy as well as the information technology strategy, and will direct the growth of the organization.

Question 2 – Access control: multi-factor authentication

There has been great focus on the risk management controls necessary in the banking industry regarding authentication of the credentials of commercial and retail clients using Internet-based financial services. This has been occasioned by technological and legal developments concerning the safeguarding of client information, with significant effort made to thwart threats from criminals, so that effective authentication systems are implemented in a manner that guarantees that controls and authentication mechanisms are appropriate for the bank's entire range of Internet-based products and services. The emergence of multi-factor authentication has been driven by the challenges and shortcomings of single-factor authentication as the sole control mechanism, which is inadequate for high-risk transactions; single-factor credentials such as passwords and PINs have previously been widely deployed in financial transactions. However, emerging and shifting risks such as malware, spyware, pharming, phishing and the growing sophistication of compromise techniques have called the adequacy of single-factor authentication into question, hence the need for techniques that mitigate the associated risks, such as layered security and multi-factor authentication.

HSBC uses a variety of measures to safeguard financial information in its domain: multi-layer logon verification, transaction verification, 128-bit encryption and automatic 'time-out' features. In multi-layer logon verification, HSBC protects financial information through a combination of a distinctive username and password and a single-use security code generated by an Online Security Device.
The physical Online Security Device dynamically generates a unique security code which clients must enter correctly during every login session. Moreover, HSBC implements 128-bit encryption, which is the highest level of encryption, for any information transmitted throughout an Internet banking transaction.

The Commonwealth Bank implements a diversified approach to securing client information: encryption, digital certificates, independent audits, dedicated staff, NetCode SMS and NetCode Token, extra verification on NetBank transfers, an automatic timeout period, a NetBank activity log and lockout. Digital certificates and encryption are the common techniques: encryption uses 128-bit SSL encryption technology to encrypt all communication from the customer's computer to the bank's secure systems, and digital certificates are used by the bank to verify the identity and authenticity of websites. The advantage of encryption is that the security of the data is separated from the security of the devices holding the data; moreover, encryption places the security measures directly on the data itself. Its disadvantages are increased data access time and considerable complexity. The Online Security Device has the advantage of offering very strong security; however, the need to physically carry the device everywhere is a disadvantage. Digital certificates have the merit of being integrated with conventional web browsers; their drawback is the need for different certificates to suit different websites.

Question 3 – Firewalls

A static packet filter firewall operates on a defined set of rules: the filter scrutinizes each packet against the rule set. Packets are allowed to pass through if the rules permit that type of packet; if a rule prohibits the packet, it is dropped or discarded, depending on the setup of the firewall rules.
In contrast, a stateful firewall dynamically filters packets at the network layer, in common with every firewall that performs stateful packet inspection (SPI). Here the firewall keeps track of the state of the network connections traversing it, such as Transmission Control Protocol streams and User Datagram Protocol communication (Merkow, 2006); it is programmed to distinguish legitimate packets for different types of connection, so that only packets matching a known connection state are allowed to pass and all others are rejected.

A commercially available firewall product capable of stateful packet filtering is the Cisco® PIX® 515E Security Appliance, where PIX stands for Private Internet Exchange. It offers diverse types of protection, including robust user and application policy enforcement, multi-vector attack protection and secure connectivity services such as intelligent connection capabilities and application-aware firewall services (Panko, 2010). Flexibility and resiliency as well as IPsec VPN connectivity are also provided, delivering superior security and networking capabilities. The Cisco® PIX® 515E offers application-layer inspection in the form of attack mitigation and event monitoring solutions, which combine comprehensive configuration and software image management, customizable administrative roles and access privileges with full activity change management and audit, and intelligent detection and enforcement of security policies and object groups. Furthermore, the Cisco® PIX® 515E offers a device hierarchy with "Elegant Rules"-based configuration inheritance, as well as support for dynamically addressed appliances.
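The multi-layer logon described under Question 2 combines something the client knows (a password) with something the client has (a device that produces a single-use code). As an added example, not code from the assignment or from any bank's system, the following Python sketch shows the verifying side of that combination. The code generator is HOTP (RFC 4226), the counter-based scheme used by event-driven tokens; the device seed is the RFC 4226 test-vector seed so the codes can be checked against the published values. The account name, the look-ahead window, the PBKDF2 parameters and the demo password are assumptions.

```python
import hashlib
import hmac
import os
import struct

# Constructed demo seed: the RFC 4226 test-vector seed, so the expected codes are
# known (counter 0 -> 755224, counter 1 -> 287082, counter 2 -> 359152).
DEMO_DEVICE_SEED = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): the code a counter-based
    security device shows for a given event counter."""
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                            # dynamic truncation
    binary = ((digest[offset] & 0x7F) << 24 | digest[offset + 1] << 16
              | digest[offset + 2] << 8 | digest[offset + 3])
    return f"{binary % (10 ** digits):0{digits}d}"


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-SHA256; iteration count is an assumption for the demo."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class Account:
    """Server-side record: password hash plus the shared device seed and the
    next counter value the server will accept."""

    def __init__(self, username: str, password: str, device_seed: bytes):
        self.username = username
        self.salt, self.password_hash = hash_password(password)
        self.device_seed = device_seed
        self.counter = 0


def verify_login(account: Account, password: str, code: str, look_ahead: int = 5) -> bool:
    """Both factors must pass. A valid code with a wrong password fails, and a
    code is accepted at most once (single use), which is what defeats replay."""
    _, candidate = hash_password(password, account.salt)
    password_ok = hmac.compare_digest(candidate, account.password_hash)

    # The device may have been pressed a few times without a login, so accept a
    # small window of counters ahead of the last one used (look_ahead is assumed).
    matched = None
    for c in range(account.counter, account.counter + look_ahead):
        if hmac.compare_digest(hotp(account.device_seed, c), code):
            matched = c
            break

    if not password_ok or matched is None:
        return False            # counter untouched: a failed attempt burns nothing
    account.counter = matched + 1   # this code and all earlier ones are now dead
    return True


if __name__ == "__main__":
    acct = Account("alice", "correct horse battery", DEMO_DEVICE_SEED)
    first = hotp(DEMO_DEVICE_SEED, 0)
    print(verify_login(acct, "correct horse battery", first))   # True
    print(verify_login(acct, "correct horse battery", first))   # False: already used
    print(verify_login(acct, "guessed password", hotp(DEMO_DEVICE_SEED, 1)))  # False
```

The point the bank descriptions make is visible in the three calls at the bottom: a correct password with a fresh code succeeds, the same code presented again is refused, and a valid code cannot compensate for a wrong password.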
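The contrast drawn above between a static packet filter and a stateful one is easiest to see on a short packet trace. The following Python simulation is an added example, not code from the assignment or from Cisco: the static filter judges every packet on its header fields alone, so it must carry a standing rule that lets reply traffic back in, while the stateful filter records connections as they leave the protected network and admits an inbound packet only if it matches a recorded connection. The rule sets, the addresses and the six-packet trace are all constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    direction: str            # "out" = leaving the protected network, "in" = arriving
    proto: str                # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = field(default_factory=frozenset)   # TCP flags, e.g. {"SYN"}


@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str
    dport: tuple              # inclusive destination-port range (lo, hi)
    sport: tuple = (0, 65535)  # inclusive source-port range
    action: str = "allow"


def _matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction and rule.proto == pkt.proto
            and rule.sport[0] <= pkt.sport <= rule.sport[1]
            and rule.dport[0] <= pkt.dport <= rule.dport[1])


def static_filter(rules, pkt: Packet) -> str:
    """Static packet filter: each packet is judged on its own header fields,
    first matching rule wins, default drop."""
    for rule in rules:
        if _matches(rule, pkt):
            return rule.action
    return "drop"


class StatefulFilter:
    """Stateful packet inspection: the rules apply only to packets that open a
    connection; every other packet must belong to a connection in the table."""

    def __init__(self, rules):
        self.rules = rules
        self.table = set()    # 5-tuples of connections seen leaving the network

    def check(self, pkt: Packet) -> str:
        forward = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if forward in self.table or reverse in self.table:
            return "allow"    # continuation or reply of a known connection
        # UDP has no handshake, so its first packet opens the pseudo-connection;
        # for TCP only a bare SYN can open one.
        opens = pkt.proto == "udp" or ("SYN" in pkt.flags and "ACK" not in pkt.flags)
        if opens and static_filter(self.rules, pkt) == "allow":
            self.table.add(forward)
            return "allow"
        return "drop"         # unsolicited: no matching connection state


# Constructed policy. The static filter needs inbound rules keyed on source port
# so that replies to outbound HTTPS and DNS can get back in at all.
STATIC_RULES = [
    Rule("out", "tcp", dport=(443, 443)),
    Rule("in", "tcp", dport=(1024, 65535), sport=(443, 443)),
    Rule("out", "udp", dport=(53, 53)),
    Rule("in", "udp", dport=(1024, 65535), sport=(53, 53)),
]
# The stateful filter only needs to say which connections may be opened.
STATEFUL_RULES = [Rule("out", "tcp", dport=(443, 443)), Rule("out", "udp", dport=(53, 53))]

# Constructed trace: a real HTTPS handshake, an unsolicited inbound SYN whose
# header happens to look like a reply, a DNS exchange, and a stray DNS reply.
TRACE = [
    Packet("out", "tcp", "10.0.0.5", 40000, "203.0.113.10", 443, frozenset({"SYN"})),
    Packet("in", "tcp", "203.0.113.10", 443, "10.0.0.5", 40000, frozenset({"SYN", "ACK"})),
    Packet("in", "tcp", "198.51.100.7", 443, "10.0.0.5", 40000, frozenset({"SYN"})),
    Packet("out", "udp", "10.0.0.5", 5353, "203.0.113.53", 53),
    Packet("in", "udp", "203.0.113.53", 53, "10.0.0.5", 5353),
    Packet("in", "udp", "203.0.113.53", 53, "10.0.0.5", 6000),
]


def run_trace(trace=TRACE):
    """Return (static decision, stateful decision) for each packet in order."""
    stateful = StatefulFilter(STATEFUL_RULES)
    return [(static_filter(STATIC_RULES, p), stateful.check(p)) for p in trace]


if __name__ == "__main__":
    for p, (s, f) in zip(TRACE, run_trace()):
        print(f"{p.direction:3} {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}"
              f"  static={s} stateful={f}")
```

Packets 3 and 6 are the ones that separate the two designs: their headers satisfy the static filter's reply rules, so it passes them, whereas the stateful filter finds no connection they belong to and drops them, which is exactly the "only packets matching a known connection state are allowed to pass" behaviour the text describes.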
The Cisco® PIX® 515E Security Appliance was chosen because of the reputation of its manufacturer, Cisco, which is renowned worldwide as a leader in networking and communication innovation, with premium enterprise and all-inclusive business routing through integrated services routers optimized for the high-speed, secure delivery of synchronized data, voice and video services. Moreover, the fact that Cisco manufactures a wide range of networking products with advanced support options, including proactive on-site consultation and access rights to Cisco.com technical libraries, influenced the choice of the product.

Reference list

Dhillon, G., 2001. Information security management: global challenges in the new millennium. Hershey, PA: Idea Group.
Merkow, M., 2006. Information security: principles and practices. Upper Saddle River, NJ: Pearson Prentice Hall.
Panko, R., 2010. Corporate computer and network security. Boston: Pearson Education.
Quigley, M., 2004. Information security and ethics: social and organizational issues. Hershey, PA: IRM Press.
Whitman, M., 2004. Management of information security. Boston, MA: Thomson Course Technology.