Tools Used in Tightening Information Security - Essay Example

Information Security Name Course Tutor Date Table of Contents Table of Contents 2 Information Security 3 Introduction 3 Information Security Components 4 Availability 6 Authenticity 6 Non-repudiation 6 Business Continuity Planning 7 Authorized Users can be the Most Risky 8 Controls 8 Administrative 8 Physical Control 9 Defense in Depth 10 Classification of Security Information 11 Access Control 12 Authentication 12 Authorization 13 Change management 14 Conclusion 15 Works Cited 16 Information Security Introduction Information security refers to the maintenance of privacy and integrity within the storage and transmission of information. Anytime unauthorized user accesses any kind of organizational information, the organizational security is breached. Information breach can be classified into five general groupings: messages interception, stealing stored information, changing or destroying information belonging to another party, spoofing as well as denial service which is the intentional shutdown of service machines. Hackers, intelligence bodies, criminals, business competitors, unhappy workers as well as other parties can try to infringe information security. Information security is about protection of information as well as information systems from unauthorized access, use, leak, disruption, modification, scrutiny, inspection or obliteration. Business organizations have a lot of confidential information regarding their workers, clients, products and financial status. Most of this data is collected, processed and stored electronically and transmitted across networks to other storage devices. In case confidential information regarding a business’ clients or financial status is accessed by its competitors, such security breach can result into business loss, law suits and also business insolvency. As a result, protecting the organizational confidential information is a business obligation (Gregory 25-26). There are several tools used in tightening information security, and it includes software scans for computer viruses or that safeguard against unauthorized infringement into computer systems from the networks; password systems, encrypting the messages and databases, physical access for computers, discs, pass cards, credit cards in addition to other equipments storing sensitive data. Whereas all these are vital when operating businesses, passwords along with encryption are possibly the most significant. It is easy to use the passwords. However, passwords alone cannot provide a high level security for many users. First, most users are made to provide passwords for several varying systems including, banking, e-mail, shopping and such. Therefore, users are tempted to use short passwords which are simpler to remember and use the same password for several systems and this results into domino effect in case the password is guessed (Thomas 56). Cryptography is the procedure by which plaintext is encrypted to a ciphertext before being transmitted or stored, then decrypted when the authorized user wants to read the plaintext. Debatably, this is the most definitive means of information security. Proper cryptography can protect the security of messages being transmitted and the database information. It can also by “authentication” act as a super-password system where the identity of the user can be confidently verified. Nevertheless, cryptography in a business organization augments the complexity, increases the costs and can result to shutdown of the systems (Chris 65). Information Security Components These components include, confidentiality, integrity in addition to Availability. Basically, information systems has three major portions namely, hardware, software and communications whose main aim is the identification and the application of information security standards as means of protection and prevention, at three heights; physical, personal and organizational. Fundamentally, there are implemented policies for informing people on how to utilize products and on how to make sure that there is information security in the organizations. Therefore, information security involves protecting the information as well as information systems against unauthorized access or information interference, whether in storage, processing, or transfer and against denying of services to the authorized users. Information security comprises the measures essential for detecting, documenting and countering such information security threats. Information security consists of computer security along with communications security (Chris 66-68). Confidentiality Confidentiality refers to the preventing the information disclosure to the unauthorized people or systems. For instance, a credit card transaction through the internet obligates the transmission of the credit card number from the buyer to the business and from the business to a transaction processing network. In this case, the system enforces the confidentiality through encryption of the card number during transmission, through restricting the places it may appear, for example log files, backups and such, and thorough limiting access to where it is stored. In case unauthorized person accesses the card number in any manner, violation of confidentiality has taken place (v Ivan 26). Violating the confidentiality takes several forms. For example, if an employee allows another person to see confidential information exhibited on the computer screen, this could be violation of confidentiality. Again, in case a laptop having sensitive information regarding an organization’s workers is stolen or sold, this can lead to confidentiality breach. Disclosing confidential information through the phone is the violation of confidentiality in case the caller is not allowed to have the information. Confidentiality is essential for upholding the privacy of the individuals whose personal information a system stores (Russell 5). Integrity In information security, integrity implies that the information cannot be changed without detecting. The integrity of information is breached when the information is dynamically altered in transit. Information security systems normally give information integrity as well as information confidentiality (Russell 5). Availability For any information system to function, information should be availed when it is required. This implies that the computing systems used in the storage of information used in storage and processing the information, the security controls used in protecting it as well as the communication channels used in accessing the information should be functioning appropriately. High availability systems are availed always and this prevents disruptions of services because of power outages, hardware failures and upgrading of the systems. Moreover, ensuring availability also entails prevention of denial service attacks (Russell 6-7). Authenticity It is necessary for an organization to always make sure that the information, transactions and communications whether physical or electronic are valid. It is also appropriate for the authenticity to confirm that the parties involved in the transactions are the genuine parties. Non-repudiation Non-repudiation refers to the intention of an individual to carry out their duties. It also means that one transaction party cannot deny having gotten a transaction and also the other party cannot refute having sent the transaction. Electronic commerce utilizes technologies like digital signatures to set up authenticity and non-repudiation (Gurpreet 12-14). Business Continuity Planning Business continuity is the way an organization goes on operating its important business units, in the occasion of planned or unplanned interruptions that have an effect on the usual business operations through raising planned and managed processes. Business organizations implement business continuity plans to work against any interference to important business activities/processed from the effects of key business failures or disasters. There are two fundamental features to the business continuity planning form. The source end tackles processing systems as well as the environment where they are stored in and the destination end stands for the business units that make use of the information. With the propagation of midrange and micro-computers, the locality of source and destination function is not always separate and different as before when all processing occurred within the information center. Nevertheless, the planning needs for each are the same irrespective of the physical locality of either system. Plans for the source end, need indentifying of the processing needs and the development and examining of a strategy to meet the processing needs. On the other hand, plans on the destination end need to take the same processing needs and establish processes to handle them outside of the usual processing atmosphere. While an all-inclusive business continuity plan can vary from a single sheet of “blue line” to a multi-volume binder, an effective plan should take account of both source and destination features. In most cases, just the source end is tackled (Vacca 18-20). Programs and information can be secured through providing passwords and digital certificates to the certified users. Nonetheless, passwords just authorize that an approved number has been keyed in, not that it is the real individual. Digital certificates in addition to biometric techniques, for example fingerprints, voices offer a more secure method. After the authentication of the user, encryption of the sensitive information can be done to prevent eavesdropping (Julia, 24-25). Authorized Users can be the Most Risky Even if precautions can be taken to validate users, it is very hard to establish if an authorized worker is doing something wicked. A person can have legitimate access to the extent of updating, but establishing of phony numbers are being entered necessitates a lot of processing. Accordingly, effectual security measures are always equilibrium between technology and personnel management. One of the best means of authenticating an individual is through face recognition. True face system makes use of neural network technology to differentiate a face with varying appearance, for example with or without glasses and hair style changes (Ivan 58-60). Controls Different types of controls can be implemented to mitigate risks associated with information. Administrative Administrative controls have endorsed written policies, processes, standards in addition to guidelines. Administrative controls establish the outline for operating the business and management of individuals. The controls inform individuals regarding the business operations. Administrative controls consist of organizational security policy, password policies as well as disciplinary policies. Through administrative controls, an organization can effectively chose and implement logical and physical controls. Logical and physical controls manifest administrative controls. Generally, administrative controls are very important within an organization (Thomas 45). Logical Controls Logical controls make use of software and information to supervise and control any access to information and computing systems. For instance, passwords, firewalls, data encryptions and such are logical controls. Principle of least privilege is very critical logical control within an organization. This principle necessitates a person, program or system procedure is not awarded any more access rights that are required to carry out a specific task. Breaching this principle can also take place when a person collects further access rights over time. This takes place when a worker’s job roles change, for example when someone is promoted or when one is transferred to a new department. The access rights needed by their new roles are often added onto their already present access rights which might no longer be essential or suitable (Ivan 55). Physical Control Workplace and computing facilities environment is monitored and controlled through physical controls. What’s more, physical controls monitor and control the accessing of these facilities. This includes the doors, locks, cameras, fencing, fire alarms, security guards and many more. Other physical controls include the separation of the network and work place into functional areas. Separating the duties is a crucial physical control. Separating the duties enables a person not to carry out a certain task alone. For instance, a worker who presents a request for reimbursement is not supposed to be in a position to permit payment or print the cheque. On the other hand, an application programmer is not supposed to be able to act as the server administrator; these duties should be separated from each other. Defense in Depth Information security should protect information all through the information lifespan; from the time the information was created to the time the information is disposed. The information should be protected when in motion and at rest. During the information life span, information can pass through several varying information processing systems and through numerous varying parts of information processing systems. Normally, there are various different means of threatening the information and also information systems. To entirely protect the information during its lifespan, all elements of the information processing system should have their own protection systems. The setting up, layering on along with overlapping of security procedures is known as defense in depth. The strong point of any system is not in any way better that it’s weakest tie. Utilizing a defense in depth strategy, in case one defensive measure fails, there should be other defensive measures that should continue providing protection. Going back to administrative controls, logical controls and physical controls; these controls can form the foundation where a defense-in-depth strategy can be established. Using this approach, defense-in-depth can be conceptualized as three different layers. Further insight into defense-in-depth can be obtained through perceiving it as formation of union layers, with information being the center of the union, individuals the subsequent outer layer of the union and network security, host-founded security in addition to application security forming the furthest union layers. Both perceptions are similarly valid and each offers important insight when implementing a high-quality defense-in-depth approach (Thomas 24-26). Classification of Security Information A critical element of information security within an organization is the acknowledgement of information and defining suitable processes and protection necessities for the information. Essentially, all information is not equivalent and hence not all information needs the same level of protection. Therefore, information should be allocated a security classification. During information classification, the first step should be the identification of senior management as being the owner of the information being classified. Afterward, a classification policy should be developed. According to Boddington, the policy is supposed to illustrate various classification labels, characterize the standards for assigning the information a given label, and also name the needed security controls for all classifications. Some features influencing the assigning of information classification comprise that importance of this information to the organization, the life-span of the information and if the information is outdated or not. The category of information security classification labels chosen and used is dependent on the organizational nature. For example, a business sector has labels like; public, sensitive, private and confidential (Boddington 4-5). All workers within an organization and also business partners should be having the required skills regarding the classification plan and understand the necessary security controls and handling processes for every categorization. The categorization of a specific information asset has been allocated is supposed to be appraised periodically to make sure the classification is still suitable for the information and to make sure that the security controls needed by the information categorization are there. Access Control Only the authorized individuals should be able to access the protected information. The organizational computers and to some extend the computer programs that process the information, should also be authorized. This necessitates the presence of the necessary mechanisms to control the accessing of the protected information. The complexity of the access control mechanisms ought to be at par with the worth of the organizational information being protected; the most sensitive and worth information requires the strongest control mechanisms. The base on which access control mechanisms are developed begin with identifying and authenticating. Identification Identification refers to the declaration of who a person is. If an individual claims “Good morning, my name is Simon” they are making a claim of their identity. Nevertheless, the assertion can be true or not. Before Simon can be allowed to access the protected information, he will be required to authenticate that he is the person he is claiming to be. Authentication Authentication refers to the verification of the identity claim. There are three kinds of information that can be used during authentication; what one knows, what someone has and something a person is. An example of something one knows is a PIN or a password. An example of what one has is an Identity card and an example of biometrics is a finger print or a retina scan. Strong authentication necessitates one to provide information from two of the three various kinds of authentication information. For instance, something one knows as well as something one has. This is known as two factor authentication. In many organizations, the computer systems use the Username as the identification form and password as the authentication form. Even though usernames and password have been used for a long time, they are slowly being replaced by more complex authentication means (Quigley 20-22) Authorization After successful identification and authentication, the information an employee is allowed to access is established. Moreover, the actions the person is permitted to carry out, for example view, change or delete is established. Authorization to access information starts with administrative policies in an organization. The policies lay down the information to be accessed, the people allowed to access such information as well as the conditions under which an individual may access the information. After this, the access control measures are constituted to implement these policies (Quigley 24). Diverse computing systems have different forms of access control mechanisms; some computing systems can even provide a choice of diverse access control mechanisms. The access control mechanism a computing system provides is based on three approaches to access control or it can be from amalgamation of the three approaches. Primarily, a non-discretionary approach combines all access control mechanisms under an integrated administration. Information access is normally based on the responsibility of the employee in the organization or the duty an individual is supposed to carry out. The discretionary approach provides the information resource owner with the capacity to control any access to these resources. On the other hand, the mandatory access control approach, information access is given or denied depending on the security categorization allotted to the information resource. Some examples of access control mechanisms include file permissions offered within UNIX, and group policy objects offered within Windows network systems. To be effectual, polices as well as other security controls should be enforceable and maintained. Efficient policies enable everyone to be responsible of his or her actions. More importantly, all failed and successful authentication trials should be logged, and also all information access should leave some kind of audit track (Quigley 12). Change management This is the procedure of directing and controlling changes to the information processing setting. This comprises changes to computers, servers and network. The main reason of change management is to lower the risks that come along due to the change of information processing environment and advance the steadiness and steadfastness of the processing atmosphere as changes take place. However, change management does not aim at preventing or obstructing essential changes from being employed (Vacca 42). Changing the information processing environment comes with some risks. Change management is used to manage the risks resulting from changing the information processing environment. Partly, change management process guarantees that changes aren’t employed at ill-timed period when they can interrupt important business procedures or disrupt other changes being executed. During the change management, the first important steps are: Defining the change Defining the scale of the change system Change management is normally supervised by a change review board having representatives from major business area, security, system administrators, desktop support and such. The change management processes that are easy can largely lower the general risk that results when changes occur on the information processing environment. Good change management processes enhance the quality as well as the success of changes during the implementation. This is achieved by planning, peer review, documentation in addition to communication (Vacca 42). Conclusion In spite of the security measures that an organization takes to protect the information, a breach of security takes place and hence it is appropriate for the organization to deal with the breach of information security efficiently. Information security breach can result from theft, an intentional system attack, system failure, unauthorized information access by an employee or fortuitous information loss. Nonetheless, the breach takes places and this should be responded to and managed properly. Therefore, an organization should have a policy that tackles information security breach as an organizational security measure. Organizational information only maintains is potential to deliver value, when its confidentiality, integrity and availability can be protected. Works Cited Boddington, Riochard. Knowledge and Information Security. ICT 265/565-PTR220. Julia Allen. The CERT Guide to System and Network Security Practices. Boston, MA: Addison- Wesley, 2005. Russell Vines. The CISSP Prep Guide. Indianapolis, IN: Wiley, 2004. Chris Mac. Network Security Assessment. Sebastopol, CA: O'Reilly, 2007. Ivan Eder. Advances in databases and information systems: Third East European Conference, ADBIS'99, Maribor, Slovenia, September 13-16, 1999: proceedings. London: Springer. Thomas Palter. Information Security Risk Analysis. Boca Raton, FL: Auerbach publications, 2001. Thomas Palter. Information Security Policies, Procedures, and Standards: guidelines for effective Information security management. Boca Raton, FL: Auerbach publications, 2007. Gregory White. All-in-one Security+ Certification Exam Guide. Emeryville, CA: McGraw- Hill/Osborn, 2008. Gurpreet DP. Principles of Information Systems Security: text and cases. New York: John Wiley & Sons, 2007. Quigley Marian. Information security and ethics: social and organizational issues. Sydney: Sage, 2008. Vacca John. Computer and information security handbook. New Jersey: Morgan Kaufmann, 2009. Read More