
INFORMATION SECURITY

Information security is a prime concern for organizations that use computer-based information systems, because the potential for security breaches is much higher in these systems than in manual ones.

It concerns the protection of information assets against loss, damage, or unauthorized disclosure.


The basic objective of information security is to protect the interests of those who rely on information from harm resulting from failures of availability, confidentiality or integrity. The objective is met when:
- Information systems are available and usable whenever required (availability objective)
- Information is disclosed only to those who have the right to know it (confidentiality objective)
- Information is protected against unauthorized modification (integrity objective)

PRINCIPLES OF IS
1. Accountability principle
2. Awareness principle
3. Multidisciplinary principle
4. Integration principle
5. Timeliness principle
6. Reassessment principle
7. Cost-effective principle
8. Societal principle

1. Accountability principle: the following issues should be considered:
- Specification of ownership of data and information
- Unique identification of each user who accesses the system
- Assignment of responsibility for maintenance of data and information
- Institution of investigative and other remedial procedures when a breach or an attempted breach of information security occurs

2. Awareness principle: the following issues should be considered:
- The level of detail disclosed should be consistent with information security requirements
- Appropriate knowledge should be available to all parties concerned
- Information security is not a one-shot action but an ongoing process, so that it becomes part of the organizational culture
- Security awareness, being an ongoing process, applies to all employees, whether existing staff or new recruits

3. Multidisciplinary principle: the issues to be tackled in this context are:
- Business value of the information being protected
- Technology available to meet the information security requirements
- Impact of organizational and technological changes
- Requirements of legal and industry norms
- Requirements of managing advanced technology for information security

4. Integration principle: the issues that should be addressed are:
- Information security policy and administration should be an integral part of the overall management of the organization
- Information systems development and information security should be consistent with each other

5. Timeliness principle: the issues that should be taken care of are:
- The instantaneous and irrevocable nature of business transactions
- The volume of information generated by increasingly interconnected and complex information systems
- Automated tools to support real-time monitoring
- Expedient reporting of security breaches to the appropriate decision-making level

6. Reassessment principle: the issues that should be taken care of are:
- Increasingly frequent upgrading of information systems according to business needs
- Changes in information systems and their infrastructure
- New threats emerging over time that require extra safeguards
- New information security technology that has emerged or is emerging

7. Cost-effective principle: the issues that should be taken care of are:
- The value of a particular information asset to the organization, and the organization's dependence on it
- The amount of security and confidentiality required
- The nature of the threats that exist
- The costs and benefits of security
- The optimum level beyond which the cost of further security measures becomes prohibitive

8. Societal principle: the issues that should be taken care of are:
- Fair presentation of data and information to legitimate users
- Ethical use and disclosure of information obtained from others

APPROACHES
- Preventive information protection approach
- Restorative information protection approach
- Holistic information protection approach

IMPLEMENTATION OF IS
1. DEVELOPMENT OF SECURITY POLICIES
2. PRESCRIBING ROLES AND RESPONSIBILITIES
3. DESIGNING SECURITY MEASURES
4. EDUCATING EMPLOYEES
5. IMPLEMENTATION
6. MONITORING

1. DEVELOPMENT OF SECURITY POLICIES


A policy is a statement or general understanding that provides guidelines for decision making to members of an organization in respect of any course of action. While designing such policies, the core principles of information security should be kept in mind so that sound policies are developed. A policy should cover the following aspects:
- The importance of and need for information security in the organization
- A statement from the chief executive of the organization in support of the objectives of effective information security
- Data security
- Communication security
- Personnel security
- Description of responsibility and accountability for information security
- Physical, logical and environmental security
- Security awareness, education and training
- Security breaches, and detection and reporting requirements

2. PRESCRIBING ROLES AND RESPONSIBILITIES

- Chief information executive: has overall responsibility for developing and operating information systems, including their security
- Information security administrator: has overall responsibility for information security
- Other professionals: responsible for security measures in their respective areas
- Data owners: responsible for ensuring that appropriate security, consistent with organizational policies, is embedded in the information systems
- Technology providers: responsible for assisting in the implementation of information security
- Users: responsible for adhering to the procedures prescribed for information security

3. DESIGNING SECURITY MEASURES

This includes prescribing standards, procedures, methods and practices in respect of information security. While designing security measures, the security requirements of each individual information system should be taken into account, as different information systems have different security requirements.

4. EDUCATING EMPLOYEES

- Technical training
- Behavioral training

5. IMPLEMENTATION

- Managerial controls
- Identification and authentication controls
- Logical access controls
- Accountability controls
- Cryptographic controls
- Computer operations controls
- Physical and environmental controls

6. MONITORING

Issues that need to be addressed in achieving effective monitoring include:
- Appointment of an appropriate person, such as the information security administrator, with adequate authority, tools and resources to exercise control
- Establishment of clear investigation procedures
- Information systems audit by external auditors
- Establishment of audit trails, since information from a large number of systems may need to be examined

SOURCES OF THREATS TO IS
- Internal sources
- External sources

INTERNET FRAUDS
Hacking

Protection against hacking:
- Checking system security
- Use of firewalls
- Data encryption

Viruses

Protection against viruses:
- Use of antivirus software
- Procurement of software from reliable sources
- Testing new applications on stand-alone systems
