
INTRODUCTION TO INFORMATION SYSTEMS SECURITY

OVERVIEW

THE INTERNET HAS CHANGED DRAMATICALLY from its origins. It has grown from a
tool used by a small number of universities and government agencies to a worldwide
network with more than 3 billion users. As it has grown, it has changed the way people
communicate and do business, bringing many opportunities and benefits.

Today the Internet continues to grow and expand in new and varied ways. It supports
innovation and new services such as IP mobility and smartphone connectivity.

When the Internet started, the majority of connected devices were solely computers,
whether for personal use or within a company. In the most recent years, however, an
increasing variety of devices beyond computers, including smartphones, appliances,
vending machines, smart homes, and smart buildings, can connect and share data.

Today, people interact with the Internet and cyberspace as part of normal day-to-day
living.

This includes

• personal use
• business use.

Users must now address issues of personal data privacy and business data security.

Security threats can come from either

• personal use, or
• business use of your Internet-connected device.

Intelligent and aggressive cybercriminals, terrorists, and scam artists lie in wait in the
shadows.

Connecting your computers or devices to the Internet immediately exposes them to
attack. These attacks result in frustration and hardship. Anyone whose personal
information has been stolen (called identity theft) can attest to that.

Worse, attacks on computers and networked devices are a threat to the national
economy, which depends on e-commerce. Even more important, cyber-attacks threaten
national security. For example, terrorist attackers could shut down electricity grids and
disrupt military communication.

The world needs people who understand computer security and who can protect
computers and networks from criminals and terrorists. Remember, it’s all about
securing your sensitive data. If you have sensitive data, you must protect it.

What Is Information Security?

Before you learn about information security and see how important it is, you first need
to understand terms like information and security.

When you see these two words “information and security” you might wonder what type
of information is being discussed and why you would need to secure it.

The truth is that people unknowingly do many things that put their personal information
at risk, and they often don’t know the impact of these mistakes.

Securing information is a big challenge. This includes not only the protection of your
own personal information but also the protection of that information by the
organizations that store it on their systems.

The type of information that you need to secure includes personal and organizational
data.

• Personal information includes banking data like ATM card details, transaction
details, information regarding banking passwords, and other personal details.
• Medical reports are also at risk of being stolen; this can be in the form of
electronic reports or hard copies.
• Organizational data, such as trade secrets, product designs, and customer
information, is also at risk and must be secured.

There are various ways and means to protect information. In this book, you will learn
about the various best practices.

Data

Data can be any raw fact used to make decisions. Data is defined as a group of
numbers, letters, special characters in the form of text, images, voice recordings, and
so on. For example, the number 1034778 could be a bank account number, an enrollment
number at a university, a vehicle number, and so on. The number in this example is just
a raw fact and hence it’s called data.

Information

Information is data that can be processed to provide meaning. Information can be
related data that enables you to make decisions. In other words, information brings
clarity to the data so that you can act on it.

Information is data that has been processed into a form that is meaningful to the
recipient and is of real or perceived value in current or prospective actions or decisions.

Here are some characteristics of information:

• Availability: The information is available when required. For example, if you need
some back-dated data that you saved on the cloud a few years ago, it should be
available when required.

• Accuracy: The information is correct. The decisions that you make are based on the
accuracy of the information. For example, an experienced team member estimates the
project’s timeline and your budget is allocated based on that information. If the
information is not correct, that may lead to project delays or even termination.

• Authenticity: This term refers to the originality of the information. It should not have
been altered by anyone else. For example, if you are presenting a status report to your
client, it should be authentic or original.

• Confidentiality: Only those people who have access rights or are authorized can see the
information. For example, salary data is confidential, so only authorized persons should
be able to access that information.

• Integrity: Integrity refers to the completeness of the information. The information that
you save must be complete and not corrupted. For example, you save important
information to the database. When you access it, it must be retrieved the same way it
was saved.

Information security is the practice of protecting information from unauthorized use.

We are living in an era where electronic devices such as laptops and mobile phones
have become part of our basic needs. We save huge amounts of information on our
computers, smartphones, storage devices, tablets, and on paper and then we often
treat them as ordinary files that have no importance. But if this information gets into
the wrong hands, it can lead to inconvenience, monetary losses, and reputation issues
for the organization. Hence, you need to make sure that all your important documents
are password protected, and you should avoid the habit of using the same passwords
for everything.

Information security is not only about securing information against unauthorized
access. It is the practice of preventing unauthorized access, use, modification, and
destruction of information.

It is important to know the international standard for information security. Let’s look at
ISO 27001.

How ISO 27001 Applies to You

Imagine you are responsible for securing confidential data. What if this information was
stolen? What if your competitor accessed this information? In the wrong hands,
personal information can be used against you. This section explains how ISO 27001 can
safeguard your information.

ISO 27001: Information Security Management System

The latest published version of the Information Security Management System (ISMS)
standard is BS EN ISO/IEC 27001: 2017.

An ISMS is a framework of policies and procedures for managing risk.

• Define an information security policy: The main purpose of an information
security policy is to define what top management wants to achieve with its
security measures. This tells management who is responsible for which items,
with clear expectations, roles, and responsibilities.
• Define the scope of the ISMS: Scope is an important factor in accordance with
the statement of applicability. The scope should cover the location of the
information security audit, the functions involved in the audit, as well as the
personnel and assets involved (physical, software, and information). It should
clearly define any exclusion. For example, say you are performing an audit for a
software division that includes the HR, IT, and admin departments (not including
sales and marketing). In this case, your scope document should clearly define
sales and marketing as exclusions.
• Conduct a risk assessment: Risk assessment is an essential part of any
business, and ISO 27001 focuses on risk-based planning. The assessment or
analysis is based on the asset register. In simple words, you need to identify
which incidents might happen and determine the best way to do asset-based risk
assessments. This can be done by creating a focus group, holding a
brainstorming session, or interviewing asset owners.
• Manage identified risks: When managing identified risks, it is important to
use the plan document. When a risk is identified, it should be registered in the
risk register and categorized based on the organizational risk management plan.
The asset owners should be responsible for their asset risk; however, the
standard does not tell you how to deal with the risk.
• Select the control objectives and controls to be implemented: There is a
long list of controls in ISO 27001. Chapter 7 covers these controls in detail.
• Prepare a statement of applicability: A statement of applicability in ISO
27001 is also referred to as an SOA document. It is one of the most important
documents in the system, and organizations generally tend to spend more time
preparing it. This document will tell you how they implement the controls. It also
identifies any inclusions and exclusions.

This international standard provides requirements for establishing, implementing,
maintaining, and continually improving an information security management system.

An ISMS is a systematic approach to managing sensitive company information so that
it remains secure. Adopting an ISMS is a strategic decision since it includes people,
processes, and IT systems. It can help small, medium, and large businesses in any
sector keep their assets secure.

ISMSs stand on three main pillars, referred to as the CIA triad:

• Confidentiality

• Integrity

• Availability

Confidentiality

Confidentiality refers to protecting information from being accessed by unauthorized
parties. Imagine that you started a new company. You have physical assets like a
building, equipment, and computers. You have employees and important data, which
are also assets. You want only authorized people to see the data, so you want to
implement confidentiality. This way, only authorized people can access the data and
work with it. You can implement confidentiality by encrypting the data files and then
storing them on a disk. By doing this, only people who have access to the disk can see
the data and work with it.

In terms of personal information, say you want to open a new savings account at the
bank and need to invest $10,000. This information is confidential, as only the bank and
you can access it.

Integrity

Integrity refers to the consistency, accuracy, and trustworthiness of data over its entire
lifecycle. If you transfer $1001 to your friend, you want to be sure that he receives
$1001. You want to be confident that an unauthorized attacker can’t alter or manipulate
it to make it $100, or that the bank won’t make an error.
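The integrity property described above, the $1001 transfer that must not arrive as $100, can be made concrete with a keyed message authentication code. The following is an added Python example, not from the book; it tags a transfer record with HMAC-SHA256 so that an altered amount fails verification, and contrasts that with an unkeyed SHA-256 checksum, which an attacker who can change the record can simply recompute. The key value and the record fields are constructed for the demo.

```python
import hashlib
import hmac
import json

# Constructed demo key shared by the bank and the account holder's client.
# A real deployment would obtain it from a key-management system.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"


def canonical(record: dict) -> bytes:
    # Canonical JSON so that field order never changes the bytes being tagged.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def protect(record: dict, key: bytes = SHARED_KEY) -> dict:
    # Attach an HMAC-SHA256 tag; only holders of the key can produce a valid tag.
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify(message: dict, key: bytes = SHARED_KEY) -> bool:
    # Recompute the tag and compare in constant time to avoid timing leaks.
    expected = hmac.new(key, canonical(message["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, message["tag"])


def tamper(message: dict, new_amount: int) -> dict:
    # An attacker on the wire changes the amount but cannot recompute the keyed tag.
    altered = {"record": dict(message["record"]), "tag": message["tag"]}
    altered["record"]["amount"] = new_amount
    return altered


def protect_with_checksum(record: dict) -> dict:
    # Contrast: an unkeyed checksum only protects against accidental corruption.
    return {"record": record, "checksum": hashlib.sha256(canonical(record)).hexdigest()}


def verify_checksum(message: dict) -> bool:
    return hashlib.sha256(canonical(message["record"])).hexdigest() == message["checksum"]


def forge_checksum(message: dict, new_amount: int) -> dict:
    # Anyone who can alter the record can also recompute the unkeyed checksum.
    return protect_with_checksum(dict(message["record"], amount=new_amount))


def demo() -> tuple:
    # Returns (original HMAC ok, tampered HMAC ok, forged checksum ok).
    original = protect({"from": "you", "to": "friend", "amount": 1001})
    forged = forge_checksum(protect_with_checksum(original["record"]), 100)
    return verify(original), verify(tamper(original, 100)), verify_checksum(forged)
```

Running `demo()` returns `(True, False, True)`: the keyed tag catches the $100 alteration, while the unkeyed checksum still "verifies" after the attacker rewrites it.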

Availability

The availability of data is also very important. If the data is stored in a database, it is
very important that the business or authorized user can access it when needed. The
data should be readily available to authorized users. If the data is secured but not
available when it’s requested, this can be a big risk to the company. Say you go to the
bank to withdraw some money from your account, but the bank official tells you that
service is not available at that time. You will likely lose faith in that bank. Availability is
ensured by continuously maintaining the hardware and software. It is important to
ensure an optimal environment that is free from software conflicts. Security equipment,
such as firewalls and proxy servers, can guard against downtime and ensure protection
from denial of service (DoS) attacks.
