Information Security

Lecture 01

Introduction
Information Security is not only about securing information from unauthorized access.
Information Security is the practice of preventing unauthorized access, use, disclosure,
disruption, modification, inspection, recording or destruction of information. Information
can be physical or electronic. It can be anything from one's personal details, such as a
profile on social media, to the data on a mobile phone or one's biometrics. Information
Security therefore spans many research areas, such as Cryptography, Mobile Computing,
Cyber Forensics and Online Social Media. During the First World War, a multi-tier
classification system was developed with the sensitivity of information in mind. With the
beginning of the Second World War, the classification system was formally aligned. Alan
Turing was the one who successfully decrypted the Enigma Machine, which the Germans used to
encrypt warfare data. Information Security programs are built around three objectives,
commonly known as CIA: Confidentiality, Integrity and Availability.

What is Security?

Security for information technology (IT) refers to the methods, tools and personnel used
to defend an organization's digital assets. The goal of IT security is to protect these
assets, devices and services from being disrupted, stolen or exploited by unauthorized
users, otherwise known as threat actors.

Key Concepts

The basic tenets of information security are confidentiality, integrity and availability.
Every element of the information security program must be designed to implement one or
more of these principles. Together they are called the CIA Triad.

Components of an Information System

An information system is described as having the following components.
1. Computer Hardware. This is the physical technology that works with information.
2. Computer Software. The hardware needs to know what to do, and that is the role of software.
3. Database and data warehouse.
4. Human resources and procedures.
5. Networks and Telecommunications.
6. Procedures.

Computer security issues

Some security issues are encountered almost all the time:
1. Computer viruses
2. Trojan horses
3. Computer worms (e.g. the Morris worm, the Melissa worm)
4. Distributed denial of service attacks
5. Computer break-ins
6. Email spam
7. Identity theft
8. Zero-day attacks
9. Botnets
10. Serious security flaws in many important systems
11. Spyware
12. Drive-by downloads
13. Social engineering attacks

Balancing Information security and access

An organization's purpose is to protect the interests of its users and to provide them with
the appropriate amount of information whenever necessary. At the same time, the information
must be given adequate security so that not just anyone can access it. The need to maintain
the right balance between information security and accessibility arises from the fact that
information security can never be absolute.
Providing free access to a piece of information would be harmful, and it would be equally
hard to restrict access altogether. So one needs to make sure that exactly the required
balance is maintained, so that both the users and the security professionals are satisfied.

The System Development Life Cycle

Investigate: The following steps lead to a thorough investigation:
1. Identification
2. Initial Investigation (System and Service Review)
3. Immediate Actions
4. Initial Reporting
5. Remediation planning
6. Remediation
7. Reporting

Analysis: Information analysis is the process of inspecting, transforming, and modelling information
by converting raw data into actionable knowledge, in support of the decision-making process. It is a
systematic process of discovering and interpreting information. It has several variations:
1. Search
2. Source validation
3. Information gathering
4. Original research
5. Aggregation
6. Mapping
7. Categorization
8. Modeling
9. Summary
10. Interpretation

Logical Design: System design takes the following inputs:
- Statement of work
- Requirement determination plan
- Current situation analysis
- Proposed system requirements, including a conceptual data model, modified DFDs, and metadata
  (data about data).

Physical Design: Physical design relates to the actual input and output processes of the system. It focuses
on how data is entered into a system, verified, processed, and displayed as output.
It produces the working system by defining the design specification that specifies exactly what the candidate
system does. It is concerned with user interface design, process design, and data design.
It consists of the following steps:
- Specifying the input/output media, designing the database, and specifying backup procedures.
- Planning system implementation.
- Devising a test and implementation plan, and specifying any new hardware and software.
- Updating costs, benefits, conversion dates, and system constraints.

Implementation: The implementation phase in the SDLC is the process of configuring the software for certain
conditions of use, as well as training customers to work with the product. This stage begins after the
system has been tested and accepted by the company. At this point, the program is installed to support the
intended business functions.

Maintenance: Matt is a project manager assigned to deliver a software application to an insurance
company. After Matt's project team completes the coding and implementation phases of the software
development life cycle (SDLC), the product is deployed to the insurance company. Now that the insurance
company has the software, and the software is working as intended, Matt's team meets with the insurance
company to provide instructions for the maintenance and upkeep of the software. The maintenance
phase of the SDLC occurs after the product is in full operation. Maintenance of software can include
software upgrades, repairs, and fixes of the software if it breaks.
Software applications often need to be upgraded or integrated with new systems the customer deploys. It is
often necessary to provide additional testing of the software or version upgrades. During the maintenance
phase, errors or defects may surface, which require repairs and further testing of the software.
Monitoring the performance of the software is also part of the maintenance phase.

Data Responsibilities

General Responsibilities:

1. Ensure compliance with TCNJ policies and all regulatory requirements as they relate to the information
   asset.
2. Assign an appropriate classification to information assets.
3. Determine appropriate criteria for obtaining access to information assets.
4. Assign and remove access to others based upon the direction of the Data Owner.
   Assigning access to the information asset dataset so others can perform their respective job functions is an
   important and necessary part of the Data Custodian's job.
5. Produce reports or derivative information for others.
   In many cases the Data Custodian is also responsible for producing, interpreting, and distributing
   information based on the datasets to which he or she has access.
6. Log all information provided and access granted to others.
   A log of all information that is disseminated must be kept, including the dataset used, the receiving party, and
   the date. Likewise, access granted to others must be logged, including the access level granted and the
   dataset in question.
7. Implement appropriate physical and technical safeguards to protect the confidentiality, integrity, and
   availability of the information asset dataset.
8. Adhere to policies, guidelines and procedures pertaining to the protection of information assets.
9. Report actual or suspected security and/or policy violations/breaches to an appropriate authority.