
NATIONAL UNIVERSITY OF SCIENCE AND TECHNOLOGY

FACULTY OF COMMUNICATION AND INFORMATION SCIENCE

DEPARTMENT OF RECORDS AND ARCHIVES MANAGEMENT

BSc Hons INFORMATION MANAGEMENT AND TECHNOLOGY

NAME: PANASHE E CHITAPI

STUDENT NUMBER: N02160040W

COURSE: INFORMATION SECURITY

COURSE CODE: IIM 2102

LECTURER: MR C. T. MUTARE

QUESTION: Identify the 5 pillars of information security that have been compromised on the
University's ERP (Microsoft Dynamics NAV) over the past two years. Assess how each
compromise happened and how it affected the University's operations.

DUE DATE: 04 NOVEMBER


Information security refers to a collection of technologies, standards, policies and management
practices that are applied to information to keep it secure (Decker, 2001). Information security is
also defined as the protection of information (data) and information systems from unauthorized
access, use, disclosure, disruption, modification or destruction (Enslow et al., 2003).
Information security is crucial because it defends information, and the facilities and systems that
store, use and transmit it, from a wide range of threats in order to preserve its value to the
organization. Information security is enhanced through the use of the five pillars, which are often
referred to as the guidelines for maintaining an information system's safety against man-made and
natural threats. These pillars are Availability, Authentication, Integrity, Confidentiality and
non-repudiation. The pillars of information security were compromised on the National University of
Science and Technology's ERP (Microsoft Dynamics Navision) over the past two years. This
write-up assesses how each pillar was compromised and how it affected the university's
operations.

Availability is the first pillar that was compromised on NUST's ERP over the past two years.
Availability refers to dependable access of users to authorized
information, particularly in light of attacks such as denial of service against information systems
(Jaquith, 2003). According to the Zimbabwean article (A voice of the voiceless), NUST reported
that hackers injected malware into the institution's computer system, which deleted students'
results and payment history. The availability pillar was compromised in this situation because the
part three students who were supposed to go for attachment could not access their results. In this
case, students were limited in their ability to access important information such as their results
and payment history. This affected the university because it could mean that students would need to
re-register and rewrite the same courses in the following year, thus increasing the workload for
university employees and, most of all, students.

Integrity is another pillar that was compromised on NUST's ERP two years ago.
Integrity is the protection of information against unauthorized deletion or damage and against
masquerade by malicious code (Geer, 2002). Therefore, upholding an information system's
integrity involves keeping its network intact and uncompromised. The integrity pillar of
information security was compromised in that important information, such as students' results and
payment history, was deleted. This could hinder the continuation of education at the
University, as the part two students were not able to go for attachment without knowing their
grades. For example, one of the students mentioned in the report said, “I hope that can be
resolved because if not I will have to re-register and re-write the same course again next year
because special exams for final students this year have been written. It is my hope that the
payment history does not get interrupted”. This shows that the university was going to have a
backlog, and hence an increased workload, which would require employees to work extra time and
the university to increase their payment, which in turn would increase the university budget.

Confidentiality is another pillar of information security that was compromised when hackers
injected malware into the NUST computer system. Confidentiality is the protection
of information against theft and eavesdropping (Enslow et al., 2003). The pillar entails that only
those who are authorized can access data, or the devices and processes that contain data. This
pillar was compromised in the sense that a student could log in using their username and password
combination and the portal would produce information for another student. This compromised the
secrecy of private information such as students' results and payment history, making
private information public without the consent of the owner. This damaged the reputation of the
university, as it could demonstrate poor information security, and the university therefore had to
move to the old system of processing students' results, thus placing the University computer system
on old technology which is slow in processing. For example, the university mentioned in the article
that, “To ensure a successful graduation ceremony and smooth running of blended teaching and
learning, the university has moved to the old system of processing students’ results.” As a result,
the University fell behind time in its operations.

Authenticity refers to the application of authentication methods, such as biometrics or a username
and password combination, to verify a user's identity before granting access to information
(Dorofee, 2002). When this pillar is compromised, data can be stolen, altered or impaired. This
pillar was compromised when hackers injected malware into the computer system of
NUST, leading to information being produced for the wrong user. In this case, Navision could
not produce information according to the identity of the requester. That is, NUST students could
provide their usernames and passwords and the portal would produce information for other students
who did not request such information. This shows that the authentication system of the
university was impaired, compromising the authenticity pillar of information security. This
damaged the reputation of the institution and slowed down its operations as the university had to
deal with that problem in the patience of the students.

In conclusion, the compromise that occurred on the university ERP (Microsoft Dynamics
Navision) had a high impact on the university's operations, as the university had to bear
the cost of data recovery. It also made the university deploy the old system of processing
results. Therefore, it should be noted that in order to reduce such levels of risk, investigation of
flaws in the authentication system, running penetration tests to simulate system attacks and the use
of firewalls should be implemented so that such situations are avoided.

References

1. Alberts, C., and Dorofee, A. (2002). Managing information security risks: the OCTAVE
approach. Reading, MA: Addison Wesley.
2. Blakley, B., McDermott, E., and Geer, D. (2002). Information security is information risk
management. In proc. of ACM Workshop on New Security Paradigms (NSPW’01),
97-104.
3. Decker, R. (2001). Key elements of a risk management approach. GAO-02-150T, U.S.
General Accounting Office.
4. Farahmand, F., Navathe, S., Sharp, G., and Enslow, P. (2003). Managing vulnerabilities
of information systems to security incidents. In proc. of ACM 2nd International Conf. on
Entertainment Computing (ICEC 2003), 348-354.
5. Geer, D., Hoo, K., and Jaquith, A. (2003). Information security: why the future belongs
to the quants. IEEE Security and Privacy, 1(4), 24-32.
