LECTURER: MR C. T. MUTARE
QUESTION: Identify the 5 pillars of information security that have been compromised on the
University's ERP (Microsoft Dynamics NAV) over the past two years. Assess how each
compromise happened and how it affected the University's operations.
Availability is the first pillar that was compromised in NUST's ERP over the past two years.
Availability refers to dependable access of users to authorized
information, particularly in light of attacks such as denial of service against information systems
(Jaquith, 2003). According to the Zimbabwean Article (A voice of the voiceless), NUST reported
that hackers injected malware into the institution's computer system, which deleted students'
results and payment history. The availability pillar was compromised in this situation as the part
three students who were supposed to go for attachment could not access their results. In this case,
students were limited in their ability to access important information such as results and their
payment history. This affected the university as it could mean that students would need to
re-register and rewrite the same courses in the following year, thus increasing the workload for
university employees and students.
Integrity is another pillar which was compromised in NUST's ERP two years ago.
Integrity is the protection of information against unauthorized deletion or damage and
masquerading by malicious code (Geer, 2002). Therefore, upholding the information system's
integrity involves keeping its network intact and uncompromised. The integrity pillar of
information security was compromised in that important information, such as students' results
and payment history, was deleted. This could hinder the continuation of education in the
University as the part two students were not able to go for attachment without knowing their
grades. For example, one of the students mentioned in the report that, “I hope that can be
resolved because if not I will have to re-register and re-write the same course again next year
because special exams for final students this year have been written. It is my hope that the
payment history does not get interrupted”. This shows that the university was going to have a
backlog and hence an increased workload, which would require employees to work extra time and
the university to increase their pay, which would in turn increase the university budget.
Confidentiality is another pillar of information security which was compromised in the situation
when hackers injected malware into the NUST computer system. Confidentiality is the protection
of information against theft and eavesdropping (Enslow et al., 2003). The pillar entails that only
those who are authorized can access data, devices or processes that contain data. This pillar was
compromised in the sense that a student could log in using a username and password
combination and the portal would produce information for another student. This compromised the
secrecy of private information such as students' results and payment history, making
private information public without the consent of the owner. This destroyed the reputation of the
university as it could indicate poor information security, and therefore the university had to move to
the old system of processing students' results, thus placing the University computer system on
old technology which is slow at processing. For example, the university in the article mentioned
that, “To ensure a successful graduation ceremony and smooth running of blended teaching and
learning, the university has moved to the old system of processing students’ results.” Therefore,
the University had to run behind time in its operations.
In conclusion, the compromise that occurred on the university ERP (Microsoft Dynamics
Navision) had a high impact on the university's operations, as the university had to bear
the cost of data recovery. This also made the university deploy the old system of processing
results. Therefore it should be noted that, in order to reduce such levels of risk, investigation of
the authentication system's flows, penetration tests to simulate system attacks, and the use of
firewalls should be implemented so that such situations are avoided.
References
1. Alberts, C., and Dorofee, A. (2002). Managing information security risks: the OCTAVE
approach. Reading, MA: Addison Wesley.
2. Blakley, B., McDermott, E., and Geer, D. (2002). Information security is information risk
management. In proc. of ACM Workshop on New Security Paradigms (NSPW’01),
97-104.
3. Decker, R. (2001). Key elements of a risk management approach. GAO-02-150T, U.S.
General Accounting Office.
4. Farahmand, F., Navathe, S., Sharp, G., and Enslow, P. (2003). Managing vulnerabilities
of information systems to security incidents. In proc. of ACM 2nd International Conf. on
Entertainment Computing (ICEC 2003), 348-354.
5. Geer, D., Hoo, K., and Jaquith, A. (2003). Information security: why the future belongs
to the quants. IEEE Security and Privacy, 1(4), 24-32.