138

International Journal of Research and Reviews in Computer Science (IJRRCS) Vol. 2, No. 1, March 2011

Setting up a Secure Information System Using

Information Security Management
Abdisalam M Issa-Salwe1
1
Taibah University, College of Computer Science & Engineering,
Al-Madinah Al-Munawwarah, P O Box 30002, Kingdom of Saudi Arabia
a.issasalwe@taibahu.edu.sa

Abstract – The security attention in information systems has
grown in recent years according to their diffusion, the growing role
they have in contexts in which they operate and their increasing
complexity and exposure to possible attacks. This leads Information
security not to be any longer a technology-focused problem as it has
become the basis for business survival. Information Security
Policies are the basis for a reliable information security scheme and
are critical to protect the organisation’s information system
resources and data. This paper analyses the need for organisation
the benefit of setting a strong Information Security Policies to
prevention system attacks rather than focusing on the detection
system.
Keywords: Information System security, Security Policy,
Strategic security plan, Risk assessment.
1. Introduction
Information security is the protection of information from
threats in order to ensure business continuity by reducing
business risk, and maximising return on investments and
business opportunities. In modern times, information is
exposed to a growing number of threats. Information Security
Policies are the basis for a reliable information security
scheme and are critical to protect the organisation’s
information system (IS) resources and data. IS are generally
defined by an organisation's asset that allows a company care
an organization’s business and consequently, needs to be
suitably protected. This is especially important in the
increasingly interconnected business environment. As IS are
vital to organisation it must be protected. In this case,
information system security generally consists in ensuring
that an organisation's material and software resources are
used only for their intended purposes [25].
The security attention in IS has grown in recent years
according to their diffusion, the increasing role they have in
contexts in which they operate and their increasing
complexity and exposure to possible attacks. [1] In strategic
terms, it must be emphasised alongside the availability and
integrity of information, often crucial to ensure continuity.
This paper analyses the need for organisation the
adavantage of setting a robust Information Security Policies
to prevention system attacks rather than focusing on the
detection system.
2. Background
According to International Organization for
Standardization (ISO) definition, security is the set of
measures to ensure the availability, integrity and
confidentiality of information. It is essential for
organisations to plan ahead against security breaches.
To follow this course, a contractor may offer a range of
technical protection or firewall encryption. However, it is
important to realise that the use of these techniques or
other security requires careful and systematic planning.
This leads to be able to implementation an optimal and
appropriate control within the organisation.
The security policy of the organisation, in the context of
IS, is to ensure information resources to be available to the
authorised user. It must provide each user its level of
accessibility rights, on time and in the way agreed. In IS, the
availability requirements are also linked to the performance,
and strength laid down by the security policy. The
availability of information to a user must be ensured without
interruption throughout the period provided (this is also
known as service continuity). The success of the availability
depends on factors such as the critical strength of the basic
software and application, and equipment reliability.
It is important not to assume that countermeasures in an
information system are sufficient to prevent any attacks. To
ensure a system, potential threats must be identified so as to
identify and anticipate the enemy's course of action. [25] The
system must prevent the direct or indirect alteration of the
information, both by unauthorised users and processes, and
pursuant to accidental or negligence. The system must
prevent any person from obtaining, directly or indirectly,
information that is not authorised to access.
Information security refers to all aspects of protection
covering information and IS from unauthorised access, use,
disclosure, disruption, modification, or destruction. Here the
aim is to provide confidentiality, integrity, and availability of
IS and the information within. [24] [24]
A comprehensive Information Security management
strategy should be based on security architecture of the
organisation. [26] According to Grobler and Louwrens
(2009), this architecture “…is not something one can
purchase. It is the process developing an awareness of risk,
an assessment of the current controls, and the alignment
controls to meet the requirements of the organisation…”
[27]. They argues to have a strong Information Security
Architecture the corporate Information Security Management
should be based on the sound implementation of security
technology. [26]
Research on security policy has been focusing on a small
level rather than organisational security policies. [6]
Computer security is a very spreading field. It has been

International Journal of Research and Reviews in Computer Science (IJRRCS)
examined by cryptographers, computer scientists and
electrical engineers. Because of this diversity and a
fragmentation studies on information security, there is a
serious need to make sense of the subject as a whole.
Existing literature focuses on certain sub-sectors of the
security mechanisms of information, such as access control
[11, 12], development of IS and security and encryption. [13,
15], Nevertheless, a comprehensive analysis of contributions
in the field of security of IS is lacking. [4] Because the many
existing approaches and security [5], the concern must be
given serious attempt to increase our understanding of their
strengths and weaknesses. [4, 17, 18]
Herrmann and Pernul suggest a framework where security
(mainly confidentiality) and integrity requirements of
business processes can be modeled [6]. This structure
consists of a three-layered architecture for business process
security. In layer three, the high-level security requirements
of business processes are graphically analyzed. In the second
layer, these are translated into more a formal, intermediate
language, and the security elements are identified and divided
into security blocks.
At level three, the security requirements of high-level
business processes are also analysed graphically. In the
second level, these are translated into a formal intermediate
language, and security features are identified and divided into
blocks of security. [6, 19] This structure covers (i) the
outlook of the information representing the entities and their
relationships, (ii) the functional of processes and data flows
between different activities, (iii) dynamic of the possible
states of each entity of information, (iv) organisational
influence described as role models, and (v) processes of
business perspective. [6, 19]
In general, the objective of information security is to
protect organisational activities to ensure business continuity,
minimise business damage and maximise return on
investment (as defined by ISO 17799). This practice focuses
on areas commonly accepted in the community of
information security: risk management, confidentiality,
integrity and availability protection/ response intrusion
detection, identification and authentication, access control,
administration of forest safety security.
3. Setting the Security
The Information system security is generally limited to
guaranteeing the right to access a system's data and resources
by setting up authentication and control mechanisms that
ensure that the users of these resources only have the rights
that were granted to them. [25] Yet security mechanisms can
create difficulties for users. Instructions and rules often
become increasingly complicated as systems grow. Thus,
Information system security must be studied in such a way
that it does not prevent users from developing uses that they
need and so that they can use IS securely.
The proposal that all organisations should put into practice
security practices means that it is possible to find a generic or
universal set of IS procedures and best practices. [4, 21] In
139
Vol. 2, No. 1, March 2011
order to have an organisation evaluated or certified to safety
standards, or to obtain a security label of its indebtedness, it
should demonstrate to its customers and partners business,
they are trustworthy, at least when it comes to security. [4]
The initial risk assessment should describe the threat
environment in which the system works and the possible
vulnerabilities which may occur. [22] This assessment should
be followed by an initial identification of requisite security
controls that will defend the system in its operational
environment. [22]
In terms of security is generally characterised by the
following equation:
R = (M x V)/C
Where R = Risk, M = Menace, V = Vulnerability, and C =
Countermeasure
Menace * Vulnerability
Risk =
Countermeasure
The threat corresponds to the type of threat that could be
damaged, whereas the vulnerability is the level of exposure
to threats in a particular context. Finally, the countermeasure
is any action taken to prevent the threat. [25]
Countermeasures to be implemented are not only forwarded
as technical solutions, but they also include user training and
awareness, and a well-defined procedure. Awareness must be
such that information resource custodians, users, providers
and management are informed of their respective
responsibilities for protecting information resources.
The purpose of this selection is to identify the subset of
minimum cost while respecting some constraints essential as
the following,
• Completeness: the subset of countermeasures must meet
all adverse events identified for the system under
consideration.
• Homogeneity: the countermeasures to be taken must be
compatible and integrated with each other to minimize
the cost of implementation.
• Controlled redundancy: the action should be measured
and weighed carefully. Some countermeasures might be
unnecessarily redundant as they may neutralise the some
of same event rated as "low risk”.
• Effective viability: the set of countermeasures must
respect the constraints of logistics and administrative.
Selected countermeasures should be integrated into the
broader framework of a comprehensive policy that places
safety and warrants as part of a unified design. For each
countermeasure, in essence, must be shown the precise role it
occupies in relation to other countermeasures and guidelines,
which meets the overall design.
Security incident handling begins with planning and
preparing the right resources, then developing proper
procedures to be followed, such as escalation and security
incident response procedures (see Figure 1). When a security
incident is detected, a security incident response is initiated

International Journal of Research and Reviews in Computer Science (IJRRCS)
by responsible parties using predefined procedures. A
security incident response represents the activities or actions
carried out to tackle the security incident and to restore the
system to normal operation. Specific incident response teams
are usually established to perform certain tasks within the
security incident. When the incident is over, follow up action
is taken to evaluate the incident and to strengthen security
protection against a recurrence. Planning and preparation
tasks will be reviewed and revised accordingly to ensure that
there are sufficient resources available (including manpower,
equipment and technical knowledge) along with properly
defined procedures to deal with similar incidents in the
future.
Figure 1: Handling Security
Source: InfoSec, http://www.infosec.gov.hk/english/faq/faq_general.html#1
3.1 Information Security Policy
Effective policy is a team efford involving the participation
and support of very one in the organisation and affiliate who
deals with information and information system. Users should
take responsibility to follow guidelines and exiting
procedures [24]. The first step towards securing your IT
infrastructures is to decide what you are really trying to
protect, and what you are trying to protect against. This
should be clear from your organisation’s security policy – if
you do not already have a policy, this should prompt you to
consider your priorities around [28]:
• Which of your information must remain confidential
• What integrity of information must be maintained
• What protection you need against unauthorised access
• Which availability you need to ensure to your
information and systems
• Which regulatory or legal obligations you need to
comply with, in your home jurisdiction and (potentially)
abroad
3.2. Resources of a system
Protecting the security requirements of a system means: (i)
reduce the probability of a violation; (ii) early identification
when and where in the system this happens; and (iii) limit the
140
Vol. 2, No. 1, March 2011
damage and restore the conditions violated as soon as
possible. [1, 2] It is very important that these measures are
taken in a systematic way, as part of a broader security
policy, and in compliance with the technical settings.
One of the major concerns in considering a system’s
vulnerabilities would be how to protect assets of the
system.[21] Resources are possessions with potentially value
to the system. [21] In an organisation, the resources of an
information system are the entities which provide the
operation. From a safety perspective, it is important to
distinguish between resources that constitute the system and
the resource they need to work. [6] It must be anticipated,
identified and assessed the aspects which can be linked to
events that could threaten the integrity of the system
resources. [1] A classification of types of common resources
of system information is useful to proceed in a systematic and
comprehensive way. Of particular interest, it must be
distinguished between physical and logical resources. [1, 4,
6, 21]
The physical resources usually present in a modern
information system are computers (i.e. servers and
workstations), peripherals (i.e. scanners, printers, and
modems), network equipment, the premises that house the
equipment and facilities. It is worth noting that even human
operators can be considered in certain aspects as physical
resources. [2] The logical resources present are typically
application software and basic software (DBMS, OS, and
Software), databases, the configuration registers of devices.
Logical resources include all of organisational rules and
behavior of human operators. [1]
The attacks on the physical resources are mainly aimed at
removing or damaging critical assets. Some of the main types
of attack on the physical plane are the following [1]:
• Theft: disks or entire servers, is an attack on the
availability and confidentiality.
• Damage: Usually these types of attack are intended to
damage equipment and the network.
Logic level attacks are mainly intended to interfere with
the system, steal information or degrade the performance of
the system. In terms of results aims to achieve an attack
against the logic level can be classified as follows: attack on
confidentiality, attack on the integrity and attack on
availability. Levels commonly found in modern systems of
information are [1]:
• Interface (client): which implements the user interface;
• Application server:, which implements application
services;
• Data Applications: responsible for the storage of data on
mass storage and retrieval;
• Hand-frames: where applicable, the interface with the
modern information system offered by one or more
systems of "legacy" systems is important is not cheap to
replace or modify
Once critical resources are identified, steps must be taken
to ensure in case of adverse events, which could cause
 141
International Journal of Research and Reviews in Computer Science (IJRRCS) Vol. 2, No. 1, March 2011

deterioration in the characteristics of integrity, availability against those that seek to minimise the likelihood that an
and confidentiality. According to statistics, accidental events adverse event occurs;
such as the failure of one system or human error (example, • Computer or organisation: the former are based on
accidental deletion of files, the installation of incompatible computer technology and the second the organisation
components or infected, corrupting the basic software) using the system;
remains the leading cause of accidental loss of data. • A physical or logical: operation to protect against
physical devices. Attacks such as theft or physical
damage, and those who operate at the logical level, such
3.3 A Systematic Approach
as anti-virus software, protection of logic resources
logical attacks.
Management Information Security has turned out to be
difficult as organsiations may fail to have an inclusive,
systematic management approach [26]. In today’s economic, Figure 2: System Approach to Security
political, technological, and social environment, addressing
information security is a core responsibility. [25] Threfore,
managers must find solutions which sets a comprehensive
knowledge of their organization’s security posture. Because
of constraints such as a budget problem may prevent security
professionals to handle the security demands properly. [26]
They have to evaluate the security position of the
organisation to decide the effectiveness and efficiency of the
security implemented in the organization. [26]
Threats to our agency’s data and IT resources come from
within and from outside our agency. They may be manmade
or of natural causes. They may be intentional or accidental.
It seems natural to characterise an attack based on the
technique an intruder can use. Attackers have malevolent
intention and their aim is to exploit the vulnerabilities of a
system. [21] It is hard to model security features without any
description of the attackers and their threats to a system. [21]
A systematic approach can identify all system components,
both physical (computers, routers, cables) and logical (files)
then draw all possible attack techniques that are applicable
(see Figure 2). The result of this approach can be easily
summed up with components of possible attacks. A
systematic approach can make [24]:

• The security requirements of the organisation should be Source: http://www.emeraldinsight.com/fig/1570140607001.png

clearly identified and understood.
• A clear security policy and procedures should be
established and enforced
• A periodic security risk assessments and audits should be
conducted, as well as continuous monitoring of systems
to ensure that effective and efficient security policies and
procedures are properly implemented.
Intruders can exploit the inherent weaknesses of some
protocols and network software, or simply imprudent
operating system configurations. In some versions of X-
Window graphics system, for example, one can spy on
everything that user makes [1].
To minimise the likelihood of adverse events to occur it is
necessary to use a holistic approach where it sets in place a
strong countermeasure related to technology, the growing
interconnection between systems and, more importantly, the
increasing sophistication of deliberate attacks.
Besides the classification criterion, we can distinguish
between countermeasures [1]:
• Corrective or preventive measures: preventive-measures
A crucial aspect condition adhered to the security
procedures laid down is to effectively enforce it and make
the staff to be fully aware of its importance. [20] Effective
security is a team effort involving the participation and
support of every employee and affiliate who deal with
information and/or IS. It is the responsibility of every
computer user to know these guidelines, and to conduct
their activities accordingly [24].
There must be clearly defined roles and responsibilities
in a safe management system, and for each role, the
administrator must be a simple user defined rule of
conduct and specific procedures. [1, 20]
Ensure that all procedural aspects are understood and
implemented correctly, and where necessary staff made
aware and be trained. [1] The introduction of safety
procedures should also be justified and made acceptable
with a broad awareness.

International Journal of Research and Reviews in Computer Science (IJRRCS)
4. Data Protection Policy
To protect data in the system is always an overwhelming
task, particularly when there is the question with the budget
or overloading team [29]. There are four key areas to be
considered for the construction for a holistic approach to
system protection. Despite that the policy of using
individually might work, it best could be approachable all
together to get “an overall strategy whose whole is greater
than the sum of its parts” [29].
a. Complying with policies: Make sure that users are
adhering to the policies you put into place. o stay ahead of
these escalating threats, your organization needs a solution
that detects and defends against known threats—preventing
most from getting into your system in the first place—while
also being able to effectively detect, block and remotely
clean up emerging, unknown threats. Such comprehensive
performance will give your business the advantage it needs in
the battle against malware and external threats.
b. External threats and malware: Stop users from being
careless with data. Regulations regarding securing
confidential, personal data continue to grow more numerous
and more stringent. Retailers and healthcare providers are
now joined by virtually every other type of business that
handles customer information under the microscope of
regulatory compliance for data security. It’s one thing to have
all your policies neatly documented, but it’s an entirely
different thing to get people to comply. Deploying a
technology solution enables you to enforce policies and
monitor activity across your organization. This also helps you
to prove that you are taking appropriate action to protect the
sensitive and confidential data on your network.
c. Preventing data loss: An organization that has
successfully implemented a dedicated lost prevention
solution is an exception to the norm. Most businesses wrestle
with this issue and are unsure of the best way to attack the
problem. For the vast majority of organizations,
implementing a dedicated data lost prevention solution is like
using a sledgehammer to crack a nut. One potential
nightmare for an organization — and its IT manager — is a
user who sends an email with confidential data attached and
accidentally copies an unauthorized, external recipient. Once
he or she pushes the send button, that data is off to where it
shouldn’t go — unless your data lost prevention solution
features a gateway that can identify that the data in question
shouldn’t be sent to an external recipient and stops the
transfer before it is completed. That’s how easy it would be if
your anti-virus product could also manage your data lost
prevention needs.
d. Securing mobile data: Ensure that sensitive data can’t
be compromised if users lose devices, while still allowing
data to be exchanged among authorized users. Several
solutions, such as encryption, are available to protect data at
rest on the network. However, when data starts moving, it is
at a much greater risk of being compromised or lost, whether
it’s moving because someone is taking it off the network, or
because it’s on the laptop of an employee who is travelling.
142
Vol. 2, No. 1, March 2011
5. Conclusion
Information security is achieved by putting into practice an
appropriate set of controls. This includes policies, processes,
procedures, organizational structures and software and
hardware functions.[29] These controls need done in
conjunction with other business management objectives.
Information system security is often the subject of
descriptions as it is often compared to a chain of a system's
security level. It must be as strong as the security level of its
weakest link. [25] Defining a security policy is an important
prerequisite for all organisations on safety (likely scenario) to
be treated as consistent. One must first make a selection of
countermeasures to be taken actually.
An effective level of awareness is essential to an
information security program. The security plan puts in place
the ability of the system refer to existing security controls. It
also offers a comprehensive description of the information
system as it offers references to key documents supporting
the organisation’s information security program [23] some of
which, as quoted in [23] are: the configuration management
plan, contingency plan, incident response plan, security
awareness and training plan, rules of behavior, risk
assessment, security test and evaluation plan, system
interconnection agreements, security authorisations and
accreditations, and the plan of action with milestones.[23]
[23]
As one of the main uses of IS is to share information
between people, conventional operating systems typically
provide facilities for the exchange of information.
References
[1] Leonforte, Antonio, La Sicurezza nei Sistemi
Informativi,2009.
http://www.villaumbra.org/resources/Documenti/Region
e/sicurezza%20S.I.pdf, accessed on 29/02/2010.
[2] Gray, J.W., III; , "Information sharing in secure
systems," Computer Security Foundations Workshop
III, 1990 Proceedings , vol., no., pp.128-138, 12-14,
Jun 1990
[3] Qi Shi; McDermid, J.A.; Zhang, N.; , "On analysis of
secure information systems: a case study," Computer
Software and Applications Conference, 1994.
COMPSAC 94. Proceedings., Eighteenth Annual
International , vol., no., pp.364-369, 9-11 Nov 1994,
[4] Siponen, Mikko, Designing secure information systems
and software: Critical evaluation of the existing
approaches and a new paradigm, 2007.
http://herkules.oulu.fi/isbn9514267907/html/ accessed
12/01/2010.
[5] Siponen Mikko T., Secure-System Design Methods:
Evolution and Future Directions,
http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumb
er=1650155, IT Professional, IEEE, 05 July 2006, 8: 3,
pp. 40–44, accessed on 29/03/2010.
[6] Siponen, M.; Pahnila, S.; Mahmood, M.A.; ,
"Compliance with Information Security Policies: An

International Journal of Research and Reviews in Computer Science (IJRRCS)
Empirical Investigation," Computer , vol.43, no.2,
pp.64-71, Feb. 2010
[7] Backhouse J & Dhillon G, Structures of responsibilities
and security of information systems. European Journal
of Information Systems 5: 2-10, 1996.
[8] Barnes B H, Computer security research: a British
perspective. IEEE Software 15: 30-33, 1998.
[9] Parker D B, Computer security management, Prentice
Hall, Reston, USA, 1981.
[10] Sandhu R S, Lattice-based access controls. IEEE
Computer 26: 9-19.
[11] Sandhu R S & Samarati P, Access control: principle and
practice. IEEE Communications 32: 40-48, 1993, 1994.
[12] Baskerville R., The developmental duality of SIS.
Journal of Management Systems 4: 1-12, 1992.
[13] Baskerville R, SIS design methods: implications for
information systems development. ACM Computing
Surveys 25: 375-414, 1993.
[14] Dhillon G, Managing SIS. MacMillan Press LTD,
London, UK, 1997.
[15] [16] Dhillon G & Backhouse J, Current directions in IS
security research: toward socio- organizational
perspectives. Information Systems Journal 11: 129-156,
2001.
[16] Hirschheim R, Information systems epistemology: an
historical perspective. Proceedings of the IFIP WG 8.2.
Working Conference on Research methods in
information systems. Elsevier Science Publisher,
Amsterdam, 1985.
[17] Hirschheim R, Iivari J & Klein H K, A comparison of
five alternative approaches to information systems
development. Australian Journal of Information
Systems 5: 3-29, 1997.
[18] Röhm AW & Pernul G, COPS: A model and
infrastructure for secure and fair electronic markets.
Proceedings of the 32nd annual Hawaii International
Conference on Systems Sciences, Hawaii, 1999.
[19] Thomson ME & von Solms R, Information security
awareness: educating our users effectively. Information
Management and Computer Security 6: 167-173, 1998.
143
Vol. 2, No. 1, March 2011
[20] Okubo, T.; Taguchi, K.; Yoshioka, N.; Misuse Cases +
Assets + Security Goals, 2009. CSE '09. International
Conference on Computational Science and Engineering,
Volume: 3, 424 – 429, 2009.
[21] Mustaquim, M., Security Concern Throughout System
Development Life Cycle,
http://www.groundreport.com/Media_and_Tech/Securit
y-Concern-Throughout-System-Development-
Lif_18/2846835, 2007, accessed on 27/03/2010.
[22] Amer, S.H.; Humphries, J.W.; Hamilton, J.A., Jr.; ,
"Survey: security in the system development life cycle,"
Information Assurance Workshop, 2005. IAW '05.
Proceedings from the Sixth Annual IEEE SMC , vol.,
no., pp. 310- 316, 15-17 June 2005.
[23] InfoSec, Acceptable Use Policy,
http://csc.colstate.edu/summers/e-library/policy.html,
accessed on 10/042010.
[24] Kioskea, IT Security - Introduction to IT Security,
http://en.kioskea.net/contents/secu/secuintro.php3,
accessed on 15/03/2010.
[25] T Grobler and B Louwrens, New Information Security
Architecture, University of Johannesburg,
http://icsa.cs.up.ac.za/issa/2005/Proceedings/Research/0
46_Article.pdf , 2005, accessed on 10/04/2010.
[26] Tudor. Information Security architecture. (2001).
Auerbach.
[27] Rackspace, Securing an IT Infrastructure: A Decision
Maker’s Guide to Securing an IT Infrastructure, A
Rackspace White Paper , 2010
[28] Sophos, How to protect your critical information easily,
Sophos White Paper, 2006.
[29] ISO/IEC 17799:2005, Information technology -
Security techniques - Code of practice for information
security management,
http://www.iso.org/iso/support/faqs/faqs_widely_used_s
tandards/widely_used_standards_other/information_sec
urity.htm, 2005, accessed on 12/04/2010.