Malawi University of Science and Technology

Malawi Institute of Technology

Information Security

ISEC-210

Module Compiler
Allan Nila Chongwe – MSc. Computer Science, BSc. Information Technology

ISEC-210 Module Guide – A.N. Chongwe Page | 1

 Copyright

This material is a property of the Malawi University of Science and Technology

This material is not to be sold.

2021

All rights are reserved. No part of this publication may be reproduced, stored in a
retrieval system or transmitted in any form or by any means, electronic or
mechanical, including photocopying, recording or otherwise without copyright
clearance from Malawi University of Science and Technology.

Malawi University of Science and Technology,

P.O. Box 5196,
Limbe,
Malawi.
Tel: (265) 1 478 000
Fax: (265) 1 478 220
Email: registrar@must.ac.mw
Website: www.must.ac.mw

ISEC-210 Module Guide – A.N. Chongwe Page | 2

 Table of Contents

4.0 Introduction ..................................................................................................................................... 4

4.1 Intended Learning Outcomes ....................................................................................................... 4
4.2 Key Terms...................................................................................................................................... 4
4.3 What is Information Management? ................................................................................................... 5
4.4 Information Access ............................................................................................................................. 5
4.4.1 Identification and Authentication .................................................................................................... 6
4.4.2 Identification and Authentication Methods .................................................................................... 7
4.4.3 Authentication Factors..................................................................................................................... 9
4.5 Authorization .................................................................................................................................... 10
4.6 Ensuring Availability .......................................................................................................................... 11
4.7 Ensuring Accuracy ............................................................................................................................. 13
4.8 Ensuring Confidentiality .................................................................................................................... 15
Unit Summary ......................................................................................................................................... 17
Unit Activity............................................................................................................................................. 18
References .............................................................................................................................................. 19

ISEC-210 Module Guide – A.N. Chongwe Page | 3

 Unit 4
Information Management

4.0 Introduction

Welcome to Unit 4. In this Unit we will look at information

management in as far as information access is concerned. The three-
step security process of identify, authenticate, authorize is common in
our day-to-day lives. Within an effective access security framework,
these three stages work in tandem to keep the sensitive information
in IT systems and infrastructure safe. We will conclude with a look at
ensuring availability, accuracy, and confidentiality of information in
an organisation.

4.1 Intended Learning Outcomes

By the end of this unit, you should be able to:

a. Describe the information access security process.
b. Describe the common identification and authentication methods.
c. Describe the three (3) general authentication factors.
d. Describe how availability, accuracy and confidentiality can be
achieved.

4.2 Key Terms

During the course of this unit, you will find the following key words
or phrases. Watch out for these and make sure that you understand
what they mean.
 Access  Identification  Authentication
 Authorization

ISEC-210 Module Guide – A.N. Chongwe Page | 4

 4.3 What is Information Management?

Information Management is a discipline that involves the

organization, control, and governance of information within an
organization to support its business processes, operations, and
decision-making effectively. Information management is the process
of managing information throughout its lifecycle - from its
identification and collection to its disposal through archiving or
deletion. It encompasses all physical and electronic data collected by
an organisation from its customers, employees, vendors, clients, etc.
Information management (IM) involves several organizational
activities including the acquisition of information from one or more
sources, the custodianship, and the distribution of that information to
those who need it, and its ultimate disposal through archiving or
deletion.

4.4 Information Access

Information access is the ability to identify, retrieve, and use

information effectively. Access to information is vital to social,
political, and economic advancement. Traditionally, information has
been disseminated in a variety of formats that have been widely
accessible, often through public libraries. Many individuals also relied
on other people and the media for information. However, advances
in computer technology have revolutionized information access,
making vast stores of business, education, health, government, and
entertainment information accessible online. Despite technology's

ISEC-210 Module Guide – A.N. Chongwe Page | 5

 dramatic impact on the extent and availability of digital information,
many people do not have access to these resources.

People engaged in information seeking process have one or more

goals in mind. These goals can range from finding a new job to
keeping informed about a business competitor, from writing an article
to investigating an allegation of fraud. In information security,
information access entails that the people who are authorized to
access certain information are allowed to do so. Through other
technics, such as authorization and authentication, this information
must be restricted from access from unauthorized users.

4.4.1 Identification and Authentication

Identification is nothing more than claiming you are somebody or

something. You identify yourself when you speak to someone on the
phone that you do not know, and they ask you who they are speaking
to. When you say, “You are speaking to Benjamin”, you have just
identified yourself. In the digital world, identification is the ability to
uniquely identify a user of a system or an application that is running
on a system. Authentication, on the other hand, is the ability to prove
that a user or application is genuinely who that person or what that
application claims to be.

In the information security world, identification and authentication is

analogous to entering a username or user ID. For example, consider
a user who logs on to a system by entering a user ID and password.
The system uses the user ID to identify the user. Entering a password

ISEC-210 Module Guide – A.N. Chongwe Page | 6

 is a method for verifying that you are who you identified yourself as.
The system authenticates the user at the time of login by checking that
the supplied password is correct and matches the username or ID. You
can also authenticate via something you are. When you do this, you
first identify yourself and then submit a finger print, or a retina scan.
Once you have successfully authenticated, you have now done two
things: you have claimed to be someone, and you have proven that
you are that person you claimed to be. What is remaining now is for
the system or the authority to determine what you are allowed to do
next.

4.4.2 Identification and Authentication Methods

There are several identification and authentication methods in

information security. We will discuss the most common of these next:

i. User Id – this is the most standard form of identification and is

used most often by organizations as a mode of identification to
distinguish a user amongst others. Whenever user supplies user
id during identification process, the user is telling the system
that it wants to be recognized by that user id and after that the
process of authenticating the user, granting appropriate
resources to user starts.
ii. MAC address – All computers have a 48-bit number assigned
called a media access control (MAC) address to identify
themselves uniquely. Earlier, MAC address was embedded into
the hardware of the device and could not be changed by the
end user. Thus, it was a safe Identifier but nowadays most of

ISEC-210 Module Guide – A.N. Chongwe Page | 7

 the network devices have the MAC installed into the software
and thus can be changed by the user. So, it is not considered
now to be that unique and secure identification
iii. IP address – MAC address helps in identifying the physical
location of a computer whereas an IP address would help in
identifying the logical location of a system. IP addresses are
assigned to all systems using the TCP/IP network protocol.
Different systems in different subnets can have the same IP
address, but it must be unique in the device’s same subnet.
Again, an IP address can be easily changed by the user making
it not a strong identifier.
iv. Personal Identification Number (PIN) – PIN is given to the user
to authenticate whether the user has the right to perform any
action on an identity. It is most common in banking
transactions and is the second common form of user
authentication.
v. Identification Badges – Identification can not only be logical
but can also be physical. Thus organizations must have some
badges to identify their employees since the badge is supposed
to hold the username with their photo. It is made to deter any
possible activity that can arouse from a non-employee at the
very entry point within an organization. Although it seems to
be an efficient identification method, it is most often not
properly used by the employees and security guards also make
mistakes while comparing a person to that in the badge photo.

ISEC-210 Module Guide – A.N. Chongwe Page | 8

 There are some important things that organizations must ensure
before creating identities. For instance, identities should not reveal
too much information about the user. Again, identities should be
unique and must be used with multiple additional security controls to
verify the identity.

4.4.3 Authentication Factors

The following three general factors are used in authentication:

 Something a person knows – Something a person knows can be

a password, PIN, mother’s maiden name, or combination to a
lock. Authenticating a person by something that he or she
knows is usually the least expensive to implement. The
downside to this method is that another person may acquire
this knowledge and gain unauthorized access to a system or
facility.
 Something a person has – Something a person has can be a key,
swipe card, access card, or badge. This method is common for
accessing facilities, but could also be used to access sensitive
areas or to authenticate systems. A downside to this method is
that the item can be lost or stolen, which could result in
unauthorized access.
 Something a person is – This is also called biometric
authentication which is a form of authentication with a focus
on physical characteristics of a person such as fingerprint, hand
geometry, or iris pattern. The downside of this is that
biometrics requires specialized and expensive readers to

ISEC-210 Module Guide – A.N. Chongwe Page | 9

 capture the biometric data, making widespread deployment
difficult. Again it also suffers from the problems of replay and
tampering. Thus, an attacker capturing the data input and
replaying it at a later time, or creating false biometric profiles
to trick the system into accepting an imposter.

Two factor authentication and biometrics are strong authentication

methods. Unlike username and id which can be misused, these types
of strong authentication are beneficial for high level security. Two-
factor authentication involves the use of an item from the
authentication factors. For example information that the user knows,
such as a user id and password or something that the user is e.g.
biometrics. Biometrics verifies an individual’s identity by analyzing a
unique personal attribute or behavior, which is one of the most
effective and accurate methods of verifying identification.

Since single factor authentication can be defeated, multi-factor

authentication is used. Multi-factor authentication covers
combination of two or more authentication factors. For example,
banking systems use 2-factor authentication for transactions in the
form of username-password (something the user knows) and grid
information printed on the debit card back side or CVV (something
the user has).

4.5 Authorization

Authorization is the final step in the access security process that

determines what happens if a user or an application is successfully
authenticated. It allocates appropriate controls and privileges based

ISEC-210 Module Guide – A.N. Chongwe Page | 10

 on the identity in the system. This is where in big organizations users
are divided into roles and groups to manage access smoothly. So,
authorization is the process of defining what resources a user needs
and type of access to those resources. The types of resources could be
information or data, computer systems, the network, etc. while the
type of access to those resources could be read, write and execute or
a combination of these.

Some organisations ensure that only authorized users can access

sensitive resources at the right times. In the digital world, IT admins
can manage users and target systems, then set up authorization rules
and conditions to automatically grant or deny access to critical
resources. They can also monitor and record privileged users’ actions
within a session for audit purposes or to terminate any suspicious
activity in real time.

4.6 Ensuring Availability

Availability enables authorized users – persons or computer systems –

to access information without interference or obstruction and to
receive it in the required format. Consider, for example, libraries that
require identification before entrance. Librarians protect the contents
of the library so that they are available only to authorized persons.
The librarian must accept a person’s identification before that person
can be granted access to the book stacks. Once authorized patrons
have access to the contents of the stacks, they expect to find the
information they need available in a useable format and familiar
language, which in this case typically means bound in a book and

ISEC-210 Module Guide – A.N. Chongwe Page | 11

 written in their preferred language. The same applies in the digital
world. An authorized user, after successfully being identified and
authenticated, expects to have access to the information or resources,
e.g. computer systems, when he or she needs it and in a proper or
usable format.
Data or information in computer system must be stored securely and
made available to users when they need it. Several factors such as
infrastructure failure, malicious activity e.g. a DoS or a ransomware
attack, or poor or inconsistent data can compromise the availability
of information or resources. The following measures can be used to
mitigate threats to data or resource availability;

i. Backup - a backup is a copy of data or information that is stored

elsewhere so it can be recovered in the event that the original
copy is not available. The backup can be stored onsite or offsite.
ii. Disaster recovery - a strategy that enables an organization to
maintain or quickly resume mission-critical functions following
a disruption.
iii. Redundancy - data or infrastructure redundancy allows your
data or infrastructure to remain in service by providing
alternative paths or backup equipment in the event of a failure.
iv. Failover - this is a backup operational mode in which the
functions of a system component are assumed by a secondary
component when the primary component becomes
unavailable – either through failure or scheduled down time.

ISEC-210 Module Guide – A.N. Chongwe Page | 12

 v. Proper monitoring - observing, collecting and analysing
information and systems to detect suspicious behavior or
undesirable trends.

4.7 Ensuring Accuracy

Information has accuracy when it is free from mistakes or errors and

it has the value that the end user expects. If information has been
intentionally or unintentionally modified, it is no longer accurate.
Consider, for example, a bank account. You assume that the
information contained in your bank account is an accurate
representation of your finances. Incorrect information in your bank
account can result from external or internal errors. If a bank teller, for
instance, mistakenly adds or subtracts too much from your account,
the value of the information is changed. Inaccurate bank balance
could cause you to make mistakes, such as bouncing a check. Consider
having inaccurate data in your SARIS or MOODLE account such as
wrong grades, year of study, etc.

If the data remains in the appropriate format, tampering can be less

evident than theft, although the value of the data can be seriously
affected. Organisations must consider not only the integrity of data in
databases and applications, but also of data that has been backed up
for use in disaster recovery and sometimes the applications used to
capture and process the information. Again, the integrity of data
while in transit is also of paramount importance. An organisation that
is not sure of the integrity of its data cannot be sure that critical
operations are being carried out properly, that correct decisions are

ISEC-210 Module Guide – A.N. Chongwe Page | 13

 made, or that the appropriate goods and services are delivered to
customers and received from suppliers.

This can have a direct business impact, resulting in mistakes and missed
opportunities, wasted money and lost income, not to mention
lawsuits. But beyond these immediate losses are the broader problems
of public confidence and brand reputation. A company that does not
effectively serve its market can lose the confidence of its customers,
resulting in long-term damage to its brand.

A powerful tool in ensuring data integrity is hashing – using a

cryptographic algorithm to reduce a file or data element to a short
string of numbers called a hash or a message digest. When it is done
properly, the resulting message digest is unique to the piece of
information being hashed, so any change in the data will produce a
completely different digest. A comparison of digests from a Secure
Hash Algorithm (SHA) will immediately indicate any change in the
data.

Basic additional information security practices, including encryption,

monitoring and access control, also can help to ensure the integrity of
data in your systems.

Encrypting data at rest and in transit makes it less susceptible to

alterations. It would be difficult if not impossible for an unauthorized
person to modify cipher-text in a way that would not be readily
apparent when decrypted. Appropriate access control policy and
enforcement can help to keep adversaries away from the data, and

ISEC-210 Module Guide – A.N. Chongwe Page | 14

 network monitoring can identify suspicious activity as it happens, and
provide a trail if a breach is detected.

4.8 Ensuring Confidentiality

Information has confidentiality when it is protected from disclosure

or exposure to unauthorized individuals or systems. Confidentiality
ensures that only those with the rights and privileges to access
information are able to do so. When unauthorized individuals or
systems can view information, confidentiality is breached.

The value of confidentiality of information is especially high when it

is personal information about employees, customers, or patients.
Individuals who transact with an organization expect that their
personal information will remain confidential, whether the
organization is state owned or private. Problems arise when
organizations disclose confidential information. Sometimes this
disclosure is intentional, but there are times when disclosure of
confidential information happens by mistake – for example, when
confidential information is mistakenly e-mailed to someone outside
the organization rather than to someone within the organization.

Other examples of confidentiality breaches are an employee throwing

away a document containing critical information without shredding
it or forwarding an internal memo to non-members of staff or sharing
it on social media, or a hacker who successfully breaks into an internal
database of an organization and steals sensitive information about the
clients, such as names, addresses, and credit card numbers. With

ISEC-210 Module Guide – A.N. Chongwe Page | 15

 SARIS, a confidentiality breach can occur if one student is able to
access other students' confidential information such as grades.

As a consumer, you give up pieces of confidential information in

exchange for convenience or value almost daily. When you fill out an
online survey, you exchange pieces of your personal history for access
to online privileges. The bits and pieces of your information that you
disclose are copied, sold, replicated, distributed, and eventually
coalesced into profiles and even complete dossiers of yourself and
your life. A similar technique is used in a criminal enterprise called
salami theft. A deli worker knows he or she cannot steal an entire
salami, but a few slices here or there can be taken home without
notice. Eventually the deli worker has stolen a whole salami. In
information security, salami theft occurs when an employee steals a
few pieces of information at a time, knowing that taking more would
be noticed – but eventually the employee gets something complete
or useable without authorization.

To protect the confidentiality of information, you can use a number

of measures, including the following:

i. Information classification
ii. Secure document storage
iii. Application of general security policies
iv. Education of information custodians and end users.

ISEC-210 Module Guide – A.N. Chongwe Page | 16

 Unit Summary

In this Unit, we looked at information management in as far access is

concerned. We took at the three-step security process of
identification, authentication and authorization that is paramount in
information security. We concluded this unit with a look at different
measures that are used in order to ensure that the accuracy,
availability and confidentiality of information is achieved in an
organisation.

ISEC-210 Module Guide – A.N. Chongwe Page | 17

 Unit Activity

1. Describe the three stages in the information security access

process.
2. In your own understanding give at least one example of an
event that can lead to:
a. Confidentiality breach,
b. Inaccurate information,
c. Unavailability
3. Describe any four (4) identification and authentication
methods.
4. Discuss how we can ensure the following in an organisation
a. Confidentiality
b. Accuracy
c. Availability

ISEC-210 Module Guide – A.N. Chongwe Page | 18

 References

1. Whitman, M.E., Mattord, H.J. (2012). Principles of

information security (4th ed.). Boston: Thomson Educational.
2. Chapple, M., Stewart, J. M., & Gibson, D. (2018). (ISC) 2
CISSP Certified Information Systems Security Professional
Official Study Guide. John Wiley & Sons.
3. Sivathanu, G., Wright, C. P., & Zadok, E. (2005, November).
Ensuring data integrity in storage: Techniques and
applications. In Proceedings of the 2005 ACM workshop on
Storage security and survivability (pp. 26-36).
4. The CyberArk. Worrall, J. (2016). Cyber Security: Don’t
Ignore Data Integrity. Accessed from
https://www.cyberark.com/resources/blog/cyber-security-don-
t-ignore-data-integrity

ISEC-210 Module Guide – A.N. Chongwe Page | 19

ISEC-210 Module Guide – A.N. Chongwe Page | 20