
IMPORTANCE OF INFORMATION SYSTEM SECURITY

Group Assignment 1
10/12/2010

INFORMATION SYSTEM SECURITY
• The goals of ISS are to protect our information and information systems.
• Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction (Wikipedia).
• It also ensures that information systems are available to their users.
• This means that a secure information system maintains confidentiality, integrity, and availability.

GOALS OF AN INFORMATION SECURITY PROGRAM
• Confidentiality
  • Prevent the disclosure of sensitive information to unauthorized people, resources, and processes
• Integrity
  • The protection of system information or processes from intentional or accidental modification
• Availability
  • The assurance that systems and data are accessible by authorized users when needed

CONFIDENTIALITY
• Confidentiality of information ensures that only those with sufficient privileges may access certain information.
• To protect confidentiality of information, a number of measures may be used, including:
  • Information classification
  • Secure document storage
  • Application of general security policies
  • Education of information custodians and end users

INTEGRITY
• Integrity is the quality or state of information being whole, complete, and uncorrupted.
• The integrity of information is threatened when it is exposed to corruption, damage, destruction, or other disruption of its authentic state.
• Corruption can occur while information is being compiled, stored, or transmitted.

AVAILABILITY
• Availability is making information accessible to users, in the required format, without interference or obstruction.
• A user in this definition may be either a person or another computer system.
• Availability means availability to authorized users.

INFORMATION SECURITY MODEL
[Figure: information security model with three dimensions. Information States: Processing, Storage, Transmission. Information Security Properties: Confidentiality, Integrity, Availability. Security Measures: Policy and Procedures; Technology; Education, Training, and Awareness.]

ISS ATTACKS
• Structured attack
  • Comes from hackers who are more highly motivated and technically competent.
  • These people know system vulnerabilities and can understand and develop exploit code and scripts.
  • They understand, develop, and use sophisticated hacking techniques to penetrate unsuspecting businesses.
  • These groups are often involved with the major fraud and theft cases reported to law enforcement agencies.

• Unstructured attack
  • Consists mostly of inexperienced individuals using easily available hacking tools such as shell scripts and password crackers.
  • Even unstructured threats that are executed only with the intent of testing and challenging a hacker’s skills can still do serious damage to a company.

• External attack
  • Initiated by individuals or groups working outside of a company.
  • They do not have authorized access to the computer systems or network.
  • They gather information in order to work their way into a network, mainly from the Internet or dial-up access servers.

• Internal attack
  • More common and dangerous.
  • Internal attacks are initiated by someone who has authorized access to the network.
  • According to the FBI, internal access and misuse account for 60 to 80 percent of reported incidents.
  • These attacks often are traced to disgruntled employees.

• Passive attack
  • Listening for system passwords
  • Release of message content
  • Traffic analysis
  • Data capturing

• Active attack
  • Attempt to log into someone else’s account
  • Wire taps
  • Denial of service
  • Masquerading
  • Message modification

• So, how do we save our INFORMATION?

INFORMATION SYSTEM SECURITY

Next: Importance of ISS

WHY DO WE NEED ISS?
• In the past, computers were standalone systems that were relatively easy to protect. Now computers are connected to global networks. Because of the interconnected nature of our information systems, a risk to one is a risk to all.
• Because it enables us to:
  • Protect data that is required to be protected under the Privacy Act. Over 80% of data is privacy protected.
  • Protect the processes and corporate assets against damage or unauthorized use.
  • Provide for continuity of services. A disruption of services affects the interests of beneficiaries and providers.
  • Provide accessibility of information. We need to ensure that customers and beneficiaries have prompt access to the information they need.

CONTINUED…
• AND...
  • It is a prudent business practice to reduce risks to systems.
  • It is also less costly (and less embarrassing) if we take a proactive approach to security and “prevent, deter, and detect” as opposed to “correct and recover.”

IMPORTANCE OF ISS
• INFORMATION has a value.
  • E-Governance
  • E-Business
  • E-Money
• Technology can be used by people in harmful and dangerous ways to retrieve information.
• Information can be:
  • Changed
  • Blocked from end users
  • Destroyed
  • Misused
  by unauthorized people.

• Develop and implement standards and procedures to prevent and detect criminal conduct
• Assign responsibility and ensure adequate resources at all levels, and authority for the program
• Perform personnel screening as applicable (in accordance with laws, regulations, and labor union requirements) and as related to program goals and the responsibilities of the staff involved
• Ensure adequate and effective awareness and training at all levels of the organization
• Ensure auditing, monitoring, and evaluating activities occur to verify program effectiveness
• Implement internal reporting systems that ensure non-retaliatory reaction
• Provide incentives and enforce discipline to promote compliance
• Consistently take reasonable steps to respond to violations and prevent similar violations from occurring

• It is the responsibility of each component executive to ensure information resources are adequately protected.
• Highly confidential information can be accessible by unauthorized people.
• To prevent password sharing and leaving unattended computers logged into the system.
• Information reaching the wrong hands can have consequences for society.
• Attackers can be everywhere in a network.

• If we start implementing strong security now, we start experiencing the benefits of a secure site and trusting consumers.
• An information leak within the company can cause failure
• The trust and belief that companies are dedicated to providing information security is the only thing that keeps digital commerce running.

WITHOUT PROPER ISS
• Customer complaints
• Competitor messages and internal messages related to competitors
• Customer satisfaction levels with your organization's security and privacy practices
• Providing for customers with special needs and requests
• Number of legal noncompliance reports regarding security and privacy
• Perceived strength of posted security and privacy policies
• Marketing through what is considered as spam
• Number of staff grievances

EXAMPLES
• What happens when enough stories about security problems come to the forefront of public knowledge?
• How much trust did TJX lose over their incident?
• What would happen if other huge online stores suffered such a breach?
• How long would it take to rebuild that trust?
• Will consumers ever believe that you place a priority on information security and trust you with their sensitive information again?
