Chapter 2 Fundamentals of IS Security

Chapter 2
Fundamentals of
Information Systems Security
Objectives
● Understand fundamental concepts of Security

● Be able to analyze the principles of information Systems
security.
● Be able to analyze the types of security controls.
● Understand what Policies, Standards and Procedures are
● Understand How to Plan , design, Implement and
Administer Secured Systems
● Explain Information Systems Security Program
Assessment Metrics
10/10/2023 Chapter 2 Fundamentals of Information Systems Security 2
IS Security Fundamentals
● Information Security is a Process

○ Bruce Schneier, one of the world’s well-known experts on
security, once wrote that “security is a process, not a
product.”
○ Indeed, with all the changing variables and players, security
is a never-ending evolutionary process, wherein defenses
change in response to new threats and new threats emerge
with the introduction of new systems and defenses.

Principles of Information Security
● Information security deals with three basic

issues: the confidentiality, integrity, and
availability of information.
● All of the principles, standards, and mechanisms you
will encounter are dedicated to these three abstract
but fundamental goals of Security, also referred to
as the C-I-A triad or information security triad.

Principles Cont’d…
● The following are some of the major principles of Information Security

○ Principles of least privilege,
○ Defense in Depth
○ Minimization
○ Compartmentalization.
○ Keep Things Simple
○ Fail Securely
○ Cost-Benefit Analysis
○ Secure the weakest link
Least Privilege
● The principle of least privilege stipulates, “Do not give any more
privileges than absolutely necessary to do the required job”.
● The principle of least privilege is a preventive control, because it
reduces the number of privileges that may be potentially abused
and therefore limits the potential damage.
● Examples
○ Giving users read only access to shared files if that’s what they
need, and making sure write access is disabled
○ Not allowing help desk staff to create or delete user accounts if all
that they may have to do is to reset a password
○ Not allowing software developers to move software from
development servers to production servers
Defense in depth
● The principle of defense in depth is about having more than one layer or
type of defense. The reasoning behind this principle is that any one layer
or type of defense may be breached, no matter how strong and reliable
you think it is.
● But two or more layers are much more difficult to breach.
● Defense in depth works best when you combine two or more different
types of defense mechanisms—such as using a firewall between the
Internet and your LAN, plus the IP Security Architecture (IPSEC) to encrypt
all sensitive traffic on the LAN.
● In this scenario, even if your firewall is compromised, the attackers still
have to break IP Security to get to your data flowing across the LAN.
Minimization
● The minimization principle is similar to the least privilege principle

and mostly applies to system configuration instead of the user
privileges.
● The minimization principle says “do not run any software,
applications, or services that are not strictly required to do the
entrusted job.”
● To illustrate, a computer whose only function is to serve as an e-mail
server should have only e-mail server software installed and enabled.
● All other services and protocols should either be disabled or not
installed at all to eliminate any possibility of compromise or misuse.

Compartmentalization
● Compartmentalization, or the use of compartments (also known as

zones, jails, sandboxes, and virtual areas), is a principle that limits
the damage and protects other compartments when software in
one compartment has malfunctioned or compromised.
● Applications run in different compartments are isolated from each
other.
● In such a setup, the compromise of web server software, for
example, does not take down or affect e-mail server software
running on the same system but in a separate compartment.
○ From the Concept of Compartments in large Ships

Keep things simple
● Complexity is the worst enemy of security. Complex

systems are inherently more insecure because they are
difficult to design, implement, test, and secure.
● The more complex a system is, the less assurance we
may have that it will function as expected.
● Security doesn’t work by obscurity(hiding).

Fail Securely
● Although fail securely may sound like an oxymoron, it isn’t. Failing

securely means that if a security measure or control has failed for
whatever reason, the system should not be rendered to an insecure
state.
● For example, when a firewall fails, it should default to a “deny all” rule,
not a “permit all.”
● However, fail securely does not mean “close everything” in all cases; if
we are talking about a computer-controlled building access control
system, for example, in case of a fire it should default to “open doors”
to help trapped in humans get out of the building.
● Main Objective is to secure even when in a failed state.
Cost-Benefit Analysis
● Although not strictly a principle, the cost-benefit analysis is a

must when considering implementation of any security
measure.
● It says that the overall benefits received from a particular
security control or mechanism should clearly exceed its total
costs; i.e The value of the Information protected should be
more than the cost we incur to protect it; otherwise,
implementing the security control would make no sense.
● This may sound like simple common sense, and it probably is;
nevertheless, this is an important and often overlooked
concern
Secure the Weakest link
● For people new to information security, many information

security principles and approaches may sound like a little
more than common sense.
● Although that may well be the case, it doesn’t help us much,
because very often we still fail to act with common sense.
● The principle of securing the weakest link is one such case:
look around and you will likely see a situation in which instead
of securing the weakest link, whatever it may be, resources
are spent on reinforcing the already adequate defenses.
Types of IS Security Controls
● Central to information security is the concept of controls, which may
be categorized
● By their functionality
○ Preventive, Detective, Corrective, Deterrent, Recovery, and

Compensating, in this order
● By the Plan of application
○ Physical: Controls that are physically present in the “real world”
○ Administrative: Controls defined and enforced by management
○ Logical/Technical: Technology controls performed by machines
○ Operational: Controls that are performed in person by people
○ Virtual: Controls that are triggered dynamically when certain

10/10/2023 Chapter 2 Fundamentals of Information Systems Security
circumstances arise. 14
Examples of Security Controls ….
Physical Administrative Logical/Technical Operational Virtual
Preventative Locks Separation Firewalls, Intrusion Guards on station Dynamic

&Rotation of Prevention System access lists
duties, (IPS),Authentication
Security Procedures
Detective Cameras Intrusion Detection System Guards patrolling
(IDS),
Logging,
Security Information and
Event Management (SIEM),
cryptographic checksums,
Deterrent Signs, Security policies Warning messages Visible guards and Dynamic
barbed wire cameras pop-up
warnings
Corrective HR penalties Redundancy
Recovery Backups, data replication Disaster recovery plans
Compensative Manual processes

Types of Controls by Functionality- Preventive
○Preventive controls try to prevent security

violations and enforce access control
● Like other controls, preventive controls may be
physical, administrative, or technical: doors, security
procedures, and authentication requirements are
examples of physical, administrative, and technical
preventive controls, respectively.
Types of Controls -Detective
● Detective controls are in place to detect security

violations and alert the defenders. They come into play
when preventive controls have failed or have been
circumvented and these controls are no less crucial
than preventive controls.
● Detective controls include cryptographic checksums,
file integrity checkers, audit trails and logs, and similar
mechanisms.But, how do you know if you are being
passively attacked? say by a spyware.
Types of Controls -Corrective
● Corrective controls try to correct the situation after

a security violation has occurred. Although a
violation has occurred, not all is lost, so it makes
sense to try and fix the situation.
● Corrective controls vary widely, depending on the
area being targeted, and they may be technical or
administrative in nature.
○ What will you do if you lost a key to your Data center?
Types of Controls - Deterrent
● Deterrent controls are intended to discourage
potential attackers and send the message that it
is better not to attack, but even if you decide to
attack we are able to defend ourselves.
● Examples of deterrent controls include notices
of monitoring and logging as well as the visible
practice of sound information security
management.
Types of Controls-Recovery
● Recovery controls are somewhat like corrective
controls, but they are applied in more serious
situations to recover from security violations and
restore information and information processing
resources.
● Recovery controls may include disaster recovery
and business continuity mechanisms, data
backup systems and, emergency key
management arrangements … etc.
○ Eg Cockpit Lockouts –this caused fatal accident in France
Air
Types of Controls- Compensating
● Compensating controls are intended to be

alternative arrangements for other controls
● Used when the original controls have failed or
cannot be used.
● When a second set of controls address the same
threats that are addressed by another set of
controls, the second set of controls are
compensating controls
Access Control Models
● Logical access control models are the abstract foundations upon

which actual computer based access control mechanisms and
systems are built. Access control is among the most important
Concepts in Computer Security. (as is policy in Information Security).
● Access control models define how computers enforce
access of subjects (such as users, other computers,
applications, and so on) to objects (such as
computers, files, directories, applications, servers,
printers, and devices).
Types of Access Control Models
● Four main access control models exist:

○ The Discretionary access control model(DAC).
○ The Mandatory Access Control Model(MAC).
○ The Role-based Access Control Model(RBAC).
○ The Rule-based Role-Based Access Control
Model (RB-RBACK).

Discretionary Access Control (DAC)
● The discretionary access control model is the most widely used of the
three models.
● Controls access based on the identity of the requestor and on
access rules (authorizations) stating what requestors are (or are not)
allowed to do.
● In the DAC model, the owner (creator) of information (file or directory)
has the discretion to decide about and set access control restrictions
on the object in question.
● The ability to share resources in a peer-to-peer configuration allows
users to control and possibly provide access to information or resources
at their disposal.
Mandatory Access Control
● Mandatory access control, as its name suggests, takes a stricter approach to
access control.
● Controls access based on comparing security labels (which indicate how
sensitive or critical system resources are- classification levels) with security
clearance levels (which indicate which system entities are eligible to access
certain resources)
● Users have little or no discretion as to what access permissions they can
set on their information.
● MAC-based systems use data classification levels (such as public, confidential,
secret, and top secret) and security clearance levels corresponding to data
classification levels to decide what access control restrictions to enforce
● This Model works in accordance with the system wide security policy set
by the system administrator.
● Data has a classification Level and Users have a Clearance Level.
Role-Based Access Control (RBAC)
● Controls access based on the roles that users have within the system and on
rules stating what accesses are allowed to users in a given role.
● In the role-based access control model, rights and permissions are assigned to
roles instead of individual users.
○ This added layer of abstraction permits easier and more flexible

administration and enforcement of access controls.
● For example, access to marketing files may be restricted to the marketing
manager role only, and users Solomon, David, and Ali may be assigned the role of
marketing manager.
○ Later, when a users moves from the marketing department to elsewhere, it
is enough to revoke his role of marketing manager; no other changes would
be required.
● When you apply this approach to an organization with thousands of employees
and hundreds of roles, you can see the added security and convenience of using
RBAC.
Rule-Based Access Control (RB-RBAC)
● Rule Based Access Control, also with the acronym RBAC or RB-
RBAC.
● Rule Based Access Control will dynamically assign roles to users
based on criteria defined by the custodian or system administrator.
● For example, if someone is only allowed access to files during
certain hours of the day, Rule Based Access Control would be the
tool of choice.
● The additional “rules” of Rule Based Access Control requiring
implementation may need to be “programmed” into the network
by the custodian or system administrator in the form of code
versus “checking the box.”

Centralized vs. Decentralized Access Control
● Further distinction should be made between centralized

and decentralized (distributed) access control models.
● In environments with centralized access control, a single,
central entity makes access control decisions and
manages the access control system;
● Whereas in distributed access control environments, these
decisions are made and enforced in a decentralized
manner. ( with multiple access control monitoring
servers)
IS Security: Policies, Standards and Procedures
● A policy is a high-level statement of enterprise beliefs,

goals and the general means for their attainment
● Standards are mandatory requirements that support
individual policies
● Procedures are mandatory step-by-step, detailed
actions required to complete a task successfully.
● Guidelines are similar to standards but are not
mandatory.

Policy
● Driven by business objectives and convey the

amount of risk senior management is willing to
accept.
● Easily accessible and understood by the intended
reader
● Created with the intent to be in place for several
years and regularly reviewed with approved
changes made as needed.
Standards
● Used to indicate expected user behavior.

○ For example, a consistent company email signature.
● Might specify what hardware and software solutions are
available and supported.
● Compulsory and must be enforced to be effective. (This also
applies to policies!)
○ Standards refer to mandatory activities, actions, rules, or regulations.
○ Standards can give directions on how a policy is supported and
reinforced

Procedures
● Often act as the “cookbook” for staff to consult to

accomplish a repeatable process.
● Detailed enough and yet not too difficult that only
a small group (or a single person) will understand.
● Installing operating systems, performing a system
backup, granting access rights to a system and
setting up new user accounts are all example of
procedures
Guidelines Vs Best Practices Vs Baselines
● Guidelines are recommendations to users when specific standards do
not apply.
● Best Practices: When there are no specific procedures / guidelines to use,
organizations can use Industry Best Practice, which are security efforts that
are among the best in the industry, balancing the need for access to
information with adequate protection.
● Baselines: A baseline can refer to a point in time that is used as a
comparison for future changes and results in a consistent reference point.
○ Baselines are also used to define the minimum level of protection that is required
○ Once risks have been mitigated, and security put in place, a baseline is formally
reviewed and agreed upon, after which all further comparisons and development
are measured against it

Policy and Procedure Cont’d…
The objective of an information security is to protect the integrity,

confidentiality and availability of the information
An information protection program should be part of an overall asset
protection program
Information security policies, standards and procedures enable
organizations to
 Ensure that their security policies are properly addressed
 Every employee knows what s/he needs to do to insure the information
security of the company
 Similar response is given for every problem- Consistency in handling an
issue.
Policy, Standards and procedures…..

The linkage-putting it altogether – with an Example
● A policy might state that access to confidential data must be

audited.
● A supporting guideline(Standards) could further explain that
audits should contain sufficient information to allow for
reconciliation with prior reviews. May also indicate
acceptable/supported logging technologies
● Supporting procedures would outline the necessary steps to
configure, implement, and maintain this type of auditing.
● Policies are strategic(long term) while standards, guidelines and
procedures are tactical(medium term).
Developing policies: A good policy should
Be Easy to understand (By all people who will have to read the policy)
Be Applicable (Don’t copy others’ policy word by word since it may not be applicable to you)
Be Do-able (The restrictions should not stop work!)
Be Enforceable (If it cannot be enforced, it will probably remain on paper)
Be Phased in (Organizations need time to digest policy)
Be Proactive (Say “what is allowed” rather than “what is not allowed”)
○ Organizations think:
■ Anything that is not permitted is prohibited
○ User think:
■ Anything that is not prohibited is permitted

A Good Policy Cont’d…
Avoid absolutism (Be diplomatic)

Meet business objectives
 Must balance Access and Security.
 Should lower the security risks to a level acceptable by the organization
without hampering the work of the organization to an unacceptable level

Types of Policies (based on the purposes they serve)
Regulatory: This type of policy ensures that the organization is

following standards set by specific industry regulations
Advisory: This type of policy strongly advises employees
regarding which types of behaviors and activities should and
should not take place within the organization
Informative: This type of policy informs employees of certain
topics. It is not an enforceable policy, rather one to teach
individuals about specific issues relevant to the company.

Developing security policies: There are three types (Tiers) of
security policies - layers
Global policies (Tier 1)

 Used to create the organization’s overall vision and direction
 An enterprise information security policy (EISP)
Topic specific policies (Tier 2)
 Address particular subject of concern
 The issue-specific security policy, or ISSP
 Ex. Antivirus, E-mail, Webserver….
Application-specific policies (Tier 3)

 Decisions taken by management to control particular applications
 System-specific security policies (SysSPs)
 Ex. Accounting system, HR System , Supply Chain Management System… etc.
Information Classification Policy- an Example
Why classify?
 Among the information available in the enterprise there are (approx.)
 10% confidential information
 80% internal use information
 10% public information
 It would be a big waste of resources to give the same level of security for
all the information we have
 You don’t put everything you own in a safe place!
What is a confidential information

 Information, if disclosed, could
 Violate privacy of individuals
 Reduce company’s competitive advantage
 Cause damage to the organization
Information Classification cont’d…
Many organizations classify information into different

classes of security
 Part of the asset classification policy
An information or asset classification process is a

business decision process
Examples of Information Classification
 Top Secret, Confidential, Restricted, Internal Use, Public
 Company confidential Red, Company confidential Yellow,
Company confidential Green, Company Public
Information Classification cont’d…
How to develop classification levels (standards)

 Discuss with other organizations’ specialists and learn from their
experiences
 Discuss with the management of your organization
 Prepare a draft and discuss it with the management
 Avoid the temptation of having too many levels
The information classification policy

 Defines the department’s policy with regards to
classification, declassification and reclassification of information
Developing standards
Standards define what is to be accomplished in specific terms
insure some quality of

Every industry has standards that try to
product or service, or enable interoperability
Many Industry Standards have information security issues
 Ex. Banking, Healthcare
Some of the standards become national regulations and organizations will
have to follow that(National Standards)
Organizations can also develop their own standards (enterprise standards)
Standards are easier to update than global policies
Standards have to be reviewed regularly (every year for example)

Developing standards cont’d…
Standards must be
 Reasonable
 Flexible
 Current
 Practical
 Applicable
 Reviewed regularly
Standards should enable the enterprise to fulfill its

business objectives while minimizing the security risks
Developing Procedures
Developing a procedure should be faster than developing a policy since it does not need
to be approved by management
The best way to write a procedure is to use a technical writer (different from the subject
matter expert – SME)
Procedure writing process (what is procedure ?)
 Interview with the SME
 Preparation of a draft
 Review of the draft by the SME
 Update of the procedures based on the comments
 Final review by SME
 Update of the procedures based on the comments
 Testing of the procedures
 Publishing of the procedures
The procedures should also be reviewed regularly
How about Practices?, How do they help in security? What does “Best Practices” mean?
Security Education, Training, and Awareness (SETA) program
The Defined Policies, Standards and Procedures will not serve the
purpose if not communicated to the people (an important component in
IS)
Generally, a Security Education, Training, and Awareness (SETA) program
is desirable in an organization. SETA program includes:
 Security Education is a long-term insight as to why security is
important.
 Security Training is a midrange plan to transfer knowledge and skill of
how security can be achieved.
 Security Awareness is a short-term exposure to what security
information is available.
Benefits of performing a SETA program
● Improving awareness of the need to protect

system resources
● Developing skills and knowledge so computer
users can perform their jobs more securely.
● Building in-depth knowledge, as needed, to
design, implement, or operate security programs
for organizations and systems.

SETA Program Summary

IS Security Governance Structure
● Governance of Information security is a part of

Information Systems Governance
● Introduces a new position under the CIO ( head
of the IS Department).
● CISO- Chief Information Security Officer
○ Is the head of Information Security in an
organization.
The CIO (Chief Information Officer)
● The changing role of the ISD highlights the fact that the CIO is
becoming an important member of the firm's top management
team.
○ Realization of the need for IT-related disaster planning and the
importance of IT to the firm’s activities.
○ Aligning IT with the business strategy
○ Implementing state-of-the-art solutions
○ Providing information access
○ Being a business visionary who drives business strategy
○ Coordinating resources
The IS Security Governance Hierarchy
● The Chief information security officer (CISO) has primary

responsibility for the assessment, management, and
implementation of information security systems in the
organization.
● The CISO usually reports directly to the CIO, although in larger
organizations it is not uncommon for one or more layers of
management to exist between the two.
● However, the recommendations of the CISO to the CIO must be
given equal, if not greater, priority than other technology and
information-related proposals.
Approaches to IS Security Program Implementation
This is the
Security
Hierarchy

Security Positions – what difference did you see?

Planning, Designing, Implementing and Monitoring Secured
systems (SecSDLC)
● Information Systems are developed using a standard development approach –SDLC,

which has set different phases.
● Each of the phases of the SDLC should include consideration of the security of the
system being assembled as well as the information it uses.
● Usually security considerations are underestimated in the Development of an
Information System.
○ Security is usually perceived as a technical-only issue and common practice considers
security requirements in isolation of the functional requirements of an information system.
● The SDLC doesn’t include security considerations
● Recently, there have been some organizations working on an Information Security
Frameworks.
● The well-known security framework is the C&A (Certification and Accreditation) process
of NIST (National Institute of Standards and Technology) of USA
SecSDLC- Phases
● The same phases used in the traditional SDLC can
be adapted to support the implementation of an
information security project.
● While the two processes may differ in intent and
specific activities, the overall methodology is the
same. At its heart, implementing the information
security involves identifying specific threats and
creating specific controls to counter those threats.
● The SecSDLC unifies this process and makes it a
coherent program rather than a series of random,
seemingly unconnected actions.
● Other organizations use a risk management
approach to implement information of security
systems.
C&A: Phases/Process to secured SDLC

C&A
● Certification and Accreditation (C&A) is a process

for implementing information security system.
● It is a systematic procedure for evaluating,
describing, testing and authorizing systems prior to
or after a system is in operation.
● The C&A process is used extensively in the U.S.
Federal Government.

C&A: what are they?
● Certification is a comprehensive evaluation of the technical and non-

technical security controls (safeguards) of an information system
● The evaluation supports the accreditation process and establishes the
extent to which a particular design and implementation meets a set of
specified security requirements.
● Accreditation is the formal declaration by a senior agency official
(Designated Accrediting Authority (DAA) or Principal Accrediting
Authority (PAA)) that an information system is approved to operate at
an acceptable level of risk, based on the implementation of an
approved set of technical, managerial, and procedural security
controls (safeguards).
The Secured Systems Development Process
● Has five basic phases which can be aligned to the

Waterfall Model/SDLC phases
○ Initiation Phase
○ Development/Acquisition
○ Implementation/Assessment
○ Operational/Maintenance
○ Disposal
What we do at Initiation phase
● During this phase, security requirements at an enterprise

level are identified.
● Key activities include:
○ Initial delineation of business requirements in terms of
confidentiality, integrity, and availability
○ Determination of information categorization and identification
of known special handling requirements to transmit, store, or
create information such as personally identifiable information
○ Determination of any privacy requirements.
What we do at Development & Acquisition phase
● During this phase, technical and functional

requirements are translated in to an actual plan for
an information system.
○ Conduct the risk assessment and use the results to
supplement the baseline security control
○ Analyze security requirements
○ Perform functional and security testing
What we do at Implementation/ Assessment phase
● During this phase, the system will be installed and

evaluated in the organization’s operational environment.
○ Integrate the information system into its operational
environment
○ Plan and conduct system certification activities in
synchronization with testing of security controls; and
○ Complete system accreditation activities

What we do at Operations/Maintenance Phase
● In this phase,
○ systems are in place and operating,
○ enhancements and/or modifications to the system are developed
and tested
○ hardware and/or software is added or replaced.
○ The system is monitored for continued performance in accordance
with security requirements and needed system modifications are
incorporated.
○ The operational system is periodically assessed to determine how
the system can be made more effective, secure, and efficient-
remember IS security is a process- not an Absolute Result/Product
Operations/Maintenance…

○ Configuration management and control ensures adequate
consideration of the potential security impacts due to specific
changes to an information system or its surrounding environment.
■ What kind of testing helps to avoid vulnerabilities due to change in an IS
Component?
○ Continuous monitoring—ensures that controls continue to be

effective in their application through periodic testing and
evaluation.

What we do at Disposal Phase
● This phase is important for disposal of a

system and closeout of any contracts in place.
● When information systems are transferred,

become obsolete, or are no longer usable, it is
important to ensure that organizational
resources and assets are protected.
Disposal phase cont’d…

○ Build and Execute a Disposal/Transition
Plan;
○ Archive of critical information-preservation;
○ Sanitization of media.
○ Disposal of hardware and software.
The SDLC
7 -Risk management in this context refers to risk associated with the development and not computer
security or system technical risk.

Security Consideration in SDLC- Summary

The Security Systems Development Life Cycle

The Security Systems Development Life Cycle Cont’d…

Information Systems Security Assessment Metrics
● The information security business has designed many security frameworks

that are internationally used for assessment of systems security.
● These frameworks facilitate the implementation of security controls within
an organization.
● Among the most popular are:
○ Control Objectives for Information Technology (COBIT),
○ ISO 27000 series of standards
○ Information Technology Infrastructure Library (ITIL).
○ Operationally Critical Threat, Asset and Vulnerability Evaluation
(OCTAVE). – Class Discussion – next week!

IS Security Assessment Metrics
● Measures and measurements are very important in order to

assess the effectiveness of an implemented Information Security
Management System (ISMS) and controls or groups of controls.
● Measures are key indicators or variables for which measurements
must be made.
● Measurements are generated by counting; metrics are
generated from the analysis on measurements.
● In other words, measurements are objective raw data and
metrics are either objective or subjective human
interpretations of the analytical output on those data.

IS Security Assessment Metrics Cont’d…
● According to Center for Internet Security (CIS), there can be three
types of metrics for Information Systems Security programs.
○ Management: Provide information on the performance of
business functions, and the impact on the organization
■ Audience: Business management
○ Operational: Used to understand and optimize the activities of
business functions
■ Audience: Security management
○ Technical: Provide technical details as well as a foundation for
other metrics.
■ Audience: Security operations
IS Security Measurement Requirements
● The following activities are considered a basis for an organization to fulfil
IS Security Measurement requirements.
○ Developing measures (i.e. base measures, derived measures and indicators).
○ Implementing and operating an Information Security Measurement Program.
○ Collecting and analyzing data.
○ Developing measurement results.
○ Communicating developed measurement results to the relevant
stakeholders.
○ Using measurement results as contributing factors for future decisions
○ Facilitating continuous improvement of the Information Security
Measurement Program

Key Components of Information System Security Assessment
Program- 4 Components
● Program Initiation: This component “identifies relevant

stakeholders”, determines who receives the security metrics, and
“what information they require to discharge their responsibility”.
○ Security Requirement identification
● Developing information security metrics: This is used to design the
Security policy and the security controls.-consists of two major
activities:
○ Identification and definition of the current IT security program/Policy and
○ Development and selection of specific metrics to measure the
implementation, efficiency, effectiveness, and the impact of the security
controls.
10/10/2023
Chapter 2 Fundamentals of Information Systems Security 76
Security Assessment Program Components Cont’d…
● Reporting information security metrics: This component analyzes how

information security metrics can be used to demonstrate “compliance
with security requirements (e.g., policy and procedures),
○ Measure Compliance with the Security Program/Policy.
● Maintaining(adapting) an information security metrics program:
Once an information security metrics program is deployed, the process is
not over.
○ Continuous Monitoring and Evaluation is important so that the metrics can
be changed with changing security environment and defense mechanism
○ Fine tuning the Metrics

● The bottom-up approach: Information security
program can begin as a grassroots effort in
which systems administrators attempt to
improve the security of their systems. (at
applications level)
● The top-down approach: In this case, the
project is initiated by upper-level managers
who issue policy, procedures and processes,
dictate the goals and expected outcomes, and
determine accountability
10/10/2023 IS Security - Introduction
for each required 78

Information System Security Assessment Model

Info. Systems Security Assessment Model – a Digital
Library Case

Info. Systems Security Assessment Model
● As shown in the previous slide;

○ The higher the position on the staircase, the more
complete and complex is the state of the IS
Security management.
○ The model works on the premise that the critical
foundation of an Information System Security (ISS) is
its technological infrastructure that must be in place
first and foremost

Chapter 2 Fundamentals of IS Security

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Chapter 2 Fundamentals of IS Security

Uploaded by

Copyright:

Available Formats

Chapter 2

● Understand fundamental concepts of Security

● Information Security is a Process

10/10/2023 Chapter 2 Fundamentals of Information Systems Security 3

● Information security deals with three basic

10/10/2023 Chapter 2 Fundamentals of Information Systems Security 4

● The following are some of the major principles of Information Security

○ Keep Things Simple

● The minimization principle is similar to the least privilege principle

10/10/2023 Chapter 2 Fundamentals of Information Systems Security 8

● Compartmentalization, or the use of compartments (also known as

10/10/2023 Chapter 2 Fundamentals of Information Systems Security 9

● Complexity is the worst enemy of security. Complex

10/10/2023 Chapter 2 Fundamentals of Information Systems Security 10

● Although fail securely may sound like an oxymoron, it isn’t. Failing

● Although not strictly a principle, the cost-benefit analysis is a

● For people new to information security, many information

○ Preventive, Detective, Corrective, Deterrent, Recovery, and

○ Physical: Controls that are physically present in the “real world”

○ Administrative: Controls defined and enforced by management

○ Logical/Technical: Technology controls performed by machines

○ Operational: Controls that are performed in person by people

○ Virtual: Controls that are triggered dynamically when certain

Physical Administrative Logical/Technical Operational Virtual

Preventative Locks Separation Firewalls, Intrusion Guards on station Dynamic

Compensative Manual processes

○Preventive controls try to prevent security

● Detective controls are in place to detect security

● Corrective controls try to correct the situation after

● Compensating controls are intended to be

● Logical access control models are the abstract foundations upon

● Four main access control models exist:

10/10/2023 Chapter 2 Fundamentals of Information Systems Security 23

○ This added layer of abstraction permits easier and more flexible

10/10/2023 Chapter 2 Fundamentals of Information Systems Security 27

● Further distinction should be made between centralized

● A policy is a high-level statement of enterprise beliefs,

10/10/2023 Chapter 2 Fundamentals of Information Systems Security 29

● Driven by business objectives and convey the

● Used to indicate expected user behavior.

10/10/2023 Chapter 2 Fundamentals of Information Systems Security 31

● Often act as the “cookbook” for staff to consult to

10/10/2023 Chapter 2 Fundamentals of Information Systems Security 33

The objective of an information security is to protect the integrity,

10/10/2023 Chapter 2 Fundamentals of Information Systems Security 35

● A policy might state that access to confidential data must be

10/10/2023 Chapter 2 Fundamentals of Information Systems Security 37

Avoid absolutism (Be diplomatic)

10/10/2023 Chapter 2 Fundamentals of Information Systems Security 38

Regulatory: This type of policy ensures that the organization is

10/10/2023 Chapter 2 Fundamentals of Information Systems Security 39

Global policies (Tier 1)

Application-specific policies (Tier 3)

What is a confidential information

Many organizations classify information into different

An information or asset classification process is a

How to develop classification levels (standards)

The information classification policy

Standards define what is to be accomplished in specific terms

insure some quality of

10/10/2023 Chapter 2 Fundamentals of Information Systems Security 44

Standards should enable the enterprise to fulfill its

● Improving awareness of the need to protect

10/10/2023 Chapter 2 Fundamentals of Information Systems Security 48