
CHAPTER TWO-2

FUNDAMENTALS OF INFORMATION
SYSTEMS SECURITY
IS Security Fundamentals
Deals with some fundamental concepts within the area of information
security
Needs of IS security
Enabling Safe Operation of Applications: Organizations must create integrated,
efficient, and capable applications, and they need environments that
safeguard those applications.
Protecting Data: An effective information security program is essential to the
protection of the integrity and value of the organization’s data.
Safeguarding Technology Assets: Organizations must have secure IT
infrastructure services based on the size and scope of the enterprise.
Cont.…

• Acts of Human Error or Failure: Includes acts done without malicious
intent, caused by:
• Inexperience, improper training, incorrect assumptions and other factors
• Employees are the greatest threat to information security, since they are closest to the
organizational data
• Employee mistakes can easily lead to the following:
– revelation of classified data
– entry of erroneous data
– accidental deletion or modification of data
– storage of data in unprotected areas
Principles of Information Systems Security
1. Split Up the Users and Resources: a security expert needs to assign access by a person’s job
type, and may need to further refine those limits according to organizational separations.

2. Assign Minimum Privileges: each person is assigned the minimum privileges needed to carry out his or her
responsibilities. If a person’s responsibilities change, so do the privileges.

3. Plan for Failure: Planning for failure will help minimize its actual consequences should it occur.
Having backup systems in place allows us to constantly monitor security measures and react quickly
to a breach.

4. Record: Ideally, a security system will never be breached, but when a security breach does take
place, the event should be recorded.

5. Run Frequent Tests: IS professionals run tests, conduct risk assessments, reread the disaster
recovery plan, check the business continuity plan in case of attack, and then do it all over again.
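As an added illustration of principles 1, 2 and 4 above (example code, not part of the original chapter), the following Python models role-based, least-privilege access with an audit trail; the roles, permissions and user names are constructed sample data.

```python
"""Least-privilege role assignment with an audit trail (constructed example).
Access is assigned by role (principle 1), a user holds only the current role's
privileges (principle 2) and every decision is recorded (principle 4)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed role -> permission mapping; each role gets only what its job needs.
ROLE_PERMISSIONS = {
    "hr_clerk": {"hr_records:read"},
    "hr_manager": {"hr_records:read", "hr_records:write"},
    "backup_operator": {"backups:run", "backups:restore"},
}

@dataclass
class User:
    name: str
    role: str

@dataclass
class AccessControl:
    audit_log: list = field(default_factory=list)

    def permissions_for(self, user):
        # Privileges derive from the role only, so no per-user grants accumulate.
        return ROLE_PERMISSIONS.get(user.role, set())

    def check(self, user, resource, action):
        allowed = f"{resource}:{action}" in self.permissions_for(user)
        # Record the decision so a breach or misuse can be reconstructed later.
        self._record(user, f"{action} {resource}", "ALLOW" if allowed else "DENY")
        return allowed

    def change_role(self, user, new_role):
        # Privileges follow responsibilities: the old role's rights are dropped entirely.
        if new_role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {new_role!r}")
        self._record(user, f"role {user.role} -> {new_role}", "CHANGE")
        user.role = new_role

    def _record(self, user, event, result):
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user.name, "role": user.role, "event": event, "result": result,
        })

def denied_events(ac):
    # Denied attempts are the first thing to review during the frequent tests of principle 5.
    return [e for e in ac.audit_log if e["result"] == "DENY"]
```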
Components of Information System Security
• Components of Information System Security: the information system is the entire set of software, hardware,
data, people, procedures, and networks necessary to use information as a resource
in the organization.
Cont....
• Software: The exploitation of errors in software programming accounts for a substantial portion of
the attacks on information
• Hardware: Hardware is the physical technology that houses and executes the software, stores and
transports the data, and provides interfaces for the entry and removal of information from the
system.
• Physical security policies deal with hardware as a physical asset and with the protection of
physical assets from harm or theft.
• Data: data stored, processed, and transmitted by a computer system must be protected. Data is often
the most valuable asset possessed by an organization, and it is the main target of intentional attacks.
• People: people have always been a threat to information security. Unless policy, education and
training, awareness, and technology are properly employed to prevent people from accidentally or
intentionally damaging or losing information, they will remain the weakest link.
• Procedures: are written instructions for accomplishing a specific task. When an unauthorized user
obtains an organization’s procedures, this poses a threat to the integrity of the information.
• Network: steps to provide network security are essential, as is the implementation of alarm and
intrusion detection systems to make system owners aware of ongoing compromises.
Introduction to Information Security Policy
• Information Security Policy (ISP) is a set of rules enacted by an organization to
ensure that all users or networks of the IT structure within the organization's
domain abide by the prescriptions regarding the security of data stored digitally
within the organization.
• The security policy should be concise and easy to read, in order to be effective
• The four components of security documentation are policies, standards,
procedures, and guidelines.
• Policy is a high-level statement of requirements.
• It describes security in general terms, not specifics.
• Standards specify how to configure devices, how to install and configure
software, and how to use computer systems and other organizational assets, to
be compliant with the intentions of the policy.
• Standards are mandatory requirements regarding processes, actions and configurations.
• They are rules that give formal policies support and direction.
Cont....
• Procedures specify the step-by-step instructions to perform various tasks in
accordance with policies and standards.
• A procedure is a documented set of steps necessary to perform a specific task.
Examples of procedures: installing operating systems, performing a
system backup, granting access rights to a system, and setting up new user
accounts.
• Guidelines are advice about how to achieve the goals of the security policy,
but they are suggestions, not rules.
• Guidelines are additional guidance that is recommended, but not mandatory. They are
recommendations to users when specific standards do not apply.
Cont.…
• In the absence of clear policy, organizations put themselves at risk and often
flounder in responding to a violation.
• For managers, a security policy identifies the expectations of senior management about roles,
responsibilities, and actions that should be taken by management with regard to security
controls.
• For technical staff, a security policy clarifies which security controls should be used on the
network, in the physical facilities, and on computer systems.
• For all employees, a security policy describes how they should conduct themselves when
using the computer systems, e-mail, phones, and voice mail.
Security Policy Development
• When developing a security policy for the first time, one useful approach is to focus on the why,
who, where, and what during the policy development process:
1. Why should the policy address these particular concerns? (Purpose)
2. Who should the policy address? (Responsibilities)
3. Where should the policy be applied? (Scope)
4. What should the policy contain? (Content)
Phased Approach
• If you approach security policy development in the following phases, the work
will be more manageable:
1. Requirements gathering
2. Project definition and proposal based on requirements
3. Policy development
4. Review and approval
5. Publication and distribution
6. Ongoing maintenance (and revision)
• After the security policy is approved, standards and procedures must be developed
in order to ensure a smooth implementation.
• This will require the policy developer to work closely with the technical staff to
develop standards and procedures relating to computers, applications and
networks.
Security Policy Contributors
• Human Resources: The enforcement of the security policy, when it involves
employee rewards and punishments, is usually the responsibility of the HR
department.
• Legal: Often, an organization that has an internal legal department or outside
legal representation will want to have those attorneys review and clarify legal
points in the document and advise on particular points of appropriateness and
applicability.
• Information Technology: Security policy tends to focus on computer systems,
and specifically on the security controls that are built into the computing
infrastructure.
• Physical Security: Physical Security (or Facilities) departments usually
implement the physical security controls specified in the security policy. In some
cases, the IT department may manage the information systems components of
physical security.
Security Policy Audience

• Employees
• Contractors and temporary workers
• Consultants and service providers
• Business partners and third-party vendors
• Employees of subsidiaries and affiliates
• Customers who use the organization’s information resources
The following are the goals of security policies:

• To protect an organization’s computing resources
• To prevent wastage of the company’s computing resources
• To prevent unauthorized modifications of the data
• To reduce risks caused by illegal use of the system resources
• To differentiate the user’s access rights
• To protect data from theft, misuse, and unauthorized disclosure
Policy Categories
• Security policies can be subdivided into three primary categories:
regulatory, advisory and informative. Each has a unique role or function.
1. Regulatory: regulatory policies are security policies that an organization must implement due to compliance,
regulation, or other legal requirements.
• Regulatory policy ensures that the organization is following standards set by specific industry
regulations.
• It consists of a series of legal statements that describe in detail what must be done, when it must be
done, and who does it, and can provide insight as to why it is important to do it.
• These policies are used to make certain that the organization complies with local, state and federal
laws.
• Example of a regulatory policy:
• Because of recent changes to Ethiopian federal law, the Company will now retain records of
employee inventions and patents for 1 year; all email messages and any backup of such email
associated with patents and inventions will be stored for one year.
Cont..
2. Advisory policy
• Advisory policy strongly advises employees on the behaviors and activities which should and
should not take place within the organization.
• These policies are not mandatory but are strongly suggested, perhaps with serious consequences
defined.
• The job of an advisory policy is to ensure that all employees know the consequences of certain
behavior and actions.
• Failure to follow them will result in consequences such as termination, or a job action warning. A
company with such policies wants most employees to consider these policies mandatory. This type
of policy is generally based on security best practices.
• Advisory policies provide recommendations, often written in very strong terms, about the action to be taken in a
certain situation or a method to be used.
• Example: Illegal copying: Employees should never download or install any commercial software
onto any network drives or disks unless they have written permission from the network
administrator. Be prepared to be held accountable for your actions, including the loss of network
privileges, written reprimand, or employment termination if the Rules of Appropriate Use are
violated.
Cont..
3. Informative: informative policies exist simply to inform the reader.
• This type of policy isn’t designed with enforcement in mind; it is developed for education.
• Its goal is to inform and enlighten employees.
• These policies may apply to specific business units, business partners, vendors, and customers
who use the organization’s information systems.
Cont.…
The form and organization of security policies can be reflected in an outline format
with the following components:
• Author - The policy writer
• Sponsor - The executive champion
• Authorizer - The executive signer with ultimate authority
• Effective date - When the policy is effective; generally when authorized
• Review date - Subject to agreement by all parties; annually at least
• Purpose - Why the policy exists
• Scope - Who the policy affects and where the policy is applied
• Policy - What the policy is about
• Exceptions - Who or what is not covered by the policy
• Enforcement - How the policy will be enforced, and consequences for not following it
• Definitions - Terms the reader may need to know
• References - Links to other related policies and corporate documents
