ITEC-3020 Computer Security Fundamentals
Information Handling: Security Concerns and Organizational Success
In an organization which practices only formal and informal systems of information handling, data can become unwieldy and difficult to manage. Messages received at the informal level would likely be lost because there is little or no method of record keeping. On the flip side, messages at the formal level would be relegated to a filing system which would require many hours of human interaction to maintain, sort, and query. Having a technical system would solve both these issues through record management and automated information keeping (e.g. databases).
Lacking a technical system introduces many security concerns in terms of information management. Prominent among them are the inadvertent filing of information in the incorrect location and message misappropriation through insecure transmission. The filing error is easily seen when a clerk places a file which should be located in a secure lock box on a table for anyone to peruse. Transmission interception is as simple as someone overhearing a conversation which should have been held through more private channels.
Even with this modern handicap, an organization could still function successfully. This is self-evident, as humans survived for eons before the advent of computerized systems. However, a technical system would ensure that the organization remains competitive. That is, most organizations make their profits through efficient process management, which begins with the way in which they manage their data.
Reference
Dhillon, G. (2007). Principles of Information Systems Security: Text and Cases. John Wiley & Sons, Inc.
Cryptography: Using the Vigenère Cipher
This lab displays the use of the Vigenère Cipher to encrypt and decrypt several messages.
Network Security: Methods and Practices
Extract: A network is more than its component parts. It is built for the distribution and sharing of information for the betterment of the organization. As such, a key focus should be on securing the data contained on that network. Therefore, all systems should be patched and updated to the latest firmware/software at all times, antivirus should be installed locally on all machines, and a gateway filter should be implemented at the router to scan all packets for malicious intent. This will ensure the integrity of all information more than the security, but in a corporate environment, this is what is needed.
SSE-CMM: Moving up the Stack
Extract: This paper has defined assurance methods for each level of the SSE-CMM whereby an organization can gauge whether it has met a level of the staged CMM. The primary key at each point is a method of physically gathering evidence via documentation whereby proof is garnered that the level has been met and sustained. These assurances serve to provide a level of instruction for moving up the CMM stack without bypassing essential security requirements. In essence, no higher level is attainable in full until the previous level has been mastered.
Information Technology Security: Policy Administration
Information Technology security should be managed and maintained by the Information Technology department in conjunction with the organization’s Risk department. The IT department would be in charge of securing the network technically and writing the network security policy by which all employees would have to abide. The Risk department would review and approve the policy to make sure it remains in line with corporate strategy, as well as ensuring it covers more than just the technical aspects of network security.
Having both departments oversee the security policy means that there are two separate ideologies determining the overall factors which should govern day-to-day operations. These divergent viewpoints ensure that corporate security and technology security are maintained to a high degree. Conversely, having these separate perspectives means that potential policy mandates may go through many iterations before being standardized. In this interim time, security breaches may occur that would not have occurred if the policy had been ratified.
An information security manager has a wide range of tools at their disposal to cover the policies which are applied:
Further to these technical security tools, risk bulletins posted on the organizational intranet can help staff stay ahead of any current threats. The Risk department can subscribe to news dispatches from network security agencies which alert to possible threats. This information can, and should, be passed on to network administrators and staff. Finally, the Risk department can coordinate with HR to organize basic network security training for all staff.
Reference
Dhillon, G. (2007). Principles of Information Systems Security: Text and Cases. John Wiley & Sons, Inc.
Meyers, M. (2009). CompTIA Network+ Guide to Managing and Troubleshooting Networks (2nd ed.). McGraw-Hill.
Orion Strategy Process: IS Risk Modeling
The Orion Strategy Process is very similar to the Supply Chain Operations Reference (SCOR) model in that it fashions a current As-Is state and then defines an idealized To-Be state (Harmon, 2007). From these two viewpoints, an overview of all risks which affect the organization can be determined via the gaps between the two models. Additionally, both methods discuss how business processes work in terms of systems. This way of thinking allows analysts to see the overall picture, rather than focusing on the individual parts, which may not cover the whole area of risk.
The Orion model may not be implemented by many organizations as it focuses too tightly on systems security. It is likely that broader viewpoints offer more information in terms of organizational risk. Additionally, systems security is becoming something of a known trait. It is rare to find a company that does not understand that their systems are a point of security penetration, and as such, network admins and risk analysts are already on top of IS security policies.
All that being said, for those organizations that do not already have a process modeling methodology, implementing the Orion Strategy should be a key priority. It will immediately enable them to see the risks inherent in their network, even if they already believe they are secure. Finding and securing even one system risk would ensure that organizational profits do not go to repairing a break after it has already occurred.
Reference
Dhillon, G. (2007). Principles of Information Systems Security: Text and Cases. John Wiley & Sons, Inc.
Harmon, P. (2007). Business Process Change: A guide for Business Managers and BPM and Six Sigma Professionals (2nd ed.). Burlington, MA: Morgan Kaufmann.
Network Policy and Procedures - Example
(This is an example document showing how a network security policy could be outlined.)
- All physical access to system hardware should be limited to authorized personnel.
- Authorized personnel are defined as those individuals who have taken security training coursework, are registered in the authorization database, and are in possession of a registered access RFID swipe card or network user ID.
- Server rooms will have doors which automatically lock and contain motion sensors which log times when individuals are present. Additionally, access will only be granted via use of registered access RFID swipe cards in conjunction with a server room access code.
- All systems infrastructure belongs to the educational organization and no external entity is authorized to connect at any point to the system or systems. Any device which is connected is automatically the property of the educational organization, unless authorization is granted by the head of network security and the head network administrator.
- Information Categorization
- All data stored on educational systems must be classified in order of integrity and security.
- That data which is classified at the integral level may be readable by lower security levels but modifiable only by higher security levels in accordance with the Biba Model of data integrity.
- That data which is classified at the security level is modifiable only by higher security levels on a need-to-know basis in accordance with the Bell-LaPadula Model.
- Information on the educational systems belongs to the educational organization first and foremost. Information confidentiality must be maintained for any data which is classified level 2 or above (e.g. either low integrity or low security).
- User systems access must be authorized.
- All users accessing educational systems must be registered by the educational organization and receive a user name and password.
- The password for each user will maintain a high level of complexity and be routinely expired for forced password updates.
- Access to educational systems is at the educational organization's determination, meaning that access may be revoked for any reason at any time.
- All user accounts belong to the educational organization, and therefore, all data associated with the accounts belongs to the educational organization.
- A set account expiry will be maintained which must be refreshed by the user contacting the helpdesk and requesting the account be reactivated. This expiry will be set to three weeks and begin countdown upon each final log out.
ii. Note that all systems will be forced to shut down once a month to ensure that no account is left logged in indefinitely.
- Internet access will be managed via an endpoint management system.
- All policies pertinent to systems access will be valid for internet access on educational systems. E.g. if you use the educational internet access, any data transmitted or received while using this access belongs to the educational organization.
- Reasonable usage of internet access will be solely in the purview of each department head and should remain within the bounds of educational premise.
- Systems which access the internet will be placed in a DMZ and sit outside the bounds of normal educational systems access.
- All systems will maintain a firewall and virus scanner.
- All gateways will maintain a hardware firewall and endpoint scanner.
- All training environments will exist outside the normal educational system.
- As training in building and developing systems is a requirement, training environments will be maintained which exist outside system bounds. These environments will not interface with the educational system at any point.
- All requests for training environments should be made to the information technology helpdesk.
- All training environments are the sole property of the educational organization and therefore may be disconnected and/or confiscated for whatever means the organization deems fit.
- Policy Accountability
- All policies within this document are within the bounds of educational senior management, with oversight from the head of information technology at the advisement of the organizational risk department.
System Risks: Hospital Information System
Given the situation of an information system for a hospital, risks can come from many different angles. Personal or social factors with staff can lead to internal subversion of systems, rules governing system operation can contradict process operations, development of systems leaves room for analyst slip-ups when developing software packages, and unsecured workplace environments leave open physical weaknesses that outside parties can exploit. Each of these risks can be mitigated and/or outright avoided given proper planning and training.
Overwork, underpayment, and rotating hours lead to a disgruntled staff. Staff members in these situations tend to place less regard on system security and focus more time on making their own lives easier. This is, of course, at the expense of systems security. Overcoming such situations should be of great concern, as internal subversion of systems is of the highest risk. Solutions come in the form of flexible, reasonable working hours, overtime pay, and removing rotating hours so that staff can have a routine in their life.
Contradictory system rules which state one thing while working conditions force another leave open a variety of exploit avenues. For instance, system rules state that no emails containing patient records are to be sent unencrypted. However, email encryption is not available on all systems, and where it is available, directions are too confusing for staff to understand. These risks are in the medium risk category, where the chance of something going wrong is high, but the likelihood is low. Threat removal, in this instance, comes in the form of proper policy and procedure planning, as well as review of those policies and procedures post-implementation to ensure they are doing what is expected.
Systems development can leave open large holes if security is not considered from the start. For instance, a given system is supposed to monitor heart rate and report it back to the doctor in question. However, the system has no built-in encryption, and as such, data is sent over the internet in plain text. Once again, this risk is in the medium category. Ensuring that security planning and oversight are taken into account from the start to the finish of systems development, together with scheduled audits of the system after implementation, will ensure that such vulnerabilities are not left unchecked.
The highest risk, and at the same time the easiest risk to overcome, is that of physical exploits. Examples are a staff member leaving their workstation unlocked, doors to secure medical systems being left open, or medical screens being placed so that the public can clearly see private medical details. Automated workstation locking, automatic sliding doors with RFID scanner locks, and proper placement of medical screens can all overcome these weaknesses. Since each of these risks is easy to overcome, there is no reason why these measures should not be implemented immediately.
Reference
Dhillon, G. (2007). Principles of Information Systems Security: Text and Cases. John Wiley & Sons, Inc.
Corporate Governance: Information Systems Security
Information Systems security, more often than not, is maintained by the information technology department. That being said, the responsibility for the systems being secure is in the hands of all professional managers, those people who are on the executive team. In terms of corporate governance, this means that executives expect IS security to maintain corporate integrity and confidentiality, and to provide a base from which profitable processes and/or actions may take place. Additionally, “Management is responsible to the shareholder for loss of value attributed to information system security compromises” (Dhillon, 2007, p. 203).
Shareholder responsibility means that ownership of the systems and management of the systems are separated in terms of monetary value and legal recourse. If the systems are violated in such a way that confidential information is lost, stolen, or abused such that it affects the value of the corporation’s stock, the executive team are the people who will pay for that violation, not shareholders. That is to say, the stock may drop in value, but the executives will likely lose their jobs and/or face legal prosecution.
In terms of legality, government entities may place legal requirements on certain organizations that deal in highly confidential and/or integral information, such as financial organizations. In Australia, this is reflected in continuous training and retraining of staff in such things as the National Privacy Principles (Australian Government: Office of the Information Commissioner, 2008). These principles outline the laws that govern what an organization can and cannot gather from a customer, as well as storage and disposal procedures for said data. Financial staff are required to be trained in the NPPs on an annual basis, with records of that training remaining on file for auditors to review if they so choose.
All this being said, IS security is more than just protecting shareholders’ interests and customer privacy; it also ensures that different groups within the organization can communicate without fear that their exchanges are being misled. Imagine if IS security were breached in an organization to the extent that communication flows were rerouted and then altered, such that incorrect data was received by each department. In a hospital, this could very well lead to deaths as patients received incorrect medication or dosages. In a financial organization, this could lead to the loss of great sums of customer capital, e.g. Enron.
Reference
Australian Government: Office of the Information Commissioner. (2008, February). Private Sector Information Sheet 1A - National Privacy Principles. Retrieved April 2, 2013, from Australian Government: Office of the Information Commissioner: http://www.privacy.gov.au/materials/types/download/8776/6583
Dhillon, G. (2007). Principles of Information Systems Security: Text and Cases. John Wiley & Sons, Inc.
Security Evaluation Criteria: ITSEC vs. TCSEC
Extract: When a software company develops a software application, whether this is a system or a product, certain security functionalities are expected by any customer of that organization. These expectations have been codified in the evaluation criteria standards TCSEC and ITSEC. Meeting each of the seven levels of these two standards gives an ever increasing sense of security viability of any application. This, in turn, provides confidence and assurances that the product’s security policy is being met.
USA PATRIOT Act and AML/CTF
Extract: The USA Patriot Act was designed and passed to assist law enforcement agencies in tracking down and apprehending suspected terrorists. It does this in such a way as to remove or outright ignore the freedoms the American people have come to rely upon based on the very constitution on which the country was founded. Specifically, wiretaps can be done “without providing probable cause as the Fourth Amendment explicitly requires” (ACLU, 2010).