<Previous Lesson

Information Systems

Next Lesson>


Security of Information System

Security of Information System

The information systems are vulnerable to modification, intrusion or malfunctioning. Hence they need to
be secured from all these threats be devising a sound security system.
“Information assets are secure when the expected losses that will occur from threats eventuating over
sometime are at an acceptable level.”

28.1 Security Issues
Some losses will inevitably occur in all environments. So eliminating all possible losses is either impossible
or too costly. Level of losses should be specified. The level of losses decided should be linked with a time
period in which the occurrence would be tolerated. The definition mentions threats, which can be either
Physical, (e.g. Theft, rain, earthquake, disasters, fire) or
Logical (e.g intrusion, virus, etc)

Examples of intrusion
The security might be required to stop unauthorized access to the financial system of a bank from executing
fraudulent transactions. The purpose of intrusion may not only be to damage the database of the company
but may be limited to stealing customer list for personal use transferring money illegally. An employee
before leaving the company may have to be stopped from data manipulation, though he is having
authorized access to the system.

Management’s responsibility
Executive management has a responsibility to ensure that the organization provides all users with a secure
information systems environment. Importance for security should be sponsored by the senior management.
This would make employees/users of IS, feel the importance of secure environment in which the IS works
and operates un-tampered.

Importance of Security
Sound security is fundamental to achieving this assurance. Furthermore, there is a need for organizations to
protect themselves against the risks inherent with the use of information systems while simultaneously
recognizing the benefits that can accrue from having secure information systems. Thus, as dependence on
information systems increases, security is universally recognized as a pervasive, critically needed, quality.

28.2 Security Objective
Organization for Economic Cooperation & Development, (OECD) in 1992 issued “Guidelines for the
Security of Information Systems”. These guidelines stated the security objective as
“The protection of the interests of those relying on information, and the information systems and
communications that delivers the information, from harm resulting from failures of availability,
confidentiality, and integrity.”
The security objective uses three terms
Availability – information systems are available and usable when required;
Confidentiality – data and information are disclosed only to those who have a right to know it;
Integrity – data and information are protected against unauthorized modification (integrity).
The relative priority and significance of availability, confidentiality, and integrity vary according to the data
within the information system and the business context in which it is used.

28.3 Scope of Security
The concept of security applies to all information. Security relates to the protection of valuable assets
against loss, disclosure, or damage. Valuable assets are the data or information recorded, processed, stored,
shared, transmitted, or retrieved from an electronic medium. The data or information must be protected
against harm from threats that will lead to its loss, inaccessibility, alteration or wrongful disclosure.

Types of Information Assets
The question is what needs to be protected in an Information systems environment? In a manual
environment, usually the records kept in hard form are the main information assets to be safeguarded
against various threats. In computerized environments the sensitivity of the record being kept is enhanced.
Information Assets can be classified as follows:

28.4 Security Policy
The organization that is concerned with protecting its information assets and information system should
devise a security policy to be communicated formally to all concerned in an organization. The security
policy should support and complement existing organizational policies. The thrust of the policy statement
must be to recognize the underlying value of, and dependence on, the information within an organization.

Contents of Security Policy
Security policy is a critical document which should be designed to include almost all aspects of security
The importance of information security to the organization;
A statement from the chief executive officer in support of the goals and principles of effective
information security;
Specific statements indicating minimum standards and compliance requirements for specific areas:
Assets classification;
Data security;
Personnel security;
Physical, logical, and environmental security;
Communications security;
Legal, regulatory, and contractual requirements;
System development and maintenance life cycle requirements;
Business continuity planning;
Security awareness, training, and education;
Security breach detection and reporting requirements; and
Violation enforcement provisions
Definitions of responsibilities and accountabilities for information security, with appropriate
separation of duties;
Particular information system or issue specific areas; and
Reporting responsibilities and procedures
Now the question that arises is how a security policy is to be devised. The organizations interested in raising
the security levels of their information system undergo what is commonly termed as “Security Program” or
“Security Review”. This can be seen as a first attempt to devise a formal security policy for the organization.

28.5 Security Program
“A security program is a series of ongoing regular periodic reviews conducted to ensure that assets
associated with the information systems function are safeguarded adequately.”
The first security review conducted is often a major exercise

Conducting Security Program
There are certain steps which need to be undertaken for conducting a security program.

Preparation of Project Plan
In this phase the review objectives of the security program are specified. The scope of the work to be done
needs to be defined at the outset. Since there are possibilities of getting bogged down into the unnecessary
details? This would help avoid too much of unnecessary work which may be undertaken with little benefit

Major components of the project plan
Objectives of the review: There has to be a definite set of objectives for a security review e.g. to improve
physical security over computer hardware in a particular division, to examine the adequacy of controls in
the light of new threat to logical security that has emerged, etc.
Scope of the review: if the information system is an organization wide activity, what needs to be covered
has to be defined, e.g. scope will determine the location and name of computers to be covered in the
security review, etc.
Tasks to be accomplished – In this component, specific tasks under the overall tasks are defined e.g.
compiling the inventory of hardware and software may be one of many specific tasks to be undertaken
for security review.
Organization of the project team – A team is organized based on the needs of the security review.
Resources budget – What resources are required for conducting security review.
Schedule for task completion – Dates by which the tasks should be completed along with the objectives
to be achieved.

28.6 Identification of Assets
Identifying assets is the primary step in determining what needs to be protected. The classification of
information assets is already stated above. Unless the assets are defined, the related risks cannot be
determined that easily.

Ranking of Assets
The assets identified earlier should be given a rank according to the importance they have. Following are the
critical issues
Who values the asset? – Various interested groups (end user, programmer, etc) may be asked to rank the
assets in accordance with the criticality of usage and importance to them and to the organization e.g
a scale between 0 to 10 can be used for this purpose.
Degrees of importance may be defined as very critical, critical, less critical, etc.
How the asset is lost? – a customer master file might be accidentally damaged but the impact of being
stolen would be higher.
Period of obsolescence – within what time the asset becomes of no use without being used. As time
passes by, assets keep losing value which also affects the security review.

Threat Identification
“A threat is some action or event that can lead to a loss.”
During this phase, various types of threats that can eventuate and result in information assets being
exposed, removed either temporarily or permanently lost damaged destroyed or used for un-authorized
purposes are identified.

<Previous Lesson

Information Systems

Next Lesson>


Lesson Plan


Go to Top

Next Lesson
Previous Lesson
Lesson Plan
Go to Top