Security of Information System
Security of Information System
The information systems are vulnerable to modification,
intrusion or malfunctioning. Hence they need to
be secured from all these threats be devising a sound security
“Information assets are secure when the expected losses that
will occur from threats eventuating over
sometime are at an acceptable level.”
28.1 Security Issues
Some losses will inevitably occur in all environments. So
eliminating all possible losses is either impossible
or too costly. Level of losses should be specified. The level of
losses decided should be linked with a time
period in which the occurrence would be tolerated. The
definition mentions threats, which can be either
Physical, (e.g. Theft,
rain, earthquake, disasters, fire) or
Logical (e.g intrusion,
Examples of intrusion
The security might be required to stop unauthorized access to
the financial system of a bank from executing
fraudulent transactions. The purpose of intrusion may not only
be to damage the database of the company
but may be limited to stealing customer list for personal use
transferring money illegally. An employee
before leaving the company may have to be stopped from data
manipulation, though he is having
authorized access to the system.
Executive management has a responsibility to ensure that the
organization provides all users with a secure
information systems environment. Importance for security should
be sponsored by the senior management.
This would make employees/users of IS, feel the importance of
secure environment in which the IS works
and operates un-tampered.
Importance of Security
Sound security is fundamental to achieving this assurance.
Furthermore, there is a need for organizations to
protect themselves against the risks inherent with the use of
information systems while simultaneously
recognizing the benefits that can accrue from having secure
information systems. Thus, as dependence on
information systems increases, security is universally
recognized as a pervasive, critically needed, quality.
28.2 Security Objective
Organization for Economic Cooperation & Development, (OECD) in
1992 issued “Guidelines for the
Security of Information Systems”. These guidelines stated the
security objective as
“The protection of the interests of those relying on
information, and the information systems and
communications that delivers the information, from harm
resulting from failures of availability,
confidentiality, and integrity.”
The security objective uses three terms
information systems are available and usable when required;
Confidentiality – data
and information are disclosed only to those who have a right to know it;
Integrity – data and
information are protected against unauthorized modification (integrity).
The relative priority and significance of availability,
confidentiality, and integrity vary according to the data
within the information system and the business context in which
it is used.
28.3 Scope of Security
The concept of security applies to all information. Security
relates to the protection of valuable assets
against loss, disclosure, or damage. Valuable assets are the
data or information recorded, processed, stored,
shared, transmitted, or retrieved from an electronic medium. The
data or information must be protected
against harm from threats that will lead to its loss,
inaccessibility, alteration or wrongful disclosure.
Types of Information Assets
The question is what needs to be protected in an Information
systems environment? In a manual
environment, usually the records kept in hard form are the main
information assets to be safeguarded
against various threats. In computerized environments the
sensitivity of the record being kept is enhanced.
Information Assets can be classified as follows:
28.4 Security Policy
The organization that is concerned with protecting its
information assets and information system should
devise a security policy to be communicated formally to all
concerned in an organization. The security
policy should support and complement existing organizational
policies. The thrust of the policy statement
must be to recognize the underlying value of, and dependence on,
the information within an organization.
Contents of Security Policy
Security policy is a critical document which should be designed
to include almost all aspects of security
The importance of
information security to the organization;
A statement from the
chief executive officer in support of the goals and principles of effective
indicating minimum standards and compliance requirements for specific areas:
Physical, logical, and
Legal, regulatory, and
System development and
maintenance life cycle requirements;
training, and education;
detection and reporting requirements; and
responsibilities and accountabilities for information security, with appropriate
separation of duties;
system or issue specific areas; and
responsibilities and procedures
Now the question that arises is how a security policy is to be
devised. The organizations interested in raising
the security levels of their information system undergo what is
commonly termed as “Security Program” or
“Security Review”. This can be seen as a first attempt to devise
a formal security policy for the organization.
28.5 Security Program
“A security program is a series of ongoing regular periodic
reviews conducted to ensure that assets
associated with the information systems function are safeguarded
The first security review conducted is often a major exercise
Conducting Security Program
There are certain steps which need to be undertaken for
conducting a security program.
Preparation of Project Plan
In this phase the review objectives of the security program are
specified. The scope of the work to be done
needs to be defined at the outset. Since there are possibilities
of getting bogged down into the unnecessary
details? This would help avoid too much of unnecessary work
which may be undertaken with little benefit
Major components of the project plan
Objectives of the
review: There has to be a definite set of objectives for a security review e.g.
physical security over computer hardware in a particular
division, to examine the adequacy of controls in
the light of new threat to logical security that has emerged,
Scope of the review: if
the information system is an organization wide activity, what needs to be
has to be defined, e.g. scope will determine the location and
name of computers to be covered in the
security review, etc.
Tasks to be accomplished
– In this component, specific tasks under the overall tasks are defined e.g.
compiling the inventory of hardware and software may be one of
many specific tasks to be undertaken
for security review.
Organization of the
project team – A team is organized based on the needs of the security review.
Resources budget – What
resources are required for conducting security review.
Schedule for task
completion – Dates by which the tasks should be completed along with the
to be achieved.
28.6 Identification of Assets
Identifying assets is the primary step in determining what needs
to be protected. The classification of
information assets is already stated above. Unless the assets
are defined, the related risks cannot be
determined that easily.
Ranking of Assets
The assets identified earlier should be given a rank according
to the importance they have. Following are the
Who values the asset? –
Various interested groups (end user, programmer, etc) may be asked to rank the
assets in accordance with the criticality of usage and
importance to them and to the organization e.g
a scale between 0 to 10
can be used for this purpose.
Degrees of importance
may be defined as very critical, critical, less critical, etc.
How the asset is lost? –
a customer master file might be accidentally damaged but the impact of being
stolen would be higher.
Period of obsolescence –
within what time the asset becomes of no use without being used. As time
passes by, assets keep losing value which also affects the
“A threat is some action or event that can lead to a loss.”
During this phase, various types of threats that can eventuate
and result in information assets being
exposed, removed either temporarily or permanently lost damaged
destroyed or used for un-authorized
purposes are identified.