
INFORMATION SYSTEM SECURITY

OVERVIEW
Introduction
Information system is an integrated set of components for collecting, storing, and
processing and communicating data, knowledge, and digital products. Business
firms and other organizations rely on information systems to carry out and
manage their operations, interact with their customers and suppliers, and compete
in the marketplace. Public institutions use information systems in gathering data
from stakeholders and delivering information to them.

The main components of information systems are computer hardware and
software, telecommunications, databases and data warehouses, human resources,
and procedures. The hardware, software, and telecommunications constitute
information technology (IT), which is now ingrained in the operations and
management of organizations.

Information systems support operations, knowledge work, and management in
organizations. Functional information systems that support a specific
organizational function, such as marketing or production, have been supplanted by
cross-functional systems. Such systems can be more effective in the development
and delivery of the firm’s products and can be evaluated more closely with respect
to the business outcomes.

Security
Security is the degree of resistance to, or protection from, harm. It applies to any
vulnerable and valuable asset, such as a person, dwelling, community, nation, or
organization. Security provides a form of protection where a separation is created
between the assets and the threat. It is implemented through policies and
procedures. A security policy is a document that outlines the rules, laws and
practices for asset access. Such a document regulates how an organization will
manage and protect its assets.

Information System Security
Information systems security is the practice of defending information from
unauthorized access, use, disclosure, disruption, modification, perusal, inspection,
recording or destruction. It is a general term that can be used regardless of the
form the data may take.

Other definitions of information systems security are:

1. "Preservation of confidentiality, integrity and availability of information.
This is achieved through processes such as authorization, authentication and
accountability."
2. "The protection of information and information systems from unauthorized
access, use, disclosure, disruption, modification, or destruction in order to
provide confidentiality, integrity, and availability."
3. "Ensuring that only authorized users (confidentiality) have access to
accurate and complete information (integrity) when required (availability)."
4. "Information Security is the process of protecting the intellectual property
of an organisation."
5. "Information security is a risk management discipline, whose job is to
manage the cost of information risk to the business."
6. "A well-informed sense of assurance that information risks and controls are
in balance."
7. "Information security is the protection of information and minimises the
risk of exposing information to unauthorised parties."
8. "Information Security is a multidisciplinary area of study and professional
activity which is concerned with the development and implementation of
security mechanisms of all available types (technical, organisational, human-
oriented and legal) in order to keep information in all its locations (within and
outside the organisation’s perimeter) and, consequently, information systems,
where information is created, processed, stored, transmitted and destructed,
free from threats. Threats to information and information systems may be
categorised and a corresponding security goal may be defined for each category
of threats. A set of security goals, identified as a result of a threat analysis,
should be revised periodically to ensure its adequacy and conformance with
the evolving environment. The currently relevant set of security goals may
include: confidentiality, integrity, availability, privacy, authenticity &
trustworthiness, non-repudiation, accountability and auditability."

Challenges to Information Systems Security

Information has become a critical asset of all organizations owing to their rapid
adoption of IT (Information Technologies) across the entirety of their business
activities, driven by the need for careful management of the company’s
information. Information is an asset which is currently as important as capital
or labour. This reality is even more pressing in new-generation companies in
which information is part of their core business. In fact, in the last few years we
have observed more and more organizations becoming heavily dependent on
Information Systems (IS). Information Systems therefore undoubtedly play an
important role in today’s society and are ever-increasingly at the heart of critical
infrastructures, and this is widely accepted in the security research literature.

The current tendency towards using information systems which are increasingly
bigger and are distributed across the entire globe through the Internet has left
present-day information systems vulnerable to a host of threats and cyberattacks:
cyber-terrorists, hackers using programs such as viruses that propagate through
the Internet, social engineering attacks (phishing etc.), and the inappropriate use
of the Net’s assets by companies’ employees. Security in computing has in fact
grown tremendously since the 1970s, leading to a huge number of techniques,
models, protocols, etc. These have also been accompanied by a notable amount of
activity on the part of international organisations with regard to standardisation
and certification. This has taken place to such a great extent that it is possible to
find numerous international standardization organizations that have created a
complex structure of standards on themes related to information security, which
are frequently altered and updated. The permanent and global nature of security
threats and the increasing complexity of IT infrastructures are currently leading
organizations throughout the world to revise their approaches towards
information security. Hiring the ICT (Information and Communication
Technologies) equivalent of military men, i.e. security technologists and white-hat
hackers, and entrusting security to them is no longer sufficient.

Information Systems Security Challenges and Innovations

Enterprise security is a classical term that reflects the efforts made to avoid
business risks, thus permitting a company to withstand any threat that may
jeopardize its survival. The traditional concept of security needs to be expanded in
order to include the aforementioned information assets; the combination of the two
is known as Information Systems Security. Security and information systems are
therefore two closely linked terms, which is shown by the fact that any company’s
information is only as good as the security mechanisms that are implemented over
it. Unreliable information resulting from wrong security policies generates
uncertainty and mistrust, and has a negative impact on every business area.
Conversely, secure information systems are a sign of certainty which contributes
towards generating value both within and outside the company. Information
Systems Security is a function whose mission is to establish security policies and
their associated procedures and control elements over the organization’s
information assets, with the goal of guaranteeing their authenticity, confidentiality,
availability and integrity. Ensuring these four characteristics is the core function of
Information Systems Security:
• Confidentiality is understood in the sense that only authorized users can
access the information, thus preventing this information from spreading to
users who do not have the proper rights.
• Authenticity allows trustworthy operations by guaranteeing that the handler of
information is whoever s/he claims to be.
• Integrity is the quality which shows that the information has not been
modified by third parties, and ensures its correctness and completeness.
• Availability refers to being able to access information whenever necessary,
thus guaranteeing that the services offered can be used when needed.
Some of the current security challenges can be identified according to the
innovative security approaches that will be reviewed in this course. These security
challenges can be grouped into the following security fields: Cryptography;
Security in Small and Medium Enterprises; Privacy; Security and privacy in the
Cloud and Internet; Security metrics; Forensics; Security standards.

Cryptography
The rapid growth of electronic means of communication signifies that information
security has become a crucial issue in the real world. Modern cryptography
provides fundamental techniques with which to secure communication and
information. Cryptographic protocols such as digital signatures, commitment
schemes, oblivious transfer schemes and zero-knowledge proof systems have
contributed towards the construction of various security systems. There are many
works that cover such topics as block ciphers, block modes, hash functions,
encryption modes, signatures, message authentication codes, and implementation.

Security in Small and Medium Enterprises

Enterprises have started to become conscious of the huge importance of having
adequate information systems and correctly managing them. Thus, in spite of the
fact that there are still many enterprises which accept the risk of having no
adequate protection measures, there are many others which have understood that
information systems are not useful without security management systems and the
protection measures associated with them. It is very important for enterprises to
implement security controls that will allow them to know and control the risks to
which they may be exposed, given that the implementation of these controls
leads to important improvements for these companies. But the implementation of
these controls is not sufficient, and enterprises should use systems that manage
security over time, thus allowing them to react to new risks, vulnerabilities,
threats, etc. in an agile manner.

Privacy
From a trust perspective, it is important for enterprises to ensure that they act in a
privacy-conscious manner when accessing and working with an individual’s
personal information or personally identifiable information (PII). Privacy is already
a prime concern in today’s information society. The challenge now is to design
pervasive computing systems that include effective privacy protection
mechanisms. The controls focus on information privacy as a value that is different
from, but highly interrelated with, information security. Organizations cannot
have effective privacy without a solid foundation of information security. However,
privacy is more than security and confidentiality, and also includes the principles
of, for example, transparency, notice and choice.

Security and privacy in the cloud and Internet

Although there is a significant benefit in leveraging Cloud computing, security
concerns have led organizations to hesitate at the idea of moving critical resources
to the Cloud. Corporations and individuals are often concerned about how security
and compliance integrity can be maintained in this new environment. In the rush to
take advantage of the benefits of Cloud computing, not least of which is the
significant savings in costs, many corporations are probably rushing into Cloud
computing without serious consideration of the security implications. Cloud
computing has a set of security benefits which the Cloud providers offer to those of
their customers who choose to move their applications to the Cloud.

Security Metrics
A widely accepted management principle is that an activity cannot be managed if it
cannot be measured. Security falls into this rubric. Metrics may be an effective tool
which will allow security managers to discern the effectiveness of various
components of their security programs, the security of a specific system, product
or process, and the ability of staff or departments within an organization to
address security issues for which they are responsible. Metrics can also help to
identify the level of risk involved in not carrying out a given action, and thus
provide guidance in prioritizing corrective actions. Information security metrics
are seen as an important factor in making sound decisions about various aspects of
security, ranging from the design of security architectures and controls to the
effectiveness and efficiency of security operations.

Forensics
The field of computer forensic science emerged in response to the growth of
computer crime. Digital forensics is defined as a scientifically proven method for
the investigation of computers and other digital devices believed to be involved in
criminal activities. A digital forensic investigation should follow proper digital
forensic procedures or process models for its evidence to be admissible in a court
of law. Work in digital forensics covers a wide variety of areas: law enforcement
needs to produce the compelling and legally recognized evidence required to
prosecute crimes; corporations might need to identify and mitigate an insider
threat, thus requiring a lower standard of proof; and military intelligence needs
might require quick action based on a limited amount of information. Current
solutions for computer forensics are presented in, which are only used to collect,
analyze and extract evidence after intrusions, and some are inspired by the theory
of artificial immune systems. Prevalent forensic techniques do not scale, and the
demand for forensic examination is already much greater than current capacity.

Security standards
Securing information system resources is extremely important in ensuring that the
resources are well protected. Information security is not just a simple matter of
having usernames and passwords. Regulations and various privacy and data
protection policies impose a raft of obligations. Some proposals for information
security management already exist (ISO/IEC 27001 [ISO/IEC27001 2005], ISM3
[ISM3 2007], BS 7799, PCI DSS, ITIL), all of them created by international
organizations for standardization. The protection of personal data takes on a
particularly special relevance in sectors such as health, in which the
vulnerability of patients’ personal data is of extreme importance.
