1. ABSTRACT
Rapid and dramatic advances in information technology (IT), while offering
tremendous benefits, have also created significant and unprecedented risks to
government operations. Federal, state, and local governments depend heavily on
information systems (IS) security measures to avoid data tampering, fraud, inappropriate
access to and disclosure of sensitive information, and disruptions in critical operations.
These risks are expected to only continue to escalate as wireless and other technologies
emerge.
The primary goal of any enterprise-wide security program is to support user
communities by providing cost-effective protection to information system resources at
appropriate levels of integrity, availability, and confidentiality without impacting
productivity, innovation, and creativity in advancing technology within the corporation’s
overall objectives.
Ideally, information systems security enables management to have confidence that
their computational systems will provide the information requested and expected, while
denying accessibility to those who have no right to it. The analysis of incidents resulting
in damage to information systems shows that most losses were still due to errors or
omissions by authorized users, actions of disgruntled employees, and an increase in
external penetrations of systems by outsiders. Traditional controls are normally
inadequate in these cases or are focused on the wrong threat, resulting in the exposure of
a vulnerability.
2. INTRODUCTION
Rapid and dramatic advances in information technology (IT), while offering tremendous
benefits, have also created significant and unprecedented risks to government operations.
Federal, state, and local governments depend heavily on information systems (IS) security
measures to avoid data tampering, fraud, inappropriate access to and disclosure of sensitive
information, and disruptions in critical operations. These risks are expected to only continue to
escalate as wireless and other technologies emerge.
Electronic information is essential to the achievement of organizational objectives. Its
reliability, integrity, and availability are significant concerns. The use of computer networks,
particularly the Internet, is revolutionizing the way business is conducted. While the benefits have been
enormous and vast amounts of information are now literally at our fingertips, these
interconnections also pose significant risks to computer systems, information, and to the critical
operations and infrastructures they support. Infrastructure elements such as telecommunications,
power distribution, national defense, law enforcement, and government and emergency services
are subject to these risks. The same factors that benefit operations—speed and accessibility—if
not properly controlled, can leave them vulnerable to fraud, sabotage, and malicious or
mischievous acts. In addition, natural disasters and inadvertent errors by authorized computer
users can have devastating consequences if information resources are poorly protected. Recent
publicized disruptions caused by virus, worm, and denial of service attacks on both commercial
and governmental Web sites illustrate the potential for damage.
Computer security is of increasing importance to all levels in minimizing the risk of
malicious attacks from individuals and groups. These risks include the fraudulent loss or misuse
of resources, unauthorized access to or release of sensitive information such as tax and medical
records, disruption of critical operations through viruses or hacker attacks, and modification or
destruction of data. The risk that information attacks will threaten vital national interests
increases with the following developments in information technology:
• Monies are increasingly transferred electronically between and among governmental agencies,
commercial enterprises, and individuals.
• Governments are rapidly expanding their use of electronic commerce.
• National defence and intelligence communities increasingly rely on commercially available
information technology.
• Public utilities and telecommunications increasingly rely on computer systems.
• More and more sensitive economic and commercial information is exchanged electronically.
• Computer systems are rapidly increasing in complexity and interconnectivity.
• Easy-to-use hacker tools are readily available, and hacker activity is increasing.
• Paper supporting documents are being reduced or eliminated.
An Information System is an organized combination of people, hardware, software,
communication networks and data resources that collects, transforms and disseminates
information in an organization. People have relied on information systems to communicate
with each other using a variety of physical devices (Hardware),
information processing instructions and procedures (Software), communication
channels (Networks) and stored data (Data Resources).
Components of an IS
In an organization, information systems consist of the following components. These
components form a system that helps us gather the
information required for making decisions at various levels of management.
Data
o Input that the system takes to produce information
Hardware
o Computer itself and its peripheral equipment: input, output,
storage devices; includes data communication equipment
Software
o Sets of instructions that tell the computer how to input,
process, output and store data.
Communication networks
o Hardware and software specializing in transmission and
reception of electronic data.
People
o IS professionals and users who design, construct, operate and
maintain IS.
Procedures
o Rules to process data, e.g. priorities in running different
applications, security measures, routines for malfunctioning IS, etc.
Information System Resources
Every Information System is equipped with the following resources. The
goals of information systems can be achieved by employing these resources
to their optimum level, keeping in view the purpose of using IS in an
organization.
• People Resources
o End users
o IS specialists
• Hardware Resources
o Machines
o Media
• Software Resources
o Programs: Operating Systems (OS). Examples: Windows, Unix, etc.
o Application Software. Examples: Excel, Access, MS-Word, etc.
o Application software that makes people buy computers that can run the software.
Example: email system. To use an email system (software), people buy computers.
o Procedures: Operating instructions for the people who will use an information
system. Examples: Instructions for filling out a paper form or using a software package.
• Data Resources:
o Data vs. Information
1. Data: Raw facts, observations, business transactions. Objective
measurements of the attributes (characteristics) of entities (people, places, things,
events, etc.). Attributes can be last name, first name, gender, etc. for an entity of "people."
2. Information: Data that have been converted into a meaningful and useful
context for specific end users. Processed data placed in a context that gives it value for
specific end users.
   1. Its form is aggregated, manipulated, and organized.
   2. Its content is analyzed and evaluated.
   3. It is placed in a proper context for a human user.
• Network Resources:
o Communications media.
o Communications processors.
o Network access & control software.
SECURITY OF INFORMATION SYSTEM RESOURCES
Information security means protecting information and information systems from
unauthorized access, use, disclosure, disruption, modification, perusal, inspection,
recording or destruction.
For over twenty years, information security has held confidentiality, integrity and availability
(known as the CIA triad) to be the core principles of information security.
In 2002, Donn Parker proposed an alternative model for the classic CIA triad that he
called the six atomic elements of information. The elements
are confidentiality, possession, integrity, authenticity, availability, and utility. The merits of
the Parkerian hexad are a subject of debate amongst security professionals.
Confidentiality
Confidentiality means preventing the disclosure of information to unauthorized
individuals or systems. For example, a credit card transaction on the Internet requires the credit
card number to be transmitted from the buyer to the merchant and from the merchant to
a transaction processing network. The system attempts to enforce confidentiality by encrypting
the card number during transmission, by limiting the places where it might appear (in databases,
log files, backups, printed receipts, and so on), and by restricting access to the places where it is
stored. If an unauthorized party obtains the card number in any way, a breach of confidentiality
has occurred.
Integrity
In information security, integrity means that data cannot be modified undetectably. This is not the
same thing as referential integrity in databases, although it can be viewed as a special case of
Consistency as understood in the classic ACID model of transaction processing. Integrity is
violated when a message is actively modified in transit. Information security systems typically
provide message integrity in addition to data confidentiality.
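The integrity property described above can be seen in a short Python sketch, added here as an illustration and not part of the original text. It contrasts a plain message digest, which anyone altering the message can recompute, with a keyed HMAC. The message contents and function names are constructed for the example.

```python
import hashlib
import hmac
import secrets


def send_with_digest(message: bytes) -> tuple[bytes, bytes]:
    """Sender attaches a plain SHA-256 message digest (no key involved)."""
    return message, hashlib.sha256(message).digest()


def verify_digest(message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(hashlib.sha256(message).digest(), tag)


def send_with_mac(key: bytes, message: bytes) -> tuple[bytes, bytes]:
    """Sender attaches HMAC-SHA256 computed with a key shared with the receiver."""
    return message, hmac.new(key, message, hashlib.sha256).digest()


def verify_mac(key: bytes, message: bytes, tag: bytes) -> bool:
    expected = hmac.new(key, message, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)  # constant-time comparison


def modify_in_transit(message: bytes, tag: bytes) -> tuple[bytes, bytes]:
    """Constructed model of active modification: the message is altered and
    the only tag that can be rebuilt without the key (the digest) is rebuilt."""
    altered = message.replace(b"amount=100", b"amount=900")
    return altered, hashlib.sha256(altered).digest()


def demo() -> dict[str, bool]:
    key = secrets.token_bytes(32)            # shared secret, never sent with the message
    msg = b"pay to=merchant-42;amount=100"   # constructed sample message
    results = {}
    m, t = send_with_digest(msg)
    results["digest_unmodified"] = verify_digest(m, t)
    results["digest_modified"] = verify_digest(*modify_in_transit(m, t))
    m, t = send_with_mac(key, msg)
    results["mac_unmodified"] = verify_mac(key, m, t)
    results["mac_modified"] = verify_mac(key, *modify_in_transit(m, t))
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The unkeyed digest accepts the altered message because the digest was recomputed along with it; only the keyed check makes the modification detectable.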
Availability
For any information system to serve its purpose, the information must be available when it is
needed. This means that the computing systems used to store and process the information,
the security controls used to protect it, and the communication channels used to access it must be
functioning correctly. High availability systems aim to remain available at all times, preventing
service disruptions due to power outages, hardware failures, and system upgrades. Ensuring
availability also involves preventing denial-of-service attacks.
Authenticity
In computing, e-Business and information security it is necessary to ensure that the data,
transactions, communications or documents (electronic or physical) are genuine. It is also
important for authenticity to validate that both parties involved are who they claim they are.
Non-repudiation
In law, non-repudiation implies one's intention to fulfil their obligations to a contract. It also
implies that one party of a transaction cannot deny having received a transaction nor can the
other party deny having sent a transaction.
Electronic commerce uses technology such as digital signatures and public key encryption to
establish authenticity and non-repudiation.
RISK MANAGEMENT:
Risk management is the process of identifying vulnerabilities and threats to the information
resources used by an organization in achieving business objectives, and deciding what
countermeasures, if any, to take in reducing risk to an acceptable level, based on the value of the
information resource to the organization.
Controls:
Administrative
Administrative controls (also called procedural controls) consist of approved written policies,
procedures, standards and guidelines. Administrative controls form the framework for running
the business and managing people. They inform people on how the business is to be run and how
day to day operations are to be conducted.
Logical
Logical controls (also called technical controls) use software and data to monitor and
control access to information and computing systems. For example: passwords, network
and host based firewalls, network intrusion detection systems, access control lists, and
data encryption are logical controls.
Physical
Physical controls monitor and control the environment of the work place and computing
facilities. They also monitor and control access to and from such facilities. For example: doors,
locks, heating and air conditioning, smoke and fire alarms, fire suppression systems, cameras,
barricades, fencing, security guards, cable locks, etc. Separating the network and work place into
functional areas is also a physical control.
Access control
Access to protected information must be restricted to people who are authorized to access the
information. The computer programs, and in many cases the computers that process the
information, must also be authorized. This requires that mechanisms be in place to control the
access to protected information. The sophistication of the access control mechanisms should be
in parity with the value of the information being protected – the more sensitive or valuable the
information, the stronger the control mechanisms need to be. The foundation on which access
control mechanisms are built starts with identification and authentication.
Identification is an assertion of who someone is or what something is.
Authentication is the act of verifying a claim of identity.
On computer systems in use today, the Username is the most common form of identification and
the Password is the most common form of authentication. Usernames and passwords have served
their purpose but in our modern world they are no longer adequate. Usernames and passwords
are slowly being replaced with more sophisticated authentication mechanisms.
After a person, program or computer has successfully been identified and authenticated then it
must be determined what informational resources they are permitted to access and what actions
they will be allowed to perform (run, view, create, delete, or change). This is
called authorization.
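The identification, authentication and authorization sequence described above is sketched below in Python as an added example, not part of the original text. The class name, user names, resource name and PBKDF2 iteration count are assumptions made for the illustration; the action names are the ones listed in the paragraph.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed setting)


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class AccessController:  # hypothetical name, for illustration only
    def __init__(self):
        self._credentials = {}  # username -> (salt, derived key); no plaintext stored
        self._acl = {}          # (username, resource) -> set of permitted actions

    def enroll(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._credentials[username] = (salt, _derive(password, salt))

    def grant(self, username: str, resource: str, actions: set) -> None:
        self._acl.setdefault((username, resource), set()).update(actions)

    def authenticate(self, username: str, password: str) -> bool:
        # Identification: the username is only a claim. Unknown names still go
        # through the key derivation so response time does not reveal them.
        known = username in self._credentials
        salt, stored = self._credentials.get(username, (b"\0" * 16, b"\0" * 32))
        # Authentication: verify the claim with a constant-time comparison.
        return hmac.compare_digest(_derive(password, salt), stored) and known

    def request(self, username: str, password: str, resource: str, action: str) -> str:
        if not self.authenticate(username, password):
            return "denied: authentication failed"
        # Authorization: default deny; only explicitly granted actions pass.
        if action not in self._acl.get((username, resource), set()):
            return "denied: not authorized"
        return "allowed"


def build_demo() -> AccessController:
    ac = AccessController()
    ac.enroll("alice", "correct horse battery staple")  # constructed sample user
    ac.grant("alice", "payroll.db", {"view", "change"})
    return ac


if __name__ == "__main__":
    ac = build_demo()
    pw = "correct horse battery staple"
    print(ac.request("alice", pw, "payroll.db", "view"))
    print(ac.request("alice", pw, "payroll.db", "delete"))
    print(ac.request("alice", "wrong", "payroll.db", "view"))
```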
Cryptography
Information security uses cryptography to transform usable information into a form that renders
it unusable by anyone other than an authorized user; this process is called encryption.
Information that has been encrypted (rendered unusable) can be transformed back into its
original usable form by an authorized user, who possesses the cryptographic key, through the
process of decryption. Cryptography is used in information security to protect information from
unauthorized or accidental disclosure while the information is in transit (either electronically or
physically) and while information is in storage.
Cryptography provides information security with other useful applications as well including
improved authentication methods, message digests, digital signatures, non-repudiation, and
encrypted network communications.