ABSTRACT

     Rapid and dramatic advances in information technology (IT), while offering
tremendous benefits, have also created significant and unprecedented risks to
government operations. Federal, state, and local governments depend heavily on
information systems (IS) security measures to avoid data tampering, fraud, inappropriate
access to and disclosure of sensitive information, and disruptions in critical operations.
These risks are expected to only continue to escalate as wireless and other technologies
emerge.

     The primary goal of any enterprise-wide security program is to support user
communities by providing cost-effective protection to information system resources at
appropriate levels of integrity, availability, and confidentiality without impacting
productivity, innovation, and creativity in advancing technology within the corporation’s
overall objectives.

      Ideally, information systems security enables management to have confidence that
their computational systems will provide the information requested and expected, while
denying accessibility to those who have no right to it. The analysis of incidents resulting
in damage to information systems shows that most losses were still due to errors or
omissions by authorized users, actions of disgruntled employees, and an increase in
external penetrations of systems by outsiders. Traditional controls are normally
inadequate in these cases or are focused on the wrong threat, resulting in the exposure of
a vulnerability.
INTRODUCTION

    Rapid and dramatic advances in information technology (IT), while offering tremendous
benefits, have also created significant and unprecedented risks to government operations.
Federal, state, and local governments depend heavily on information systems (IS) security
measures to avoid data tampering, fraud, inappropriate access to and disclosure of sensitive
information, and disruptions in critical operations. These risks are expected to only continue to
escalate as wireless and other technologies emerge.

     Electronic information is essential to the achievement of organizational objectives. Its
reliability, integrity, and availability are significant concerns. The use of computer networks,
particularly the Internet, is revolutionizing the way of business. While the benefits have been
enormous and vast amounts of information are now literally at our fingertips, these
interconnections also pose significant risks to computer systems, information, and to the critical
operations and infrastructures they support. Infrastructure elements such as telecommunications,
power distribution, national defense, law enforcement, and government and emergency services
are subject to these risks. The same factors that benefit operations—speed and accessibility—if
not properly controlled, can leave them vulnerable to fraud, sabotage, and malicious or
mischievous acts. In addition, natural disasters and inadvertent errors by authorized computer
users can have devastating consequences if information resources are poorly protected. Recent
publicized disruptions caused by virus, worm, and denial of service attacks on both commercial
and governmental Web sites illustrate the potential for damage.

      Computer security is of increasing importance to all levels in minimizing the risk of
malicious attacks from individuals and groups. These risks include the fraudulent loss or misuse
of resources, unauthorized access to or release of sensitive information such as tax and medical
records, disruption of critical operations through viruses or hacker attacks, and modification or
destruction of data. The risk that information attacks will threaten vital national interests
increases with the following developments in information technology:

• Monies are increasingly transferred electronically between and among governmental agencies,
commercial enterprises, and individuals.

• Governments are rapidly expanding their use of electronic commerce.

• National defence and intelligence communities increasingly rely on commercially available
information technology.

• Public utilities and telecommunications increasingly rely on computer systems.

• More and more sensitive economic and commercial information is exchanged electronically.

• Computer systems are rapidly increasing in complexity and interconnectivity.

• Easy-to-use hacker tools are readily available, and hacker activity is increasing.

• Paper supporting documents are being reduced or eliminated.

   An Information System is an organized combination of people, hardware, software,
communication networks and data resources that collects, transforms and disseminates
information in an organization. People have relied on information systems to communicate
with each other using a variety of physical devices (hardware), information processing
instructions and procedures (software), communication channels (networks) and stored
data (data resources).

Components of an IS

   In an organization, information systems consist of the following components. Together
these components form a system that helps gather the information required for decision
making at the various levels of management.

• Data
   o Input that the system takes to produce information.
• Hardware
   o The computer itself and its peripheral equipment: input, output and storage devices;
     includes data communication equipment.
• Software
   o Sets of instructions that tell the computer how to input, process, output and store data.
• Communication networks
   o Hardware and software specializing in the transmission and reception of electronic data.
• People
   o IS professionals and users who design, construct, operate and maintain the IS.
• Procedures
   o Rules to process data, e.g. priorities in running different applications, security
     measures, routines for a malfunctioning IS, etc.


Information System Resources

      Every Information System is equipped with the following resources. The goals of an
information system can be achieved by employing these resources to their optimum level,
keeping in view the purpose of using the IS in the organization.

• People Resources
   o End users
   o IS specialists

• Hardware Resources
   o Machines
   o Media

• Software Resources
   o Programs: operating systems (OS), for example Windows, Unix, etc.; application
     software, for example Excel, Access, MS-Word, etc. Application software is what makes
     people buy computers that can run it. Example: an email system; to use an email system
     (software), people buy computers.
   o Procedures: operating instructions for the people who will use an information
     system. Examples: instructions for filling out a paper form or using a software package.

• Data Resources
   o Data vs. Information
      1. Data: raw facts, observations, business transactions; objective measurements of the
         attributes (characteristics) of entities (people, places, things, events, etc.).
         Attributes can be last name, first name, gender, etc. for an entity of "people."
      2. Information: data that have been converted into a meaningful and useful context for
         specific end users; processed data placed in a context that gives it value for
         specific end users.
            1. Its form is aggregated, manipulated, and organized.
            2. Its content is analyzed and evaluated.
            3. It is placed in a proper context for a human user.

• Network Resources
   o Communications media.
   o Communications processors.
   o Network access & control software.

SECURITY OF INFORMATION SYSTEM RESOURCES

   Information security means protecting information and information systems from
unauthorized access, use, disclosure, disruption, modification, perusal, inspection,
recording or destruction.
For over twenty years, information security has held confidentiality, integrity and availability
(known as the CIA triad) to be the core principles of information security.
        In 2002, Donn Parker proposed an alternative model for the classic CIA triad that he
called the six atomic elements of information. The elements
are confidentiality, possession, integrity, authenticity, availability, and utility. The merits of
the Parkerian hexad are a subject of debate amongst security professionals.

Confidentiality
Confidentiality is the term used to prevent the disclosure of information to unauthorized
individuals or systems. For example, a credit card transaction on the Internet requires the credit
card number to be transmitted from the buyer to the merchant and from the merchant to
a transaction processing network. The system attempts to enforce confidentiality by encrypting
the card number during transmission, by limiting the places where it might appear (in databases,
log files, backups, printed receipts, and so on), and by restricting access to the places where it is
stored. If an unauthorized party obtains the card number in any way, a breach of confidentiality
has occurred.
Integrity
In information security, integrity means that data cannot be modified undetectably. This is not
the same thing as referential integrity in databases, although it can be viewed as a special case of
Consistency as understood in the classic ACID model of transaction processing. Integrity is
violated when a message is actively modified in transit. Information security systems typically
provide message integrity in addition to data confidentiality.
Availability

For any information system to serve its purpose, the information must be available when it is
needed. This means that the computing systems used to store and process the information,
the security controls used to protect it, and the communication channels used to access it must be
functioning correctly. High availability systems aim to remain available at all times, preventing
service disruptions due to power outages, hardware failures, and system upgrades. Ensuring
availability also involves preventing denial-of-service attacks.
Authenticity
In computing, e-Business and information security it is necessary to ensure that the data,
transactions, communications or documents (electronic or physical) are genuine. It is also
important for authenticity to validate that both parties involved are who they claim they are.
Non-repudiation

In law, non-repudiation implies one's intention to fulfil their obligations to a contract. It also
implies that one party of a transaction cannot deny having received a transaction nor can the
other party deny having sent a transaction.

Electronic commerce uses technology such as digital signatures and public key encryption to
establish authenticity and non-repudiation.
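As an added illustration of the integrity, authenticity and non-repudiation points above (example code written for this page, not from the seminar paper): a keyed message authentication code (HMAC-SHA256 from the Python standard library) detects a message altered in transit and tells the receiver that the sender held the shared key, whereas an unkeyed digest sent with the message does not, because an attacker simply recomputes it. The same code shows why a shared-key tag cannot give non-repudiation: the receiver holds the key too and can fabricate a message that verifies, so only a digital signature made with a key that the sender alone holds can prove origin to a third party. The shared key, the order messages and the party names are constructed for the example.

```python
"""Message integrity and authenticity with an HMAC, and the non-repudiation gap.

Added example, not from the seminar paper. The shared key and the order
messages below are constructed for illustration only.
"""
import hashlib
import hmac
from typing import Tuple

# Constructed sample: a secret shared by buyer and merchant (in practice it
# would be provisioned out of band or derived from a key exchange).
SHARED_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")


def make_tag(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 over the message; the sender attaches it to the message."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recompute the tag and compare in constant time (no timing side channel)."""
    return hmac.compare_digest(make_tag(key, message), tag)


def unkeyed_digest_is_fooled() -> bool:
    """A plain SHA-256 digest travelling with the message does not detect an
    active modification in transit: whoever alters the message recomputes the
    digest. Returns True when the altered message still 'checks out'."""
    original = b"amount=100.00"
    altered = b"amount=900.00"
    digest_in_transit = hashlib.sha256(original).digest()
    digest_in_transit = hashlib.sha256(altered).digest()  # recomputed by the modifier
    return hashlib.sha256(altered).digest() == digest_in_transit  # receiver sees a match


def integrity_demo() -> Tuple[bool, bool, bool]:
    """Returns (genuine_ok, tampered_ok, forged_by_receiver_ok)."""
    order = b"buyer=alice;merchant=shop;amount=100.00;currency=USD"
    tag = make_tag(SHARED_KEY, order)

    # 1. The genuine message and tag verify at the merchant (integrity + authenticity).
    genuine_ok = verify_tag(SHARED_KEY, order, tag)

    # 2. The amount is changed in transit; the tag no longer matches, so the
    #    modification is detected rather than silently accepted.
    altered = order.replace(b"amount=100.00", b"amount=900.00")
    tampered_ok = verify_tag(SHARED_KEY, altered, tag)

    # 3. Non-repudiation gap: the merchant holds SHARED_KEY as well, so it can
    #    fabricate an order together with a valid tag. A third party cannot tell
    #    whether buyer or merchant produced the tag; proving origin needs a
    #    digital signature under a private key that only the buyer holds.
    fabricated = b"buyer=alice;merchant=shop;amount=5000.00;currency=USD"
    forged_ok = verify_tag(SHARED_KEY, fabricated, make_tag(SHARED_KEY, fabricated))

    return genuine_ok, tampered_ok, forged_ok


if __name__ == "__main__":
    print("genuine, tampered, forged-by-receiver:", integrity_demo())
    print("unkeyed digest fooled:", unkeyed_digest_is_fooled())
```

The design point is the split of roles: the keyed tag gives the two key holders integrity and authenticity between themselves, while any claim that must convince an outside party (a dispute over who sent the order) needs asymmetric signatures, which is exactly why the text pairs non-repudiation with digital signatures and public key cryptography.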

RISK MANAGEMENT:

Risk management is the process of identifying vulnerabilities and threats to the information
resources used by an organization in achieving business objectives, and deciding what
countermeasures, if any, to take in reducing risk to an acceptable level, based on the value of the
information resource to the organization.
Controls:
Administrative
Administrative controls (also called procedural controls) consist of approved written policies,
procedures, standards and guidelines. Administrative controls form the framework for running
the business and managing people. They inform people on how the business is to be run and how
day to day operations are to be conducted.


Logical
Logical controls (also called technical controls) use software and data to monitor and
control access to information and computing systems. For example: passwords, network
and host based firewalls, network intrusion detection systems, access control lists, and
data encryption are logical controls.
Physical

Physical controls monitor and control the environment of the work place and computing
facilities. They also monitor and control access to and from such facilities. For example: doors,
locks, heating and air conditioning, smoke and fire alarms, fire suppression systems, cameras,
barricades, fencing, security guards, cable locks, etc. Separating the network and work place into
functional areas is also a physical control.

Access control
Access to protected information must be restricted to people who are authorized to access the
information. The computer programs, and in many cases the computers that process the
information, must also be authorized. This requires that mechanisms be in place to control the
access to protected information. The sophistication of the access control mechanisms should be
in parity with the value of the information being protected – the more sensitive or valuable the
information the stronger the control mechanisms need to be. The foundation on which access
control mechanisms are built starts with identification and authentication.
Identification is an assertion of who someone is or what something is.
Authentication is the act of verifying a claim of identity.
On computer systems in use today, the Username is the most common form of identification and
the Password is the most common form of authentication. Usernames and passwords have served
their purpose but in our modern world they are no longer adequate. Usernames and passwords
are slowly being replaced with more sophisticated authentication mechanisms.
After a person, program or computer has successfully been identified and authenticated then it
must be determined what informational resources they are permitted to access and what actions
they will be allowed to perform (run, view, create, delete, or change). This is
called authorization.
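The three steps just described, identification, authentication and authorization, are easy to conflate in code, so here is an added example (written for this page, not from the seminar paper) that keeps them as separate checks: the username is the identity claim, a salted and iterated password hash (PBKDF2 from the Python standard library) verifies the claim, and a deny-by-default permission table then decides which of the actions listed above (run, view, create, delete, change) the authenticated principal may perform on a resource. The user names, passwords, resource names and the permission table are constructed for the example.

```python
"""Identification, authentication and authorization as three separate checks.

Added example, not from the seminar paper. The user names, passwords, resources
and the permission table are constructed for illustration.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Set, Tuple

PBKDF2_ITERATIONS = 200_000
# Used only so that an unknown user costs the same time as a wrong password.
_DUMMY_SALT = bytes(16)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, iterated hash so a stolen credential store is slow to crack."""
    salt = secrets.token_bytes(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


# Credential store: username -> (salt, digest). The password itself is never stored.
USERS: Dict[str, Tuple[bytes, bytes]] = {}


def register(username: str, password: str) -> None:
    USERS[username] = hash_password(password)


def authenticate(username: str, password: str) -> bool:
    """Authentication: verify the identity claim carried by the username."""
    record = USERS.get(username)
    if record is None:
        hash_password(password, _DUMMY_SALT)  # same cost as a real check
        return False
    salt, stored = record
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


# Authorization table: (user, resource) -> allowed actions. Anything not listed
# is denied (deny by default).
PERMISSIONS: Dict[Tuple[str, str], Set[str]] = {
    ("alice", "payroll.db"): {"view", "change"},
    ("bob", "payroll.db"): {"view"},
    ("bob", "reports/"): {"view", "create", "delete"},
}
ACTIONS = {"run", "view", "create", "delete", "change"}


def authorize(username: str, resource: str, action: str) -> bool:
    """Authorization: decide what an already authenticated principal may do."""
    if action not in ACTIONS:
        return False
    return action in PERMISSIONS.get((username, resource), set())


def access(username: str, password: str, resource: str, action: str) -> str:
    """Identification (username) -> authentication (password) -> authorization."""
    if not authenticate(username, password):
        return "denied: authentication failed"
    if not authorize(username, resource, action):
        return "denied: not authorized"
    return "granted"


# Constructed sample accounts.
register("alice", "correct horse battery staple")
register("bob", "tr0ub4dor&3")

if __name__ == "__main__":
    print(access("alice", "correct horse battery staple", "payroll.db", "change"))
    print(access("bob", "tr0ub4dor&3", "payroll.db", "change"))
    print(access("mallory", "anything", "payroll.db", "view"))
```

Two details matter for the point the text makes about control strength matching the value of the information: the credential store keeps only salted, iterated hashes, so a leak of the store does not directly leak passwords, and the authorization step never falls through to "allow" when a user or resource is missing from the table.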
Cryptography
Information security uses cryptography to transform usable information into a form that renders
it unusable by anyone other than an authorized user; this process is called encryption.
Information that has been encrypted (rendered unusable) can be transformed back into its
original usable form by an authorized user, who possesses the cryptographic key, through the
process of decryption. Cryptography is used in information security to protect information from
unauthorized or accidental disclosure while the information is in transit (either electronically or
physically) and while information is in storage.
Cryptography provides information security with other useful applications as well including
improved authentication methods, message digests, digital signatures, non-repudiation, and
encrypted network communications.
It seminar isr

More Related Content

What's hot

4.content (computer forensic)
4.content (computer forensic)4.content (computer forensic)
4.content (computer forensic)JIEMS Akkalkuwa
 
International Journal of Engineering Research and Development
International Journal of Engineering Research and DevelopmentInternational Journal of Engineering Research and Development
International Journal of Engineering Research and DevelopmentIJERD Editor
 
Chapter 14: Information Technology
Chapter 14: Information TechnologyChapter 14: Information Technology
Chapter 14: Information Technologydmeyeravc
 
Security and Control Issues in Information System
Security and Control Issues in Information SystemSecurity and Control Issues in Information System
Security and Control Issues in Information SystemDaryl Conson
 
Cb12e basic ppt ch15
Cb12e basic ppt ch15Cb12e basic ppt ch15
Cb12e basic ppt ch15Eric
 
Foundations of Information System in Business - Mark John Lado
Foundations of Information System in Business - Mark John LadoFoundations of Information System in Business - Mark John Lado
Foundations of Information System in Business - Mark John LadoMark John Lado, MIT
 
Exploring the Difference Between Information Technology and Information System
Exploring the Difference Between Information Technology and Information SystemExploring the Difference Between Information Technology and Information System
Exploring the Difference Between Information Technology and Information SystemLaguna State Polytechnic University
 
Protection and defense against sensitive data leakage problem within organiza...
Protection and defense against sensitive data leakage problem within organiza...Protection and defense against sensitive data leakage problem within organiza...
Protection and defense against sensitive data leakage problem within organiza...Alexander Decker
 
IRJET- A Review of Information Systems Security: Types, Security Issues, and ...
IRJET- A Review of Information Systems Security: Types, Security Issues, and ...IRJET- A Review of Information Systems Security: Types, Security Issues, and ...
IRJET- A Review of Information Systems Security: Types, Security Issues, and ...IRJET Journal
 
IRJET- Comprehensive Study of E-Health Security in Cloud Computing
IRJET- Comprehensive Study of E-Health Security in Cloud ComputingIRJET- Comprehensive Study of E-Health Security in Cloud Computing
IRJET- Comprehensive Study of E-Health Security in Cloud ComputingIRJET Journal
 
Paper Titled Information Security in an organization
Paper Titled Information Security in an organizationPaper Titled Information Security in an organization
Paper Titled Information Security in an organizationMohammed Mahfouz Alhassan
 
Information Security Background
Information Security BackgroundInformation Security Background
Information Security BackgroundNicholas Davis
 
A survey of confidential data storage and deletion methods
A survey of confidential data storage and deletion methodsA survey of confidential data storage and deletion methods
A survey of confidential data storage and deletion methodsunyil96
 

What's hot (18)

Case study no 2
Case study no 2Case study no 2
Case study no 2
 
Ijnsa050201
Ijnsa050201Ijnsa050201
Ijnsa050201
 
4.content (computer forensic)
4.content (computer forensic)4.content (computer forensic)
4.content (computer forensic)
 
internet security and cyber lawUnit1
internet security and  cyber lawUnit1internet security and  cyber lawUnit1
internet security and cyber lawUnit1
 
International Journal of Engineering Research and Development
International Journal of Engineering Research and DevelopmentInternational Journal of Engineering Research and Development
International Journal of Engineering Research and Development
 
Chapter 14: Information Technology
Chapter 14: Information TechnologyChapter 14: Information Technology
Chapter 14: Information Technology
 
Security and Control Issues in Information System
Security and Control Issues in Information SystemSecurity and Control Issues in Information System
Security and Control Issues in Information System
 
It
ItIt
It
 
Cb12e basic ppt ch15
Cb12e basic ppt ch15Cb12e basic ppt ch15
Cb12e basic ppt ch15
 
Foundations of Information System in Business - Mark John Lado
Foundations of Information System in Business - Mark John LadoFoundations of Information System in Business - Mark John Lado
Foundations of Information System in Business - Mark John Lado
 
Exploring the Difference Between Information Technology and Information System
Exploring the Difference Between Information Technology and Information SystemExploring the Difference Between Information Technology and Information System
Exploring the Difference Between Information Technology and Information System
 
N018138696
N018138696N018138696
N018138696
 
Protection and defense against sensitive data leakage problem within organiza...
Protection and defense against sensitive data leakage problem within organiza...Protection and defense against sensitive data leakage problem within organiza...
Protection and defense against sensitive data leakage problem within organiza...
 
IRJET- A Review of Information Systems Security: Types, Security Issues, and ...
IRJET- A Review of Information Systems Security: Types, Security Issues, and ...IRJET- A Review of Information Systems Security: Types, Security Issues, and ...
IRJET- A Review of Information Systems Security: Types, Security Issues, and ...
 
IRJET- Comprehensive Study of E-Health Security in Cloud Computing
IRJET- Comprehensive Study of E-Health Security in Cloud ComputingIRJET- Comprehensive Study of E-Health Security in Cloud Computing
IRJET- Comprehensive Study of E-Health Security in Cloud Computing
 
Paper Titled Information Security in an organization
Paper Titled Information Security in an organizationPaper Titled Information Security in an organization
Paper Titled Information Security in an organization
 
Information Security Background
Information Security BackgroundInformation Security Background
Information Security Background
 
A survey of confidential data storage and deletion methods
A survey of confidential data storage and deletion methodsA survey of confidential data storage and deletion methods
A survey of confidential data storage and deletion methods
 

Similar to It seminar isr

Data Leak Protection Using Text Mining and Social Network Analysis
Data Leak Protection Using Text Mining and Social Network AnalysisData Leak Protection Using Text Mining and Social Network Analysis
Data Leak Protection Using Text Mining and Social Network AnalysisIJERD Editor
 
information of system technology
information of system technologyinformation of system technology
information of system technologybilal anjum
 
Causes And Consequences Of Data Leakage
Causes And Consequences Of Data LeakageCauses And Consequences Of Data Leakage
Causes And Consequences Of Data LeakagePatty Buckley
 
Network Security and Privacy in Medium Scale Businesses in Nigeria
Network Security and Privacy in Medium Scale Businesses in NigeriaNetwork Security and Privacy in Medium Scale Businesses in Nigeria
Network Security and Privacy in Medium Scale Businesses in NigeriaINFOGAIN PUBLICATION
 
To get round to the heart of fortress
To get round to the heart of fortressTo get round to the heart of fortress
To get round to the heart of fortressSTO STRATEGY
 
Information security
Information securityInformation security
Information securityOnkar Sule
 
SECURING INFORMATION SYSTEM 1.pptx
SECURING INFORMATION SYSTEM 1.pptxSECURING INFORMATION SYSTEM 1.pptx
SECURING INFORMATION SYSTEM 1.pptxCabdullhiY
 
Navigating the Digital Nexus.docx
Navigating the Digital Nexus.docxNavigating the Digital Nexus.docx
Navigating the Digital Nexus.docxgreendigital
 
Interset-advanced threat detection wp
Interset-advanced threat detection wpInterset-advanced threat detection wp
Interset-advanced threat detection wpCMR WORLD TECH
 
E Fraud And Predictive Forensic Profiling Reducing Losses By Combining Sci...
E Fraud And Predictive Forensic Profiling    Reducing Losses By Combining Sci...E Fraud And Predictive Forensic Profiling    Reducing Losses By Combining Sci...
E Fraud And Predictive Forensic Profiling Reducing Losses By Combining Sci...Stefano Maria De' Rossi
 
Securing information system (Management Information System)
Securing information system (Management Information System)Securing information system (Management Information System)
Securing information system (Management Information System)Masudur Rahman
 
wp-us-cities-exposed
wp-us-cities-exposedwp-us-cities-exposed
wp-us-cities-exposedNumaan Huq
 
Information systems security_awareness_fy10
Information systems security_awareness_fy10Information systems security_awareness_fy10
Information systems security_awareness_fy10Wesen Tegegne
 

Similar to It seminar isr (20)

Unit-1.pptx
Unit-1.pptxUnit-1.pptx
Unit-1.pptx
 
Data Security
Data SecurityData Security
Data Security
 
HOW INFORMATION SYSTEM IS EFFECT ON AN ORGANIZATION
HOW INFORMATION SYSTEM IS EFFECT ON AN ORGANIZATIONHOW INFORMATION SYSTEM IS EFFECT ON AN ORGANIZATION
HOW INFORMATION SYSTEM IS EFFECT ON AN ORGANIZATION
 
C018131821
C018131821C018131821
C018131821
 
Data Leak Protection Using Text Mining and Social Network Analysis
Data Leak Protection Using Text Mining and Social Network AnalysisData Leak Protection Using Text Mining and Social Network Analysis
Data Leak Protection Using Text Mining and Social Network Analysis
 
information of system technology
information of system technologyinformation of system technology
information of system technology
 
Causes And Consequences Of Data Leakage
Causes And Consequences Of Data LeakageCauses And Consequences Of Data Leakage
Causes And Consequences Of Data Leakage
 
Network Security and Privacy in Medium Scale Businesses in Nigeria
Network Security and Privacy in Medium Scale Businesses in NigeriaNetwork Security and Privacy in Medium Scale Businesses in Nigeria
Network Security and Privacy in Medium Scale Businesses in Nigeria
 
To get round to the heart of fortress
To get round to the heart of fortressTo get round to the heart of fortress
To get round to the heart of fortress
 
Information security
Information securityInformation security
Information security
 
SECURING INFORMATION SYSTEM 1.pptx
SECURING INFORMATION SYSTEM 1.pptxSECURING INFORMATION SYSTEM 1.pptx
SECURING INFORMATION SYSTEM 1.pptx
 
Navigating the Digital Nexus.docx
Navigating the Digital Nexus.docxNavigating the Digital Nexus.docx
Navigating the Digital Nexus.docx
 
ke-1.pptx
ke-1.pptxke-1.pptx
ke-1.pptx
 
security IDS
security IDSsecurity IDS
security IDS
 
Interset-advanced threat detection wp
Interset-advanced threat detection wpInterset-advanced threat detection wp
Interset-advanced threat detection wp
 
E Fraud And Predictive Forensic Profiling Reducing Losses By Combining Sci...
E Fraud And Predictive Forensic Profiling    Reducing Losses By Combining Sci...E Fraud And Predictive Forensic Profiling    Reducing Losses By Combining Sci...
E Fraud And Predictive Forensic Profiling Reducing Losses By Combining Sci...
 
Securing information system (Management Information System)
Securing information system (Management Information System)Securing information system (Management Information System)
Securing information system (Management Information System)
 
E04 05 2841
E04 05 2841E04 05 2841
E04 05 2841
 
wp-us-cities-exposed
wp-us-cities-exposedwp-us-cities-exposed
wp-us-cities-exposed
 
Information systems security_awareness_fy10
Information systems security_awareness_fy10Information systems security_awareness_fy10
Information systems security_awareness_fy10
 

It seminar isr

  • 1. ABSTRACT Rapid and dramatic advances in information technology (IT), while offering tremendous benefits, have also created significant and unprecedented risks to government operations. Federal, state, and local governments depend heavily on information systems (IS) security measures to avoid data tampering, fraud, inappropriate access to and disclosure of sensitive information, and disruptions in critical operations. These risks are expected to only continue to escalate as wireless and other technologies emerge. The primary goal of any enterprise-wide security program is to support user communities by providing cost-effective protection to information system resources at appropriate levels of integrity, availability, and confidentiality without impacting productivity, innovation, and creativity in advancing technology within the corporation’s overall objectives. Ideally, information systems security enables management to have confidence that their computational systems will provide the information requested and expected, while denying accessibility to those who have no right to it. The analysis of incidents resulting in damage to information systems show that most losses were still due to errors or omissions by authorized users, actions of disgruntled employees, and an increase in external penetrations of systems by outsiders. Traditional controls are normally inadequate in these cases or are focused on the wrong threat, resulting in the exposure of a vulnerability.
  • 2. INTRODUCTION Rapid and dramatic advances in information technology (IT), while offering tremendous benefits, have also created significant and unprecedented risks to government operations. Federal, state, and local governments depend heavily on information systems (IS) security measures to avoid data tampering, fraud, inappropriate access to and disclosure of sensitive information, and disruptions in critical operations. These risks are expected to only continue to escalate as wireless and other technologies emerge. Electronic information is essential to the achievement of organizational objectives. Its reliability, integrity, and availability are significant concerns. The use of computer networks, particularly the Internet, is revolutionizing the way of business. While the benefits have been enormous and vast amounts of information are now literally at our fingertips, these interconnections also pose significant risks to computer systems, information, and to the critical operations and infrastructures they support. Infrastructure elements such as telecommunications, power distribution, national defense, law enforcement, and government and emergency services are subject to these risks. The same factors that benefit operations—speed and accessibility—if not properly controlled, can leave them vulnerable to fraud, sabotage, and malicious or mischievous acts. In addition, natural disasters and inadvertent errors by authorized computer users can have devastating consequences if information resources are poorly protected. Recent publicized disruptions caused by virus, worm, 3 and denial of service attacks on both commercial and governmental Web sites illustrate the potential for damage. Computer security is of increasing importance to all levels in minimizing the risk of malicious attacks from individuals and groups. 
These risks include the fraudulent loss or misuse of resources, unauthorized access to release of sensitive information such as tax and medical records, disruption of critical operations through viruses or hacker attacks, and modification or destruction of data. The risk that information attacks will threaten vital national interests increases with the following developments in information technology: • Monies are increasingly transferred electronically between and among governmental agencies, commercial enterprises, and individuals. • Governments are rapidly expanding their use of electronic commerce. • National defence and intelligence communities increasingly rely on commercially available information technology. • Public utilities and telecommunications increasingly rely on computer systems. • More and more sensitive economic and commercial information is exchanged electronically. • Computer systems are rapidly increasing in complexity and interconnectivity.
  • 3. • Easy-to-use hacker tools are readily available, and hacker activity is increasing. • Paper supporting documents are being reduced or eliminated. An Information System is an organized combination of people, hardware, software, communication networks & data resources that collects, transforms & disseminates information in an organization. People have relied on information systems to communicate with each other using a variety of physical devices (Hardware), Information Processing Instructions &Procedures (Software), Communication Channels (Networks) & Store Data (Data Resources). Components of an IS In an organization, information systems consist of the following components. These components will formulate a system, which will help us to gather the required information for making decision in various levels of management. Data o Input that the system takes to produce information Hardware o Computer itself and its peripheral equipment: input, output, storage devices; includes data communication equipment Software o Sets of instructions that tell the computer how to input, process, output and store data. Communication networks o Hardware and software specializing in transmission and reception of electronic data. People o IS professionals and users who design, construct, operate and maintain IS. Procedures o Rules to process data, e.g. priorities in running different applications, security measures, routines for malfunctioning IS, etc. Information System Resources Every Information System is equipped with the following resources. The goals of information systems can be easily achieved by employing these resources to their optimum level by keeping in view that the purpose of using IS in an organization. •People Resources o End users o IS specialists
• Hardware Resources
  o Machines
  o Media
• Software Resources
  o Programs
    - Operating systems (OS). Examples: Windows, Unix, etc.
    - Application software. Examples: Excel, Access, MS-Word, etc. Application software is what makes people buy computers that can run it. Example: an email system. To use an email system (software), people buy computers.
  o Procedures: operating instructions for the people who will use an information system. Examples: instructions for filling out a paper form or using a software package.
• Data Resources
  o Data vs. Information
    1. Data: raw facts, observations, business transactions; objective measurements of the attributes (characteristics) of entities (people, places, things, events, etc.). Attributes can be last name, first name, gender, etc. for an entity of "people."
    2. Information: data that have been converted into a meaningful and useful context for specific end users; processed data placed in a context that gives it value for specific end users.
       1. Its form is aggregated, manipulated, and organized.
       2. Its content is analyzed and evaluated.
       3. It is placed in a proper context for a human user.
• Network Resources
  o Communications media.
  o Communications processors.
  o Network access and control software.

SECURITY OF INFORMATION SYSTEM RESOURCES

Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.
For over twenty years, information security has held confidentiality, integrity and availability (known as the CIA triad) to be the core principles of information security. In 2002, Donn Parker proposed an alternative model for the classic CIA triad that he called the six atomic elements of information. The elements are confidentiality, possession, integrity, authenticity, availability, and utility. The merits of the Parkerian hexad are a subject of debate amongst security professionals.

Confidentiality

Confidentiality is the term used to prevent the disclosure of information to unauthorized individuals or systems. For example, a credit card transaction on the Internet requires the credit card number to be transmitted from the buyer to the merchant and from the merchant to a transaction processing network. The system attempts to enforce confidentiality by encrypting the card number during transmission, by limiting the places where it might appear (in databases, log files, backups, printed receipts, and so on), and by restricting access to the places where it is stored. If an unauthorized party obtains the card number in any way, a breach of confidentiality has occurred.

Integrity

In information security, integrity means that data cannot be modified undetectably. This is not the same thing as referential integrity in databases, although it can be viewed as a special case of consistency as understood in the classic ACID model of transaction processing. Integrity is violated when a message is actively modified in transit. Information security systems typically provide message integrity in addition to data confidentiality.

Availability

For any information system to serve its purpose, the information must be available when it is needed. This means that the computing systems used to store and process the information, the security controls used to protect it, and the communication channels used to access it must be functioning correctly.
High availability systems aim to remain available at all times, preventing service disruptions due to power outages, hardware failures, and system upgrades. Ensuring availability also involves preventing denial-of-service attacks.

Authenticity
In computing, e-business and information security it is necessary to ensure that the data, transactions, communications or documents (electronic or physical) are genuine. It is also important for authenticity to validate that both parties involved are who they claim to be.

Non-repudiation

In law, non-repudiation implies one's intention to fulfil one's obligations under a contract. It also implies that one party to a transaction cannot deny having received a transaction, nor can the other party deny having sent a transaction. Electronic commerce uses technology such as digital signatures and public key encryption to establish authenticity and non-repudiation.

RISK MANAGEMENT

Risk management is the process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives, and deciding what countermeasures, if any, to take to reduce risk to an acceptable level, based on the value of the information resource to the organization.

Controls

Administrative

Administrative controls (also called procedural controls) consist of approved written policies, procedures, standards and guidelines. Administrative controls form the framework for running the business and managing people. They inform people on how the business is to be run and how day-to-day operations are to be conducted.

Logical

Logical controls (also called technical controls) use software and data to monitor and control access to information and computing systems. For example: passwords, network and host based firewalls, network intrusion detection systems, access control lists, and data encryption are logical controls.

Physical

Physical controls monitor and control the environment of the work place and computing facilities. They also monitor and control access to and from such facilities.
For example: doors, locks, heating and air conditioning, smoke and fire alarms, fire suppression systems, cameras, barricades, fencing, security guards, cable locks, etc. Separating the network and work place into functional areas is also a physical control.
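The Authenticity and Non-repudiation paragraphs above say that electronic commerce relies on digital signatures and public key techniques; the following is an added example (not part of the original text) showing why a signature, and not a shared-key integrity check, gives non-repudiation. A buyer signs a transaction record with a private key, the merchant verifies it with the buyer's public key, and the same record is also protected with an HMAC for contrast: the MAC proves the record was not altered, but either party holding the shared key could have produced the tag, so it cannot settle a dispute between them. The Transaction fields, keys and sample values are constructed for this illustration; it uses only the Go standard library (crypto/ed25519 and HMAC-SHA256).

```go
// Added example: a signed e-commerce transaction record. Only the holder of the
// private key can produce the signature (authenticity), and anyone with the
// public key can verify it later, so the signer cannot deny having sent it
// (non-repudiation). All field names and sample values are constructed.
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Transaction is a constructed sample record exchanged between buyer and merchant.
type Transaction struct {
	OrderID string
	Payer   string
	Amount  string // kept as text so the signed bytes do not depend on float formatting
}

// canonical returns the exact bytes that are signed and verified. Both sides
// must derive them identically or honest messages fail to verify.
func (t Transaction) canonical() []byte {
	return []byte(fmt.Sprintf("order=%s|payer=%s|amount=%s", t.OrderID, t.Payer, t.Amount))
}

// SignTransaction produces the buyer's signature over the canonical record.
func SignTransaction(priv ed25519.PrivateKey, t Transaction) []byte {
	return ed25519.Sign(priv, t.canonical())
}

// VerifyTransaction checks the signature with the buyer's public key. The
// merchant, a bank or an arbitrator can all run this without being able to
// forge a signature themselves.
func VerifyTransaction(pub ed25519.PublicKey, t Transaction, sig []byte) bool {
	return ed25519.Verify(pub, t.canonical(), sig)
}

// HMACTag is the contrast case: a MAC under a key shared by both parties proves
// integrity to those two parties, but either of them could have computed it,
// so it provides no non-repudiation.
func HMACTag(sharedKey []byte, t Transaction) []byte {
	m := hmac.New(sha256.New, sharedKey)
	m.Write(t.canonical())
	return m.Sum(nil)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tx := Transaction{OrderID: "A-1001", Payer: "buyer@example.com", Amount: "42.50"}
	sig := SignTransaction(priv, tx)
	fmt.Println("genuine transaction verifies:", VerifyTransaction(pub, tx, sig))

	// A copy whose amount was changed in transit fails verification.
	altered := tx
	altered.Amount = "420.50"
	fmt.Println("altered transaction verifies:", VerifyTransaction(pub, altered, sig))
	fmt.Printf("hmac tag (shared key, no non-repudiation): %x\n", HMACTag([]byte("shared-secret"), tx))
}
```

The signature verifies only for the unmodified record and only under the signer's public key; changing the amount, or checking against another party's key, fails. Because verification needs no secret, the signed record can be kept as evidence of who authorized the transaction.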
Access control

Access to protected information must be restricted to people who are authorized to access the information. The computer programs, and in many cases the computers that process the information, must also be authorized. This requires that mechanisms be in place to control the access to protected information. The sophistication of the access control mechanisms should be in parity with the value of the information being protected: the more sensitive or valuable the information, the stronger the control mechanisms need to be.

The foundation on which access control mechanisms are built starts with identification and authentication. Identification is an assertion of who someone is or what something is. Authentication is the act of verifying a claim of identity. On computer systems in use today, the username is the most common form of identification and the password is the most common form of authentication. Usernames and passwords have served their purpose, but in our modern world they are no longer adequate. Usernames and passwords are slowly being replaced with more sophisticated authentication mechanisms.

After a person, program or computer has successfully been identified and authenticated, it must be determined what informational resources they are permitted to access and what actions they will be allowed to perform (run, view, create, delete, or change). This is called authorization.

Cryptography

Information security uses cryptography to transform usable information into a form that renders it unusable by anyone other than an authorized user; this process is called encryption. Information that has been encrypted (rendered unusable) can be transformed back into its original usable form by an authorized user, who possesses the cryptographic key, through the process of decryption.
Cryptography is used in information security to protect information from unauthorized or accidental disclosure while the information is in transit (either electronically or physically) and while it is in storage. Cryptography provides information security with other useful applications as well, including improved authentication methods, message digests, digital signatures, non-repudiation, and encrypted network communications.
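The Access control section above describes three distinct steps: identification (the username as a claim), authentication (verifying that claim with a password) and authorization (deciding which of run, view, create, delete or change the authenticated party may perform on a resource). The following is an added example, not code from the original text, that carries those three steps through in Go over a constructed user table and a constructed access control list. The usernames, resource names and passwords are sample values; passwords are stored as salted SHA-256 hashes only to keep the example self-contained, and a production system would use a purpose-built password hashing function instead.

```go
// Added example: identification, authentication and authorization as separate
// steps. User table, ACL and all sample values are constructed for illustration.
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// Action is one of the operations the text lists as subject to authorization.
type Action string

const Run, View, Create, Delete, Change Action = "run", "view", "create", "delete", "change"

// credential is what is stored per username: a random salt and the hash of
// salt||password, never the password itself.
type credential struct {
	salt, hash []byte
}

func hashPassword(salt []byte, password string) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(password))
	return h.Sum(nil)
}

// AccessControl holds the user store (identification and authentication data)
// and the ACL (authorization data): resource -> username -> permitted actions.
type AccessControl struct {
	users map[string]credential
	acl   map[string]map[string]map[Action]bool
}

func NewAccessControl() *AccessControl {
	return &AccessControl{users: map[string]credential{}, acl: map[string]map[string]map[Action]bool{}}
}

// Register creates a username (the identifier) with a per-user salt so that two
// users with the same password do not share a stored hash.
func (ac *AccessControl) Register(username, password string) error {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return err
	}
	ac.users[username] = credential{salt: salt, hash: hashPassword(salt, password)}
	return nil
}

// Grant records that username may perform the given actions on resource.
func (ac *AccessControl) Grant(resource, username string, actions ...Action) {
	if ac.acl[resource] == nil {
		ac.acl[resource] = map[string]map[Action]bool{}
	}
	if ac.acl[resource][username] == nil {
		ac.acl[resource][username] = map[Action]bool{}
	}
	for _, a := range actions {
		ac.acl[resource][username][a] = true
	}
}

// Authenticate verifies the identity claim (username) against its proof
// (password). The comparison is constant-time so response timing does not
// reveal how much of the stored hash matched.
func (ac *AccessControl) Authenticate(username, password string) bool {
	c, ok := ac.users[username]
	if !ok {
		hashPassword(make([]byte, 16), password) // keep timing similar for unknown users
		return false
	}
	return subtle.ConstantTimeCompare(c.hash, hashPassword(c.salt, password)) == 1
}

// Authorize answers, for an authenticated user, whether the action is permitted
// on the resource. Anything not explicitly granted is denied.
func (ac *AccessControl) Authorize(username, resource string, action Action) bool {
	return ac.acl[resource][username][action]
}

// Request runs the whole sequence: identify, authenticate, then authorize.
func (ac *AccessControl) Request(username, password, resource string, action Action) (bool, string) {
	if !ac.Authenticate(username, password) {
		return false, "authentication failed"
	}
	if !ac.Authorize(username, resource, action) {
		return false, "not authorized"
	}
	return true, "allowed"
}

func main() {
	ac := NewAccessControl()
	if err := ac.Register("alice", "correct horse battery staple"); err != nil {
		panic(err)
	}
	ac.Grant("tax-records", "alice", View)
	fmt.Println(ac.Request("alice", "correct horse battery staple", "tax-records", View))
	fmt.Println(ac.Request("alice", "correct horse battery staple", "tax-records", Delete))
	fmt.Println(ac.Request("alice", "wrong password", "tax-records", View))
}
```

Two points worth noting in the design: the authorization lookup defaults to deny, so a user with a valid password still gets nothing on a resource nobody granted them, and a failed authentication never reaches the authorization step, so the response does not reveal whether the resource exists or what the caller would have been allowed to do.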
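The Cryptography section above describes encryption and decryption under a key held by the authorized user, and the Confidentiality and Integrity paragraphs earlier use a card number in transit as their running example. The following is an added example, not code from the original text, that puts both together: the card number is encrypted with an authenticated cipher (AES-256-GCM), so it is unreadable without the key (confidentiality) and any modification of the message in transit is detected on decryption rather than silently accepted (integrity), and a masking helper shows how to keep the number out of the log files and receipts the text lists. The key, nonce source and sample card number are constructed for this example; it uses only the Go standard library.

```go
// Added example: card number protected in transit with authenticated encryption
// (confidentiality + integrity) and masked before it reaches a log line.
// The key and the sample card number are constructed, not real values.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Seal encrypts plaintext with AES-256-GCM under a 32-byte key. The result is
// nonce || ciphertext || tag, so the receiver needs only the key to open it.
func Seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // a fresh nonce per message is mandatory for GCM
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal. It returns no plaintext at all if the message was altered
// in transit or was encrypted under a different key.
func Open(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n+gcm.Overhead() {
		return nil, errors.New("message too short to contain nonce and tag")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}

// MaskPAN keeps only the last four digits, so log files, receipts and support
// screens (places the text says the number should not appear) hold a value
// that cannot be used to make a payment.
func MaskPAN(pan string) string {
	digits := strings.ReplaceAll(pan, " ", "")
	if len(digits) <= 4 {
		return strings.Repeat("*", len(digits))
	}
	return strings.Repeat("*", len(digits)-4) + digits[len(digits)-4:]
}

// Tampered returns a copy of sealed with one byte flipped, standing in for a
// message modified in transit; the integrity check in Open rejects it.
func Tampered(sealed []byte) []byte {
	out := append([]byte(nil), sealed...)
	out[len(out)-1] ^= 0x01
	return out
}

func main() {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	pan := "4111 1111 1111 1111" // constructed test number, not a real account
	sealed, err := Seal(key, []byte(pan))
	if err != nil {
		panic(err)
	}
	fmt.Println("log line: processing card", MaskPAN(pan))
	fmt.Println("on the wire:", hex.EncodeToString(sealed))
	if plain, err := Open(key, sealed); err == nil {
		fmt.Println("merchant recovers:", string(plain))
	}
	if _, err := Open(key, Tampered(sealed)); err != nil {
		fmt.Println("altered message rejected:", err)
	}
}
```

The point of choosing an authenticated mode rather than encryption alone is the failure behaviour: a modified ciphertext does not decrypt to garbage that downstream code might process, it is rejected outright, which is exactly the "cannot be modified undetectably" property the Integrity paragraph asks for.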