Information Security 2
Introduction
Organization information is very vital, as organizations have resorted to storing all the
information on computer devices. This, however, creates a security risk that calls for proper
measures to ensure the information is secure. This paper will address the issues involving
organization information security and ways to ensure the information is secure.
1. Principles of securing organizational information
1.1. Describe the different types of organizational information
There are three types of organizational information; they include computer-based information,
visual/printed information and audible/oral information.
Computer-based information is data which has been electronically processed and transmitted
between two data processing systems or stored in a standalone computer. The computer-based
information system includes the media which stores the information electronically, the software
used to manipulate the information, the operating system software and networking, as well as the
telecommunication infrastructure (The Security Institute, 2016).
Visual/printed information consists of information that has been printed or written on paper. The
printed or written information is commonly known as the hard copy, which differs from
computer-based information, referred to as the soft copy. However, the security measures applied
to such visual/printed information also apply to information in readable format on computer
screens (The Security Institute, 2016).
Oral/audible information consists of the spoken word, for example telephone conversations on a
telephone network. It should, however, be understood that the development of computer-based
programs has blurred the line between audible information and computer-based information. The
treatment of audible information will depend on how the supporting system is installed, whether
as a standalone system or networked with other computer systems (The Security Institute, 2016).
1.2. The content of a security policy and the ISO standard for information protection
In the field of information security management, the following should be included in a security
policy and in the International Organization for Standardization (ISO) standard for information
protection. These standards ensure that the sharing of information takes place while protecting
data and computing assets (The Security Institute, 2016).
Protection of sensitive information and assets from unwarranted disclosure or interception by
unauthorized individuals is referred to as confidentiality. Data access may be denied for two
reasons: lack of authorized clearance, and the need-to-know basis. In the case of an attack, the
potential attacker lacks clearance for the information being accessed. Such cases are more
prevalent in government systems, where security clearance levels are defined according to the
different levels of access and rank. On a need-to-know basis, the potential attacker might be
holding a general level of authority that might theoretically grant them data access. However,
they can still be blocked from accessing the data on a need-to-know basis. The criteria to be used
in granting access to the data are commonly determined locally. Such criteria might not involve
rank or status as a reason to have access to the sensitive information (The Security Institute, 2016).
Integrity is another safeguarding measure that is included in the ISO standards as well as the
security policy. This measure ensures the accuracy and completeness of information as well as of
the computer software. The integrity of information involves two levels, i.e., baseline level and
enhanced protection. To ensure integrity, there is a need to have anti-virus software for
preventing malicious code, a non-alterable medium such as a CD-ROM for data storage, a master
copy to be used for comparison, and a mathematical checksum to ensure there is no data
modification. The checksum is usually computed by an in-built program and serves to identify
whether data has been changed or manipulated. Also, a digital signature is normally used for
additional integrity (The Security Institute, 2016).
However, security controls used to ensure confidentiality can also be used to ensure integrity.
Such controls might be used to grant write, modify and read permissions independently (The
Security Institute, 2016).
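The following is an added example, not code from the cited study guide. It shows the difference between the two integrity mechanisms named above: a mathematical checksum compared against a master copy, and a keyed tag that plays the role of the digital signature. The file contents, the master copy and the key are constructed here so the script runs offline; an HMAC is used in place of an asymmetric signature because it gives the same property that matters for this point, namely that someone without the secret cannot produce a valid tag for altered data, whereas anyone can recompute a plain checksum.

```python
"""Integrity checks for a stored file: unkeyed checksum versus keyed tag.

Added example; not from the cited study guide. Sample data and key are
constructed. HMAC-SHA256 stands in for the digital signature mentioned
in the text.
"""
import hashlib
import hmac

# Constructed sample data: the master copy kept on non-alterable media
# and the working copies that are actually in use.
MASTER_COPY = b"GL-2016-Q3;account=4471;balance=1250.00\n"
WORKING_COPY_OK = MASTER_COPY
WORKING_COPY_TAMPERED = b"GL-2016-Q3;account=4471;balance=9250.00\n"

# Constructed secret shared only with the verifier (hypothetical value).
INTEGRITY_KEY = b"example-key-do-not-reuse"


def checksum(data: bytes) -> str:
    """Unkeyed SHA-256 checksum: detects accidental or casual modification."""
    return hashlib.sha256(data).hexdigest()


def keyed_tag(data: bytes, key: bytes) -> str:
    """Keyed HMAC-SHA256 tag: cannot be recomputed without the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def matches_master(working: bytes, master: bytes) -> bool:
    """Compare the working copy's checksum with the master copy's checksum."""
    return hmac.compare_digest(checksum(working), checksum(master))


def verify_tag(working: bytes, tag: str, key: bytes) -> bool:
    """Recompute the keyed tag over the working copy and compare in constant time."""
    return hmac.compare_digest(keyed_tag(working, key), tag)


def unkeyed_checksum_is_forgeable(tampered: bytes) -> bool:
    """Whoever changes the data can also recompute a plain checksum, so a
    stored unkeyed checksum will 'verify' the tampered copy."""
    stored = checksum(tampered)  # the stored checksum is simply overwritten
    return hmac.compare_digest(checksum(tampered), stored)


def keyed_tag_is_forgeable(tampered: bytes, key: bytes) -> bool:
    """Without the key, the best that can be produced is a keyless hash,
    which the keyed verifier rejects."""
    forged = hashlib.sha256(tampered).hexdigest()
    return verify_tag(tampered, forged, key)


def run_checks() -> dict:
    """Collect the outcomes so a reader (or test) can inspect them."""
    tag = keyed_tag(MASTER_COPY, INTEGRITY_KEY)
    return {
        "checksum_ok_copy": matches_master(WORKING_COPY_OK, MASTER_COPY),
        "checksum_tampered_copy": matches_master(WORKING_COPY_TAMPERED, MASTER_COPY),
        "tag_ok_copy": verify_tag(WORKING_COPY_OK, tag, INTEGRITY_KEY),
        "tag_tampered_copy": verify_tag(WORKING_COPY_TAMPERED, tag, INTEGRITY_KEY),
        "checksum_forgeable": unkeyed_checksum_is_forgeable(WORKING_COPY_TAMPERED),
        "tag_forgeable": keyed_tag_is_forgeable(WORKING_COPY_TAMPERED, INTEGRITY_KEY),
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(f"{name}: {result}")
```

The checksum comparison against the master copy is enough to catch corruption, but the last two results show why the text adds a digital signature for additional integrity: a checksum stored next to the data offers no protection against someone who can change both, while the keyed tag does.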
Availability of information is another policy measure in the ISO standard that seeks to ensure
that information and other vital services are available whenever authorized individuals require
them. The availability requirements, in most cases, are defined by the operating system of a
computer, which is the system level or the service level, where system-user interactions take
place. However, the term availability is hard to apply to data directly, since the attack takes
place on the system or service. Instances where deliberate attacks on a service or system prevent
data accessibility are known as Distributed Denial of Service (DDoS) attacks (The Security
Institute, 2016).
1.3. Methods of securing information from baseline protection to multiple countermeasures
Baseline protection is the type of protection applied to normal situations, such as security
controls that reflect good practice in the industry. On the other hand, enhanced protection is
applied in specific surroundings where specific risks have been identified. When implementing
enhanced security, there is a need for a risk management appraisal that is more thorough than
that for baseline protection. The enhanced protection uses antivirus software to protect the
system from malicious code, a non-alterable medium, e.g. CD-ROM, for storing data, a master copy
to use for comparison, a mathematical checksum to check for any data modification or
manipulation, and digital signatures for additional integrity (The Security Institute, 2016).
2. Threats to organizational information used in computer systems
2.1. The risk assessment process within the context of information and data protection
Before the installation of protective devices and the implementation of procedures, an objective
assessment should be made of existing countermeasures, of the statutory and legal requirements,
and of the information assets and the risks affecting those assets in terms of vulnerability.
Moreover, there is a need to determine the most cost-effective measures to follow. A
consideration of potential attackers is also necessary at this stage, because attackers use
various methods and are motivated differently when attacking (The Security Institute, 2016).
2.2. Advantages of implementing password protection hierarchies
In information security, it is advisable to use a password while protecting information. User
passwords have several advantages: they protect against unauthorized access to information in
the computer; they are stored in a protected database where hackers cannot access them; and
they grant a unique key to access information, which is known only to the specific user.
Also, passwords enable computer manufacturers to grant the user access during the initial
installation stage. A password has a low cost of implementation and is universally accepted and
convenient. However, passwords sometimes have weaknesses, which include a password being too
short or using only lowercase letters, use of dictionary names, and the use of common words or
substituting letters with numbers in those common words. The weaknesses mentioned above make it
easy for a hacker to guess the password. Other users carelessly place the password, or a password
hint, close to their desktop, which makes it easy to access the information on that desktop (The
Security Institute, 2016).
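As an added example (not from the cited study guide), the checker below flags exactly the weaknesses listed in the paragraph above: a password that is too short, one made only of lowercase letters, one built on a dictionary word or name, and one that disguises a common word by swapping letters for digits or symbols. The minimum length, the word list and the substitution table are constructed for illustration; a real deployment would use an organizational policy value and a large dictionary.

```python
"""Flag the password weaknesses named in the text.

Added example; not from the cited study guide. MIN_LENGTH, COMMON_WORDS
and SUBSTITUTIONS are constructed illustration values.
"""
import re

MIN_LENGTH = 12  # constructed policy value

# Constructed tiny word list; a real check would use a large dictionary.
COMMON_WORDS = {"password", "welcome", "letmein", "summer", "admin", "london", "alice"}

# Reverse of the usual letter-to-digit/symbol substitutions ("p4ssw0rd").
SUBSTITUTIONS = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})


def normalize(password: str) -> str:
    """Lowercase and undo digit/symbol substitutions so 'P4$$w0rd' reads 'password'."""
    return password.lower().translate(SUBSTITUTIONS)


def weaknesses(password: str) -> list:
    """Return the list of weaknesses found; an empty list means none were detected."""
    found = []
    if len(password) < MIN_LENGTH:
        found.append("too short")
    if re.fullmatch(r"[a-z]+", password):
        found.append("lowercase letters only")
    lowered = password.lower()
    if any(word in lowered for word in COMMON_WORDS):
        # The word appears verbatim, e.g. 'London2016Summer'.
        found.append("contains a dictionary word or name")
    elif any(word in normalize(password) for word in COMMON_WORDS):
        # The word only appears once substitutions are undone, e.g. 'P4$$w0rd!'.
        found.append("common word with letters replaced by digits or symbols")
    return found


def is_acceptable(password: str) -> bool:
    """True only when no listed weakness applies."""
    return not weaknesses(password)


if __name__ == "__main__":
    for candidate in ["sunny", "P4$$w0rd!", "London2016Summer", "Tq7!vRw2#pLx9z"]:
        print(f"{candidate!r}: {weaknesses(candidate) or 'no weakness found'}")
```

The normalization step is what makes the check catch the "substituting letters with numbers" case: without it, "P4$$w0rd!" would pass a naive dictionary lookup even though it is a trivially guessable variant of "password".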
Apart from password weaknesses, there are also threats that face information accessibility; such
threats are categorized into insider and outsider threats.
2.3. Potential perpetrators of threats
Insider threats are those posed by someone working within the organization who misuses
information in a way that can be a threat to the organization. This might be unwilling, due to
lack of training, where the employee is not aware of the security requirements, or due to
ignorance of the company policies. On the other hand, the threat might be willing, due to
coercion, such that the employee is forced to disclose the information, or due to entitlement,
the employee misusing the information just because he/she can. By contrast, hackers who obtain
unauthorized access to computer systems and networks, to challenge themselves or with malicious
intent, pose external threats. The hackers might access an organization's information with the
intent of disclosing it to the public or extorting money from the organization (The Security
Institute, 2016).
2.4. Threats posed by 'hacking'
A hacker is typically a thief who identifies loopholes in the network, or a way to divert
technical systems from the initial purpose of the network system, and exploits the loophole to
challenge him/herself or to gain financially, with the assistance of social engineering
techniques. There are many ways to hack systems from external locations. Some of these ways are
technical and require a lot of experience and specific systems and software. A hacker may use
worms or a Trojan horse to modify software and facilitate unauthorized access by corrupting data.
When a hacker hacks a website, the motives might be the following. Overt: malicious modification
of a website on a targeted system. Covert: placing a Trojan horse and activating it later, or
modifying software or configuration to allow easy access at a later stage. Also, gathering
information to be used in other unauthorized actions. The actions mentioned above pose a threat
to organizations when a hacker marks a particular organization as a target (The Security
Institute, 2016).
3. The countermeasures available to protect organizational information
3.1. Various types of biometrics used for protection of information
Information security is enhanced by the use of biometrics to grant access. A biometric device is
a means of access control that is reliable and fast in recognizing individuals. The device can
use facial recognition, where it stores the faces of people in a database and cross-references
them to grant access to information. Voice recognition involves detecting an individual's spoken
words and matching them with the sample saved on the system before granting access; iris
recognition is currently the most advanced biometric system, reading the iris pattern of the eye
before access is granted. Hand geometry and fingerprint biometric systems grant access by reading
the patterns on the hand and the fingerprint, since every individual has a distinct pattern.
Moreover, more research is being conducted to find ways of using the inner ear and the way we
walk in biometric technology (The Security Institute, 2016).
3.2. Convergence in the context of information security
Security convergence is the term used to describe the state of skills in traditional security.
The description involves the provision of security and risk awareness training, the ability to
understand and handle human attitudes towards security risk, the defense design that a system is
using, protection of organization assets and risk assessment. The skills mentioned above and
others are what we refer to as security convergence when they are combined with traditional
security (The Security Institute, 2016).
3.3. The importance of encryption in the context of information security
Encryption is simply the act of disguising data using an algorithm and an associated set of
keys. The purpose of this is to make the information indecipherable and unreadable to those who
lack authorization. Encryption is applied in computer systems for protection of high-value
information such as passwords that provide access to the system, protection of data held in
computer systems in secure storage, and to protect data transmission as well as communication
systems. Encryption ensures that the information being transmitted is not modifiable or readable
during the transmission process. This ensures the integrity of the information during
transmission. Encryption has helped organizations provide infrastructure services, e.g. trunk
communication services, as well as ensuring integrity between sites, especially during financial
transactions and other remote payment services (The Security Institute, 2016).
Encryption has also proved to be of benefit in wireless LANs: since some send signals beyond the
required region, encryption helps to secure the information from the public. The process
requires a public key infrastructure to be installed, which is used to manage the use and
verification of the encryption keys. Another advantage of encryption is that it helps to secure
unsecured storage, thereby protecting the information from being compromised in its
confidentiality, availability, and integrity (The Security Institute, 2016).
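The following is an added example, not code from the cited study guide, showing how a transmitted message gets both properties the section attributes to encryption: unreadable to anyone without the key, and rejected if modified in transit. The cipher is a one-time pad (XOR with a random key as long as the message), chosen only because it needs no third-party library; a deployed system would use an authenticated cipher such as AES-GCM, and the keys here would be the ones the text's public key infrastructure distributes. The message, keys and the simulated transmission change are constructed.

```python
"""Confidentiality plus integrity for a transmitted message.

Added example; not from the cited study guide. One-time pad XOR stands
in for a real cipher; the HMAC tag supplies the "not modifiable" part.
Message and keys are constructed.
"""
import hashlib
import hmac
import secrets

TAG_LEN = 32  # HMAC-SHA256 output size in bytes


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR each byte with the matching key byte (one-time pad); never reuse the key."""
    if len(key) < len(data):
        raise ValueError("key must be at least as long as the data")
    return bytes(d ^ k for d, k in zip(data, key))


def encrypt_then_mac(plaintext: bytes, enc_key: bytes, mac_key: bytes) -> bytes:
    """Encrypt, then append an HMAC-SHA256 tag over the ciphertext (encrypt-then-MAC)."""
    ciphertext = xor_bytes(plaintext, enc_key)
    tag = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    return ciphertext + tag


def verify_and_decrypt(message: bytes, enc_key: bytes, mac_key: bytes) -> bytes:
    """Check the tag before decrypting; raise if the ciphertext changed in transit."""
    ciphertext, tag = message[:-TAG_LEN], message[-TAG_LEN:]
    expected = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: message was modified")
    return xor_bytes(ciphertext, enc_key)


def decrypt_unauthenticated(ciphertext: bytes, enc_key: bytes) -> bytes:
    """Decrypt with no integrity check: a changed ciphertext silently yields changed plaintext."""
    return xor_bytes(ciphertext, enc_key)


def demo() -> dict:
    """Run the exchange once and report which properties held."""
    plaintext = b"PAY 100.00 TO ACCT 4471"  # constructed sample
    enc_key = secrets.token_bytes(len(plaintext))
    mac_key = secrets.token_bytes(32)
    message = encrypt_then_mac(plaintext, enc_key, mac_key)
    ciphertext, tag = message[:-TAG_LEN], message[-TAG_LEN:]

    # Simulate a change in transit: one bit of the fifth ciphertext byte flipped.
    changed = ciphertext[:4] + bytes([ciphertext[4] ^ 0x01]) + ciphertext[5:]

    try:
        verify_and_decrypt(changed + tag, enc_key, mac_key)
        rejected = False
    except ValueError:
        rejected = True

    return {
        "ciphertext_hides_plaintext": plaintext not in ciphertext,
        "roundtrip_ok": verify_and_decrypt(message, enc_key, mac_key) == plaintext,
        "unauthenticated_decrypt_differs": decrypt_unauthenticated(changed, enc_key) != plaintext,
        "authenticated_rejects_change": rejected,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The third result is the point worth remembering: encryption by itself only hides the content, and a receiver that decrypts without checking a tag accepts a modified message without any error. The integrity guarantee the section describes comes from the tag that is verified before decryption, which is why the key management infrastructure has to cover the authentication keys as well as the encryption keys.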
3.4. The appropriate countermeasure for a given information security breach scenario
Despite the measures mentioned above, there are times when hackers manage to breach the
security. When a security breach happens to an organization, there are certain steps to be taken
to ensure the breach does not happen again. The first thing to do is to report the breach, just
like any other security issue, to the central coordinating function for investigation. When
reporting, the investigators will need to know the details of what has occurred, when the
incident was noticed, what systems have been affected, and what position you hold in the
organization that mandates you to report the incident. The next step is to preserve the evidence
by ensuring system configurations, system logs, and audit trails have not been altered, and by
isolating the computer systems to pave the way for a detailed evaluation to be done (The Security
Institute, 2016).
At the organization level, once the breach has taken place, senior management should assess the
impact on the business, evaluate the alternatives for resuming normal service and decide on what
actions are to be taken to prevent a breach in the future. They also consider actions to be taken
after the investigation and the changes in the organization's procedures and policies to be
implemented as a result of the incident (The Security Institute, 2016).
Conclusion
The progress in information security has taken huge strides towards being impenetrable, but
so have hackers. The need for advanced security measures is growing every day. With the
help of the points cited in this paper, managers can get a good understanding of the
importance of information security as well as the various ways they can use to protect it from
unauthorized access.
Reference
The Security Institute (2016). A study guide and source of reference for Security Managers
on the Certificate in Security Management. Information Security, 6(3), pp.12-18.