The document discusses information availability and security policy. It begins by introducing the authors and stating that the goal is to characterize information availability in detail and investigate how security policy can ensure availability. It then provides background on information availability, defining it as timely, reliable access for authorized users. The document identifies three components of availability: reliability, accessibility, and timeliness. It also lists several key determinants that impact availability, including security policy, operational controls, system monitoring, auditing, and physical security.
This document discusses improving the security of a health care information system. It begins by describing vulnerabilities in software applications and how connected systems can be exploited. The document then proposes a 3-tier architecture with encryption and file replication to strengthen security. Database backups and regular vulnerability checks are also recommended to defend the system from attacks and allow recovery of data. The goal is to develop a secure electronic health records system that protects sensitive patient information.
This document presents a framework for security mechanisms when monitoring adaptive distributed systems. It discusses investigating existing monitoring tools to understand their security impacts. It proposes implementing a secure communication channel using RSA encryption when collecting sensitive monitoring data. It also discusses developing a customized monitoring tool that assigns security metrics to parameters and encrypts parameters deemed high-risk based on their security metric values, to balance monitoring with security. The goal is to minimize security risks from monitoring while still enabling systems to adapt based on collected data.
Information Security Management System: Emerging Issues and ProspectIOSR Journals
This document discusses information security management systems (ISMS). It begins by defining ISMS as a collection of policies related to information technology risks and information security management. It notes that while many organizations have implemented ISMS frameworks focused on technology, information security also needs to be addressed at the organizational and strategic level. The document then provides an overview of common elements of ISMS, including risk assessment, policy development, and implementation. It discusses the impact of networks and the internet in driving increased focus on information security. In summary, the document outlines key concepts regarding ISMS and argues the need for holistic ISMS approaches in organizations.
The document discusses Information Security Management Systems (ISMS) and ISO/IEC 27001. It describes ISMS as a systematic approach to managing information security risks. ISO/IEC 27001 provides requirements for establishing, implementing, maintaining and improving an ISMS. It is based on a plan-do-check-act cycle. Implementing an ISMS and gaining ISO/IEC 27001 certification helps organizations manage information security risks, ensure legal and regulatory compliance, improve reputation, and gain a competitive advantage.
This document discusses information security in organizations. It covers several key topics:
- The importance of information security policies and ensuring all employees are trained on these policies.
- The benefits of network security such as controlling access, ensuring confidentiality and integrity of data.
- Common network and system security threats like eavesdropping, phishing, and denial of service attacks.
- The responsibilities of database administrators to securely manage and protect organizational data.
The document outlines an agenda for an information security essentials workshop. It discusses key topics like the principles of information security around confidentiality, integrity and availability. It also covers security governance structures, roles and responsibilities, risk management, information system controls and auditing information security. The objectives are to provide an overview of information security, describe approaches to auditing it, and discuss current trends.
C RITICAL A SSESSMENT OF A UDITING C ONTRIBUTIONS T O E FFECTIVE AND E FF...csandit
Database auditing has become a very crucial aspect
of security as organisations increase their
adoption of database management systems (DBMS) as m
ajor asset that keeps, maintain and
monitor sensitive information. Database auditing is
the group of activities involved in observing
a set of stored data in order to be aware of the ac
tions of users. The work presented here
outlines the main auditing techniques and methods.
Some architectural based auditing systems
were also considered to assess the contribution of
auditing to database security. Here a
framework of several stages to be used in the insti
gation of auditing is proposed. Some issues
relating to handling of audit trails are also discu
ssed in this paper. This paper also itemizes
some of the key important impacts of the concept to
security and how compliance with
government policies and regulations is enforced thr
ough auditing. Once the framework is
adopted, it will provide support to database audito
rs and DBAs.
This document provides an overview of key concepts in information security. It defines information security, why it is important for businesses, and common information security jobs. It then discusses the history of information security and introduces the CIA triad of confidentiality, integrity and availability. The document outlines the components of risk management and assessment. It also describes different types of security controls including administrative, logical/technical, and physical controls and important principles like separation of duties and least privilege. Finally, it discusses security classification of information.
This document discusses improving the security of a health care information system. It begins by describing vulnerabilities in software applications and how connected systems can be exploited. The document then proposes a 3-tier architecture with encryption and file replication to strengthen security. Database backups and regular vulnerability checks are also recommended to defend the system from attacks and allow recovery of data. The goal is to develop a secure electronic health records system that protects sensitive patient information.
This document presents a framework for security mechanisms when monitoring adaptive distributed systems. It discusses investigating existing monitoring tools to understand their security impacts. It proposes implementing a secure communication channel using RSA encryption when collecting sensitive monitoring data. It also discusses developing a customized monitoring tool that assigns security metrics to parameters and encrypts parameters deemed high-risk based on their security metric values, to balance monitoring with security. The goal is to minimize security risks from monitoring while still enabling systems to adapt based on collected data.
Information Security Management System: Emerging Issues and ProspectIOSR Journals
This document discusses information security management systems (ISMS). It begins by defining ISMS as a collection of policies related to information technology risks and information security management. It notes that while many organizations have implemented ISMS frameworks focused on technology, information security also needs to be addressed at the organizational and strategic level. The document then provides an overview of common elements of ISMS, including risk assessment, policy development, and implementation. It discusses the impact of networks and the internet in driving increased focus on information security. In summary, the document outlines key concepts regarding ISMS and argues the need for holistic ISMS approaches in organizations.
The document discusses Information Security Management Systems (ISMS) and ISO/IEC 27001. It describes ISMS as a systematic approach to managing information security risks. ISO/IEC 27001 provides requirements for establishing, implementing, maintaining and improving an ISMS. It is based on a plan-do-check-act cycle. Implementing an ISMS and gaining ISO/IEC 27001 certification helps organizations manage information security risks, ensure legal and regulatory compliance, improve reputation, and gain a competitive advantage.
This document discusses information security in organizations. It covers several key topics:
- The importance of information security policies and ensuring all employees are trained on these policies.
- The benefits of network security such as controlling access, ensuring confidentiality and integrity of data.
- Common network and system security threats like eavesdropping, phishing, and denial of service attacks.
- The responsibilities of database administrators to securely manage and protect organizational data.
The document outlines an agenda for an information security essentials workshop. It discusses key topics like the principles of information security around confidentiality, integrity and availability. It also covers security governance structures, roles and responsibilities, risk management, information system controls and auditing information security. The objectives are to provide an overview of information security, describe approaches to auditing it, and discuss current trends.
C RITICAL A SSESSMENT OF A UDITING C ONTRIBUTIONS T O E FFECTIVE AND E FF...csandit
Database auditing has become a very crucial aspect
of security as organisations increase their
adoption of database management systems (DBMS) as m
ajor asset that keeps, maintain and
monitor sensitive information. Database auditing is
the group of activities involved in observing
a set of stored data in order to be aware of the ac
tions of users. The work presented here
outlines the main auditing techniques and methods.
Some architectural based auditing systems
were also considered to assess the contribution of
auditing to database security. Here a
framework of several stages to be used in the insti
gation of auditing is proposed. Some issues
relating to handling of audit trails are also discu
ssed in this paper. This paper also itemizes
some of the key important impacts of the concept to
security and how compliance with
government policies and regulations is enforced thr
ough auditing. Once the framework is
adopted, it will provide support to database audito
rs and DBAs.
This document provides an overview of key concepts in information security. It defines information security, why it is important for businesses, and common information security jobs. It then discusses the history of information security and introduces the CIA triad of confidentiality, integrity and availability. The document outlines the components of risk management and assessment. It also describes different types of security controls including administrative, logical/technical, and physical controls and important principles like separation of duties and least privilege. Finally, it discusses security classification of information.
Cyb 690 cybersecurity program template directions the follAISHA232980
This document provides an overview of some of the key legal and ethical challenges related to cybersecurity. It discusses how organizations have an ethical responsibility to protect user data from hackers. When data breaches do occur, organizations are often partially at fault for not adequately protecting information. The document also discusses the importance of building and maintaining trust with employees. It notes that employees should feel comfortable reporting any wrongdoing through appropriate whistleblowing channels. Finally, it mentions some of the trade-offs that must be considered when addressing these challenges, such as privacy versus security and individual rights versus public safety.
International Journal of Engineering Research and DevelopmentIJERD Editor
Electrical, Electronics and Computer Engineering,
Information Engineering and Technology,
Mechanical, Industrial and Manufacturing Engineering,
Automation and Mechatronics Engineering,
Material and Chemical Engineering,
Civil and Architecture Engineering,
Biotechnology and Bio Engineering,
Environmental Engineering,
Petroleum and Mining Engineering,
Marine and Agriculture engineering,
Aerospace Engineering.
Electronic Healthcare Record Security and Management in Healthcare Organizationsijtsrd
"This study aim sat identifying the current countermeasures used in protecting the Electronic Healthcare Record and how employees share their knowledge about the existence Electronic Healthcare Record security as well as countermeasures used in mitigating the threats and data breaches in healthcare organizations. A case study of Aminu Kano Teaching Hospital, Nigeria was used and qualitative research method was adopted where purposive and stratified random sampling was used. This led to construction of eleven relevant questions to four categories of staff. A conceptual frame work was proposed to quid the study and the findings we reevaluated using the proposed frame work. There sults revealed that there is lack of knowledge sharing among employees and some factors were found to be the resistance factors, this include educational background, behavior, low security awareness, personality differences and lack of management commitment. On the other hand, deterrent, preventive and organizational actions were partially practiced as countermeasures used to mitigate the threats and vulnerability of data breaches of Electronic Healthcare Records in Aminu Kano Teaching Hospital in Nigeria. Attahiru Saminu, CLN ""Electronic Healthcare Record Security and Management in Healthcare Organizations"" Published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Special Issue | International Conference on Advanced Engineering and Information Technology , November 2018, URL: https://www.ijtsrd.com/papers/ijtsrd19124.pdf
Paper URL: https://www.ijtsrd.com/other-scientific-research-area/other/19124/electronic-healthcare-record-security-and-management-in-healthcare-organizations/attahiru-saminu-cln"
Zlatibor risk based balancing of organizational and technical controls for ...Dejan Jeremic
This document discusses the importance of balancing organizational and technical controls for effective information security. It argues that a risk-based approach is needed to properly balance these controls. Organizational controls, like security policies and employee training, are important for addressing human and insider threats. While technical controls help manage technological vulnerabilities, both types of controls are needed. A risk-based approach identifies the most critical assets and processes to focus protection efforts. This balancing of controls based on risk can help maximize the effectiveness of an organization's information security management system.
This document outlines the information assurance policy of the University of Mumbai. It defines key terms related to information assurance and security. It establishes that the university will protect information in all forms from unauthorized access, modification, destruction or disclosure. It assigns responsibilities for information security to the Information Security Officer, Information Owners, and Custodians to ensure the confidentiality, integrity and availability of the university's information assets.
Recapitulating the development initiatives of a robust information security s...IOSR Journals
Abstract: Most current information security systems performance vary with the nature of the filed its being
operating. With an increased emphasizes on the adoption of security tools and technologies, the anomalies and
intrusion are mostly said defined to be detected on system's algorithm, when most systems have well defined
mechanism for rapid reaction and identification of intrusions. However, despite this support for anomaly
detection, this is usually limited and often require a full recompilation of the system to deploy a comprehensive
framework of security governance, strategies and practices employing the policies in implementation.
As a result, the absence of a robust security framework securing both the education and corporate
resources has heightened the tension for a strategic information security solutions which might ends with cost,
complexities and cumbersome to develop. This paper thereby presents an alternative comprehensive system
namely RITS-B which accommodates both the nature of education and organizations without a need to for a
further modification. Implication of the proposed approach at real time depicts its suitability in the arena of
concern.
Keywords: Information Security, Governance, Strategies, Practices, Regional Cultures and Believes.
Information security involves protecting information and systems from unauthorized access, use, disclosure, disruption or destruction. It aims to ensure the confidentiality, integrity and availability of information through technical, administrative and physical controls. The most common principles of information security are confidentiality, integrity, availability, authenticity, non-repudiation and accountability. Access controls like identification, authentication and authorization help enforce security policies and protect information based on user roles and permissions. Cryptography also plays an important role through encryption to render data unusable without authorization. Information security requires an ongoing, layered approach to safeguard information throughout its lifecycle.
The document discusses various threats to information systems and the need for controls to protect systems. It describes common threats like accidents, natural disasters, sabotage, theft, and unauthorized access. It then discusses different strategies for information security controls, including containment, deterrence, obfuscation, and recovery. It also outlines specific types of controls like physical, biometric, telecommunications, failure, and auditing controls. Finally, it discusses techniques for controlling information systems, such as security policies, passwords, encryption, procedures, user validation, and backup protocols.
MA Healthcare discovered a security breach in their electronic health records system. Multiple user accounts were created over two weeks that elevated privileges, allowing access to clinical and financial records for 37,000 to 50,000 patients. An investigation was initiated, but audit logs had overwritten themselves. This could imply an insider breach. HIPAA requires technical, administrative, and physical safeguards to protect electronic protected health information. MA Healthcare needs to update policies on user accounts, passwords, training, and access authorization to improve security and compliance according to guidelines from NIST and HIPAA.
Information security management (bel g. ragad)Rois Solihin
This document discusses the information security life cycle, which includes 6 steps: 1) security planning, 2) security analysis, 3) security design, 4) security implementation, 5) security review, and 6) continual security. It focuses on the first two steps of security planning and security analysis. For security planning, it covers asset definition, security policy, security objectives, and security scope. For security analysis, it describes the key activities of asset analysis, impact analysis, threat analysis, exposure analysis, vulnerability analysis, analyzing existing security controls, and risk analysis to define security requirements.
This document discusses computer security and defines key related terms. It defines computer security as protecting systems to maintain integrity, availability, and confidentiality of information. It also discusses concepts like data confidentiality, privacy, data integrity, system integrity, and availability. Additional concepts discussed are authenticity, accountability, and the OSI security architecture which focuses on security attacks, mechanisms, and services.
Integrating Threat Modeling in Secure Agent-Oriented Software DevelopmentWaqas Tariq
The main objective of this paper is to integrate threat modeling when developing a software application following the Secure Tropos methodology. Secure Tropos is an agent-oriented software development methodology which integrates “security extensions” into all development phases. Threat modeling is used to identify, document, and mitigate security risks, therefore, applying threat modeling when defining the security extensions shall lead to better modeling and increased level of security. After integrating threat modeling into this methodology, security attack scenarios are applied to the models to discuss how the security level of the system has been impacted. Security attack scenarios have been used to test different enhancements made to the Secure Tropos methodology and the Tropos methodology itself. The system modeled using this methodology is an e-Commerce application that will be used to sell handmade products made in Ecuador through the web. The .NET Model-View-Controller framework is used to develop our case study application. Results show that integrating threat modeling in the development process, the level of security of the modeled application has increased. The different actors, goals, tasks, and security constraints that were introduced based on the proposed integration help mitigate different risks and vulnerabilities.
Security is an issue of generally recognized importance. Security starts with you, the user. It is well known that a formal security policy is a prerequisite of security. Having a policy and being able to enforce it is a totally different thing. This paper explains the three aspects of security that should be combined to create a well-rounded solution for securing organizations. This solution examines people, policy and enforcement as three dimensions in the world of security. This paper serves as 1) a conceptual framework for securing organization 2) the basis for formal policy-to-enforcement; 3) It raises awareness that the users should be informed of their roles and responsibilities in protecting the organization; and 4) evidence for writing policies that can be implemented and enforcement involves understanding the policies by the users
This document discusses writing an IT infrastructure audit report. It explains that the report communicates audit results to organizational leaders, prevents misinterpretation, and discusses corrective measures. The scope, objectives, methods, findings and other aspects make up the basis of the report. Compliance and governance are also discussed, along with tasks required for compliance like data protection, security controls, and assessments. Periodic assessments, annual audits, and defined controls are key to maintaining compliance.
Information Security Governance: Concepts, Security Management & MetricsOxfordCambridge
The goal of information security governance is to establish and maintain a framework to provide assurance that information security strategies are aligned with the business objectives and consistent with applicable laws and regulations.
This document provides a three-step plan for healthcare providers to strengthen cybersecurity:
1) Conduct a cybersecurity risk assessment to identify vulnerabilities
2) Purchase cyber insurance to transfer some risks and costs of breaches
3) Consider moving data and IT services to a qualified cloud provider that specializes in healthcare security and compliance. Outsourcing to an experienced cloud provider can improve capabilities while potentially reducing long-term costs compared to maintaining IT systems in-house.
Information security involves protecting information and systems from unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction. It is necessary to balance security controls with reasonable access. Key elements of information security include confidentiality, integrity, availability, and utility. Organizations implement administrative, logical and physical controls and follow a risk management process to identify vulnerabilities and select appropriate security measures. Laws and regulations also govern data security.
The document discusses mobile security and provides recommendations for organizations. It covers the following key points:
1. Mobility has introduced new security risks as the traditional network perimeter is broken and devices are used outside an organization's control. This includes risks from lost devices, insecure networks, overlap of personal and work usage, and cloud data storage.
2. A layered mobile security strategy is recommended, with security controls embedded in policies, infrastructure, applications, and data. Organizations should define acceptable usage policies and deploy mobile device management to monitor compliance.
3. Application security is also important, with recommendations to use secure development practices, test apps for vulnerabilities, and encrypt sensitive data. A defense-in-depth approach combining
This document discusses information systems security. It begins by defining information systems and noting their importance for strategic advantage and decision making. It then discusses the risks of inadequate security management and the need to ensure integrity and safety of systems. The document goes on to explain basic principles of information security like confidentiality, integrity, availability, and others. It also discusses threats like computer crimes, accidents, vulnerabilities and methods to minimize risks like developing systems correctly, user training, physical security controls, and auditing.
This ppt contains information about definition of computer & information security, types of attacks, services, mechanisms, controls and model for network security
Security and Control Issues in Information SystemDaryl Conson
This document discusses information systems security. It defines an information system as a set of components for collecting, storing, processing, and delivering information and knowledge. Information systems play an important role in modern society and infrastructures. To protect against potential losses, it is crucial for information systems to have security measures from the outset. Information system security aims to establish policies and controls to guarantee the authenticity, confidentiality, availability, and integrity of information assets. It discusses the importance of controls to provide security and quality assurance for information systems.
This document is a guide for the detailed development, selection implementation of information system and program level procedures to indicate the execution, effectiveness, and impact of security controls along with and other security associated activities.
Cyb 690 cybersecurity program template directions the follAISHA232980
This document provides an overview of some of the key legal and ethical challenges related to cybersecurity. It discusses how organizations have an ethical responsibility to protect user data from hackers. When data breaches do occur, organizations are often partially at fault for not adequately protecting information. The document also discusses the importance of building and maintaining trust with employees. It notes that employees should feel comfortable reporting any wrongdoing through appropriate whistleblowing channels. Finally, it mentions some of the trade-offs that must be considered when addressing these challenges, such as privacy versus security and individual rights versus public safety.
International Journal of Engineering Research and DevelopmentIJERD Editor
Electrical, Electronics and Computer Engineering,
Information Engineering and Technology,
Mechanical, Industrial and Manufacturing Engineering,
Automation and Mechatronics Engineering,
Material and Chemical Engineering,
Civil and Architecture Engineering,
Biotechnology and Bio Engineering,
Environmental Engineering,
Petroleum and Mining Engineering,
Marine and Agriculture engineering,
Aerospace Engineering.
Electronic Healthcare Record Security and Management in Healthcare Organizationsijtsrd
"This study aim sat identifying the current countermeasures used in protecting the Electronic Healthcare Record and how employees share their knowledge about the existence Electronic Healthcare Record security as well as countermeasures used in mitigating the threats and data breaches in healthcare organizations. A case study of Aminu Kano Teaching Hospital, Nigeria was used and qualitative research method was adopted where purposive and stratified random sampling was used. This led to construction of eleven relevant questions to four categories of staff. A conceptual frame work was proposed to quid the study and the findings we reevaluated using the proposed frame work. There sults revealed that there is lack of knowledge sharing among employees and some factors were found to be the resistance factors, this include educational background, behavior, low security awareness, personality differences and lack of management commitment. On the other hand, deterrent, preventive and organizational actions were partially practiced as countermeasures used to mitigate the threats and vulnerability of data breaches of Electronic Healthcare Records in Aminu Kano Teaching Hospital in Nigeria. Attahiru Saminu, CLN ""Electronic Healthcare Record Security and Management in Healthcare Organizations"" Published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Special Issue | International Conference on Advanced Engineering and Information Technology , November 2018, URL: https://www.ijtsrd.com/papers/ijtsrd19124.pdf
Paper URL: https://www.ijtsrd.com/other-scientific-research-area/other/19124/electronic-healthcare-record-security-and-management-in-healthcare-organizations/attahiru-saminu-cln"
Zlatibor risk based balancing of organizational and technical controls for ...Dejan Jeremic
This document discusses the importance of balancing organizational and technical controls for effective information security. It argues that a risk-based approach is needed to properly balance these controls. Organizational controls, like security policies and employee training, are important for addressing human and insider threats. While technical controls help manage technological vulnerabilities, both types of controls are needed. A risk-based approach identifies the most critical assets and processes to focus protection efforts. This balancing of controls based on risk can help maximize the effectiveness of an organization's information security management system.
This document outlines the information assurance policy of the University of Mumbai. It defines key terms related to information assurance and security. It establishes that the university will protect information in all forms from unauthorized access, modification, destruction or disclosure. It assigns responsibilities for information security to the Information Security Officer, Information Owners, and Custodians to ensure the confidentiality, integrity and availability of the university's information assets.
Recapitulating the development initiatives of a robust information security s...IOSR Journals
Abstract: Most current information security systems performance vary with the nature of the filed its being
operating. With an increased emphasizes on the adoption of security tools and technologies, the anomalies and
intrusion are mostly said defined to be detected on system's algorithm, when most systems have well defined
mechanism for rapid reaction and identification of intrusions. However, despite this support for anomaly
detection, this is usually limited and often require a full recompilation of the system to deploy a comprehensive
framework of security governance, strategies and practices employing the policies in implementation.
As a result, the absence of a robust security framework securing both the education and corporate
resources has heightened the tension for a strategic information security solutions which might ends with cost,
complexities and cumbersome to develop. This paper thereby presents an alternative comprehensive system
namely RITS-B which accommodates both the nature of education and organizations without a need to for a
further modification. Implication of the proposed approach at real time depicts its suitability in the arena of
concern.
Keywords: Information Security, Governance, Strategies, Practices, Regional Cultures and Believes.
Information security involves protecting information and systems from unauthorized access, use, disclosure, disruption or destruction. It aims to ensure the confidentiality, integrity and availability of information through technical, administrative and physical controls. The most common principles of information security are confidentiality, integrity, availability, authenticity, non-repudiation and accountability. Access controls like identification, authentication and authorization help enforce security policies and protect information based on user roles and permissions. Cryptography also plays an important role through encryption to render data unusable without authorization. Information security requires an ongoing, layered approach to safeguard information throughout its lifecycle.
The document discusses various threats to information systems and the need for controls to protect systems. It describes common threats like accidents, natural disasters, sabotage, theft, and unauthorized access. It then discusses different strategies for information security controls, including containment, deterrence, obfuscation, and recovery. It also outlines specific types of controls like physical, biometric, telecommunications, failure, and auditing controls. Finally, it discusses techniques for controlling information systems, such as security policies, passwords, encryption, procedures, user validation, and backup protocols.
MA Healthcare discovered a security breach in their electronic health records system. Multiple user accounts were created over two weeks that elevated privileges, allowing access to clinical and financial records for 37,000 to 50,000 patients. An investigation was initiated, but audit logs had overwritten themselves. This could imply an insider breach. HIPAA requires technical, administrative, and physical safeguards to protect electronic protected health information. MA Healthcare needs to update policies on user accounts, passwords, training, and access authorization to improve security and compliance according to guidelines from NIST and HIPAA.
Information security management (bel g. ragad)Rois Solihin
This document discusses the information security life cycle, which includes 6 steps: 1) security planning, 2) security analysis, 3) security design, 4) security implementation, 5) security review, and 6) continual security. It focuses on the first two steps of security planning and security analysis. For security planning, it covers asset definition, security policy, security objectives, and security scope. For security analysis, it describes the key activities of asset analysis, impact analysis, threat analysis, exposure analysis, vulnerability analysis, analyzing existing security controls, and risk analysis to define security requirements.
This document discusses computer security and defines key related terms. It defines computer security as protecting systems to maintain integrity, availability, and confidentiality of information. It also discusses concepts like data confidentiality, privacy, data integrity, system integrity, and availability. Additional concepts discussed are authenticity, accountability, and the OSI security architecture which focuses on security attacks, mechanisms, and services.
Integrating Threat Modeling in Secure Agent-Oriented Software DevelopmentWaqas Tariq
The main objective of this paper is to integrate threat modeling when developing a software application following the Secure Tropos methodology. Secure Tropos is an agent-oriented software development methodology which integrates “security extensions” into all development phases. Threat modeling is used to identify, document, and mitigate security risks, therefore, applying threat modeling when defining the security extensions shall lead to better modeling and increased level of security. After integrating threat modeling into this methodology, security attack scenarios are applied to the models to discuss how the security level of the system has been impacted. Security attack scenarios have been used to test different enhancements made to the Secure Tropos methodology and the Tropos methodology itself. The system modeled using this methodology is an e-Commerce application that will be used to sell handmade products made in Ecuador through the web. The .NET Model-View-Controller framework is used to develop our case study application. Results show that integrating threat modeling in the development process, the level of security of the modeled application has increased. The different actors, goals, tasks, and security constraints that were introduced based on the proposed integration help mitigate different risks and vulnerabilities.
Security is an issue of generally recognized importance. Security starts with you, the user. It is well known that a formal security policy is a prerequisite of security. Having a policy and being able to enforce it is a totally different thing. This paper explains the three aspects of security that should be combined to create a well-rounded solution for securing organizations. This solution examines people, policy and enforcement as three dimensions in the world of security. This paper serves as 1) a conceptual framework for securing organization 2) the basis for formal policy-to-enforcement; 3) It raises awareness that the users should be informed of their roles and responsibilities in protecting the organization; and 4) evidence for writing policies that can be implemented and enforcement involves understanding the policies by the users
This document discusses writing an IT infrastructure audit report. It explains that the report communicates audit results to organizational leaders, prevents misinterpretation, and discusses corrective measures. The scope, objectives, methods, findings and other aspects make up the basis of the report. Compliance and governance are also discussed, along with tasks required for compliance like data protection, security controls, and assessments. Periodic assessments, annual audits, and defined controls are key to maintaining compliance.
Information Security Governance: Concepts, Security Management & MetricsOxfordCambridge
The goal of information security governance is to establish and maintain a framework to provide assurance that information security strategies are aligned with the business objectives and consistent with applicable laws and regulations.
This document provides a three-step plan for healthcare providers to strengthen cybersecurity:
1) Conduct a cybersecurity risk assessment to identify vulnerabilities
2) Purchase cyber insurance to transfer some risks and costs of breaches
3) Consider moving data and IT services to a qualified cloud provider that specializes in healthcare security and compliance. Outsourcing to an experienced cloud provider can improve capabilities while potentially reducing long-term costs compared to maintaining IT systems in-house.
Information security involves protecting information and systems from unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction. It is necessary to balance security controls with reasonable access. Key elements of information security include confidentiality, integrity, availability, and utility. Organizations implement administrative, logical and physical controls and follow a risk management process to identify vulnerabilities and select appropriate security measures. Laws and regulations also govern data security.
The document discusses mobile security and provides recommendations for organizations. It covers the following key points:
1. Mobility has introduced new security risks as the traditional network perimeter is broken and devices are used outside an organization's control. This includes risks from lost devices, insecure networks, overlap of personal and work usage, and cloud data storage.
2. A layered mobile security strategy is recommended, with security controls embedded in policies, infrastructure, applications, and data. Organizations should define acceptable usage policies and deploy mobile device management to monitor compliance.
3. Application security is also important, with recommendations to use secure development practices, test apps for vulnerabilities, and encrypt sensitive data. A defense-in-depth approach combining
This document discusses information systems security. It begins by defining information systems and noting their importance for strategic advantage and decision making. It then discusses the risks of inadequate security management and the need to ensure integrity and safety of systems. The document goes on to explain basic principles of information security like confidentiality, integrity, availability, and others. It also discusses threats like computer crimes, accidents, vulnerabilities and methods to minimize risks like developing systems correctly, user training, physical security controls, and auditing.
This ppt contains information about definition of computer & information security, types of attacks, services, mechanisms, controls and model for network security
Security and Control Issues in Information SystemDaryl Conson
This document discusses information systems security. It defines an information system as a set of components for collecting, storing, processing, and delivering information and knowledge. Information systems play an important role in modern society and infrastructures. To protect against potential losses, it is crucial for information systems to have security measures from the outset. Information system security aims to establish policies and controls to guarantee the authenticity, confidentiality, availability, and integrity of information assets. It discusses the importance of controls to provide security and quality assurance for information systems.
This document is a guide for the detailed development, selection implementation of information system and program level procedures to indicate the execution, effectiveness, and impact of security controls along with and other security associated activities.
The document discusses data security and controls in database management systems. It begins by introducing basic security concepts like secrecy, integrity, availability, security policy, and prevention vs detection approaches. It then describes access controls commonly found in current database systems, including different levels of granularity (e.g. entire database, specific relations or rows) and control modes (e.g. read, write, delete permissions). It also introduces the problem of multilevel security that traditional access controls cannot fully address.
Information Systems Security & StrategyTony Hauxwell
This document discusses information security strategies and the importance of protecting sensitive data. It defines an information security strategy as a set of procedures and policies to protect information assets from being lost, stolen or compromised. The core concepts of confidentiality, integrity and availability underpin security strategies and regulations. The document examines techniques for implementing security strategies, including identifying risks and complying with standards to ensure protection of information.
database-security-access-control-models-a-brief-overview-IJERTV2IS50406.pdfDr Amit Phadikar
This document discusses database security and access control models. It provides an overview of three main access control models: discretionary access control (DAC), mandatory access control (MAC), and role-based access control (RBAC). DAC allows users discretion over their own data and to share access privileges. However, it is vulnerable to Trojan horse attacks where a user's privileges are abused. MAC enforces security based on classification levels and prevents reading or writing outside of clearance levels. RBAC assigns system access based on user roles and duties. The document examines advantages and limitations of each model and how they enforce database security policies.
Database Security—Concepts,Approaches, and ChallengesElisaOllieShoresna
Database Security—Concepts,
Approaches, and Challenges
Elisa Bertino, Fellow, IEEE, and Ravi Sandhu, Fellow, IEEE
Abstract—As organizations increase their reliance on, possibly distributed, information systems for daily business, they become more
vulnerable to security breaches even as they gain productivity and efficiency advantages. Though a number of techniques, such as
encryption and electronic signatures, are currently available to protect data when transmitted across sites, a truly comprehensive
approach for data protection must also include mechanisms for enforcing access control policies based on data contents, subject
qualifications and characteristics, and other relevant contextual information, such as time. It is well understood today that the
semantics of data must be taken into account in order to specify effective access control policies. Also, techniques for data integrity
and availability specifically tailored to database systems must be adopted. In this respect, over the years the database security
community has developed a number of different techniques and approaches to assure data confidentiality, integrity, and availability.
However, despite such advances, the database security area faces several new challenges. Factors such as the evolution of security
concerns, the “disintermediation” of access to data, new computing paradigms and applications, such as grid-based computing and on-
demand business, have introduced both new security requirements and new contexts in which to apply and possibly extend current
approaches. In this paper, we first survey the most relevant concepts underlying the notion of database security and summarize the
most well-known techniques. We focus on access control systems, on which a large body of research has been devoted, and describe
the key access control models, namely, the discretionary and mandatory access control models, and the role-based access control
(RBAC) model. We also discuss security for advanced data management systems, and cover topics such as access control for XML.
We then discuss current challenges for database security and some preliminary approaches that address some of these challenges.
Index Terms—Data confindentiality, data privacy, relational and object databases, XML.
�
1 INTRODUCTION
AS organizations increase their adoption of databasesystems as the key data management technology for
day-to-day operations and decision making, the security of
data managed by these systems becomes crucial. Damage
and misuse of data affect not only a single user or
application, but may have disastrous consequences on the
entire organization. The recent rapid proliferation of Web-
based applications and information systems have further
increased the risk exposure of databases and, thus, data
protection is today more crucial than ever. It is also
important to appreciate that data needs to be protected
not only from external threats, but also from insider threats ...
In what ways do you think the Elaboration Likelihood Model applies.docxjaggernaoma
This document summarizes common vulnerabilities observed in critical infrastructure control systems based on vulnerability assessments conducted by Sandia National Laboratories. It finds that most vulnerabilities stem from a lack of proper security administration, including failing to define security classifications for system data, establish security perimeters, implement defense-in-depth protections, and restrict access based on operational needs. Many vulnerabilities result from deficient or nonexistent security governance, budget constraints, personnel attrition, and a lack of security training for automation administrators. Comprehensive mitigation requires improved security awareness, strong governance, and configuration of technology to remedy vulnerabilities.
An Empirical Study on the Security Measurements of Websites of Jordanian Publ...CSCJournals
Most of the Jordanian universities’ inquiries systems, i.e. educational, financial, administrative, and research systems are accessible through their campus networks. As such, they are vulnerable to security breaches that may compromise confidential information and expose the universities to losses and other risks. At Jordanian universities, security is critical to the physical network, computer operating systems, and application programs and each area has its own set of security issues and risks. This paper presents a comparative study on the security systems at the Jordanian universities from the viewpoint of prevention and intrusion detection. Robustness testing techniques are used to assess the security and robustness of the universities’ online services. In this paper, the analysis concentrates on the distribution of vulnerability categories and identifies the mistakes that lead to a severe type of vulnerability. The distribution of vulnerabilities can be used to avoid security flaws and mistakes.
The document discusses precision controlled privacy preservation in relational data. It proposes a multilevel anonymization technique that combines generalization and suppression to provide improved security and minimum precision in retrieved data compared to previous methods. An experimental evaluation on a medical dataset shows the proposed method retrieves more tuples than previous privacy preserving access control and workload-aware anonymization methods, especially with increasing numbers of query predicates. The aim is to satisfy accuracy constraints for authorized data retrieval while preserving privacy through this combined anonymization approach.
This document discusses implementing IT security controls and the behavioral aspects of managing insider threats. It summarizes research showing that technical controls alone cannot solve security issues as they are also social and organizational problems. Later research applied a systems dynamics model and signal detection theory to observe behavioral risks, finding that information workers and security officers use experience and thresholds to decide when to investigate anomalies. Training staff on security tools and awareness was found to significantly reduce insider attacks. A 2010 framework addressed insider threats by considering the organization, individual, IT systems, and environment.
Information Privacy and Security: The Value and Importance of Health Information Privacy, security of health data, potential technical approaches to health data privacy and security.
LD7009 Information Assurance And Risk Management.docxstirlingvwriters
The document discusses information assurance and risk management policies for Cerious Cybernetics Corporation. It identifies several key risks to the organization, including malware, password theft, traffic interception, phishing attacks, denial of service attacks, and SQL injection. It recommends that Cerious Cybernetics develop a robust information assurance policy addressing availability, integrity, authentication, non-repudiation, and confidentiality. The policy should include regular risk assessments, a risk management plan, security procedures, and staff training to help protect the organization from cyber threats.
The document outlines an agenda for an information security essentials workshop. It discusses key topics like the principles of information security around confidentiality, integrity and availability. It also covers security governance structures, roles and responsibilities, risk management, information system controls and auditing information security. The objectives are to provide an overview of information security, describe approaches to auditing it, and discuss current trends.
IN-DEPTH ANALYSIS AND SYSTEMATIC LITERATURE REVIEW ON RISK BASED ACCESS CONTR...ijcseit
This document provides a systematic literature review of risk-based access control models in cloud computing. It begins with an introduction to access control systems, traditional static models, and dynamic risk-based models. A methodology for the literature review is then described involving search criteria, quality evaluation, and data extraction. Key findings include the identification of security risks for cloud consumers and providers, common risk factors used in access control models, and risk estimation techniques. The review contributes an in-depth analysis of recent research on applying risk-based access control in cloud environments.
PLANT LEAF DISEASES IDENTIFICATION IN DEEP LEARNINGCSEIJJournal
Crop diseases constitute a big threat to plant existence, but their rapid identification remains difficult in many parts of the planet because of the shortage of the required infrastructure. In computer vision, plant leaf detection made possible by deep learning has paved the way for smartphone-assisted disease diagnosis. employing a public dataset of 4,306 images of diseased and healthy plant leaves collected under controlled conditions, we train a deep convolutional neural network to spot one crop species and 4 diseases (or absence thereof). The trained model achieves an accuracy of 97.35% on a held-out test set, demonstrating the feasibility of this approach. Overall, the approach of coaching deep learning models on increasingly large and publicly available image datasets presents a transparent path toward smartphoneassisted crop disease diagnosis on a large global scale. After the disease is successfully predicted with a decent confidence level, the corresponding remedy for the disease present is displayed that may be taken as a cure.
Database security is a growing concern as the amount of sensitive data collected and retained in databases
is fast growing and most of these data are being made accessible via the internet. Majority of the companies, organizations and teaching and learning institutions store sensitive data in databases .As most of these data are electronically accessed , It can therefore be assumed that , the integrity of these numerous and sensitive data is prone to different kind of threat such as{Unauthorized access, theft as well access denial}. Therefore, the need for securing databases has also increased The primary objectives of database security are to prevent unauthorized access to data, prevent unauthorized tampering or modification of
data, and to also ensure that, these data remains available whenever needed. In this paper, we developed
a database security framework by combining different security mechanism on a sensitive students information database application designed for Shehu Shagari College of Education Sokoto (SSCOE) with the aim of minimizing and preventing the data from Confidentiality, Integrity and Availability threats
This document presents a database security framework developed by the authors to secure a student information database. The framework combines various security mechanisms to enforce confidentiality, integrity, and availability (CIA) of the data. The framework was tested on exam officers who were either granted or denied access based on correct or incorrect login details, demonstrating the effectiveness of the security measures. The framework models the database system using use case and class diagrams and divides it into three layers - the presentation layer, application logic layer, and data/domain layer. The results indicate the framework successfully authenticates authorized users and restricts unauthorized access in line with the CIA principles.
Implementing Physical Security As An Access Control PlanAngie Willis
Implementing physical security as an access control plan takes careful planning. Physical security involves protecting personnel, hardware, rooms, and buildings through access control, observation, and testing. Measures include fencing, locks, access cards, biometrics, fire protection, and observation cameras. A clear plan is needed to reduce threats. Biometric sensors like iris scans or fingerprints can deter intruders from unauthorized access. Access control should include both physical and information security. Consideration should also be given to securing portable devices to prevent insider threats. Security controls like access control systems help manage and protect physical and digital assets through regulatory, technical and physical means.
This document outlines the key concepts in information security including confidentiality, integrity, availability, non-repudiation, access control, authentication, privacy, and security mechanisms. It discusses how security mechanisms aim to reduce vulnerabilities but can also create new ones. The goal of attackers in this course is to leak or misuse confidential information by exploiting existing vulnerabilities. It concludes by asking how security mechanisms can detect insiders who leak information they have access to through their work.
Driving Business Innovation: Latest Generative AI Advancements & Success StorySafe Software
Are you ready to revolutionize how you handle data? Join us for a webinar where we’ll bring you up to speed with the latest advancements in Generative AI technology and discover how leveraging FME with tools from giants like Google Gemini, Amazon, and Microsoft OpenAI can supercharge your workflow efficiency.
During the hour, we’ll take you through:
Guest Speaker Segment with Hannah Barrington: Dive into the world of dynamic real estate marketing with Hannah, the Marketing Manager at Workspace Group. Hear firsthand how their team generates engaging descriptions for thousands of office units by integrating diverse data sources—from PDF floorplans to web pages—using FME transformers, like OpenAIVisionConnector and AnthropicVisionConnector. This use case will show you how GenAI can streamline content creation for marketing across the board.
Ollama Use Case: Learn how Scenario Specialist Dmitri Bagh has utilized Ollama within FME to input data, create custom models, and enhance security protocols. This segment will include demos to illustrate the full capabilities of FME in AI-driven processes.
Custom AI Models: Discover how to leverage FME to build personalized AI models using your data. Whether it’s populating a model with local data for added security or integrating public AI tools, find out how FME facilitates a versatile and secure approach to AI.
We’ll wrap up with a live Q&A session where you can engage with our experts on your specific use cases, and learn more about optimizing your data workflows with AI.
This webinar is ideal for professionals seeking to harness the power of AI within their data management systems while ensuring high levels of customization and security. Whether you're a novice or an expert, gain actionable insights and strategies to elevate your data processes. Join us to see how FME and AI can revolutionize how you work with data!
Ivanti’s Patch Tuesday breakdown goes beyond patching your applications and brings you the intelligence and guidance needed to prioritize where to focus your attention first. Catch early analysis on our Ivanti blog, then join industry expert Chris Goettl for the Patch Tuesday Webinar Event. There we’ll do a deep dive into each of the bulletins and give guidance on the risks associated with the newly-identified vulnerabilities.
Essentials of Automations: The Art of Triggers and Actions in FMESafe Software
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
“An Outlook of the Ongoing and Future Relationship between Blockchain Technologies and Process-aware Information Systems.” Invited talk at the joint workshop on Blockchain for Information Systems (BC4IS) and Blockchain for Trusted Data Sharing (B4TDS), co-located with with the 36th International Conference on Advanced Information Systems Engineering (CAiSE), 3 June 2024, Limassol, Cyprus.
Threats to mobile devices are more prevalent and increasing in scope and complexity. Users of mobile devices desire to take full advantage of the features
available on those devices, but many of the features provide convenience and capability but sacrifice security. This best practices guide outlines steps the users can take to better protect personal devices and information.
Fueling AI with Great Data with Airbyte WebinarZilliz
This talk will focus on how to collect data from a variety of sources, leveraging this data for RAG and other GenAI use cases, and finally charting your course to productionalization.
Best 20 SEO Techniques To Improve Website Visibility In SERPPixlogix Infotech
Boost your website's visibility with proven SEO techniques! Our latest blog dives into essential strategies to enhance your online presence, increase traffic, and rank higher on search engines. From keyword optimization to quality content creation, learn how to make your site stand out in the crowded digital landscape. Discover actionable tips and expert insights to elevate your SEO game.
Programming Foundation Models with DSPy - Meetup SlidesZilliz
Prompting language models is hard, while programming language models is easy. In this talk, I will discuss the state-of-the-art framework DSPy for programming foundation models with its powerful optimizers and runtime constraint system.
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc
How does your privacy program stack up against your peers? What challenges are privacy teams tackling and prioritizing in 2024?
In the fifth annual Global Privacy Benchmarks Survey, we asked over 1,800 global privacy professionals and business executives to share their perspectives on the current state of privacy inside and outside of their organizations. This year’s report focused on emerging areas of importance for privacy and compliance professionals, including considerations and implications of Artificial Intelligence (AI) technologies, building brand trust, and different approaches for achieving higher privacy competence scores.
See how organizational priorities and strategic approaches to data security and privacy are evolving around the globe.
This webinar will review:
- The top 10 privacy insights from the fifth annual Global Privacy Benchmarks Survey
- The top challenges for privacy leaders, practitioners, and organizations in 2024
- Key themes to consider in developing and maintaining your privacy program
GraphRAG for Life Science to increase LLM accuracyTomaz Bratanic
GraphRAG for life science domain, where you retriever information from biomedical knowledge graphs using LLMs to increase the accuracy and performance of generated answers
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUpanagenda
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-und-domino-lizenzkostenreduzierung-in-der-welt-von-dlau/
DLAU und die Lizenzen nach dem CCB- und CCX-Modell sind für viele in der HCL-Community seit letztem Jahr ein heißes Thema. Als Notes- oder Domino-Kunde haben Sie vielleicht mit unerwartet hohen Benutzerzahlen und Lizenzgebühren zu kämpfen. Sie fragen sich vielleicht, wie diese neue Art der Lizenzierung funktioniert und welchen Nutzen sie Ihnen bringt. Vor allem wollen Sie sicherlich Ihr Budget einhalten und Kosten sparen, wo immer möglich. Das verstehen wir und wir möchten Ihnen dabei helfen!
Wir erklären Ihnen, wie Sie häufige Konfigurationsprobleme lösen können, die dazu führen können, dass mehr Benutzer gezählt werden als nötig, und wie Sie überflüssige oder ungenutzte Konten identifizieren und entfernen können, um Geld zu sparen. Es gibt auch einige Ansätze, die zu unnötigen Ausgaben führen können, z. B. wenn ein Personendokument anstelle eines Mail-Ins für geteilte Mailboxen verwendet wird. Wir zeigen Ihnen solche Fälle und deren Lösungen. Und natürlich erklären wir Ihnen das neue Lizenzmodell.
Nehmen Sie an diesem Webinar teil, bei dem HCL-Ambassador Marc Thomas und Gastredner Franz Walder Ihnen diese neue Welt näherbringen. Es vermittelt Ihnen die Tools und das Know-how, um den Überblick zu bewahren. Sie werden in der Lage sein, Ihre Kosten durch eine optimierte Domino-Konfiguration zu reduzieren und auch in Zukunft gering zu halten.
Diese Themen werden behandelt
- Reduzierung der Lizenzkosten durch Auffinden und Beheben von Fehlkonfigurationen und überflüssigen Konten
- Wie funktionieren CCB- und CCX-Lizenzen wirklich?
- Verstehen des DLAU-Tools und wie man es am besten nutzt
- Tipps für häufige Problembereiche, wie z. B. Team-Postfächer, Funktions-/Testbenutzer usw.
- Praxisbeispiele und Best Practices zum sofortigen Umsetzen
UiPath Test Automation using UiPath Test Suite series, part 6DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 6. In this session, we will cover Test Automation with generative AI and Open AI.
UiPath Test Automation with generative AI and Open AI webinar offers an in-depth exploration of leveraging cutting-edge technologies for test automation within the UiPath platform. Attendees will delve into the integration of generative AI, a test automation solution, with Open AI advanced natural language processing capabilities.
Throughout the session, participants will discover how this synergy empowers testers to automate repetitive tasks, enhance testing accuracy, and expedite the software testing life cycle. Topics covered include the seamless integration process, practical use cases, and the benefits of harnessing AI-driven automation for UiPath testing initiatives. By attending this webinar, testers, and automation professionals can gain valuable insights into harnessing the power of AI to optimize their test automation workflows within the UiPath ecosystem, ultimately driving efficiency and quality in software development processes.
What will you get from this session?
1. Insights into integrating generative AI.
2. Understanding how this integration enhances test automation within the UiPath platform
3. Practical demonstrations
4. Exploration of real-world use cases illustrating the benefits of AI-driven test automation for UiPath
Topics covered:
What is generative AI
Test Automation with generative AI and Open AI.
UiPath integration with generative AI
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
AI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdfTechgropse Pvt.Ltd.
In this blog post, we'll delve into the intersection of AI and app development in Saudi Arabia, focusing on the food delivery sector. We'll explore how AI is revolutionizing the way Saudi consumers order food, how restaurants manage their operations, and how delivery partners navigate the bustling streets of cities like Riyadh, Jeddah, and Dammam. Through real-world case studies, we'll showcase how leading Saudi food delivery apps are leveraging AI to redefine convenience, personalization, and efficiency.
CAKE: Sharing Slices of Confidential Data on BlockchainClaudio Di Ciccio
Presented at the CAiSE 2024 Forum, Intelligent Information Systems, June 6th, Limassol, Cyprus.
Synopsis: Cooperative information systems typically involve various entities in a collaborative process within a distributed environment. Blockchain technology offers a mechanism for automating such processes, even when only partial trust exists among participants. The data stored on the blockchain is replicated across all nodes in the network, ensuring accessibility to all participants. While this aspect facilitates traceability, integrity, and persistence, it poses challenges for adopting public blockchains in enterprise settings due to confidentiality issues. In this paper, we present a software tool named Control Access via Key Encryption (CAKE), designed to ensure data confidentiality in scenarios involving public blockchains. After outlining its core components and functionalities, we showcase the application of CAKE in the context of a real-world cyber-security project within the logistics domain.
Paper: https://doi.org/10.1007/978-3-031-61000-4_16
CAKE: Sharing Slices of Confidential Data on Blockchain
Availability
1. Martin and Khazanchi
Information Availability
Information Availability and Security Policy
Andrew P. Martin
Information Systems & Quantitative Analysis
College of Information Science & Technology
University of Nebraska at Omaha
am41475@gimail.af.mil
Deepak Khazanchi
Information Systems & Quantitative Analysis
College of Information Science & Technology
University of Nebraska at Omaha
khazanchi@unomaha.edu
ABSTRACT
Information availability is a key element of information security. However, information availability has not been addressed
with the same enthusiasm as confidentiality and integrity because availability is impacted by many variables which cannot
easily be controlled. The principal goal of this research is to characterize information availability in detail and investigate
how effective enterprise security policy can ensure availability.
Keywords
Information Availability, Confidentiality, Integrity, Security Policy.
INTRODUCTION
Today’ businesses are highly dependent upon the availability of information resources. While information availability (IAV)
s
is well established as an attribute required for information security (INFOSEC), researchers and practitioners were, and
remain, most concerned with maintaining confidentiality and integrity of the information. IAV remains less understood in
practice and ignored in research because of the seemingly endless number of potential factors that can impact the availability
of information (Hosmer 1996; Parker, 1992). Brinkley & Schell (1995) argue that there exists an “
unboundedness of possible
causes of a loss of availability.”Tryfonas, Gritzalis & Kokolakis (2000) call for availability to be revisited at the macroscopic
level because of our ever-growing dependence upon online information. Lipson & Fisher (1999) believe that “ problems
the
of greatest concern today relate to the availability of information and continuity of services.”
The simultaneous increase in dependency upon information resources and attacks against those same resources gives
credence to the need, now more than ever, for better understanding of the factors that determine IAV. The astounding cost of
unavailability ranges from $1 to 3 million per hour depending upon the industry sector (ODI, 2006). Enterprises require that
availability be provided with the same certainty associated with confidentiality and integrity. Therefore, this paper has three
main objectives: (1) Explain the notion of IAV and its attributes; (2) Identify key determinants of IAV; and (3) Evaluate the
impact of one of these determinants (security policy) on IAV using the example of three firms (cases).
INFORMATION AVAILABILITY
Confidentiality is defined as the “
assurance that information is not disclosed to unauthorized entities or processes”(Schou,
1996). By controlling access to information and preventing unauthorized disclosure, a system can achieve confidentiality
(Brinkley & Schell, 1995). Integrity is defined as the “
condition that exists when data is unchanged from its source and has
not been accidentally or maliciously modified, altered, or destroyed” (Schou, 1996). Integrity focuses on preventing
unauthorized modification of information (Brinkley & Schell, 1995). In contrast to confidentiality and integrity, availability
is the “
timely, reliable access to data and information services for authorized users”(Schou, 1996). More broadly, availability
is about information being accessible as needed, when needed, where needed. The objective of availability is to enable access
to authorized information or resources (CEC, 1991). According to Viles & French (1995), most users expect a “
100-100
Web: 100 percent availability for all servers and 100 millisecond latency to every server.” This expectation is nearly
impossible to sustain, given the many threats to availability.
Components of Information Availability (IAV)
It is reasonably well established that availability has three components: Reliability, Accessibility, and Timeliness. Reliability
is “ probability of a system performing its purpose adequately for the period of time intended under the operating
the
conditions encountered” (Reibman & Veeraraghavan, 1991). Users do not want to depend upon a system that cannot be
trusted to consistently execute their requests. Broadly speaking, accessibility is “ degree to which a system is usable by as
the
many people as possible without modification”(http://www.wikepedia.org). There are several access control policies, such as
Proceedings of the Twelfth Americas Conference on Information Systems, Acapulco, Mexico August 04th-06th 2006
1257
2. Martin and Khazanchi
Information Availability
Mandatory Access Control (MAC) and Discretionary Access Control (DAC) which are supported with access control
services such as Role Based Access Control (RBAC) (Sandu, 1996). Timeliness is the responsiveness of a system or resource
to a user request. Traditionally IAV has mostly been measured by the amount of time an information resource is either
processing or not (uptime and downtime) (Wood, 1995).
DETERMINANTS OF INFORMATION AVAILABILITY (IAV)
In Figure 1, each block on the far left represents an IAV factor that impacts the availability of an information resource or the
data stored within an information resource. Each factor influences one or more of the attributes of availability, thereby
contributing to the overall availability of the information resource. A discussion of each factor and its impact to the enterprise
follows.
Security Policy
An enterprise-wide security policy is the foundation for INFOSEC activities and establishes the framework for information
processing and use of IT devices within an enterprise. “ policy is a documented high-level plan for organization-wide
A
computer and information security. It provides a framework for making specific decisions, such as which defense
mechanisms to use and how to configure services, and is the basis for developing secure programming guidelines and
procedures for users and system administrators to follow”(Dekker, 1997).
Most security policies do not address IAV (NRC, 1991; Hosmer, 1996). In fact authors of policies generally concentrate on
confidentiality concerns. A system security policy should address who is using the system and the enterprise’ expectations
s
of users. Access control mechanisms can be defined and user privileges established. A security policy impacts the reliability
of an IS by establishing the thresholds within which the system operates. Current and future architecture and design
decisions should be based upon the organization’ strategic plan and the enterprise security policy. Furthermore, the level of
s
reliability that the organization also desires may impact the amount of preventative maintenance that occurs, the level of
system monitoring and auditing, and evaluation of system effectiveness.
Operational Controls and System Monitoring
By implementing operational controls within the system, security professionals can set limits that protect the organization’
s
information. Operational controls “ those system rules and guidelines that are necessary to manage the day-to-day
are
activities that occur within an enterprise’ information resources”(Weber, 1999, p. 291). Operational controls are created to
s
implement security policy, thereby providing a mechanism for enforcing the security policy. Monitoring system performance
provides the stakeholders of the enterprise with measurements of how the information resources are operating (Weber, 1999).
Real-time monitoring can be used to identify unauthorized activity and can be a powerful tool in protecting the system.
According to Hawkins, Yen, & Chou (2000), the best intrusion protection is constant monitoring for intrusions by utilizing
the best protection the organization can afford.
Operational controls and system monitoring can work together to enforce security policy and provide security professionals
the capability of defending the system at the desired level. Operational controls affect reliability, accessibility, and timeliness
by placing appropriate limits, as deemed necessary within the security policy, on users, applications, hardware, data storage,
and support functions.
Auditing and System Effectiveness Evaluation
According to Weber (1999, p. 10), auditing IT resources is a “
process of collecting and evaluating evidence to determine
whether a computer system safeguards assets, maintains data integrity, allows organizational goals to be achieved effectively,
and uses resources efficiently.” Auditing is used to verify that the operational controls within the system are successfully
implemented and to analyze system behavior to detect misuse or abuse within the system (NRC, 1991). Auditing differs
from monitoring in that auditors analyze historical data, whereas monitors trigger alarms based upon real-time activity.
A system effectiveness evaluation is a specific type of audit that not only analyzes the reports and logs, but takes a macro
view of the system, the organization, and its personnel to determine how well the system meets the needs of the organization
(Weber, 1999). This type of evaluation is especially important for availability, in that the availability is a significant dynamic
of several factors that a system effectiveness evaluation measures (ibid). Auditing and system effectiveness evaluations
provide independent assessment of reliability and timeliness factors within the system. These evaluations may show trends
of inappropriate or unauthorized behavior on the system that is not being caught through real-time monitoring.
Proceedings of the Twelfth Americas Conference on Information Systems, Acapulco, Mexico August 04th-06th 2006
1258
3. Martin and Khazanchi
Information Availability
Figure 1: Key Determinants Information Availability
Physical Security
Physical security is a critical prerequisite of IAV. If an organization does not provide physical security to its systems, then
unauthorized personnel would have unchallenged access to the organization’ systems. The traditional point of view looks at
s
protecting building sites and equipment from theft, vandalism, natural disaster, manmade catastrophes, and accidental
damage (NCES, 1998). While information is not directly protected through physical security, the information resides on
hardware that computer security experts are charged to protect, therefore warranting the attention of both information and
security professionals.
Securing the physical hardware and the communications pathways within the enterprise is an important step in assuring the
availability of the system. If the device containing the data a user is requesting is unavailable because the device has been
stolen, the power to that device has been cut, or the cable connecting the device is disconnected, the impact to the user or
process making the request is the same as if the requestor was not authorized to access that data. Bois (2002) aptly asserts
“ it is vital that we acknowledge that people seeking to do harm to our information infrastructure will not stop if they
…
cannot get to us via the Internet.”
Backups
Backups provide a copy of the data, applications, and O/S settings that are stored within a computer. By having backups, an
enterprise can minimize the downtime an enterprise experiences following an event that may leave a storage device damaged
or erased (Murphy, 1996). Additionally, backups have become necessary because the data stored within the enterprise is
valuable (Parrish, 2001). If the situation arises where information is lost, then a set of backups will greatly reduce the amount
of downtime and loss felt by the organization. Backups for both the system and user are required to provide maximum
restorable capability to the enterprise. Physical security of the backup media is crucial, requiring the same level of security
for the backup capability as other critical applications (Parrish, 2001).
Backups address timeliness and accessibility by providing the enterprise the capability to restore lost files in a timely manner.
Without backups, the system would need to be recovered by starting with blank storage.
Business Continuity
Business continuity is a key component of any enterprise’ plan to maintain operations in the event of a catastrophic event
s
such as a natural disaster or a network attack. Yet, only 20% of existing continuity plans are workable when tested (Brunetto
& Harris, 2001; Kelly, 2000). Business continuity impacts the timeliness and accessibility of a system by providing a
systematic and known process for restoring operations in the least time possible. Without a tested continuity plan, the
organization has no “
insurance”that operations will ever be restored to their pre-event state (Facer, 1999; Wilson, 1997).
Proceedings of the Twelfth Americas Conference on Information Systems, Acapulco, Mexico August 04th-06th 2006
1259
4. Martin and Khazanchi
Information Availability
SECURITY POLICY AND IAV
The six factors identified earlier can influence IAV by impacting how a request made to an information resource is
successfully executed. Each factor plays a role in the success of this complex process, but the enterprise’ security policy
s
provides direction for how each segment of the IT infrastructure will be implemented, operated, maintained, and when
necessary terminated.
In order to address the question of how (and if) security policies of organizations address IAV and how this impacts IAV, we
conducted three case studies using Yin’ (1994) process. The three firms represented in study were as follows:
s
§
Company 1: A regional grocery store chain located in the southern United States and Mexico that employs over
55,000 people in over 300 locations and has annual sales in excess of $10 billion. This company is committed to its
customers by ensuring that zero outages occur as a result of a security breaches. The firm has an informational
website but does not engage in consumer e-commerce. The company’ focus is retail sales of groceries,
s
pharmaceuticals, health and beauty products, and a limited selection of housewares, paper goods and chemicals,
newspapers and magazines, flowers, and outdoor cooking products. This firm also produces a line of food products.
§
Company 2: A large member-owned Fortune 500 company that owns and manages more than $65 billion in assets
and offices throughout the United States and Europe. It offers members banking, investment, personal property and
casualty, and life insurance services. In 2001, this firm posted revenue of $9 billion. Approximately 15% of that
revenue is attributed to the company’ Internet presence. The firm also maintains a Corporate Intranet which is
s
available to employees and contains several online documents and tools that employees use on a daily basis. This
firm employs over 20,000 employees worldwide, with 2,600 personnel in the IT department, and 45 specifically
assigned to system security, but holds every employee responsible for security.
§
Company 3: A national telecommunications provider, offering local and long distance telephone service; dial,
dedicated, switched and digital subscriber line (DSL) services; and managed services to customers. The company
employs approximately 180,000 employees across the United States and reported $43 Billion in revenue in 2002. It
maintains an extensive Internet presence, which includes both informational sites and e-commerce applications.
Customers have a variety of options when viewing the company’ main webpage, including viewing bills, news
s
releases, or the company’ earnings report, as well as requesting new service, troubleshooting telephone problems,
s
or querying the company’ online telephone directory, and customers can register to receive e-mails (e.g., new
s
service information, bill-pay reminder, or a reply to a question). In addition to its public presence, employees have
access to a myriad of information and services via a corporate Intranet.
Case Study Approach
Following Yin (1994), first, the enterprise security policy or policies of each firm were examined to assess whether the
security policy addressed IAV and its enablers using a “
document review agenda” set forth in advance. Second, semistructured interviews were conducted with security personnel from each organization using an a priori list of thirty-five
questions as a starting point for the discussion.
Data collected from the interviews has been combined with the analysis of each organization’ documents to develop a
s
narrative case history for each organization studied. How each firm addresses IAV is examined in terms of the accessibility,
reliability and timeliness and the six factors that influence them.
Case Narratives
Company 1
This company’ corporate security policy does not mention availability at all, nor does the policy provide specific direction
s
or guidance to the reader as to how availability should be provided. Reliability, however, is included as a function that must
be assured. As seen in Figure 2, Company 1 hierarchically organizes its 22 information security policy documents, where
specific guidelines and directions are documented in operating procedures that address specific pieces of hardware or
software systems.
Reliability: Company 1 ensures reliability by architecting an infrastructure that includes frame relay (FR) and satellite
connectivity to all facilities. The entire infrastructure from circuits to printers is redundant. Stores have dual servers, and
servers and cash registers are connected to uninterruptible power supplies (UPS). Company 1 has a primary and backup data
center, each has generator backup and the two facilities are connected via a SONET backbone. All critical applications have
redundant backup with automatic failover. Servers are load-balanced and redundant for each of the application platforms
Proceedings of the Twelfth Americas Conference on Information Systems, Acapulco, Mexico August 04th-06th 2006
1260
5. Martin and Khazanchi
Information Availability
within the enterprise. Not only is Company 1 committed to assuring reliability in its current infrastructure, their strategy plans
to double the current infrastructure capacity within 3 or 4 years. Furthermore, any new piece of hardware or software must
go through a certification process to ensure that corporate standards are met.
Accessibility: Company 1 grants access to information based upon the role (RBAC) the employee is fulfilling for the
business. Applying the law of least privilege, only information that an employee may need to perform the duties the
employee is assigned are made available. It should be noted that any employee movement is not automatically updated within
the IS. Due to the manual request that must be made to the Information Security Office, there is a strong possibility that an
employee’ role may not be updated when the employee changes jobs. Company 1 also recognizes that information may be
s
released to outside parties who must request access to information through the Public Affairs Department.
Timeliness: Timeliness is not addressed in Company 1’ security policy. By architecting the infrastructure with redundant
s
components and connectivity, reduced latency is achieved as a byproduct of reliability. Metrics of system “
uptime”are taken
mostly of the enterprise servers which are concentrated at the data center.
Company 2
Company 2 has high uptime requirements of its IT resources. This company’ Internet presence, and the applications made
s
available to users, requires 100% uptime to deliver on the company’ promise to its users. This company has built an
s
INFOSEC policy pyramid, as seen in Figure 3, to link the corporate security policy with technical procedures for specific
systems. The top layer of the pyramid is the corporate security policy with the corporation’ key security metrics filling the
s
next layer. These two documents address INFOSEC from a business perspective. The third layer, the corporation’ security
s
guidelines, begins to discuss security in technical detail, but also include business requirements.
The final layer of the pyramid is individual procedures, which apply to specific information resources. The company’ data
s
center and alternate facility are located within 200 miles of each other. Both are unmarked buildings, with on-site security
personnel.
Reliability: Company 2 addresses reliability through a combination of network planning, information security, and disaster
recovery actions. The company’ guidelines state requirements, such as dual, non-duplicated paths within the city where the
s
data center is located and separate upstream providers for both voice and data traffic. The same requirement exists for the
alternate data center. Furthermore, its two data centers are connected via an OC-12 connection and the backup data center
can automatically assume the workload in the event that an outage occurs at the primary data center. Both data centers are
hardened, stand alone facilities with the capability to feed and lodge personnel for an extended period of time. To further
enhance the enterprise’ reliability, Company 2 has developed extensive business continuity plans, which would be executed
s
during an event (e.g., natural disaster; physical or cyber attack; or power outage). These continuity plans are reviewed every
60 days to ensure that modifications to the physical and logical network have been recorded in the continuity plans.
Scenario-based exercises are regularly executed at 6-8 week intervals.
Auditing agencies regularly inspect the performance and operation of Company 2’ IT resources. The company’ Internal
s
s
Audit Division, which is separate from the IT Company, analyzes how the system the performance level, run security scans,
check data integrity, and review system logs. External agencies (e.g., Securities and Exchange Commission (SEC) and the
Federal Deposit Insurance Company (FDIC)) also audit Company 2.
Accessibility: Company 2 currently addresses accessibility through role-based access control (RBAC) and an industryleading Information Management System (IMS). Employees are granted access based upon the principle of least access,
which is based upon the employee’ position. If an employee moves from one job to another, then the losing manager
s
triggers a manual process to revoke current privileges and the gaining manager requests new access privileges required to
work in the new position. Members are required to log-on to the Internet site, which initiates the member’ session. Once
s
logged-on, the traffic from the company’ Internet site pass through the IMS, a transaction monitor which makes a member’
s
s
information accessible. Members who use the company’ Internet site may access account information, request services, and
s
in some cases conduct business transactions without visiting a physical office or speaking to a company representative.
Company 2 has a robust backup capability. Backups are written at the Backup Data Center and stored off-site. Backups are
handled by a leading industry backup application, which controls the backup process. Company 2 does not take a singleminded attitude toward backups. Each system has specific backup requirements that are defined when the system is brought
online. Those requirements are programmed into the backup system, thereby providing consistent control of the backup
process. In addition to data files, the company’ Database (DB) and system logs are also backed-up. By including logs in the
s
backup schema, Company 2 can recreate the stored data and any transactions that occurred since the last backup and the loss
of data.
Proceedings of the Twelfth Americas Conference on Information Systems, Acapulco, Mexico August 04th-06th 2006
1261
6. Martin and Khazanchi
Information Availability
Figure 2: Company 1 Security Policy Hierarchy
Proceedings of the Twelfth Americas Conference on Information Systems, Acapulco, Mexico August 04th-06th 2006
1262
8. Martin and Khazanchi
Information Availability
Timeliness: Company 2 addresses timeliness by monitoring, in real-time, certain aspects of circuits, hardware, and software.
Each IS has system-level response time objectives (e.g., end-to-end or application to application). Several IT resources are
designed using an N-tiered model. By architecting systems in this way, Company 2 has enhanced the capabilities of its
information resources, but has increased the complexity of the applications operating within the enterprise. To effectively
measure timeliness, the components of each IS are measured separately. These separate response times are then summed to
provide a high-level response time. Company 2 is then able to identify poor performance at a more granular level and make
the correct adjustment to keep the response times below the maximum response time stated in each system’ system-level
s
objective.
Company 2 balances real-time monitoring with after-the-fact auditing of system and event logs. The business decides how to
strike this balance by analyzing the business requirements and associated risks. The greater the risk assessed, the more realtime monitoring is used. Alarms are based upon a programmed threshold for each IS. Company 2 also audits system and
event logs to analyze user behavior and for the purpose of post-event analysis. By employing real-time monitoring,
Company 2 can address timeliness and defend the enterprise. This coupled with auditing can address system faults to prevent
future problems.
Company 3
IT services in Company 3 have been consolidated into a separate business unit. Day-to-day security is maintained by system
administrators and operations personnel who monitor the public and private networks that Company 3 operates. At Company
3, INFOSEC is a part of the company’ “
s Code of Business Conduct”(hereinafter referred to as “ Code” This document
the
).
states the boundaries within which employees of Company 3 must act. Included in the Code are clauses about the corporate
expectation of privacy, use of company property (including information), ethics, and equal employment opportunity. As seen
in Figure 4, Company 3 has written Executive support for CIS and these executive documents state that INFOSEC is critical
to the success of the business. It is worth noting that the policy provides the company’ confidentiality, integrity, and
s
availability definitions. Additionally, this policy explicitly states that non-availability could be a characteristic of company
information if the company’ information is not protected. While availability is defined in Company 3’ security policy, the
s
s
policy is written at an executive-level. The technology used to accomplish the goals stated in the policy is documented in the
company’ INFOSEC standards. INFOSEC guidelines address how to use the technology to accomplish those policy goals.
s
Reliability: Company 3 addresses reliability by clustering and consolidating data storage and processing and by employing
redundant circuitry throughout its logical and physical network. The company has strategically located regional data centers
which are controlled by an on-site security detail, with access card and biometric access devices installed at points of entry to
computer rooms. Additionally, Company 3 has identified a comprehensive list of hardware and software documentation (i.e.,
business benefits, technologies used, backup and application recovery contacts and requirements, and field support impact)
which IT personnel use to maintain each IT resource. Company 3 employs multiple firewalls throughout the enterprise, each
of which is dedicated to a certain class of user (e.g., affiliates, business partners, employees).
Company 3 conducts systematic backups at all its data centers. In addition to backups at the data center level, Company 3
has implemented an application which enables employees to backup critical files residing on a desktop PC. In the event that a
data center experiences an event resulting in downtime, each data center is linked to another data center, which acts as its
backup. Additionally, each data center maintains offline backup storage for itself and the data center to which it is linked.
As a national telecommunications provider, Company 3 is very concerned about disaster recovery and business continuity.
As a result, Company 3 has a workgroup within the company’ Asset Protection Division dedicated to planning the response
s
to an unforeseen event. Before any IT resource is added to the enterprise, a continuity plan is developed and tested.
Enterprise-wide tests of the company’ continuity plans are conducted annually.
s
Accessibility: Company 3 addresses accessibility through RBAC and the rule of least privilege. Employees are granted
access based upon the needs of their position and requirements of Federal Regulations. Company 3 has a standardized User
ID and utilizes an industry standard directory service. This enables developers to verify the identity of the user. This does
not, however, allow all users to access all IT resources. For some IT resources, ITO grants access; for others the administrator
or owner of the IT resource grants access. Company 3 tracks access controls manually. If an employee changes positions, the
employee will request access to any new IT resources that are required to complete work in the new position. For auditing
purposes, all access requests are documented and the accountability trail maintained. Additionally, Company 3 maintains
several classifications of information, which define the level at which that information can be released.
Proceedings of the Twelfth Americas Conference on Information Systems, Acapulco, Mexico August 04th-06th 2006
1264
9. Martin and Khazanchi
Information Availability
Figure 4: Company 4 Security Policy Diagram
Proceedings of the Twelfth Americas Conference on Information Systems, Acapulco, Mexico August 04th-06th 2006
1265
10. Martin and Khazanchi
Information Availability
Timeliness: Timeliness is addressed through the Systems Operations Center (SOC), where monitoring throughout the logical
and physical network is conducted. Company 3 employs a number of alarms which are activated based upon the rules
applied to each alarm. Periodically, the need for each alarm is reviewed to ensure that the cost of alarming the network is
commensurate with the risk of loss. Company 3 applies specific standards to its various IT resources. How each standard is
applied is dependent upon the criticality of the resource and the risk to the business. These factors are determined as part of
the design process, and timeliness metrics are made available to the IT staff through the Availability Management group.
Company 3 has an active Auditing group. This group not only audits IT systems, but the entire business. Audits are
conducted when irregularities within the business arise. During these audits, the supporting IT resources are analyzed. Any
identified IT or INFOSEC findings are included in the report which is provided to the President of the business unit, and
applicable sections are sent to the personnel responsible for that function (e.g., INFOSEC findings are sent to the appropriate
CIS consultant).
SUMMARY OF FINDINGS
Based on our understanding of factors that influence IAV and the related analysis of the data collected from three firms, we
can draw the following conclusions.
Ø Whether an organization’ security policy addresses IAV or not, business requirements are driving IT professionals to
s
provide IAV.
IAV was absent from Company 1’ security policy; the word ‘
s
availability’was included in Company 2’ security policy; and
s
defined in Company 3’ security policy. Regardless of how IAV was addressed in the company’ security policy, the
s
s
business requirements of all three companies had identified IAV. Furthermore, information is being used by each company
to bring the business closer to both customer and other businesses. By using IT to connect geographically dispersed
locations, the companies interviewed have leveraged consolidated storage plans to decrease operating costs and enhance the
services that each company can provide. These applications are not driven by INFOSEC considerations, but by business
requirements. The INFOSEC literature reviewed for this paper indicates that IAV is not being addressed because
unavailability has infinite causes. Conversely, businesses have embraced the possibilities (and the enhanced revenues) which
effective IAV brings.
Ø Security policies provide broad INFOSEC goals, which may include IAV, but do not provide sufficient detail to address
IAV in a day-to-day context.
After reviewing each company’ security policy and interviewing the company’ INFOSEC professional(s), it is clear that
s
s
each company did not desire to have detailed security policies. Applying a hierarchical approach to the policies, which all
three companies did, allowed each company to secure executive support for INFOSEC goals and develop more granular
documentation (i.e., standards, guidelines or procedures) for use by personnel charged with day-to-day control of the
information enterprise. The degree to which IAV is addressed in the security policy does not necessarily correspond with the
level of IAV that is demonstrated by each company.
Ø Of the three components of IAV, reliability is an obvious requirement in all cases. Timeliness and accessibility,
however, do not receive the same attention.
The companies participating in this research had all architected highly redundant infrastructures. Each company had done
this to remove as many single points of failure as possible. Furthermore, Companies 1 and 3 addressed IAV through
redundancy, but neither addressed timeliness. Company 2 also addressed IAV through redundancy and had detailed
timeliness metrics which provided additional granularity to Company 2. None of the companies addressed IAV through the
context of accessibility. In general, timeliness seems to be addressed through system performance parameters rather than
through security policy. For example, Company 2 recorded response times to provide metrics which could be analyzed to
address timeliness.
Ø Given the large showing of redundant IT components in the participating companies, there may be cause to add
‘
Redundancy’ a determinant of IAV.
as
Each of the participating companies had redundant hardware and software, communications pathways, and data centers.
Each company also placed a great deal of confidence in having redundancy to provide IAV in the event of an outage (e.g.,
natural disaster, manmade catastrophe, accidental or malicious action, or hardware or software failure). Therefore, after
Proceedings of the Twelfth Americas Conference on Information Systems, Acapulco, Mexico August 04th-06th 2006
1266
11. Martin and Khazanchi
Information Availability
reviewing the data collected for this paper, we believe that ‘
Redundancy’should be included as the seventh determinant of
IAV in our model displayed in Figure 1. Past research in this area has shown that redundancy provides an organization the
ability to reconstruct information elements that may be corrupted or damaged and minimize unavailability by utilizing
redundant capabilities or restoring the capabilities of the IS (Jajodia et al., 1999). Additionally, having redundant
connectivity that has adequate capacity for the traffic load of the organization is an imperative for many organizations today
(Hutt et al., 1995).
Ø The ability to provide adequate IAV is impeded by resource constraints and the need to balance IAV with the other
security attributes (i.e., confidentiality and integrity), and economic and political considerations.
Past research shows that there is greater importance attached to confidentiality and integrity as compared with IAV. Our
study provides some support for the notion that there is a division between INFOSEC requirements and business
requirements. Furthermore, we find that IAV is addressed from a business perspective and not from a security perspective.
It is apparent that the ability to deliver adequate IAV has to be balanced with other security attributes and business
requirements. Also, IAV may need to be considered separately from confidentiality and integrity and potentially a separate
IAV policy may be needed within organizations to overcome the potential threats to availability.
CONCLUDING REMRKS
In this paper we have developed a detailed understanding of information availability (IAV) an important attribute of modern
information security. Based on past literature, we provide a detailed list of factors or determinants of information availability
and its attributes (reliability, accessibility and timeliness). We evaluate the impact of a firm’ security policy on IAV and
s
discuss some key findings. It is important to note that we intentionally focused our attention in this research on how one
determinant of IAV, security policy, impacts IAV. This is because we felt that without a well-developed security policy, an
enterprise is ill-prepared to ensure that information resources with be available and that the data is correct. However, we
believe that further research needs to be conducted on how the other determinants influence IAV and in what way the
interactions between the various determinants impacts IAV and INFOSEC.
REFERENCES
1.
Bois, J. (2002, April 4). Protect yourself. Retrieved from http://rr.sans.org/physical/protect.php. SANS Institute
(http://www.SANS.org).
2.
Brinkley, D. L. & Schell, R. R. (1995) Concepts and terminology for computer security. In. M. D. Abrams, S. Jajodia &
H. J. Podell (Eds.), Information security: An integrated collection of essays, 11-39. Los Alamitos, CA: IEEE Computer
Society Press.
3.
Brunetto, G. & Harris, N. L. (2001) Disaster recovery: How will your company survive? [Electronic version]. Strategic
Finance, 82(9), 57-61.
4.
CEC -- Commission of the European Communities (1991). Information Technology Security Evaluation Criteria
(ITSEC), Provisional Harmonized Criteria: Version 1.2 [Electronic version]. Luxembourg: Office for Official
Publications of the European Communities.
5.
Dekker, M. (1997) Security of the Internet. The Froehlich/Kent Encyclopedia of Telecommunications, Vol. 15, 231255. Retrieved May 21, 2002 from http://www.cert.org/encyc_article/tocencyc.html.
6.
Facer, D. (1999) Rethinking: Business continuity [Electronic version]. Risk Management, 46(10), 17-18.
7.
Hawkins, S., Yen, D. C., & Chou, D. C. (2000) Awareness and challenges of Internet security.
Management & Computer Security, 8(3), 131-143.
8.
Hosmer, H. H. (1996) Availability policies in an adversarial environment. Proceedings of the 1996 Workshop on New
Security Paradigms, USA, 105-117. Retrieved April 10, 2002 from http://doi.acm.org/10.1145/304851.304876.
9.
Hutt, A. E., Bosworth, S., & Hoyt, D. B. (Eds.). (1995) Computer security handbook (3rd edition). New York, NY:
John Wiley & Sons, Inc.
Information
10. Jajodia, S., McCollum, C. D. & Ammann, P. (1999) Trusted recovery [Electronic version]. Communications of the
ACM, 42 (7), 71-75.
Proceedings of the Twelfth Americas Conference on Information Systems, Acapulco, Mexico August 04th-06th 2006
1267
12. Martin and Khazanchi
Information Availability
11. Kelley, J. (2000) Business continuity: Battling high-tech exposures [Electronic version]. Risk Management, 47(5), 3133.
12. Lipson, H. F. & Fisher, D. A. (1999) Survivability--A new technical and business perspective on security [Electronic
version]. Proceedings of the 1999 workshop on new security paradigm, Canada, 33-39.
13. Martin, A. (2003) Key determinants of information availability: a multiple case study. Unpublished MS in MIS Thesis,
University of Nebraska at Omaha.
14. Millen, J. K. (1992) Resource allocation model for denial of service. Proceedings of the Symposium on Research in
Security and Privacy. USA, 137-147.
15. Murphy, M.
(1996, February 1) Backup
http://www.linuxjournal.com/article.php?sid=1208.
strategy.
Retrieved
May
14,
2002
from
16. NCES -- National Center for Education Statistics. (1998, September 22) Safeguarding your technology: Practical
guidelines for electronic education information security [Electronic version] [Handbook]. In: Szuba, T. and the
Technology and Security Task Force of the National Forum on Education Statistics. Retrieved June 20, 2002, from
http://nces.ed.gov/pubsearch/pubsinfo.asp?pubid=98297
17. NRC -- National Research Council (1991) Computers at risk: Safe computing in the information age. Washington, D.C.:
National Academy Press.
18. ODI -- Ontrack Data International (2006) Cost of Data Loss.
http://www.ontrack.com/understandingdataloss/.
Retrieved January 12, 2006 from
19. Parker, D. B. (1992) Restating the foundation of information security.
Conference on Information Security, Netherlands, 139-151.
Proceedings of the Eighth International
20. Parrish, S. (2001, August 30) Security considerations for enterprise level backups. Retrieved June 7, 2002 from
http://rr.sans.org/backup/enterprise_level.php.
21. Reibman, A. L. & Veeraraghavan, M. (1991) Reliability modeling: An overview for system designers [Electronic
version]. Computer, 24(4), 49-57.
22. Sandu, R. (1996) Access control: The neglected frontier [Electronic version]. Proceedings of the First Australasian
Conference on Information Security and Privacy, Australia, 219-227.
23. Schneier, B. (2000) Secrets and lies: Digital security in a networked world. New York, NY: John Wiley & Sons, Inc.
24. Schou, C., Editor (1996) Information Systems Security Organization (ISSO) Glossary of INFOSEC and INFOSEC
related terms, Vols. I & II. Idaho: Idaho State University.
25. Tryfonas, T., Gritzalis, D. & Kokolakis, S. (2000, August) A qualitative approach to information availability.
Proceedings of Information Security for Global Information Infrastructures (IFIP TC11). Sixteenth Annual Working
Conference on Information Security, USA, 37-47.
26. Yin, R. K. (1994) Case study research: Design and methods. (2nd Ed.). Thousand Oaks, CA: SAGE Publications,
Inc.
27. Viles, C. L. & French, J. C. (1995) Availability and latency of world wide web information servers. Computing
Systems, 8 (1), 61-91.
28. Weber, R. (1999) Information systems control and audit. Upper Saddle Creek, New Jersey: Prentice-Hall, Inc.
29. Wilson, K. (1997, September 2) Contingency and recovery planning: Checklist for information systems. Retrieved on
June 6, 2002 from http://socrates.berkeley.edu:2001/em/checklist.html.
30. Wood, A. (1995) Predicting client/server availability [Electronic version]. Computer, 28(4), 41-48.
Proceedings of the Twelfth Americas Conference on Information Systems, Acapulco, Mexico August 04th-06th 2006
1268