This document discusses planning and implementing information security. It defines information security as protecting information from unauthorized access, use, disclosure, modification, or destruction. The three main purposes of information security are confidentiality, integrity, and availability, known as the CIA triad. A six-phase security process identifies assets, analyzes risks, establishes policies, implements defenses, monitors those defenses, and plans recovery from attacks. The first steps in implementing information security are conducting a full risk assessment and creating a security policy that everyone in the organization must follow to protect the security of the system.
Information Security - Back to Basics - Own Your Vulnerabilities (Jack Nichelson)
When a security program isn't as good as it should be it can be tempting to conclude that it needs more resources and solutions. Jack Nichelson decided to take a different approach: simplification. By focusing on fewer problems with bigger returns, he was able to reduce malware by 60 percent and improve the results of his annual pen report. He’ll share a back-to-the-basics case study for removing complexity and running a simple, effective, start-up worthy security program.
This Talk is for - Security Managers looking to better focus on the real vulnerabilities and more effectively communicate your progress
The Goals of this talk – Find the real problems, create a formal plan, build support for the plan, and report the progress
The CIA Triad - Assurance on Information Security (Bharath Rao)
Confidentiality, Integrity and Availability of Data are the basis for providing assurance on IS Security. This document gives a small overview of the impact of confidentiality, integrity and availability on the data and the need of securing the CIA.
Security in the Cognitive Era: Why it matters more than ever (EC-Council)
Change isn’t coming. It’s already here. More devices. More access points. More valuable data in the cloud. In this new digital era, perimeter controls and traditional security practices are not enough to safeguard your enterprise. You need security for the way the world works. Security intelligence and integrated controls are today’s essentials to gain visibility and get to a higher level of maturity. Learn how cloud, collaboration and cognitive will define the next era of security to help you outthink attackers and proactively protect your most critical assets.
IOSR Journal of Electronics and Communication Engineering(IOSR-JECE) is an open access international journal that provides rapid publication (within a month) of articles in all areas of electronics and communication engineering and its applications. The journal welcomes publications of high quality papers on theoretical developments and practical applications in electronics and communication engineering. Original research papers, state-of-the-art reviews, and high quality technical notes are invited for publications.
We live in a digital world in which our happiness, health, and even our lives can depend on the performance of technology. From medical equipment to cars, and home security systems to smartphones, computerized equipment plays a greater role in the human experience with each passing year.
IT Executive Guide to Security Intelligence (thinkASG)
Transitioning from log management and SIEM to comprehensive security intelligence.
This white paper discusses the increasing need for organizations to maintain comprehensive and cost-effective information security, and describes the integrated set of solutions provided by the IBM QRadar Security Intelligence Platform designed to help achieve total security intelligence.
Mobile Security: 5 Steps to Mobile Risk Management (DMIMarketing)
Hundreds of companies, and the most demanding Federal agencies rely on DMI for Mobile Security services and solutions. And with more than 500,000 devices under management, we know how to do it right.
Now we’ve distilled 9 years of Mobile Security best practices into a white paper you can download. The paper lays out a smart, sensible approach to managing mobile risk without unnecessary cost and business disruption.
Please be our guest and check out the white paper. You’ll learn:
How to identify and protect against the threats that matter the most
What to do about “the hottest new technologies”
How to get the most protection for the least cost and disruption
The key differences and similarities between Mobile and traditional cybersecurity
- See more at: http://dminc.com/solutions/enterprise-mobility-services/mobilesecuritywp/
Security is ever changing, and best practices are constantly being replaced by new methods to prevent new threats. For more information, visit https://www.facebook.com/DanielMorganGS/ and https://dmgs.org/
Just created a slideshare presentation giving a basic introduction to the Confidentiality, Integrity & Availability (CIA) Security Model. You can see more slideshows on http://www.slideshare.net/ImranahmedIT or visit my website: http://imran-ahmed.co.uk
Social engineering is a non-technical method that cyber attackers use; it relies heavily on human interaction and often involves tricking people into breaking standard security practices. The success of social engineering depends on the attacker's ability to manipulate victims into performing specific actions or handing over confidential information. Today, social engineering is recognized as one of the greatest security threats facing organizations. It differs from conventional hacking in that social engineering attacks can be entirely non-technical and do not necessarily involve compromising or exploiting software or systems. When successful, many social engineering attacks give the attacker genuine, authorized access to confidential information.
Information Security Management. Introduction (yuliana_mar)
Information Security Management. Introduction.
By Yuliana Martirosyan,
Based on Bell G. Reggard, Information Security Management. Concepts and Practices.
Businesses of all sizes are targeted by hackers to gain access to proprietary and customer data, threatening your ability to operate or even remain open for business.
Learn how to protect your business from threats and position it for growth.
This presentation discusses the relationship between cyber security resilience and risk aggregation. The two concepts are closely related: risk aggregation refers to a firm's efforts to develop quantitative risk measures that incorporate multiple types or sources of risk.
Cyber security resilience is the capacity to maintain a set of cyber controls that gives the organization adequate resilience, in line with its risk appetite, by managing the aggregate of those multiple types or sources of risk.
SBIC Enterprise Information Security Strategic Technologies (EMC)
This report from the Security for Business Innovation Council describes next generation technologies that support an Information-Driven Security strategy.
The relentless pace of change in technology, and in the use of data, information and knowledge, creates huge challenges for application users and developers alike. Data breaches are happening in every sector and at every level of every sector. The challenges are countless, from operational to strategic, and they become harder every day as information technology reaches more of the general population; the threat has become real. Everyone, customers and companies, retailers and stakeholders, distributors and dealers, needs assurance from the provider, and corporations face reputational risk with their users at every step. There is therefore a need for a framework or body that can manage information technology risks and controls: a privacy management system that builds a framework for protecting data while also handling privacy and agreement issues. This can be done by adopting a scalable, risk-based method that determines what is to be secured and how, by carrying out defined actions.
CIA = Confidentiality of information, Integrity of information, Avai.pdf (annaielectronicsvill)
CIA = Confidentiality of information, Integrity of information, Availability of information.
This model is designed to guide information security policy in an organization. Each field is identified separately and the respective protective measures are listed. A breach in any of the three fields has serious consequences for the parties involved.
Confidentiality:
Confidentiality can also be called privacy. In today's world everyone holds sensitive information that becomes a problem if it falls into the wrong hands. Only the authorized person must be able to view the data, while third parties are prevented from obtaining it. This is not very difficult to achieve, but one problem has to be considered: if the measures are too strict, the legitimate trusted user may struggle to view their own information, so the rules must remain workable for the appropriately verified user as well.
Cryptography and encryption are the classic means of ensuring the confidentiality of data transferred from one computer to another. Passwords and two-factor authentication are now in common use. In addition there is biometric verification, storage on encrypted volumes (TrueCrypt, which is now discontinued), security tokens and soft tokens, and SSL/TLS for safe communication across a network. Honeypots are also often listed here, but they divert intrusion attempts rather than protect confidentiality directly.
Integrity:
Integrity involves maintaining the consistency, accuracy and trustworthiness of data over its entire life cycle. Information is only worth something if it is true, and there are many attackers on the net who alter the details of a secured file so that it loses its value.
Measures that provide integrity are file permissions and user access controls, digitally signing the data, hashing the data and sending the hash to the receiver to compare against what was received, and checksums or cryptographic checksums. Note that a plain hash only detects accidental corruption: an attacker who can alter the data can recompute it, so the hash must be keyed (an HMAC), signed, or delivered over a channel the attacker cannot write to. There should also be a way to repair damaged information through a strong and secure backup mechanism.
Availability:
This ensures that users can get their information whenever they need it. The main aim of security is to safeguard the authorized user's data, and ensuring that they can reach it at all times is crucial. Some attacks focus mainly on denying users access; DDoS attacks are the typical case. Some parties might try to block a competitor's resources from its users so that they can win more sales. Besides attackers, natural disasters can also destroy data and deny users their right to reach it when needed.
The best solution is offsite backups with a short time to restore. Firewalls and proxies can help in tackling DoS (denial of service) attacks, and redundancy for highly important information also helps.
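The integrity measures above list "hashing the data and sending it to the receiver". The following added example (written for this page, not part of the original answer) shows in Python why an unkeyed hash only catches accidental corruption, and why a keyed HMAC is what actually detects tampering: the payroll record, the shared key and the attacker's edits are all constructed here.

```python
"""Integrity checks on a record in transit: bare hash versus keyed MAC.

Added example, not part of the original answer.  The sample record, the
shared key and the attacker edits are constructed inline.
"""
import hashlib
import hmac
import secrets
from typing import Optional


def checksum(data: bytes) -> str:
    """Unkeyed SHA-256: anyone who can alter the data can recompute this."""
    return hashlib.sha256(data).hexdigest()


def mac_tag(key: bytes, data: bytes) -> str:
    """HMAC-SHA256: only a holder of `key` can produce a matching tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_checksum(data: bytes, expected: str) -> bool:
    # compare_digest keeps the comparison time independent of where the digests differ
    return hmac.compare_digest(checksum(data), expected)


def verify_mac(key: bytes, data: bytes, expected: str) -> bool:
    return hmac.compare_digest(mac_tag(key, data), expected)


def run_scenarios(key: Optional[bytes] = None) -> dict:
    """Replay three deliveries of one record and report what each check decides."""
    key = key or secrets.token_bytes(32)       # shared sender/receiver key, agreed out of band
    record = b"employee=alice;salary=52000\n"  # constructed sample payroll row
    sent_checksum = checksum(record)
    sent_tag = mac_tag(key, record)
    results = {}

    # 1. Unmodified delivery: both checks accept.
    results["honest_accepted"] = (
        verify_checksum(record, sent_checksum) and verify_mac(key, record, sent_tag)
    )

    # 2. A digit changes in transit while the checksum arrives intact: both checks reject.
    corrupted = record.replace(b"52000", b"52001")
    results["corruption_rejected"] = (
        not verify_checksum(corrupted, sent_checksum)
        and not verify_mac(key, corrupted, sent_tag)
    )

    # 3. An active attacker rewrites the salary and, because the hash is unkeyed,
    #    simply recomputes the checksum so that it matches the forged record.
    forged = record.replace(b"52000", b"95000")
    results["checksum_fooled_by_forgery"] = verify_checksum(forged, checksum(forged))

    # Without the real key the attacker can only tag the forgery under a guessed key,
    # and the receiver's verification under the true key rejects it.
    attacker_tag = mac_tag(secrets.token_bytes(32), forged)
    results["mac_rejects_forgery"] = not verify_mac(key, forged, attacker_tag)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

Scenario 3 is the one the answer's wording glosses over: a checksum that travels with the data, or that the attacker can rewrite, proves nothing. Either key it, as here, or sign it, or carry the digest over a channel the attacker cannot alter.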
Module 02 Performance Risk-based Analytics With all the advancem (IlonaThornburg83)
Module 02 Performance Risk-based Analytics
With all the advancements in technology and encryption levels, some methods are faster or slower than others. In most cases a cybersecurity professional must weigh cost, performance, and security. Risk is a powerful tool used by all cybersecurity professionals to assist in making these decisions, and in influencing appropriate stakeholders by providing appropriate information with regard to these three elements.
Risk analysis, or risk-based analytics, helps determine the level of risk to an organization. The first step in this process is to determine the sensitivity of the data being processed. The example below is a common data classification for many organizations; however, depending on how the data will be used, these categories may vary with the classification levels in use.
· Public: Data available to the general public and approved for distribution outside the organization.
· Examples: press releases, directory information (not subject to a government regulations or blocks), product catalogs, application and request forms, and other general information that is openly shared. The type of information an organization would choose to post on its website offers a good example of Public data.
· Internal: Data necessary for the operation of the business and generally available to all internal users, users of that particular customer, and potentially interested third-parties if appropriate and when authorized.
· Examples: Some memos, correspondence, and meeting minutes; contact lists that contain information that is not publicly available; and procedural documentation that should remain internal.
· Confidential: Data generally not made available outside the organization and the unauthorized access, use, disclosure, duplication, modification, or destruction of which could adversely impact the organization and/or customers. All confidential information is sensitive in nature and must be restricted to those with a legitimate business need to know.
· Examples:
· Information covered by the Family Educational Rights and Privacy Act (FERPA), which requires protection of records for current and former students. This includes pictures of students kept for official purposes.
· Personally identifiable information entrusted to the organization’s care that is not restricted use data, such as information regarding applicants, donors, potential donors, or competitive marketing research data.
· Information covered by the Gramm-Leach-Bliley Act (GLB), which requires protection of certain financial records.
· Individual employment information, including salary, benefits and performance appraisals for current, former, and prospective employees.
· Legally privileged information.
· Information that is the subject of a confidentiality agreement.
· Restricted: Data that MUST be specifically protected via various access, confidentiality, integrity and/or non-repudiation controls in order to comply with legislative, regulatory, con ...
Cybersecurity Vs Information Security.pptx (Infosectrain3)
A simple definition of information security is preventing unauthorized access during the storage or transmission of data. Biometric information, social media profiles, and data on mobile phones can be considered information. Therefore, research for information security covers various fields, such as cryptocurrency and online forensics.
BBA 3551, Information Systems Management 1 Course Lea.docx (aryan532920)
BBA 3551, Information Systems Management 1
Course Learning Outcomes for Unit VIII
Upon completion of this unit, students should be able to:
3. Examine the importance of mobile systems and securing information and knowledge.
Reading Assignment
Chapter 12:
Information Security Management
Unit Lesson
In the last unit, we discussed outsourcing, the functions and organization of the IS department, and user
rights and responsibilities. In this final unit, we will focus on security threats to information systems.
PRIDE and System Security
PRIDE processes privacy settings on the server and returns a code that indicates which of the four privacy
levels defined for PRIDE govern a particular individual with a particular report/data requestor. By processing
settings on the server, those settings are not exposed to the Internet. The return code is, however, and the
operational system should probably use https for both the code and to return the report. This was not done in
the prototype, though.
The relationship between patients and PRIDE participants is N:M. One patient has potentially many
organizations, and an organization has potentially many patients. What this means is that a patient has a
relationship, potentially, to many participants of a given type: many doctors, many health clubs, many
insurance companies, and even many employers. In addition, a patient has a relationship to, potentially, many
types of participants.
Given the N:M relationships, a natural place to put privacy settings is in the intersection table. That table
serves, intuitively, as an opacity filter between a given patient and a given doctor (or other
person/organization).
The tension in the dialog between Maggie and Ajit at the beginning of Chapter 12 regarding what terminology
to use with Dr. Flores is intended to set up a discussion from both perspectives. It is a common problem for
techies when talking with business professionals: How much technical language should I use? It is important
to use enough to demonstrate competency, but not so much as to drown the businessperson in terminology.
Using the Ethics Guide: Securing Privacy
In this chapter, we discuss three categories of criteria for evaluating business actions and employee
behaviors:
legal
ethical (categorical imperative or utilitarianism)
good business practice
We can clearly see the differences in these criteria with regard to data security. A doctor’s office that does not
create systems to comply with HIPAA is violating the law. An e-commerce business that collects customer
data and sells it to spammers is behaving unethically (by either ethical perspective). An e-commerce business
that is lackadaisical about securing its customers data is engaging in poor business practices.
Even still, business professionals today need t ...
Running head: ORGANIZATIONAL SECURITY
ORGANIZATIONAL SECURITY
Student’s Name
Tutor’s Name
Course Title
Date
Introduction
Security concerns are growing everywhere in the world at the same time. Many countries try hard to provide for their citizens despite huge populations, and business is the core factor that gives people a way to a better life. Organizations have emerged and all try as hard as they can to be successful, despite the many challenges of the marketplace. The exchange of goods and services is the core issue that led to the emergence of business globally. Many different products are produced all around the world, and researchers have shown that for a business to be rated successful its security status must also be considered. Security protects the products and services of the organization. It is very important to keep a company's security high, because then all the products and services it produces are protected from competitors and from ill-intentioned individuals who might want to bring the business down. Employers and employees are the ones responsible for keeping an organization's security at a high level.
Background information
In today’s world, almost everything of value is stored in digital form. When a business lacks a way to defend its digital assets, the business is effectively lost, and the potential loss grows bigger every day (Gupta, Rees, Chaturvedi & Chi, 2006). The need for proper security in the organization has existed ever since the first computer was introduced into the business environment. The paradigm has shifted greatly over the years, from terminal and mainframe systems to client-server systems and beyond.
Despite being very important, security has not always been treated as critical to organizational success. With mainframe systems in place, many organizations managed to protect their systems from abuse of resources, for instance an unauthorized user gaining access to the organizational system, or an authorized user hogging the company’s resources. Such abuse was considered especially damaging because system time was very costly in the early mainframe days. As technology developed and the cost of system resources fell, this issue became less important to the business environment (Gupta, Rees, Chaturvedi & Chi, 2006). Remote access from outside the organizational network was also essentially non-existent, and only the underground community had the specialized tools and knowledge that an attack required.
Cybersecurity Interview Questions and Answers.pdf (Jazmine Brown)
Cyber security professionals are in high demand, and those willing to learn new skills to enter the area will have plenty of opportunities. Our goal is to present you with the most comprehensive selection of cybersecurity interview questions available.
Information security, or infosec, is concerned with protecting information from unauthorized access. It is part of information risk management and therefore involves preventing or reducing the probability of unauthorized access, use, disclosure, disruption, deletion, corruption, modification, inspection or recording. In this article we discuss IT security, the various threats to information security, the different obstacles to information security, and the various ways in which the Internet can be lucrative. Bhavya Verma | Purva Choudhary | Dr. Deepak Chahal, "An Empirical Study on Information Security", published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-4 | Issue-4, June 2020, URL: https://www.ijtsrd.com/papers/ijtsrd30888.pdf Paper URL: https://www.ijtsrd.com/computer-science/computer-security/30888/an-empirical-study-on-information-security/bhavya-verma
7 Practices To Safeguard Your Business From Security Breaches! (Caroline Johnson)
Cybercriminals are out to get your business, and they're doing it in a big way. It's no secret that though cybercriminals often target large businesses, smaller organizations are also attractive to them. The logic is simple: small businesses usually follow a standard "not much to steal" mindset using fewer controls and easy-to-breach data protection strategies.
Here are the seven best practices every small business should implement immediately to protect the organization from cyberattacks and keep its data safe from thieves and hackers. To learn more, visit: https://bit.ly/3G96FDr
1. Running head: PLANNING AND IMPLEMENTING INFORMATION SECURITY 1
Planning and Implementing Information Security
John Intindolo
American Public University
Planning and Implementing Information Security
Information Security has become a point of emphasis for almost everyone in today’s world. A large portion of the population has a computer that they use for their daily activities. Some use it to do their homework, pay their bills, or balance their checkbook. Others use their computer to keep in touch with family and friends through social media websites, or to keep track of their fantasy football team’s stats. Businesses may rely on their computer network to perform daily business transactions and to store pertinent financial and customer data. The one thing they all share is that they need to be connected to the Internet.
The networks that connect users to their computers come in many forms: a home network with a single computer, a large family with several computers, laptops, and smart phones connected, a small business with a group of computers on its network, or a large corporation with multiple networks spread across multiple locations. The point is that no matter how big or small a network is, the one thing they all share is the need for their information to remain secure. So what is Information Security?
Information Security is the practice of defending information from being accessed, used, disclosed, modified, inspected, recorded, or destroyed by someone who is unauthorized to do so (“Definition of information security,” 2012). As that definition shows, Information Security does not relate only to computers. Whenever a person locks a file cabinet, or requires a passcode to open a safe, they are using a form of Information Security. Other examples of putting Information Security methods into place would be when a person uses a password to log onto their phone or computer. Some may simply be trying to protect their personal photos or their music catalog of mp3s; others, like businesses, are looking to protect financial data (such as employee payroll records), customer data (such as billing and credit card information), or even intellectual property (such as trade secrets). The point is to keep unauthorized access out of the system, no matter how big or how small that system is. What are the three main purposes of Information Security?
The three main purposes of Information Security are to protect the confidentiality, integrity, and availability of information. This is commonly known in the Information Technology field as the CIA Triad of Information Security. Confidentiality refers to ensuring that information is kept from being accessed by those who are not authorized to do so. Integrity, simply put, means that the information is valid and trustworthy: it has not been altered or corrupted, accidentally or deliberately, at any point while it is stored, transmitted, or processed. Availability is the third main purpose of Information Security and, as the name suggests, refers to keeping information resources reachable by authorized users when they need them. Availability can be disrupted in several different ways, including the following: a technical issue breaking the connection to the network, a natural disaster that causes a power outage, or a man-made disaster, whether accidental or intentional (a denial-of-service attack being the deliberate case). All three aspects of the CIA Triad are important, and without all three being implemented the security of the system will fail. Two other security properties extend the CIA Triad umbrella: authentication and nonrepudiation.
Authentication is “the process of determining whether someone or something is, in fact,
who or what, it is declared to be” (“Authentication vs.,” 2013). This can be accomplished through
the use of passwords, for instance. Other examples of authentication would be the use of
security badges or a fingerprint scanner. If a person cannot be authenticated as being who they
say they are, then they will not be able to connect to the network. It is important to use strong
passwords so that they cannot be easily guessed by an attacker. Sometimes a password alone is
not secure enough, and that would require the use of multi-factor authentication. What
this means is that two or more authentication practices must be used before allowing someone
access to the network. For example, a password and the person’s social security number.
Repudiation can be defined as “the denial of an entity of having participated in all or part of a
communication” (Kremer & Raskin, p. 1). Nonrepudiation is therefore the complete
opposite of that: it provides assurance that the original source of the data, or the person the data
was sent to, cannot deny having sent or received it.
There are choices that must be made in maintaining the security of information and
ensuring that the CIA Triad is being followed. These choices come in three different forms: rule-
based decisions, relativistic decisions, and rational decisions. Rule-based decisions are widely
accepted guidelines that are imposed on all subjects. Some examples of this would be a person
locking the doors to their house and locking their car doors. No one is making the person lock
their doors, but it is widely accepted as a security practice.
Relativistic decisions are decisions that are made in an attempt to “one-up” someone who
has similar security problems. An example of this type of decision would be if a person went over
to their friend’s house and saw their security system, and then decided to go out and buy a more
advanced security system for themselves. In the field of Information Security this may not always
be done just to “one-up” another person’s security for bragging rights, but rather to ensure that
their information remains secured. The third common security decision is called a rational
decision. This means that the decision is based on analyzing the security process, and making a
well thought-out plan to determine the best measures to take. What is the security process?
The security process is a list of six phases that works through the details of a problem
systematically and arrives at a rational decision to correct it. The six phases are as
follows: identify the assets, analyze the risk of an attack, establish a security policy, implement the
defenses, monitor the defenses, and recover from attacks (Smith, 2011, p. 5). Each of the six
phases is connected to the others. They are performed in order, and each subsequent step builds
upon the results of the previous one. If a later step reveals that an earlier
phase is incorrect, then the earlier step is revisited and corrected.
Phase one is identifying the assets. This is done so that the most important data can be
separated from the least important. Identifying the assets will allow the security team to
understand what is pertinent to the organization and in need of protection. The second phase is to
analyze the risk of an attack. The purpose of this part of the security process is to identify where
there are weaknesses, so that they may be secured before an attacker has the chance to exploit
them. Establishing a security policy is the third phase and will create a set of rules that everyone
within the organization must follow. It does not matter if it is the CEO of the company or a
customer service representative. The security policy must be followed by all or it will fail.
Phase four is to implement the defenses. These defenses will protect the organization’s
network from an attack or an intrusion. This is where firewalls, anti-virus programs, anti-malware
programs, etc. are deployed. Phase five is to monitor the defenses that have been implemented. If
there is a weakness in one of the defenses that have been put into place, then the CIA of the
organization’s network is at risk. Therefore, when there is a weakness it must be corrected, and
corrected before it has a chance to be exploited. This continuous improvement is extremely
important to the success of a secure network. Technologies are constantly changing so if the
defenses are not being constantly monitored and updated the system will not survive. Phase six of
the process is recovering from attacks. No system is one-hundred percent impervious to an attack,
so it is important to have a plan in place to recover from an attack. Now that the purpose of
Information Security, the security decisions, and the security process have all been defined, how
does one implement Information Security?
The first step in implementation is to do a full risk assessment. According to Kiran, Reddy,
& Haritha, “Risk assessment is the progression that identifies and valuates the risks to information
security by defining the likelihood of occurrence and the resulting impact” (2013, p. 41). What this
means is that any and every asset of the organization will be analyzed and prioritized, from the
most important all the way down to the assets of least importance. This is the
foundation for a secure organization. The next step would be to create a security policy. The
purpose of the security policy is to set the guidelines that every single person within the
organization must follow. It is important that those at the top of the organization follow these rules as
well, and stress their importance to everyone else. Why is it so important for everyone to follow the
security policy?
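The risk assessment step described above, as an added example that is not part of the paper: a small risk register that scores each asset by likelihood of occurrence times resulting impact and ranks the assets so the most important come first. The rating scales, tier thresholds, and sample assets are constructed for illustration only.

```python
from dataclasses import dataclass

# Qualitative scales, constructed for this example (not taken from the paper):
# likelihood and impact are each rated from 1 (very low) to 5 (very high).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass(frozen=True)
class Risk:
    asset: str         # what the organization needs to protect
    threat: str        # how the asset could be harmed
    cia_property: str  # which part of the CIA triad is threatened
    likelihood: str    # key into LIKELIHOOD
    impact: str        # key into IMPACT


def score(risk: Risk) -> int:
    """Risk score = likelihood of occurrence x resulting impact (1..25)."""
    return LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]


def tier(s: int) -> str:
    """Bucket a score into a priority tier; the thresholds are an assumption."""
    if s >= 15:
        return "high"
    if s >= 8:
        return "medium"
    return "low"


def prioritize(register):
    """Return (asset, threat, property, score, tier) tuples, highest risk first.
    Ties are broken by impact so the most damaging outcome is handled first."""
    ranked = sorted(register, key=lambda r: (score(r), IMPACT[r.impact]), reverse=True)
    return [(r.asset, r.threat, r.cia_property, score(r), tier(score(r))) for r in ranked]


# Constructed sample register using the kinds of assets the paper mentions.
REGISTER = [
    Risk("employee payroll records", "unauthorized disclosure", "confidentiality", "possible", "major"),
    Risk("customer billing data", "tampering with stored records", "integrity", "possible", "severe"),
    Risk("trade secrets", "theft by an insider", "confidentiality", "unlikely", "severe"),
    Risk("web storefront", "outage from a power failure", "availability", "likely", "moderate"),
    Risk("personal mp3 catalog", "accidental deletion", "availability", "likely", "negligible"),
]

if __name__ == "__main__":
    for asset, threat, prop, s, t in prioritize(REGISTER):
        print(f"{t:6} {s:2}  {asset:26} {threat} ({prop})")
```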
The reason it is important for everyone to follow the security policy is because employees
who comply with the policy are the key to strengthening Information Security (Bulgurcu,
Cavusoglu, & Benbasat, 2010, p. 523). If everyone does not follow the policy the system will
falter. The security policy is a written policy that provides protection not only over the
information itself, but also the equipment and software that is used to process, stockpile, and
communicate that information. For reasons previously mentioned, it is extremely important that
the policy is constantly reviewed and updated to correct areas of weakness.
At this point the next step would be to put together a security administration team. This
group of individuals will oversee that everyone within the organization is adhering to the security
policy. Having a team that works together will make it a lot easier to ensure that everyone is
following the security policy. If a company has hundreds of employees it may be difficult for one
or two people to monitor them all. A security administration team can be broken up across different
sectors of the organization. It is important that all members of the security administration team
work collaboratively to ensure that the policy is being followed. In other words, everyone on the
team should know if any issues come about in a sector that another administrator is overseeing.
An incident response plan would be the next logical step in implementing information
security. This plan will handle any and all incidents that occur, no matter how big or how
minuscule. As stated earlier, no system is immune to an attack no matter how secure it may be. It
is for this reason that it is of the utmost importance to have an incident response plan that will be
a guide for the incident response team to follow. This guide will save time and confusion in the
event of an intrusion. By documenting how to handle each and every incident, the team will
maintain connectivity or greatly reduce the downtime of the organization’s network when an
attack occurs. Additionally, the incident response plan can give the incident response team the
ability to isolate the incident and stop the attack from spreading and doing more damage throughout
the network.
Now that an incident response plan has been put into place, the next step would be to
create an incident response team. The duties of the incident response team are to follow the
guidelines set forth in the incident response plan when an incident has taken place. As stated
above, the response team will respond immediately to an incident and prevent the attack from
causing greater damage to the network by remedying the situation in a timely manner.
Furthermore, it is the incident response team’s responsibility to keep the organization up and
running, or to minimize the amount of time it is down following an attack. The members of the
incident response team are governed by the security administration team.
Keeping the business up and running or reducing the downtime of a network are important
factors that an incident response team is responsible for. This is accomplished by following a
business continuity plan. A business continuity plan will describe how to keep business moving in
the event of an incident. Not all incidents are a result of an attack however. Some are the result of
natural disasters such as an earthquake, tornado, or snow storm. The damage could be a simple
power outage, or the data could be destroyed altogether. With man-made disasters the problems
can range from a malicious attack all the way to physical damage of equipment and software. A
big part of business continuity is to have regular backups that are performed once every 24
hours. If an office is hit by a tornado, a backup kept in the same building is most likely rendered useless;
therefore, backups should be stored at a secure off-site location.
Everyone wants their information to be kept secure. Whether it’s a teenager wanting their
music files protected, a man’s banking information, or a business’s financial and customer data,
the one thing that remains constant is the need for Information Security. Information Security
does not provide a quick-fix solution. There is no one-step process that is the end-all, be-all
solution. If there were one, could it be trusted? After all, if something sounds too good to be
true it usually is. Information Security is instead a lengthy and complicated process that takes a
collaborative effort from everyone involved to make it work. There is no foolproof plan to
protect a network one hundred percent, but if the policies and strategies outlined in this paper are
followed it will greatly reduce the risk of an attack.
References
Authentication vs. authorization. (2013). Retrieved from
http://protect.iu.edu/cybersecurity/authn-authz
Bulgurcu, B., Cavusoglu, H., & Benbasat, I. (2010). Information Security Policy Compliance: An
Empirical Study of Rationality-based Beliefs and Information Security Awareness. MIS
Quarterly, 34(3), 523-A7.
Definition of information security. (2012). Retrieved from http://oit.unlv.edu/network-and-
security/definition-information-security
Kiran, K., Reddy, L., & Haritha, N. (2013). A Comparative Analysis on Risk Assessment
Information Security Models. International Journal of Computer Applications, 82(1-13),
41-47.
Kremer, S., & Raskin, J. F. (n.d.). A game approach to the verification of exchange protocols.
Retrieved from http://robotics.eecs.berkeley.edu/~wlr/228a02/papers/NonRepudiation.pdf
Smith, R. E., PhD. (2011). Elementary Information Security. Burlington, MA: Jones & Bartlett
Learning.