Definitions And Concepts Of Information Security


02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

Information Security

Abstract:

Information is the most important asset of an organization. It must be protected from being leaked or passed to unauthorized users. Organizations must have proper policies, procedures, and standards in place, in compliance with laws and regulations. Information technology provides security for data while it is being transmitted and while new technical products are being produced. This technology was designed to protect information from the different types of hackers and from identity theft. The typical terms involved in information security are IT Security and Information Assurance. Information Technology Security is information security as applied to technology, while Information Assurance is the act of ensuring that data is not lost when critical issues arise, for example a computer or server malfunction, physical theft, or any other instance where data has the potential of being lost.

Keywords: Information, Information Technology, Information Security, Information Technology Security, Information Assurance

Introduction

Over the past decade, management of information systems security has emerged as a challenging task. In today's world, the use of information in organizations is essential. People now live in the "information age", in which they have become dependent on information and on the internet as the medium for gaining and exchanging it. Many organizations today are fully dependent on information technology for survival. Information security is one of the most important concerns facing modern organizations. Many threats can affect an organization's information, such as virus attacks, malware, theft of information and so on.

There are many issues that organizations face related to information security. Hacker attacks are the main issue organizations face. Hackers often fake (spoof) the IP addresses of people in the organization so that traffic appears to come from a location it is not actually from. This may cause some operating systems, such as Windows, to crash or lock up. Another issue facing organizations is interruption. Interruption is an attack on availability, such as a denial of service (DoS) attack; its purpose is to make resources unavailable. Computer attacks such as viruses, Trojans, malware, worms and so on can make a computer malfunction and leave information susceptible, lost, or damaged.

Methodology

Definitions and concepts of information security

In today's world, information is widely used in organizations, and most of it must be protected through information security. Security can be defined as the prevention of and protection against assault, damage, fire, fraud, invasion of privacy, theft, unlawful entry, and other such occurrences caused by deliberate action. Information security can be defined as the protection of data or information and its critical elements, including the hardware and the systems that use, store and transmit that information. Information security also encompasses the terms Information Technology Security (IT Security) and Information Assurance.

The core principles of information security are the CIA triad: confidentiality, integrity and availability. Confidentiality determines which information should stay secret, so that only those persons authorized to access it may receive access. Confidentiality is the principle that information and information systems are only available to authorized users, that they are only used for authorized purposes, and that they are only accessed in an authorized manner. Confidentiality also determines information disclosure authority and conditions; unauthorized disclosure or use of confidential information could be harmful or prejudicial. In today's world, called the information age, access to information is very important. Information that is accessed by unauthorized persons may have devastating consequences, not only in national security applications, but also in commerce and industry. Someone reading or copying information without permission is known as a loss of confidentiality. Cryptography and access controls are the main mechanisms for protecting confidentiality in information systems. Confidentiality is necessary for maintaining the privacy of the people whose personal information a system holds, and it is a very important attribute. An example of where loss of confidentiality matters is in locations such as hospitals, banks, or other agencies, which have a legal obligation to protect the privacy of individuals.

Integrity is also a core principle of information security. An insecure network can allow information to be corrupted. A loss of integrity occurs when information is modified in unexpected ways; changes to information should only be possible if the change is authorized. Integrity has two broad types of mechanism: preventive and detective. Preventive mechanisms prevent unauthorized modification of information, for example access control. Detective mechanisms are intended to detect unauthorized modifications when preventive mechanisms have failed. Three controls that protect integrity are the principle of least privilege, separation of duties, and rotation of duties. Integrity controls make sure that all information is current and has not been altered or damaged. Integrity is concerned with the trustworthiness, origin, completeness, and correctness of information, as well as with avoiding the improper or unauthorized modification of information.

Another core principle of information security is availability. Availability can be defined as the principle that information assets are available and usable by authorized users when and where they need them. Authorized persons cannot get the information they need if it is erased or becomes inaccessible; this is known as a loss of availability. Attacks such as viruses can bring a system down, and data on the computer can be deleted, destroyed or overwritten. Denial of service (DoS) prevents users from accessing the network or the services provided on it; it aims to make websites unavailable. In a DoS attack, the attacker tries to overload the computer or shut it down, with the result that legitimate users can no longer access it.

The next core principle and concept of information security is authenticity. Authentication is defined as verifying the user's identity: it proves the user's identity and ensures that the user is who he, she, or it claims to be. A password is an example of an authentication entity. Typically, authentication is needed for online transactions, Facebook and email. There are three methods of authentication: what you know, what you have, and what you are. These methods are used to obtain reasonable assurance that the identity declared at the identification stage belongs to the party in the communication. The "what you know" methods are passwords, secret codes and personal identification numbers. "What you know" is the most commonly used method thanks to its low cost and easy implementation in information systems. However, it is not considered strong authentication and is not adequate for systems requiring high security. Another method is "what you have", which carries an additional inherent per-user cost. The last method is "what you are", which covers biometric authentication methods.

Authorization is also a core principle and concept of information security. Authorization means the permission or granting of rights to individuals to access an information resource; it is also referred to as privileges, and it defines what users can do on the system. Access control lists and security classes are examples of authorization entities. Authorization is most commonly defined by the system's security policy and is set by the security or system administrator.

Accountability is another core principle and concept. Accountability can be defined as the system's capability to determine and track the actions or behaviors of a single individual within the system, and to identify that particular individual. Accountability is also known as non-repudiation. Non-repudiation is one of the properties of cryptographic digital signatures, which offer the possibility of proving whether a particular message has been digitally signed by the holder of a particular digital signature's private key. Accountability is mainly provided by logs and audit trails.

Besides that, identification is also a core principle and concept of information security. Identification means that the user claims an identity to a system. An example of identification is a user identifier (userID). UserIDs must be unique names for information security and, depending on their scope, they must be locally unique so that access control may be enforced and accountability established. Access control is commonly used as the entity. Identification is necessary for authentication and authorization.
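To make the chain from identification through "what you know" authentication and ACL-based authorization to accountability via an audit trail concrete, here is an added Python example (not part of the original essay). The userIDs, passwords, the access control list, the resource name and the fixed salt are constructed for illustration.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed sample data: hypothetical userIDs, passwords and an ACL for one
# resource. A real system stores a random per-user salt; one fixed salt is used
# here only to keep the example short.
SALT = b"constructed-example-salt"

def hash_password(password: str) -> bytes:
    """Derive a password hash (PBKDF2-HMAC-SHA256) so plaintext is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

# Identification: each user claims a unique userID, which maps to a
# 'what you know' credential (the password hash).
USERS = {
    "alice": hash_password("correct horse battery"),
    "bob": hash_password("hunter2"),
}

# Authorization: an access control list per resource, listing rights per userID.
ACL = {
    "patient_records": {"alice": {"read", "write"}, "bob": {"read"}},
}

# Accountability: an append-only audit trail of every decision taken.
AUDIT_LOG: list[str] = []

def audit(event: str) -> None:
    AUDIT_LOG.append(f"{datetime.now(timezone.utc).isoformat()} {event}")

def authenticate(user_id: str, password: str) -> bool:
    """'What you know' authentication; compare_digest avoids timing leaks."""
    stored = USERS.get(user_id)
    if stored is None:
        audit(f"AUTH_FAIL user={user_id} reason=unknown_user")
        return False
    ok = hmac.compare_digest(stored, hash_password(password))
    audit(f"AUTH_{'OK' if ok else 'FAIL'} user={user_id}")
    return ok

def authorize(user_id: str, resource: str, right: str) -> bool:
    """Check the ACL; deny by default when the resource or user is unlisted."""
    allowed = right in ACL.get(resource, {}).get(user_id, set())
    audit(f"AUTHZ_{'OK' if allowed else 'DENY'} user={user_id} {right} {resource}")
    return allowed

def access(user_id: str, password: str, resource: str, right: str) -> str:
    """Full chain: identify -> authenticate -> authorize, with every step logged."""
    if not authenticate(user_id, password):
        return "denied: authentication failed"
    if not authorize(user_id, resource, right):
        return "denied: not authorized"
    return f"granted: {user_id} may {right} {resource}"
```

Every outcome, including failed attempts by unknown users, lands in AUDIT_LOG, which is what lets an investigator later attribute an action to one userID.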

The last core principle and concept is privacy. Privacy refers to the rights of individuals to privacy of their personal information and to adequate, secure handling of this information by its users. Personal information here means information that directly identifies a human being, such as name and address, although the details may differ between countries. Privacy measures protect an individual's ability to determine what information is collected about them, who can access it, how it may be used, and how it may be maintained. In many jurisdictions, such as the European Union (EU), the privacy of information is protected by law. Organizations must take the necessary precautions to protect personal information.

Principles and Concepts of Information Security

Figure 1: Concepts of Information Security

Figure 2: Explanation of Concepts of Information Security

Challenges of Information Security

In today's world, technology has changed rapidly and information security has become a critical requirement of business. There are many challenges of information security in our evolving environments that make it difficult to adequately protect our resources. However, there is much research and there are many standards, tools and technologies for securing and protecting business transactions, infrastructure and valuable information. Several challenges related to information security follow.

Lack of awareness

Many organizations still do not understand the scope of information security.

Organizations are not aware of information security threats such as viruses, Trojans, worms, spyware, adware, cookies and others, which can bring systems down and leave information lost, susceptible and damaged.

Types of computer threats

Virus

A virus infects different files on a computer or on stand-alone systems.

A virus tricks the person into taking some action, for example clicking on a malicious link or downloading a malicious file.

A virus can also spread through infected portable data storage.

Trojans

A Trojan is defined as a non-replicating type of malware which appears to perform desirable functions but instead drops a malicious payload.

Trojans hide inside an innocent-looking piece of software that the user downloaded or received as an email attachment.

Trojans can infect the user's computer when they visit a web page.

A Trojan adds itself to the computer's startup routine and monitors the computer until the user is connected to the Internet.

The persons who sent the Trojan can then perform many actions, for example run programs on the infected computer, access personal files, modify and upload files, or send out spam mail.

Worms

Worms are malicious programs which take advantage of weaknesses in operating systems.

Worms are able to spread at very high rates, which can put the system at risk of crashing.

This type of computer threat copies itself and spreads through internet connections.

Worms can encrypt a user's files and make them unusable.

Adware

Adware displays advertisements on the user's computer; it advertises the supported software.

Adware becomes a problem if it installs itself on the computer without the user's consent, hijacks the user's browser in order to display more ads, or is designed to be difficult to uninstall.

Adware can slow down the user's PC and slow down the internet connection by downloading advertisements.

Cookies

Cookies are also a computer threat; they enable websites to remember user details.

Cookies remember user details and track user visits. They can be a threat to confidentiality but not to user data.

Although cookies are a computer threat, they are also designed to be helpful. Cookies can store data so that the user doesn't have to re-enter it next time.

Cookies will not harm user data.

Inconsistent enforcement of policies

• Low visibility information protection function – sometimes an information protection group or leadership is created but is not empowered through an adequate reporting level,

• Inadequate budgets for automated tools, expertise, and staffing resources,

• Unqualified management and staff,

• Lack of documented and communicated policies & procedures,

• Improperly designed & configured internal controls,

• Inconsistent monitoring of external incidents and compliance with internal policies or regulatory requirements,

• Inadequate risk assessment & gap analysis,

• Unidentified or incomplete identity protection scope,

• Decentralized & unaligned information protection function,

• Lack of internal support for information protection,

• Insufficient awareness of the risks and solutions,

• Unmanaged and blind transfer of controls to third parties,


Recommendations to Address the Challenges in Information Security

Guiding Employees Through Policies and Procedures

It has become increasingly important for people to actively assist in successfully protecting the information of organisations, and this has enhanced the importance of implementing operational controls as guidance to them.

Policies

Policies are management instructions on how an organisation should be run (Wood, 1994, p.2). These instructions reside at the top of the organisational structure and are high-level statements that set the direction of the organisation. The important role that policies play in the organisation is

Procedures

Procedures are specific operational steps that workers must take to achieve a certain goal. They are based on the broad guidance provided by policies, but are much more specific. Procedures should be tailored to the specific environment into which they will be implemented, and should be geared towards providing understandable help to the people who will be using them (Wood, 1994, p.2).

Operational controls such as policies and procedures rely on human behaviour to be implemented. Unlike physical and technical controls, simply having policies and procedures in place is not enough. Employees must be aware of these policies and procedures and be motivated to follow
