Explanation Concepts Of Information Security

02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

Information Security

Abstract:

Information is the most important element of an organization. Information must be protected from being leaked or passed to unauthorized users. Organizations must have proper policies, procedures, and standards in place, in compliance with laws and regulations. Information technology provides security for data that is transmitted or used in producing new technical products. Technology was designed to protect information from the different types of hackers and from identity theft. The typical terms involved when dealing with information security are IT Security and Information Assurance. Information Technology Security is information security applied to technology, while Information Assurance is the act of ensuring that data is not lost when critical issues arise, for example computer or server malfunction, physical theft, or any other instance where data has the potential of being lost.

Keywords: Information, Information Technology, Information Security, Information Technology Security, Information Assurance

Introduction

Over the past decade, the management of information systems security has emerged as a challenging task. In today's world, the use of information in organizations is essential. People now live in the "information age", in which they have become dependent on information and on the internet as the medium for gaining and exchanging information. Many organizations today are fully dependent on information technology for survival. Information security is one of the most important concerns facing modern organizations. Many threats can affect the information of organizations, such as virus attacks, malware, theft of information and so on.

There are many issues facing organizations related to information security. Hacker attacks are the main issue. Hackers usually fake the IP address of people in the organization so that others will think traffic is sent from a location that it is not actually from. This may cause some operating systems such as Windows to crash or lock up. Another issue facing organizations is interruption. Interruption is an attack on availability, such as a denial of service (DoS) attack. The purpose of interruption is to make resources unavailable. Computer attacks include viruses, Trojans, malware, worms and so on. These types of computer attacks can make the computer malfunction and leave information susceptible, lost or damaged.

Methodology

This term paper was completed based on two methods, which are primary and secondary data. Through primary data, I surveyed websites in order to get information about information security. The information that I surveyed covers the definitions of information security, the concepts of information security and the challenges faced by organizations.

Besides that, secondary data were also used in order to complete this term paper. I analyzed the websites that I browsed so that I understand information security. After the data was analyzed, the data was collected to fulfill the requirements of this term paper. I also searched the literature available on the internet so that I could better understand information security.

Definitions and concepts of information security

In today's world, information is widely used in organizations. Most of this information must be protected by information security. Security can be defined as the prevention of and protection against assault, damage, fire, fraud, invasion of privacy, theft, unlawful entry, and other such occurrences caused by deliberate action. Information security can be defined as the protection of data or information and its critical elements, including hardware and the systems that use, store and transmit that information. Information security also deals with the terms Information Technology Security (IT Security) and Information Assurance.

The core principles of information security are the CIA triad, which is confidentiality, integrity and availability. The websites http://www.sinclair.edu and http://www.mhprofessional.com describe the concepts of information security. The first concept, confidentiality, means that information that should stay secret stays secret and that only those persons authorized to access it may receive access. Confidentiality is the principle that information and information systems are only available to authorized users, that they are only used for authorized purposes, and that they are only accessed in an authorized manner. Confidentiality also determines information disclosure authority and conditions; unauthorized disclosure or use of confidential information could be harmful or prejudicial. In today's world, which is called the information age, access to information is very important. Information that is accessed by unauthorized persons may have devastating consequences, not only in national security applications, but also in commerce and industry. When someone reads or copies information without permission, this is known as a loss of confidentiality. Cryptography and access controls are the main mechanisms for protecting confidentiality in information systems. Confidentiality is necessary for maintaining the privacy of the people whose personal information a system holds. Confidentiality is a very important attribute. For example, places such as hospitals, banks, or other agencies have a legal obligation to protect the privacy of individuals.

Integrity is also a core principle of information security. An insecure network can lead to corrupted information. A loss of integrity occurs when information is modified in unexpected ways. Changes to information should only be possible if the change is authorized. Integrity mechanisms fall into two broad types: preventive mechanisms and detective mechanisms. Preventive mechanisms prevent unauthorized modification of information; access control is an example. Detective mechanisms are intended to detect unauthorized modifications when preventive mechanisms have failed. There are three controls that protect integrity: the principle of least privilege, separation of duties, and rotation of duties. Integrity controls make sure that all information is current and has not been altered or damaged. Integrity is concerned with the trustworthiness, origin, completeness, and correctness of information, as well as with avoiding improper or unauthorized modification of information.
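The two types of integrity mechanism can be shown side by side. The following is an added example, not part of the original essay: a toy record store in which an access check on writes is the preventive mechanism and a keyed hash (HMAC) baseline is the detective mechanism. The user names, record names and key are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample values; a real key would be kept outside the data store.
BASELINE_KEY = b"constructed-demo-key"
AUTHORIZED_WRITERS = {"payroll-admin"}


class RecordStore:
    """Toy store with one preventive and one detective integrity control."""

    def __init__(self):
        self.records = {}  # record name -> content (bytes)
        self._tags = {}    # record name -> HMAC taken at the last authorized write

    @staticmethod
    def _tag(name, data):
        # Bind the tag to the record name so one valid record cannot stand in for another.
        encoded = name.encode()
        msg = len(encoded).to_bytes(4, "big") + encoded + data
        return hmac.new(BASELINE_KEY, msg, hashlib.sha256).digest()

    def write(self, user, name, data):
        # Preventive mechanism: access control refuses unauthorized modification.
        if user not in AUTHORIZED_WRITERS:
            raise PermissionError(f"{user} may not modify {name}")
        self.records[name] = data
        self._tags[name] = self._tag(name, data)

    def verify(self):
        # Detective mechanism: list records that changed or vanished since the
        # last authorized write, i.e. changes that bypassed write().
        modified = [n for n, d in self.records.items()
                    if not hmac.compare_digest(self._tag(n, d), self._tags.get(n, b""))]
        missing = [n for n in self._tags if n not in self.records]
        return sorted(modified + missing)


def demo():
    store = RecordStore()
    store.write("payroll-admin", "salary:alice", b"4200")
    store.write("payroll-admin", "salary:bob", b"3900")
    try:
        store.write("intern", "salary:bob", b"9900")
        blocked = False
    except PermissionError:
        blocked = True
    clean = store.verify()
    # Simulate a modification that bypassed the access check (direct edit of storage).
    store.records["salary:bob"] = b"9900"
    return blocked, clean, store.verify()
```

The detective check only has value if the key and the stored tags are out of reach of whoever can edit the records directly.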

Another core principle of information security is availability. Availability can be defined as the principle that information assets are available and usable by authorized users when and where they need them. Authorized persons cannot get the information they need if the information is erased or becomes inaccessible. This is known as a loss of availability. An attack such as a virus can bring the system down. The data on the computer can be deleted, destroyed or overwritten. Denial of service (DoS) means that users cannot access the network or the services provided on the network. Denial of service aims to make websites unavailable. In a denial of service (DoS) attack, the hacker attempts to overload the computer or shut it down. The result is that legitimate users can no longer access it.

The next core principle and concept of information security is authenticity. Authenticity is defined as verifying the user's identity. It proves the user's identity and ensures that the user proves he, she, or it is who they claim to be. A password is an example of an authentication entity. Authentication is typically needed for online transactions, Facebook and email. There are three methods of authentication: what you know, what you have, and what you are. These methods are used to obtain reasonable assurance that the identity declared at the identification stage belongs to the party in communication. The authentication methods of what you know are passwords, secret codes and personal identification numbers. What you know is the most commonly used authentication method thanks to its low cost and easy implementation in information systems. However, this method is not considered strong authentication and is not adequate for systems requiring high security. Another method of authentication is what you have. The authentication method of what you have includes an additional inherent per-user cost. The last authentication method is what you are. This method covers biometric authentication.

Authorization is also a core principle and concept of information security. Authorization means giving permission or granting rights to individuals to access an information resource. Authorization is also referred to as privileges: it is what users can do on the system. Access control lists and security classes are examples of authorization entities. Authorization is most commonly defined by the system's security policy and is set by the security or system administrator.

Accountability is also a core principle and concept. Accountability can be defined as the system's capability to determine and track the actions or behaviors of a single individual within a system. It can also identify that particular individual. Accountability is also known as non-repudiation. Non-repudiation is one of the properties of cryptographic digital signatures that offers the possibility of proving whether a particular message has been digitally signed by the holder of a particular digital signature's private key. Accountability is mainly provided by logs and audit trails.

Besides that, identification is also a core principle and concept of information security. Identification means that users claim their identity to a system. An example of identification is user identification (userID). User identifications (userIDs) must be unique names for information security and, depending on their scope, they must be locally unique so that access control may be enforced and accountability established. Access control is commonly applied to such entities. Identification is necessary for authentication and authorization.
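Identification, authentication, authorization and accountability operate as one chain on every request. The following is an added example, not part of the original essay, that walks a request through all four. The user, password, resource and ACL are constructed sample data, and chaining the audit entries with a hash is an addition beyond the essay, included so that edits to the log are detectable.

```python
import hashlib
import hmac
import os


def hash_password(password, salt):
    # Store a slow, salted verifier rather than the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed sample data: one unique userID, its verifier, and an access control list.
_salt = os.urandom(16)
USERS = {"alice": (_salt, hash_password("correct horse", _salt))}
ACL = {"payroll.xlsx": {"alice": {"read"}}}
AUDIT_LOG = []  # accountability: every decision is recorded against a userID


def _entry_digest(prev, e):
    body = f"{prev}|{e['user']}|{e['action']}|{e['resource']}|{e['outcome']}"
    return hashlib.sha256(body.encode()).hexdigest()


def audit(user_id, action, resource, outcome):
    # Each entry commits to the previous one, so editing or deleting an entry
    # breaks the chain (the newest digest must be kept somewhere the editor cannot reach).
    prev = AUDIT_LOG[-1]["digest"] if AUDIT_LOG else "0" * 64
    entry = {"user": user_id, "action": action, "resource": resource, "outcome": outcome}
    entry["digest"] = _entry_digest(prev, entry)
    AUDIT_LOG.append(entry)
    return outcome


def request(user_id, password, action, resource):
    # Identification: the caller claims a userID.
    # Unknown IDs get a dummy record so the same hashing work is done either way.
    salt, verifier = USERS.get(user_id, (b"\x00" * 16, b""))
    # Authentication ("what you know"): check the password against the stored verifier.
    if not hmac.compare_digest(hash_password(password, salt), verifier):
        return audit(user_id, action, resource, "denied:authentication")
    # Authorization: the ACL decides what this identity may do to this resource.
    if action not in ACL.get(resource, {}).get(user_id, set()):
        return audit(user_id, action, resource, "denied:authorization")
    return audit(user_id, action, resource, "granted")


def log_intact():
    # Recompute the chain from the start; any altered entry changes its digest.
    prev = "0" * 64
    for e in AUDIT_LOG:
        if _entry_digest(prev, e) != e["digest"]:
            return False
        prev = e["digest"]
    return True
```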

The last core principle and concept is privacy. Privacy refers to the rights of individuals to privacy of their personal information and to adequate, secure handling of this information by its users. Personal information here means information that directly identifies a human being, such as name and address, although the details may differ between countries. Privacy covers the measures that protect an individual's ability to determine what information is collected about them, who can access the information, how it may be used, and how it may be maintained. In many places, such as the European Union (EU), the privacy of information is protected by law. Organizations must take the necessary precautions in order to protect personal information.

Principles and Concepts of Information Security

Figure 1: Concepts of Information Security

Figure 2: Explanation Concepts of Information Security

Challenges of Information Security

In today's world, technology has changed rapidly and information security has become a critical business requirement. There are many challenges of information security in our evolving environments that make it difficult to adequately protect our resources. However, there is much research, and there are many standards, tools and technologies, for securing and protecting business transactions, infrastructure and valuable information. Based on the website http://www.identity-theft-awareness.com, these are several challenges related to information security.

Lack of awareness

Many organizations still do not understand the scope of information security.

Organizations are not aware of information security threats such as viruses, Trojans, worms, spyware, adware, cookies and others, which can bring systems down and leave information lost, susceptible and damaged.

Types of computer threats

Virus

A virus infects different files on a computer or on stand-alone systems.

A virus tricks the person into taking some action, for example clicking on a malicious link, downloading a malicious file and others.

A virus can also spread through infected portable data storage.

Trojans

A Trojan is defined as a non-replicating type of malware which appears to perform desirable functions but instead drops a malicious payload.

Trojans hide inside an innocent-looking piece of software that the user downloaded or received as an email attachment.

Trojans will infect the user's computer when they visit a web page.

A Trojan adds itself to the computer's startup routine. It will monitor the computer until the user is connected to the Internet.

The person who sent the Trojan can then perform many actions, for example run programs on the infected computer, access personal files, modify and upload files, or send out spam mail.

Worms

Worms are malicious programs which take advantage of weaknesses in operating systems.

Worms are able to spread at very high rates, which can put the system at risk of crashing.

This type of computer threat copies itself and spreads through internet connections.

Worms can encrypt a user's files and make them unusable.

Adware

Adware displays the advertisement on user computer. It advertises the supported software.

Adware can become a problem if it installs itself on the computer without user consent, hijacks the user's browser in order to display more ads, or is designed to be difficult to uninstall.

Adware can slow down the user's PC and can slow down the internet connection by downloading advertisements.

Cookies

Cookies are also a computer threat; they enable websites to remember user details.

Cookies remember user details and track user visits. They can be a threat to confidentiality but not to user data.

Although cookies are a computer threat, they are also designed to be helpful. Cookies can store data so that users don't have to re-enter it next time.

Cookies will not harm user data.

Enforcement of policies not consistent

The policy management of the organization is not good.

The organization fails to properly address the risk of information protection to the public and also to its members.

Many organizations did not enforce their policies in the past.

Many organizations did not clearly understand their organizational culture when developing their policies.

Management and staff are not qualified

The staff do not have expertise in solving the threats that occur in their systems.

The organizations did not send the staff to training programs, so the staff do not have the knowledge of how to solve problems regarding information security.

Ineffective security programs

Most of the information security programs fail to align with the organization’s objective and priorities.

An improper framework makes it difficult to integrate the security program with the goals, objectives and strategies of the business.

Most antivirus software is not updated, which can lead to lost and damaged information and data.

Insufficient budget for automated tools, expertise and staffing resource.

The cost of tools for information security, such as cryptography and biometrics, is very high.

The organization does not have sufficient budget for hiring expert staff in information security because the cost of hiring expert staff is very high.

Recommendations to Address the Challenges in Information Security

Challenges: Lack of awareness

Recommendations: Awareness about information security

Organizations must send staff to training programs in order to make sure they understand the risks of information security.

Organizations must give education and training to staff so that they can gain new knowledge about the challenges of information security today.

Challenges: Enforcement of policies not consistent

Recommendations: Employees must be guided through policies and procedures.

Policies are the instructions on how the organizations should be operated.

Policies can set the directions of the organizations.

Through policies, organizations will follow the rules of information security management.

Procedures are the steps that must be taken by the staff in the organization.

Procedures act as a guideline to the staff in managing the information security.

Challenges: Management and staff are not qualified

Recommendations: Hiring the qualified persons

The organizations must hire the qualified persons to fulfill the job in information security.

Hiring qualified and expert staff in information security will improve the security of information.

Problems or challenges in information security can be solved fast, and the loss of data can be prevented.

Challenges: Ineffective security programs

Recommendations: Develop an effective security program.

An organization must define its objectives and priorities properly so that information security can be managed very well.

The framework of information security must be developed properly.

Organizations must be aware of the need to update their antivirus so that viruses or any other threats cannot damage the information of the organization.

Challenges: Insufficient budget for automated tools, expertise and staffing resource.

Organizations must set aside a sufficient budget.

Conclusions

Based on this term paper, it can be summarized that information security has been used in large and small organizations today. Information security is very important in keeping the information of organizations secure from threats like viruses, identity theft and others. In order for information security to be managed properly, organizations must understand the challenges of information security in an organization. Besides that, organizations must understand the scope of information security and align it with the objectives and priorities of the organization.

Organizations must also be aware of the threats to information security. Expert persons are needed in organizations in order to manage information security. The staff of the organizations must be sent to training and must be educated about the security of information. Lack of awareness of information security can put the security of information in danger.


