Three Basic Components of Security


02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

The three basic components of security are people, technology and process. An information security specialist's responsibility is to identify the complexity, weaknesses and limitations of each component, each of which consists of many complicated structures.

Technology

- Identify applications using technology that is vulnerable to attack.

Process

- To sustain an information system with limited technological capability, a process can be designed to compensate for the limitation.

People

- Users of the system are vulnerable to different types of attack, such as weak passwords, phishing and malware.

3. You may have noticed that certification programs are designed to support standard practices in network security. Why are standards so important to the computing industry? What would computing be like today if no standards had been adopted? Discuss this hypothetical situation.

Standards are important to the computer industry because collaboration between businesses (B2B) has reduced the cost and complexity of the technology adopted by organizations and end users.

Organizations and end users can be connected to a community sponsored by a B2B consortium for improved functionality and usability.

Hypothetically, if no standards had been adopted:

- Information systems would be silos tied to a particular development organization, with no interconnection standard between systems.

- Data loss would be possible, because data held in one proprietary system would be difficult to move to another proprietary system.

- Usability improvements would be harder because tool support would not be strengthened.

4. Suppose you are the senior management team leader for a large, privately owned hospital. Create the outline of a basic programme-level information security policy for the organization.

PURPOSE

The information security policy refers to the updated organization ICT policy. The organization ICT policy aims to ensure:

a) end users, consisting of hospital staff, authorized vendors, authorized third parties and administrators in the IT Department, comply with the ICT policy.

b) user-friendly procedures that follow basic guidelines.

c) declared end-user responsibility.

d) minimized damage, prevented data loss and upheld organization integrity.

SCOPE

Organization policies cover the hospital's operations. Guidelines for control systems and procedures include all of the following:

(a) Hardware

All assets including servers, facilities and security equipment.

(b) Software

Application systems used to support data processing, including operating systems, database systems, software systems or network monitoring software.

(c) Services

Support for other assets to meet organization functions, including network services, access systems, electricity, air conditioning, fire fighting systems and physical location.

(d) Data or Information

All organization documents, including system documentation, operating procedures, records, databases and files.

(e) Human

All personnel of the organization, including end users, administrators, vendors and third parties.

SCOPE

Items covered include the following critical applications:

a) Organization website.

b) Internal Information Systems.

c) External Information Systems.

RESPONSIBILITIES

The following are responsible for establishing, implementing, operating, monitoring, reviewing, maintaining and improving the information security management system:

(a) ICT Steering Committee

(b) IT Division.

COMPLIANCE

Authorizes and defines the use of specific penalties and disciplinary action for those failing to comply with computer security policies.

5. Suppose you are the IT management team leader for a new e-commerce company that is in the process of starting up. The company will sell custom-printed items (such as mugs, tee shirts, and golf balls) to businesses and individuals. You are assigned the task of designing a network for the new company, and senior managers demand that the network be completely secure. It is decided to base the new system on a theoretical model. Which of the confidentiality and integrity models would you choose, and why?

Bell-LaPadula Model

1) upper level management security concern.

2) comply with security requirements, including:

a) confidentiality,

b) enforcement of access control

c) mandatory access control

d) discretionary access control

e) based on multi-level security

In a nutshell, the Bell-LaPadula model prevents a user with a Secret clearance from viewing a Top Secret document (no read up). It also prevents a user from putting Top Secret information within a Secret document (no write down). In this model, the entities are divided into subjects and objects. Think of subjects as users and objects as computers or documents. To determine whether access is allowed, the clearance of a subject is compared to the classification of the object and a determination is made as to whether the subject is authorized for the specific access mode.
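The access decision described above, as an added example that is not part of the original essay: a small reference monitor that applies the no-read-up and no-write-down checks together with a discretionary access matrix. The level ladder, user names, file names and the use of a single level per subject are assumptions made for illustration.

```python
from enum import IntEnum

class Level(IntEnum):
    # Constructed ladder; the essay itself names only Secret and Top Secret.
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3

# Constructed sample data (hypothetical subjects and objects).
CLEARANCE = {"alice": Level.TOP_SECRET, "bob": Level.SECRET}
CLASSIFICATION = {"war_plan.doc": Level.TOP_SECRET, "memo.doc": Level.SECRET}
# Discretionary access matrix: modes granted per (subject, object) pair.
ACL = {
    ("alice", "war_plan.doc"): {"read", "write"},
    ("alice", "memo.doc"): {"read", "append"},
    ("bob", "war_plan.doc"): {"read", "append"},
    ("bob", "memo.doc"): {"read"},
}

def mac_allows(subject_level, object_level, mode):
    """Mandatory part: compare clearance with classification per access mode."""
    if mode == "read":      # simple security property: no read up
        return subject_level >= object_level
    if mode == "append":    # *-property: no write down (alter without observing)
        return subject_level <= object_level
    if mode == "write":     # observe + alter must satisfy both rules above
        return subject_level == object_level
    raise ValueError(f"unknown access mode: {mode!r}")

def decide(subject, obj, mode):
    """Return (allowed, reason); the DAC and the MAC check must both pass."""
    if mode not in ACL.get((subject, obj), set()):
        return False, "denied by discretionary access matrix"
    s_level, o_level = CLEARANCE[subject], CLASSIFICATION[obj]
    if not mac_allows(s_level, o_level, mode):
        rule = "no read up" if s_level < o_level else "no write down"
        return False, f"denied by mandatory rule ({rule})"
    return True, "granted"

if __name__ == "__main__":
    for request in [("bob", "war_plan.doc", "read"),
                    ("alice", "memo.doc", "append"),
                    ("bob", "war_plan.doc", "append")]:
        print(request, "->", decide(*request))
```

The last request is granted: Bell-LaPadula permits a blind write upward because it protects confidentiality only, not integrity.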

Two major categories of information security models:

- Access Control models: protect access to data

- Integrity Control models: verify that data is not changed

The Biba Model

A model due to Ken Biba which is often referred to as "Bell-LaPadula upside down."

It deals with integrity alone and ignores confidentiality entirely.

Each subject and object in the system is assigned an integrity classification:

- Crucial

- Important

- Unknown

The integrity level of a user reflects the user's trustworthiness for inserting, modifying, or deleting information.

The integrity level of an object reflects both the degree of trust that can be placed in the information stored in the object and the potential damage that could result from unauthorized modification of that information.

Two principles:

- No-read-down: A subject is allowed a read access to an object only if the access class of the object dominates the access class of the subject

- No-write-up: A subject is allowed a write access to an object only if the access class of the subject is dominated by the access class of the object

6. Choose an organization in your community or imagine an organization of any kind—a large bank, a government agency, or a hospital, for instance. In this organization, which systems would be considered mission critical? Which systems would not be critical? Collaborate on a basic business impact analysis that shows how the loss of these systems would affect the organization.

BIA is the process of determining the impact on an organization should a potential loss identified by the risk analysis occur.

For a large bank, mission-critical systems would be:

1) online banking systems

2) database systems

3) backup systems

4) interbanking systems

Non-mission-critical systems would be:

1) internal personnel systems

2) websites

| RISK IDENTIFIED | BUSINESS ACTIVITY AFFECTED | POTENTIAL OPERATIONAL LOSS | POTENTIAL FINANCIAL LOSS | MINIMUM TIME NEEDED TO RECOVER OPERATION | PUBLIC IMAGE |
| --- | --- | --- | --- | --- | --- |
| MISSION CRITICAL | | | | | |
| Online banking systems | Customer transaction activity | Reduced operational | Million dollar per hour | 1 hour | High |
| Database systems | Daily transactions | Overall operation | Million dollar per hour | 1 hour | Medium |
| Interbanking systems | Interbank transaction | Reduced interbank transaction | Possible million dollar per hour | 1 hour | Low |
| Backup systems | None | Possible loss of data | Possible million dollar | 1 day | Low |
| NON-MISSION CRITICAL | | | | | |
| Websites | Various bank information | Loss of potential customers | None | 1 hour | High |
| Internal personnel systems | Bank's personnel information | Reduced updated information | None | 1 hour | Low |


