Information security

Page 1: Information security

INFORMATION SECURITY (IS)

• It is a prime concern for all organizations that use computer-based information systems, since the potential for information security breaches is much higher in these than in manual systems.

• It relates to the protection of information assets against loss, damage, or unauthorized disclosure.

• The basic objective of IS is to protect the interests of those who rely on information from harm resulting from failures of availability, confidentiality and integrity.

• The IS objective is met when:

• Information systems are available and usable whenever required (availability objective)

• Information is disclosed only to those who have the right to know it (confidentiality objective)

• Information is protected against unauthorized modification (integrity objective)

Page 2: Information security

PRINCIPLES OF IS

1. Accountability principle

2. Awareness principle

3. Multidisciplinary principle

4. Integration principle

5. Timeliness principle

6. Reassessment principle

7. Cost-effective principle

8. Societal principle

Page 3: Information security

1. Accountability principle: the following issues should be considered:

• Specification of ownership of data and information

• Unique identification of each user who accesses the system

• Assignment of responsibility for maintenance of data and information

• Institution of investigative and other remedial procedures when a breach or an attempted breach of information security occurs.

Page 4: Information security

2. Awareness principle: the following issues should be considered:

• The level of detail disclosed should be consistent with information security requirements

• Appropriate knowledge should be available to all parties concerned

• Information security is not a one-shot action but an on-going process, so that it becomes part of the organizational culture

• Security awareness, being an on-going process, applies to all employees, whether long-serving staff or new recruits

Page 5: Information security

3. Multidisciplinary principle: the issues to be tackled in this context are:

• Business value of the information being protected

• Technology available to meet the information security requirements

• Impact of organizational and technological changes

• Requirements of legal and industry norms

• Requirements of managing advanced technology for information security

Page 6: Information security

4. Integration principle: the issues that should be addressed are:

• Information security policy and administration should be an integral part of the overall management of the organization

• Information system development and information security should be consistent with each other

Page 7: Information security

5. Timeliness principle: the issues that should be taken care of are:

• The instantaneous and irrevocable nature of business transactions

• The volume of information generated by increasingly interconnected and complex information systems

• Automated tools to support real-time monitoring

• Prompt reporting of security breaches to the appropriate decision-making level

Page 8: Information security

6. Reassessment principle: the issues that should be taken care of are:

• Increasingly frequent upgrading of information systems according to business needs

• Changes in information systems and their infrastructure

• New threats emerging over time that require extra safeguards

• New information security technology that has emerged or is emerging.

Page 9: Information security

7. Cost-effective principle: the issues that should be taken care of are:

• The value to, and dependence of, the organization on a particular information asset

• The amount of security and confidentiality required

• The nature of the threats that exist

• Costs and benefits of security

• The optimum level of security, beyond which the cost of further security measures becomes prohibitive

Page 10: Information security

8. Societal principle: the issues that should be taken care of are:

• Fair presentation of data and information to legitimate users

• Ethical use and disclosure of information obtained from others

Page 11: Information security

APPROACHES

• Preventive information protection approach

• Restorative information protection approach

• Holistic information protection approach

Page 12: Information security

IMPLEMENTATION OF IS

1. DEVELOPMENT OF SECURITY POLICIES

2. PRESCRIBING ROLES AND RESPONSIBILITIES

3. DESIGNING SECURITY MEASURES

4. EDUCATING EMPLOYEES

5. IMPLEMENTATION

6. MONITORING

Page 13: Information security

DEVELOPMENT OF SECURITY POLICIES

• A policy is a statement or general understanding which provides guidelines to members of an organization for decision making in respect of any course of action

• While designing such policies, the core principles of IS should be kept in mind so that sound policies are developed

• It should cover the following aspects:

– The importance and need of IS in the organization

– A statement from the chief executive of the organization in support of the objectives of effective IS

– Data security

– Communication security / personnel security

– Description of responsibility and accountability for IS

– Physical, logical and environmental security

– Security awareness, education and training

Page 14: Information security

contd..

– Security breaches, detection and reporting requirements

2. PRESCRIBING ROLES AND RESPONSIBILITIES

• Chief information executive: has overall responsibility for developing and operating information systems, including their security

• Information security administrator: has overall responsibility for information security

• Other professionals: responsible for security measures in their respective areas

• Data owners: responsible for ensuring that appropriate security, consistent with organizational policies, is embedded in the information systems

• Technology providers: responsible for assisting in the implementation of IS

• Users: responsible for adhering to the procedures prescribed for IS

Page 15: Information security

3. DESIGNING SECURITY MEASURES

• It includes prescribing standards, procedures, methods and practices in respect of IS.

• While designing security measures, the security requirements of individual information systems should be taken into account, as different information systems have different security requirements.

4. EDUCATING EMPLOYEES

• Technical training

• Behavioral training

5. IMPLEMENTATION

• Managerial controls

• Identification and authentication controls

• Logical access controls

• Accountability controls

• Cryptographic controls

Page 16: Information security

Contd..

• Computer operations controls

• Physical and environmental controls

6. MONITORING

Issues that need to be addressed in achieving effective monitoring include:

• Appointment of an appropriate person, possibly the information security administrator, with the authority to act and adequate tools and resources for control

• Establishment of clear investigating procedures

• Information system audit by external auditors

• Establishment of audit trail information from the large number of systems that may need to be examined.
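The last monitoring point, an audit trail assembled from many systems, and the accountability principle's demand that each user be uniquely identifiable, are easier to see in code. The following is an added example written for this page, not material from the original slides: it normalises two constructed log formats (an application log and a database log, both invented here, with the UTC assumption for the database timestamps and the set of shared accounts also being assumptions) into one chronological trail, reconstructs what a single user did across both systems, and flags events performed under shared accounts, which cannot be attributed to one person.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample audit records (not from any real system): two systems, two formats.
APP_LOG = """\
2024-03-01T09:02:11Z app user=alice action=READ object=payroll.xlsx
2024-03-01T09:05:40Z app user=shared_ops action=READ object=payroll.xlsx
2024-03-01T09:07:02Z app user=bob action=WRITE object=invoices.db
"""
DB_LOG = """\
[2024-03-01 09:06:30] db session=17 login=bob stmt="UPDATE invoices SET amount=0 WHERE id=4"
[2024-03-01 09:08:12] db session=18 login=shared_ops stmt="SELECT * FROM payroll"
"""

# Assumption: accounts used by more than one person; they defeat individual accountability.
SHARED_ACCOUNTS = {"shared_ops", "admin", "root"}


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime  # always timezone-aware UTC so records from different systems sort correctly
    system: str
    user: str
    action: str
    target: str


APP_RE = re.compile(r"^(\S+) app user=(\S+) action=(\S+) object=(\S+)$")
# Captures the SQL verb and the first table named after it (skipping "* FROM" for SELECTs).
DB_RE = re.compile(r'^\[(.+?)\] db session=\d+ login=(\S+) stmt="(\w+)\s+(?:\*\s+FROM\s+)?(\w+)')


def parse_app_line(line: str) -> AuditEvent | None:
    m = APP_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return AuditEvent(ts, "app", m.group(2), m.group(3), m.group(4))


def parse_db_line(line: str) -> AuditEvent | None:
    m = DB_RE.match(line)
    if not m:
        return None
    # Assumption: the database host logs in UTC; its format carries no zone indicator.
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return AuditEvent(ts, "db", m.group(2), m.group(3).upper(), m.group(4))


def build_trail(app_log: str, db_log: str) -> list[AuditEvent]:
    """Normalise both sources into one chronologically ordered audit trail."""
    events = [e for e in map(parse_app_line, app_log.splitlines()) if e]
    events += [e for e in map(parse_db_line, db_log.splitlines()) if e]
    return sorted(events, key=lambda e: e.ts)


def trail_for(events: list[AuditEvent], user: str) -> list[tuple[str, str, str]]:
    """Everything one identified user did, across systems, in time order."""
    return [(e.system, e.action, e.target) for e in events if e.user == user]


def unattributable(events: list[AuditEvent]) -> list[AuditEvent]:
    """Events that cannot be tied to one person, violating the accountability principle."""
    return [e for e in events if e.user in SHARED_ACCOUNTS]


if __name__ == "__main__":
    trail = build_trail(APP_LOG, DB_LOG)
    for e in trail:
        print(e.ts.isoformat(), e.system, e.user, e.action, e.target)
    print("bob:", trail_for(trail, "bob"))
    print("unattributable:", [(e.ts.isoformat(), e.system, e.target) for e in unattributable(trail)])
```

The design point is the single timestamp convention: once every record is a timezone-aware UTC datetime, events from any number of systems merge into one ordered trail, and the per-user view falls out of a filter. Access to the payroll data under `shared_ops` is the kind of finding an investigation cannot resolve to a person, which is exactly why the accountability principle asks for unique identification up front.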

Page 17: Information security

SOURCES OF THREATS TO IS

• INTERNAL SOURCES

• EXTERNAL SOURCES

Page 18: Information security

INTERNET FRAUDS

Hacking

Protection against hacking:

• Checking system security

• Use of firewalls

• Data encryption

Viruses

Protection against viruses:

• Use of antivirus software

• Procurement of software from reliable sources

• Testing new applications on stand-alone systems before deployment

Page 19: Information security

Measures against computer frauds

• Detection of frauds

• Disk imaging and analysis technique:

– Imaging the hard disk

– Recovering deleted files

– Analysis of the processed image

• Actions after detection of frauds
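The disk imaging and analysis steps above are a procedure a practitioner can see end to end in a few dozen lines. The following is an added example written for this page, not code from the original slides: it builds a constructed raw image with a toy directory format (the directory layout, sector size and sample files are all assumptions of the example, not a real filesystem), verifies that the working copy hashes identically to the original, shows that a "deleted" file no longer appears in the directory, and then recovers it by carving on the real PNG and JPEG header/footer signatures, which do not depend on filesystem metadata at all.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass

SECTOR = 512

# File signatures used for carving (the real PNG and JPEG magic values).
PNG_SIG = b"\x89PNG\r\n\x1a\n"
PNG_END = b"IEND\xae\x42\x60\x82"  # zero-length IEND chunk plus its fixed CRC
JPEG_SOI = b"\xff\xd8\xff"
JPEG_EOI = b"\xff\xd9"
SIGNATURES = {"png": (PNG_SIG, PNG_END), "jpeg": (JPEG_SOI, JPEG_EOI)}

# Constructed sample files: a 1x1 PNG skeleton and a minimal JPEG skeleton. They are not
# decodable images, just enough structure for signature carving to find start and end.
PNG_SAMPLE = (PNG_SIG + b"\x00\x00\x00\x0dIHDR" + b"\x00\x00\x00\x01\x00\x00\x00\x01\x08\x02\x00\x00\x00"
              + b"\x90\x77\x53\xde" + b"\x00\x00\x00\x00" + PNG_END)
JPEG_SAMPLE = JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + b"\x00" * 40 + JPEG_EOI


@dataclass(frozen=True)
class CarvedFile:
    kind: str
    offset: int
    data: bytes


def make_test_image() -> bytes:
    """Build a constructed 32 KiB raw image with a toy filesystem (an assumption of this
    example, not a real format): sector 0 is a directory of 'name:offset:length' lines.
    report.jpg is listed at sector 30; the PNG at sector 10 had its directory entry
    removed ('deleted'), but its data blocks were never overwritten."""
    img = bytearray(64 * SECTOR)
    directory = f"report.jpg:{30 * SECTOR}:{len(JPEG_SAMPLE)}\n".encode()
    img[0:len(directory)] = directory
    img[10 * SECTOR:10 * SECTOR + len(PNG_SAMPLE)] = PNG_SAMPLE
    img[30 * SECTOR:30 * SECTOR + len(JPEG_SAMPLE)] = JPEG_SAMPLE
    return bytes(img)


def image_sha256(image: bytes) -> str:
    """Hash of the media, taken of the original and again of the copy: matching digests
    show the image is bit-for-bit faithful, and analysis then happens only on the copy."""
    return hashlib.sha256(image).hexdigest()


def list_directory(image: bytes) -> list[tuple[str, int, int]]:
    """What the filesystem still admits to: deleted entries are gone from here."""
    entries = []
    for line in image[:SECTOR].rstrip(b"\x00").decode().splitlines():
        name, off, length = line.split(":")
        entries.append((name, int(off), int(length)))
    return entries


def carve(image: bytes, max_size: int = 10 * 1024 * 1024) -> list[CarvedFile]:
    """Recover files by header/footer signature, ignoring the directory entirely, so
    files whose metadata was deleted are found as long as their blocks are intact."""
    found: list[CarvedFile] = []
    for kind, (head, tail) in SIGNATURES.items():
        pos = 0
        while (start := image.find(head, pos)) >= 0:
            end = image.find(tail, start + len(head), start + max_size)
            if end < 0:  # header without a footer: truncated or partly overwritten
                pos = start + 1
                continue
            end += len(tail)
            found.append(CarvedFile(kind, start, image[start:end]))
            pos = end
    return sorted(found, key=lambda f: f.offset)


if __name__ == "__main__":
    original = make_test_image()
    copy = bytes(original)  # stands in for the bit-for-bit imaging step
    assert image_sha256(original) == image_sha256(copy)
    print("directory:", list_directory(copy))
    for f in carve(copy):
        print(f"{f.kind} at sector {f.offset // SECTOR}, {len(f.data)} bytes, "
              f"sha256={hashlib.sha256(f.data).hexdigest()[:16]}")
```

Two caveats a practitioner would add: carving only recovers a deleted file whose blocks have not been reused, which is why the analysis must run on an image taken before anything else is written to the disk, and a header with no matching footer (the branch that advances `pos` by one byte) means the file was truncated or partly overwritten and should be reported as such rather than silently dropped.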

Page 20: Information security

Prevention of computer frauds

• Making fraud difficult to commit

– Applying strong controls

– Rotating jobs

– Controlling sensitive data

– Controlling laptop computers

– Applying harsh punishment measures

• Improving fraud detection methods

– Use of fraud detection software

– Appointment of a computer security officer

– Monitoring system activities

– Conducting system audit