Chapter 2 IS Handout

Chapter 2 covers the fundamentals of Information System Security (ISS), emphasizing the protection of information systems from unauthorized access and various threats, including malware and insider risks. It outlines key concepts such as confidentiality, integrity, and availability, as well as the components necessary for effective security, including people, processes, technology, policies, and physical security. The chapter also introduces the principles of ISS and the importance of a comprehensive Information Systems Security Policy (ISSP) to guide security practices and ensure compliance with legal requirements.

Chapter 2

2.1 Information System Security Fundamentals


Overview
• Computer security is the branch of computer technology concerned with protecting
computer systems and networks from unauthorized access, attack and damage. Information
security is broader: it protects all forms of information, whether stored digitally or on
physical media.
• The objectives are the protection of information from theft, corruption, damage from
disaster, and so on.
• Security is the state of being free from danger or threat: the prevention and protection of
computer assets from unauthorized access, use, alteration, degradation, destruction and
other threats. A security program covers every kind of information asset an organization
collects. Security is concerned with the technical and procedural methods used to protect
data, not with whether a particular use of that data is appropriate, which is the concern of
privacy. Security can be achieved without privacy, but privacy cannot be achieved without
security.
• Computer system security means the collective processes and mechanisms by which
sensitive and valuable information and services are protected from disclosure, tampering
or collapse, whether caused by unauthorized activity, untrustworthy individuals or
unplanned events.
• Privacy is the state of not being observed or disturbed by others. It is also the legal right
of individuals, groups and organizations to be protected against unauthorized intrusion into
their personal life or affairs, whether by direct physical means or by publication of
information. A privacy program focuses on sensitive information about individuals, such as
names, addresses, login credentials and financial accounts.
• Privacy, as an organizational function, is how the organization processes personal data so as
to comply with laws and regulations.
• Security or privacy threat: any individual, group, act or object that poses a danger to
computer security or privacy.
Information System Security (ISS) encompasses the strategies, policies, and technologies used to
protect information systems from unauthorized access, use, disclosure, disruption, modification,

or destruction. Understanding the fundamentals of ISS is essential for maintaining the security
and integrity of data.
Key Concepts in Information System Security
• Definition of Information System Security
o The protection of information systems from various threats to ensure the
confidentiality, integrity, and availability of data.
• Core objectives (Confidentiality, Integrity, and Availability)
Threats to Information Systems Security
• External Threats:
o Malware: Malicious software designed to harm or exploit any programmable
device or network.
o Hacking: Unauthorized access to systems, often for stealing data or causing
damage.
o Phishing: Deceptive tactics used to trick individuals into revealing sensitive
information.
• Internal Threats:
o Insider Threats: Risks posed by employees or contractors who misuse their
access privileges.
o Human Error: Mistakes made by users, such as accidentally exposing data or
failing to follow security protocols.
• Environmental Threats:
o Natural Disasters: Events like floods, earthquakes, or fires that can damage
physical assets.
o Equipment Failures: Hardware malfunctions that can lead to data loss or system
outages.
2.2. Components of Information Systems Security
Information Systems Security (ISS) is a multifaceted field that encompasses various components
working together to protect information assets. Understanding these components is essential for
implementing effective security measures within an organization. The main components of ISS
are listed below.
• People

o Role: Users, administrators, and security personnel are critical to maintaining
security.
o Human behavior is often the weakest link in security; training and awareness
programs are essential to mitigate risks.
o Measures: regular training sessions, security awareness campaigns, and clearly
established roles and responsibilities.
• Processes: - Established procedures that govern how security is maintained.
o Examples of processes:
▪ Risk Assessment: Identifying and evaluating risks to information assets.
▪ Incident Response: Steps to identify, contain, and recover from security
incidents.
▪ Change Management: Procedures for managing changes to systems and
software to minimize risk.
o Best Practices: Regularly review and update processes to adapt to evolving
threats.
• Technology: - Tools and systems used to enforce security measures.
o Examples of technologies:
▪ Firewalls: Devices that monitor and control incoming and outgoing
network traffic based on predetermined security rules.
▪ Intrusion Detection Systems (IDS): Tools that detect potential security
breaches and raise alerts; an intrusion prevention system (IPS) can
additionally block the traffic it flags.
▪ Encryption: Techniques that encode data so it cannot be read without the
corresponding key, protecting it from unauthorized access.
o Regularly update and patch security technologies to protect against
vulnerabilities.
• Policies: - Formalized guidelines that outline an organization's security strategy. Security
policies provide the guidelines and rules that govern how information systems are
protected. They define acceptable use, data protection measures, and response strategies.
o Examples of policies:
▪ Acceptable Use Policy: Rules for using organizational resources and
technology.

▪ Data Protection Policy: Guidelines for handling and protecting sensitive
information.
▪ Access Control Policy: Defines who can access specific data and
systems.
o Regularly review and revise policies to ensure they remain relevant and effective.
• Physical Security: - Protecting the physical assets of information systems, such as server
rooms and data centers, from unauthorized access and environmental hazards.
o Components:
▪ Access Controls: Security measures like keycards, biometric scanners,
and security personnel.
▪ Environmental Controls: Systems to protect against fire, flooding, and
other environmental hazards.
o Conduct regular security audits of physical environments to identify
vulnerabilities.
• Compliance and Governance: - Adherence to legal, regulatory, and internal standards
regarding information security, ensuring that the organization meets its legal obligations
and follows industry best practices.
o Key aspects:
▪ Regulatory Requirements: Laws and regulations (e.g., GDPR, HIPAA)
that mandate data protection measures.
▪ Internal Governance: Policies and procedures to ensure compliance with
organizational standards.
o Stay informed about relevant laws and regulations, and conduct regular
compliance audits.
2.3. Principles of Information Systems Security
The principles of Information Systems Security (ISS) serve as foundational guidelines that
inform security policies, practices, and strategies. These principles help organizations protect
their information assets and respond effectively to security threats.
• Confidentiality:- Ensuring that sensitive information is only accessible to authorized users.
o Implementation:
▪ Use encryption to protect data in transit and at rest.

▪ Implement access controls to restrict data access based on user roles.
o Best Practices: Regularly review access permissions and conduct audits to ensure
compliance.
• Integrity: - Maintaining the accuracy and consistency of data over its lifecycle.
o Implementation:
▪ Use checksums and hash functions to detect corruption, and keyed hashes
(HMACs) or digital signatures where tampering by someone who can also
rewrite the stored hash must be detected.
▪ Implement version control and logging to track changes to critical data.
o Best Practices: Regularly back up data and validate backups to prevent loss or
corruption.
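The integrity controls above are easy to get wrong: an unkeyed hash detects accidental corruption, but an attacker who can rewrite the data can also rewrite the stored hash, so only a keyed check (an HMAC, or a digital signature) gives tamper evidence. The following Python example is added here to make that distinction concrete; it is not part of the original handout. The sample record, the insider model and the function names are illustrative assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample record (not from any real system): a small config file
# whose silent corruption or deliberate modification we want to detect.
RECORD = b"db_host=10.0.0.5\nadmin_role=read_only\n"


def checksum(data):
    """Unkeyed SHA-256 digest. Detects accidental corruption (disk or
    transfer errors) but gives no protection against an attacker who can
    rewrite both the data and the stored digest."""
    return hashlib.sha256(data).hexdigest()


def verify_checksum(data, expected):
    return hmac.compare_digest(checksum(data), expected)


def tag(data, key):
    """Keyed HMAC-SHA256. Only a holder of `key` can produce a valid tag, so a
    change made by anyone without the key is detectable."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_tag(data, key, expected):
    # compare_digest runs in constant time, so a mismatch does not leak how
    # many leading characters of the tag were correct.
    return hmac.compare_digest(tag(data, key), expected)


def attacker_rewrites(data):
    """Model an insider who can write the file: they change the record and
    recompute the unkeyed checksum so that it still matches."""
    tampered = data.replace(b"read_only", b"superuser")
    return tampered, checksum(tampered)


def demo():
    key = secrets.token_bytes(32)          # kept apart from the data, e.g. in a secrets store
    stored_sum = checksum(RECORD)
    stored_tag = tag(RECORD, key)

    corrupted = RECORD[:-1] + b"X"         # simulate a single-byte transfer error
    tampered, forged_sum = attacker_rewrites(RECORD)

    return {
        "checksum_accepts_original": verify_checksum(RECORD, stored_sum),
        "checksum_catches_corruption": not verify_checksum(corrupted, stored_sum),
        "checksum_fooled_by_insider": verify_checksum(tampered, forged_sum),
        "hmac_catches_insider": not verify_tag(tampered, key, stored_tag),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

All four outcomes in `demo()` are True: the checksum accepts the original and catches the bit flip, but is fooled by the insider who recomputed it, while the HMAC catches the insider. The keyed check only holds while the key stays out of the attacker's reach; if the key is stored next to the data, the HMAC degrades to the unkeyed case.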
• Availability: - Ensuring that information and resources are accessible to authorized users
when needed.
o Implementation:
▪ Implement redundancy and failover systems to minimize downtime.
▪ Conduct regular maintenance and updates to keep systems operational.
o Best Practices: Develop and test disaster recovery and business continuity plans.
• Least Privilege: - Granting users the minimum level of access necessary to perform their
job functions, reducing the potential for unauthorized actions.
o Implementation:
▪ Define user roles and associated permissions clearly.
▪ Regularly review and adjust access rights as roles change.
o Best Practices: Conduct periodic audits of user permissions to prevent excessive
access.
• Defense in Depth:- A layered security approach that employs multiple overlapping controls
to protect information systems, making it harder for an attacker to breach the system.
o Implementation:
▪ Combine physical, technical, and administrative controls for
comprehensive protection.
▪ Use firewalls, intrusion detection systems, and encryption in conjunction.
o Best Practices: Regularly assess and update security measures to address new
threats.

• Accountability: - Ensuring that users are held responsible for their actions within the
information system, which is essential for security and auditing.
o Implementation:
▪ Implement logging and monitoring systems to track user activities.
▪ Develop clear policies on acceptable use and consequences for violations.
o Best Practices: Conduct regular audits of logs and provide training on
accountability measures.
• Risk Management: - The process of identifying, assessing, and prioritizing risks to an
organization's information assets, followed by coordinated efforts to minimize or eliminate
them.
o Implementation:
▪ Conduct regular risk assessments to identify potential threats and
vulnerabilities.
▪ Develop and implement risk mitigation strategies based on assessment
findings.
o Best Practices: Regularly review and update risk management processes to adapt
to changing environments.
• Segregation of Duties:- Dividing responsibilities among different individuals to reduce the
risk of fraud and error.
o Implementation:
▪ Ensure that critical functions (e.g., access control and financial
transactions) are handled by separate individuals.
o Best Practices: Regularly review roles and responsibilities to ensure proper
segregation.
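Least privilege (above) and segregation of duties (this item) are usually enforced together through role-based access control: narrow roles, a deny-by-default authorization check, a conflict check at the moment a role is assigned, and a periodic review that finds permissions nobody has used. The Python example below is added here to show all four in code and is not from the original handout; the roles, permission names, conflicting pairs and usage data are constructed assumptions.

```python
# Role -> permission map. Roles are deliberately narrow so that a user holds
# only what the job needs (least privilege). Names are illustrative assumptions.
ROLE_PERMISSIONS = {
    "payments_clerk":    {"payment:create"},
    "payments_approver": {"payment:approve"},
    "iam_admin":         {"access:grant", "access:revoke"},
    "access_reviewer":   {"access:review", "log:read"},
    "auditor":           {"log:read"},
}

# Permission pairs that must never be held by one person (segregation of
# duties): whoever creates a payment must not approve it, and whoever grants
# access must not be the one who reviews it.
CONFLICTING = {
    frozenset({"payment:create", "payment:approve"}),
    frozenset({"access:grant", "access:review"}),
}


class SegregationOfDutiesError(Exception):
    pass


def permissions_of(roles):
    """Union of the permissions granted by a set of roles."""
    perms = set()
    for role in roles:
        if role not in ROLE_PERMISSIONS:
            raise KeyError(f"unknown role {role!r}")   # fail closed: an unknown role grants nothing
        perms |= ROLE_PERMISSIONS[role]
    return perms


def is_authorized(roles, permission):
    """Authorization check at the point of action: deny unless a role grants it."""
    return permission in permissions_of(roles)


def sod_violations(roles):
    """Conflicting pairs that the given roles would place in one person's hands."""
    held = permissions_of(roles)
    return sorted(tuple(sorted(pair)) for pair in CONFLICTING if pair <= held)


def assign_role(assignments, user, role):
    """Grant `role` to `user` unless the combined roles breach SoD. The check
    runs at assignment time, so a violation is prevented rather than logged."""
    proposed = assignments.get(user, set()) | {role}
    conflicts = sod_violations(proposed)
    if conflicts:
        raise SegregationOfDutiesError(f"{user}: adding {role} would combine {conflicts}")
    assignments[user] = proposed
    return proposed


def excess_permissions(assignments, usage):
    """Periodic least-privilege review: permissions held but never exercised
    in the review window are candidates for removal."""
    report = {}
    for user, roles in assignments.items():
        unused = permissions_of(roles) - usage.get(user, set())
        if unused:
            report[user] = sorted(unused)
    return report


# Constructed sample of which permissions each user actually exercised during
# the last review period (in practice derived from the audit logs).
USAGE_LAST_90_DAYS = {
    "alice": {"payment:create"},
    "bob":   {"payment:approve"},
    "carol": {"access:grant"},
}


def demo():
    assignments = {}
    assign_role(assignments, "alice", "payments_clerk")
    assign_role(assignments, "bob", "payments_approver")
    assign_role(assignments, "carol", "iam_admin")
    try:
        assign_role(assignments, "alice", "payments_approver")   # alice would create and approve
        blocked = False
    except SegregationOfDutiesError:
        blocked = True
    return assignments, blocked, excess_permissions(assignments, USAGE_LAST_90_DAYS)


if __name__ == "__main__":
    assignments, blocked, review = demo()
    print("assignments:", assignments)
    print("SoD conflict blocked:", blocked)
    print("unused permissions to remove:", review)
```

The review step is what turns "least privilege" from a one-time design choice into an operating practice: carol holds `access:revoke` but has not used it in the window, so the report flags it for removal, while the assignment step refuses to let alice hold both sides of a payment.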
2.4. Introduction to Information Systems Security Policy
An Information Systems Security Policy (ISSP) is a formal document that outlines the security
requirements and guidelines for protecting an organization's information assets. It provides the
framework within which security measures are established, risk is managed, and compliance with
legal and regulatory requirements is ensured; an effective ISSP is the roadmap for all three.
Purpose of an Information Security Policy
• Establish Security Expectations: Clearly define the organization's security goals and the
responsibilities of employees in maintaining security.
• Guide Security Practices: Provide a framework for implementing security controls and
procedures.
• Ensure Compliance: Help organizations comply with legal, regulatory, and contractual
requirements regarding data protection.
• Mitigate Risks: Identify potential security threats and outline strategies to minimize risks
to information assets.

Elements of an IS Security Policy

• Purpose and Scope
o Purpose: Clearly defines the objectives of the policy, including the need to
protect sensitive information and maintain security. Outlines the primary goals of
the security policy, such as protecting confidentiality, integrity, and availability.
Guides decision-making and resource allocation for security efforts.
o Scope: Specifies the boundaries and applicability of the policy: the systems,
assets, data, personnel and geographical locations it covers, and any exclusions.
This clarifies which parts of the organization must adhere to the policy.
• Roles and Responsibilities
o Defines the security responsibilities of the various stakeholders, including
IT staff, management, and end users:
▪ Management: Overall accountability for security initiatives.
▪ IT Staff: Implementation and maintenance of security measures.
▪ Users: Adherence to security practices and reporting of incidents.
o Ensures accountability and clarity in security roles.

• Acceptable Use Policy (AUP)
o Guidelines on acceptable behaviour and practices for the use of organizational
resources, including:
▪ Internet usage

▪ Email communication and guidelines for using company devices
▪ Restrictions on personal use of organizational resources
o Establishes how employees, contractors and other users may access and use
these resources so as to ensure security and compliance.
o Helps prevent misuse of resources (such as technology and data) and protects against
legal liabilities.
• Data Protection Guidelines
o Rules that specify how sensitive information should be handled, stored, and
shared in order to protect its confidentiality, integrity and availability, including:
▪ Data classification levels (e.g., confidential, internal, public)
▪ Data access control (defines who has access to different types of data and
under what conditions, applying the least privilege principle)
▪ Encryption requirements for sensitive data
o Ensures that data is protected throughout its lifecycle.
• Access Control Policy
o Details the procedures for granting, monitoring, and revoking access to systems
and data. Defines who can access specific systems and data, under what
conditions, and the methods for granting and revoking access, including:
▪ Access control principles (least privilege and need to know: access is
granted only to individuals who require it for a legitimate business purpose).
▪ Role-based access control
▪ Authentication mechanisms
▪ Access request and approval procedures
o Minimizes unauthorized access and protects sensitive information.
• Incident Response Procedures
o Describes the procedures for detecting, reporting, and responding to security
incidents, i.e. the steps to be taken in the event of a security breach or incident,
including:
▪ Identification and assessment of the incident
▪ Containment and eradication measures
▪ Recovery processes and communication strategies

o Ensures a timely and effective response to mitigate the impact of security
breaches.
• Compliance Requirements
o The legal, regulatory, and industry standards that the organization must
adhere to in order to protect its information, together with how compliance with
the policy itself will be monitored and enforced. Addresses legal, regulatory, and
contractual obligations, including:
▪ Industry-specific regulations (e.g., GDPR, HIPAA)
▪ Organizational standards and best practices
o Helps maintain compliance and avoid legal penalties, and identifies areas for
improvement.
• Training and Awareness
o Programs designed to educate employees and stakeholders about information
security policies and practices and their roles in maintaining security.
o Promotes a security-conscious culture within the organization and reduces the risk
of human error.
• Review and Revision
o Procedures for regularly reviewing and updating the security policy to ensure its
effectiveness and relevance.
o This is crucial for adapting to changes in technology, regulations, and
organizational needs.

2.5. Plan, Design, and Implement Information Systems Security


Planning, designing, and implementing Information Systems Security (ISS) are crucial for
protecting sensitive data and ensuring organizational resilience against threats. This process
involves a structured approach to identify risks, establish security measures, and maintain an
effective security posture.
Planning Information Systems Security
It refers to the process of developing strategies, policies, and procedures to protect an
organization's information assets from threats and vulnerabilities. Effective planning is essential for

establishing a comprehensive security posture that addresses potential risks, ensures compliance
with regulations, and supports business objectives. Here are key components of planning:
A. Assess the Current Security Posture
o Risk Assessment- The process of identifying, analyzing, and evaluating the risks
to information assets, the vulnerabilities that give rise to them, and the security
controls that address them.
Steps:
▪ Identify assets (data, systems, personnel).
▪ Identify threats (malware, insider threats, natural disasters).
▪ Evaluate vulnerabilities and their potential impact.
▪ Prioritize risks based on likelihood and impact.
o Evaluate Existing Security Measures: Review current policies, procedures,
security controls, and technologies to identify gaps and areas for improvement,
and so understand the organization's overall security effectiveness.
B. Define Security Objectives
o Establish Clear Goals: Determine what the organization aims to achieve with
its security program (e.g., compliance, risk reduction).
o Align with Business Objectives: Ensure security goals support the broader
mission and objectives of the organization.
• Considerations:
o What data needs protection?
o What are the legal and regulatory requirements?
o How will security support business operations?
C. Create a Security Policy Framework
This involves developing a structured approach to establishing, implementing, and managing
security policies within the organization. The framework serves as a blueprint for ensuring that
all security measures align with the organization's goals, regulatory requirements and best practices.
o Develop Information Security Policies: Draft policies that cover access control,
incident response, acceptable use, and compliance.
o Engage Stakeholders: Involve relevant parties (management, IT staff, and users) in the
planning process. This ensures alignment with business goals and increases buy-in for
security initiatives.

Designing Information Systems Security
It refers to the process of creating a comprehensive architecture and framework that defines how
security controls, policies and practices will be implemented to protect an organization's
information assets. This stage follows the planning phase and involves translating security
objectives into actionable designs that can be effectively operationalized.
A. Develop Security Architecture
• A framework that outlines how security controls are integrated into the organization's
infrastructure.
• Components:
o Physical security measures (e.g., access controls, surveillance).
o Technical controls (e.g., firewalls, encryption).
o Administrative controls (e.g., policies, procedures).
• Architectural Design: Create a security architecture that aligns with organizational needs
and includes layers of security (perimeter, network, application, and data security).
B. Select Security Technologies
• Identify and choose appropriate tools and solutions that address the identified risks
effectively and support the organization's security objectives.
• Examples:
o Firewalls to control network traffic.
o Intrusion Detection Systems (IDS) for monitoring suspicious activity.
o Endpoint protection for securing devices.
C. Establish Security Policies
• Develop formalized policies to guide security practices and user behavior.
• These policies serve as the foundation of the organization's security framework and
ensure that all employees understand their responsibilities regarding information
security.
• Develop the various types of security policies:
o Acceptable Use Policy (AUP)
o Data Protection Policy
o Incident Response Policy
D. Data Classification

o Categorize Data: Classify data based on its sensitivity and the impact of unauthorized
disclosure or alteration.
o Implement Protection Measures: Apply security controls based on data classification
levels (e.g., encryption for sensitive data).
E. Network Security Design
• It refers to the process of creating a comprehensive strategy and framework to protect an
organization's network infrastructure from unauthorized access, attacks, and other security
threats.
• Segmentation: Design the network to limit access between different segments, reducing
the risk of lateral movement during an attack.
• Firewalls and Intrusion Detection Systems: Implement firewalls and IDS/IPS to monitor
and control network traffic.
Implementing Information Systems Security
It refers to the process of putting into action the security policies, controls, and practices that
have been designed to protect an organization's information assets. This phase is crucial for
translating theoretical security plans into practical measures that enhance the organization's
overall security posture.
A. Deployment of Security Measures
o Install Security Solutions: Deploy antivirus software, firewalls, encryption tools, and
access control mechanisms according to the design specifications.
o Configure Systems Securely: Ensure that all systems are configured according to best
practices and organizational policies.
o Implement physical security controls (e.g., locks, access cards).
B. Employee Training and Awareness
o Conduct Security Training: Provide regular training sessions to educate employees about
security policies, recognizing phishing attempts, reporting security incidents, and safe
computing practices.
o Promote a Security Culture: Encourage a culture of security awareness where employees
feel responsible for protecting information assets.
C. Testing and Validation
• Ensure that security measures are functioning as intended.

• Methods: Conduct vulnerability assessments and penetration testing. Simulate security
incidents to test incident response capabilities.
D. Monitoring and Continuous Improvement
• Continuous Monitoring
o Implement Security Monitoring Tools: Continuously monitor systems for threats and
vulnerabilities. Regularly review logs and alerts for unusual activity, and use a
SIEM (Security Information and Event Management) system to collect and analyze
security events in near real time.
o Regular Audits and Assessments: Conduct periodic security audits to evaluate the
effectiveness of security measures and identify areas for improvement.
• Update and Adapt Security Measures
o Review and Revise Policies: Update security policies and procedures regularly to reflect
changes in technology and emerging threats.
o Stay Informed on Threats: Keep abreast of the latest security threats and vulnerabilities to
adapt security measures accordingly.
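Accountability in section 2.3 calls for logging and monitoring of user activity, and the continuous-monitoring step above calls for reviewing logs and alerts for unusual activity. The following Python example is added to show what such a review looks like when written down as a detection rule of the kind a SIEM would run: it parses constructed SSH-style authentication log lines and flags a burst of failed logins from one source address, and a successful login that follows such a burst. It is not part of the original handout; the log format, the thresholds and the addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the style of a Linux SSH auth log (made up for this
# example; 203.0.113.0/24 and 198.51.100.0/24 are documentation address ranges).
SAMPLE_LOG = """\
2024-03-01T09:00:01 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
2024-03-01T09:00:03 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51123 ssh2
2024-03-01T09:00:04 sshd[1201]: Failed password for root from 203.0.113.7 port 51124 ssh2
2024-03-01T09:00:06 sshd[1201]: Failed password for root from 203.0.113.7 port 51125 ssh2
2024-03-01T09:00:08 sshd[1201]: Failed password for root from 203.0.113.7 port 51126 ssh2
2024-03-01T09:00:09 sshd[1201]: Accepted password for root from 203.0.113.7 port 51127 ssh2
2024-03-01T09:15:00 sshd[1300]: Failed password for alice from 198.51.100.20 port 40000 ssh2
2024-03-01T09:15:30 sshd[1300]: Accepted publickey for alice from 198.51.100.20 port 40001 ssh2
2024-03-01T11:00:00 sshd[1400]: Failed password for bob from 198.51.100.21 port 40100 ssh2
2024-03-01T12:30:00 sshd[1401]: Failed password for bob from 198.51.100.21 port 40101 ssh2
2024-03-01T12:30:05 CRON[1500]: pam_unix(cron:session): session opened for user root
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) (?:password|publickey) "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse(line):
    """Return the fields the rules need, or None for lines this rule does not model."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "result": m["result"],
        "user": m["user"],
        "ip": m["ip"],
    }


def detect(lines, threshold=5, window=timedelta(minutes=5)):
    """Two rules over a sliding window of failures per source IP:
    BRUTE_FORCE               - `threshold` failed logins within `window`
    SUCCESS_AFTER_BRUTE_FORCE - a successful login while such a burst is still in the window
    Returns (rule, ip, user, timestamp) tuples."""
    events = [e for e in map(parse, lines) if e is not None]
    events.sort(key=lambda e: e["ts"])
    recent_failures = defaultdict(list)   # ip -> timestamps of failures still inside the window
    alerts = []
    for e in events:
        q = recent_failures[e["ip"]]
        while q and e["ts"] - q[0] > window:     # expire failures older than the window
            q.pop(0)
        if e["result"] == "Failed":
            q.append(e["ts"])
            if len(q) == threshold:              # fire once per burst, not on every extra failure
                alerts.append(("BRUTE_FORCE", e["ip"], e["user"], e["ts"].isoformat()))
        elif len(q) >= threshold:                # success right after a burst: a guessed credential
            alerts.append(("SUCCESS_AFTER_BRUTE_FORCE", e["ip"], e["user"], e["ts"].isoformat()))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(*alert)
```

On the sample, only 203.0.113.7 trips the rules: five failures in seven seconds, then an accepted root login one second later, which is the alert that warrants an incident-response ticket rather than a routine note. alice's single typo and bob's two failures ninety minutes apart stay below the threshold, and the unrelated cron line is ignored by the parser. The window and threshold are tuning knobs: too tight and a slow, distributed guess goes unseen; too loose and ordinary typos page the on-call engineer.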
