

ID: 3594775 • Letter: C

Question

Choose a real or hypothetical organization, corporation (profit or nonprofit), or institution that uses IT in its product, services, activities, and/or operations. If you work in an organization or field that could benefit from an information network security policy, you might wish to apply the project to it.

Assignment: Prepare a well-written security policy proposal for your organization that utilizes the concepts of INFORMATION SECURITY LEGAL & ETHICAL ISSUES.

Make sure that your proposal includes the basic elements of a good security policy including:

1. Introduction describing your organization and describing its mission, products/services, technical resources, and technical strategy.

2. Analysis of the organization’s relationships to its clients/customers, staff, management, and owners or other stakeholders.

3. A vulnerability assessment.

Your recommendation, including: proposed remedial measures (as appropriate to the situation; these might include firewall/gateway provisions, authentication and authorization, encryption systems, intrusion detection, virus detection, incident reporting, education/training, etc.)

4. Proposed code of ethics or code of practice to be applied within the organization.

5. Legal/compliance requirements and a description of how they will be met.

6. Proposed security policy statement/summary.

Important: Your proposal must justify every element of your proposal in ethical and legal terms. In other words, you need to state why each policy/code element (including technical elements) is good for business and why it is good/sound ethical policy (how it is good for the organization and why it is good for customers, users, or employees, or the public). Also identify any ethical/legal tensions, conflicts, and/or contradictions and justify any trade-offs being made in the recommendation.

Your paper should be 8-10 pages.


Explanation / Answer

Answer:

This chapter discusses security policies in the context of requirements for information security and the circumstances in which those requirements must be met, examines common principles of management control, and reviews typical system vulnerabilities, in order to motivate consideration of the specific sorts of security mechanisms that can be built into computer systems—to complement nontechnical management controls and thus implement policy—and to stress the significance of establishing GSSP. Additional information on privacy issues and detailing the results of an informal survey of commercial security officers is provided in the two chapter appendixes.

SECURITY POLICIES:

Confidentiality:

When protecting information, we want to be able to restrict access to those who are allowed to see it; everyone else should be disallowed from learning anything about its contents. This is the essence of confidentiality. For example, federal law requires that universities restrict access to private student information. The university must be sure that only those who are authorized have access to view the grade records.

Integrity:

Integrity is the assurance that the information being accessed has not been altered and truly represents what is intended. Just as a person with integrity means what he or she says and can be trusted to consistently represent the truth, information integrity means information truly represents its intended meaning. Information can lose its integrity through malicious intent, such as when someone who is not authorized makes a change to intentionally misrepresent something. An example of this would be when a hacker is hired to go into the university’s system and change a grade.

Integrity can also be lost unintentionally, such as when a computer power surge corrupts a file or someone authorized to make a change accidentally deletes a file or enters incorrect information.

Availability:

Information availability is the third part of the CIA triad. Availability means that information can be accessed and modified by anyone authorized to do so in an appropriate timeframe. Depending on the type of information, an appropriate timeframe can mean different things. For example, a stock trader needs information to be available immediately, while a sales person may be happy to get sales numbers for the day in a report the next morning. Companies such as Amazon.com will require their servers to be available twenty-four hours a day, seven days a week. Other companies may not suffer if their web servers are down for a few minutes once in a while.

Tools for Information Security:

In order to ensure the confidentiality, integrity, and availability of information, organizations can choose from a variety of tools. Each of these tools can be utilized as part of an overall information-security policy, which will be discussed in the next section.

Authentication:

The most common way to identify someone is through their physical appearance, but how do we identify someone sitting behind a computer screen or at the ATM? Tools for authentication are used to ensure that the person accessing the information is, indeed, who they present themselves to be.

Authentication can be accomplished by identifying someone through one or more of three factors: something they know, something they have, or something they are. For example, the most common form of authentication today is the user ID and password. In this case, the authentication is done by confirming something that the user knows (their ID and password). But this form of authentication is easy to compromise (see sidebar) and stronger forms of authentication are sometimes needed. Identifying someone only by something they have, such as a key or a card, can also be problematic.

Access Control:

Once a user has been authenticated, the next step is to ensure that they can only access the information resources that are appropriate. This is done through the use of access control. Access control determines which users are authorized to read, modify, add, and/or delete information. Several different access control models exist. Here we will discuss two: the access control list (ACL) and role-based access control (RBAC).

ACLs are simple to understand and maintain. However, they have several drawbacks. The primary drawback is that each information resource is managed separately, so if a security administrator wanted to add or remove a user to a large set of information resources, it would be quite difficult. And as the number of users and resources increase, ACLs become harder to maintain. This has led to an improved method of access control, called role-based access control, or RBAC.

Encryption:

Many times, an organization needs to transmit information over the Internet or transfer it on external media such as a CD or flash drive. In these cases, even with proper authentication and access control, it is possible for an unauthorized person to get access to the data. Encryption is a process of encoding data upon its transmission or storage so that only authorized individuals can read it. This encoding is accomplished by a computer program, which encodes the plain text that needs to be transmitted; then the recipient receives the cipher text and decodes it (decryption). In order for this to work, the sender and receiver need to agree on the method of encoding so that both parties can communicate properly. Both parties share the encryption key, enabling them to encode and decode each other’s messages. This is called symmetric key encryption. This type of encryption is problematic because the key is available in two different places.

An alternative to symmetric key encryption is public key encryption. In public key encryption, two keys are used: a public key and a private key. To send an encrypted message, you obtain the public key, encode the message, and send it. The recipient then uses the private key to decode it. The public key can be given to anyone who wishes to send the recipient a message. Each user simply needs one private key and one public key in order to secure messages. The private key is necessary in order to decrypt something sent with the public key.

MANAGEMENT CONTROLS-CHOOSING THE MEANS TO SECURE INFORMATION AND OPERATIONS

The setting of security policy is a basic responsibility of management within an organization. Management has a duty to preserve and protect assets and to maintain the quality of service. To this end it must assure that operations are carried out prudently in the face of realistic risks arising from credible threats. This duty may be fulfilled by defining high-level security policies and then translating these policies into specific standards and procedures for selecting and nurturing personnel, for checking and auditing operations, for establishing contingency plans, and so on. Through these actions, management may prevent, detect, and recover from loss. Recovery depends on various forms of insurance: backup records, redundant systems and service sites, self-insurance by cash reserves, and purchased insurance to offset the cost of recovery.

Preventing Breaches of Security—Basic Principles:

Management controls are intended to guide operations in proper directions, prevent or detect mischief and harmful mistakes, and give early warning of vulnerabilities. Organizations in almost every line of endeavor have established controls based on the following key principles:

Individual accountability,

Auditing, and

Separation of duty.

These principles, recognized in some form for centuries, are the basis of precomputer operating procedures that are very well understood.

Individual accountability answers the question: Who is responsible for this statement or action? Its purpose is to keep track of what has happened, of who has had access to information and resources and what actions have been taken. In any real system there are many reasons why actual operation may not always reflect the original intentions of the owners: people make mistakes, the system has errors, the system is vulnerable to certain attacks, the broad policy was not translated correctly into detailed specifications, the owners changed their minds, and so on. When things go wrong, it is necessary to know what has happened, and who is the cause. This information is the basis for assessing damage, recovering lost information, evaluating vulnerabilities, and initiating compensating actions, such as legal prosecution, outside the computer system.

Auditing services support accountability and therefore are valuable to management and to internal or external auditors. Given the reality that every computer system can be compromised from within, and that many systems can also be compromised if surreptitious access can be gained, accountability is a vital last resort. Auditing services make and keep the records necessary to support accountability. Usually they are closely tied to authentication and authorization (a service for determining whether a user or system is trusted for a given purpose—see discussion below), so that every authentication is recorded, as is every attempted access, whether authorized or not. Given the critical role of auditing, auditing devices are sometimes the first target of an attacker and should be protected accordingly.

Separation of duty is an example of a broader class of controls that attempt to specify who is trusted for a given purpose. This sort of control is generally known as user authorization. Authorization determines whether a particular user, who has been authenticated as the source of a request to do something, is trusted for that operation. Authorization may also include controls on the time at which something can be done (only during working hours) or the computer terminal from which it can be requested (only the one on the manager's desk).

DEVELOPING POLICIES AND APPROPRIATE CONTROLS:

Ideally a comprehensive spectrum of security measures would ensure that the confidentiality, integrity, and availability of computer-based systems were appropriately maintained. In practice it is not possible to make ironclad guarantees. The only recipe for perfect security is perfect isolation: nothing in, nothing out. This is impractical, and so security policies will always reflect trade-offs between cost and risk. The assets to be protected should be categorized by value, the vulnerabilities by importance, and the risks by severity, and defensive measures should be installed accordingly. Residual vulnerabilities should be recognized.

Planning a security program is somewhat like buying insurance. An organization considers the following:

The value of the assets being protected.

The vulnerabilities of the system: possible types of compromise, of users as well as systems. What damage can the person in front of the automated teller machine do? What about the person behind it?

Threats: do adversaries exist to exploit these vulnerabilities? Do they have a motive, that is, something to gain? How likely is attack in each case?

Risks: the costs of failures and recovery. What is the worst credible kind of failure? Possibilities are death, injury, compromise to national security, industrial espionage, loss of personal privacy, financial fraud, election fraud.

The organization's degree of risk aversion.

Security Roles and Responsibilities:

Levels of Responsibilities

Classification of Roles and their Responsibilities

Data Owner

Data Custodian

System Owner

Security Administrator

Security Analyst

Application Owner

Supervisor

Change Control Analyst

Data Analyst

Process Owner

Solution Provider

User

Product Line Manager

RISKS AND VULNERABILITIES

Risks arise because an attack could exploit some system vulnerability (see, for example, Boxes 2.1 and 2.2). That is, each vulnerability of a system reflects a potential threat, with corresponding risks. In a sampling of a collection of over 3,000 cases of computer system abuse, drawn from the media and personal reporting, the following types of attack, listed roughly in order of decreasing frequency, predominated (Neumann and Parker, 1989):

Misusing authority, through activities such as improper acquisition of resources (reading of data, theft of programs), surreptitious modification, and denials of service, apparently by authorized users.

Masquerading, as in one user impersonating another.

Bypassing intended controls, by means such as password attacks and exploitation of trapdoors. These attacks typically exploit system flaws or hidden circumventive "features."

Setting up subsequent abuses such as Trojan horses, logic bombs, or viruses.

Carrying out hardware and media abuses, such as physical attacks on equipment and scavenging of information from discarded media. (Electronic interference and eavesdropping also belong in this class but have not been widely detected.)

Using a computer system as an indirect aid in committing a criminal act, as in auto-dialing telephone numbers in search of answering modems, cracking another system's encrypted password files, or running an illicit business.

Summary:

As computing and networking resources have become more and more an integral part of business, they have also become a target of criminals. Organizations must be vigilant with the way they protect their resources. The same holds true for us personally: as digital devices become more and more intertwined with our lives, it becomes crucial for us to understand how to protect ourselves.

Responsibilities of the Information Security Officer
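The answer above describes role-based access control as the fix for per-resource ACL maintenance, authorization constraints such as working hours and a permitted terminal, and auditing that records every access attempt whether granted or not. The following is an added illustration of those three ideas working together; it is not code from the answer or from any referenced source, and all roles, users, resources and timestamps are constructed for the example.

```python
"""Constructed example: RBAC authorization with time-of-day and terminal
constraints, where every decision (granted or denied) is written to an audit log."""
from datetime import datetime

# Each role lists the operations it is trusted for on each resource (made-up data).
ROLE_PERMISSIONS = {
    "registrar": {"grades": {"read", "modify"}},
    "student":   {"grades": {"read"}},
    "auditor":   {"grades": {"read"}, "audit_log": {"read"}},
}
# Extra authorization constraints per role: permitted hours and terminal.
ROLE_CONSTRAINTS = {
    "registrar": {"hours": (8, 18), "terminal": "registrar-desk"},
}


class AuthorizationService:
    def __init__(self, user_roles):
        self.user_roles = {u: set(r) for u, r in user_roles.items()}
        self.audit_log = []  # every attempt is recorded, authorized or not

    def revoke_role(self, user, role):
        # One change here removes the user's access to every resource the role
        # covered; with per-resource ACLs each resource would need editing.
        self.user_roles.get(user, set()).discard(role)
        self.audit_log.append(("revoke", user, role))

    def authorize(self, user, resource, action, when, terminal):
        granted, reason = False, "no role grants this action"
        for role in self.user_roles.get(user, set()):
            if action not in ROLE_PERMISSIONS.get(role, {}).get(resource, set()):
                continue
            c = ROLE_CONSTRAINTS.get(role, {})
            start, end = c.get("hours", (0, 24))
            if not (start <= when.hour < end):
                reason = f"{role}: outside working hours"
                continue
            if "terminal" in c and terminal != c["terminal"]:
                reason = f"{role}: request not from the permitted terminal"
                continue
            granted, reason = True, f"{role} permits {action} on {resource}"
            break
        # Denied attempts are logged too: they are the early warning the text describes.
        self.audit_log.append(
            (when.isoformat(), user, resource, action, terminal, granted, reason))
        return granted
```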
