
Information and computer security capstone project

Last reviewed: March 28, 2012
Abstract

This article proposes the development and implementation of an extensive information security governance framework. Such a framework has become the need of the hour because information technology has become an integral part of corporate culture and the workforce has to be acquainted with it. Protecting corporate information is the mandatory responsibility of all employees.

Computer Security

People, process and technology are the three things involved in information security. Biometrics, passwords and firewalls are some of the technical measures, and on their own they are not enough to counter threats to information. In order to protect information from destruction and to secure systems, a blend of different procedures is required. While deploying information security, some factors need to be considered, for instance processes like user registration and de-registration, and people aspects like teaching, observance and leading. With the evolution of information security, the focus has shifted toward a governance-oriented and people-oriented approach (Baggett, 2003).

Background

The so-called initial stage of information security was characterized by a scientific approach to securing the Information Technology environment. With the passage of time, the "technical people" working in an organization realized that the role of management in information security is imperative and that it is essential to involve top management (Von Solms, 2000). This realization became the basis for the second stage, where organizations incorporated management into the information security function. Both phases continued in parallel, and they are termed management involvement and technical protection mechanisms. Firms then realized that, in the past, some other essentials of information security had been ignored. What is immediately required is to address the human element, which poses the most dangerous threat to information security in every firm (Von Solms, 2000, 1997; Da Veiga, Martins, & Eloff, 2007), and inside the organization extra attention needs to be given to the culture of information security (Von Solms, 2000). The third stage of information security holds that employees should build the culture of information security into their daily routine; in fact, it should be adopted as a culture within the organization. Accepting information security as a culture means adopting an approach which promotes the inclusion of information security in such a manner that all the activities conducted within an organization take place in its presence (Martins & Eloff, 2002).

Problem

It is the foremost duty of the executives to inculcate within the organization a proper culture relating to information security. Communicating the relevant content to employees is important, but a complete controlling framework should also be in place (Cobit Security Baseline, 2004). The next section explains governance in relation to information security. This governance mechanism sets out the general approach under which information security is used to diminish threats (Von Solms, 2006).

The next section focuses on ways to avoid threats of deception and social engineering. A survey conducted by Price Waterhouse Coopers (PWC, 2004) regarding breaches of information security states that there have been quite a few technology breakdowns, like system failures or corruption of important information, but the proportion of breaches due to human error is still considered the greatest. Price Waterhouse Coopers suggest embedding a security-aware culture within the organization to solve the problem of human error. According to management, if employees are allowed to interact with the technical controls, there is likely to be a chance for deception to occur. Von Solms (2006) emphasizes that, to mitigate these threats, an information security governance mechanism must be present.

Purpose

The sole objective of this paper is to assess the existing approaches followed in the framework of information security governance, so that the updated governance framework can be more wide-ranging and better than the previous ones. The new governance structure relies on technological, procedural and individual behavioral mechanisms to reach a single point of reference for governing information security. The four approaches assessed in this paper are: PROTECT (Eloff & Eloff, 2005), ISO 17799 (2005), the Information Security Architecture (ISA) (Tudor, 2000), and the Capability Maturity Model (McCarthy & Campbell, 2001). The next section presents a list of components drawn from these four approaches. The information security governance framework is constructed on the basis of those information security components. In the last section, the information security governance framework is discussed in detail.

Significance of problem or concern

The risks that an organization faces can be reduced when executives follow the information security governance framework very strictly, and beyond this they should also monitor the behavior of employees closely. To promote a culture of information security, the entity should make provisions relating to employees' behavior within its information security program. It would not be wrong to say that organizations are looking for a governance structure which does not only cover the technological and procedural aspects of the earlier approaches but also takes account of human behavior. A framework with such qualities would be able to mitigate threats arising from the organization's culture to an acceptable level (Baggett, 2003).

Analysis of current solutions in the marketplace

ISO/IEC 17799 and ISO/IEC 27001

The code of practice for information security management (ISO/IEC 17799, 2005), as issued by the Information Security Organization (ISO), is complete guidance for organizations in the shape of a reference point which helps them recognize the controls they need in situations where information systems are used. Slowly and gradually, with the passage of time, ISO/IEC 17799 (2005) has gained popularity as a very important standard as far as information security is concerned (ISO/IEC, 2005). There are 11 control sections mentioned in relation to this in the study.

ISO 27001 (2005), an officially recognized standard, is taken as the second part of ISO/IEC 17799 (2005). ISO/IEC 17799 (2005) suggests adopting a continuous improvement approach. Such an approach is obtained when organizations establish, implement, operate, monitor, review, maintain and improve the entity's information security management system. The previous standards were built around a single approach, whereas now ISO/IEC 17799 (2005) gives the detailed mechanism of information security, while ISO/IEC 27001 (2005) sketches the implementation and supervision strategies.

PROTECT

The research introduced by Eloff and Eloff (2005) consists of an information security program named PROTECT. PROTECT is short for Policy, Risk, Objective, Technology, Executive, Compliance and Team. The aim of PROTECT is to tackle all the problems relating to information security. It comprises schemes which ensure that well-integrated controls are present within the organization, which aim to reduce risk and guarantee efficacy and competitiveness. PROTECT has seven components, all of which aim to provide an efficient information security program. The efficiency of the program is not limited to the technological perspective but also deals with people.

Capability Maturity Model

The Capability Maturity Model (McCarthy & Campbell, 2001) presents a set of controls which are aimed at preventing illegal access to, alteration of, or destruction of data. The study describes the seven major control points demonstrated by the holistic view of the model based on information security.

Security leadership is the first stage and lays stress on the significance of a security agent at the executive level and on an information security strategy. This should be taken as the origin of both long- and short-term security strategies within an entity. The second stage defines the duties to be undertaken for the development and execution of the information security program. The responsibilities of many individuals need to be defined, for instance the roles of the security officer, network specialist, anti-virus expert, database professional and helpdesk specialist. The third stage encompasses the guidelines which need to be assembled in order to express and execute the information security program. These policies provide guidance on the technological, procedural and human parts of information security. Security management can then become a part of routine operations. This comprises operations regarding the monitoring of users and of the technology deployed. Organizations have to make sure that employees are aware of their policies and that user reports are managed. In the end, the approach focuses on the technological aspects of information security, such as the arrangement of a secure firewall, network and database. Technology protections not only focus on the IT environment but also embrace business continuity and disaster recovery (McCarthy & Campbell, 2001).

The Capability Maturity Model follows an approach which begins at the strategic level and goes down to the technology levels. The technology levels operate by the instructions, or rather guidance, given by the authorities at the strategic level. This model is used in executing information security. The model evaluates the information security program, identifies its risks and gives solutions to reduce the effect of those risks. The solutions given by the model are then implemented into the current procedures (McCarthy & Campbell, 2001).

Information Security Architecture (ISA)

A very flexible and competitive approach, the Information Security Architecture (ISA), is given by Tudor (2000) to protect organizations' assets from all sorts of threats. ISA highlights five principles; these principles identify the risks under which the organization is operating and also assess controls to reduce those risks. It also emphasizes that national law should have strict policies for the confidentiality of organizations' data. These principles also include procedures as well as technological requirements to deal with the entity's security needs.

The first principle speaks about the security organization and infrastructure. It also defines responsibilities with respect to executive protection, while the second principle necessitates that the policies and standards given by management be developed and executed. The security-related controls developed in an organization should not be made in isolation; rather, they should be linked with the ongoing activities of the organization, thus incorporating the risks faced by the organization. The third principle continues with the risk assessment procedures that should be performed across all the application, database and network layers. A project should also be initiated that keeps a check on the financial plan and the assets required to identify and reduce risks and to execute controls. Training programs should be conducted by the organization to ensure that employees are well aware of their responsibilities, so that their work becomes more effective. The fourth principle aims to develop a bond of goodwill and trust between employees, management and third parties, in order to make transactions easier and also for the sake of sustaining privacy. The last principle, the fifth, stresses conformity testing. This is done by external and internal auditors, who monitor the efficacy of the security program. There should be a strict check on the number of times sites are viewed and on how e-mail is used, to keep a practical approach for identifying risks to confidential information. The latest research work of Tudor states that disaster recovery and business continuity are the two factors that can protect an entity's assets and useful information (Holborn, 2005).

Strategic plan

An all-inclusive inventory of components was compiled from the pertinent sections of ISO 17799, some points from the Capability Maturity Model, the components of PROTECT and the fundamentals of the ISA method. The components were chosen from every method, and each component was represented either as an important principle (for instance, "risk focus") or as an information security control (for instance, "business continuity"). Components were grouped together wherever they coincided amongst the various methodologies (ISO 17799, 2005).

As far as the scope of the information security components is concerned, the components of ISO/IEC 17799 (2005) and of the Capability Maturity Model by Campbell and McCarthy are considered to be complete. For this very reason, their ratios of representation are higher than those of the methodologies put forth by Tudor and by Eloff and Eloff. When leading information security in any company, many researchers consider trust, ethical conduct and corporate governance to be the key features of any approach. These features are, however, lacking in the above-mentioned approaches (Donaldson, 2005; Flowerday & Von Solms, 2006; Trompeter & Eloff, 2001).

Eloff and Eloff (2005) are of the view that a complete group of controls needs to be studied, targeting predominantly the presentation of a uniform approach to the organization of an information security program. The approach presented by Eloff is the only one that talks about ethical conduct. Trompeter and Eloff (2001) are of the opinion that employees must incorporate ethical values into their lives in matters pertaining to the information security of their organization. Baggett (2003) states that business values pertaining to both social responsibility and profit making should be developed and communicated by the administration and the owners of the organization. To ensure that the preferred information security environment develops, ethical values, such as not using the Internet for personal reasons while working in the organization and not taking the company's software home, should be inculcated in employees. Though the Eloff methodology (Eloff & Eloff, 2005) is all-inclusive, it fails to make any remarks about factors like incident management and business continuity.

The approach by Tudor (2000) is the only one which makes some remarks about trust. Von Solms (2000) regards trust as perhaps the most significant area of concern as far as instituting information security in an Information Technology setting is concerned. If trust is reciprocated by both employees and management, it becomes easier to apply new processes and to guide employees through behavioral changes relating to information security. Trust, ethical values and corporate governance should all be encompassed in the approach used by a business, to offer a detailed collection of information security components which can counter risks like social engineering attempts, fraudulent activities and abuse of information systems.

Plan of action for implementing your problem solution

By combining the approaches pertaining to the field of information security control, one can compile an all-inclusive group of components with which to study information security governance. The suggested information security governance structure can be employed as a preliminary step toward information security governance, through the development of guiding principles and the application of controls to counter the risks recognized by businesses, for instance misuse of Internet surfing, identity theft and data corruption. This new structure can be used to guide the behavior of employees in all desired aspects of information security. Moreover, it can help nurture the desired degree of information security culture (Baggett, 2003).

Finally, this governance model gives the administration a way to apply an effective and complete information security governance program which covers the procedural, technical and human components. It combines the components of the previously mentioned approaches and also incorporates components which have not been considered before, for instance trust. Therefore, the framework gives a single reference point for managing information security so that the desired level of information security can be instilled in the organizational culture. Because every organization's culture is different and faces its own legal constraints, some components might be needed whereas others may not (Baggett, 2003).

The information security model is divided into four levels, viz. A, B, C and D. Level A comprises tactical, administrative/application-based and technical security components. The tactical components give guidance to the administrative and functional components.

Level B comprises six core groups, which are classified in relation to the three categories of Level A. The six core categories are:

* Tactical:

- Direction and governance.

* Administrative and Functional:

- Security organization and association;

- Security measures and regulations;

- Security program organization; and

- User security organization.

* Technological:

- Technology protection and operations (Baggett, 2003).

Level C comprises an all-inclusive inventory of information security components classified under the six core categories of Level B. Each of these six core categories is affected by change (i.e. Level D) (Baggett, 2003).

Applying information security components brings about a change in the procedures of an organization and affects the manner in which people complete their tasks. Verton (2000) is of the opinion that establishments do not undergo any changes, but employees do, and hence employees change establishments. In an organization, the changes related to information security need to be acknowledged and administered in such a manner that employees can integrate them into their daily tasks. While applying any component of information security, the component of "change" should be accounted for. The six core classifications of information security components and the structure are stated below.

Leadership and Governance

The issue of information security is of great importance for governance, which is why maximum support is provided by the top administrative level in order to protect information records. A collaboration of the IT department and corporate governance is responsible for providing the best information security governance (Von Solms, 2005). It is the responsibility of the board, as conveyed through corporate governance, to successfully manage the organization with the help of good leadership (King Report, 2001; Donaldson, 2005). By corporate governance, one means the authority, rights of ownership, reporting structure, ability to see and predict future patterns, and the policies and procedures adopted by the company (Knapp, Marshall, Rainer, & Morrow, 2004). IT governance also includes the policies related to the governance of technology and information security, as stated by Posthumus and Von Solms (2005).

According to research performed by Gartner (Security, 2005), deploying security development tools, dealing with security violations and disruptions, and privacy rules and regulations are among the top ten priorities of Chief Information Officers (CIOs). Good information security leadership can be demonstrated by adopting these measures, which show that management considers security a main issue in the development process.

Developing an information security strategy for an organization also comes under the responsibility of leadership and governance. This strategy involves dealing with information threats through risk management policies, which include adopting straightforward procedures and the required tools. A well-defined alignment of the information security strategy with the company's policies, including its IT strategic procedures, could make it possible for a company to meet its short- and long-term goals (Security, 2005).

A new methodology of metrics and measurement is used to evaluate an organization's efforts in dealing with information security threats. The number of security incidents, or reviews of those incidents, can be considered metrics. Metrics are now being used by several organizations to enhance the efficacy of their information security policies and to assess how security affects the company's overall strategy (Witty & Hallawell, 2003). Researchers mention that by using metrics as a security tool, an organization can more easily handle day-to-day information insecurities, which could become future business opportunities.

Security Management and Organization

Organizational policies, rules and regulations are discussed under this heading. The main purpose of security management is to administer the information security of the organization (ISO 17799, 2005). An information security organizational design includes compilation and reporting policies, for example centralized or decentralized security management programs. It also covers features like technical expertise, experience and the resources dedicated to the enterprise security architecture (McCarthy and Campbell, 2001).

Well-designed laws and regulations are required to enhance information security policies on a national and international basis, such as: the Health Insurance Portability and Accountability Act (HIPAA) (Bresz, 2004), the Sarbanes-Oxley Act (Donaldson, 2005), the Electronic Communications and Transactions Act (ECT) of 2002, the King Report (2001), and the Promotion of Access to Information Act (PROATIA) (2000).

Security Policies

According to ISO 17799 (2005), security-related policies and procedures, levels and principles are the main drivers of the information security implementation process. These factors also guide management on how to control and run the organization. These measures should also clarify what is expected of employees and how they should behave (Richards, 2002). ISO 17799 (2005) defines a policy as the overall intentions and direction formally expressed by management. Legal concerns and other such categories must be considered in making security policies, which should be implemented through efficient procedures and compliance monitoring. Some of the information security policies are access control, Internet usage, and physical and environmental procedures. A procedure, like user registration and de-registration, forms the fundamentals for accomplishing a policy and gives effect to the statement of the security policy (Vroom & Von Solms, 2004). Procedures are defined on the basis of standards and guidelines, such as a password standard or a firewall configuration standard, in order to meet the security policy's requirements.

Security Program Management

This category revolves around the management of a security program and includes monitoring and compliance. The enforcement and measurement of compliance is essential (Von Solms, 2005). In order to ensure compliance with information security policies and to provide a prompt response to identified incidents, it is necessary to monitor both employee behavior and technology (Vroom & Von Solms, 2004). Monitoring of technology includes measuring capacity and the traffic traversing a network. Employee behavior monitoring implies monitoring the use of strong passwords, checking for the installation of unauthorized software, and monitoring the Internet sites visited the most. Information security monitoring ensures that processes, procedures, controls and policies comply with the organization's goals, vision and objectives (Vroom & Von Solms, 2004).
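The three employee-behavior indicators named above (password-standard compliance, unauthorized software, and the most-visited Internet sites) are concrete enough to be checked automatically. The following script is an added example, not part of the paper and not taken from any of the cited frameworks; it runs the checks over constructed sample data embedded in the file (a password-policy audit with no actual passwords, a per-host software inventory, and a handful of proxy log lines in an assumed five-field format). The policy thresholds and the approved-software list are assumptions chosen for the example.

```python
from collections import Counter
from urllib.parse import urlparse

# Constructed sample data (not from the paper). In practice these would come from
# a directory audit, an endpoint inventory export and the web proxy log.
PASSWORD_AUDIT = [
    {"user": "alice", "length": 14, "char_classes": 4, "age_days": 40},
    {"user": "bob",   "length": 7,  "char_classes": 2, "age_days": 200},
    {"user": "carol", "length": 12, "char_classes": 3, "age_days": 95},
]

SOFTWARE_INVENTORY = {
    "ws-101": ["Office", "Antivirus", "VPN Client"],
    "ws-102": ["Office", "Antivirus", "BitTorrent Client"],
    "ws-103": ["Office", "Remote Admin Tool", "Antivirus"],
}
APPROVED_SOFTWARE = {"Office", "Antivirus", "VPN Client"}  # assumed allowlist

# Assumed proxy log format: timestamp client-ip method url status
PROXY_LOG = """\
2012-03-28T09:12:01 10.0.0.5 GET http://intranet.example/home 200
2012-03-28T09:12:09 10.0.0.7 GET http://news.example/headlines 200
2012-03-28T09:13:44 10.0.0.5 GET http://news.example/sport 200
2012-03-28T09:14:02 10.0.0.9 GET http://social.example/feed 200
2012-03-28T09:15:30 10.0.0.7 GET http://news.example/world 200
2012-03-28T09:16:11 10.0.0.9 GET http://intranet.example/hr 200
"""

# Assumed password standard; the thresholds are illustrative, not from the paper.
PASSWORD_POLICY = {"min_length": 12, "min_char_classes": 3, "max_age_days": 90}


def check_password_policy(records, policy=PASSWORD_POLICY):
    """Return {user: [violations]} for accounts that break the password standard."""
    findings = {}
    for r in records:
        reasons = []
        if r["length"] < policy["min_length"]:
            reasons.append("too short")
        if r["char_classes"] < policy["min_char_classes"]:
            reasons.append("too few character classes")
        if r["age_days"] > policy["max_age_days"]:
            reasons.append("password expired")
        if reasons:
            findings[r["user"]] = reasons
    return findings


def find_unauthorized_software(inventory, approved=APPROVED_SOFTWARE):
    """Return {host: [packages]} for installed software outside the approved list."""
    return {
        host: [p for p in pkgs if p not in approved]
        for host, pkgs in inventory.items()
        if any(p not in approved for p in pkgs)
    }


def top_sites(proxy_log, n=3):
    """Count requests per site host in the proxy log; malformed lines are skipped."""
    counts = Counter()
    for line in proxy_log.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # malformed line: skip it rather than abort the whole report
        host = urlparse(fields[3]).hostname
        if host:
            counts[host] += 1
    return counts.most_common(n)


def compliance_report():
    """Bundle the three checks into one report a security program manager would review."""
    return {
        "password_violations": check_password_policy(PASSWORD_AUDIT),
        "unauthorized_software": find_unauthorized_software(SOFTWARE_INVENTORY),
        "top_sites": top_sites(PROXY_LOG),
    }


if __name__ == "__main__":
    for section, result in compliance_report().items():
        print(f"{section}: {result}")
```

Each check returns data rather than printing it, so the same functions can feed a dashboard or a periodic compliance metric (for instance, the share of accounts with no violations) of the kind the paper discusses under leadership and governance.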

Cite This Paper
PaperDue. (2012). Information and computer security capstone project. PaperDue. https://www.paperdue.com/essay/computer-security-people-process-and-technology-113420
