Information is the Power. The importance of collecting, storing, processing and communicating the relevant information presently is viewed as crucial in order to achieve success in almost all the fields be it business firms, individuals or organizations. An integrated set of components assisting collection, store, process and communication of information is termed as information system. Increasing dependence on information systems is noticed in order to excel in the respective fields of operation such as competing in the marketplace, supply services, augmentation of the personal lives etc. New capabilities have been introduced in the field of information systems with the advent of new technology for collection recording and processing of information. Recording and dissemination of information system is considered to have revolutionized with the invention of movable type in 15th century and creation of portable typewriter at the end of 19th century.
The census tabulator of Herman Hollerith, invented to process the United States 1890 census is still considered to be the first large-scale mechanized information system representing a major leap towards automation. This provided a major inspiration for developing computerized information system that led to use of UNIVAC-I, the first computer, by the U.S. Bureau of the Census in 1951. Its commercial use was explored by General Electric in 1954. In 1970s the advent of personal computers brought many advantages in the field of information system to small business concerns and individuals. Acceleration of the creation of an open global computer network is seen with the invention of World Wide Web in the early 1990s. This revolutionized the information system in the form of digital human communications by way of e-mail, electronic conferencing delivery of products and establishment of business transactions. (Annex to National Training Standard for information systems security (INFOSE) Professionals)
The information system presently being armed with new technologies and new inventions noticed to have supported diverse human activities exerting substantial influence over society. Information and knowledge is presently considered to be vital economic resources. However, along with the new opportunities that the information system is modified to cater to in the present days the newer technologies introduced also posed serious threats in the forms of unauthorized disclosure, modification, destruction of data. This has become a matter of serious concern of everybody warranting greater emphasis on information system security. Security in its generalized form is defined as warranty of liberation against the anticipated threats ensuring an environment of safety. Protection of the information system more particularly the data against unauthorized access, utilization, modification, deletion is covered under the scope of information system security.
Implementation of security controls rigorously calls upon the productivity of the personnel employed in the process of developing information system. Its restricted use hampers the vary purpose for which it is developed. The information system security management therefore, involves a striking balance between security and productivity. Securing a system thus involves consideration of vulnerabilities, threats, countermeasures and acceptable risks. Perfect security of the computerized information system is possible only by shutting down the system in the face of an attack which is neither feasible nor desirable. Seeking of system designs yielding reasonably secure operation in an anticipated threat environment has therefore, become the prime concern of security engineers. Emphasizing on reasonable security ensuring productivity of the personnel is the call of the day. (Annex to National Training Standard for information systems security (INFOSE) Professionals)
The information systems security necessarily involves protection of the three crucial features of information-confidentiality, integrity and availability. Confidentiality is barring of undue access of the undesirable elements to the information. Ensuring confidentiality is the prime objective of all security policy of information systems. This entails prescription of set of rules for determining and examining the authentication for gaining access to particular information by a particular person. Confidentiality signifies the enforcement of access control measures. The second feature of information - integrity more broadly data integrity indicates closest possible representation of reality by the data. Thus data integrity involves the scope of accuracy, relevancy, and completeness. Unauthorized modification, misinterpretation, deletion of data calls upon maintenance of data integrity.
Avoidance of data redundancy and promotion of accuracy and completeness is the essentials of data integrity. The information system security strives to ensure completeness, accuracy of the data in order to reflect the reality that it represents. The third feature of information is confirmation of its availability to the appropriate users. The information systems security must ensure its availability to the authorized persons. Thus the characteristics of confidentiality and integrity together give rise to the characteristics of availability. Viewing in this direction the prime motive of the information system security measures is to ensure maintenance of these three key features of information that is ensuring confidentiality, ensuring integrity of the information and ensuring availability of the information to the authorized users. All the security measures pertaining to information systems strive to maintain these three basic characteristics of information. (Annex to National Training Standard for information systems security (INFOSE) Professionals)
The attacks of terrorism on September 11, 2001 against United States exerting enormous impact on the Nation as a whole forced the federal government and the society in unison to reevaluate the efficacy of the prevailing security measures. The terrorist attack posed serious threats in the new dimensions in the United States revealing the presence of enemies targeting to damage the way of life, prepared to attack in own soil and resorting to unconventional methods for achieving their objectives. The operational aspects of business and government have completely changed with the revolutions in information technology in United States. The complete surrender of control over the economic processes in the fields of manufacturing, utilities, banking and communications to the networked computerized information systems enhanced dependence of the nation on cyberspace. (Cyberspace threats and vulnerabilities; How secure are your information systems)
This has benefited the economy in terms of low cost and higher productivity which exhibits continuously increasing trend towards enhanced dependence on networked systems. The trend predicts complete dependence of the economy and national security on information technology and information system very soon. It has been revealed that the reach of the network computers have crossed the boundaries of the cyberspace supporting the operations of almost all the sectors of the American economy in the fields of energy, transportation, finance and banking, information and telecommunications, public health, emergency services, water, chemical, defense industrial base, food, agriculture, and postal and shipping etc. The increasing dependence on cyberspace created anticipations of severe threats from the adversaries of more devastating effects than the physical attacks exerted on September, 11.
This warranted identification of vulnerability in the cyberspace and the need for devising newer security measures for protection against them. The threat has enormously increased with the following attack of 'NIMDA', the propagation of the computer virus infecting and invading the computers until gaining access and destroying files, in the process affecting 86,000 computers. The threat is also further enhanced with the fact of increasing sophistication of computer attack tools arming increasing number of assaulters day by day. There are anticipations of surveillance on Government, Research Centers, and private companies by the enemies during peace as a prelude of cyber strike mapping the information system, identifying key targets during confrontations. Devastating consequences of cyber attacks on information networks have been foreseen in terms of disruptions in crucial processes, loss of intellectual property, revenue and life exerting harmful impacts on the critical infrastructures. (Cyberspace threats and vulnerabilities; How secure are your information systems)
The capability of the enemies to attack the cyber space from unlimited distances simultaneously hiding their identity, location and path of entry, increased the concern manifold. The global nature of the cyberspace increased the efficacy of the means used by the enemies and no more limited the protective security measures only to the geographical bounders. This made availability of the vulnerability to everyone, every where, those have the willingness and capability for exploitation. The increasing number and wide range of consumers of information system posed complex challenge for the management of threat and vulnerability in the cyberspace. The federal government felt the need for action on multiple levels in view of interconnection of millions of devices by the World Wide Web.
The problem of vulnerability of cyberspace is focused on five critical levels. The computers of home users and small business concerns are identified as first level targets that are susceptible to cyber attacks. Even though these are not considered to be the key infrastructure of the Nations, but the vulnerability of accessing the key infrastructure making the undefended home computer connected with a digital subscriber line or cable connection, as the medium without the knowledge of its owner is the matter of prime concern. These machines are utilized by the malicious third party adversaries for launching of the denial of service (DoS) attacks on key networked nodes, key infrastructures and enterprises. Next to Home and small business users the Large Enterprises like corporations, government agencies and universities constitute the second level those are vulnerable to cyber…