Security Information Is the Power. The Importance

Security

Information is the Power. The importance of collecting, storing, processing and communicating the relevant information presently is viewed as crucial in order to achieve success in almost all the fields be it business firms, individuals or organizations. An integrated set of components assisting collection, store, process and communication of information is termed as information system. Increasing dependence on information systems is noticed in order to excel in the respective fields of operation such as competing in the marketplace, supply services, augmentation of the personal lives etc. New capabilities have been introduced in the field of information systems with the advent of new technology for collection recording and processing of information. Recording and dissemination of information system is considered to have revolutionized with the invention of movable type in 15th century and creation of portable typewriter at the end of 19th century.

The census tabulator of Herman Hollerith, invented to process the United States 1890 census is still considered to be the first large-scale mechanized information system representing a major leap towards automation. This provided a major inspiration for developing computerized information system that led to use of UNIVAC-I, the first computer, by the U.S. Bureau of the Census in 1951. Its commercial use was explored by General Electric in 1954. In 1970s the advent of personal computers brought many advantages in the field of information system to small business concerns and individuals. Acceleration of the creation of an open global computer network is seen with the invention of World Wide Web in the early 1990s. This revolutionized the information system in the form of digital human communications by way of e-mail, electronic conferencing delivery of products and establishment of business transactions. (Annex to National Training Standard for information systems security (INFOSE) Professionals)

The information system presently being armed with new technologies and new inventions noticed to have supported diverse human activities exerting substantial influence over society. Information and knowledge is presently considered to be vital economic resources. However, along with the new opportunities that the information system is modified to cater to in the present days the newer technologies introduced also posed serious threats in the forms of unauthorized disclosure, modification, destruction of data. This has become a matter of serious concern of everybody warranting greater emphasis on information system security. Security in its generalized form is defined as warranty of liberation against the anticipated threats ensuring an environment of safety. Protection of the information system more particularly the data against unauthorized access, utilization, modification, deletion is covered under the scope of information system security.

Implementation of security controls rigorously calls upon the productivity of the personnel employed in the process of developing information system. Its restricted use hampers the vary purpose for which it is developed. The information system security management therefore, involves a striking balance between security and productivity. Securing a system thus involves consideration of vulnerabilities, threats, countermeasures and acceptable risks. Perfect security of the computerized information system is possible only by shutting down the system in the face of an attack which is neither feasible nor desirable. Seeking of system designs yielding reasonably secure operation in an anticipated threat environment has therefore, become the prime concern of security engineers. Emphasizing on reasonable security ensuring productivity of the personnel is the call of the day. (Annex to National Training Standard for information systems security (INFOSE) Professionals)

The information systems security necessarily involves protection of the three crucial features of information-confidentiality, integrity and availability. Confidentiality is barring of undue access of the undesirable elements to the information. Ensuring confidentiality is the prime objective of all security policy of information systems. This entails prescription of set of rules for determining and examining the authentication for gaining access to particular information by a particular person. Confidentiality signifies the enforcement of access control measures. The second feature of information - integrity more broadly data integrity indicates closest possible representation of reality by the data. Thus data integrity involves the scope of accuracy, relevancy, and completeness. Unauthorized modification, misinterpretation, deletion of data calls upon maintenance of data integrity.

Avoidance of data redundancy and promotion of accuracy and completeness is the essentials of data integrity. The information system security strives to ensure completeness, accuracy of the data in order to reflect the reality that it represents. The third feature of information is confirmation of its availability to the appropriate users. The information systems security must ensure its availability to the authorized persons. Thus the characteristics of confidentiality and integrity together give rise to the characteristics of availability. Viewing in this direction the prime motive of the information system security measures is to ensure maintenance of these three key features of information that is ensuring confidentiality, ensuring integrity of the information and ensuring availability of the information to the authorized users. All the security measures pertaining to information systems strive to maintain these three basic characteristics of information. (Annex to National Training Standard for information systems security (INFOSE) Professionals)

The attacks of terrorism on September 11, 2001 against United States exerting enormous impact on the Nation as a whole forced the federal government and the society in unison to reevaluate the efficacy of the prevailing security measures. The terrorist attack posed serious threats in the new dimensions in the United States revealing the presence of enemies targeting to damage the way of life, prepared to attack in own soil and resorting to unconventional methods for achieving their objectives. The operational aspects of business and government have completely changed with the revolutions in information technology in United States. The complete surrender of control over the economic processes in the fields of manufacturing, utilities, banking and communications to the networked computerized information systems enhanced dependence of the nation on cyberspace. (Cyberspace threats and vulnerabilities; How secure are your information systems)

This has benefited the economy in terms of low cost and higher productivity which exhibits continuously increasing trend towards enhanced dependence on networked systems. The trend predicts complete dependence of the economy and national security on information technology and information system very soon. It has been revealed that the reach of the network computers have crossed the boundaries of the cyberspace supporting the operations of almost all the sectors of the American economy in the fields of energy, transportation, finance and banking, information and telecommunications, public health, emergency services, water, chemical, defense industrial base, food, agriculture, and postal and shipping etc. The increasing dependence on cyberspace created anticipations of severe threats from the adversaries of more devastating effects than the physical attacks exerted on September, 11.

This warranted identification of vulnerability in the cyberspace and the need for devising newer security measures for protection against them. The threat has enormously increased with the following attack of 'NIMDA', the propagation of the computer virus infecting and invading the computers until gaining access and destroying files, in the process affecting 86,000 computers. The threat is also further enhanced with the fact of increasing sophistication of computer attack tools arming increasing number of assaulters day by day. There are anticipations of surveillance on Government, Research Centers, and private companies by the enemies during peace as a prelude of cyber strike mapping the information system, identifying key targets during confrontations. Devastating consequences of cyber attacks on information networks have been foreseen in terms of disruptions in crucial processes, loss of intellectual property, revenue and life exerting harmful impacts on the critical infrastructures. (Cyberspace threats and vulnerabilities; How secure are your information systems)

The capability of the enemies to attack the cyber space from unlimited distances simultaneously hiding their identity, location and path of entry, increased the concern manifold. The global nature of the cyberspace increased the efficacy of the means used by the enemies and no more limited the protective security measures only to the geographical bounders. This made availability of the vulnerability to everyone, every where, those have the willingness and capability for exploitation. The increasing number and wide range of consumers of information system posed complex challenge for the management of threat and vulnerability in the cyberspace. The federal government felt the need for action on multiple levels in view of interconnection of millions of devices by the World Wide Web.

The problem of vulnerability of cyberspace is focused on five critical levels. The computers of home users and small business concerns are identified as first level targets that are susceptible to cyber attacks. Even though these are not considered to be the key infrastructure of the Nations, but the vulnerability of accessing the key infrastructure making the undefended home computer connected with a digital subscriber line or cable connection, as the medium without the knowledge of its owner is the matter of prime concern. These machines are utilized by the malicious third party adversaries for launching of the denial of service (DoS) attacks on key networked nodes, key infrastructures and enterprises. Next to Home and small business users the Large Enterprises like corporations, government agencies and universities constitute the second level those are vulnerable to cyber attacks. Many such enterprises constitute parts of critical infrastructure and susceptible to attacks both for the data and power. (Cyberspace threats and vulnerabilities; How secure are your information systems)

Thirdly, forming of organizations of critical sectors or infrastructures in the sphere of economy, government or academics is positively viewed for counteracting the vulnerability of cyber attacks. Information Sharing and Analysis Centers (ISACs) created by such sectors for tracking cyber attacks sharing information on trends, identification of vulnerable factors and practices to counteract. This collaboration is also noticed to have produced shared institutions and mechanisms that resulted in vulnerabilities and cyber threats. Fourthly, some vulnerability are also viewed as national rather than limited to individual enterprises. Some key factors like threat to the protocols and routers used in internet, vulnerability of software and hardware products used nationwide, lack of trained personnel in cyber security are designated as the problems of national concern and needs coordinated approach. (Cyberspace threats and vulnerabilities; How secure are your information systems)

Finally, the vulnerability is considered as global. Internet is the network of networks spread beyond the national boundaries and its smooth operation is ensured by internationally shared standards. Susceptibility of the computers of one continent to the threats of cyber attacks has profound influence on the computers of another continent. It is therefore essential to entail international cooperation in addressing the issues of cyber security and sharing of information thereof. Warnings have been put forth by the Computer Emergency Response Team/Coordination Center that the incidents of cyber attacks are growing day by day at increasing rate and the matter of more concern is increase in numbers of vulnerabilities of the cyber attacks susceptible for exploitations by the attackers. Installations of network security devices are seen as panacea to counter act the vulnerabilities. (Cyberspace threats and vulnerabilities; How secure are your information systems)

However, it has been noticed that failures of the devices occur without its appropriate operation and without its regular updates and regular patching thus necessitating good security practices rather than its mere installation. The incidents of cyber attacks on home computers and computers of individual small enterprisers are common in United States that inflict lot of damages to the victims. This is used as a parameter to estimate the loss of relative damages at national level cyber attacks. The cyber attack in States is imminent in view of the prevailing conditions intending potential adversaries, wide availability of the means of cyber attack and existence of numerous and well-known vulnerabilities of the national information system.

Even though the efficacy of no single strategies can be viewed as complete solution for protecting the cyber space relentless efforts on the part of the Government for managing the risk and minimizing the inflicted damage is necessitated as a solution to the problem. The United States has seen identification of the potential risks in this regard by a Presidential Commission during 1997. First national plan addressing the problem was introduced during 2000. President Bush in the year 2001 prioritized the cyber security through an Executive Order and during 2002 all the federal cyber security agencies were consolidated and strengthened to constitute the proposed Department of Homeland Security. (Cyberspace threats and vulnerabilities; How secure are your information systems)

The cyberspace in United States constituted the nervous system of the critical physical infrastructures in key sectors such as agriculture, food, water, public health, emergency services, government, defense industrial base, information and telecommunication, energy, transportation, banking and finance, chemicals and hazardous materials, and postal and shipping. In view of this it is of utmost importance to ensure healthy functioning of the cyberspace, comprising of millions and millions of interconnected computers in order to ensure smooth functioning of the economy as well as national security. As the implementing component of the National Strategy for Homeland Security, the National Strategy to Secure Cyberspace is devised in the post September, 11th 2001, era in order to complement the National Strategy for the Physical Protection of Critical Infrastructures and Key Assets. (The National Strategy to Secure Cyber Space)

The strategy advanced with the prime objective of engaging and empowering every American the freedom from the danger of threats to the cyberspace under their ownership, operation, control and interaction. Securing the cyberspace posed serious strategic challenges necessitating collaborative effort from the government-federal, state and local as well as from private and sectors and American people. Since ownership of most of the key infrastructure and cyber space is vested with the private sectors and the technological support to the cyberspace is continuously being evolved from the private sectors being supplemented by the academic innovations, voluntary participations of government, industry, academia and non-governmental agency has been urged in the strategy for cyber security.

As an initiation of the process the development of the Strategy began with solicitations of views from public as well as private sectors. Comments of individuals and institutions were solicited by the President's Critical Infrastructure Protection Board after releasing the draft Strategy during September, 2002. The initiation of the strategy development process in this manner ensured nationwide awareness on the importance of the issue of cyber security, imbibing the feeling on every American of having a direct role in its development and ensuring their commitment to it. The Department of Homeland Security consisting of the agencies active in the line of cyber security was approved by the Congress empowering to undertake new missions to prevent and protect against cyber attacks. (The National Strategy to Secure Cyber Space)

Later, Congress passed the Cyber Security Research and Development Act with an objective of a multi-year effort for creation of secured technology for cyberspace and expansion of research and development in the field of cyber security as well as improving the skills of the personnel engaged in cyber security. The prime objective of the National Strategy to Secure Cyberspace is to generate awareness among the individuals and organizations nationwide about the need of cyber security and appropriate action in the direction of ensuring a secured cyberspace, implementation of regular processes for identification and counteraction of the cyber vulnerabilities. The strategy revolves around prioritization of five national agenda in the direction of ensuring cyber security necessitating voluntary participation of individuals and organizations nationwide.

The importance of quick identification, sharing of the information and prescribing method for the remedy is considered as the first priority under the Strategy for mitigation of the effects of cyber attacks. The strategy envisaged establishment of a National Cyberspace Security Response System involving public and private organizations devoted to analyzing, watching, warning, and diffusing information thereby facilitating remedial and restoration efforts. The National Cyberspace Security Response System is viewed as a collaborative architecture of private and public organizations under the coordination of the Department of Homeland Security with a view to analyzing, warning, managing incidents of national significance, promoting continuity in information systems of government as well as private sector infrastructures, expanding sharing of information across the organizations ensuring cyberspace security. (The National Strategy to Secure Cyber Space)

Involvement of the private sector Information Sharing and Analysis Centers is emphasized to fulfill the objective. A program for reduction of national cyberspace security threat and vulnerability constituted the second priority of the Strategy. The strategy urged for coordinated national efforts by government and private sectors in the direction of identification of the critical cyber vulnerability inherent in the information systems and explores their remedies in form of sharing of best practices, evaluation and implementation of new technologies, etc. Pursuing of a three part effort such as reduction of threats and dissuade malicious attackers through effective programs identifying and punishing them; identification and remediation of the existing vulnerabilities anticipated to inflict damages to the key infrastructures; and developing new systems with less vulnerability and evaluating the new technologies on the basis of its vulnerability, is the prime objective of the third agenda of the strategy. Attacks on cyberspace are considered as crimes and deserves similar prosecution as that of physical crimes.

However, the objective of threat reduction is something more than mere prosecution. Lessons learned from the cyber attacks on private sector organization need to be taken as a framework for future agenda in mastering the skills for counteracting the cyber attacks evaluating the present available tools for counteracting the attacks. The strategy under this agenda includes enhancement of law enforcement capabilities for preventing and prosecuting the malicious attackers; secure the mechanisms of the Internet by improving the security and resilience of key Internet Protocols, promoting improved Internet Routing, improving management of security of the Internet infrastructure; fostering of trusted Digital Control Systems and Supervisory Control and Data Acquisition Systems; Reduction and remediation of software vulnerabilities; understanding Infrastructure interdependency and improving physical security of cyber systems and telecommunications; prioritization of federal research and development agenda in the field of securing cyberspace; evaluation and securing the emerging technologies vulnerable to the cyber attacks, etc. (The National Strategy to Secure Cyber Space)

The Third Agenda under the strategy aims at providing a national cyberspace security Awareness and Training Program. This emphasizes on promotion of comprehensive national program aiming at equipping all citizens with the necessary skills to exert efforts in securing their own parts of cyberspace. It involves fostering of adequate training and education programs for creation of the security workforce in order to cater to the needs of national cyber security. This is also aimed at improving the efficacy of the available training programs on cyber security and promoting the support of private sector for certification of well coordinated and widely recognized personnel on cyber security. Securing the Cyberspace used by Government is the Fourth Agenda of the Strategy. Even if key infrastructures in cyberspace is being owned by private sectors, the key functionaries of government associated with cyberspace such as national defense, homeland security, emergency response, justice, health etc. cannot be undermined and necessitates security from the threats. (The National Strategy to Secure Cyber Space)

The agenda involves continuous assessment of the threats and vulnerabilities to the federal cyber systems; introduction of agency specific approaches involving identification of enterprise architectures, full assessment of the vulnerabilities and probing into the risks that are posed by them, implementation of security controls etc.; introduction of authentication process for ensuring secured system access; securing the federal wireless local area networks; improving security in Government outsourcing and procurements; devising criteria for review of security measures and certification thereof. It also aimed at encouraging the state and local governments through the Department of Homeland Security for consideration of implementing the IT security programs and increased association with ISACs of other counterparts.

The Fifth and Final Agenda of the Strategy are ensuring national security and international cyberspace security cooperation. The most unique nature of the cyber attacks stems from the fact of the capability of the attackers to hide their identities and attack from distances with lightning speeds. The malicious attackers attack their neighbors and the computers at thousands miles away at same speed and at similar magnitude. This entails the necessity of being capable of safeguarding the critical infrastructure from the attackers irrespective the location of its origination. Confining the security measures to national boundaries has not become sufficient to counteract the cyber threats. It therefore, entails international cooperation enabling sharing of information, reduction of vulnerabilities and dissuade malicious attacker. (The National Strategy to Secure Cyber Space)

The Agenda as a measure of ensuring America's national security involves strengthening of the counterintelligence efforts in cyberspace, improvisation of capabilities for attack attribution and prevention, improvisation of interagency coordination for rapid response to the cyber attacks. In the international arena it urges to work through the organization of international operation with a view to facilitating and promoting global security with the expansion of the concept beyond ones borders. It also necessitates developing of secured networks, working with Canada and Mexico constituting North America into a safe cyber zone. Promoting establishment of National and international watch and warning networks for finding out and prevention of cyber attacks, and encouraging other nations to propound comprehensive laws for prosecution of cyber crimes in consonance with the Council of Europe Conventions on Cyber crime. Thus the National Strategy to Secure Cyber Space addresses the issue of cyber security in terms of five priorities. The first priority emphasizes on improvisation of the capabilities for quick response to the cyber attacks and reduction of potential damages. The next three priorities are directed to reduce the threats to the cyberspace by reducing the vulnerabilities to the cyber attacks and the final priority emphasizes on the importance of the international cooperation and international management of the threats. (The National Strategy to Secure Cyber Space)

The post 9-11 era necessitated the United States to devise national policy for securing information system for critical infrastructure and emphasized the need for voluntary participation of public and private sectors in the fight against threats to information system. The national policy for combating the anticipated attacks on information systems and cyber space are guided by several organizing principles. First of all the protection of cyberspace against the apprehended threats and vulnerabilities necessitated collaborative national efforts from all sections and the responsibility of protecting cyberspace is not confined to the federal government alone. (National Policy and Guiding Principles)

Care must be taken to avoid antagonisms of the cyber security measures with the protection of privacy and civil liberties. The civil liberties must not be at stake in the name of the security measures. There must be striking balance between security and productivity along with ensuring privacy and liberty. The next guiding principle in devising regulations is to ensure free market forces to play major roles in providing major initiations in the sphere of cyber security. The principle of accountability and responsibility is ensured in devising the strategy. Ensuring flexibility catering to the changing needs of emerging technologies is the need of the strategy. The strategy to fight security threats should be a continuous process involving multi-year planning. (National Policy and Guiding Principles)

The information system security basically concerned with safeguarding and maintenance of the fundamental characteristics of information that is confidentiality, integrity and availability. The management of information systems security involves exertion of restraints categorized under physical, technical and administrative heads. Each of the controls may be sub-divided as preventive or detective. The preventive restraints are aimed at avoidance of the incidents of breach of security while the detective controls strive for identification of the vulnerabilities that caused the occurrence of the untoward incidents. Besides the security controls also includes deterrent, corrective and recovery measures. The deterrent controls dissuade the individuals from deliberate infringement of security principles in pain of prosecutions. The corrective controls strives in wiping out of the vulnerabilities that caused the violation of security laws while the recovery controls attempt for reestablishment of the lost resources and capabilities.