DEPARTMENT NAME

Class: Batch:
Course code: Course Title:

UNIT I INFORMATION SECURITY 9

Information Security: Introduction – History – Security – Critical Characteristics of Information –
National Security Telecommunications and Information System Security Committee (NSTISSC) –
Security Model – Components of an Information System – Securing the Components – Balancing
Information Security and Access – The Systems Development Life Cycle – Security Professionals
and the Organization.

Information Security: Introduction:

Information security, often abbreviated as InfoSec, is a broad and critical field that encompasses
the protection of digital information from unauthorized access, disclosure, disruption, modification, or
destruction. As our world becomes increasingly digitized and interconnected, the importance of information
security has grown exponentially.

Information security is the practice of protecting information by mitigating information risks. It involves the
protection of information systems and the information processed, stored and transmitted by these systems
from unauthorized access, use, disclosure, disruption, modification or destruction. This includes the
protection of personal information, financial information, and sensitive or confidential information stored in
both digital and physical forms.

Why do we use information security?

We use information security to protect valuable information assets from a wide range of threats, including
theft, espionage, and cybercrime. Information security is necessary to ensure the confidentiality, integrity, and
availability of information, whether it is stored digitally or in other forms such as paper documents.

Uses of Information Security:

1. Confidentiality: Keeping sensitive information confidential and protected from unauthorized
access.
2. Integrity: Maintaining the accuracy and consistency of data, even in the presence of malicious
attacks.
3. Availability: Ensuring that authorized users have access to the information they need, when they
need it.
4. Compliance: Meeting regulatory and legal requirements, such as those related to data privacy and
protection.
5. Risk management: Identifying and mitigating potential security threats to prevent harm to the
organization.
6. Disaster recovery: Developing and implementing a plan to quickly recover from data loss or
system failures.
7. Authentication: Verifying the identity of users accessing information systems.
8. Encryption: Protecting sensitive information from unauthorized access by encoding it into a secure
format.
9. Network security: Protecting computer networks from unauthorized access, theft, and other types
of attacks.

Prepared By: Page 1


10. Physical security: Protecting information systems and the information they store from theft,
damage, or destruction by securing the physical facilities that house these systems.

Issues of Information Security:


Information security faces many challenges and issues, including:

1. Cyber threats: The increasing sophistication of cyber-attacks, including malware, phishing, and
ransomware, makes it difficult to protect information systems and the information they store.
2. Human error: People can inadvertently put information at risk through actions such as losing
laptops or smartphones, clicking on malicious links, or using weak passwords.
3. Insider threats: Employees with access to sensitive information can pose a risk if they
intentionally or unintentionally cause harm to the organization.
4. Legacy systems: Older information systems may not have the security features of newer systems,
making them more vulnerable to attack.
5. Complexity: The increasing complexity of information systems and the information they store
makes it difficult to secure them effectively.
6. Mobile and IoT devices: The growing number of mobile devices and internet of things (IoT)
devices creates new security challenges as they can be easily lost or stolen, and may have weak security
controls.
7. Integration with third-party systems: Integrating information systems with third-party systems
can introduce new security risks, as the third-party systems may have security vulnerabilities.
8. Data privacy: Protecting personal and sensitive information from unauthorized access, use, or
disclosure is becoming increasingly important as data privacy regulations become more strict.
9. Globalization: The increasing globalization of business makes it more difficult to secure
information, as data may be stored, processed, and transmitted across multiple countries with different
security requirements.

HISTORY:

1960s: Offline site security: Information security was limited to controlling access to the sites where computers
were kept, since computers were large and needed a great deal of space to house and operate. Multiple
layers of security were applied to terminals in the form of passwords and other security measures.

1970s: Evolution of the personal computer and of hackers: At this time there was no massive global network
connecting every device that wanted to be connected. Only large organizations, especially governments, were
starting to link computers via telephone lines, and people started to seek different ways to intercept the
information flowing through those telephone lines in order to steal data; these groups of people
became the first hackers.

1980s: Evolution of cybercrime: Hacking and other forms of cybercrime skyrocketed in this decade, with
people finding different ways to break into computer systems; with no strict regulation against
hackers, it became a booming craze among the young. Many government and military groups were on the receiving end
of these crimes, with losses of millions of dollars from U.S. banks, and in response the government
started pursuing the hackers.

1990s: “Hacking” becoming organized crime: After the World Wide Web was made available in 1989,
people started putting their personal information online; hackers saw this as a potential revenue source and
started to steal data from people and governments via the web. Firewalls and antivirus programs helped
protect against this, but the web was mostly unsecured, with hackers finding different ways to infiltrate
target devices.

2000s: Cybercrime becoming a serious issue: Hacking was not considered a serious issue in the late 1980s, but
as hacking and its dangers evolved, governments started chasing cyber criminals. Strong measures
were taken against cyber criminals, hackers were jailed for years as punishment for cyber-criminal activity,
and cyber security cells were formed to deal with issues involving any form of cybercrime.

2010s: Information security as we know it: Although measures in the form of firewalls and antivirus software
were designed to protect devices from attacks, hackers who were efficient and skilled enough were
able to breach systems anyway. Different cryptographic algorithms and encryption techniques are now
used to protect data over networks and other transmission media.

In the early 2000s, security threats continued to evolve, and organizations began to take a more proactive
approach to information security. Regulations such as the Sarbanes-Oxley Act (SOX) in the US and the Data
Protection Act (DPA) in the UK were introduced to encourage organizations to take information security
more seriously.

Security:

WHAT IS SECURITY?

Understanding the technical aspects of information security requires that you know the definitions of certain
information technology terms and concepts. In general, security is defined as “the quality or state of being
secure—to be free from danger.”

Security is often achieved by means of several strategies usually undertaken simultaneously or used in
combination with one another.

Specialized areas of security

• Physical security, which encompasses strategies to protect people, physical assets, and the
workplace from various threats including fire, unauthorized access, or natural disasters
• Personal security, which overlaps with physical security in the protection of the people within the
organization
• Operations security, which focuses on securing the organization’s ability to carry out its operational
activities without interruption or compromise
• Communications security, which encompasses the protection of an organization’s communications
media, technology, and content, and its ability to use these tools to achieve the organization’s
objectives

• Network security, which addresses the protection of an organization’s data networking devices,
connections, and contents, and the ability to use that network to accomplish the organization’s data
communication functions
• Information security includes the broad areas of information security management, computer and
data security, and network security.

Where is it used?

In governments, the military, financial institutions, hospitals, and private businesses, protecting confidential
information is a business requirement.

Information security components:

• Confidentiality
• Integrity
• Availability (CIA)

CIA Triangle

The C.I.A. triangle - confidentiality, integrity, and availability - has expanded into a more comprehensive list
of critical characteristics of information. At the heart of the study of information security is the concept of
policy. Policy, awareness, training, education, and technology are vital concepts for the protection of
information and for keeping information systems from danger.

CRITICAL CHARACTERISTICS OF INFORMATION

• Confidentiality
• Integrity
• Availability

• Privacy
• Identification
• Authentication
• Authorization
• Accountability
• Accuracy
• Utility
• Possession

Confidentiality:

Confidentiality of information ensures that only those with sufficient privileges may access certain
information. When unauthorized individuals or systems can access information, confidentiality is breached.
To protect the confidentiality of information, a number of measures are used:

• Information classification
• Secure document storage
• Application of general security policies
• Education of information custodians and end users

Example: a credit card transaction on the Internet.

Integrity:

Integrity is the quality or state of being whole, complete, and uncorrupted. The integrity of information is
threatened when it is exposed to corruption, damage, destruction, or other disruption of its authentic state.
Corruption can occur while information is being compiled, stored, or transmitted.

Integrity means that data cannot be modified without authorization.

E.g.: Integrity is violated when an employee deletes important data files, when a computer virus infects a
computer, when an employee is able to modify his own salary in a payroll database, when an unauthorized
user vandalizes a website, when someone is able to cast a very large number of votes in an online poll, and
so on.

Availability:

Availability is the characteristic of information that enables user access to information without interference
or obstruction and in a required format. A user in this definition may be either a person or another computer
system. Availability does not imply that the information is accessible to any user; rather, it means availability
to authorized users.

For any information system to serve its purpose, the information must be available when it is needed.

E.g.: High availability systems aim to remain available at all times, preventing service disruptions due to
power outages, hardware failures, and system upgrades.

Privacy:

The information that is collected, used, and stored by an organization is to be used only for the purposes
stated to the data owner at the time it was collected. This definition of privacy does not focus on freedom from
observation (the meaning usually associated with the word), but rather means that information will be used
only in ways known to the person providing it.

Identification:

An information system possesses the characteristic of identification when it is able to recognize individual
users. Identification and authentication are essential to establishing the level of access or authorization that
an individual is granted.

Authentication:

Authentication occurs when a control provides proof that a user possesses the identity that he or she claims.
In computing, e-business and information security it is necessary to ensure that the data, transactions,
communications or documents (electronic or physical) are genuine (i.e. they have not been forged or
fabricated).

Authorization:

After the identity of a user is authenticated, a process called authorization provides assurance that the user
(whether a person or a computer) has been specifically and explicitly authorized by the proper authority to
access, update, or delete the contents of an information asset.

Accountability:

The characteristic of accountability exists when a control provides assurance that every activity undertaken
can be attributed to a named person or automated process. For example, audit logs that track user activity on
an information system provide accountability.

Accuracy:

Information should have accuracy. Information has accuracy when it is free from mistakes or errors and it
has the value that the end user expects. If information contains a value different from the user’s expectations,
due to the intentional or unintentional modification of its content, it is no longer accurate.

Utility:

Information has value when it serves a particular purpose. This means that if information is available, but not
in a format meaningful to the end user, it is not useful. Thus, the value of information depends on its utility.

Possession:

Possession of information is the quality or state of having ownership or control of some object
or item.
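
The characteristics above are easiest to see together in running code. The following Python program is an added example written for these notes, not code from the original document: it models identification (a known user name), authentication (a salted password hash compared in constant time), authorization (an access-control list), accountability (an audit log entry for every attempt, granted or not) and integrity (a keyed digest over each stored asset, which fails when the stored bytes are edited behind the system's back, as in the payroll example above). The user names, passwords, asset name and access rules are constructed sample data.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

# --- Identification and authentication -------------------------------------
# Constructed user table (hypothetical). Passwords are stored as salted
# PBKDF2 hashes, so a copied table reveals no passwords.
USERS = {}

def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def register_user(name, password):
    salt = secrets.token_bytes(16)
    USERS[name] = {"salt": salt, "hash": _hash_password(password, salt)}

def authenticate(name, password):
    """Identification: is the name known? Authentication: does the caller prove it?"""
    record = USERS.get(name)
    if record is None:
        return False
    # Constant-time comparison, so timing reveals nothing about the stored hash.
    return hmac.compare_digest(record["hash"], _hash_password(password, record["salt"]))

# --- Authorization ---------------------------------------------------------
# Access-control list (constructed): (user, asset) -> actions that user may perform.
ACL = {
    ("alice", "payroll.csv"): {"read"},
    ("bob", "payroll.csv"): {"read", "write"},
}

# --- Integrity -------------------------------------------------------------
# Each stored asset carries a keyed digest (HMAC) computed with a key only the
# system holds; editing the bytes in storage without the key cannot produce a
# matching tag, so the tampering is detected on the next read.
INTEGRITY_KEY = secrets.token_bytes(32)
ASSETS = {}

def store_asset(name, content):
    ASSETS[name] = {"content": content,
                    "tag": hmac.new(INTEGRITY_KEY, content, "sha256").digest()}

def integrity_ok(name):
    asset = ASSETS[name]
    expected = hmac.new(INTEGRITY_KEY, asset["content"], "sha256").digest()
    return hmac.compare_digest(asset["tag"], expected)

# --- Accountability --------------------------------------------------------
# Append-only audit log: every attempt is attributed to the claimed user name,
# so activity can later be traced to a named person.
AUDIT_LOG = []

def access(name, password, asset, action):
    """Run the full chain of checks; returns (granted, reason)."""
    if not authenticate(name, password):
        outcome = (False, "authentication failed")
    elif action not in ACL.get((name, asset), set()):
        outcome = (False, "not authorized")
    elif asset not in ASSETS or not integrity_ok(asset):
        outcome = (False, "integrity check failed")
    else:
        outcome = (True, "granted")
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": name, "asset": asset, "action": action, "result": outcome[1],
    })
    return outcome

if __name__ == "__main__":
    register_user("alice", "correct horse battery")
    register_user("bob", "hunter2-but-longer")
    store_asset("payroll.csv", b"alice,5000\nbob,5200\n")
    print(access("alice", "correct horse battery", "payroll.csv", "read"))   # granted
    print(access("alice", "wrong password", "payroll.csv", "read"))         # authentication failed
    print(access("alice", "correct horse battery", "payroll.csv", "write"))  # not authorized
    # An employee edits the stored bytes directly (the "modify his own salary" case).
    ASSETS["payroll.csv"]["content"] = b"alice,9999\nbob,5200\n"
    print(access("bob", "hunter2-but-longer", "payroll.csv", "read"))        # integrity check failed
    for entry in AUDIT_LOG:
        print(entry)
```

Note that the audit log records the claimed user name even when authentication fails; a log that only recorded successful access would leave the failed attempts, which are exactly what an investigator wants to see, unattributed.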

NSTISSC SECURITY MODEL

The model is defined in a ‘National Security Telecommunications & Information Systems Security Committee’ document.

It is now called the National Training Standard for Information Security Professionals.

The NSTISSC Security Model provides a more detailed perspective on security.

While the NSTISSC model covers the three dimensions of information security, it omits discussion of
detailed guidelines and policies that direct the implementation of controls.

Another weakness of using this model with too limited an approach is to view it from a single perspective.

• The three dimensions of each axis become a 3x3x3 cube with 27 cells representing areas that must be
addressed to secure today’s information systems.
• To ensure system security, each of the 27 cells must be properly addressed during the security
process.
• For example, the intersection between the technology, integrity and storage areas requires a control or
safeguard that addresses the need to use technology to protect the integrity of information while
in storage.
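
To make the 27-cell idea concrete, here is an added Python example (not from the notes or from the NSTISSC document) that enumerates the cube and reports which cells no control addresses. The axis labels (confidentiality/integrity/availability, storage/processing/transmission, technology/policy/education) are an assumption taken from the McCumber model on which the standard is based; the notes themselves name only technology, integrity and storage. The control register is constructed sample data.

```python
from collections import Counter
from itertools import product

# The three axes of the cube (axis labels assumed from the McCumber model).
CHARACTERISTICS = ("confidentiality", "integrity", "availability")
STATES = ("storage", "processing", "transmission")
MEASURES = ("technology", "policy", "education")

def all_cells():
    """All 27 (characteristic, state, measure) cells of the 3x3x3 cube."""
    return list(product(CHARACTERISTICS, STATES, MEASURES))

def validate_cell(cell):
    """Reject anything that is not a real cell, so a typo cannot silently 'cover' nothing."""
    characteristic, state, measure = cell
    if characteristic not in CHARACTERISTICS or state not in STATES or measure not in MEASURES:
        raise ValueError(f"not a cell of the cube: {cell}")
    return cell

# Constructed control register (hypothetical): control name -> cells it addresses.
CONTROLS = {
    "full-disk encryption on laptops": [("confidentiality", "storage", "technology")],
    "TLS on every external connection": [("confidentiality", "transmission", "technology"),
                                         ("integrity", "transmission", "technology")],
    "checksummed backups with restore tests": [("integrity", "storage", "technology"),
                                               ("availability", "storage", "technology")],
    "redundant WAN links": [("availability", "transmission", "technology")],
    "data classification policy": [("confidentiality", s, "policy") for s in STATES],
    "change-management policy": [("integrity", s, "policy") for s in STATES],
    "phishing awareness training": [("confidentiality", "processing", "education")],
    "clean-desk training": [("confidentiality", "storage", "education")],
}

def coverage(controls):
    """Map each covered cell to the list of controls that address it."""
    covered = {}
    for name, cells in controls.items():
        for cell in cells:
            covered.setdefault(validate_cell(tuple(cell)), []).append(name)
    return covered

def gaps(controls):
    """Cells of the cube that no control addresses, in cube order."""
    covered = coverage(controls)
    return [cell for cell in all_cells() if cell not in covered]

def gaps_by_characteristic(controls):
    """Number of uncovered cells per characteristic; shows which property is neglected."""
    counts = Counter(cell[0] for cell in gaps(controls))
    return {c: counts.get(c, 0) for c in CHARACTERISTICS}

def report(controls):
    """Human-readable gap list plus a coverage summary line."""
    uncovered = gaps(controls)
    lines = ["UNCOVERED: %-15s / %-12s / %s" % cell for cell in uncovered]
    lines.append(f"{27 - len(uncovered)} of 27 cells covered")
    return "\n".join(lines)

if __name__ == "__main__":
    print(report(CONTROLS))
    print(gaps_by_characteristic(CONTROLS))
```

With the sample register the availability row is the weakest (seven of its nine cells have no control), which is the kind of single-perspective blind spot the cube is meant to expose: a programme built only around confidentiality controls can look complete from that one axis and still leave most of the cube empty.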

COMPONENTS OF AN INFORMATION SYSTEM

• An information system is a combination of hardware, software and telecommunication
networks that people build to collect, create and distribute useful data, typically in an
organization. It defines the flow of information within the system.
• The objective of an information system is to provide appropriate information to the user: to gather
the data, process the data and communicate information to the user of the system.

The components of an information system are:

• Software
• Hardware
• Data
• People
• Procedures
• Networks

Software:
The software components of an IS comprise applications, operating systems, and assorted command
utilities.
Software programs are the vessels that carry the lifeblood of information through an organization.
They are often created under the demanding constraints of project management, which limit time, cost, and
manpower.

Hardware:
Hardware is the physical technology that houses and executes the software, stores and carries the data, and
provides interfaces for the entry and removal of information from the system.

• Physical security policies deal with hardware as a physical asset and with the protection of these physical
assets from harm or theft. Applying the traditional tools of physical security, such as locks and keys, restricts
access to and interaction with the hardware components of an information system.

• Securing the physical location of computers and the computers themselves is important because a breach
of physical security can result in a loss of information. Unfortunately, most information systems are built on
hardware platforms that cannot guarantee any level of information security if unrestricted access to the
hardware is possible.

Data:
• Data stored, processed, and transmitted through a computer system must be protected.
• Data is often the most valuable asset possessed by an organization and is the main target of intentional
attacks.
• Data is the raw, unorganized, discrete (separate, isolated), potentially useful facts and figures that are later
processed (manipulated) to produce information.

People:
There are many roles for people in information systems. Common ones include:
• Systems Analyst
• Programmer

• Technician
• Engineer
• Network Manager
• MIS (Manager of Information Systems)
• Data entry operator

Procedures:
A procedure is a series of documented actions taken to achieve something. A procedure is more than a single
simple task. A procedure can be quite complex and involved, such as performing a backup, shutting down a
system, patching software.

Networks:

When information systems are connected to each other to form local area networks (LANs), and these
LANs are connected to other networks such as the Internet, new security challenges rapidly emerge.

Steps to provide network security are essential, as is the implementation of alarm and intrusion systems to
make system owners aware of ongoing compromises.

SECURING COMPONENTS:

Protecting the components from potential misuse and abuse by unauthorized users.

Subject of an attack: the computer is used as an active tool to conduct the attack.

Object of an attack: the computer itself is the entity being attacked.

Two types of attacks:

1. Direct attack

2. Indirect attack

1. Direct attack

When a hacker uses his own computer to break into a system. [The attack originates from the threat itself.]

2. Indirect attack

When a system is compromised and used to attack other systems.

[The attack originates from a system or resource that itself has been attacked, and is malfunctioning or working under
the control of a threat.]

A computer can, therefore, be both the subject and object of an attack when, for example, it is first the object
of an attack and then compromised and used to attack other systems, at which point it becomes the subject of
an attack.

BALANCING INFORMATION SECURITY AND ACCESS

• The system has to provide security while still keeping the information accessible for its intended use.
• Information security cannot be an absolute: it is a process, not a goal.
• It should balance protection and availability.

Approaches to Information Security Implementation

• Bottom-up approach.

• Top-down approach
  • Has a higher probability of success.
  • The project is initiated by upper-level managers who issue policy, procedures and processes.
  • They dictate the goals and expected outcomes of the project.
  • They determine who is suitable for each of the required actions.

THE SYSTEMS DEVELOPMENT LIFE CYCLE (SDLC):

SDLC Waterfall Methodology

SDLC is a methodology for the design and implementation of an information system in an organization.

A methodology is a formal approach to solving a problem based on a structured sequence of procedures.

SDLC consists of 6 phases.

Investigation:

• It is the most important phase and it begins with an examination of the event or plan that initiates the
process.
• During this phase, the objectives, constraints, and scope of the project are specified.
• At the conclusion of this phase, a feasibility analysis is performed, which assesses the economic,
technical and behavioral feasibilities of the process and ensures that implementation is worth the
organization’s time and effort.

Analysis:

• It begins with the information gained during the investigation phase.
• It consists of assessments (quality) of the organization, the status of current systems, and the capability to
support the proposed systems.
• Analysts begin by determining what the new system is expected to do, and how it will interact with
existing systems.
• This phase ends with the documentation of the findings and an update of the feasibility analysis.

Logical Design:

• In this phase, the information gained from the analysis phase is used to begin creating a systems solution
for a business problem.
• Based on the business need, applications are selected that are capable of providing needed services.
• Based on the applications needed, data support and structures capable of providing the needed inputs are
then chosen.
• In this phase, analysts generate a number of alternative solutions, each with corresponding strengths
and weaknesses, and costs and benefits.
• At the end of this phase, another feasibility analysis is performed.

Physical design:

• In this phase, specific technologies are selected to support the solutions developed in the logical
design.
• The selected components are evaluated based on a make-or-buy decision.
• Final designs integrate various components and technologies.

Implementation:

• In this phase, any needed software is created.
• Components are ordered, received and tested.
• Afterwards, users are trained and supporting documentation created.
• Once all the components are tested individually, they are installed and tested as a system.
• Again a feasibility analysis is prepared, and the sponsors are then presented with the system for a
performance review and acceptance test.

Maintenance and change:

• It is the longest and most expensive phase of the process.
• It consists of the tasks necessary to support and modify the system for the remainder of its useful life
cycle.
• Periodically, the system is tested for compliance with business needs.
• Upgrades, updates, and patches are managed.
• As the needs of the organization change, the systems that support the organization must also change.
When a current system can no longer support the organization, the project is terminated and a new project is
implemented.

THE SECURITY SYSTEMS DEVELOPMENT LIFE CYCLE (SecSDLC):

The same phases used in the traditional SDLC can be adapted to support the implementation
of an information security project.
Sec SDLC phases:
Investigation:

• This phase begins with a directive from upper management, dictating the process, outcomes, and goals of
the project, as well as its budget and other constraints.
• Frequently, this phase begins with an enterprise information security policy, which outlines the
implementation of a security program within the organization.
• Teams of responsible managers, employees, and contractors are organized.
• Problems are analyzed.
• The scope of the project, as well as specific goals and objectives, and any additional constraints not covered
in the program policy, are defined.
• Finally, an organizational feasibility analysis is performed to determine whether the organization has the
resources and commitment necessary to conduct a successful security analysis and design.

Analysis:

• In this phase, the documents from the investigation phase are studied.
• The development team conducts a preliminary analysis of existing security policies or programs, along
with that of documented current threats and associated controls.
• The risk management task also begins in this phase.

Risk management is the process of identifying, assessing, and evaluating the levels of risk facing the
organization, specifically the threats to the organization’s security and to the information stored and
processed by the organization.

Logical design:

• This phase creates and develops the blueprints for information security, and examines and implements
key policies.
• The team plans the incident response actions.
• Plans the business response to disaster.
• Determines the feasibility of continuing and outsourcing the project.

Physical design:

• In this phase, the information security technology needed to support the blueprint outlined in the logical
design is evaluated.
• Alternative solutions are generated.
• Designs for physical security measures to support the proposed technological solutions are created.
• At the end of this phase, a feasibility study should determine the readiness of the organization for the
proposed project.
• At this phase, all parties involved have a chance to approve the project before implementation begins.

Implementation:

• Similar to the traditional SDLC.
• The security solutions are acquired (made or bought), tested, implemented, and tested again.
• Personnel issues are evaluated and specific training and education programs are conducted.
• Finally, the entire tested package is presented to upper management for final approval.

Maintenance and change:

Constant monitoring, testing, modification, updating, and repairing to meet changing threats are done
in this phase.

Security Professionals and the organization :

A security professional is someone responsible for protecting the networks, infrastructure and systems of a
business or organisation.

Senior management: the Chief Information Officer (CIO) is responsible for

• Assessment
• Management
• And implementation of information security in the organization

Information Security Project Team:

Champion:

• Promotes the project
• Ensures its support, both financially and administratively.

Team Leader:

• Understands project management
• Personnel management
• And information security technical requirements.

Security policy developers:

• Individuals who understand the organizational culture,
• existing policies
• Requirements for developing and implementing successful policies.

Risk assessment specialists:

• Individuals who understand financial risk assessment techniques.
• The value of organizational assets and the security methods to be used

Security Professionals:

• Dedicated, trained, and well-educated specialists in all aspects of information security from both a
technical and non-technical standpoint.

System Administrators: Administering the systems that house the information used by the organization.

End users:

Data Owners:

• Responsible for the security and use of a particular set of information.

• Determine the level of data classification
• Work with subordinate managers to oversee the day-to-day administration of the data.

Data Custodians:

• Responsible for the storage, maintenance, and protection of the information.
• Overseeing data storage and backups
• Implementing the specific procedures and policies.

Data Users (End users):

• Work with the information to perform their daily jobs supporting the mission of the organization.
• Everyone in the organization is responsible for the security of data, so data users are included here as
individuals with an information security role.
