MANAGING SECURITY OF INFORMATION

ITE 2 | Accounting Information System | Ablao. Andres. Callo. Magayano

Information Security Management

- Is an integrated, systematic approach that coordinates people, policies, standards, processes,
and controls used to safeguard critical systems and information from internal and external
security threats.

Information security

- Sometimes shortened to InfoSec, is the practice of preventing unauthorized access, use,
disclosure, disruption, modification, inspection, recording or destruction of information. It is a
general term that can be used regardless of the form the data may take (e.g. electronic,
physical).

Control over Data Integrity

- As a process, data integrity verifies that data has remained unaltered in transit from creation
to reception. As a state or condition, Data Integrity is a measure of the validity and fidelity of
a data object. As a function related to security, a data integrity service maintains information
exactly as it was inputted, and is auditable to affirm its reliability.
- Data integrity is the maintenance of, and the assurance of the accuracy and consistency
of, data over its entire life-cycle, and is a critical aspect to the design, implementation and
usage of any system which stores, processes, or retrieves data.
- Database security professionals employ any number of practices to assure data integrity,
including:
  - Data encryption, which locks data by cipher
  - Data backup, which stores a copy of data in an alternate location
  - Input validation, to prevent incorrect data entry
  - Data validation, to certify uncorrupted transmission
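The two validation practices above, as an added example that is not part of the original document: input validation rejects malformed entries before they are stored, and a keyed integrity tag computed at creation and checked at reception detects any alteration in transit. The key, the payment record fields and the accepted currencies are constructed assumptions for the demo.

```python
import hashlib
import hmac
import json

# Constructed demo key; a real system would load it from a key store.
KEY = b"demo-integrity-key-do-not-reuse"


def canonical(record: dict) -> bytes:
    """Serialize deterministically so sender and receiver hash identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(record: dict, key: bytes = KEY) -> dict:
    """At creation: attach an HMAC-SHA256 tag so later alteration is detectable.

    A plain hash would not do, because whoever changes the data could simply
    recompute it; the keyed tag can only be recomputed by a holder of the key.
    """
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify(envelope: dict, key: bytes = KEY) -> bool:
    """At reception: recompute the tag and compare it in constant time."""
    expected = hmac.new(key, canonical(envelope["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, envelope["tag"])


def validate_payment(record: dict) -> list:
    """Input validation: reject malformed entries before they are ever stored."""
    errors = []
    amount = record.get("amount")
    if isinstance(amount, bool) or not isinstance(amount, (int, float)) or amount <= 0:
        errors.append("amount must be a positive number")
    if record.get("currency") not in {"PHP", "USD"}:
        errors.append("currency must be PHP or USD")
    account = record.get("account")
    if not isinstance(account, str) or not account.isdigit():
        errors.append("account must be a numeric string")
    return errors


if __name__ == "__main__":
    # Constructed sample transaction for the demo.
    entry = {"account": "1001", "amount": 250.0, "currency": "PHP"}
    assert validate_payment(entry) == []
    sealed = seal(entry)
    print("intact record verifies:", verify(sealed))       # True
    tampered = {"record": dict(entry, amount=2500.0), "tag": sealed["tag"]}
    print("altered record verifies:", verify(tampered))    # False
```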

Control over Data Privacy

- Information privacy, or data privacy (or data protection), is the relationship between
collection and dissemination of data, technology, the public expectation of privacy, and
the legal and political issues surrounding them.
- Privacy concerns exist wherever personally identifiable information or other sensitive
information is collected, stored, used, and finally destroyed or deleted – in digital form or
otherwise. Improper or non-existent disclosure control can be the root cause for privacy
issues. Data privacy issues can arise in response to information from a wide range of
sources, such as:
  - Healthcare records
  - Criminal justice investigations and proceedings
  - Financial institutions and transactions
  - Biological traits, such as genetic material
  - Residence and geographic records
  - Ethnicity
  - Privacy breach
  - Location-based service and geolocation
  - Web surfing behavior or user preferences using persistent cookies

Control over Data Security

- Security controls are safeguards or countermeasures to avoid, detect, counteract, or minimize
security risks to physical property, information, computer systems, or other assets.
- They can be classified by several criteria. For example, according to the time that they act,
relative to a security incident:
  - Before the event, preventive controls are intended to prevent an incident from
occurring, e.g. by locking out unauthorized intruders;
  - During the event, detective controls are intended to identify and characterize an
incident in progress, e.g. by sounding the intruder alarm and alerting the security
guards or police;
  - After the event, corrective controls are intended to limit the extent of any damage
caused by the incident, e.g. by recovering the organization to normal working status
as efficiently as possible.
- According to their nature, for example:
  - Physical controls, e.g. fences, doors, locks and fire extinguishers;
  - Procedural controls, e.g. incident response processes, management oversight,
security awareness and training;
  - Technical controls, e.g. user authentication (login) and logical access controls,
antivirus software, firewalls;
  - Legal and regulatory or compliance controls, e.g. privacy laws, policies and
clauses.

INFORMATION SECURITY RISKS AND ATTACKS

Given the popularity of the Internet and mobile devices and the complexity of computer
technologies, important business information and IT assets are exposed to risks and attacks from
internal (such as disgruntled employees) and external parties (such as hackers, foreigners,
competitors, etc.). Some of the common information security risks and attacks include:

- Virus – a self-replicating program that runs and spreads by modifying other programs or
files.
- Worm – a self-replicating, self-propagating, self-contained program that uses networking
mechanisms to spread itself.
- Trojan horse – a non-self-replicating program that seems to have a useful purpose in
appearance, but in reality has a different malicious purpose.
- Ransomware – a type of malicious software designed to block access to a computer system
until a sum of money is paid.
- Spyware – software that enables a user to obtain covert information about another's
computer activities by transmitting data covertly from their hard drive.
- Spam – sending unsolicited bulk information.
- Botnet (bot) – a collection of software robots that overruns computers to act automatically in
response to the bot-herder's control inputs through the Internet.
- Denial-of-service (DoS) – the prevention of authorized access to resources (such as
servers) or the delaying of time-critical operations.
- Spyware – software that is secretly installed into an information system to gather information
on individuals or organizations without their knowledge.
- Spoofing – sending a network packet that appears to come from a source other than its
actual source.
- Social engineering – manipulating someone to take certain action that may not be in that
person's best interest, such as revealing confidential information or granting access to
physical assets, networks, or information.

CORE INFORMATION SECURITY PRINCIPLES

The three fundamental principles of security are availability, integrity, and confidentiality. They are
commonly referred to as the CIA or AIC triad, and together they form the main objective of any
security program.

CONFIDENTIALITY

- Ensures that the necessary level of secrecy is enforced at each junction of data processing
and prevents unauthorized disclosure. This level of confidentiality should prevail while data
resides on systems and devices within the network, as it is transmitted and once it reaches
its destination.
- Threat sources
  - Network monitoring
  - Stealing password files
  - Social engineering – one person posing as the actual
- Countermeasures
  - Encrypting data as it is stored and transmitted.
  - Implementing strict access control mechanisms and data classification.
  - Training personnel on proper procedures.

INTEGRITY

- Integrity of data is protected when the assurance of accuracy and reliability of information
and systems is provided, and unauthorized modification is prevented.
- Threat sources
  - Viruses
- Countermeasures
  - Strict access control

AVAILABILITY

- Availability ensures reliable and timely access to data and resources for authorized
individuals.
- Threat sources
  - Device or software failure.
  - Environmental issues like heat, cold, humidity, static electricity, and contaminants
can also affect system availability.
  - Denial-of-service (DoS) attacks.
- Countermeasures
  - Maintaining backups to replace the failed system.
  - IDS to monitor the network traffic and host system activities.
  - Use of certain firewall and router configurations.

Trade-off between cost of security and amount of security

A tradeoff is a situation that involves losing one quality or aspect of something in return for gaining
another quality or aspect. Speaking about the tradeoff between performance and security indicates
that both performance and security can be measured, and that to increase one, we have to pay in
terms of the other. While established metrics for the performance of systems exist, this is not quite
the case for security. The dilemma of inferior metrics can be solved by considering indirect metrics
such as the computation cost of security mechanisms.

In a perfect world you can get all of the best things in one place, but not in the real world. In software
development there are some basic trade-offs to consider for any specific design feature. Exploring
these considerations will help you to create the architecture that best matches the given
context.

Trade-off between security, usability, and cost. The fundamental tradeoff between security,
usability, and cost is extremely important to recognize. Yes, it is possible to have both security and
usability, but there is a cost, in terms of money, in terms of time, and in terms of personnel. It is
possible to make something both cost-efficient and usable, and making something secure and
cost-efficient is not very hard. However, making something both secure and usable takes a lot of
effort and thinking. Security takes planning, and it takes resources.

Usability vs. functionality. Studies revealed that most consumers will choose products that contain
many features, even though they know that product usability will be compromised. However, after
using these products, they will choose usability over features. This finding implies a dilemma for
product designers: they have to develop products that contain many features to boost initial sales,
but minimize features and increase usability to ensure repeat sales.
