INFORMATION SECURITY

HISTORY
§   The history of information security begins with the concept
    of computer security
§   The need for computer security arose during World War II
    when the first mainframe computers were developed and
    used to aid computations for breaking communication codes
    in messages from enemy cryptographic devices like the Enigma
§   Multiple levels of security were implemented to protect these
    devices and the missions they served. This required new
    processes as well as tried-and-true methods needed to
    maintain data confidentiality

Security
§   Security is protection
§   Protection from adversaries—those who would do harm,
    intentionally or otherwise—is the ultimate objective of
    security
§   National security is a multilayered system that protects the
    sovereignty of a state, its assets, its resources, and its people
§   A successful organization should have multiple layers of
    security in place to protect its operations, physical
    infrastructure, people, functions, communications, and
    information

Information Security
§   The Committee on National Security Systems (CNSS) defines
    it as the protection of information and its critical elements,
    including the systems and hardware that use, store, and
    transmit the information
§   Includes the broad areas of information security
    management, data security, and network security

The C.I.A. Triad (Confidentiality, Integrity, Availability)
§   The standard for computer security in both industry and
    government since the development of the mainframe

Confidentiality
§   Information has confidentiality when it is protected from
    disclosure or exposure to unauthorized individuals or
    systems.
§   Ensures that only users with the rights, privileges, and need to
    access information are able to do so
§   When unauthorized individuals or systems view information,
    its confidentiality is breached.

SEVERAL MEASURES TO PROTECT THE CONFIDENTIALITY OF
INFORMATION
    •  Information classification
    •  Secure document storage
    •  Application of general security policies
    •  Education of information custodians and end users

Integrity
§   Information has integrity when it is whole, complete, and
    uncorrupted
§   The integrity of information is threatened when it is exposed
    to corruption, damage, destruction, or other disruption of its
    authentic state
§   Corruption can occur while information is being stored or
    transmitted. Many computer viruses and worms are designed
    with the explicit purpose of corrupting data. For this reason, a
    key method for detecting a virus or worm is to look for
    changes in file integrity, as shown by the file size
§   Another key method of assuring information integrity is file
    hashing, in which a file is read by a special algorithm that
    uses the bit values in the file to compute a single large
    number called a hash value. The hash value for any
    combination of bits is unique.

Availability
§   Availability enables authorized users—people or computer
    systems—to access information without interference or
    obstruction and to receive it in the required format
§   Example: research libraries that require identification before
    entrance. Librarians protect the contents of the library so that
    they are available only to authorized patrons. The librarian
    must accept a patron’s identification before the patron has
    free access to the book stacks. Once authorized patrons have
    access to the stacks, they expect to find the information they
    need in a usable format and familiar language

BALANCING INFORMATION SECURITY AND ACCESS
§   Information security cannot be absolute: it is a process, not a
    goal.
§   To achieve balance—that is, to operate an information
    system that satisfies the user and the security professional—
    the security level must allow reasonable access, yet protect
    against threats.

APPROACHES TO INFORMATION SECURITY IMPLEMENTATION
Bottom-up approach
§   A method of establishing security policies and/or practices
    that begins as a grassroots effort in which systems
    administrators attempt to improve the security of their
    systems.
§   The key advantage of the bottom-up approach is the technical
    expertise of individual administrators.
§   These administrators possess in-depth knowledge that can
    greatly enhance the development of an information security
    system. They know and understand the threats to their
    systems and the mechanisms needed to protect them
    successfully.
§   The bottom-up approach seldom works because it lacks
    critical features such as participant support and
    organizational staying power

Top-down approach
§   A methodology of establishing security policies and/or
    practices that is initiated by upper management
§   It is initiated by upper-level managers who issue policies,
    procedures, and processes; dictate the goals and expected
    outcomes; and determine accountability for each required
    action
§   The most successful kind of top-down approach also involves
    a formal development strategy known as a systems
    development life cycle.

SECURITY IN THE SYSTEMS DEVELOPMENT LIFE CYCLE
§   Information security should be implemented into every major
    system in an organization.
§   One approach for implementing information security into an
    organization’s information systems is to ensure that security
    is a fundamental part of the organization’s systems
    development life cycle (SDLC).
§   Each organization has a unique set of needs when it comes to
    how it might develop information (and security) systems.

SECURITY SYSTEM DEVELOPMENT LIFE CYCLE (SSDLC)
§   A framework used to manage the development, maintenance,
    and retirement of an organization’s information security
    systems
§   Defined as the set of procedures that are executed in a
    sequence in the software development cycle (SDLC).
§   Designed such that it can help developers to create software
    and applications in a way that reduces the security risks at
    later stages significantly from the start.

DISADVANTAGES OF USING THE SECURITY SYSTEM
DEVELOPMENT LIFE CYCLE (SSDLC) FRAMEWORK
Cost
§   It may require additional resources, such as security experts,
    to manage the process.
Time-consuming
§   The SSDLC is a cyclical process that involves multiple
    phases, which can be time-consuming to implement.
Complexity
§   The SSDLC process can be complex, especially for
    organizations that have not previously used this framework.
Limited Adaptability
§   The SSDLC is a predefined process, which is not adaptable to
    new technologies; it may require updating or revising to
    accommodate new technology.

SECURITY IN THE SYSTEMS DEVELOPMENT LIFE CYCLE
PHASES
System Investigation
§   An Information Security Policy is defined which contains the
    descriptions of security applications and programs installed
    along with their implementations in the organization’s system
System Analysis
§   A detailed analysis of the documents from the
    System Investigation phase is done.
§   Upcoming threat possibilities are also analyzed.
§   Risk management comes under this process only
Logical Design
§   This phase deals with the development of tools and blueprints
    that are involved in various information security policies, their
    applications, and software.
§   Backup and recovery policies are also drafted in order to
    prevent future losses
Physical Design
§   Different solutions are investigated for any unforeseen issues
    which may be encountered in the future.
§   They are analyzed and written down in order to cover most of
    the vulnerabilities that were missed during the analysis phase
Implementation
§   The solution decided in earlier phases is made final whether
    the project is in-house or outsourced.
§   Proper documentation of the product is provided in order
    to meet the requirements specified for the project
Maintenance
§   After the implementation of the security program it must be
    ensured that it is functioning properly and is managed
    accordingly.
§   The security program must be kept up to date accordingly in
    order to counter new threats that can be left unseen at the
    time of design
ADVANTAGES OF USING THE SECURITY SYSTEM
DEVELOPMENT LIFE CYCLE (SSDLC) FRAMEWORK
Improved security
§   Organizations can ensure that their information security
    systems are developed, maintained and retired in a
    controlled and structured manner, which can help to improve
    overall security.
Compliance
§  The SSDLC can help organizations to meet compliance
   requirements, by ensuring that security controls are
   implemented to meet relevant regulations.
Risk management
§   The SSDLC provides a structured and controlled approach to
    managing information security risks, which can help to
    identify and mitigate potential risks.
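
The file-hashing integrity check described under Integrity, as an added example that is not part of the original notes: it records a baseline of file sizes and hash values, then shows that a same-size modification, which a file-size check misses, is still caught by the hash. SHA-256 is this example's choice of algorithm (the notes name none), and the file names and contents are constructed sample data.

```python
import hashlib
import os
import tempfile

def file_hash(path, chunk_size=65536):
    """SHA-256 hex digest of a file, read in chunks so large files fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def snapshot(root):
    """Map each file's path (relative to root) to a (size, hash) pair."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for full in (os.path.join(dirpath, f) for f in files):
            snap[os.path.relpath(full, root)] = (os.path.getsize(full), file_hash(full))
    return snap

def compare(baseline, current):
    """Classify differences between a known-good baseline and the current state."""
    report = {"missing": [], "added": sorted(set(current) - set(baseline)),
              "size_changed": [], "hash_only": []}
    for rel, (size, digest) in sorted(baseline.items()):
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel][0] != size:
            report["size_changed"].append(rel)
        elif current[rel][1] != digest:
            report["hash_only"].append(rel)   # same size, different content
    return report

def _write(root, name, data, mode="wb"):
    with open(os.path.join(root, name), mode) as fh:
        fh.write(data)

def demo():
    """Constructed sample tree: tamper with it, then report what each check catches."""
    with tempfile.TemporaryDirectory() as root:
        for name, data in {"payroll.csv": b"alice,5000\n", "notes.txt": b"hello\n",
                           "old.log": b"x\n"}.items():
            _write(root, name, data)
        baseline = snapshot(root)
        _write(root, "payroll.csv", b"alice,9000\n")    # same length, altered value
        _write(root, "notes.txt", b"appended\n", "ab")  # file grows
        os.remove(os.path.join(root, "old.log"))        # file deleted
        _write(root, "new.bin", b"\x00\x01")            # unexpected new file
        return compare(baseline, snapshot(root))
```

Calling `demo()` returns the report; the `hash_only` entry is the change a size comparison alone would not have flagged.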