Title: Information Security
Description: The notes describe an introduction to information security. They also describe various types of information security.
K
...
Wagh Polytechnic, Nasik-3
Department of Information Technology
Chapter 1: Introduction to Information Security
Information is the vital part of any organization. It can be divided into three parts:
1) Data: brings together all kinds of information that can be stored
(such as personal data, customer-related data, accounting, etc.)
2) Knowledge: Aspects that are not immaterial but brought in by experienced
employees
3) Action: This is to send information to someone or something through the
information system [IS = data + users & methods]
Need and Importance of Information:
Today we live in the Information Age, mainly because of advances in computer
and communications technology, that is, information and communication
technology (ICT)
...
A new dimension is also present: emerging ‘mobile workers’ who work away from
their offices
...
IS have now become an inseparable part of business organizations, as shown
in the figure:
Nowadays large organizations prefer global business.
To enable this, large organizations should have complex management support
systems and global communications to control their supply chains
...
Information technology (IT) facilitating global coordination of
organizations is today recognized as a key component of competitive strategy
...
To sustain the pressures from business and to satisfy the decision making
requirements in today’s dynamic environment, the nature of modern IS is such that
they call for intensive and complex interaction between physically remote but
interdependent units
...
M
...
Karande (I/C HOD-IF)
An information system (IS) is a set of interrelated components that collect (or retrieve),
process, store and distribute information to support decision-making and control in
an organization
IS accept data from their environment and manipulate the data to produce
information that is used to solve a problem or address a business need
...
Information Classification
Generally organizations like to classify their information for suitable treatment in
terms of Information security
...
Some data are more valuable to the people who make strategic decisions (senior
management) because they aid them in making long-range or short-range business
direction decisions
...
Thus it is obvious that information classification provides a higher,
enterprise-level benefit
...
Information classification is well established in government sector and is primarily
used to prevent the unauthorized disclosure and the resultant failure of
confidentiality
...
Classification of information and information assets helps organizations to apply
security policies and security procedures toward protection of information assets that
are considered critical
...
2) It helps identify which information is most sensitive or vital to an organization
...
7) The data owners are responsible for defining the sensitivity level of the data
...
Information Security (17518)
Prepared By: Ms
...
S
...
The public
release of this information does not violate confidentiality
...
Answers to
tests are an example of this kind of information; e.g. consider the health care
information of a hospital
...
The
unauthorized disclosure of this information could cause damage to the
country’s national security
...
4) Secret: Information that is designated to be of a secret nature
...
5) Top Secret: This is the highest level of information classification (e
...
information in defense organizations)
...
6) The organizations make data available to those concerned on a ‘need-to-know’ basis
...
However if it is disclosed, it is not expected to seriously or adversely impact
the company
...
This information is protected from a loss of confidentiality as well as
from a loss of integrity owing to an unauthorized alteration
...
e considered of a personal nature
and is intended for company use only
...
Criteria for Information Classification
1) Value: It is the most commonly used criterion for classifying data in the
private sector
...
2) Age: The classification of the information may be lowered if the information’s
value decreases over time
...
3) Useful Life: If the information has been made obsolete owing to new
information, substantial changes in the company or other reasons, the
information can often be declassified
...
Investigative information that
reveals informant names may need to remain classified
...
Security
Security is the method which makes the accessibility of information or system
more reliable
...
Security layers:
To protect any organization, the following multiple layers of security are
important
...
Personal Security: It will protect the individual users or groups in the
organization who are authorized to use operations and organization
...
Network Security: It will protect networking components like routers, bridges,
connections, contents, etc.
...
It contains
management information security, computer and data security and network
security
...
The Three Pillars of Information Security
Confidentiality
Integrity
Availability
The following three concepts are considered the pillars of infosec. All of the
infosec controls and safeguards, and all the threats, vulnerabilities and
security processes, are subject to this CIA yardstick
...
Loss of confidentiality can occur in many ways such as through the
intentional release of private company information or through a
misapplication of network rights
2) Integrity: The concept of integrity ensures that
a
...
b
...
The data are internally and externally consistent, i
...
3) Availability: The concept of ‘availability’ ensures the reliable and timely
access to data or computing resources by the appropriate personnel
...
Basic Principles of Information System Security
These security goals are key requirements for security and are also known as the
“Pillars of Information Security”
...
Defense-in-depth is the concept of protecting information assets and the system
with a series of defensive mechanisms in such a way that if one mechanism fails,
another will already be in place to stop an attack
...
An operating system
A communication system
Organization staff, structure, policies, procedures etc as a collection
...
Need of security
Nowadays information security is an emerging field because of the wide use of
computers in day-to-day life
...
It is very important to protect a system or network from unauthorized access or
modification, such as insertion or deletion of some part of the information.
Security means the protection of information or data in some form from unauthorized
use
...
1) Protect the organization’s ability to function:
It is the responsibility of both IT management and general management to
implement information security which protects the organizational ability to
function
...
Than technology for eg
...
Policy and its implementation are more important in information security than
the technology that implements it
...
2) Enables Safe Operations of Applications:
...
These applications are very important for the organization's
infrastructure, like email, messaging applications, OS platforms, etc.
...
Such applications can either be purchased or developed by the organization
itself
...
3) Protecting Data that Organizations Collect and Use
Data is the most important factor of any organization; without it the
organization loses its records of transactions, customers, etc.
...
Valuable data attracts attackers who want to steal or corrupt it; hence the
protection of data in motion or at rest is important for information
security
...
4) Safeguarding Technology Assets in Organizations:
To work effectively, an organization should add secure infrastructure
services
...
When an organization grows it must develop additional security services; e.g.
organizational growth could lead to public key infrastructure (PKI), which
involves the use of digital certificates to ensure the confidentiality of
Internet communications and transactions
...
Data Obfuscation:
It involves protection of sensitive information with techniques other than
encryption
...
Protecting credit card numbers, medical data and other sensitive information has
become more important
...
They
also must be reasonably secure, that is, they must not be easily decrypted without
the proper key
...
Data obfuscation makes the data unusable by some means, but is not
considered a serious form of encryption
...
This report may
be generated for an external auditor and contains sensitive information
...
The data need to be presented to the auditor, but in a way that allows the examination
of all data, so that only patterns in the data may be detected
...
He could obtain this by calling a customer service
representative at the insurance company that supplied the report and asking for the
real information
...
The importance of using pronounceable characters becomes very clear
...
To summarize data obfuscation: it would not be very difficult to decipher the
obfuscation scheme given enough data
...
2) Crisis: An abnormal situation that presents some extraordinarily high risks to a
business and that will develop into a disaster unless carefully managed
...
(Major Earthquake, Hurricane)
Crisis -> Disaster -> Catastrophe