Information security refers to the preservation of three very important aspects: Confidentiality, Integrity and Availability (CIA).
- Confidentiality: prevention of unauthorised disclosure of information.
- Integrity: assets can be modified only by authorised parties, or only in authorised ways.
- Availability: information and critical services are available when needed to meet the business requirements.
ISO/IEC 17799 says that "Information security is the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize return on investments and business opportunities".
Information is an indispensable asset of any business organisation. It exists in several forms, and it is vital to keep it safe and secure. Information security is mainly concerned with protecting information from various threats and vulnerabilities. This can be achieved by implementing a suitable set of controls. To ensure that the security needs of a business organisation are met, these controls should be well established. Careful planning and a detailed understanding are required in order to identify and select them. - http://17799-news.the-hamster.com/issue09-news2.htm
Need for Information Security
Information security is needed for legal compliance and to prevent damage to an organisation's reputation. Recently, the use of computers in business has increased greatly. Many companies now store and maintain business information on computers and use networks to communicate and share that information with their customers, suppliers and other business partners. Not all of the information held by a company is meant for public viewing, so it is important to maintain the confidentiality of business information. Therefore, a need arises to protect the information by implementing suitable information security controls and policies.
IT systems and networks are increasingly exposed to malicious attacks, and the number of computer crimes is rising day by day. Computer hacking, computer threats and vulnerabilities, and computer-assisted fraud are more common these days. The main objective of information security is to protect and enhance the value of the information. Information security has many business advantages. It enables reliable and secure exchange of information and, at the same time, supports efficient and effective delivery of services to customers and other business partners.
Information Security Assurance
Information security assurance is a term used to describe the internal management controls adopted by an organisation to maintain information security in its information systems. Information assurance therefore identifies the methods and measures that will be adopted to deliver the elements of the "CIA triad", together with related properties such as:
- Authentication - confirming the identity of the individual who undertook a transaction.
- Non-repudiation - the individual who undertook the transaction cannot subsequently deny it.
Introduction to client's information infrastructure
The Sirius Council Borough of Betelgeuse is still using a network design whose foundation was laid in the late 1980s. Though the design has become outdated, it has served its purpose and is now acting as a platform for new technologies that support high-speed, high-capacity communications. To deliver its services in the future, the Sirius Council Borough accredited CIAN Services to execute a network strategy based on the communications technologies used by the Council.
Analysing the plans the Council has developed to improve the quality of its services, it is expected that a high degree of technology support will be required to upgrade and renew the existing architecture and hardware. This is necessary because the method of communication has changed from paper-based to electronic.
Based on the given scenario, we are going to design the information security assurance plan for the Council. The information security assurance plan is developed with a clear understanding of the business needs and examining the existing network strategy of the Council. In particular, the following step-by-step approach is adopted to develop the information security assurance plan:
- Analysing the existing network infrastructure and the security policy.
- Identifying the information assets.
- Estimating risks, threats and vulnerabilities and creating the risk analysis table.
- Developing countermeasures to minimise the threats.
- Creating the Risk Assessment Plan.
- User training and awareness.
Information Lifecycle and Classification
In identifying and classifying the information and information systems, it is important to understand how the Council uses the information in its daily operations. For example, the Council has several service groups, each with its own information systems, such as a customer service desk, automatic call distribution and direct dial-in, chosen according to business requirements. It is also important to consider how the service groups share information with customers when assigning security priorities.
Therefore, after the assets have been identified, the information owners are determined; they are responsible for the regular monitoring and maintenance of the security of each asset. The basic idea behind classification is to ensure that information and other critical business data are protected consistently throughout the system. It also helps to focus controls and effort in an efficient and structured manner.
In order to estimate the time, money and effort needed to implement and maintain security policies, it is necessary to identify and assess the value of the assets. This is also vital in determining the level of security that should be implemented to safeguard each asset. Therefore, asset identification and classification is of critical importance in information security management.
Taking into account the above concepts, the assets can be classified into the following four types:
- Information assets.
- Software assets.
- Physical assets.
- Service assets.
An Information Asset is a definable piece of information, stored in any manner, which is recognised as 'valuable' to the organisation. The information which comprises an Information Asset may be little more than a prospect name and address file; or it may be the plans for the release of the latest in a range of products to compete with competitors. - http://www.yourwindow.to/information-security/gl_informationasset.htm
The Sirius Council Borough of Betelgeuse has a number of information assets that are valuable to the organisation, since they form part of the organisation's identity and hence require a high level of security. These include centrally maintained databases, group data marts, fax, etc. These assets cannot be replaced without cost, skill, time and resources, so it is necessary to keep them highly confidential.
Software assets include all the software applications installed and used by the organisation to deliver its services. We categorise them into two types: application software and system software.
Application software allows users to accomplish particular tasks and involves the integration of various other computer capabilities, such as business software, education software and information system databases. The application software of the Sirius Council Borough of Betelgeuse comprises a document management system, a call management system, a document image processing system, an expenditure management system and a geographic information system.
System software includes the files and programs that constitute the operating system and is responsible for running the application software.
Physical assets are items of economic, commercial or exchange value that have a tangible or material existence. In a business context, physical assets usually refer to cash, equipment, inventory and properties owned by the business. - http://www.investopedia.com/terms/p/physicalasset.asp
The equipment used by the Council for communication, storage and technical support of the system falls under this category. The Council uses communication equipment such as telephones, routers, switches and mobile telephony for the exchange of information. Storage equipment includes magnetic disks and tapes, and technical support is provided through cabling, electricity supply and air conditioning in the server rooms. All of these are considered physical assets of the Council.
The Council uses various service assets to provide services to its customers and to its employees, creating a healthy environment for business. These include LAN/WAN services, internet and intranet services, and voice and data networks.
It is the purpose of information security to identify the threats to information assets, the risks and the associated potential damage, and the safeguards required to protect them.
After identifying and classifying the assets, it is important to decide who should be assigned ownership of each asset in order to protect it. By assigning ownership we segregate duties and responsibilities, so that prevention, detection and recovery become easier for any asset. It also helps to provide effective access control and thereby implement security policies.
The information owner is responsible for maintaining the security of the asset and determining its value. Hence, it is important to identify and appoint the right owner for each asset. Since a single asset can be used by many users, it is essential that the information owner periodically monitors the accuracy and security of the asset. Therefore, a detailed analysis and understanding of how the assets are used by the organisation is needed.
Considering these issues, we have identified the information owners accordingly. Although this task is critical and important, the owners of the physical assets were identified comparatively easily. Since the MNSU provides all the basic networking infrastructure within the Council, most of the physical assets are assigned to it. Apart from the MNSU, the IT department is also assigned ownership of physical assets.
The information assets mainly consist of databases, which must be managed by someone who can maintain their consistency and confidentiality. The IT manager is therefore the owner of these assets, as he can handle them efficiently. As the services offered by the Council are already distributed among the service groups, we have decided that the respective managers will be the owners of the service assets.
Finally, the software asset owner is identified. Since the entire set of business rules is reflected in the software, the owner should maintain this asset accurately and preserve its confidentiality too.
The next major step is to assign values to the assets based on the three goals of security: confidentiality, integrity and availability of the information. These are the key factors in determining the adverse security impacts, which can be described in terms of loss or degradation of any of the three goals or a combination of them.
Brief descriptions of the security goals have already been given; we now rate the assets against these three factors on the basis of how much loss or degradation of each is permissible.
Confidentiality: All information and information systems that are sensitive to the organisation and not meant for public disclosure are rated 5 on the scale. In other words, these assets are solely meant for certain staff members within the Council and some customers.
Integrity: Integrity may be lost if information is improperly or illegally modified or altered. Assets are ranked for integrity on a scale of 1 to 5, where 5 indicates that the asset must be perfectly accurate and no loss or modification of information is allowed.
Availability: Unavailability of IT systems and services can affect the growth of the organisation. A rank of 5 indicates that the service or system must be available immediately, and a rank of 1 indicates that the asset should be available within a week.
Compliances and Regulations
ISO/IEC 27002:2005 is an information security management standard. It covers a very broad range of information, including all forms of communication data from digital data and email to faxes and telephone conversations. The standard was previously known as ISO/IEC 17799:2005. It provides guidelines for establishing a comprehensive information security management programme or improving current security practices. The council's