Question

Discuss the human safeguards that need to be put in place in order to secure organisational...

Discuss the human safeguards that need to be put in place in order to secure organisational systems. Provide examples. Write a one-page essay for this question. This is an information systems subject.
Answer #1

As computers and other digital tools become indispensable for business and commerce, they have become the target of more and more attacks. For a company or an individual to use a computing device with confidence, they must first be assured that the device is in no way compromised and that all communications have been secured. In this chapter, we will review the basic concepts of information systems security and discuss some steps that can be taken to mitigate security threats. We'll start with a review that focuses on how organizations can stay safe. Several different steps a company can take to improve security will be discussed. We will then review the security precautions that individuals can take to secure their personal computing environment.

Information Security Triad: Confidentiality, Integrity, Availability (CIA)

Confidentiality

When protecting information, we want to restrict access to those who are allowed to view it and prevent everyone else from learning anything about its contents. This is the essence of confidentiality. For example, federal law mandates that universities restrict access to private student information. The university must ensure that only those who are authorized to view grade records are granted access.

Integrity

Integrity is the assurance that the information accessed has not been altered and that it truly represents what is intended. Information integrity means that information truly represents its intended meaning, just as a person with integrity means that he or she believes what is said and consistently represents the truth. Integrity of information can be lost through malicious intent, such as when an unauthorized person deliberately alters something. An example of this is when a student hires a hacker to go into the university system and change a grade.

Integrity can also be lost unintentionally, such as when a power surge corrupts a file, or when someone accidentally deletes a file or enters false information.

Availability

Availability is the third part of the CIA triad. Availability means that information can be accessed and modified within a reasonable time frame. Depending on the type of information, the optimal time frame can mean different things. For example, a stock trader needs information to be available immediately, while a salesperson may be happy to get sales numbers in a report the next morning. Companies like Amazon.com require their servers to be available 24 hours a day, seven days a week. Other companies may not suffer if their web servers are down for a while.

Tools for information security

Encryption

An organization often needs to transfer information over the Internet or to external media such as a CD or flash drive. In these cases, even with proper authentication and access control, an unauthorized person may gain access to the data. Encryption is the process of encoding data in transmission or storage so that only authorized persons can read it. This encoding is accomplished by a computer program that encodes the plain text to be transmitted; the recipient then receives and decodes the cipher text (decryption). For this to work, both the sender and the recipient need to agree on the encoding method so that both parties can communicate properly. Both parties share the encryption key, enabling them to encode and decode each other's messages. This is called symmetric key encryption. This type of encryption is problematic because the key is available in two different places.

An alternative to symmetric key encryption is public key encryption. In public key encryption, two keys are used: a public key and a private key. To send an encrypted message, you obtain the recipient's public key, encode the message with it and send it. The recipient uses the private key to decode it. The public key can be given to anyone who wishes to send a message to the recipient. Each user needs a private key and a public key to secure messages. The private key is required to decrypt anything sent using the public key.

________________________________________

Sidebar: Password Security

Why not just use a simple user ID/password as a secure method of authentication? It turns out that this single-factor authentication is very easy to compromise. Good password policies should be implemented to ensure that passwords cannot be compromised. Below are some general policies that organizations should implement.

Require complex passwords. One of the reasons passwords are compromised is that they are easy to guess. A recent study found that the most popular passwords used in 2012 were password, 123456 and 12345678. [1] A password should not be a simple word, or a word that can be found in a dictionary. One of the first things a hacker will do to try to break a password is to try every word in the dictionary! Instead, a good password policy should require at least eight characters, at least one capital letter, a special character, and a number.

Change passwords regularly. Users need to change their passwords regularly. Users should change their passwords every sixty to ninety days, ensuring that any passwords that have been stolen or guessed cannot be used against the company.

Train employees not to give away passwords. One of the primary methods used to steal passwords is simply to ask users or administrators for them. Pretexting occurs when an attacker calls a helpdesk or security administrator and pretends to be a particular authorized user who is having trouble logging in. Then the attacker convinces the security person to reset the password by offering some personal information about the authorized user and telling the security person what to do. Another way to trick employees into giving up passwords is through e-mail phishing. Phishing occurs when a user receives an e-mail that appears to be from a trusted source, such as their bank or employer. In the e-mail, the user clicks on a link, arrives at a website that mimics the original website, and enters their ID and password, which are then captured by the attacker.

Backups

Another essential tool for information security is a comprehensive backup plan for the entire organization. Not only should the data on corporate servers be backed up, but also the personal computers used throughout the organization. A good backup plan should contain several components.

A complete understanding of organizational information resources. What information does the organization actually have? Where is it stored? Some data may be stored on the organization's servers, other data on users' hard drives, some in the cloud, and some on third-party sites. An organization must make a complete inventory of all the information that needs to be backed up and determine the best way to back it up.

Regular backups of all data. Based on how important the data is to the company, combined with the company's ability to replace any lost data

Organizations can choose from a variety of tools to ensure the confidentiality, integrity and availability of information. All of these tools can be used as part of the overall information security policy, which will be discussed in the next section.

Authentication

Authentication can be accomplished by identifying someone through one or more of three factors: something they know, something they have, or something they are. In this case, authentication is done by confirming something the user knows (their ID and password). But this authentication method is easy to compromise (see sidebar) and stronger forms of authentication are needed. Identifying someone by something they have, such as a key or a card, can also be problematic: when that identity token is lost or stolen, the identity can easily be stolen. The final factor, something you are, is much harder to compromise. This factor identifies a user through physical characteristics such as an eye scan or a fingerprint. Identifying someone by their physical characteristics is called biometrics.

Multi-factor authentication is the safest way to authenticate a user. By combining two or more of the factors listed above, it becomes very difficult for someone to misrepresent themselves. An example of this is the use of an RSA SecurID token. The RSA device is something you have and will generate a new access code every sixty seconds. To log into an information resource using the RSA device, you combine something you know, a four-digit PIN, with the code generated by the device. The only way to properly authenticate is to know the PIN and have the RSA device.

Access control

Once a user is authenticated, the next step is making sure they only have access to the information resources that are relevant to them. This is done through the use of access control. Access control determines which users are authorized to read, add, and/or delete information. There are many different access control models. Here we will discuss two: Access Control List (ACL) and Role-Based Access Control (RBAC).

Every information resource that an organization wants to manage has the ability to perform specific actions
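The password sidebar above lists four complexity rules (eight characters, a capital letter, a special character, a number), a "no dictionary words" rule, and sixty-to-ninety-day rotation. Here is an added example of how those rules turn into a checker that an organization could run at password-change time; it is illustration code for this answer, not from the original post or any textbook. The word list `COMMON_WORDS` is constructed for the example (the three 2012 passwords named above plus a few made-up entries) and stands in for a real dictionary and breached-password list, and the 90-day limit is taken from the upper end of the range the answer gives.

```python
import re
from datetime import date, timedelta

# Constructed stand-in for a dictionary / common-password list. The first three
# entries are the 2012 "most popular" passwords named in the answer; the rest are
# made up for this example. A real deployment would load a full word list.
COMMON_WORDS = {"password", "123456", "12345678", "welcome", "letmein", "qwerty"}

# Upper end of the sixty-to-ninety-day rotation window from the answer.
MAX_PASSWORD_AGE = timedelta(days=90)


def password_policy_violations(password: str) -> list:
    """Return the policy rules a candidate password breaks (empty list means it passes)."""
    violations = []
    if len(password) < 8:
        violations.append("at least 8 characters")
    if not re.search(r"[A-Z]", password):
        violations.append("at least one capital letter")
    if not re.search(r"[0-9]", password):
        violations.append("at least one number")
    if not re.search(r"[^A-Za-z0-9]", password):
        violations.append("at least one special character")
    # Dictionary rule: strip digits and punctuation first, so a "Password1!" style
    # decoration of a dictionary word is still caught.
    core = re.sub(r"[^a-z]", "", password.lower())
    if core in COMMON_WORDS or password.lower() in COMMON_WORDS:
        violations.append("must not be a dictionary word or common password")
    return violations


def password_needs_rotation(last_changed_iso: str, today_iso: str,
                            max_age: timedelta = MAX_PASSWORD_AGE) -> bool:
    """True when the password is older than the policy allows (dates as ISO strings)."""
    last_changed = date.fromisoformat(last_changed_iso)
    today = date.fromisoformat(today_iso)
    return today - last_changed > max_age


if __name__ == "__main__":
    for candidate in ("password", "Password1!", "Tr0ub4dor&3"):
        print(candidate, "->", password_policy_violations(candidate) or "OK")
    print("rotation due:", password_needs_rotation("2024-01-01", "2024-04-30"))
```

The point of the `core` stripping is that the "no dictionary words" rule is only useful if it is applied to the word underneath the mandatory digit and symbol; a checker that only tests the raw string would accept `Password1!`, which is exactly the kind of guessable password the sidebar warns about.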
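The authentication paragraphs describe a token that produces a new code every sixty seconds and a login that combines that code (something you have) with a PIN (something you know). The following added example shows how such a time-based code is generated and checked; it is not the post's own code and it is not RSA's proprietary SecurID algorithm. It uses the open HOTP/TOTP construction from RFC 4226 and RFC 6238 (HMAC-SHA-1 over a counter, truncated to six digits), with the counter derived from the sixty-second step the answer mentions. The secret `RFC_TEST_SECRET` is the published RFC 4226 test-vector key, and the user table in `TokenAuthenticator` is constructed for the example.

```python
import hashlib
import hmac
import struct
import time

# Published RFC 4226 Appendix D test-vector secret (ASCII "12345678901234567890").
# Used here only so the generated codes can be checked against known values.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password for a given counter value."""
    msg = struct.pack(">Q", counter)                  # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                           # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 60, digits: int = 6) -> str:
    """RFC 6238 time-based variant: the counter is the number of elapsed time steps.
    The 60-second step matches the device described in the answer (the RFC default is 30)."""
    return hotp(secret, at_time // step, digits)


class TokenAuthenticator:
    """Two-factor check: a PIN (something you know) plus a device code (something you have)."""

    def __init__(self, users: dict, step: int = 60, window: int = 1):
        # users: name -> (pin, device_secret). Constructed for this example; a real
        # system would store the PIN hashed and the device secret in protected storage.
        self._users = users
        self._step = step
        self._window = window  # accept codes from this many adjacent steps (clock drift)

    def verify(self, user: str, pin: str, code: str, at_time: int = None) -> bool:
        if at_time is None:
            at_time = int(time.time())
        if user not in self._users:
            return False
        expected_pin, secret = self._users[user]
        pin_ok = hmac.compare_digest(expected_pin, pin)   # constant-time comparison
        counter = at_time // self._step
        code_ok = any(
            hmac.compare_digest(hotp(secret, counter + drift), code)
            for drift in range(-self._window, self._window + 1)
        )
        # Both factors must pass; neither alone is enough.
        return pin_ok and code_ok


if __name__ == "__main__":
    auth = TokenAuthenticator({"alice": ("1234", RFC_TEST_SECRET)})
    now = 119  # constructed timestamp: second time step with a 60-second step
    print("device shows:", totp(RFC_TEST_SECRET, now))
    print("login ok:", auth.verify("alice", "1234", totp(RFC_TEST_SECRET, now), now))
```

`verify` checks the PIN and the code independently and only returns true when both pass, which is the "know it and have it" requirement the answer describes. The drift window is the usual caveat for time-based tokens: the user's device and the server clock rarely agree to the second, so one step on either side is accepted; a wider window weakens the scheme because more codes are valid at once.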
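The access-control paragraph names two models, ACL and RBAC, and says access control decides who may read, add, or delete information. This added example (not from the original post) models both side by side over the grade-records resource used elsewhere in the answer, so the difference is visible: an ACL attaches permissions to each resource per user, while RBAC attaches permissions to roles and then assigns roles to users. The users, roles and resources (`alice`, `bob`, `carol`, `registrar`, `student`, `grades`) are constructed for the example.

```python
from enum import Flag, auto


class Permission(Flag):
    """Actions that access control can authorize on an information resource."""
    READ = auto()
    ADD = auto()
    DELETE = auto()


NONE = Permission(0)  # empty permission set


class AccessControlList:
    """ACL model: each resource carries its own list of (user, permissions) entries."""

    def __init__(self):
        self._entries = {}  # resource -> {user: Permission}

    def grant(self, resource: str, user: str, perms: Permission) -> None:
        users = self._entries.setdefault(resource, {})
        users[user] = users.get(user, NONE) | perms

    def is_allowed(self, user: str, resource: str, perm: Permission) -> bool:
        # Default deny: a user absent from the resource's list gets nothing.
        return perm in self._entries.get(resource, {}).get(user, NONE)


class RoleBasedAccessControl:
    """RBAC model: permissions are attached to roles; users are assigned roles."""

    def __init__(self):
        self._role_perms = {}  # role -> {resource: Permission}
        self._user_roles = {}  # user -> set of role names

    def allow_role(self, role: str, resource: str, perms: Permission) -> None:
        resources = self._role_perms.setdefault(role, {})
        resources[resource] = resources.get(resource, NONE) | perms

    def assign_role(self, user: str, role: str) -> None:
        self._user_roles.setdefault(user, set()).add(role)

    def is_allowed(self, user: str, resource: str, perm: Permission) -> bool:
        # Allowed if any role held by the user grants the permission on the resource.
        return any(
            perm in self._role_perms.get(role, {}).get(resource, NONE)
            for role in self._user_roles.get(user, ())
        )


def build_university_example():
    """Constructed scenario: the grades database managed under both models."""
    acl = AccessControlList()
    acl.grant("grades", "alice", Permission.READ | Permission.ADD | Permission.DELETE)  # registrar
    acl.grant("grades", "bob", Permission.READ)                                         # student
    # carol joins the registrar's office. Under the ACL she has no access until the
    # entry list of every relevant resource is edited by hand.

    rbac = RoleBasedAccessControl()
    rbac.allow_role("registrar", "grades", Permission.READ | Permission.ADD | Permission.DELETE)
    rbac.allow_role("student", "grades", Permission.READ)
    rbac.assign_role("alice", "registrar")
    rbac.assign_role("bob", "student")
    rbac.assign_role("carol", "registrar")  # one assignment covers every resource the role touches
    return acl, rbac


if __name__ == "__main__":
    acl, rbac = build_university_example()
    for user in ("alice", "bob", "carol"):
        print(user, "delete grades: ACL", acl.is_allowed(user, "grades", Permission.DELETE),
              "RBAC", rbac.is_allowed(user, "grades", Permission.DELETE))
```

Both models default to deny, which is the property that matters most: a user who is not explicitly listed (or holds no role) cannot read anything. The practical difference the example surfaces is administration: when staff join, leave or change jobs, an ACL has to be edited on every resource they touch, whereas RBAC changes one role assignment, which is why RBAC scales better and is easier to audit for an organization with many resources.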
