FORMS OF SECURITY II{TWO}
FORMS OF SECURITY II
Meaning of Information Security
Information security can be defined as a means of protecting information systems from any illegitimate access and use, theft, amendment, or malicious attacks or penetration. Information security can also be described as “the process by which an organization protects and secures its systems, media, a
nd facilities that process and maintain information vital to its operations” (://www.ffiec.gov/ffiecinfobase /booklets/information_security/information_security.pdf). Conceptually, it is important to clarify the differences in the meaning between the terms information security and computer security, which are often mistaken for each other. There is no doubt that the two concepts are inter-related because professionally speaking, they aim to advance the protection of information through the principles of confidentiality, integrity and availability. Despite the similar goals they both articulate or simply pursue, the two terms still have some differences. These differences are fundamentally found in their approaches, methodologies and variability in their areas of focus. Here, information security concentrates on ways to provide adequate confidentiality, integrity and availability of information but is less concerned with the data form be it electronic or print or any other forms of data. So, information security goes beyond the use of computer to create, modify, delete or store information. Therefore, its boundary goes beyond mere electronic medium. On the other hand, in computer security, the central focus dwells on the techniques that enhance the availability and correct operation of a computer system with little attention on information stored and processed by the computer. One thing to note from the foregoing is the limited boundary that computer security acquires in information discourse. The point is that computer is entirely electronic, and there are other means like print through which we generate, amend, store or discard information. It is against this background that we conclude that information security is wider in scope than computer security, but each of them complements the functions and operations of the other. Away from conceptual differences between information security and computer security, the experience of state and actors in the contemporary world has shown the growing relevance of information security. The increasing complexity of the modern state and sophisticated nature of contemporary business environment and corporations underscore the importance in mounting relevant mechanisms towards the protection of information and information system. For instance, let us look at the commercial banks in Nigeria in the 20th century, by the close of that century, virtually none of the banks could boast of having a capital base of US$ 1 billion. Again, during that period, online financial transactions like the use of ATMs, online shopping etc, were either non-existent or very limited.
Similarly, the period saw majority of the banks not having services that could enable their customers to save and withdraw their money from any of their branches without any geographic limitation, while most banks did not have up to one hundred thousand customers. But due to the opportunities provided by information technology revolution and recapitalization agenda of the Nigerian government, initiating the financial sector to be proactive in increasing their capital base and improving on their information system. The emergent information technology breakthrough especially the development of groundbreaking computer software and electronic machines like ATM have really helped in gradually fizzling-out long queues and the use of tally number as well as manual counting money by cashiers. Nostalgically, I could remember those days when customers would wake up as early as 4am in order to reach their respective banks latest by 6am in order to be attended to early enough due to heavy traffic of customers. One could even reach the bank and meet some people already on the queue outside the bank premises. Then one would be asking himself if those met on the queue slept at home. But now, with the introduction of ATM, people can withdraw their money electronically anytime and anywhere. Considering the opportunities provided by innovations in information technology, you may agree with me that financial transactions, trading, information exchange, mailing, communication etc, have been made so easy. You should however note that there are always two sides to a coin. Though, there is much convenience and fun derivable from modern information system but it can be awful considering the risk and danger one can fall into. For instance, if one wants to purchase items online and logs on a wrong web platform hosted to perpetrate scam, and you ignorantly provide your credit card details, and before you know, you have been duped. For this reason, people are being alerted to be very careful when doing online transactions. One of the ways to reduce such risk is to install very strong security software that can easily detect and inform you if you are on a malicious site. Many organizations have gone into comatose or collapsed as a result of stealing, modifying, corrupting or deleting of vital information. It is therefore very important to put in place viable structures and programmes to protect your information. Now, let us quickly explain some of the methods we can use to safeguard our information systems and protect our information. 3.1.1 Approaches to Information Security
a) Confidentiality: In securing information systems, it is very germane to mount necessary machineries to advance the confidentiality of information. It is very paramount for the management of any organization to enlighten its staff on the need to take the issue of information very seriously. They need to know that it is very essential to prevent the organisation’s vital information from disclosure to unauthorized person(s) or system(s). Stiff penalty should be applied against any erring staff to deter others from doing the same. By commission or omission, if confidential information gets into
the wrong hands of unauthorized person(s) or system(s), it will amount to a breach of confidentiality.
In procuring an international passport, you can log-on the website of the Nigerian Immigration Service to begin the process for your e-passport application. After filling the necessary forms online, you are requested to proceed with your payment, and here, you are given two options: offline or online payment. You may decide to do the payment online with use of your ATM card. In the process, the system will demand for your ATM details through ETRANSACT platform, and you provide it correctly. The gateway will debit your account where the ATM card domiciles, and consequently you will be allowed into the next stage of the application process after the confirmation of your payment, which will be electronically receipted. Here, you need to be careful by not allowing anybody to peep into your financial transaction to avoid an unauthorized person to have access to your secret (pin) code, and if you allow such to happen before, during or after the period of transaction, you have committed a breach of confidentiality. You should know that it is incumbent on the organization(s) you transact with online to uphold the principle of confidentiality. Expectedly, when you are making your transaction, your credit card or ATM card details including pin-code will be transmitted from you to the organization/party with which you transact, and the details will also be transmitted from the said organization to a transaction processing network. The system will ensure that confidentiality is enforced by encrypting (refer to 3.1.1 of last unit for the meaning of encryption) your ATM details especially the pin-code during the transmission, which are stored in a very secure location with highly restricted access. In a situation whereby you confirm that unauthorized person(s) has access into your financial details while the fault or criminal intent does not emanate from you, you have the right to institute a legal action against such erring organization for a breach of confidentiality. Even if your spouse is allowed to access your bank statement account without authorisation is a breach of confidentiality, and the affected person can institute a legal action or warning to the bank management for the breach, or may close down his/her account for lack of security necessitated by the confidentiality breach. If one has the right to sue for a breach of confidentiality that involves his/her own spouse let alone a stranger or a distanced person, it is evident that information security is very important. It will be baseless, if the management of an organization argues that it will not be liable if an offence of breach of confidentiality is committed by any of its staff without its involvement against any customer especially if it involves loss of money.
Recently, due to importance of information, the approach of due care and due diligence has been adapted in information security. Due care involves measures and actions that are taken by a company not only to protect its corporate image but also show liability for all activities that take place within it, and establish regulations that will help to protect the company, its resources and employees. Due diligence means “continual activities that make sure the protection mechanisms are continually maintained and operational” (Harris, 2003). Therefore, if an organization fails in its responsibilities to check the activities of its staff, it will definitely be liable for any misdeed perpetrated by any of its staff such as disclosure of a customer’s information to an unauthorized person, leading to a breach of confidentiality;
b) Integrity
Undoubtedly, this kind of violation occurs in many organizations where employees exhibit nonchallant attitude or criminal intent to compromise the integrity of the system. For instance, in some organizations with large network of information systems, family members, siblings or friends and even neighbours visit some employees, and many of these visitors may be allowed to use the organization’s computers especially where they are connected to the internet. These use all sorts of storage facilities to down-load information from the internet. This attitude is likely to violate the integrity of the information system because apart from exposing the system to malware or virus attack, it will also allow strangers or visitors to have access to information, which ordinarily they are not supposed to; : Integrity can be described as a way of protecting information by restricting access to modification of data without authorization. Here, no amendment can be made on the data without authorization. In information security, efforts should be made to restrict activities of users of the systems from any data modification without being authorized. There are several ways through which the integrity of an information system can be violated. One of such ways is accidental or deliberate exposing of the system to malicious attacks.
c) Availability: Information system cannot be complete if there is no availability of information. It is the availability of information that makes information system what it is. Therefore, it is imperative to have a network of actions functioning well. These actions include the computer system that is tasked with the storing and processing of the information while the security controls do the protection of the system, and the communication channels enable the users to access that information.
If we consider this network of functions, we may agree that it is difficult to have ‘high availability systems’ in countries like Nigeria where there is frequent power outage that can easily disrupt the operation of the system. High availability systems are those systems that are always available, and
demand necessary mechanisms to be brought to bear in order to prevent disruptions that may result from hardware failures, power outages, physical destruction of the information systems, to mention a few;
d) Authenticity: Information security demands that we can just collect information whether electronic or print for the sake of it, but we should endeavour to clarify the authenticity or genuineness of such information. It is by so doing we can have reliable and quality information;
e) Risk Management
…..the process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives, and deciding what countermeasures, if any, to take in reducing risk to an acceptable level, based on the value of the information resource to the organization. Risk is the everyday business of each man. Sometimes, we decide out of the blues to see a loved one in his/her place work, even after calling him/her of our coming, the subconscious still has a doubt about meeting him/her at the office because every second is clouded with eventuality. It is possible for the receptionist to inform us that he/she had an emergency from the headquarters and he/she tried to get you on phone to inform you about the new development (urgent call to report at the headquarters) but he/she could not reach on phone. Considering the above scenario, you may agree with me that risk is second nature to man. The decision of a man and a lady to get married is a risk: the marriage may succeed or fail. It is against this background that many people adopt various approaches or measures to manage risk in their relationships. In information security, risk management is very essential because it determines the preparedness of an organization against any threat as it relates its information system. : Everything about life is a risk. There is risk, even in the relationship between two or more people. How do we describe risk management? According to CISA Review Manual (2006), risk management can be described as:
Furthermore, in as much that information from its collection, modification to erasure involves risk, it is pertinent to develop countermeasures or controls to manage the risks but it is more important to “strike a balance between productivity, cost, effectiveness of the countermeasures, and the value of the informational asset being protected” (Error! Hyperlink reference not valid.), meaning that it is not appropriate to spend too much money or employing highly productive and effective in securing an information asset that has little importance to the overall interest of an organisation; and
f) Information Classification
For instance, the head of an organization is having an extra-marital affair with a former female staff who he communicates on regular basis. May be because he is not internet-literate and always asks his male secretary to help him send mails to his ‘lady-friend’ while mandating the secretary to classify the mails as top secret, giving more importance to such mails than the very important information of the organization. This reflects a clear case of misuse of office and misclassification because it abnormal to place private issues above those that concern the organization and the work environment. Within an organizational setting, we can classify information based on the value of it to the organization. In private organizations, classification models are usually labelled as: public, sensitive, private, confidential. But in big security outfits and government organizations the classification labels used include: unclassified, sensitive, but unclassified, restricted, confidential, secret, top secret. These classification labels are listed according to the security controls needed in protecting them, and the classification exercise should be continually reviewed
Meaning of Information Security
Information security can be defined as a means of protecting information systems from any illegitimate access and use, theft, amendment, or malicious attacks or penetration. Information security can also be described as “the process by which an organization protects and secures its systems, media, a
Similarly, the period saw majority of the banks not having services that could enable their customers to save and withdraw their money from any of their branches without any geographic limitation, while most banks did not have up to one hundred thousand customers. But due to the opportunities provided by information technology revolution and recapitalization agenda of the Nigerian government, initiating the financial sector to be proactive in increasing their capital base and improving on their information system. The emergent information technology breakthrough especially the development of groundbreaking computer software and electronic machines like ATM have really helped in gradually fizzling-out long queues and the use of tally number as well as manual counting money by cashiers. Nostalgically, I could remember those days when customers would wake up as early as 4am in order to reach their respective banks latest by 6am in order to be attended to early enough due to heavy traffic of customers. One could even reach the bank and meet some people already on the queue outside the bank premises. Then one would be asking himself if those met on the queue slept at home. But now, with the introduction of ATM, people can withdraw their money electronically anytime and anywhere. Considering the opportunities provided by innovations in information technology, you may agree with me that financial transactions, trading, information exchange, mailing, communication etc, have been made so easy. You should however note that there are always two sides to a coin. Though, there is much convenience and fun derivable from modern information system but it can be awful considering the risk and danger one can fall into. For instance, if one wants to purchase items online and logs on a wrong web platform hosted to perpetrate scam, and you ignorantly provide your credit card details, and before you know, you have been duped. For this reason, people are being alerted to be very careful when doing online transactions. One of the ways to reduce such risk is to install very strong security software that can easily detect and inform you if you are on a malicious site. Many organizations have gone into comatose or collapsed as a result of stealing, modifying, corrupting or deleting of vital information. It is therefore very important to put in place viable structures and programmes to protect your information. Now, let us quickly explain some of the methods we can use to safeguard our information systems and protect our information. 3.1.1 Approaches to Information Security
a) Confidentiality: In securing information systems, it is very germane to mount necessary machineries to advance the confidentiality of information. It is very paramount for the management of any organization to enlighten its staff on the need to take the issue of information very seriously. They need to know that it is very essential to prevent the organisation’s vital information from disclosure to unauthorized person(s) or system(s). Stiff penalty should be applied against any erring staff to deter others from doing the same. By commission or omission, if confidential information gets into
the wrong hands of unauthorized person(s) or system(s), it will amount to a breach of confidentiality.
In procuring an international passport, you can log-on the website of the Nigerian Immigration Service to begin the process for your e-passport application. After filling the necessary forms online, you are requested to proceed with your payment, and here, you are given two options: offline or online payment. You may decide to do the payment online with use of your ATM card. In the process, the system will demand for your ATM details through ETRANSACT platform, and you provide it correctly. The gateway will debit your account where the ATM card domiciles, and consequently you will be allowed into the next stage of the application process after the confirmation of your payment, which will be electronically receipted. Here, you need to be careful by not allowing anybody to peep into your financial transaction to avoid an unauthorized person to have access to your secret (pin) code, and if you allow such to happen before, during or after the period of transaction, you have committed a breach of confidentiality. You should know that it is incumbent on the organization(s) you transact with online to uphold the principle of confidentiality. Expectedly, when you are making your transaction, your credit card or ATM card details including pin-code will be transmitted from you to the organization/party with which you transact, and the details will also be transmitted from the said organization to a transaction processing network. The system will ensure that confidentiality is enforced by encrypting (refer to 3.1.1 of last unit for the meaning of encryption) your ATM details especially the pin-code during the transmission, which are stored in a very secure location with highly restricted access. In a situation whereby you confirm that unauthorized person(s) has access into your financial details while the fault or criminal intent does not emanate from you, you have the right to institute a legal action against such erring organization for a breach of confidentiality. Even if your spouse is allowed to access your bank statement account without authorisation is a breach of confidentiality, and the affected person can institute a legal action or warning to the bank management for the breach, or may close down his/her account for lack of security necessitated by the confidentiality breach. If one has the right to sue for a breach of confidentiality that involves his/her own spouse let alone a stranger or a distanced person, it is evident that information security is very important. It will be baseless, if the management of an organization argues that it will not be liable if an offence of breach of confidentiality is committed by any of its staff without its involvement against any customer especially if it involves loss of money.
Recently, due to importance of information, the approach of due care and due diligence has been adapted in information security. Due care involves measures and actions that are taken by a company not only to protect its corporate image but also show liability for all activities that take place within it, and establish regulations that will help to protect the company, its resources and employees. Due diligence means “continual activities that make sure the protection mechanisms are continually maintained and operational” (Harris, 2003). Therefore, if an organization fails in its responsibilities to check the activities of its staff, it will definitely be liable for any misdeed perpetrated by any of its staff such as disclosure of a customer’s information to an unauthorized person, leading to a breach of confidentiality;
b) Integrity
Undoubtedly, this kind of violation occurs in many organizations where employees exhibit nonchallant attitude or criminal intent to compromise the integrity of the system. For instance, in some organizations with large network of information systems, family members, siblings or friends and even neighbours visit some employees, and many of these visitors may be allowed to use the organization’s computers especially where they are connected to the internet. These use all sorts of storage facilities to down-load information from the internet. This attitude is likely to violate the integrity of the information system because apart from exposing the system to malware or virus attack, it will also allow strangers or visitors to have access to information, which ordinarily they are not supposed to; : Integrity can be described as a way of protecting information by restricting access to modification of data without authorization. Here, no amendment can be made on the data without authorization. In information security, efforts should be made to restrict activities of users of the systems from any data modification without being authorized. There are several ways through which the integrity of an information system can be violated. One of such ways is accidental or deliberate exposing of the system to malicious attacks.
c) Availability: Information system cannot be complete if there is no availability of information. It is the availability of information that makes information system what it is. Therefore, it is imperative to have a network of actions functioning well. These actions include the computer system that is tasked with the storing and processing of the information while the security controls do the protection of the system, and the communication channels enable the users to access that information.
If we consider this network of functions, we may agree that it is difficult to have ‘high availability systems’ in countries like Nigeria where there is frequent power outage that can easily disrupt the operation of the system. High availability systems are those systems that are always available, and
demand necessary mechanisms to be brought to bear in order to prevent disruptions that may result from hardware failures, power outages, physical destruction of the information systems, to mention a few;
d) Authenticity: Information security demands that we can just collect information whether electronic or print for the sake of it, but we should endeavour to clarify the authenticity or genuineness of such information. It is by so doing we can have reliable and quality information;
e) Risk Management
…..the process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives, and deciding what countermeasures, if any, to take in reducing risk to an acceptable level, based on the value of the information resource to the organization. Risk is the everyday business of each man. Sometimes, we decide out of the blues to see a loved one in his/her place work, even after calling him/her of our coming, the subconscious still has a doubt about meeting him/her at the office because every second is clouded with eventuality. It is possible for the receptionist to inform us that he/she had an emergency from the headquarters and he/she tried to get you on phone to inform you about the new development (urgent call to report at the headquarters) but he/she could not reach on phone. Considering the above scenario, you may agree with me that risk is second nature to man. The decision of a man and a lady to get married is a risk: the marriage may succeed or fail. It is against this background that many people adopt various approaches or measures to manage risk in their relationships. In information security, risk management is very essential because it determines the preparedness of an organization against any threat as it relates its information system. : Everything about life is a risk. There is risk, even in the relationship between two or more people. How do we describe risk management? According to CISA Review Manual (2006), risk management can be described as:
Furthermore, in as much that information from its collection, modification to erasure involves risk, it is pertinent to develop countermeasures or controls to manage the risks but it is more important to “strike a balance between productivity, cost, effectiveness of the countermeasures, and the value of the informational asset being protected” (Error! Hyperlink reference not valid.), meaning that it is not appropriate to spend too much money or employing highly productive and effective in securing an information asset that has little importance to the overall interest of an organisation; and
f) Information Classification
For instance, the head of an organization is having an extra-marital affair with a former female staff who he communicates on regular basis. May be because he is not internet-literate and always asks his male secretary to help him send mails to his ‘lady-friend’ while mandating the secretary to classify the mails as top secret, giving more importance to such mails than the very important information of the organization. This reflects a clear case of misuse of office and misclassification because it abnormal to place private issues above those that concern the organization and the work environment. Within an organizational setting, we can classify information based on the value of it to the organization. In private organizations, classification models are usually labelled as: public, sensitive, private, confidential. But in big security outfits and government organizations the classification labels used include: unclassified, sensitive, but unclassified, restricted, confidential, secret, top secret. These classification labels are listed according to the security controls needed in protecting them, and the classification exercise should be continually reviewed
Comments
Post a Comment