Information system security insurance

Alexandru TATU*, Mircea COSMA**

*National Defense University "Carol I", 68-72 Panduri Street, Sector 5, Bucharest
**Alma Mater University, 57 Someşului Street, Sibiu

Abstract

Through this paper we intend to show that the technological developments of recent decades have made society strongly dependent on communications and information technology, a fact of which ordinary people, as well as military and political leaders, are increasingly aware. Growing global dependence on sophisticated information systems, and the interconnection of these systems, produces significant opportunities but also ever larger informational vulnerabilities. At the same time, advances in electronics, communications and computer science offer new ways of achieving national security goals, while the risk factors for unprotected information structures grow exponentially.

Keywords: information system security, information security, information system, information flows, security management, information management, information control, information protection, information.

The technological developments of recent decades have created a strong dependence of society on the means of communication and on information technology, a fact increasingly recognized by ordinary people as well as by military and political leaders. The growing global dependence on sophisticated, interconnected information systems produces significant opportunities alongside ever larger informational vulnerabilities. Developments in consumer electronics, communications and computer science likewise offer new ways of achieving national security goals, but also drive exponential growth in the risk factors facing unprotected information structures.

Military as well as civil domains currently depend on information systems of various sizes. One could even say that the whole world has become a large-scale information system in which communications systems are interconnected. Simply unplugging a system from the global information network is no longer sufficient: specific measures for the security of information systems must be adopted, in keeping with new needs for information and with new threats to the security of those systems. It is not enough to implement information management systems; once created, these systems must be protected and secured against all vulnerabilities, internal and external, so that they can fulfil the purpose for which they were designed.

Information system security - theoretical boundaries

The security of information systems is an issue of high interest that is acquiring new meanings. It requires a new, unitary concept, correlated with the responses to destruction or penetration, and it stands under the constant pressure of scientific, technological and cognitive obsolescence. Information security is shaped by the diversity and specificity of the fields, issues and activity profiles concerned, by the particular informational environment, by the continual improvement and diversification of the means, techniques and technologies for obtaining, analyzing, processing and transmitting operational data, information and information products, and by the danger of theft, illegal access and use of information by unauthorized persons.

To meet these requirements, information systems must be provided with protective measures at every stage of the life of information, from generation, collection and processing to use. Securing information systems is an ongoing process comprising many activities: defining the areas of uncertainty, identifying the threats specific to these systems, developing a security strategy, evaluating the security of the information systems, and resuming operation in certain specific situations.

In our opinion, the following definition meets the requirements listed. The security of information systems is a complex of legal, scientific, economic, organizational and technical measures and countermeasures capable of ensuring the confidentiality and the physical and semantic integrity of the information in a system, and of the dynamics of its changes, against crimes, exceptions, errors or mistakes of intentional or accidental nature, within an assumed risk and with an expenditure of forces (human and material) derived from the cost assigned to mission completion.

Security is recognized as a multidimensional concept, so every field (political, diplomatic, economic, defense, cultural, scientific, etc.) establishes measures to ensure the promotion of its specific interests. A new approach to the information security sector is now emerging, with direct implications for military organizations as well. Romania, as a member of NATO and the EU, must take account of these global concerns and of the new concepts in information security, in particular those embodied in notions such as "cybersecurity".

Ensuring the security of information systems - theoretical and functional aspects

Dependence on information is today greater and more dangerous than ever; it creates special facilities but also risks arising from the vulnerabilities of information systems to internal and external threats. Some states depend entirely on information provided by the components of their national cyberspace. An outage of these components lasting several hours can lead to chaos in the country concerned, affecting to a large extent not only national security but also the security of the global information system.

Information systems security has become a priority for public institutions, private companies and military organizations alike, given that their information flows are managed electronically and the volume of information has increased dramatically in recent years. The beginning of this millennium is dominated by mankind's concern to use and develop information technologies effectively, together with the adoption of effective measures against illegal access to databases, perceived as a new threat to international peace and security to which even the electronic information systems of the most technologically advanced countries are vulnerable.

Information systems security is the field that provides the functionality and efficiency of information systems (confidentiality, integrity, availability and non-repudiation of data and information) and the defense of national security structures, of specific activities and of personnel, particularly decision makers, against possible espionage, terrorism, sabotage, unauthorized disclosure, disruption and any other destructive action aimed at information and communication systems. Modern applications in this respect include: cryptographic protection of communications channels and computer networks, public key systems, cryptographic antivirus techniques, fault-tolerant cryptographic systems with single-use and random keys for protecting databases, error-correcting codes, cryptographic protocols and cryptographic handling of unauthorized access to information.

Now, at the beginning of the third millennium, we can say that the plans of operation, techniques and environments for the protection and security of information have advanced and improved greatly. Even the traditional system based on a central computer has become obsolete in a world that communicates over the Internet or intranets, after personal computers and successive generations of mobile networks were brought into its structure and the concept of a network of networks emerged, giving new dimensions to cyberspace.

The purpose of information security is to ensure the confidentiality and the physical and semantic integrity of information, so that it withstands a wide range of crimes or mistakes of deliberate or accidental character, within an assumed risk represented by the human and material resources consumed for protection. Information systems cross national borders, and the ability to provide information and services at relatively low cost, including for military and national security purposes, has prompted an explosion of new facilities, expanded services, increased efficiency, reduced costs, and online communication allowing quick decisions and wider procurement markets. At the strategic level, this explosive growth of information and communication channels brings concern for the protection of data, but also the wish to exploit the new advantages and facilities.

Studies by analysts and specialists conclude that information systems security is constantly subject to specific threats, such as:
- unauthorized access to the databases of decision and control systems for data extraction, data entry, distortion, alteration or falsification of information;
- collection of information by capturing and analyzing information-carrying signals or electromagnetic radiation;
- deliberate introduction of software that penetrates or bypasses the protection system and causes computing and communication systems (including weapons systems) to behave differently from how they were programmed (viruses, logic bombs, Trojan horses and other malware);
- psychological actions meant to mislead operating staff;
- electronic attack measures such as non-lethal weapons (particle accelerators, non-nuclear electromagnetic pulse, laser radiation, etc.), the sending of false information (disinformation), and the jamming or destruction of communication channels.

Analysis of the role of information systems security underlines its complexity, a feature that becomes apparent when its specific functions are presented. Information systems security is a major concern not only for specialists in information security and intelligence but for the whole of society.

Role and functions

The new global culture of electronic information exchange over networks increases the risk of fraud, data theft and interception for governments, private companies and individuals alike. Accordingly, the role of information systems security is to ensure the safety requirements and the trust in the information that flows through these channels. This goal is achieved by:
- access to information and data by authorized staff;
- confidentiality, which effectively prohibits unauthorized access to information;
- ensuring integrity, which means transmission without modification (accidental or intentional);
- availability, which means ensuring access to information for use by authorized personnel;
- protection of structures, activities and decision makers against specific destructive actions.

To reduce the threats, vulnerabilities and risks faced by the information in information systems, information systems security has certain specific functions.

Confidentiality, as a specific function, involves protecting an information channel, and the information itself, against unauthorized access and disclosure. Through confidentiality, users can access only the information covered by their security clearance. Authorized, official access to information by the staff of an institution is embodied in a security clearance and in the need to know as defined by the job description. Through confidentiality services, data and information in computer and communication networks are accessed by, and available to, authorized users only, whether the data are stored on servers or workstations or in transit through the network.

The second function, ensuring integrity, involves preserving information against threats of any kind, whether from human, technical or natural factors. The integrity of an information system requires that the information stored, processed or transmitted be kept permanently unaltered by threatening factors. Integrity is ensured through security mechanisms and specific products such as encryption, digital signatures and intrusion detection mechanisms. In communication networks, integrity takes a specific form called authenticity, which provides verification of the origin of data, identification of the workstation and the user, and recording of the moment when the operation was executed.

Ensuring availability is the function that guarantees access to information and services, and their use, by authorized personnel. Lack of availability may take the form of denial of service or loss of data processing as a result of natural disasters (earthquakes, floods, etc.), accidents (fire or flooding) or destructive human actions. To ensure availability, four types of measures are important: physical, technical, administrative and personnel. Physical measures involve access control, fire and humidity detection systems, and data restoration facilities located away from the data processing facilities. Technical measures include fault tolerance mechanisms, electronic switching for automatic data backup, and access control applications that prevent unauthorized interruption of services. Administrative measures address access control policies and operating procedures, contingency plans for emergencies and user training. Adequate training of operators, developers and security personnel is a special measure for avoiding situations in which availability is damaged.

Non-repudiation, as a distinct function, involves removing any uncertainty about the source or destination of a transmission by means of reliable records that can be checked independently to determine the origin or destination of the information.

Without being a specific function, audit is the creation and protection of the evidence needed to investigate the facts that generate security events. The evidence takes the form of activity logs that record data such as the user name, time stamps and the associated actions.

Very important in the operation of information systems, restoration is the function by which information systems can be recovered when their availability has been affected. Restoration is perhaps the most important function when one or more of the other functions have not been successfully met.

To achieve adequate security, every real threat to and vulnerability of the information system must be anticipated (wrong operation, external attacks, accidental or intentional interference or interconnection, disclosure of useful information through spurious emissions, etc.) and appropriate security measures must be taken. This can be achieved through a complex of legal, organizational, economic, physical, technological and informational measures able to prevent and limit the destructive action of disasters, to ensure the safe and stable functioning of a system, and to restore working conditions in a short time. The security functions of information systems become critical when national security is at stake, since a breach of any of them leads to compromised data and mission failure, resulting in loss of life, property damage, and the re-planning or execution of additional missions.

Means of achievement

The changes of recent years, the shift of conflicts of interest from the military field to the economic one, the development of the information society and the liberalization of information exchange have profoundly changed the approach to the security of information systems. As such, information systems security has acquired new dimensions, as confirmed by several arguments proven in the informational confrontations of recent years:
- the generalization of electronic and informational confrontation;
- the favorable influence of information processing on the effectiveness of modern weapons, and the harmful influence of computer viruses on smart weapons;
- the psychological pressure of disinformation, and the ease with which sizeable forces left without effective command can be destroyed;
- the effectiveness of smart weapons: robot aircraft, cruise missiles, self-guided missiles, laser-guided bombs and missile systems.

With the development of computer science, and although organizational, administrative and technical measures have been taken to limit unauthorized access to information, there is an alarming increase in the number of cases, forms and methods of stealing information. Management strategies to prevent, manage and overcome crises require military information security measures as a priority, both to prevent aggression and to ensure the normal and safe movement of information. The complexity of these measures, their effectiveness (sometimes difficult to assess), the dynamics of the situation and time pressure confer specificity and multidimensionality on information protection.

The problem of information systems security is complex, and derives from the fact that information that is secret by its nature is not always properly and completely defined; this is further complicated when information becomes classified by extension and cannot be controlled except, in cases of conflict, by military censorship. To ensure trust in information systems it is necessary to understand the risks and to adopt effective ways of reducing them. This goal can be achieved only by providing funds for investment in information protection, both for the purchase and implementation of security equipment and products and for specialist training and organizational protection measures.

It can be said that information systems security is both a profession and a business: a profession because protective measures require a high degree of professionalism, and a business because it must be achieved within a reasonable and affordable cost. Like any business, the management of information systems security involves decisions under risk, deciding what should be protected by weighing the probability and magnitude of loss against the cost of protection. Communication and computer networks offer many facilities for obtaining, processing and storing information, but they are also the most vulnerable. Therefore, when designing a security system for such networks, a balance has to be struck between the cost of building the network and the cost of protecting it, seeking maximum effectiveness with minimum investment. We can say that future conflicts will revolve around the handling of information and misinformation, and around changing human behavior through the appropriate operation and routing of information.
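
The distinction drawn above between integrity (a message has not been altered) and non-repudiation (the origin can be proven to an independent party) is easy to blur. The following is an added example, not code from the paper, that makes the distinction concrete with the standard library only: an HMAC over a shared key, which any key holder, including the receiver, can produce; and a Lamport one-time signature, a hash-based scheme used here as a stand-in for the digital signatures the text names, which only the private key can produce and anyone with the public key can verify. The message contents are constructed for illustration.

```python
"""Integrity vs. non-repudiation: shared-key MAC against a hash-based signature.

Added example (not from the paper). HMAC-SHA256 gives integrity between two
parties that share a key; a Lamport one-time signature stands in for the
digital signatures the text mentions, to show why only a signature verified
with a public key supports non-repudiation.
"""
import hashlib
import hmac
import secrets

DIGEST_BITS = 256  # the signature covers the SHA-256 digest of the message, one secret per bit


def mac_tag(key: bytes, message: bytes) -> bytes:
    """Integrity tag: everyone holding `key` can both create and verify it."""
    return hmac.new(key, message, hashlib.sha256).digest()


def mac_verify(key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac_tag(key, message), tag)


def lamport_keygen():
    """Private key: 256 pairs of random 32-byte secrets. Public key: their SHA-256 hashes."""
    private = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(DIGEST_BITS)]
    public = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in private]
    return private, public


def _digest_bits(message: bytes) -> list:
    d = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return [(d >> (DIGEST_BITS - 1 - i)) & 1 for i in range(DIGEST_BITS)]


def lamport_sign(private, message: bytes) -> list:
    """Reveal one secret of each pair, chosen by the digest bit.
    ONE-TIME: signing two different messages with the same key leaks enough to forge."""
    return [pair[bit] for pair, bit in zip(private, _digest_bits(message))]


def lamport_verify(public, message: bytes, signature: list) -> bool:
    """Needs only the public key, so the verifier cannot have produced the signature."""
    if len(signature) != DIGEST_BITS:
        return False
    return all(
        hmac.compare_digest(hashlib.sha256(sig).digest(), pair[bit])
        for pair, bit, sig in zip(public, _digest_bits(message), signature)
    )


def demo() -> dict:
    """Run both mechanisms on a constructed message and on a tampered copy."""
    message = b"ORDER 17: release supplies to unit B at 0600"   # constructed sample
    tampered = b"ORDER 17: release supplies to unit C at 0600"  # one character changed

    # 1. Shared-key MAC: tampering is detected, but the receiver holds the same
    #    key, so it can mint a valid tag for an order the sender never issued.
    shared_key = secrets.token_bytes(32)
    tag = mac_tag(shared_key, message)
    forged = mac_tag(shared_key, b"ORDER 18: withdraw")  # produced by the receiver

    # 2. Signature: only the private key signs; verification uses the public key.
    priv, pub = lamport_keygen()
    sig = lamport_sign(priv, message)

    return {
        "mac_ok": mac_verify(shared_key, message, tag),
        "mac_detects_tamper": not mac_verify(shared_key, tampered, tag),
        "mac_receiver_can_forge": mac_verify(shared_key, b"ORDER 18: withdraw", forged),
        "sig_ok": lamport_verify(pub, message, sig),
        "sig_detects_tamper": not lamport_verify(pub, tampered, sig),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The HMAC results show why a shared-key tag cannot serve as the "reliable record checked independently" that non-repudiation requires: a third party cannot tell which key holder produced it. The Lamport scheme is chosen only because it runs without extra libraries; in practice the same property is obtained with RSA or ECDSA signatures, and a Lamport key must never sign more than one message.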
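
The audit function described earlier requires not just recording the user name, time and action but protecting that record as evidence, and the confidentiality function ties access to both clearance and need to know. The following is an added example, not code from the paper, that combines the two: a simplified clearance-plus-compartment access check (the level names and ordering are assumed for illustration) whose decisions are written to a hash-chained audit log sealed with an HMAC key. It assumes the sealing key is held by a log collector outside the audited host, and that the collector also stores the latest seal; the sample events are constructed.

```python
"""Tamper-evident audit log fed by a clearance / need-to-know access check.

Added example (not from the paper). Each entry's seal covers the previous
seal, so editing or removing a past entry without the sealing key breaks the
chain; the collector's copy of the latest seal catches removal of the tail.
"""
import hashlib
import hmac
import json

LEVELS = {"unclassified": 0, "restricted": 1, "confidential": 2, "secret": 3}  # assumed ordering
GENESIS = b"\x00" * 32  # seal of the empty log, before the first entry


def authorize(clearance: str, need_to_know: set, classification: str, compartments: set) -> bool:
    """Grant only if the clearance dominates the classification AND the subject's
    need-to-know covers every compartment of the object."""
    return LEVELS[clearance] >= LEVELS[classification] and compartments <= need_to_know


class AuditLog:
    def __init__(self, seal_key: bytes):
        self._key = seal_key      # lives on the collector, not on the audited host
        self.entries = []         # list of (record_dict, seal_bytes)

    @staticmethod
    def _canonical(record: dict) -> bytes:
        return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

    def _seal(self, prev_seal: bytes, record: dict) -> bytes:
        return hmac.new(self._key, prev_seal + self._canonical(record), hashlib.sha256).digest()

    def append(self, user: str, timestamp: str, action: str, outcome: str) -> None:
        prev = self.entries[-1][1] if self.entries else GENESIS
        record = {"seq": len(self.entries), "user": user, "time": timestamp,
                  "action": action, "outcome": outcome}
        self.entries.append((record, self._seal(prev, record)))

    def head(self) -> bytes:
        """Latest seal; the collector stores it so tail truncation is detectable."""
        return self.entries[-1][1] if self.entries else GENESIS

    def verify(self, expected_head=None) -> int:
        """Index of the first bad entry; len(entries) if the tail is missing; -1 if intact."""
        prev = GENESIS
        for i, (record, seal) in enumerate(self.entries):
            if record["seq"] != i or not hmac.compare_digest(self._seal(prev, record), seal):
                return i
            prev = seal
        if expected_head is not None and not hmac.compare_digest(prev, expected_head):
            return len(self.entries)
        return -1


def build_sample_log(key: bytes) -> AuditLog:
    """Constructed events (not real data): three reads of one document, one bad login."""
    users = {"tatu": ("secret", {"plans"}),     # cleared and briefed into the compartment
             "cosma": ("secret", set()),        # cleared, but no need to know
             "guest": ("unclassified", set())}
    doc = ("confidential", {"plans"})
    log = AuditLog(key)
    for user, ts in (("tatu", "2013-03-04T08:01:12Z"),
                     ("cosma", "2013-03-04T08:02:40Z"),
                     ("guest", "2013-03-04T08:03:05Z")):
        clearance, need_to_know = users[user]
        granted = authorize(clearance, need_to_know, *doc)
        log.append(user, ts, "read doc/plan-17.pdf", "granted" if granted else "denied")
    log.append("guest", "2013-03-04T08:03:09Z", "login as tatu", "failure")
    return log


def tamper_demo(key: bytes) -> dict:
    """Verify an intact log and three manipulated copies against the collector's head seal."""
    head = build_sample_log(key).head()
    edited = build_sample_log(key)
    edited.entries[1][0]["outcome"] = "granted"   # insider rewrites his own denial
    cut = build_sample_log(key)
    del cut.entries[2]                             # a middle entry removed
    truncated = build_sample_log(key)
    del truncated.entries[3]                       # the failed login removed from the tail
    return {"intact": build_sample_log(key).verify(head),
            "edited": edited.verify(head),
            "deleted_middle": cut.verify(head),
            "truncated": truncated.verify(head)}


if __name__ == "__main__":
    print(tamper_demo(b"collector-key"))
```

Two points the code makes that the prose does not: a hash chain alone does not stop an attacker who can recompute seals, which is why the key must be kept off the audited host; and a chain that ends cleanly looks valid after its last entries are deleted, which is why the collector must keep the latest seal as an anchor.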

New threats will not be likely to generate violent actions; the focus will move across the information spectrum to activities designed to induce certain desirable behaviors in different activities and areas. The information systems security sector will experience accentuated growth in the coming years, driven by the evolution of the Internet and social networks and by the increasing globalization phenomenon.


More information

Modern Accounting Information System Security (AISS) Research Based on IT Technology

Modern Accounting Information System Security (AISS) Research Based on IT Technology , pp.163-170 http://dx.doi.org/10.14257/astl.2016. Modern Accounting Information System Security (AISS) Research Based on IT Technology Jiamin Fang and Liqing Shu Accounting Branch, Jilin Business and

More information

A Structured Approach to Computer Security *

A Structured Approach to Computer Security * 1 A Structured Approach to Computer Security * Tomas Olovsson Department of Computer Engineering Chalmers University of Technology S-412 96 Gothenburg SWEDEN Technical Report No 122, 1992 ABSTRACT Security

More information

CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 1 January 9, 2012 CPSC 467b, Lecture 1 1/22 Course Overview Symmetric Cryptography CPSC 467b, Lecture 1 2/22 Course Overview CPSC

More information

Cybersecurity Awareness. Part 1

Cybersecurity Awareness. Part 1 Part 1 Objectives Discuss the Evolution of Data Security Define and Discuss Cybersecurity Review Threat Environment Part 1 Discuss Information Security Programs s Enhancements for Cybersecurity Risks Threat

More information

Introduction to Security

Introduction to Security 2 Introduction to Security : IT Security Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 25 October 2013 its335y13s2l01, Steve/Courses/2013/s2/its335/lectures/intro.tex,

More information

Department of Defense INSTRUCTION. SUBJECT: Communications Security (COMSEC) Monitoring and Information Assurance (IA) Readiness Testing

Department of Defense INSTRUCTION. SUBJECT: Communications Security (COMSEC) Monitoring and Information Assurance (IA) Readiness Testing Department of Defense INSTRUCTION NUMBER 8560.01 October 9, 2007 ASD(NII)/DoD CIO SUBJECT: Communications Security (COMSEC) Monitoring and Information Assurance (IA) Readiness Testing References: (a) DoD

More information

Network Security Essentials

Network Security Essentials Network Security Essentials Fifth Edition by William Stallings Chapter 1 Introduction On War The combination of space, time, and strength that must be considered as the basic elements of this theory of

More information

LESSONS FROM THE FINANCIAL CRISIS FOR RISK MANAGEMENT

LESSONS FROM THE FINANCIAL CRISIS FOR RISK MANAGEMENT LESSONS FROM THE FINANCIAL CRISIS FOR RISK MANAGEMENT Gabriela PAVAL Alexandru Ioan Cuza University of Iasi Iasi, Romania gabriela.paval@gmail.com Abstract Lately, in the literature in the field there

More information

INFORMATION SECURITY PROCEDURES

INFORMATION SECURITY PROCEDURES INFORMATION AN INFORMATION SECURITY PROCEURES Parent Policy Title Information Security Policy Associated ocuments Use of Computer Facilities Statute 2009 Risk Management Policy Risk Management Procedures

More information

PROCEDURE FOR SECURITY RISK MANAGEMENT IN PPC S.A. INFORMATION TECHNOLOGY SYSTEMS DA-1

PROCEDURE FOR SECURITY RISK MANAGEMENT IN PPC S.A. INFORMATION TECHNOLOGY SYSTEMS DA-1 PUBLIC POWER CORPORATION S.A. INFORMATION TECHNOLOGY DIVISION CENTRAL SYSTEMS SUPPORT SECTION IT SYSTEMS SECURITY SUBSECTION PROCEDURE FOR SECURITY RISK MANAGEMENT IN PPC S.A. INFORMATION TECHNOLOGY SYSTEMS

More information

9. Information Assurance and Security, Protecting Information Resources. Janeela Maraj. Tutorial 9 21/11/2014 INFO 1500

9. Information Assurance and Security, Protecting Information Resources. Janeela Maraj. Tutorial 9 21/11/2014 INFO 1500 INFO 1500 9. Information Assurance and Security, Protecting Information Resources 11. ecommerce and ebusiness Janeela Maraj Tutorial 9 21/11/2014 9. Information Assurance and Security, Protecting Information

More information

Computer Forensics Preparation

Computer Forensics Preparation Computer Forensics Preparation This lesson covers Chapters 1 and 2 in Computer Forensics JumpStart, Second Edition. OBJECTIVES When you complete this lesson, you ll be able to Discuss computer forensics

More information

Cybersecurity for the C-Level

Cybersecurity for the C-Level Cybersecurity for the C-Level Director Glossary of Defined Cybersecurity Terms A Active Attack An actual assault perpetrated by an intentional threat source that attempts to alter a system, its resources,

More information

Cryptography and Network Security Chapter 1

Cryptography and Network Security Chapter 1 Cryptography and Network Security Chapter 1 Acknowledgments Lecture slides are based on the slides created by Lawrie Brown Chapter 1 Introduction The art of war teaches us to rely not on the likelihood

More information

GAO INFORMATION SECURITY. Weak Controls Place Interior s Financial and Other Data at Risk. Report to the Secretary of the Interior

GAO INFORMATION SECURITY. Weak Controls Place Interior s Financial and Other Data at Risk. Report to the Secretary of the Interior GAO United States General Accounting Office Report to the Secretary of the Interior July 2001 INFORMATION SECURITY Weak Controls Place Interior s Financial and Other Data at Risk GAO-01-615 United States

More information

ISO/IEC 27002:2013 WHITEPAPER. When Recognition Matters

ISO/IEC 27002:2013 WHITEPAPER. When Recognition Matters When Recognition Matters WHITEPAPER ISO/IEC 27002:2013 INFORMATION TECHNOLOGY - SECURITY TECHNIQUES CODE OF PRACTICE FOR INFORMATION SECURITY CONTROLS www.pecb.com CONTENT 3 4 5 6 6 7 7 7 7 8 8 8 9 9 9

More information

Unit 3 Cyber security

Unit 3 Cyber security 2016 Suite Cambridge TECHNICALS LEVEL 3 IT Unit 3 Cyber security Y/507/5001 Guided learning hours: 60 Version 1 September 2015 ocr.org.uk/it LEVEL 3 UNIT 3: Cyber security Y/507/5001 Guided learning hours:

More information

Penetration Testing Service. By Comsec Information Security Consulting

Penetration Testing Service. By Comsec Information Security Consulting Penetration Testing Service By Consulting February, 2007 Background The number of hacking and intrusion incidents is increasing year by year as technology rolls out. Equally, there is no hiding place your

More information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1

More information

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS Scope and Applicability: These Network and Certificate System Security Requirements (Requirements) apply to all publicly trusted Certification Authorities

More information

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY DATA LABEL: PUBLIC INFORMATION SECURITY POLICY CONTENTS 1. INTRODUCTION... 3 2. MAIN OBJECTIVES... 3 3. LEGISLATION... 4 4. SCOPE... 4 5. STANDARDS... 4

More information

Triangle InfoSeCon. Alternative Approaches for Secure Operations in Cyberspace

Triangle InfoSeCon. Alternative Approaches for Secure Operations in Cyberspace Triangle InfoSeCon Alternative Approaches for Secure Operations in Cyberspace Lt General Bob Elder, USAF (Retired) Research Professor, George Mason University Strategic Advisor, Georgia Tech Research Institute

More information

HIPAA Security Alert

HIPAA Security Alert Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information

More information

White Paper. Information Security -- Network Assessment

White Paper. Information Security -- Network Assessment Network Assessment White Paper Information Security -- Network Assessment Disclaimer This is one of a series of articles detailing information security procedures as followed by the INFOSEC group of Computer

More information

Discussion Draft of the Preliminary Cybersecurity Framework Illustrative Examples

Discussion Draft of the Preliminary Cybersecurity Framework Illustrative Examples 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 Discussion Draft of the Preliminary Cybersecurity Framework Illustrative Examples The

More information

Information Security Handbook

Information Security Handbook Information Security Handbook Adopted 6/4/14 Page 0 Page 1 1. Introduction... 5 1.1. Executive Summary... 5 1.2. Governance... 5 1.3. Scope and Application... 5 1.4. Biennial Review... 5 2. Definitions...

More information

DATABASE SECURITY - ATTACKS AND CONTROL METHODS

DATABASE SECURITY - ATTACKS AND CONTROL METHODS DATABASE SECURITY - ATTACKS AND CONTROL METHODS Emil BURTESCU 1 PhD, Associate Professor, Department of Accounting and Management Informatics, University of Pitesti, Pitesti, Romania E-mail: emil.burtescu@yahoo.com,

More information

Harmful Interference into Satellite Telecommunications by Cyber Attack

Harmful Interference into Satellite Telecommunications by Cyber Attack Kobe and QM Symposium on International Law "Diversity of Transnational Criminal Justice" Harmful Interference into Satellite Telecommunications by Cyber Attack 10 April 2015 Yuri Takaya Research Fellow/Lecturer,

More information

University of Sunderland Business Assurance Information Security Policy

University of Sunderland Business Assurance Information Security Policy University of Sunderland Business Assurance Information Security Policy Document Classification: Public Policy Reference Central Register Policy Reference Faculty / Service IG 003 Policy Owner Assistant

More information

BUDGET LETTER 05-03 PEER-TO-PEER FILE SHARING 4841.1, 4841.2, EXECUTIVE ORDER S-16-04

BUDGET LETTER 05-03 PEER-TO-PEER FILE SHARING 4841.1, 4841.2, EXECUTIVE ORDER S-16-04 BUDGET LETTER SUBJECT: PEER-TO-PEER FILE SHARING REFERENCES: STATE ADMINISTRATIVE MANUAL SECTIONS 4819.2, 4840.4, 4841.1, 4841.2, EXECUTIVE ORDER S-16-04 NUMBER: 05-03 DATE ISSUED: March 7, 2005 SUPERSEDES:

More information

Contact: Henry Torres, (870) 972-3033

Contact: Henry Torres, (870) 972-3033 Information & Technology Services Management & Security Principles & Procedures Executive Summary Contact: Henry Torres, (870) 972-3033 Background: The Security Task Force began a review of all procedures

More information

Chapter 4 Information Security Program Development

Chapter 4 Information Security Program Development Chapter 4 Information Security Program Development Introduction Formal adherence to detailed security standards for electronic information processing systems is necessary for industry and government survival.

More information

Practical Overview on responsibilities of Data Protection Officers. Security measures

Practical Overview on responsibilities of Data Protection Officers. Security measures Practical Overview on responsibilities of Data Protection Officers Security measures Manuel Villaseca Spanish Data Protection Agency mvl@agpd.es Security measures Agenda: The rol of DPO on security measures

More information

Policy for the Acceptable Use of Information Technology Resources

Policy for the Acceptable Use of Information Technology Resources Policy for the Acceptable Use of Information Technology Resources Purpose... 1 Scope... 1 Definitions... 1 Compliance... 2 Limitations... 2 User Accounts... 3 Ownership... 3 Privacy... 3 Data Security...

More information

CPSC 467: Cryptography and Computer Security

CPSC 467: Cryptography and Computer Security CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 1 September 2, 2015 CPSC 467, Lecture 1 1/13 Protecting Information Information security Security principles Crypto as a security

More information

Audit for Information Systems Security

Audit for Information Systems Security Informatica Economică vol. 14, no. 1/2010 43 Audit for Information Systems Security Ana-Maria SUDUC 1, Mihai BÎZOI 1, Florin Gheorghe FILIP 2 1 Valahia University of Targoviste, Targoviste, Romania, 2

More information

IM&T Infrastructure Security Policy. Document author Assured by Review cycle. 1. Introduction...3. 2. Policy Statement...3. 3. Purpose...

IM&T Infrastructure Security Policy. Document author Assured by Review cycle. 1. Introduction...3. 2. Policy Statement...3. 3. Purpose... IM&T Infrastructure Security Policy Board library reference Document author Assured by Review cycle P070 Information Security and Technical Assurance Manager Finance and Planning Committee 3 Years This

More information

Please note this policy is mandatory and staff are required to adhere to the content

Please note this policy is mandatory and staff are required to adhere to the content Policy ICT Security Please note this policy is mandatory and staff are required to adhere to the content Summary DECD is committed to ensuring its information is appropriately managed according to the

More information

Public Private Partnerships and National Input to International Cyber Security

Public Private Partnerships and National Input to International Cyber Security Public Private Partnerships and National Input to International Cyber Security 10 September 2009 Tallinn, Estonia Maeve Dion Center for Infrastructure Protection George Mason University School of Law Arlington,

More information

Network Security: Policies and Guidelines for Effective Network Management

Network Security: Policies and Guidelines for Effective Network Management Network Security: Policies and Guidelines for Effective Network Management Department of Electrical and Computer Engineering, Federal University of Technology, Minna, Nigeria. jgkolo@gmail.com, usdauda@gmail.com

More information

IM-93-1 ADP System Security Requirements and Review Process - Federal Guidelines

IM-93-1 ADP System Security Requirements and Review Process - Federal Guidelines IM-93-1 ADP System Security Requirements and Review Process - Federal Guidelines U.S. Department of Health and Human Services Administration for Children and Families Washington, D.C. 20447 Information

More information

Security Issues with Integrated Smart Buildings

Security Issues with Integrated Smart Buildings Security Issues with Integrated Smart Buildings Jim Sinopoli, Managing Principal Smart Buildings, LLC The building automation industry is now at a point where we have legitimate and reasonable concern

More information

Network Security. Network Security Hierarchy. CISCO Security Curriculum

Network Security. Network Security Hierarchy. CISCO Security Curriculum Network Security Network Security Hierarchy Material elaborat dupa: CISCO Security Curriculum Kenny Paterson s Lectures for: M.Sc. in Information Security, Royal Holloway, University of London 1 Objectives

More information

Information System Security

Information System Security Information System Security Chapter 1:Introduction Dr. Lo ai Tawalbeh Faculty of Information system and Technology, The Arab Academy for Banking and Financial Sciences. Jordan Chapter 1 Introduction The

More information

TABLE OF CONTENTS. 2006.1259 Information Systems Security Handbook. 7 2006.1260 Information Systems Security program elements. 7

TABLE OF CONTENTS. 2006.1259 Information Systems Security Handbook. 7 2006.1260 Information Systems Security program elements. 7 PART 2006 - MANAGEMENT Subpart Z - Information Systems Security TABLE OF CONTENTS Sec. 2006.1251 Purpose. 2006.1252 Policy. 2006.1253 Definitions. 2006.1254 Authority. (a) National. (b) Departmental. 2006.1255

More information

Acceptable Use Policy

Acceptable Use Policy Acceptable Use Policy 1. Overview Nicholas Financial Inc. s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to Nicholas Financial s established culture

More information

Cryptography and Network Security Overview & Chapter 1. Network Security. Chapter 0 Reader s s Guide. Standards Organizations.

Cryptography and Network Security Overview & Chapter 1. Network Security. Chapter 0 Reader s s Guide. Standards Organizations. Cryptography and Network Security Overview & Chapter 1 Fifth Edition by William Stallings Lecture slides by Lawrie Brown (with edits by RHB) Chapter 0 Reader s s Guide The art of war teaches us to rely

More information

Acceptable Use Policy

Acceptable Use Policy 1. Overview The Information Technology (IT) department s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to Quincy College s established culture of openness,

More information

Network Security Policy

Network Security Policy IGMT/15/036 Network Security Policy Date Approved: 24/02/15 Approved by: HSB Date of review: 20/02/16 Policy Ref: TSM.POL-07-12-0100 Issue: 2 Division/Department: Nottinghamshire Health Informatics Service

More information

Supplier Security Assessment Questionnaire

Supplier Security Assessment Questionnaire HALKYN CONSULTING LTD Supplier Security Assessment Questionnaire Security Self-Assessment and Reporting This questionnaire is provided to assist organisations in conducting supplier security assessments.

More information

Acceptable Use Policy

Acceptable Use Policy Acceptable Use Policy Contents 1. Internet Abuse... 2 2. Bulk Commercial E-Mail... 2 3. Unsolicited E-Mail... 3 4. Vulnerability Testing... 3 5. Newsgroup, Chat Forums, Other Networks... 3 6. Offensive

More information

Environmental Management Consolidated Business Center (EMCBC) Subject: Cyber Security Incident Response

Environmental Management Consolidated Business Center (EMCBC) Subject: Cyber Security Incident Response Date 06/10/10 Environmental Management Consolidated Business Center (EMCBC) Subject: Cyber Security Incident Response 1.0 PURPOSE Implementing Procedure APPROVED: (Signature on File) EMCBC Director ISSUED

More information

Does it state the management commitment and set out the organizational approach to managing information security?

Does it state the management commitment and set out the organizational approach to managing information security? Risk Assessment Check List Information Security Policy 1. Information security policy document Does an Information security policy exist, which is approved by the management, published and communicated

More information

Information Technology Cyber Security Policy

Information Technology Cyber Security Policy Information Technology Cyber Security Policy (Insert Name of Organization) SAMPLE TEMPLATE Organizations are encouraged to develop their own policy and procedures from the information enclosed. Please

More information

ISO 27000 Information Security Management Systems Foundation

ISO 27000 Information Security Management Systems Foundation ISO 27000 Information Security Management Systems Foundation Professional Certifications Sample Questions Sample Questions 1. is one of the industry standards/best practices in Service Management and Quality

More information

Security Goals Services

Security Goals Services 1 2 Lecture #8 2008 Freedom from danger, risk, etc.; safety. Something that secures or makes safe; protection; defense. Precautions taken to guard against crime, attack, sabotage, espionage, etc. An assurance;

More information

Cyber security is a shared responsibility and each of us has a role to play in making it safer, more secure and resilient.

Cyber security is a shared responsibility and each of us has a role to play in making it safer, more secure and resilient. Overview of Cyber Security: Our daily life, economic vitality, and national security depend on a stable, safe, and resilient cyberspace. We rely on this vast array of networks to communicate and travel,

More information

The FBI Cyber Program. Bauer Advising Symposium //UNCLASSIFIED

The FBI Cyber Program. Bauer Advising Symposium //UNCLASSIFIED The FBI Cyber Program Bauer Advising Symposium October 11, 2012 Today s Agenda What is the threat? Who are the adversaries? How are they attacking you? What can the FBI do to help? What can you do to stop

More information

Overview of Information Security. Murat Kantarcioglu

Overview of Information Security. Murat Kantarcioglu UT DALLAS Erik Jonsson School of Engineering & Computer Science Overview of Information Security Murat Kantarcioglu Pag. 1 Purdue University Outline Information Security: basic concepts Privacy: basic

More information

Security Compliance Assessment Checklist

Security Compliance Assessment Checklist Security Compliance Assessment Checklist ITO Security Services January 2011 V0.2 Intro This checklist is used to evaluate project compliance with the Government of Saskatchewan IT Security Standards 2010.

More information