Multimedia Information Security Architecture Framework

Transcription

1 Multimedia Information Security Architecture Framework Heru Susanto PMC Information Security Technology King Saud University - Kingdom of Saudi Arabia & Indonesian Institute of Sciences hsusanto@ksu.edu.sa Fahad bin Muhaya PMC Information Security Technology King Saud University Riyadh - Kingdom of Saudi Arabia fmuhaya@ksu.edu.sa Abstract - This paper presents a state-of-the-art overview of distinguishable approaches, overview of some writings that have themes and a similar discussion, with the background to provide an overview to the readers of control and things related to multimedia information security, all attempting to define multimedia information security architecture, followed by a proposition of requirements for multimedia integrated security architecture. Multimedia information security as part of Information security has holistic approach towards the implementation of information security by introducing the concept and model of multimedia security architecture. Keywords - Multimedia information security, ISA architecture, MISA architecture, PDCA, CIA I. INTRODUCTION In the early days of computing, security breaches mainly included viruses and worms that would flash a message or advertisement on the screen without causing any serious damage to the information or systems being used. Organizations across the globe conduct communication in an interconnected and information rich environment. Security in a company has many forms and variations; operational security, machinery & production security, political security, environmental security, etc [7]. There are many types of data and information to be communicated by the parties that interact. Both type of information are multimedia information and information nonmultimedia. Some aspects will greatly affect the treatment of both types of information above. Multimedia information security is a necessary and absolutely needed to transfer information from one place to another places. In this paper, our contribution is to propose and introduce architecture and security model for multimedia information. This architecture and security model refers to the information security architecture (ISA) which was introduced by Eloff []. Other ISA reference is the architecture that was introduced by Rees [] which has main phases in its architecture. Tudor [9] introduced about risk awareness, the assessment of current controls. Also architecture introduced by Gunnar Paterson [9] regarding Provides a framework for understanding disparate design and process considerations. II. RELATED WORK State of the art of this paper are about information security architecture introduced that provides a framework for understanding disparate design and process considerations; [9] to organize architecture and actions toward improving enterprise security. [] Introduced security architecture includes the process of developing risk awareness, the assessment of current controls, and finally the alignment of current and new controls to meet the organization s information security requirements. This integrated information security architecture (ISA) is the mechanism to ensure that all individuals know their responsibilities and how they need to go about protecting the company s information security resources. [9] His architecture is based on the balanced and holistic mix of five different aspects; there are security infrastructures; security policies, security culture; monitoring compliance; and security program. Referring to the previous paper, we propose a security architecture that focus on multimedia security multimedia information security architecture (MISA). III. ISMS The Information Security Management System (ISMS) is proposed in ISO 7799 Part, also COBIT (00) []. This ISMS is based on the continuous cycle of activities as proposed by the so-called PDCA model (Plan-Do-Check-Act) figure. The ISMS is a cyclic model that aims to ensure that the best practices of an organization are documented, reinforced and improved over time. During the Plan phase, the scope of the ISMS will be defined and the Information Security policy be established. If the organization has a security policy, it will be evaluated in order to determine whether it is still valid and appropriate /0/$ IEEE

2 The Plan Do Check Act process []: Plan phase will establish a security policy and relevant procedures and controls; then prepare a statement of the scope of its application, justifying why the controls were selected and why others were not. The formulation of a security policy is done at e planning stage []. Do phase implements the security policy and relevant procedures approach refers to the ISO 7799 code-ofpractice, which provides a comprehensive set of controls covering aspects such as information security policy, personnel security, network security, business continuity management and compliance. The Check phase implemented assesses and measure the process performance, and report the results to management The Act phase takes appropriate corrective actions. The decision as to what is appropriate depends upon understanding the risks and costs involved. Since risk appraisal includes all organizations and all departments, areas, staff and activities, the rationality and conformity of the appraisal is still a topic for research []. Understanding the risk means knowing what the assets are, what the possible threats to those assets are, and the likelihood and possible impact of a security breach on the business. The goal of information security is to suitably protect this asset in order to ensure business continuity, minimize business damage, and maximize return on investments [8]. As defined by ISO 7799, information security is characterized as the preservation of CIA []: Confidentiality ensuring that information is accessible only to those authorized to have access. Integrity safeguarding the accuracy and completeness of information and processing methods. Availability ensuring that authorized users have access to information and associated assets when required. V. ISO 7799 Part vs. ISO 7799 Part It is important things to understand the distinctions and differences between Part and Part of the ISO 7799 standard in order to understand the dilemma facing architecture and standardize of information security right issues. Figure : PDCA Model to ISM Process IV. SECURITY MANAGEMENT STANDARD ISO 7799 ISO 7799 is designed to assure the confidentiality, integrity and availability of information assets. ISO 7799 is exclusive to information security, and only addresses that issue []. The key areas identified by ISO 7799 for the implementation of an information security management system are: An information security policy Allocation of information security responsibilities within the organisation Asset classification and control Personnel security, responsibilities and training Physical and environmental security Communications and operational systems security Access controls Part is an implementation guide, based on suggestions. It is used as a means to evaluate and build comprehensive information security infrastructure. It details information security concepts an organization should do. ISO 7799 Part can also be referred to as Information Technology - Code of practice for information security management Part is an auditing guide based on requirements. It details information security concepts an organization shall do. ISO 7799 Part can also be referred to as Information Security Management Systems - Specification with guidance for use. Focused on how to implement an Information security management system (ISMS), referring to the information security management structure and controls identified this rigidity precluded widespread acceptance and support [8]. VI. E-BUSINESS SECURITY ARCHITECTURE Rees et al [] was initially developed for e-commerce activities but has since been adapted to address the security policy needs of any organization involved in information technology and Internet operations. It is important to note that suggest constant feedback throughout all four phases.

3 Each of these phases as indicated below: Assess phase policy assessment and risk assessment Plan phase policy development and requirements definitions Deliver phase definition and implementation of controls Operate phase monitoring of operations, review of trends and management of events VII. INFORMATION SECURITY ARCHITECTURE Tudor [9] introduced security architecture includes the process of developing risk awareness, the assessment of current controls, and finally the alignment of current and new controls to meet the organization s information security requirements. Clearly states that the security architecture is a process, Information Security Architecture is not something one can purchase. This integrated information security architecture (ISA) is the mechanism to ensure that all individuals know their responsibilities and how they need to go about protecting the company s information security resources. The architecture is based on the balanced and holistic mix of five different aspects; there are security infrastructures; security policies, security culture; monitoring compliance; and security program, figure. ISA. Security infrastructure. Security Policies. Security Culture. Monitoring Compliance. Security Program Figure : Information Security Architecture - ISA ISA Figure : Continuous Feed Back Approach for ISA The purpose of the information security architecture is to bring focus to the key areas of concern for the highlighting decision criteria and context for each domain [9]. Figure, provides a framework for understanding disparate design and process considerations; to organize architecture and actions toward improving enterprise security. Policy & Standards Identify Vulnerability Threat Goals Risk Management Data Application Host Network Assurance Security Management Risk Report Domain Figure : Information Security Architecture Blueprint by Gunnar Peterson VIII. MULTIMEDIA INFORMATION SECURITY ARCHITECTURE -MISA After we discussed the various kinds and types of framework and architecture from various kinds of information security and everything related to information security. Now we discuss about the architecture for multimedia information security. Basically multimedia information security is part of information security itself. Multimedia is media and content that uses a combination of different content forms. Multimedia includes a combination of text, audio, still images, animation, video, and interactivity content forms. Multimedia is usually recorded and played, displayed or accessed by information content processing devices, such as computerized and electronic devices, but can also be part of a live performance. Multimedia also describes electronic media devices used to store and experience multimedia content. Multimedia is distinguished from mixed media in fine art; by including audio,

4 for example, it has a broader scope. The term "rich media" is synonymous for interactive multimedia. Hypermedia can be considered one particular multimedia application. IX. PROPOSED MISA In order to meet the requirements of information security [], speed and ease of access to multimedia information retrieval from the place, it is necessary to consider several criteria and parameters that must be met [], which refers to the information security architecture that has been presented by some previous authors. In this paper the author provides alternatives and asks about the multimedia information security architecture (MISA). The MISA is a development of the ISA which has many known and proposed by the authors of previous papers. The development is meant to include a multimedia object, or issue into the existing architecture. To propose Multimedia Information Security Architecture authors take reference from the ISA architecture proposed by Eloff [] which has main components, which in the main component itself occurred updating, monitoring and evaluation of himself, figure. With this reference the author developed MISA architecture has 8 major components. Why 8 components? Because of the multimedia information security has a difficulty level higher than the general security of information issues, figure. ISA architecture introduced by Peterson [9] also has several advantages. In the last stage there is the layer that serves as an evaluation and monitoring of information assurance as an important requirement of information security itself. Figure 6, explained that the multimedia information sharing and security issue - policy has several stages down more detailed it to Encryption to include multimedia information that will be sharing these activities performed by the server (provider), while users are doing Decryption for restore information that has been in encrypt. Intruders can perform actions through a channel or a part that is not secure, as shown figure 7, so do the multimedia safety information through Encryption and Decryption methods are absolutely necessary to maintain the security of multimedia information. This method, often known as the Key and Lock methods, each side, servers and users, has the identical key to open the door of information. Cryptographic algorithms are needed to transform plaintext into ciphertext and vice versa [8] ISA MISA Figure : Proposed of Multimedia Information Security Architecture MISA A. Security Compliance / Governance Recognizing the importance of bringing collaboration and governance process many corporate governance guidelines have been published over the last decade [7]. Realizing that information security is a corporate governance responsibility [6] and clearly a Corporate Governance responsibility [6]. B. Security Program The purpose of security program is to make recommendations for improving the security of computer systems and the information residing on them and provide security initiative recommendations and priorities, and to perform high level threat and risk analysis. Reducing risks is the target of ISMS protection mechanism []. C. Multimedia Information Sharing It is critical to establish relationships and communication, architecture given alternative has developed key relationships. Security infrastructure. Security Policies. Security Culture. Monitoring Compliance. Security Program. Security Infrastructure. Security Policies. Security Culture. Monitoring Compliance. Security Program 6. Multimedia Information Sharing 7. Enterprise Security 8. Security Awareness

5 and started key initiatives to share information with other important and relevant components. Why should involve other components? The answer is because the philosophy of multimedia itself which is a good combination and harmony between the format of data and information in plain text and data or information in the format of audio and video. E. Security Awareness Security awareness training is a vital component of the MISA overall approach. Information security awareness is a dynamic process, made even more difficult in that risks continuously change [0]. MISA is a key issue of the Multi-State Multimedia Information Sharing. The MISA, whose mission is to provide a common mechanism for raising multimedia security readiness, for whole user. D. Enterprise Security Enterprise Architecture has led initiatives to create technology standards. One key goal is to ensure that architecture are using and deploying security technology in a consistent manner. Key security technology standards that have been deployed and managed include: Enterprise Antivirus. A centralized solution resulting in consistent support, consistent enforcement, and enterprise reporting. Enterprise Patch Management. A centralized solution which enables agencies to manage their own patching but allows for enterprise compliance reporting. Enterprise Security Agent. Primarily defense against insider threats and zero-day worms. Internet Content Filtering & Access Control. A standard implementation of a Web filtering solution and enterprise policy to enforce a minimum filter set. Enterprise Administrator Monitoring. Figure 6: Multimedia Information Security Channel Approached by Proposed MISA Figure7: Potential Intruder to Hack Multimedia Unsecure Channel It ensures that users are familiar with information technology security especially in multimedia information security, best practices, policies, procedures and standards as well as the importance of protecting confidential and sensitive information. X. CONCLUSION REMARKS I discussed and showed definitions on keywords used in multimedia information security architecture -MISA. I showed step by step how I came MISA management and theory. The theory is about how to finding and coolaborate ISA architecture, security awareness and governance for defining multimedia information security itself. XI. REFERENCES [] Andrew Ren-Wei Fung, Kwo-Jean Farn & Abe C. Lin. Paper: a study on the certification of the information security management system. Computer Standards & Interfaces (00) 7-6. Elsevier Science Ltd. [] A. Da Veiga & J.H.P. Eloff A Framework and assessment instrument for information security culture. Computer & Security XXX (009) -. Elsevier Science Ltd. [] Basie Von Solms. 00. Information Security A Multidimensional Discipline. Computer & Security 0(00) Elsevier Science Ltd. [] Basie von Solms. 00. Information Security Governance: COBIT or ISO 7799 or both? Computer & Security Journal. Elsevier. Science Direct. [] Basie von Solms. 00. Information Security Governance Compliance Management vs Operational Management. Computer & Security Journal. Elsevier. Science Direct. [6] Basie von Solms & Rossouw von Solms. 00. The 0 deadly sins of Information Security Management. Computer & Security (00) Elsevier Science Ltd. [7] Debi Ashenden Information Security Management: A Human Challenge? Information Security Technical Report (008) 9-0. Elsevier Science Ltd. [8] Denis Trcek. 00. An integral framework for information system security management. Computer & Security (00) Elsevier Science Ltd. [9] Gunnar Peterson Security Architecture Blueprint. Arctec Group

6 [0] H.A. Kruger & W.D. Kearney. A Prototype for assessing information security. Computer & Security (006) Elsevier Science Ltd. [] J.H.P. Eloff, M.M. Eloff. 00. Information Security Architecture. Computer Fraud & Security. [] Kwo-Jean Farn. Shu-Kuo Lin & Andrew Ren-Wei Fung. 00. A Study on information security management evaluation-assets, threat and vulnerability. Computer Standards & Interfaces 6 (00) 0-. Elsevier Science Ltd. [] Maria Karyda, Evangelos Kiountouzis & Spyros Kokolakis. 00. Information System Security Policies: a Contextual Perspective. Computer & Security (00) Elsevier Science Ltd. [] Mikko Siponen & Robert Willison Information security standards: Problems and Solution. Information & Management 6(009) Elsevier Science Ltd. [] Rees J, Bandyopadhyay S & Spafford EH. 00 PFIRES: A Policy Framework for Information Security. Communications of the ACM July 00/Vol.6 (7) pp [6] Rossouw von Solmsa, S.H. (Basie) von Solmsb Information security governance: Due care. Computer & Security Journal. Elsevier. Science Direct. [7] Thomas Finne A conceptual Framework for Information Security Management. Computer & Security, 7 (998) Elsevier Science Ltd. [8] Tom Carlson. 00. Information Security Management: Understanding ISO Lucent Technologies Worldwide Services. [9] Tudor JK Information Security Architecture. Proceedings of the 6th International Conference on Software Engineering (ICSE 0) 070-7/0 $ IEEE.