Unit 3 Developing Secure Information Systems-1

The document discusses application development security and governance, risk management, and compliance (GRC). It notes that application development security is the fastest growing cybersecurity skill and will be in high demand over the next 5 years. It describes different types of application security testing including static, dynamic, and interactive testing. Finally, it discusses the benefits of implementing GRC including cost cutting, less duplicated work, and improved information quality.

Uploaded by

Vishal

Uttar Pradesh Textile Technology Institute, Kanpur

B. Tech 2nd Year (3rd Sem)


Cyber Security (KNC301)
Unit 3
Developing Secure Information Systems

Application development security is a key task when it comes to looking to the future of
cyber security. A recent industry study shows it is the fastest-growing cyber security skill for
the year ahead. Demand is expected to increase by 164% over the next five years. Such
growth would bump up the total number of job openings requiring this skill from 29,635 in
2020 to 48,601 a few years from now.

Application Development Security at a Glance


This is about strengthening the defences of an app by finding and fixing openings. As the
name implies, this process most often takes place within the development phase before an
app goes into production. But it can occur after the owner has deployed those apps, as well.

There’s not just one approach to looking at application development security, otherwise
known as application security testing (AST). The several methods people in this field will
probably use include the following:

• Static Application Security Testing (SAST): In this type of web application security
testing, the defence experts on the job have some knowledge about an application’s
architecture. They can use this knowledge to report weaknesses within the source
code.
• Dynamic Application Security Testing (DAST): As opposed to SAST, DAST assumes no
knowledge of an application’s code. Its purpose is to find a potential opening within
a specific app’s running state.
• Interactive Application Security Testing (IAST): This method combines SAST and
DAST together into a hybrid approach.

Shashank Saxena (8090315900) Unit 3 – Developing Secure Information System Page 1 of 14

Keep Your Business Secure


Those holes pose a threat to businesses. Weak server-side controls, unsafe data storage,
broken cryptography and other problems open the door for external attackers to scrape
information. Potential customers might hesitate to do business with groups that suffered a
data breach because of poor application development security. That’s assuming those groups
can continue to operate after paying for repairs, paying the legal fees and other damages that
come with a breach.

Lastly, some customers aren’t even waiting that long to demand action on application development
security. Customers are telling companies whose apps and other products they use to
write more secure code before they’ve even faced an attack. In some cases, the pressure
supplied by customers dwarfed the pressure provided by regulators and compliance auditors.
This shows how application development security is becoming a means by which
organizations can maintain trusting partnerships with their customers from the moment they
begin doing business together, not just in the aftermath of a publicly disclosed problem.

Application Development Security for the Future


Application development security is the way for organizations to ensure their place in the
future. The tools and methods for putting application security in place might change, but the
basics of security will remain relevant throughout the next few years and beyond.

Governance, Risk Management and Compliance (GRC)


Governance, Risk Management and Compliance, also known as GRC, is an umbrella
term for the way organisations deal with three areas that help them achieve their objectives.
The main purpose of GRC as a business practice is to create a synchronized approach to these
areas, avoiding repetition of tasks and ensuring that the approaches used are effective and
efficient. GRC is about what you can do to implement the right processes in your business.

Governance

As the name suggests, this looks at the way companies are managed at the highest levels,
including the mechanisms, processes and relations that allow for smooth allocation and
understanding of the rights and responsibilities of the various decision makers within the
business.

Risk management

Every aspect of every business has the potential for risk, whether it’s a risk to reputation,
health & safety, financial security, etc. It’s nearly impossible to avoid risks and certainly very
difficult to do so whilst also achieving successes, so risk management is the set of processes
that identify, analyze and respond appropriately to each potential risk.

Compliance

Managing risks is one thing but it’s possible for multiple conflicting risks to occur, leaving a
business having to decide between minimizing the risk to safety or minimizing the risk to
profits, so it’s necessary to ensure that the right decisions are always made. This is where
compliance comes in, with businesses needing to comply with various standards, laws,
regulations, etc, to avoid the penalties that result from non-compliance.

Governance, Risk Management and Compliance (GRC) Benefits


An obvious and understandable reaction to the idea of bringing in yet more corporate
processes and procedures would be to wonder if this isn’t all just yet more red tape and
bureaucracy. However, GRC isn’t about adding to the complexity of already-overstuffed
processes, but about condensing and clarifying them to enable smooth running. But what are the
main benefits of starting to utilise GRC capabilities?

• Cutting costs – The integrated approach of GRC often brings real financial benefits as
unnecessary spending can be cut, while the clearer focus can help boost revenue at
the same time. The bigger the business, the more likely it is that there will be plenty
of areas where there is crossover and wastage, so a process like this can transform
efficiency.
• Less duplicated work – This is where most of the cost-cutting can be made, but it’s
about more than just the money. Having similar processes duplicated across a
business is a hugely inefficient way to operate and GRC can free up whole teams to
work on other projects.
• Less negative impact – Having too many procedures, especially ones that aren’t
working in a logical manner, can waste a lot of time for staff across a business. Tying
everything together in a GRC strategy cuts down on the paperwork and bureaucracy,
which will boost your staff’s productivity, not to mention their morale.
• Greater information quality – A more centralized and consistent approach to
governance, risk management and compliance helps to not only speed up the
processes for gathering the necessary information, but also improve the quality of
what is gathered, helping decisions be made more rapidly and with greater
confidence.
• More ability to repeat processes – Another huge benefit is that processes can be
standardised across these areas, allowing for them to be repeated more easily and
with greater consistency and efficiency.
• Reputation security – Risk management and compliance are both essential parts of
any attempts to secure your business’s reputation, so it goes without saying that
managing these aspects more efficiently provides a more effective method of
reputation security.
• Better allocation of resources – Getting more information and understanding more
about areas that are duplicating work can help determine the most effective
directions for your business to go in.
• No more silos – Any large business has numerous issues with staff working in ‘silos’
where information doesn’t flow in or out in a productive manner. GRC won’t
completely eradicate these issues, but it will certainly minimise their potential
impact on key areas.

Introducing GRC to Your Business


This section covers who needs to be involved, what their roles need to be and the steps you
need to take to make GRC strategies and tools work for you.

GRC Guide: The People

The simple answer to the question of who needs to be involved in a successful adoption of
GRC is ‘everybody’, as there are elements of governance, risk management and compliance
(particularly the latter two) which go from the very top of an organisation down to deep
within business units and teams. A CEO cannot possibly have the knowledge and
responsibility for all matters involving risk management and compliance; there’s simply too
much going on, and even management of them needs to sit with business unit managers as
well as specific compliance officers.

This will vary depending on the size and complexity of your business, but what is consistent
across all shapes and sizes is the need for effective collaboration and communication and the
need for all involved to be aware and mindful of the bigger picture rather than simply their
role in it. From the top down, the benefits of GRC need to be communicated as part of a
change management strategy to ensure that everyone has bought into the need and expected
benefits.

GRC Guide: The Roles

The main roles that each category of staff member needs to undertake to be
involved with GRC:

CEO/Board level – Anyone in a role at this level needs to be able to provide strategic oversight
and decision-making capacities along with timely and clear communication down the chain to
enable colleagues to fulfil their roles effectively.

Finance chiefs – Whoever has overall responsibility for the financial operations of a business
has a large part to play in GRC implementation, not least when it comes to spelling out the
financial drivers for the changes.

Risk managers – Any large organisation should already have people at managerial level who
are responsible for risk management and their roles in GRC are extensive. They need to
identify threats (and opportunities) and come up with strategic responses to minimize the
risks to the business, as well as being responsible for the ongoing monitoring.

Compliance officers – Similarly, anyone with responsibility for compliance needs to be
involved in all planning decisions, driving forward strategies that help the business meet the
requirements needed for standards, laws, etc.

HR managers – When it comes to how GRC is implemented across the business and
communicated to staff to ensure buy-in, much of this responsibility lands within the remit of
human resources. Without an effective HR department, any kind of major strategic overhaul
like this is doomed to fail.

IT managers – They are responsible for whatever technological solution is bought in or
developed to meet the needs of the GRC strategy and will certainly need to be involved in the
decision-making process. They will also be responsible for the way information is gathered
across the business and how it is delivered where it is needed.

GRC Guide: Implementation

We identified the key players in your implementation of GRC into your business, but there’s
still a lot to consider before you can make the process a success. As part of our GRC Guide,
there are five steps to take to make sure GRC is successfully installed at the heart of your
corporate strategies:

1. Define what you aim to achieve – If this sounds like an obvious step, it’s because it
is. However, it’s a step too often overlooked and one that can make all the
difference between success and failure. After all, if you don’t know what you want to
achieve and whether your new strategy can even help you get there, how can you
possibly hope to effect any meaningful change? The key here is to gather key
stakeholders and project staff together to understand collectively what GRC can
mean to your organisation and to come up with priorities based on that
understanding.
2. Take stock of your current situation – You have clarified what GRC can mean to your
organisation, but another key step is to understand what is currently happening in
the fields of governance, risk management and compliance before you change
anything. A survey of your regulatory activities will not only give you a better
understanding of what you will gain from GRC but also reveal any other weaknesses that
can be addressed that had previously been out of the scope of the project.
3. Pick a trial entry point – It is certainly possible to jump straight into rolling out GRC
across all of your business’s operations, and for smaller companies that is the only
option really, but the ideal scenario would be to pick a test subject. If you can
identify an area that will benefit from GRC and can focus your energies on
implementing it there first, there will be learnings that can be incorporated in the
gradual roll-out.
4. Demonstrate the benefits – With the approach above, there’s also the potential to
gain some early wins that can help with the internal communications aimed at
winning buy-in from staff. It’s not just a case of heading off the confusion and lack of
support that can result from a poorly communicated change like this, it’s about
demonstrating to key staff and managers the clear benefits of GRC, covering subjects
like the drivers for it, the implication on staff, the controls in place and the next
steps.
5. Define what would represent success – This is one of the most important steps
because defining what would represent success is the way that you can demonstrate
that the project has been worthwhile. Out of the benefits listed earlier, pick out the
ones that are most relevant and put a number by them, whether it’s a financial
target or one based on policies and procedures that can be measured to show that GRC
is making things better.

If you can work through these five steps and document the findings, you will have most of
the information you need to be able to move forwards with GRC from a position of
knowledge, research and authority. The process will always be ongoing, meaning that there
will always be more to learn, so the steps from this GRC Guide can and should be repeated
each time.

Top GRC Tips


When it comes to implementing a GRC strategy or starting to use related tools and
processes, there are many potential pitfalls, so here are some top GRC guide tips on what to
expect and some lessons learned from businesses that have been down that road already:

• Do your research – Make sure you understand what you are buying if you are
purchasing a product to manage GRC, because if it doesn’t completely do what you
are expecting of it, you will be wasting money and creating extra work for yourselves
doing something that is meant to minimize expenditure and workload bloat. Most of
all, understand what GRC represents and what the impacts of it will be, as well as
what needs to be put into it to get the right results out of it.
• Take an iterative approach – Good advice for any major corporate strategy change,
it applies just as well with GRC. There is no way to get it 100% right the first time out
as there are too many factors and stakeholders involved, opening up the likelihood
of needing to revise and revisit aspects over and over again. So it’s best to plan
ahead for this, especially given the nature of risk management and compliance, both
of which need to be monitored and revisited on a regular basis as a matter of course.
• Work collaboratively – The project team for GRC implementation needs to be a
diverse one in terms of representing all of the various roles mentioned above,
otherwise the decisions made will not be representative and may not achieve
everything they are intended to achieve. It also ensures that developments are
communicated to everyone who needs to know and avoids work being
duplicated – which is one of the main points of introducing GRC in the first place, of
course.
• Communicate – As previously mentioned in this GRC Guide, good communication
across the business is critical to avoid colleagues misunderstanding the nature of
GRC and what it is being brought in to achieve. This is especially important when it
comes to the areas of the business where workflows will be directly affected,
particularly those where there might be staff changes to reflect the more
streamlined approach. GRC is meant to be a positive step in the right direction, but
poor internal communications can turn it into a potential – and completely
unnecessary – problem.
• Prepare and provide the right resources – Another potential issue could be that the
GRC solution is seen as an easy win when it comes to cutting costs and so the right
financial and staffing resources aren’t put into place to manage it at the early stages.
As well as making sure these resources are available, the planning needs to be in
place for how to properly utilize them.

Security Architecture and Design


Security Architecture is one component of a product’s/system’s overall architecture and is
developed to provide guidance during the design of the product/system.

Security Architecture consists of the design artifacts that describe how the security controls
(security countermeasures) are positioned and how they relate to the overall systems
architecture. These controls serve to maintain the system’s quality attributes
such as confidentiality, integrity and availability.

A security policy is a statement that outlines how entities access each other, what
operations different entities can carry out, what level of protection is required for a system
or software product, and what actions should be taken when these requirements are not
met.

A security model outlines the requirements necessary to properly support and implement a
certain security policy.

1. Computer Systems Architecture
2. Systems Security Architecture
3. Security Models
4. Security Product Evaluation Methods and Criteria

Hardware / Downloadable Devices


Hardware/Downloadable Devices (Peripherals)/Data storage

The entity must ensure that proper protocols are in place to secure such devices (such as
docking stations for laptops), re-emphasizing login/logout practices and safeguarding
passwords. For example, if a PI uses a laptop between workstations or worksites which
contain any elements of BSAT security information, the PI must follow proper laptop
security procedures. Such protocols may include:

• Computers should be located within controlled space since the room will already have
some level of physical security.
• Users should physically secure the device and password/encrypt the laptop if it
contains BSAT security information of any kind. This practice should be extended to
desktops if a PI has an office outside the BSAT registered space.
• An entity should be wary of the inherent insecurity of tablet devices that have
information storage and Wi-Fi capabilities, especially if they cannot be encrypted.

The development of well-defined policies and procedures should be considered in the entity’s
overall information systems security control program.

Peripheral devices

Entities should include peripheral devices as a part of the overall information systems
security control if they are used to process information required by Section 17 of the select
agent rule. These devices include, but are not limited to:

• Smartphones
• USB devices (e.g. flash drives)
• USB patch cords with mini/micro connectors
• Electronic notebooks
• BlackBerrys
• PDAs
• Future technological development

Any device which can be hidden from sight or viewed as a non-threat (smartphones, flash
drives, etc.) poses a security vulnerability to information systems security. The regulated
community may want to include these types of devices in their information systems security
protocols, or, at a minimum, include them in their information security systems training
program. Risks involving peripheral devices could include but are not limited to:

• A flash drive used to download BSAT security information.
• Uploaded malicious code designed to corrupt BSAT data or computer systems.
• If the network is isolated but the USB drive touches the internet, it can transmit a
virus and that risk must be addressed.

Section 11(d)(7)(ii) of the select agent regulations requires procedures for reporting
suspicious persons or activities. This provision is not limited to physical security and should
be applied to information systems security as well.

Data storage

A data storage device is any device used for recording (storing) information (data). The entity
should have written policies regarding the storage of BSAT information on media that can be
removed and stored separately from the recording device such as:

• Computer disks
• CD-Rs
• Flash drives
• Memory cards

If the entity uses these means of archiving, even on a temporary basis, they should be handled
and secured as if they were a paper hardcopy (i.e., stored in a secured cabinet and in a
location with the appropriate physical security measures in place). Items such as these are
easily concealed and could get past institution physical security.

Physical Security
Physical security is the protection of personnel, hardware, software, networks and data
from physical actions and events that could cause serious loss or damage to an
enterprise, agency or institution. This includes protection from fire, flood, natural disasters,
burglary, theft, vandalism and terrorism. While most of these are covered by insurance,
physical security's prioritization of damage prevention avoids the time, money and resources
lost because of these events.

The physical security framework is made up of three main components: access control,
surveillance and testing. The success of an organization's physical security program can
often be attributed to how well each of these components is implemented, improved and
maintained.

Access control

The key to maximizing one's physical security measures is to limit and control which people
have access to sites, facilities and materials. Access control encompasses the measures taken
to limit exposure of certain assets to authorized personnel only. Examples of these corporate
barriers often include ID badges, keypads and security guards. However, these obstacles can
vary greatly in terms of method, approach and cost.

The building is often the first line of defence for most physical security systems. Items such
as fences, gates, walls and doors all act as physical deterrents to criminal entry. Additional
locks, barbed wire, visible security measures and signs all reduce the number of casual
attempts carried out by cybercriminals.

More sophisticated access controls involve a technology-supported approach. ID card
scanners and near-field communication (NFC) ID cards are methods of physical
authentication that security teams can use to verify the identities of individuals entering and
exiting various facilities. Some Swedish companies have recently experimented with
embedding NFC microchips below the skin of their employees -- making it extremely
difficult to forge or replicate their credentials. Invasive devices like this, however, are much
less popular among labor unions, given the degree of physical pain and bodily concern.

Using tactically placed obstacles, organizations can make it more difficult for attackers to
access valuable assets and information. Similarly, these barriers increase the time it takes for
threat actors to successfully carry out acts of thievery, vandalism or terrorism. The more
obstacles that are in place, the more time organizations have to respond to physical security
threats and contain them.

But criminals are not the only threat that access controls can minimize. Barriers such as walls
and fences can also be used to harden buildings against environmental disasters, such as
earthquakes, mudslides and floods. These risks are extremely location-dependent.
Organizations that divert resources toward such hardening measures should balance the cost
and benefit of their implementation prior to investment.

Surveillance

This is one of the most important physical security components for both prevention and post-
incident recovery. Surveillance, in this case, refers to the technology, personnel and resources
that organizations use to monitor the activity of different real-world locations and facilities.
These examples can include patrol guards, heat sensors and notification systems.

The most common type of surveillance is closed circuit television (CCTV) cameras that
record the activity of a combination of areas. The benefit of these surveillance cameras is that
they are as valuable in capturing criminal behavior as they are in preventing it. Threat actors
who see a CCTV camera are less inclined to break in or vandalize a building out of fear of
having their identity recorded. Similarly, if a particular asset or piece of equipment is stolen,
surveillance can provide the visual evidence one needs to identify the culprit and their tactics.

Testing

Physical security is a preventative measure and incident response tool. Disaster recovery
(DR) plans, for example, center on the quality of one's physical security protocols -- how
well a company identifies, responds to and contains a threat. The only way to ensure that such
DR policies and procedures will be effective when the time comes is to implement active
testing.

Testing is increasingly important, especially when it comes to the unity of an organization.
Fire drills are a necessary activity for schools and buildings because they help to coordinate
large groups, as well as their method of response. These policy tests should be conducted on a
regular basis to practice role assignments and responsibilities and minimize the likelihood of
mistakes.

Importance of physical security

As businesses become more dependent on the internet of things (IoT), so grows the need for
digital and physical security. IoT demands a significant amount of physical security to
safeguard data, servers and networks. The rising interconnectedness of IoT has expanded the
sphere of physical security. Virtual machines (VMs) and applications that run in the cloud,
for example, are only as protected as their physical servers.

Whether organizations invest in first-party or third-party cloud computing services, these data
centers need to be sufficiently protected using physical security measures to avoid severe data
losses.

Physical security examples

Physical security can take many shapes and forms. The strategies, barriers and techniques
that organizations use to support general physical information technology (IT) security, for
example, are significantly different from those used to facilitate consistent physical network
security. Here are a few physical security examples used to contain and control real-world
threats.

Log and trail maintenance

Keeping a record of what is accessed -- and what people attempt to access -- is a reliable way
to not only discourage unauthorized users, but create a forensic-friendly data environment.

Records of multiple failed login attempts and of attempted access using a lost card are both
physical security tools that organizations can use to reliably track their asset activity. In the
case of a security breach, these records can prove incredibly valuable for identifying security
weaknesses.
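
A review of such records can be automated. The following is an added example, not part of the original notes: it scans a constructed badge-reader log for repeated denials at one door and for any use of a card reported lost. The log layout, card IDs, door names and thresholds are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample data: the log layout, card IDs and door names are assumptions.
LOST_CARDS = {"C-2040"}
ACCESS_LOG = """\
2024-03-01T08:00:12 card=C-1001 door=lobby result=GRANTED
2024-03-01T08:01:00 card=C-1002 door=server-room result=DENIED
2024-03-01T08:01:20 card=C-1002 door=server-room result=DENIED
2024-03-01T08:02:05 card=C-1002 door=server-room result=DENIED
2024-03-01T08:02:40 card=C-1002 door=server-room result=DENIED
2024-03-01T08:15:00 card=C-2040 door=lobby result=GRANTED
2024-03-01T09:00:00 card=C-1003 door=lab result=DENIED
2024-03-01T09:30:00 card=C-1003 door=lab result=DENIED
2024-03-01T10:00:00 card=C-1003 door=lab result=DENIED
this line is malformed and must not stop the review
"""


def parse_line(line):
    """Turn one log line into a dict, or return None if it is malformed."""
    try:
        ts, *fields = line.split()
        entry = dict(field.split("=", 1) for field in fields)
        return {
            "ts": datetime.fromisoformat(ts),
            "card": entry["card"],
            "door": entry["door"],
            "result": entry["result"],
        }
    except (ValueError, KeyError):
        return None


def review_access_log(log_text, lost_cards, max_denied=3,
                      window=timedelta(minutes=5)):
    """Return (findings, skipped_line_count) for a badge-reader log.

    A finding is raised when a card reported lost is presented at any door,
    whatever the result, and when one card is denied at one door
    max_denied times inside the sliding time window.
    """
    findings = []
    skipped = 0
    recent_denials = defaultdict(deque)  # (card, door) -> denial timestamps

    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            skipped += 1  # keep count so gaps in the trail are visible
            continue

        stamp = entry["ts"].isoformat()
        if entry["card"] in lost_cards:
            findings.append(("lost-card-used", entry["card"], entry["door"], stamp))

        if entry["result"] == "DENIED":
            denials = recent_denials[(entry["card"], entry["door"])]
            denials.append(entry["ts"])
            # Drop denials that have aged out of the window.
            while entry["ts"] - denials[0] > window:
                denials.popleft()
            # Report once, at the moment the threshold is reached.
            if len(denials) == max_denied:
                findings.append(
                    ("repeated-denials", entry["card"], entry["door"], stamp)
                )

    return findings, skipped


if __name__ == "__main__":
    found, skipped_lines = review_access_log(ACCESS_LOG, LOST_CARDS)
    for finding in found:
        print(finding)
    print("unparsed lines:", skipped_lines)
```

The lost card is reported even though the reader granted access, which shows that the card was never revoked. The three denials for card C-1003 are spread over an hour, so they do not reach the threshold.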

Risk-based approach

One of the most effective ways to optimize a physical security investment is to use a risk-
based approach. This is a data analysis technique used to evaluate scenarios based on one's
risk profile.

If a business is particularly risk-averse -- such as a credit union or a restaurant -- it will opt to
invest in a more expensive physical security system that is more equipped to mitigate risk.
Therefore, the amount of resources a company dedicates to its physical security using a risk-
based approach should be equivalent to the value it places on risk mitigation.

Accountable access control

By tying access control to individuals, an organization can improve its visibility over
personnel activity. Imagine a particular room can only be accessed by a single key, and that
key is given to two people. If an asset in that room goes missing, then only those two people
are accountable for its disappearance.

Importance of Intrusion Detection System in Cyber Security


An intrusion detection system (IDS) helps to identify anomalies and prevent attacks.

As businesses shift to distributed environments, the threat landscape gets broader, and
hackers are now shifting their focus to attacking the systems of remote workers. In this
context, an intrusion detection system (IDS) becomes more important than
ever in protecting endpoint devices and enterprise networks from sophisticated attacks.

An Intrusion Detection System (IDS) is an application that detects suspicious activity in
network traffic. Also known as an Intrusion Prevention System, it is widely used to identify
suspicious or unknown malware activities on a protected asset. It is not impossible for
hackers to penetrate networks; therefore, the importance of an intrusion detection system is
paramount here. Traditional enterprise systems and organizations can benefit from IDS to
improve their security controls and protect their network environment.

IDS gathers and analyzes malicious actions before reporting them to the system administrator
and other users. Its findings can also be stored in a Security Information and Event Management
(SIEM) system.

Functions of an Intrusion Detection System


IDS serves three main functions: detecting anomalies, reporting potential threats, and
blocking traffic using two methods – Signature-based detection and Anomaly-based
detection.

1. Signature-based IDS

With the rise in cyber attacks, it is wise to safeguard your personal or business network from
malware, viruses, Trojans, etc. Signature-based detection is a popular technique to detect and
identify suspicious software or malware attacks in your system. It analyzes inbound network
activity and looks for known fingerprints (signatures) or vulnerable patterns in the signature
database, also known as attack signatures. Antivirus developers use Signature-based IDS to
detect suspicious activity in the system files or database. However, it cannot detect unknown
suspicious activity.

2. Anomaly or Behavior-based IDS

Anomaly-based IDS is more effective than signature-based detection systems. Unlike
signature-based, the anomaly-based detection system can monitor and analyze significant
network traffic and data to detect anomalies. It does not rely on known signature attacks to
identify potential threats but looks for behaviors that could be a threat or attack. Therefore,
there are higher chances of identifying and lowering the risks of malicious attacks. Anomaly-
based IDS monitors network traffic with the help of AI (Artificial Intelligence), statistical
models, and machine learning to safeguard your network.
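
The two detection methods described above, run side by side on the same traffic. This is an added example, not part of the original notes; the signature patterns, addresses, request lines and baseline counts are constructed, and a simple z-score stands in for the statistical model.

```python
import re
from statistics import mean, stdev

# Constructed signature database: name -> pattern of a known attack.
SIGNATURES = {
    "sql-injection": re.compile(r"(?i)union\s+select"),
    "path-traversal": re.compile(r"\.\./\.\./"),
}

def signature_alerts(requests):
    """Return (source, signature name) for every request matching a known pattern."""
    return [(src, name)
            for src, line in requests
            for name, pattern in SIGNATURES.items()
            if pattern.search(line)]

def anomaly_alerts(baseline, current, threshold=3.0):
    """Return sources whose request rate is far above the learned baseline.

    baseline: requests per minute seen from one source during normal operation.
    current:  {source: requests seen in the current minute}.
    A source is flagged when its z-score exceeds `threshold`.
    """
    mu, sigma = mean(baseline), stdev(baseline)
    if sigma == 0:
        return []
    return sorted(src for src, n in current.items() if (n - mu) / sigma > threshold)

# Constructed sample data (documentation address range 192.0.2.0/24).
REQUESTS = [
    ("192.0.2.5", "GET /index.html"),
    ("192.0.2.7", "GET /item?id=1 UNION SELECT password FROM users"),
    ("192.0.2.9", "POST /login"),   # one of 400 identical requests, matches no signature
]
BASELINE = [18, 22, 20, 19, 21, 23, 20, 17]
CURRENT = {"192.0.2.5": 21, "192.0.2.7": 19, "192.0.2.9": 400}

if __name__ == "__main__":
    print("signature:", signature_alerts(REQUESTS))
    print("anomaly:  ", anomaly_alerts(BASELINE, CURRENT))
```

The signature check reports only the request that matches a stored pattern, while the rate check reports only the source whose behavior departs from the baseline, even though none of its requests matches a signature.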

Types of Intrusion Detection Systems


IDS is a great way to protect your business's network environment from cyber attacks.
Network-based and host-based intrusion detection systems are the two major classifications
of an Intrusion Detection System.

1. Network-based Intrusion Detection System (NIDS)

Network intrusion detection systems keep track of all traffic coming in and out of the
network. The tool can look for threats and identify potential intrusions from within the
network. It can also warn the administrator of the potential risks and block the source from
accessing the network.

The NIDS analyzes the traffic to spot trends and strange actions, after which a warning is
given. When a port scanner is used on a network that is protected by an IDS, it is highlighted
and further investigated in ethical hacking.

A few advantages of NIDS include:

• Relatively safe from direct attacks as hackers may be unable to trace it.
• Faster than a host-based detection system.
• Helpful in detecting internal and external threats or attacks.

A few disadvantages of NIDS include:

• Cannot read or identify encrypted data.
• Chances of false positives are high.
• Time-consuming as it monitors a large volume of data.

2. Host-based Intrusion Detection System (HIDS)

A host-based intrusion detection system (HIDS) analyzes entire system activity, including
application logs and system calls. It differs from NIDS in this regard – while NIDS monitors
network behavior, HIDS monitors all system activity. HIDS looks for both internal and
external threats in your system. It can locate or identify known signatures or malicious
patterns that are a threat to your network security, whether generated by people or software.
If someone tries to log into another's computer or tamper with someone's files or data, HIDS
can help detect the anomaly. It can capture snapshots of the machine's data and running
processes and generate an alert if they are altered over time; HIDS examines
change management in operating system files, logs, software, and other areas.

A few pros of a Host-based IDS include:

• Encrypted data is also accessible.
• Detects anomalies by focusing on systems/devices.
• Can identify both internal and external activities.

A few cons of Host-based IDS include:

• Substantial risk of false positives.
• Tedious and time-consuming process.
• Chances of network traffic congestion.

Based on your network size, you can choose to use NIDS or HIDS for your organization.

Backup Security Measures


Backup and recovery policies are essential for most operating systems. Many system
managers use a layered backup schedule. Written procedures and rules are required elements
of system management. Backing up files is an important system administrator task. The
backup files are used to restore the system to a previous state whenever the system fails.
Backup encryption is one of many activities that contribute to a comprehensive security
strategy.

Types of Backup:

   1. Full Backup – A full backup is a backup where every single file (including system and
      user files) is written to backup media. A full backup does not check whether a file has
      changed since the last backup; it just blindly writes everything to the backup media.
   2. Incremental Backup – It checks the file modification time. If the modification time is
      more recent than the last backup time, the file is backed up; otherwise it is not.
      Incremental backup is also used with a full backup. It is faster than a full backup. A
      major disadvantage of incremental backup is that it takes a longer time for restoration.
      Incremental backups pose a threat of operator error.
   3. Differential Backup – It contains all files modified since the last full backup, making it
      possible to perform a complete restoration with only the last full backup and the last
      differential backup.
   4. Network Backup – It involves backing up a file system from one machine onto a backup
      device connected to another machine. It is referred to as a remote or network
      backup.
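
The selection rules for the first three backup types, simulated over a few days to show what each backup writes and which backups a restore needs. This is an added example, not part of the original notes; the file names, day numbers and change schedule are constructed.

```python
from dataclasses import dataclass

@dataclass
class Backup:
    kind: str    # "full", "incremental" or "differential"
    day: int     # day on which the backup ran
    files: list  # file names written to backup media

def select_files(kind, mtimes, last_full_day, last_backup_day):
    """Pick files for one backup; mtimes maps file name -> day last modified."""
    if kind == "full":
        return sorted(mtimes)                        # everything, changed or not
    since = last_backup_day if kind == "incremental" else last_full_day
    return sorted(f for f, day in mtimes.items() if day > since)

def run_schedule(kind, changes, days):
    """Full backup on day 0, then one `kind` backup at the end of each later day."""
    mtimes = {f: 0 for f in ("a.db", "b.log", "c.cfg", "d.txt")}
    history = [Backup("full", 0, select_files("full", mtimes, 0, 0))]
    for day in range(1, days + 1):
        for f in changes.get(day, []):
            mtimes[f] = day
        files = select_files(kind, mtimes, 0, history[-1].day)
        history.append(Backup(kind, day, files))
    return history

def restore_chain(history):
    """Backups to apply, oldest first: last full, last differential, later incrementals."""
    start = max(i for i, b in enumerate(history) if b.kind == "full")
    chain = [history[start]]
    diffs = [i for i, b in enumerate(history) if i > start and b.kind == "differential"]
    if diffs:
        start = diffs[-1]
        chain.append(history[start])
    chain += [b for b in history[start + 1:] if b.kind == "incremental"]
    return chain

# Constructed change schedule: day -> files modified on that day.
CHANGES = {1: ["a.db"], 2: ["b.log"], 3: ["a.db", "c.cfg"]}

if __name__ == "__main__":
    for kind in ("incremental", "differential"):
        history = run_schedule(kind, CHANGES, 3)
        print(kind, [b.files for b in history[1:]],
              "restore needs days", [b.day for b in restore_chain(history)])
```

With this schedule the incremental restore needs the full backup plus all three incrementals, while the differential restore needs only the full backup and the day 3 differential, at the cost of larger daily backups.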

Data is the lifeblood of a business and must be guarded against malicious intent, whether in
an active state on production servers or in a preserved state on tape.

Backup security measures are as follows:

   • Assign accountability, responsibility, and authority – The storage security function
     should be included in the company's security policy. Some companies create a storage
     team for taking backups. Even after creating a separate team, the company still must
     integrate any storage and backup security measures with those that secure the rest of
     the infrastructure. This provides defense-in-depth protection. If data is highly
     sensitive, then duties are divided among a number of working members.
   • Assess storage risk as it pertains to information security – Risk assessment is a
     structured and systematic procedure, which is dependent upon correct identification
     of hazards. Managers must examine each step of their backup methodology, looking
     for security vulnerabilities. It is necessary to perform a risk analysis of the entire
     backup process. Many times data is duplicated throughout the environment. It is
     important to have policies and procedures that provide a good understanding of where
     data lives at any point in time.
   • Develop an information protection program – A multilayer data protection system is
     used for providing security to the storage network. Authentication, authorization,
     encryption, and auditing are examples of a multilayer protection system. Encrypt data
     as it is stored to hard disk, preventing even other people with access to that system
     from accessing those files.
   • Communicate processes around information protection and security – It's time to
     define a process to ensure that sensitive data is properly protected and handled. It is
     important to ensure that people responsible for carrying out their security are
     informed and trained. Security policies are the most important aspect of assigning
     accountability, responsibility, and authority.
