FM-AA-CIA-15 Rev.

0 10-July-2020

Study Guide in Information Assurance and Security Module No. 1

1
STUDY GUIDE FOR MODULE NO. ___

INTRODUCTION TO
INFORMATION SECURITY
MODULE OVERVIEW

This chapter provides an introduction to information security. It focuses on generic computer and Internet

security concepts and describes a way to develop a comprehensive security plan for organization. The chapter

explains the nuances of network security in general and Internet security in particular; and explores why it is

necessary and how a comprehensive security policy can be created to protect networks from unauthorized

access.

MODULE LEARNING OBJECTIVES

At the end of this learning activity, you should be able to:

1. Understand the definition of information security
2. Comprehend the history of computer security and how it evolved into information security.
3. Understand the key terms and critical concepts of information security.
4. Outline the phases of the security systems development life cycle.
5. Understand the roles of professionals involved in information security within an organization.

LEARNING CONTENTS | INFORMATION SECURITY

▪ Information security: a “well-informed sense of assurance that the information risks and controls are

in balance.” —Jim Anderson, Inovant (2002)

▪ Information Security refers to the processes and methodologies which are designed and implemented

to protect print, electronic, or any other form of confidential, private and sensitive information or data

from unauthorized access, use, misuse, disclosure, destruction, modification, or disruption.

▪ Necessary to review the origins of this field and its impact on our understanding of information security

today

PANGASINAN STATE UNIVERSITY 1

 FM-AA-CIA-15 Rev. 0 10-July-2020

Study Guide in Information Assurance and Security Module No. 1

LEARNING CONTENTS | History of Information Security

▪ The history of information security begins with computer security. The need for computer security—

that is, the need to secure physical locations, hardware, and software from threats— arose during World

War II when the first mainframes, developed to aid computations for communication code breaking (see

Figure 1-1), were put to use. The history of information security begins with computer security. The

need for computer security—that is, the need to secure physical locations, hardware, and software from

threats— arose during World War II when the first mainframes, developed to aid computations for

communication code breaking (see Figure 1-1), were put to use.

▪ Began immediately after the first mainframes were developed.

▪ Created to aid code-breaking computations during World War II.

▪ Physical controls to limit access to sensitive military locations to authorized personnel: badges, keys,

and facial recognition.

▪ Rudimentary in defending against physical theft, espionage, and sabotage.

▪ One of 1st documented problems

▪ Early 1960s

PANGASINAN STATE UNIVERSITY 2

 FM-AA-CIA-15 Rev. 0 10-July-2020

Study Guide in Information Assurance and Security Module No. 1

▪ Not physical

▪ Accidental file switch

▪ Entire password file

▪ printed on every output file

▪ The 1960s

▪ Additional mainframes online

▪ Advanced Research Procurement Agency (ARPA) began to examine feasibility of redundant

networked communications

▪ Larry Roberts developed ARPANET from its inception

▪ ARPANET is the first Internet

▪ The 1970s and 80s

▪ ARPANET grew in popularity as did its potential for misuse

▪ Fundamental problems with ARPANET security were identified

▪ No safety procedures for dial-up connections to ARPANET

▪ Non-existent user identification and authorization to system

▪ R-609

▪ Information security began with Rand Report R-609 (paper that started the study of computer

security)

PANGASINAN STATE UNIVERSITY 3

 FM-AA-CIA-15 Rev. 0 10-July-2020

Study Guide in Information Assurance and Security Module No. 1

▪ Scope of computer security grew from physical security to include:

▪ Safety of data

▪ Limiting unauthorized access to data

▪ Involvement of personnel from multiple levels of an organization

▪ First identified role of management and policy

▪ Multics

▪ Operating System

▪ Security primary goal

▪ Didn’t go very far

▪ Several developers created Unix

▪ Late 1970s: microprocessor expanded computing capabilities and security threats

▪ From mainframe to PC

▪ Decentralized computing

▪ Need for sharing resources increased

▪ Major changed computing

▪ The 1990s

▪ Networks of computers became more common; so too did the need to interconnect networks

▪ Internet became first manifestation of a global network of networks

▪ In early Internet deployments, security was treated as a low priority

▪ Many of the problems that plague e-mail on the Internet are the result to this early lack of

security

▪ The Present

▪ The Internet brings millions of computer networks into communication with each other—many

of them unsecured

▪ Ability to secure a computer’s data influenced by the security of every computer to which it is

connected

LEARNING CONTENTS | Security

What is Security?

PANGASINAN STATE UNIVERSITY 4

 FM-AA-CIA-15 Rev. 0 10-July-2020

Study Guide in Information Assurance and Security Module No. 1

▪ “The quality or state of being secure—to be free from danger”

▪ A successful organization should have multiple layers of security in place:

▪ Physical security

▪ Personal security

▪ Operations security

▪ Communications security

▪ Network security

▪ Information security

What is Information Security?

▪ The protection of information and its critical elements, including systems and hardware that use, store,

and transmit that information

▪ Necessary tools: policy, awareness, training, education, technology

▪ C.I.A. triangle was standard based on confidentiality, integrity, and availability

▪ C.I.A. triangle now expanded into list of critical characteristics of information

LEARNING CONTENTS | Critical Characteristics of Information

▪ The value of information comes from the characteristics it possesses:

▪ Timeliness

PANGASINAN STATE UNIVERSITY 5

 FM-AA-CIA-15 Rev. 0 10-July-2020

Study Guide in Information Assurance and Security Module No. 1

▪ No value if it is too late

▪ Availability

▪ No interference or obstruction

▪ Required format

▪ Accuracy

▪ Free from mistakes

▪ Authenticity

▪ Quality or state of being genuine, i.e., sender of an email

▪ Confidentiality

▪ Disclosure or exposure to unauthorized individuals or system is prevented

▪ Integrity

▪ Whole, completed, uncorrupted

▪ Cornerstone

▪ Size of the file, hash values, error-correcting codes, retransmission

▪ Utility

▪ Having value for some purpose

▪ Possession

▪ Ownership

▪ Breach of confidentiality results in the breach of possession, not the reverse

PANGASINAN STATE UNIVERSITY 6

 FM-AA-CIA-15 Rev. 0 10-July-2020

Study Guide in Information Assurance and Security Module No. 1

LEARNING CONTENTS | Components of an Information System

Information System (IS) is entire set of software, hardware, data, people, procedures, and networks

necessary to use information as a resource in the organization.

▪ Software

▪ Perhaps most difficult to secure

▪ Easy target

▪ Exploitation substantial portion of attacks on information

▪ Hardware

▪ Physical security policies

▪ Securing physical location important

▪ Laptops

▪ Flash memory

▪ Data

▪ Often most valuable asset

▪ Main target of intentional attacks

▪ People

▪ Weakest link

▪ Social engineering

▪ Must be well trained and informed

▪ Procedures

▪ Threat to integrity of data

▪ Networks

▪ Locks and keys won’t work

PANGASINAN STATE UNIVERSITY 7

 FM-AA-CIA-15 Rev. 0 10-July-2020

Study Guide in Information Assurance and Security Module No. 1

LEARNING CONTENTS | Securing Components

▪ Computer can be subject of an attack and/or the object of an attack

▪ When the subject of an attack, computer is used as an active tool to conduct attack

▪ When the object of an attack, computer is the entity being attacked

▪ 2 types of attack

▪ Direct

▪ Hacker uses their computer to break into a system

▪ Indirect

▪ System is compromised and used to attack other systems

LEARNING CONTENTS | Balancing Information Security and Access

▪ Impossible to obtain perfect security—it is a process, not an absolute.

▪ Security should be considered balance between protection and availability.

▪ To achieve balance, level of security must allow reasonable access, yet protect against threats.

▪ Even with best planning and implementation, it is impossible to obtain perfect security, that is, it is a

process, not an absolute. Security should be taken as balance between the protection and availability.

To achieve balance, level of security should allow reasonable access, yet protect against threats. Figure

given below illustrates the basic idea of balancing between security and access of information system.

PANGASINAN STATE UNIVERSITY 8

 FM-AA-CIA-15 Rev. 0 10-July-2020

Study Guide in Information Assurance and Security Module No. 1

LEARNING CONTENTS | Approaches to Information Security Implementation: Bottom – Up

Approach
▪ Grassroots effort: systems administrators attempt to improve security of their systems.

▪ Key advantage: technical expertise of individual administrators.

▪ Seldom works, as it lacks a number of critical features:

▪ Participant support

▪ Organizational staying power

PANGASINAN STATE UNIVERSITY 9

 FM-AA-CIA-15 Rev. 0 10-July-2020

Study Guide in Information Assurance and Security Module No. 1

LEARNING CONTENTS | Approaches to Information Security Implementation: Top - Down

▪ Initiated by upper management

▪ Issue policy, procedures and processes

▪ Dictate goals and expected outcomes of project

▪ Determine accountability for each required action

▪ The most successful also involve formal development strategy referred to as systems

development life cycle.

LEARNING CONTENTS | Systems Development Life Cycle

▪ Systems development life cycle (SDLC) is methodology and design for implementation of information

security within an organization.

▪ Methodology is formal approach to problem-solving based on structured sequence of procedures.

▪ Using a methodology

▪ ensures a rigorous process

▪ avoids missing steps

▪ Goal is creating a comprehensive security posture/program

▪ Traditional SDLC consists of six general phases

PANGASINAN STATE UNIVERSITY 10

 FM-AA-CIA-15 Rev. 0 10-July-2020

Study Guide in Information Assurance and Security Module No. 1

▪ The same phases used in traditional SDLC may be adapted to support specialized implementation of an IS

project

▪ Identification of specific threats and creating controls to counter them

▪ SecSDLC is a coherent program rather than a series of random, seemingly unconnected actions

▪ Investigation

▪ Identifies process, outcomes, goals, and constraints of the project

▪ Begins with enterprise information security policy

▪ Analysis

▪ Existing security policies, legal issues,

▪ Perform risk analysis

▪ Logical Design

▪ Creates and develops blueprints for information security

▪ Incident response actions: Continuity planning, Incident response, Disaster recovery

▪ Feasibility analysis to determine whether project should continue or be outsourced

▪ Physical Design

▪ Needed security technology is evaluated, alternatives generated, and final design selected

▪ Implementation

▪ Security solutions are acquired, tested, implemented, and tested again

▪ Personnel issues evaluated; specific training and education programs conducted

▪ Entire tested package is presented to management for final approval

▪ Maintenance and Change

▪ Most important

▪ Constant changing threats

▪ Constant monitoring, testing updating and implementing change

LEARNING CONTENTS | Security Professionals and the Organization

▪ Security is an area that can make or break a company. Keeping sensitive digital information private and

protecting technical systems from viruses and hackers is critical. Because of this, it is one of the few

PANGASINAN STATE UNIVERSITY 11

 FM-AA-CIA-15 Rev. 0 10-July-2020

Study Guide in Information Assurance and Security Module No. 1

specialty areas within information technology where companies will continue to invest money even in an

economic downturn.

▪ Wide range of professionals required to support a diverse information security program.

▪ Senior management is key component; also, additional administrative support and technical expertise

required to implement details of IS program.

Senior Management

▪ Chief Information Officer (CIO)

▪ Senior technology officer

▪ Primarily responsible for advising senior executives on strategic planning

▪ Chief Information Security Officer (CISO)

▪ Primarily responsible for assessment, management, and implementation of IS in the organization

▪ Usually reports directly to the CIO

Information Security Project Team

▪ A number of individuals who are experienced in one or more facets of technical and non-technical areas:

▪ Champion: Senior executive who promotes the project

▪ Team leader: project manager, departmental level manager

▪ Security policy developers

▪ Risk assessment specialists

▪ Security professionals

▪ Systems administrators

▪ End users

Data Ownership

▪ Data Owner: responsible for the security and use of a particular set of information.

▪ Data Custodian: responsible for storage, maintenance, and protection of information.

▪ Data Users: end users who work with information to perform their daily jobs supporting the mission of

the organization.

PANGASINAN STATE UNIVERSITY 12

 FM-AA-CIA-15 Rev. 0 10-July-2020

Study Guide in Information Assurance and Security Module No. 1

Communities of Interest

▪ Group of individuals united by similar interest/values in an organization

▪ Information Security Management and Professionals

▪ Information Technology Management and Professionals

▪ Organizational Management and Professionals

LEARNING CONTENTS | Key Terms, Summary

Key Terms

▪ Access

▪ Asset

▪ Attack

▪ Control, Safeguard or Countermeasure

▪ Exploit

▪ Exposure

▪ Hacking

▪ Object

▪ Risk

▪ Security Blueprint

▪ Security Model

▪ Security Posture or Security Profile

▪ Subject

▪ Threats

▪ Threat Agent

▪ Vulnerability

PANGASINAN STATE UNIVERSITY 13

 FM-AA-CIA-15 Rev. 0 10-July-2020

Study Guide in Information Assurance and Security Module No. 1

Summary:

▪ Information security is a “well-informed sense of assurance that the information risks and controls are in

balance.”

▪ Computer security began immediately after first mainframes were developed

▪ Successful organizations have multiple layers of security in place: physical, personal, operations,

communications, network, and information.

▪ Security should be considered a balance between protection and availability

▪ Information security must be managed similar to any major system implemented in an organization using

a methodology like SecSDLC

▪ Implementation of information security often described as a combination of art and science

LEARNING ACTIVITY 1

Read the following Philippine law https://lawphil.net/statutes/repacts/ra2012/ra_10175_2012.html.

Question: In R.A. 10175, was the term information security defined? Why do you think the law needs to, or NOT

to, define it? Do you think the law needs revision to catch-up with the world’s fast-changing technology? Why

or why not?

REFERENCES

Books

Principles of Information Security, 6th Edition, Michael E. Whitman; Herbert J. Mattord

Online materials

https://lawphil.net/statutes/repacts/ra2012/ra_10175_2012.html

https://www.innovativearchitects.com/KnowledgeCenter/basic-IT-systems/system-development-life-cycle.aspx

https://www.thebalancecareers.com/leading-information-security-organizations-2071545

https://www.sans.org/informationsecurity#:~:text=Information%20Security%20refers%20to%20the,destruction

%2C%20modification%2C%20or%20disruption.

https://www.sciencedirect.com/science/article/pii/B978193183690650042X

PANGASINAN STATE UNIVERSITY 14