Information Security


Transcript of Information Security

INFORMATION SECURITY

What Is Security?

Security is "the quality or state of being secure, to be free from danger." In practice, security means protecting our assets. An asset is any data, device, or other component of the environment that supports information-related activities: hardware (e.g. servers and switches), software, data, and the procedures and people around them.

A successful organization should have multiple layers of security in place:

- Physical security, which encompasses strategies to protect people, physical assets, and the workplace from various threats including fire, unauthorized access, or natural disasters.
- Personnel security, which overlaps with physical security in the protection of the people within the organization.
- Communications security, which encompasses the protection of an organization's communications media, technology, and content, and its ability to use these tools to achieve the organization's objectives.
- Network security, which addresses the protection of an organization's data networking devices, connections, and contents, and the ability to use that network to accomplish the organization's data communication functions.

Information security includes the broad areas of information security management, computer and data security, and network security.

What is Information Security?

Information security is defined as protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.

Information security (InfoSec) is the protection of information and its critical elements (confidentiality, integrity, and availability), including the systems and hardware that use, store, and transmit that information. This is the definition of the National Security Telecommunications and Information Systems Security Committee (NSTISSC).

Components of Information Security

It is the entire set of:

1. Hardware
2. Software
3. Data (information for decision making)
4. Procedures (design, development and documentation)
5. People (individuals, groups, or organizations)

necessary to use information as a resource within and outside the organization.

To protect the information and its related systems from danger, the necessary tools are policy, awareness, training, education, and technology.

NSTISSC Security Model

The NSTISSC model of information security evolved from a concept developed by the computer security industry known as the C.I.A. triangle. The C.I.A. triangle was the standard, based on confidentiality, integrity, and availability; it has now been expanded into a longer list of critical characteristics of information (listed below).

NSTISSC: National Security Telecommunications and Information Systems Security Committee.

The McCumber Cube, as represented in the figure, shows three dimensions: the desired goals (confidentiality, integrity, availability), the states in which information exists (storage, processing, transmission), and the countermeasures (policy and practice; education, training and awareness; technology). The three elements of each axis combine into a 3x3x3 cube with 27 cells, each representing an area that must be addressed to secure today's information systems (for example, "confidentiality of information in transmission, addressed by technology"). To ensure system security, each of the 27 areas must be properly addressed during the security process.

Critical Characteristics of Information

Availability, Accuracy, Authenticity, Confidentiality, Integrity, Utility, Possession.

Reference: http://security.blogoverflow.com/2012/08/confidentiality-integrity-availability-the-three-components-of-the-cia-triad/

Confidentiality

Information is protected from disclosure or exposure. Information has value, especially in today's world: bank account statements, personal information, credit card numbers, trade secrets, government documents.

Everyone has information they wish to keep secret. Protecting such information is a major part of information security.

A key component of protecting confidentiality is encryption. Encryption ensures that only the right people (those who hold the key) can read the information; data encryption is a common method of ensuring confidentiality. Confidentiality (privacy) of information ensures that only those with sufficient privileges may access certain information. When unauthorized individuals or systems can access information, confidentiality is breached. To protect the confidentiality of information, a number of measures are used:

- Information classification (top secret, secret, confidential)
- Secure document storage

- Application of general security policies. The policy-related terms are distinguished as follows (the example here is a university's IT policy framework):

IT policies articulate the university's values, principles, strategies, and positions relative to a broad IT topic. They are designed to guide organizational and individual behavior and decision-making. They are concise, high-level, and independent of a given technology. University IT policies are mandatory.

IT standards specify requirements for becoming compliant with university IT policies, other university policies, and applicable laws and regulations. Standards may include technical specifications and are mandatory.

IT guidelines provide guidance and best practices relative to a particular IT topic. They may accompany, interpret, or provide guidance for implementing IT policies, other university policies, or applicable laws and regulations. University IT guidelines are not mandatory.

IT procedures document "how to" accomplish specific IT tasks or use IT services. These procedures may be localized to reflect the practices or requirements of a specific unit.

Examples:

1. A credit card transaction on the Internet. The system attempts to enforce confidentiality by encrypting the card number during transmission, by limiting the places where it might appear (in databases, log files, backups, printed receipts, and so on), and by restricting access to the places where it is stored.

2. Giving out confidential information over the telephone is a breach of confidentiality if the caller is not authorized to have the information.
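The credit-card example above, as an added illustration that is not part of the original transcript: a Python routine that enforces "limit the places where the card number might appear" for one of those places, the log file, by redacting card numbers before a line is written. It uses the Luhn check to tell card numbers from other long digit strings, masks all but the first six and last four digits, and attaches a keyed HMAC token so operations staff can still correlate log entries for one card without the number itself being stored. The sample log lines, the key and all function names are constructed for this example.

```python
import hashlib
import hmac
import re

# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or dashes.
# Pattern constructed for this example; real card-number formats vary by brand.
_PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed key for the example; in production it comes from a secret store.
LOG_TOKEN_KEY = b"example-log-token-key-do-not-use"

# Constructed sample log lines: one leaks a card number, the other carries an
# unrelated 13-digit order id that must be left untouched.
SAMPLE_LOG = [
    "2024-05-01 12:00:01 INFO checkout ok card=4111 1111 1111 1111 amount=100.00",
    "2024-05-01 12:00:02 INFO order id=1234567890123 shipped",
]


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check that every payment card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, star out the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_token(pan: str, key: bytes) -> str:
    """Keyed, truncated HMAC of the card number.

    An unkeyed hash would let anyone holding the log brute-force the roughly
    10^15 possible card numbers; with a secret key only the log owner can.
    """
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()[:16]


def redact_log_line(line: str, key: bytes = LOG_TOKEN_KEY) -> str:
    """Replace every Luhn-valid card number in a log line with mask + token."""
    def _replace(match):
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_valid(digits):
            return raw          # order id, phone number, etc.: not a card
        return f"{mask_pan(digits)}[tok:{pan_token(digits, key)}]"
    return _PAN_RE.sub(_replace, line)


def redact_log(lines, key: bytes = LOG_TOKEN_KEY):
    """Redact a whole log (list of lines) before it is written or shipped."""
    return [redact_log_line(line, key) for line in lines]


if __name__ == "__main__":
    for line in redact_log(SAMPLE_LOG):
        print(line)
```

Redaction at write time is the cheap end of the control; the same function belongs in front of backups and printed receipts, and the token key must be kept out of the log pipeline it protects.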

Integrity

Integrity is the quality or state of being whole, complete, and uncorrupted. The integrity of information is threatened when it is exposed to corruption, damage, destruction, or other disruption of its authentic state. Corruption can occur while information is being compiled, stored, or transmitted. Many computer viruses and worms are designed with the explicit purpose of corrupting data.

Examples of integrity controls: file hashing and checksums. A plain checksum detects accidental corruption, but an attacker who can alter the data can also recompute an unkeyed checksum, so detecting deliberate tampering requires a keyed hash (HMAC) or a digital signature.

Examples of integrity violations: an employee deletes important data files; a computer virus infects a computer; an employee is able to modify his own salary in a payroll database; an unauthorized user vandalizes a website; someone is able to cast a very large number of votes in an online poll; and so on.

Information only has value if it is correct. Information that has been tampered with could prove costly. For example, if you were sending an online money transfer for $100, but the information was tampered with in such a way that you actually sent $10,000, it could prove very costly for you.
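The money-transfer example above, worked through in Python as an added example (not part of the original transcript): the same $100 transfer is protected once with an unkeyed SHA-256 checksum and once with a keyed HMAC-SHA256. A flipped bit in transit is caught by both; an active attacker who rewrites the amount to $10,000 and recomputes the checksum fools the checksum but not the HMAC, because they do not hold the key. The transfer message, the shared key and the function names are constructed for this example.

```python
import hashlib
import hmac
import json

# Constructed shared key between sender and receiver (in practice agreed via a
# key exchange or issued from a secret store); the attacker does not have it.
TRANSFER_KEY = b"example-transfer-mac-key"

# Constructed transfer message from the $100 example.
TRANSFER = {"from": "alice", "to": "bob", "amount": 100, "currency": "USD"}


def encode_transfer(transfer: dict) -> bytes:
    """Canonical JSON so both sides hash exactly the same bytes."""
    return json.dumps(transfer, sort_keys=True, separators=(",", ":")).encode()


def checksum(message: bytes) -> str:
    """Unkeyed SHA-256 checksum: catches accidental corruption only."""
    return hashlib.sha256(message).hexdigest()


def mac(key: bytes, message: bytes) -> str:
    """Keyed HMAC-SHA256: catches modification by anyone without the key."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_checksum(message: bytes, chk: str) -> bool:
    return hmac.compare_digest(checksum(message), chk)


def verify_mac(key: bytes, message: bytes, tag: str) -> bool:
    # compare_digest avoids leaking the tag byte by byte through timing.
    return hmac.compare_digest(mac(key, message), tag)


def corrupt_one_bit(message: bytes) -> bytes:
    """Simulate accidental corruption in storage or transit."""
    return message[:-1] + bytes([message[-1] ^ 0x01])


def attacker_rewrites(message: bytes, new_amount: int):
    """Active attacker: change the amount and recompute the unkeyed checksum.

    They cannot recompute the HMAC because they do not hold TRANSFER_KEY,
    so the best they can do is forward the original tag unchanged.
    """
    transfer = json.loads(message)
    transfer["amount"] = new_amount
    forged = encode_transfer(transfer)
    return forged, checksum(forged)


def receiver_accepts(message: bytes, chk: str, tag: str) -> dict:
    """What each integrity control reports on the received message."""
    return {"checksum_ok": verify_checksum(message, chk),
            "mac_ok": verify_mac(TRANSFER_KEY, message, tag)}


if __name__ == "__main__":
    msg = encode_transfer(TRANSFER)
    chk, tag = checksum(msg), mac(TRANSFER_KEY, msg)
    print("intact:   ", receiver_accepts(msg, chk, tag))
    print("corrupted:", receiver_accepts(corrupt_one_bit(msg), chk, tag))
    forged, forged_chk = attacker_rewrites(msg, 10000)
    print("tampered: ", receiver_accepts(forged, forged_chk, tag))
```

The HMAC still only proves that someone holding the key produced the message; if the sender and receiver should be distinguishable, or a third party must be able to verify without being able to forge, a digital signature takes the place of the MAC.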

Availability

Information is accessible by authorized users. Availability enables authorized users (persons or computer systems) to access information without interference or obstruction and to receive it in the required format. Availability does not imply that the information is accessible to any user; rather, it means availability to authorized users.

For any information system to serve its purpose, the information must be available when it is needed.

Examples: high-availability systems aim to remain available at all times, preventing service disruptions due to power outages, hardware failures, and system upgrades (e.g. UPS, backups).

How does one ensure data availability? Backup is key. Regularly doing off-site backups can limit the damage caused by failed hard drives or natural disasters. For information services that are highly critical, redundancy might be appropriate. Having an off-site location ready to restore services in case anything happens to your primary data center will heavily reduce the downtime.

Accuracy

Information has accuracy when it is free from mistakes or errors and it has the value that the end user expects. If information has been intentionally or unintentionally modified, it is no longer accurate. Consider, for example, a checking account. You assume that the information contained in your checking account is an accurate representation of your finances. Incorrect information in your checking account can be caused by external or internal means. If a bank teller, for instance, mistakenly adds or subtracts too much from your account, the value of the information is changed. Also, as the user of your bank account, you may accidentally enter an incorrect amount into your account register. This also changes the value of the information. Either way, the inaccuracy of your bank account could cause you to make mistakes, such as bouncing a check.

Utility

Information has value when it serves a particular purpose. This means that if information is available, but not in a format meaningful to the end user, it is not useful. Thus, the value of information depends on its utility.

Possession

Possession of information is the quality or state of having ownership or control of some object or item. Possession is distinct from confidentiality: an encrypted backup tape stolen in transit is lost from its owner's possession even though its contents remain confidential.

Components of an Information System:

An Information System (IS) is the entire set of software, hardware, data, people, procedures, and networks necessary to use information as a resource in the organization. These six critical components enable information to be input, processed, output, and stored. Each of these IS components has its own strengths and weaknesses, and its own characteristics and uses.

Software:

The software component of an IS comprises application software and system software. Software is perhaps the most difficult IS component to secure.

System software, such as an operating system, controls and supports the operations of a computer system. It includes the operating system, database management systems, networking software, translators (compilers and interpreters), and software utilities.

Application software consists of programs that direct processing for a particular use of computers by end users. Examples are a sales analysis program, a payroll program, and a word processing program.

Hardware:

Hardware is the physical technology that executes the software, stores and carries the data, and provides interfaces for the entry and removal of information from the system.

Physical security policies deal with hardware as a physical asset and with the protection of these physical assets from harm or theft.

An information system's hardware refers to all types of hardware and the media used for input, processing, managing, distributing and saving information in an organisation. Examples are physical computers, networks, communication equipment, scanners, digital drives, and so on. It includes not only machines, such as computers and other equipment, but also all data media, such as magnetic disks.

Data:

Data stored, processed, and transmitted through a computer system must be protected.

Data consists of the raw, unorganized, discrete (separate, isolated), potentially useful facts and figures that are later processed (manipulated) by software into information. Data is often the most valuable asset possessed by an organization and is the main target of intentional attacks.

Data refers to the raw facts about any thing or entity, like student names, courses and marks. Raw data that has not yet been processed can be processed to become more useful information.

Information is an organised, meaningful and useful interpretation of data, such as a company's performance or a student's academic performance.

Information systems change data into information, which is useful and capable of giving a certain meaning to its users.

Based on the example in the figure, the records inside every attribute under the DATA item do not give any specific meaning. Every data item or record here is a raw fact. After going through processes such as addition, ordering, combining, manipulating and so on, many kinds of information can be produced. The information generated is not limited to a certain form; it can be interpreted in many ways according to the needs and wishes of its consumers.

People

People are required for the operation of all information systems. These people resources include end users and IS specialists.

End users (also called users or clients) are people who use an information system or the information it produces. They can be accountants, salespersons, engineers, clerks, customers, or managers. Most of us are information system end users.

IS specialists are people who develop and operate information systems. They include systems analysts, programmers, computer operators, and other managerial, technical, and clerical IS personnel, for example:

- Systems analyst
- Programmer
- Technician
- Engineer
- Network manager
- MIS (Manager of Information Systems)
- Data entry operator

Procedures:

Procedures are written instructions for accomplishing a specific task.

When an unauthorized user obtains an organization's procedures, this poses a threat to the integrity of the information, because the procedures describe how the information is handled and how its controls operate.

Networks:

Communications networks consist of computers, communications processors, and other devices interconnected by communications media and controlled by communications software. Network resources include:

- Communications media. Examples include twisted pair wire, coaxial cable, fiber-optic cable, microwave systems, and communication satellite systems.
- Communications software. Examples include communications control software such as network operating systems and Internet packages.

Critical Characteristics of Information

Availability, Accuracy, Authenticity, Confidentiality, Integrity, Utility, Possession.

Reference: http://security.blogoverflow.com/2012/08/confidentiality-integrity-availability-the-three-components-of-the-cia-triad/

Confidentiality: Information is protected from disclosure or exposure. Confidentiality refers to limiting information access and disclosure to authorized users ("the right people") and preventing access by or disclosure to unauthorized ones ("the wrong people"). Data encryption is a common method of ensuring confidentiality.

Integrity: Information remains whole, complete, and uncorrupted.

Availability: Information is accessible by authorized users.

Accuracy: Information is free from mistakes or errors.

Authenticity: Information is genuine or original.

Utility: Information has value for some purpose.

Possession: The information object or item is owned or controlled by somebody.

Reference: http://en.wikipedia.org/wiki/Information_systems

Authentication

Authentication occurs when a control provides proof that a user possesses the identity that he or she claims: positive verification of identity (man or machine).

We can verify authenticity through authentication. The process of authentication usually involves more than one "proof" of identity (although one may be sufficient). The proof might be something a user knows, like a password. Or a user might prove their identity with something they have, like a keycard. Modern (biometric) systems can also provide proof based on something a user is. Biometric authentication methods include fingerprint scans, hand geometry scans, or retinal scans.

Verifying your identity with something you have:

- a security token or 'dongle',
- an ATM card, or
- a mobile phone.

Physical biometrics (something you are):

- Fingerprint
- Iris
- Hand geometry
- Finger geometry
- Face geometry
- Retina

Good security requires two of these factors. Two-factor authentication is also known as two-step verification or two-factor security. Most websites still rely on one-factor authentication.

Problems with passwords:

- Many people choose weak passwords.
- Brute-force cracking hardware and software keep getting faster.
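The two factors described above (something you know, something you have) and the password problems just listed, as one added Python example that is not part of the original transcript: the password is stored as a salted, deliberately slow PBKDF2 hash so that weak passwords cost an attacker real work to brute-force, and the second factor is an RFC 4226 HOTP / RFC 6238 TOTP code of the kind a mobile phone authenticator app shows, verified with a small clock-drift window. The authenticator secret is the RFC 4226 test key so the codes can be checked against the published test vectors; the user, password and function names are constructed for this example.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256 (OWASP's 2023 recommendation): each guess
# in a brute-force attack costs the attacker as much as one login costs us.
PBKDF2_ITERATIONS = 600_000

# Constructed authenticator secret: the RFC 4226 test key, so the one-time
# codes below match the published test vectors (counter 0 -> 755224).
TOTP_SECRET = b"12345678901234567890"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Something you know: store a salted, slow hash, never the password."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password."""
    h = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = h[-1] & 0x0F                        # dynamic truncation
    code = struct.unpack(">I", h[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None, step: int = 30) -> str:
    """RFC 6238: HOTP over a 30-second time counter, as authenticator apps show."""
    now = time.time() if at is None else at
    return hotp(secret, int(now // step))


def verify_totp(secret: bytes, code: str, at: Optional[float] = None,
                step: int = 30, window: int = 1) -> bool:
    """Something you have: accept the current step and +/- window steps of drift."""
    now = time.time() if at is None else at
    current = int(now // step)
    return any(hmac.compare_digest(hotp(secret, current + k), code)
               for k in range(-window, window + 1))


def login(stored_hash: str, totp_secret: bytes, password: str, code: str,
          at: Optional[float] = None) -> bool:
    """Two-factor login. Both factors are evaluated even if the first fails,
    so the response does not reveal which one was wrong."""
    password_ok = verify_password(password, stored_hash)
    code_ok = verify_totp(totp_secret, code, at)
    return password_ok and code_ok


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    code = totp(TOTP_SECRET)
    print("both factors:  ", login(stored, TOTP_SECRET, "correct horse battery staple", code))
    print("password only: ", login(stored, TOTP_SECRET, "correct horse battery staple", "000000"))
```

A production deployment would also rate-limit attempts and remember the last accepted time step so a captured code cannot be replayed within the drift window; the point here is only that the second factor is checked with a key the attacker does not have, which is what makes a guessed or phished password insufficient on its own.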

Securing Components

Securing components means protecting the components from potential misuse and abuse by unauthorized users. It is important in studying computer security to know the difference between the two roles a computer can play. When a computer is the subject of an attack, it is used as the active tool to conduct the attack. When the computer is the object of an attack, it is the entity being attacked.

(Figure: a hacker using a computer as the subject of the attack sends a request across the Internet to a remote system that is the object of the attack; stolen information flows back to the hacker.)

Two types of attacks:

1. Direct attack: when a hacker uses his personal computer to break into a system. The attack originates from the threat itself.

2. Indirect attack: when a system is compromised and used to attack other systems. The attack originates from a system or resource that itself has been attacked, and is malfunctioning or working under the control of a threat. An indirect attack is an attack launched by a third-party computer. By using someone else's computer to launch an attack, the attacker makes it far more difficult to track down who is actually responsible.

A computer can therefore be both the subject and the object of an attack: for example, when it is first the object of an attack and then compromised and used to attack other systems, at which point it becomes the subject of an attack.

Balancing Information Security and Access

Security has to protect the information while it remains feasible to access the information for its intended application.

Information security cannot be an absolute: it is a process, not a goal.

It should balance protection and availability.

Approaches to Information Security Implementation

- Bottom-up approach: initiated by system administrators and technical staff, without the authority or backing of upper management.
- Top-down approach: has a higher probability of success. The project is initiated by upper-level managers, who issue policy, procedures and processes, dictate the goals and expected outcomes of the project, and determine who is responsible for each of the required actions.

What is SDLC?

The Systems Development Life Cycle (SDLC) is a methodology for the design and implementation of an information system in an organization.

What is a methodology? A methodology is a formal approach to solving a problem based on a structured sequence of procedures.

SDLC Waterfall Methodology

The waterfall SDLC consists of six phases, each feeding the next; the cycle repeats when a system can no longer support the organization.

Investigation

It is the most important phase and it begins with an examination of the event or plan that initiates the process.

During this phase, the objectives, constraints, and scope of the project are specified.

At the conclusion of this phase, a feasibility analysis is performed, which assesses the economic, technical and behavioral feasibility of the process and ensures that implementation is worth the organization's time and effort.

Analysis

It begins with the information gained during the investigation phase.

It consists of assessments of the organization, the status of current systems, and the capability to support the proposed systems.

Analysts begin by determining what the new system is expected to do, and how it will interact with existing systems.

This phase ends with the documentation of the findings and an update of the feasibility analysis.

Logical Design

In this phase, the information gained from the analysis phase is used to begin creating a systems solution for a business problem.

Based on the business need, applications are selected that are capable of providing needed services.

Based on the applications needed, data support and structures capable of providing the needed inputs are then chosen.

In this phase, analysts generate a number of alternative solutions, each with corresponding strengths and weaknesses, and costs and benefits.

At the end of this phase, another feasibility analysis is performed.

Physical design

In this phase, specific technologies are selected to support the solutions developed in the logical design.

The selected components are evaluated based on a make-or-buy decision.

Final designs integrate various components and technologies.

Implementation

In this phase, any needed software is created.

Components are ordered, received and tested.

Afterwards, users are trained and supporting documentation created.

Once all the components are tested individually, they are installed and tested as a system.

Again a feasibility analysis is prepared, and the sponsors are then presented with the system for a performance review and acceptance test.

Maintenance and change

It is the longest and most expensive phase of the process.

It consists of the tasks necessary to support and modify the system for the remainder of its useful life cycle.

Periodically, the system is tested for compliance with business needs.

Upgrades, updates, and patches are managed.

As the needs of the organization change, the systems that support the organization must also change.

When a current system can no longer support the organization, the project is terminated and a new project is implemented.

Reference: http://www.ustudy.in/node/11804

IT stands for "Information Technology," and is pronounced "I.T." It refers to anything related to computing technology, such as networking, hardware, software, the Internet, or the people that work with these technologies. Many companies now have IT departments for managing the computers, networks, and other technical areas of their businesses. IT jobs include computer programming, network administration, computer engineering, Web development, technical support, and many other related occupations. Since we live in the "information age," information technology has become a part of our everyday lives. That means the term "IT," already highly overused, is here to stay.

Information technology (IT) is the application of computers and telecommunications equipment to store, retrieve, transmit and manipulate data, often in the context of a business or other enterprise. The term is commonly used as a synonym for computers and computer networks, but it also encompasses other information distribution technologies such as television and telephones. Several industries are associated with information technology, including computer hardware, software, electronics, semiconductors, internet, telecom equipment, e-commerce and computer services.

In a business context, the Information Technology Association of America has defined information technology as "the study, design, development, application, implementation, support or management of computer-based information systems". The responsibilities of those working in the field include network administration, software development and installation, and the planning and management of an organization's technology life cycle, by which hardware and software are maintained, upgraded and replaced.

Information Technology: A Definition

We use the term information technology or IT to refer to an entire industry. In actuality, information technology is the use of computers and software to manage information. In some companies, this is referred to as Management Information Services (or MIS) or simply as Information Services (or IS). The information technology department of a large company would be responsible for storing information, protecting information, processing the information, transmitting the information as necessary, and later retrieving information as necessary.

Modern Information Technology Departments

In order to perform the complex functions required of information technology departments today, the modern Information Technology Department would use computers, servers, database management systems, and cryptography. The department would be made up of several System Administrators, Database Administrators and at least one Information Technology Manager. The group usually reports to the Chief Information Officer (CIO).

Popular Information Technology Skills

Some of the most popular information technology skills at the moment are: computer networking, information security, IT governance, ITIL, business intelligence, Linux, Unix, project management. For more information about technical skills that are popular in the job market, check out the IT Career Skills List.

Information Technology Certifications

Having a solid education and specific specialty certifications is the best way to progress in an information technology career. Here are some of the more popular information technology certifications: information security certifications, Oracle DBA certifications, Microsoft certifications, Cisco certifications, PMP certification.

Jobs in IT

There can be a lot of overlap between many of the job descriptions within information technology departments. In order to clarify the descriptions, skills and career paths of each, I have put together a Jobs in IT listing. The jobs in IT listing includes information on education and training required for each position. It also includes lists of companies that typically have IT jobs open, as well as links to IT-specific resumes, cover letters and IT interview questions.

Information Technology Trends

Information Technology Departments will be increasingly concerned with data storage and management, and will find that information security will continue to be at the top of the priority list. Cloud computing remains a growing area to watch. The job outlook for those within Information Technology is strong, with data security and server gurus amongst the highest paid techies. Check out the Information Security Certifications and Highest Paying Certifications for more information. In order to stay current in the Information Technology Industry, be sure you subscribe to top technology industry publications.

Videos: http://www.youtube.com/watch?v=Qujsd4vkqFI (information system), http://www.youtube.com/watch?v=6p_q_Xp--Rs
