ISRA Module 1 PPT 4

INFORMATION SECURITY RISK ASSESSMENT AND ASSURANCE

Module 1 – Introduction
Module I: Introduction
• History
• What is Information Security?
• Critical Characteristics of Information
• Components of an Information System
• NSTISSC Security Model
• Securing the Components
• Balancing Security and Access
Components of Information System

• An Information System (IS) is a framework or structure that organizations use to collect, process, store, and distribute information for various purposes. It consists of several components that work together to achieve these objectives. The main components of an Information System are:

• Hardware: This includes all the physical equipment used to process and store data, such as computers, servers, storage devices, networking equipment, and peripheral devices like printers and scanners.

• Software: Software refers to the programs and applications that enable users to interact with the hardware and perform specific tasks. This includes operating systems, databases, productivity software, and custom applications developed for specific business needs.

• Data: Data is the raw information that an IS collects, processes, and stores. It can come in various forms, including text, numbers, images, audio, and video. Effective data management is crucial for an IS to function properly.

• Procedures: Procedures are the documented or established methods and guidelines for how an organization uses its information system. They define how data is collected, processed, and used, as well as how system maintenance and security are handled.

• People: People are the users and stakeholders who interact with the information system. This includes employees, customers, suppliers, and other individuals who use the system to access, input, or manipulate data. Effective training and user support are essential for the system's success.

• Networks: Networks enable communication and data exchange between different components of the information system. This includes local area networks (LANs), wide area networks (WANs), and the internet. Network infrastructure is critical for data sharing and system integration.

• Security: Security measures are essential to protect data and the integrity of the information system. This includes user authentication, access control, encryption, firewalls, antivirus software, and other security protocols to safeguard against unauthorized access, data breaches, and cyberattacks.

• Feedback and Control: An information system should have mechanisms for monitoring and controlling its performance. Feedback loops and controls help ensure that the system operates effectively and efficiently. Monitoring tools and metrics are used to assess system performance and identify areas for improvement.

• Database Management System (DBMS): In many cases, data is organized and stored in databases. A DBMS is software that manages the creation, retrieval, updating, and deletion of data in these databases. It ensures data consistency, integrity, and security.

• Middleware: Middleware is software that acts as an intermediary between different applications and systems, facilitating communication and data exchange. It plays a crucial role in integrating various components of an information system.

• User Interface: The user interface (UI) is the point of interaction between users and the information system. It includes graphical user interfaces (GUIs), command-line interfaces (CLIs), and other means through which users input commands and receive feedback from the system.

• Backup and Recovery: A robust information system includes backup and recovery mechanisms to ensure that data can be restored in case of hardware failures, data corruption, or other disasters.

• These components work together to support an organization's information needs, improve decision-making, enhance productivity, and achieve its business objectives. The effectiveness of an information system depends on the integration and coordination of these components.
Securing the components of an information system

• Securing the components of an information system is paramount to protect data, maintain system integrity, and ensure the confidentiality, availability, and integrity of information. Here are some key security measures for each component:

• Hardware Security:
  - Physical Access Control: Limit physical access to servers and critical hardware components to authorized personnel only through measures like secure data centers and card/key access systems.
  - Hardware Encryption: Use hardware encryption for data stored on drives to protect against theft or unauthorized access to physical devices.

• Software Security:
  - Regular Patching and Updates: Keep all software, including the operating system and applications, up to date with security patches to address vulnerabilities.
  - Antivirus and Anti-Malware: Employ antivirus and anti-malware software to detect and prevent malicious software from compromising the system.
  - Application Security: Conduct regular security testing, such as penetration testing and code reviews, to identify and remediate vulnerabilities in custom applications.

• Data Security:
  - Data Encryption: Encrypt sensitive data, both in transit and at rest, using strong encryption algorithms to protect against unauthorized access.
  - Access Controls: Implement strict access controls and role-based permissions to limit who can view, modify, or delete data.
  - Data Backups: Regularly back up data and ensure backups are stored securely and can be restored in case of data loss or ransomware attacks.

• Procedures Security:
  - Security Policies: Develop and enforce security policies and procedures that define acceptable use, password management, incident response, and other security-related practices.
  - Employee Training: Provide cybersecurity training and awareness programs to educate employees about security best practices and threats.
• People Security:
  - User Authentication: Enforce strong password policies and consider implementing multi-factor authentication (MFA) for user accounts.
  - Employee Screening: Conduct background checks and reference checks when hiring employees to reduce insider threats.
  - Access Monitoring: Continuously monitor user activity and establish alerts for suspicious behavior.

• Network Security:
  - Firewalls: Implement firewalls to filter network traffic and protect against unauthorized access.
  - Intrusion Detection and Prevention Systems (IDPS): Deploy IDPS to detect and respond to suspicious network activities.
  - Network Segmentation: Isolate sensitive data and systems in separate network segments to limit the spread of threats.

• Security:
  - Security Awareness: Educate personnel about security best practices, social engineering tactics, and phishing awareness.
  - Incident Response Plan: Develop and regularly test an incident response plan to address security incidents promptly and effectively.
  - Security Auditing and Monitoring: Continuously monitor system logs and perform security audits to detect and respond to security incidents.

• Database Management System (DBMS) Security:
  - Database Encryption: Encrypt sensitive data within databases to protect it from unauthorized access.
  - Access Controls: Implement strong access controls, including user roles and permissions, to restrict access to data based on need-to-know.

• Middleware and User Interface Security:
  - Ensure that middleware components are up to date and follow security best practices.
  - Secure user interfaces by implementing authentication and authorization mechanisms and protecting against common web application vulnerabilities like SQL injection and cross-site scripting (XSS).

• Backup and Recovery Security:
  - Secure backup copies to prevent unauthorized access or tampering.
  - Test the recovery process regularly to ensure it functions as expected during emergencies.
Balancing Security and Access

• Balancing security and access is a critical challenge for organizations. On one hand, organizations need to protect sensitive information and systems from unauthorized access and cyber threats. On the other hand, they must ensure that authorized users can access the resources they need to perform their tasks efficiently. Achieving this balance is essential to maintain productivity and minimize security risks. Here are some strategies to strike the right balance between security and access:

• Implement Access Control:
  - Use role-based access control (RBAC) and least privilege principles to grant users the minimum access rights necessary to perform their job functions.
  - Regularly review and update access permissions based on user roles and responsibilities.
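Added example, not code from the slides: a deny-by-default RBAC check in the spirit of the two points above, plus a review helper that flags permissions a user holds but has not exercised recently, which is how "regularly review and update access permissions" becomes a repeatable task. The roles, users and usage-log entries are constructed sample data.

```python
from datetime import date, timedelta

# Role -> permissions. Constructed sample data for this example, not from the slides.
ROLE_PERMISSIONS = {
    "analyst": {"report:read"},
    "finance": {"report:read", "invoice:read", "invoice:approve"},
    "admin": {"user:manage", "report:read"},
}

# User -> roles. Constructed sample assignments.
USER_ROLES = {
    "alice": {"analyst"},
    "bob": {"finance"},
    "carol": {"finance", "admin"},
}


def permissions_for(user):
    """Union of the permissions granted by every role the user holds."""
    perms = set()
    for role in USER_ROLES.get(user, set()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_allowed(user, permission):
    """Deny by default: unknown users and permissions no held role grants are refused."""
    return permission in permissions_for(user)


def unused_permissions(user, usage_log, today, max_idle_days=90):
    """Permissions the user holds but has not exercised in the last max_idle_days.

    usage_log: list of (user, permission, "YYYY-MM-DD") tuples taken from an access log.
    today: "YYYY-MM-DD". Flagged entries are candidates for removal in a periodic
    access review, which is what keeps least privilege true over time.
    """
    cutoff = date.fromisoformat(today) - timedelta(days=max_idle_days)
    recently_used = {
        perm for (u, perm, when) in usage_log
        if u == user and date.fromisoformat(when) >= cutoff
    }
    return sorted(permissions_for(user) - recently_used)
```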

• Authentication Methods:
  - Implement multi-factor authentication (MFA) to add an extra layer of security without significantly impacting user experience.
  - Use strong and adaptive authentication methods, such as biometrics or smart cards, for sensitive systems and data.

• User Training and Awareness:
  - Educate users about the importance of security and the risks associated with careless behavior.
  - Provide training on secure practices and how to recognize and report security threats like phishing attacks.

• Monitoring and Logging:
  - Implement robust monitoring and logging solutions to track user activity and system events.
  - Set up alerts for suspicious activities and automate responses to certain types of incidents.
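Added example, not code from the slides, illustrating the "Monitoring and Logging" points above and the earlier "Access Monitoring" item: a sliding-window detector that raises an alert when one account and source accumulate repeated authentication failures, and escalates it if a success follows the burst. The log lines and the `user=... src=... result=...` format are constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the slides), one event per line.
SAMPLE_LOG = """\
2024-05-10T08:00:01Z user=bob src=10.0.0.5 result=SUCCESS
2024-05-10T08:01:10Z user=alice src=203.0.113.7 result=FAIL
2024-05-10T08:01:12Z user=alice src=203.0.113.7 result=FAIL
2024-05-10T08:01:15Z user=alice src=203.0.113.7 result=FAIL
2024-05-10T08:01:19Z user=alice src=203.0.113.7 result=FAIL
2024-05-10T08:01:22Z user=alice src=203.0.113.7 result=FAIL
2024-05-10T08:01:40Z user=alice src=203.0.113.7 result=SUCCESS
2024-05-10T09:30:00Z user=carol src=10.0.0.9 result=FAIL
2024-05-10T10:30:00Z user=carol src=10.0.0.9 result=FAIL
"""


def parse_line(line):
    """Turn '<timestamp> key=value ...' into a dict with a parsed 'time' field."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Alert on any (user, source) with >= threshold failures inside a sliding window.

    A success that follows such a burst within the window is escalated, because it
    may mean the guessing worked. Returns {"user@src": severity}.
    """
    recent_failures = defaultdict(list)  # (user, src) -> failure times still in window
    alerts = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        key = (ev["user"], ev["src"])
        if ev["result"] == "FAIL":
            # drop failures that fell out of the window, then record this one
            kept = [t for t in recent_failures[key] if ev["time"] - t <= window]
            kept.append(ev["time"])
            recent_failures[key] = kept
            if len(kept) >= threshold:
                alerts.setdefault(key, "brute_force")
        elif alerts.get(key) == "brute_force":
            if ev["time"] - recent_failures[key][-1] <= window:
                alerts[key] = "brute_force_then_success"
    return {f"{user}@{src}": severity for (user, src), severity in alerts.items()}
```

Two isolated failures an hour apart (carol) stay below the threshold, which is the point of the window: the alert fires on a burst, not on ordinary typos.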

• Incident Response Plan:
  - Develop a well-defined incident response plan that outlines procedures for handling security incidents while minimizing disruption to legitimate users.
  - Test the plan regularly to ensure it's effective and efficient.

• User-Friendly Security Solutions:
  - Invest in security solutions that are user-friendly and easy to use, minimizing friction while maintaining protection.
  - Balance security with user convenience to reduce the likelihood of users attempting to bypass security measures.

• Segmented Networks:
  - Implement network segmentation to isolate sensitive systems and data from less critical ones.
  - This allows you to apply stricter security controls to high-value assets while maintaining more open access for less sensitive resources.

• Regular Security Audits:
  - Conduct regular security audits and vulnerability assessments to identify weaknesses in the system.
  - Address identified vulnerabilities promptly to reduce the risk of unauthorized access.

• Data Encryption:
  - Implement encryption for data in transit and at rest, particularly for sensitive information.
  - This protects data even if unauthorized access occurs.

• User Feedback and Collaboration:
  - Encourage users to provide feedback on security measures and access restrictions.
  - Involve users in the decision-making process when implementing new security solutions to ensure usability.

• Continuous Monitoring and Adaptation:
  - Continuously assess the security posture of your organization and adapt security measures as needed to address evolving threats and technology changes.

• Compliance and Regulation:
  - Ensure that your organization complies with relevant data protection and security regulations.
  - These regulations often provide guidance on balancing security and access.