
INFORMATION SYSTEMS SECURITY
Security Management, Metrics, Frameworks and Best Practices
2nd Edition
Nina Godbole
Foreword by Dr. Bhuvan Unhelkar

Keeping the essence of the first edition, this new edition of Information Systems Security is restructured to meet the ever-growing demand for books that give a comprehensive treatment of the Information Security topic. Designed with ample figures to illustrate key points and Review Questions and Reference Material Pointers at the end of each chapter, it is truly a treatise on the subject. This book should prove a valuable reference on the topic to students as well as professionals. It is useful for candidates appearing for the CISA certification exam and maps well with the CBOK for CSTE and CSQA Certifications.

New to this Edition
l Completely restructured, chapters now divided into 8 broad themes:
n PART I: Introduction
n PART II: Cloud, Mobile Applications, Smartphone, IoT, Smart Cities and Wireless Networks in Security Perspective
n PART III: Network Security and Other Controls
n PART IV: Security of Applications and Operating Systems
n PART V: Models, Frameworks and Metrics for Maturing Security Practices
n PART VI: Metrics, Legal Aspects and Privacy Consideration for Information Security
n PART VII: Security Best Practices
n PART VIII: Other Important Concepts in Information Systems Security
l Four new chapters included: Chapter 7, Security in Cloud Computing; Chapter 8, Smartphone Security; Chapter 10, The Internet of Things (IoT) and Smart Cities: Security and Privacy Challenges; and Chapter 19, The Security of Electronic Commerce.

Companion CD contains:
l 39 Appendices with checklists, guidelines and more, on the topics covered.
l 17 Case Illustrations to help readers appreciate/reinforce the understanding of the concepts.
l A Workshop Mapping document with ideas for mapping contents of chapters to workshops/seminars on security and privacy.
l A Web Link document, which has a list of URLs given in the chapters.

About the Author
Nina Godbole has vast experience in the IT industry – System Analysis & Design and Development, as well as Application Support Services, MIS, IT Perspective Planning, Training, Security Audits, Quality Management and Operations Management. Nina has also led BPR initiatives and has played an instrumental role in successfully driven organizational initiatives – the ISO 9001, P-CMM and CMM-I. She is an active member of many professional bodies and academic research groups.
Nina holds a Master’s degree from IIT and an MS Engineering (Computer Science) degree from Newport University, USA. She is a CQA, CSTE, CISA, PMP and ITIL Foundation Certified professional. She is also a Certified Privacy Professional for Information Technology (CIPP/IT) from the International Association of Privacy Professionals (IAPP), USA.


SHELVING CATEGORY: Computer Science

Wiley India Pvt. Ltd.
4435-36/7, Ansari Road, Daryaganj
New Delhi-110 002
Customer Care +91 11 43630000
Fax +91 11 23275895
csupport@wiley.com
www.wileyindia.com
ISBN: 978-81-265-6405-7

NINA GODBOLE
ISS_FM.indd 6 4/24/2017 4:43:11 PM
INFORMATION SYSTEMS SECURITY
Security Management, Metrics, Frameworks and Best Practices
2nd Edition

NINA GODBOLE

Copyright © 2017 by Wiley India Pvt. Ltd., 4435-36/7, Ansari Road, Daryaganj, New Delhi-110002.
Cover Image: teekid/Getty Images

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by
any means, electronic, mechanical, photocopying, recording or scanning without the written permission of the
publisher.
Limits of Liability: While the publisher and the author have used their best efforts in preparing this book, Wiley and
the author make no representation or warranties with respect to the accuracy or completeness of the contents of this
book, and specifically disclaim any implied warranties of merchantability or fitness for any particular purpose. There are
no warranties which extend beyond the descriptions contained in this paragraph. No warranty may be created or
extended by sales representatives or written sales materials. The accuracy and completeness of the information provided
herein and the opinions stated herein are not guaranteed or warranted to produce any particular results, and the advice
and strategies contained herein may not be suitable for every individual. Neither Wiley India nor the author shall be liable
for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or
other damages.
Disclaimer: While every effort has been made to trace copyright holders, trademark holders and obtain permission, any
omissions are inadvertent and will be rectified in future editions if brought to our notice. The contents of this book have
been checked for accuracy. Since deviations cannot be precluded entirely, Wiley or its author cannot guarantee full
agreement. As the book is intended for educational purpose, Wiley or its author shall not be responsible for any errors,
omissions or damages arising out of the use of the information contained in the book. This publication is designed to
provide accurate and authoritative information with regard to the subject matter covered. It is sold on the understanding
that the Publisher is not engaged in rendering professional services.
Trademarks: All brand names and product names used in this book are trademarks, registered trademarks, or trade
names of their respective holders. Wiley is not associated with any product or vendor mentioned in this book.
All the images that appear in the book are merely for the purpose of providing visual examples for readers to enable a
better understanding because, as the old adage goes, “a picture is worth a thousand words”; they are not intended as a hint
(direct or indirect) towards the promotion or recommendation of the products associated with those images.

Other Wiley Editorial Offices:


John Wiley & Sons, Inc. 111 River Street, Hoboken, NJ 07030, USA
Wiley-VCH Verlag GmbH, Pappelallee 3, D-69469 Weinheim, Germany
John Wiley & Sons Australia Ltd, 42 McDougall Street, Milton, Queensland 4064, Australia
John Wiley & Sons (Asia) Pte Ltd, 2 Clementi Loop #02-01, Jin Xing Distripark, Singapore 129809
John Wiley & Sons Canada Ltd, 22 Worcester Road, Etobicoke, Ontario, Canada, M9W 1L1

First Edition: 2009


Second Edition: 2017
ISBN: 978-81-265-6405-7
ISBN: 978-81-265-8360-7 (ebk)
www.wileyindia.com
Printed at:
To
My Family

Foreword

Security is easy. Simply stop all communications with the external world; be a recluse, and you are secured. One is reminded of
an ancient fable: a king built the most secure palace in the world; it had no doors! Can businesses and the software applications
and services that help us transact with the external world really afford to do this? The answer is not worth spelling out.
Security was, is and will always be a double-edged sword. You have to expose your systems and applications to the external
world in order to conduct business, but you want to remain in control. Every business wants to keep its data, information and
knowledge secured from intruders and competitors. Every business also wants to expose the right kind of data, information
and knowledge to its business partners, employees, customers, government and stakeholders. How does one achieve this
balance?
The best approach, it seems, is to understand information and communication systems themselves, from a security
viewpoint. Then one needs to understand the ‘soft spots’, where the systems can be exposed to intrusion and risks, within
the overall architecture and design of these systems. These areas of risks can span the entire gamut of information systems
including databases, networks, applications, Internet-based communication, web services, mobile technologies and people
issues associated with all of them. An effective strategy to ameliorate the risks associated with these aspects of IT systems then
needs to be developed, to provide businesses with the confidence to operate in the real world. Furthermore, with increasingly
stringent legislation, such as the Sarbanes–Oxley (SOX) legislation, that imposes rigid auditing controls over businesses –
particularly through their information and communication systems – it is vital for businesses to be fully aware of the security
risks associated with their systems, and to develop and implement an effective strategy to handle those risks.
In this book, Godbole has done an excellent job of covering all of the aforementioned issues; and that too at the right depth.
She has impressively covered all significant aspects of security, as it deals with information communication technology (ICT),
with the appropriate depth. Being a practitioner herself, and with decades of experience to back her approach, Godbole has
provided the practicing ICT security professionals with a lucid text that explains various significant aspects of information
systems, their corresponding security risks and how to embark on a strategic approach to reducing and, preferably, eliminating
those risks. The coverage is impressive and relevant to industry practice.
Godbole starts the book with a discussion of information and communications systems in the global context before quickly
moving to the threats to these systems. With the backdrop of the first two chapters, the book moves to Chapter 3 on mobile
technologies, which provides an excellent description of the security risks associated with these emerging technologies and
warrants special mention. Discussion of the security aspects of cutting-edge technologies continues throughout the book – for
example, Chapter 18 discusses security risks associated with web services and enterprise application integration and Chapter 20
explains security issues with federated databases, which have special relevance in the extended enterprise paradigm. This
work discusses almost all significant aspects of security including its management and organization, physical and electronic
protection, risk analysis of security aspects of ICS, biometrics controls, networks and operating systems, firewalls and database
security, eventually culminating in the discussion on standards relevant to modern-day security.


This book is yet another addition from Godbole to her earlier book on software quality and indicates an excellent
evolution in thinking that is also rapidly maturing, providing valuable benefits to practitioners in the industry. This book is,
thus, a valuable reference for practitioners as well as students and is highly recommended.

Bhuvan Unhelkar
Director MIRAG (Mobile Internet Research and Application Group)
University of Western Sydney
Sydney, Australia
April, 2007



About the Author

Nina Godbole has vast experience in the IT industry – SW development, system analysis and design,
business development and support services, training, quality management, operations management,
design and implementation of computer-based MIS applications. The author was instrumental in
preparing IT perspective plans for client organizations as well as BPR initiatives, analysis for ERP
package deployment patterns in the USA and as a systems analyst for web-based applications in France.
She has played an instrumental role in several successfully driven organizational initiatives – the ISO,
P-CMM, and CMM-I.
The author is an active member of professional bodies and academic research groups: ISACA-USA,
PMI-USA, the Mobile Internet Research and Applications Group (MIRAG) at an Australian University,
SW Process Improvement Network (SPIN), Institute of Management Consultants of India (IMCI), Computer Society of
India (CSI) and Pune Management Association (PMA).
Nina Godbole holds a Master’s degree from IIT, Bombay and an MS Engineering (Computer Science) degree from Newport
University, USA. She has several international professional certifications to her credit – CQA, CSTE from the QAI-USA, CISA
from ISACA-USA, BVQI Certified ISO Auditor and a certified PMP from PMI. She is also a Certified Privacy Professional for
Information Technology (CIPP/IT) from the International Association of Privacy Professionals (IAPP), USA.
The author is also an ITIL Foundation certified professional and has handled numerous training workshops and seminars
devoted to her domain expertise. She has been a visiting lecturer to various academic programs of Pune University for their
courses such as MCM, MCA, DCM, MDBR and ADCSSA. She has also addressed overseas students at Australian universities
as guest faculty. The author is currently working in a large multinational organization in the business controls team, where
she has been the head for QA activities at one of its major export locations. As a CISA, she is actively involved in security audit
engagements for business units of the organization in India as well as for overseas customer accounts.

Preface to the Second Edition

Information Security as the Professional Domain of Emerging Importance


Over the years, the world has become dependent on the use of digital technologies for a myriad of reasons: corporations
use them for managing their information assets and people use them for managing their day-to-day activities. The growing
number of mobile apps and the changing face of digital asset management in the corporate world bear testimony to this.
On one hand, Information and Communication Technology (ICT) allows information to be collected, compiled and
delivered around the world at the wink of an eyelid and yet, on the other hand, it raises a huge risk given the threats of hacking
and phishing in their various forms and the victims of it that we see today. Like never before, we are holding information in
the digital form. Although it was once difficult, time-consuming and expensive to obtain and compile information, it is now
possible for us to do it with a few clicks of the mouse attached to our computers or with a flick of a finger on our mobile phones/
smartphones. This, of course, has increased the vulnerability of our information as well as our data privacy. Information worth
billions of dollars gets lost each year due to security breaches and other intrusions. Given the high-profile security breaches and
the endless stream of disastrous virus infections, businesses have recognized information security as mission critical. Information
security is not limited only to computer security; the latter is only a part of it. Outsourcing is another business area where one
must consider implementing controls to protect the security of the information. Customers entrust their confidential/sensitive
data to service organizations, who must respect the trust placed by the client and also the privacy of clients’ data.

Structural Changes and New Chapters


The first edition of the book, published in 2009, became a grand success, as can be judged by the appreciation it has received
and also by the fact that it has been adopted in academic courses as well as used by industry professionals as the thematic
reference book.
We strove to collect feedback from the readers and, after analyzing it, incorporated the best possible suggestions in this
second edition. Therefore, this edition has undergone a few changes: four new chapters have been added to address the
state-of-the-art issues in the area and a few chapters have been merged to provide a more condensed treatment of the themes
that now may be considered to have taken a backseat; needless to say, they cannot be completely ignored as they continue to
be a part of information security.
Electronic commerce has now taken strong roots in our society and therefore pondering on its security aspects is the need
of the hour. The incorporation of e-commerce security aspects was requested by many of our readers.
Following are the structural changes made in the second edition:
• Chapters 1 and 2 are the same as Chapters 1 and 2, respectively, of the first edition.
• Chapters 3, 4 and 5 are Chapters 4, 5 and 6, respectively, of the first edition.
• Chapter 6 is Chapter 3 of the first edition.
• Chapters 12 to 17 are, respectively, Chapters 11 to 16 of the first edition.


• The new chapters developed for the second edition are as follows:
• Chapter 7: Security in Cloud Computing
• Chapter 8: Smartphone Security
• Chapter 10: The Internet of Things (IoT) and Smart Cities: Security and Privacy Challenges
• Chapter 19: Security of Electronic Commerce
The correspondence of the rest of the chapters in the second edition with respect to the chapters of the first edition is shown
in the following table:

First edition chapter | First edition title | Second edition chapter | Second edition title
Chapter 7 | Overview of Physical Security for Information Systems | Chapter 35 | Physical Security: An Overview
Chapter 8 | Perimeter Security for Physical Protection | Chapter 36 | As in the first edition
Chapter 9 | Biometric Controls for Security | Chapter 11 | Biometrics for Security
Chapter 10 | Biometrics-Based Security: Issues and Challenges | Chapter 11 | Biometrics for Security
Chapter 18 | Business Applications Security: An EAI Perspective | Chapter 37 | As in the first edition
Chapter 19 | Security of Electronic Mail Systems | Chapter 18 | As in the first edition
Chapter 20 | Security of Databases | Chapter 20 | As in the first edition
Chapter 21 | Security of Operating Systems | Chapter 21 | As in the first edition
Chapter 22 | Security Models, Frameworks, Standards and Methodologies | Chapter 22 | As in the first edition
Chapter 23 | ISO 17799/ISO 27001 | Chapter 23 | As in the first edition
Chapter 24 | Systems Security Engineering Capability Maturity Model: The SSE-CMM | Chapter 38 | As in the first edition
Chapter 25 | COBIT, COSO-ERM and SAS 70 | Chapter 24 | COBIT, COSO-ERM and SOC
Chapter 26 | Information Security: Other Models and Methodologies | Chapter 39 | As in the first edition
Chapter 27 | Laws and Legal Framework for Information Security | Chapter 26 | As in the first edition
Chapter 28 | Security Metrics | Chapter 25 | As in the first edition
Chapter 29 | Privacy: Fundamental Concepts and Principles | Chapter 27 | As in the first edition
Chapter 30 | Privacy: Business Challenges | Chapter 28 | Privacy: Business Challenges and Technological Impacts
Chapter 31 | Privacy: Technological Impacts | Chapter 28 | Privacy: Business Challenges and Technological Impacts
Chapter 32 | Web Services and Privacy | Chapter 29 | Privacy Aspects of Web Services
Chapter 33 | Staffing the Security Function | Chapter 30 | As in the first edition
Chapter 34 | Business Continuity and Disaster Recovery Planning | Chapter 31 | As in the first edition
Chapter 35 | Auditing for Security | Chapter 32 | As in the first edition
Chapter 36 | Privacy Best Practices in Organizations | Chapter 33 | As in the first edition
Chapter 37 | Asset Management | Chapter 34 | IT Asset Management
Chapter 38 | Ethical Issues and Intellectual Property Concerns for InfoSec Professionals | Chapter 40 | Ethical Issues and Intellectual Property Concerns in Information Security


The book is divided into eight parts whose broad themes are indicated below. In each part, there are multiple chapters
devoted to the theme of the part.

Part of the book | Part title | Chapters
Part I | Introduction | Chapters 1 to 5
Part II | Cloud, Mobile Applications, Smartphone, IoT, Smart Cities and Wireless Networks in Security Perspective | Chapters 6 to 10
Part III | Network Security and Other Controls | Chapters 11 to 17
Part IV | Security of Applications and Operating Systems | Chapters 18 to 21
Part V | Models, Frameworks and Metrics for Maturing Security Practices | Chapters 22 to 24
Part VI | Metrics, Legal Aspects and Privacy Consideration for Information Security | Chapters 25 to 29
Part VII | Security Best Practices | Chapters 30 to 34
Part VIII | Other Important Concepts in Information Systems Security | Chapters 35 to 40

We have carried forward in this second edition all the Case Illustrations and seven checklists that the previous edition had.
The Appendices continue to be in the CD companion of the book. In addition, we have prepared an appendix, titled Web
links, which has a list of the URLs that each chapter mentions as the extended information resource. This addition is as per
the feedback received from the readers that it is difficult to type the long URLs in order to access the material on the Internet.
We believe this is an improvement and given that the book is now being heavily referred to in academic papers, plugging the
URLs into browsers, to access online material, is now much easier for our esteemed readers.

Audience for this Book


The target audience for the second edition continues to be the same segment that the previous edition had targeted. In
addition, it is also for the students of those engineering courses where information security is now one of the key subjects.
The book also serves the need of the academic/teaching staff of engineering colleges. It is a useful reference text for candidates
aspiring for various professional certification programs in information security and related areas. The second edition of the
book also helps researchers as our experience with the first edition shows.
Overall, this book is a valuable syllabus reference for students of computer science or business management, as well as useful
for practitioners seeking professional certifications in security and those interested in learning about information security and
data privacy. Having said that, this is a very special book, given the large range of topics it covers in the information security
domain. The contents have been designed keeping in mind the need of a large audience from a wide spectrum.

Mapping to a Workshop
We have modified the names of the chapters mentioned in the guidance, given the restructuring of the book mentioned.

The Companion CD
The new edition too has its companion CD. The CD contents are listed as part of the Table of Contents.

Nina Godbole
March 2017

Preface to the First Edition

Purpose of this Book


Computer security as a discipline was first studied in the early 1970s; today, the discipline has evolved into a vital yet highly
complex domain. This book is about understanding and applying in practice this domain of Information Systems Security
as well as its management issues and challenges. This book also addresses privacy concepts in recognition of the ever-growing
importance of data privacy. The aim of the book is to create security and privacy awareness among students and researchers
as well as to sensitize industry practitioners to the importance of security and privacy. This is so because information security
is perhaps not fully understood in practice owing to its complex and dynamically changing nature. Not surprisingly, very few
organizations have integrated security policies, measures and technologies to protect their information assets against internal
and external threats. The need to underscore the importance of security as a business issue cannot be overemphasized.

Security as the Emerging Focus Area


Today’s technologies allow information to be collected, compiled, analyzed and delivered around the world quickly and
inexpensively like never before. Where it was once difficult, time-consuming and expensive to obtain and compile information,
it is now often available with a few simple clicks of a computer mouse. This has increased access to information of all kinds
and this brings in the vulnerabilities. Billions of dollars’ worth of productivity and information assets are lost each year due
to security breaches and other intrusions. In light of many recent high-profile security breaches and the endless stream of
disastrous virus infections, businesses are finally recognizing security as mission critical. Outsourcing is on its highest surge;
customers entrust their confidential/sensitive data to the service organization, who must respect this trust; and hence the
importance of data privacy.

Motivation for Writing this Book


Having worked in the industry for the past 15+ years, I have been a witness to many business issues whose origins are in the
inadequate security practices and missing business controls. Past work experience, as the quality manager in a large multi-
national organization, has been a testimony to projects grappling with the issue of data management and data quality. The
time for confluence has come, wherein security professionals as well as quality professionals need to put their minds together
for a holistic approach to the ensuing issues of information security and data privacy – it is the need of the hour because, in
many ways, ‘information’ is the ‘currency’ of the electronic age and the eCommerce era. Information is the lifeblood of our digital
economy. Awareness about security and privacy needs to be created at all levels – this is the primary motivation for writing
this book – a project that was taken up with support from Wiley India for developing a single-point-reference on the topic of
security along with privacy aspects.


Audience for this Book


This book is for the global audience. However, I have derived a significant part of my work experience from the Indian sub-
continent. Hence, there is a predilection in this book towards medium to large Indian software organizations. Several books
on the topic of information security are available in the market; among those, this is a very special book, given its width of
coverage. Its contents are designed keeping in mind the need of a large audience from a wide spectrum of the IT/computer industry
as well as the business audience at large. This book will be a valuable syllabus reference for students of computer science or business
management, and useful for practitioners seeking professional certifications in security and for those interested in learning about
information security and data privacy. The book would help researchers too.

Themes Addressed and Structure of the Book


The topic of ‘security’ is as large and broad as the topic of ‘quality’; it has multiple facets. Security has evolved from protecting
the network perimeter to protecting data at the source. Perimeter security is no longer effective in an age when data access
models (once designed for employees only) now extend to partners, vendors and customers. It is in this context that the
concept of ‘extended enterprise’ and ‘net-centric digital economy’ is mentioned throughout as the central themes echoing in
the chapters of this book. Keeping in mind the growth of the digital economy and the globalization of businesses, the book is developed
to have the following context. It is divided into seven parts whose broad themes are indicated below; in each part, there are
multiple chapters devoted to the theme of the part:
Part I Introduction (6 chapters)
Part II Physical and Environmental Security (4 chapters)
Part III Network Security and Logical Access Control (7 chapters)
Part IV Applications Security (4 chapters)
Part V Models, Frameworks and Metrics for Security (7 chapters)
Part VI Privacy (4 chapters)
Part VII Security Best Practices (6 chapters)
For those who have security exposure, this book need not be perused back-to-back, while students approaching the topic
for the first time need to read it in sequential order because later chapters have reference links to the topics in the earlier
chapters.

Appendices and Case Illustrations


The appendices are on the CD companion of the book; they cover a wide repertoire of topics – SAS 70, ISO 27001 controls,
COBIT domains, PHIPA (for the health sector), PIPEDA and PCI-DSS compliance (for the credit card industry), consumer
privacy protection, NDA, privacy policy samples, access controls template and template for User ID management, Cyber
Crime, Server Virtualization, Safe Harbor Principles, WiFi security, and security checks at data centers, risk management and
other best practices including security metrics development and disaster recovery and many others. The case illustrations, on
the CD companion, provide real-life insights from security audits, global-multi-location project scenarios, ethical dilemmas in
IT world, vulnerability assessment issues, VPN implementation, cyber crime impact on individuals and so on.

Mapping to a Workshop
The topics covered in the book can be mapped to a one-day or two-day workshop/seminar. The idea for mapping the chapters
to workshops comes from my numerous workshops and seminars conducted for practitioners as well as post graduate students
in and outside India. The concepts presented in the book are the culmination of my work experience in the IT/software
industry as well as the sessions delivered at the workshops/seminars and the questions heard from the audience. In a way,
I have learnt from the active practitioners and sincere students participating in these workshops/seminars. Each chapter in this
book corresponds to a three-hour lecture topic when the book is used in an academic setup.


Semantics and Nomenclature


IT (information technology), ITS (information technology services), IS (information systems), PI (personal information) and
SPI (sensitive personal information) are some of the commonly occurring acronyms throughout the book. The convention
followed through the chapters is that an acronym is provided when a technical term is introduced for the first time; thereafter,
only the acronym is used. We have taken care, where appropriate, to re-introduce the term in case it is appearing after
a long time with respect to its initial introduction. However, we apologize for possible inconveniences to the readers where
they may note this not happening. We have made the best attempt to maintain gender neutrality in the book with use of the
term s/he.

The Companion CD
The Companion CD is an integral part of the book and contains 37 appendices containing guidelines, checklists and additional
information. Also encased in the CD are 17 case illustrations to help readers appreciate/reinforce the understanding of the
concepts. The CD also provides ideas for mapping the contents of chapters to workshop or seminar on security and privacy.
Lists of Figures, Tables and Boxes that appear in the chapters are also provided in the CD. The CD has a Readme file which the
readers should go through.

The Message of this Book


While the Internet and Information Systems have contributed considerably in improving services, dissemination of information
and exchanging of views at a global level and have fostered better understanding amongst people of the world, they also bring
in many threats to our information systems. It is, therefore, crucial that we embed good practices for data/information security
and privacy as the DNA of organizations to mitigate security risks and privacy exposures. This is my humble attempt at
creating a knowledge artefact that, I believe, would be of value to academics as well as to the industry.

Tribute to Stalwarts and Institutions


Last but not the least, this is my tribute to security stalwarts and organizations, who, to my mind, have significantly influenced
my thinking about security and privacy. First of all, my salute to IBM, as the world’s largest IT organization – it is not just an
organization but an institution. IBM has significantly contributed to many areas, including ITIL. I would also like to mention
Carnegie Mellon University and their research contribution in the privacy domain through their data privacy lab.
Purdue researchers, in collaboration with the IBM team and the CMU team, focus on topics dealing with fine-grained access
control techniques and applications to databases, analysis tools for access control policies and privacy-aware role-based access
control. Kudos to Whitfield Diffie who took cryptography out of the hands of the spooks and made privacy possible in the
digital age – by inventing the most revolutionary concept in encryption since the Renaissance. I wish to thank the Australian
privacy researcher and Privacy Expert Roger Clarke for leading thoughts on data privacy issues. Finally, I owe a bow to Harriet
Pearson, for her data privacy leadership, to guide the IT industry.

Nina Godbole
September 2008

ISS_FM.indd 17 4/24/2017 4:43:15 PM


Acknowledgments

Writing a book is like planning a long journey with a goal; it not only involves complex thought processes and efforts but also
results in achieving milestones. The journey of the author is not alone; it is a journey of thousand miles encompassing many
minds. The journey of this second edition, too, was fairly long; the manuscript development phase for the second edition
spanned over a year.
I am thankful to Wiley India for their continued faith in me. I would like to put in print my grateful appreciation for the
copy editing work by Ankush Kumar under the leadership of Meenakshi Sehrawat. They worked diligently to ensure a high-
caliber product.
I specially thank my PhD research supervisor Dr. John Lamb, who worked many years with IBM, USA, and who is also
the co-author of our book project in the domain of Cloud and Green IT. My discussions with him immensely helped in the
development of the cloud technology related chapters in this new edition. He presented the papers that we jointly developed at
The CEWIT International Conference & Expo on Emerging Technologies for a Smarter World, which have been published
by the IEEE.
I am thankful to Dr. Bhuvan Unhelkar for having written the Preface for the first edition of the book. With him I have
published technical papers and have also contributed chapters to the reference handbook edited by him in the domain of
Mobile Business and Green IT.
The author would also like to take this opportunity to thank Mr. Anwar Tamboowala who did the technical review of some
of the chapters.
I am very grateful to my family whose support has been pivotal in my career and during this project too.
Several other individuals contributed in their own special ways; I sincerely thank all of them, though I have not individually
mentioned their names.

Nina Godbole



Contents

Foreword vii
About the Author ix
Preface to the Second Edition xi
Preface to the First Edition xv
Acknowledgments xix
List of Figures xliii
List of Tables liii
List of Boxes lv

Part I  Introduction
1 Information Systems in Global Context
Learning Objectives 3
1.1 History of Information Systems 3
1.2 Importance of Information Systems 4
1.3 Basics of Information Systems 5
1.4 The Changing Nature of Information Systems 6
1.5 Globalization of Businesses and the Need for Distributed Information Systems 9
1.6 Global Information Systems: Role of Internet and Web Services 10
1.7 Information Systems Security and Threats: A Glimpse 12
Summary 13
Review Questions 13
Further Reading 13

2 Threats to Information Systems


Learning Objectives 15
2.1 Introduction 15



xxii CONTENTS

2.2 New Technologies Open Door to the Threats 15


2.3 Information-Level Threats versus Network-Level Threats 16
2.4 Information Systems Security: Threats and Attacks 17
2.5 Computer Viruses: The bête noire of Computing Era 18
2.6 Classifications of Threats and Assessing Damages 19
2.7 Protecting Information Systems Security 21
Summary 23
Review Questions 23
Further Reading 23

3 Information Security Management in Organizations


Learning Objectives 25
3.1 The Context for Information Security Management (ISM) 25
3.2 Security Policy, Standards, Guidelines and Procedures 25
Security Policy and Policy Types 25
Types of Policies 26
3.3 Information Security Scenario in the Financial Sector 30
3.4 Information Security Management System (ISMS) 30
3.5 Organizational Responsibility for Information Security Management 31
3.6 Information Security Awareness Scenario in Indian Organizations 33
Summary 34
Review Questions 35
Further Reading 35

4 Building Blocks of Information Security


Learning Objectives 37
4.1 Introduction 37
4.2 Basic Principles of Information Systems Security 37
4.3 Security-Related Basic Terms and Definitions 39
4.4 The Three Pillars of Information Security 40
Confidentiality 40
Integrity 40
Availability 41
4.5 Other Important Terms in Information Security 42
4.6 Information Classification 42
4.7 Terms for Information Classification 43
4.8 Criteria for Classification of Data and Information 43
4.9 Information Classification: Various Roles 45
4.10 Data Obfuscation 46
4.11 Business Systems’ Classification 47
4.12 Event Classification 48
Summary 49
Review Questions 49
Further Reading 49




5 Information Security Risk Analysis


Learning Objectives 51
5.1 Introduction 51
5.2 Terms and Definitions for Risk Analysis of Information Security 52
5.3 Risk Management and Risk Analysis: What it is and the Need for it 53
Staged Methodology for Risk Analysis 54
5.4 Approaches and Considerations in Information Security Risk Analysis 56
How Quantitative Risk Analysis is Done 56
How Qualitative Risk Analysis is Done 57
5.5 Auditing Perspective on Information Security Risk Analysis 60
Summary 62
Review Questions 62
Further Reading 62

Part II  Cloud, Mobile Applications, Smartphone, IoT, Smart Cities and Wireless Networks in Security Perspective
6 Security Considerations in Mobile and Wireless Computing
Learning Objectives 67
6.1 Introduction 67
6.2 Proliferation of Mobile and Wireless Devices 68
6.3 Trends in Mobility 69
6.4 Credit Card Frauds in Mobile and Wireless Computing Era 70
6.5 Security Challenges Posed by Mobile Devices 72
6.6 Registry Settings for Mobile Devices 73
6.7 Authentication Service Security 74
Cryptographic Security for Mobile Devices 76
LDAP Security for Handheld Mobile Computing Devices 76
RAS Security for Mobile Devices 77
Media Player Control Security 78
Networking API Security for Mobile Computing Applications 79
6.8 Mobile Devices: Security Implications for Organizations 80
Managing Diversity and Proliferation of Handheld Devices 80
Threats Through Lost and Stolen Devices 81
Protecting Data on Lost Devices 81
Educating the Laptop Users 82
6.9 Organizational Measures for Handling Mobile Devices Related Security Issues 83
Encrypting Organizational Databases 83
Including Mobile Devices in Security Strategy 83
6.10 Organizational Security Policies and Measures in Mobile Computing Era 84
Importance of Security Policies Relating to Mobile Computing Devices 84
Operating Guidelines for Implementing Mobile Device Security Policies 84
Organizational Policies for the Use of Mobile Handheld Devices 85
6.11 Laptops 85
Physical Security Countermeasures 85




6.12 Use of RFID in Mobile Commerce and Information Asset Protection 88


6.13 Wearable Devices and Security Threats 89
Summary 94
Review Questions 94
Further Reading 95

7 Security in Cloud Computing


Learning Objectives 97
7.1 Introduction 97
7.2 Cloud Computing: Why? 98
Why Cloud Computing? 100
7.3 How Does Computing with the ‘Cloud’ Work 101
7.4 Conceptual View of Cloud Computing − Characteristics and Deployment Models 106
Deployments for the Cloud 106
Cloud Deployment Models: Public, Private, Community and Hybrid 109
Cloud: Elasticity and Availability 111
7.5 Big Data and Cloud Computing 115
7.6 Security and Privacy Risks in Cloud Computing 116
The Pros and Cons of Cloud Computing 117
Security Issues in Cloud Computing Models 118
Cybercrime on Cloud Nine! – Protecting Data Privacy and Information Security in the Cloud 121
7.7 Protecting Information Security and Data Privacy in Cloud Computing 123
Summary 126
Review Questions 126
Further Reading 126

8 Smartphone Security
Learning Objectives 129
8.1 Introduction: The Emergence of Smartphones 129
8.2 Smartphones: Security Risks, Issues and Challenges 130
Security Problems with Smartphones 132
8.3 Protected Health Information and Smartphones 134
8.4 Smartphones and Electronically Stored Medical Information: The Challenges 135
8.5 Smartphones: The Downside 140
8.6 Guidelines for using Smartphone Securely 141
Summary 143
Review Questions 143
Further Reading 143

9 Security of Wireless Networks


Learning Objectives 147
9.1 Introduction 147
9.2 An Overview of Wireless Technology 148




9.3 Wireless Network Usage Scenario Today and Implications 149


9.4 Wired World versus Wireless World: Putting Wireless Networks in Information Security Context 151
9.5 Attacks on Wireless Networks 151
Unauthorized Access to Company Wireless Networks in Organizations 151
Other Security Risks in Wireless Networks 154
Management Countermeasures and Mitigations for Wireless Network Attacks 155
Summary 157
Review Questions 157
Further Reading 157

10 The Internet of Things (IoT) and Smart Cities: Security and Privacy Challenges
Learning Objectives 159
10.1 Introduction 159
10.2 The ‘Internet of Things’ (IoT): The New Kid on the Block 159
IoT: The Context 161
How Does the IoT Work? 163
IoT in Day-to-Day Life 167
10.3 Understanding Security and Privacy Issues in IoT 170
10.4 Intelligent Buildings: Security Threats 171
‘Intelligent Building’: The Concept 171
Intelligent Buildings and Security Risks 175
Security Best Practices for Intelligent Buildings 180
10.5 Smart Cities: Privacy and Security 182
10.6 Personal and Business Impact of IoT 188
Summary 190
Review Questions 191
Further Reading 191

Part III  Network Security and Other Controls


11 Biometrics for Security
Learning Objectives 197
11.1 Introduction 197
11.2 Access Control, User Identification and User Authentication 198
11.3 What is Biometrics? 198
11.4 Biometric Identification/Authentication Techniques 200
11.5 Biometric Techniques 202
11.6 Matching and Enrolment Process in Biometrics 208
11.7 Classification of Biometric Applications 210
11.8 Criteria for Selection of Biometric Application 212
11.9 Biometric Systems: Architectural Design Issues 213
Six Basic Steps in Biometric Systems 213
Design Issues in Biometric Systems 214




11.10 Biometric Measurement Issues 215


11.11 Key Success Factors for Biometric Systems 215
Accuracy 215
Speed and Throughput Rate 216
Acceptability by Users 216
Uniqueness of Biometric Organ and Action 216
Reliability of Biometrics 216
Data Storage Requirements in Biometric Systems 217
Enrolment Time in Biometrics 217
Data Collection Intrusiveness 217
Requirements about Subject and System Contacts 217
11.12 Benefits of Biometrics over Traditional Authentication Methods 218
11.13 Standards for Biometrics 218
11.14 Economic and Social Aspects of Biometrics 219
11.15 Legal Challenges in Biometrics 221
11.16 The Future of Biometrics 222
Summary 222
Review Questions 223
Further Reading 223

12 Network Security in Perspective


Learning Objectives 227
12.1 Need for Security in the Networked World 227
12.2 Net-Centric Information Systems 229
12.3 Basic Concepts of Network Security 230
Computer Security 230
Network Security 231
Trusted and Untrusted Networks 231
Unknown Networks 233
Network Attacks 233
12.4 Network Security Dimensions 237
12.5 Establishing Security Perimeter for Network Protection 237
Basics of Security Perimeter 237
Security Perimeter Design Considerations 239
Summary 240
Review Questions 240
Further Reading 240

13 Networking and Digital Communication Fundamentals


Learning Objectives 243
13.1 Introduction 243
13.2 Network Types 244
13.3 Network Architecture 245
13.4 Network Topologies 245
Physical Topology versus Logical Topology 246
Mesh Topology 247




Star Topology 247


Bus Topology 248
Ring Topology 249
Tree Topology 250
13.5 The OSI Seven-Layer Model 251
13.6 Network Components 254
Network Cables 255
Network Adapter Cards 256
Hub and Switching Hub or the Switch 256
Routers 256
Gateways and Bridges 258
Firewalls 259
13.7 Network Protocols 260
Link Protocol 260
OSI Protocols 261
Routing Protocols 263
Tunneling Protocols 264
13.8 Working of Networks and the Internet 265
13.9 Telecommunication Links and Other Important Related Topics 266
Circuit Switching and Packet Switching 266
Host 266
Dedicated Server 266
Workstation 267
Channel and Node 267
Contention 267
CSMA/CD 267
Twisted-Pair Cable 267
Coaxial Cable 268
Fiber Optics 268
Token, Token Passing and Token-Ring Network 269
IEEE 802.5 Token Ring 269
CAM and Polling Mechanisms 271
Summary 272
Review Questions 272
Further Reading 272

14 Cryptography and Encryption


Learning Objectives 275
14.1 Introduction 275
14.2 What is Cryptography? 276
14.3 Genesis and Application of Cryptography 277
14.4 Role of Cryptography in Information Security 278
14.5 Digital Signature – A Method for Information Security 278
Use of Keys for Data Encryption 279
Creating Digital Signature 280
Illicit Message – Message Tampering 281
Trusted Certificate 281
Use of Digital Certificate for Message Authentication 281




14.6 Cryptographic Algorithms 282
Key Management 282
Asymmetric and Symmetric Keys 283
Secret Key Nuances 283
Summary 287
Review Questions 287
Further Reading 287

15 Intrusion Detection for Securing the Networks


Learning Objectives 289
15.1 Introduction 289
15.2 Network Attacks – The Stages 290
15.3 Need for Intrusion Monitoring and Detection 292
15.4 Intrusion Detection for Information Systems Security 292
Conceptual Approaches to Intrusion Detection Methodologies 293
Categories of Intrusion Detection System 293
Characteristics of a Good Intrusion Detection System 294
Role of Router in Intrusion Detection System 295
Today’s Challenges for Intrusion Detection Systems 296
Implementing IDS 298
The Future of Intrusion Detection Systems 299
Summary 299
Review Questions 300
Further Reading 300

16 Firewalls for Network Protection


Learning Objectives 303
16.1 Introduction 303
16.2 What are Firewalls? 304
Firewall Deployment 304
16.3 Demilitarized Zone (DMZ) 305
16.4 Why Firewalls are Needed – Protection Provided by Firewalls 306
16.5 Proxy Servers 307
16.6 Topologies for Different Types of Firewalls 308
Packet-Filtering Firewalls or Screening Routers 308
Application-Level Firewalls or Application Gateway Firewalls 310
Screened-Host Firewall 311
Stateful Inspection Firewall 312
16.7 Examining Firewalls in the Context of Intrusion Detection Systems 314
16.8 Firewalls vis-à-vis Routers 315
16.9 Design and Implementation Issues in Firewalls 316
16.10 Policies for Firewalls – The Importance 316
16.11 Using Firewalls Effectively 317
16.12 Vendors of Firewall Products 318
Summary 319
Review Questions 319
Further Reading 319




17 Virtual Private Networks for Security


Learning Objectives 321
17.1 Introduction 321
17.2 What is a Virtual Private Network? 322
17.3 The Need for Virtual Private Networks 322
17.4 Role of a Virtual Private Network for an Enterprise 323
17.5 Use of Tunneling with Virtual Private Networks 324
17.6 Working of Virtual Private Networks 324
17.7 Authentication Mechanisms in Virtual Private Networks 325
17.8 Types of VPNs and Their Usage 326
Remote Access VPN or User VPN 326
Site-to-Site VPN 327
17.9 Tunneling Security 328
VPN Protocols 328
17.10 VPN Technologies 330
17.11 VPN Architecture 330
Firewall-Based VPNs 331
Router-Based VPNs 331
Remote Access-Based VPNs 331
Hardware (Black Box)-Based VPNs 331
Software-Based VPNs 331
17.12 Configurations/Topologies for Virtual Private Networks 332
17.13 Security Concerns in VPN 333
VPN Usage Scenarios Warranting Security 333
Generic Issues for Security of the VPN 334
Security Issues Specific to VPN Types 334
Summarizing VPN Security Considerations 335
17.14 VPN Best Practices 335
Summary 336
Review Questions 336
Further Reading 337

Part IV  Security of Applications and Operating Systems


18 Security of Electronic Mail Systems
Learning Objectives 341
18.1 Introduction 341
18.2 Today’s Electronic Mail Usage Scenario 341
18.3 Electronic Mail System Mechanism 342
18.4 The Growing Power of Electronic Mail Systems 343
E-mail is the New Messaging Media 343
Mail-Enabled Applications 343
18.5 Security Threats Posed By Electronic Mails 344
18.6 Countermeasures to Protect from Threats Posed Through E-Mails 345
18.7 Governance for Electronic Mail Systems 348
Standards for Secure Electronic Mail 348




Conditions/Rules for E-mail Access 349


Retaining Records from an E-mail System 349
Internet Security 350
Summary 351
Review Questions 352
Further Reading 352

19 Security of Electronic Commerce


Learning Objectives 353
19.1 Introduction 353
19.2 ‘Electronic Commerce’ Paradigm 355
What is ‘Electronic Commerce’? 356
The Models and Internet Domains for Electronic Business/Electronic Commerce 357
Advantages of Electronic Commerce 360
19.3 Strategic Issues in EDI Security 360
19.4 The IT Environment and Infrastructure for Electronic Commerce 362
19.5 Security Issues and Concerns in the Electronic Commerce 366
Electronic Banking: Security Concerns 367
Ensuring Security in Electronic Commerce 381
Summary 382
Review Questions 382
Further Reading 382

20 Security of Databases
Learning Objectives 387
20.1 Introduction 387
20.2 Database Security Challenge in the Modern World 388
20.3 Databases in the Context of Business Intelligence 388
20.4 Nature of Database Security Issues: Why it is Important? 390
20.5 Federated Databases: The Need and the Security Issues 390
What are Federated Databases? 392
How is a Federated Database System Used in Business 393
Understanding Federated Databases vis-à-vis Distributed Databases 395
Security Issues in Federated Database Systems 395
20.6 Securing the Contents of Mobile Databases 397
What and Why of Mobile Databases 397
Mobile Database Usage Scenarios 397
Mobile Databases: Security and Usage Issues 397
20.7 Securing Connectivity with Enterprise Databases 398
Database Security Issues 399
Guarding Against Database Vulnerabilities 399
20.8 Data Integrity as a Parameter for Database Security 402
20.9 Database Security Policy 403
User Access to the Database 403
Data Sensitivity 403
Audit Policy 404
Other Questions 404




Summary 405
Review Questions 405
Further Reading 405

21 Security of Operating Systems


Learning Objectives 407
21.1 Introduction 407
21.2 Role of Operating Systems in Information Systems Application 407
21.3 Operating System Types 409
21.4 Operating Systems, Functions and Tasks 409
21.5 Network Operating Systems (NOSs) 410
Role of Network Operating Systems 410
21.6 Operating System Security 411
21.7 Host Security and OS Hardening 412
Securing the Host 412
Hardening the Operating System 412
21.8 Patched Operating System 414
21.9 Current ‘Insecurity’ Scenario 414
Summary 415
Review Questions 415
Further Reading 415

Part V  Models, Frameworks and Metrics for Maturing Security Practices


22 Security Models, Frameworks, Standards and Methodologies
Learning Objectives 419
22.1 Introduction 419
22.2 Terminology 420
ISO 27001 421
COBIT – Control Objective for Information and Related Technology 421
Information Security Management Maturity Model 422
Systems Security Engineering Capability Maturity Model (SSE-CMM) 422
InfoSec Assurance Capability Maturity Model (IA-CMM) 422
ITIL and the BS 15000 422
The McCumber Cube 424
22.3 Methodologies for Information Systems Security 425
InfoSec Assessment Methodology (IAM) 425
InfoSec Evaluation Methodology (IEM) 425
Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) 425
Open Source Security Testing Methodology Manual (OSSTMM) 426
Security Incident Policy Enforcement System (SIPES) 426
Summary 427
Review Questions 427
Further Reading 427




23 ISO 17799/ISO 27001


Learning Objectives 429
23.1 Introduction 429
23.2 Evolution of the Standard 430
23.3 ISO 27001 in Organizational Context: Relation to ISO 17799 432
23.4 Inside the ISO 17799 433
23.5 ISMS Implementation in Organizations Using Security Controls of ISO 27001 441
23.6 Security Certification Using the ISO 17799/ISO 27001 442
23.7 Benefits of ISO 27001 Certification 443
Summary 444
Review Questions 444
Further Reading 444

24 COBIT, COSO-ERM and SOC


Learning Objectives 447
24.1 Introduction 447
24.2 Control Objectives for Information and Related Technologies – the COBIT 447
Structure and Objectives of COBIT 449
COBIT and IT Governance 451
24.3 COSO Enterprise Risk Management Model (COSO-ERM) 453
COSO Description 453
24.4 ERM: Definition and History 455
Why ERM is Important? 456
ERM Benefits 458
24.5 Service Organization Control (SOC) 458
Summary 460
Review Questions 461
Further Reading 461

Part VI  Metrics, Legal Aspects and Privacy Consideration for Information Security

25 Security Metrics
Learning Objectives 465
25.1 Introduction 465
25.2 What are Measurements and Metrics? 466
25.3 Security Metrics Basics 467
25.4 Security Metrics Classification 468
25.5 Why Security Metrics are Important 469
25.6 Benefits of Using Security Metrics 470
25.7 InfoSec Metrics Management in Organizations 470
25.8 Quantitative versus Qualitative Approach to Security Risk Metrics 470




25.9 Security Metrics for Considerations 472


25.10 Implementing Security Metrics Program 478
25.11 Components of Security Metrics Program 478
25.12 Metrics Development Process 479
25.13 Metrics Implementation Process 480
25.14 Implementation Approach 482
25.15 Communication of Security Metrics in the Organization 482
25.16 Key Success Factors in Implementing InfoSec Metrics 483
25.17 Pitfalls and Challenges in Organizational Security Metrics Program 485
Summary 486
Review Questions 486
Further Reading 486

26 Laws and Legal Framework for Information Security


Learning Objectives 489
26.1 Introduction 489
26.2 Information Security and the Law: The Rising Need 491
26.3 Understanding the Laws for Information Security: A Conceptual Framework 492
Legislative Solutions 494
Contractual Solutions 494
Evidential Issues 494
International Activity 494
26.4 The Indian IT Act 495
Scope and Coverage of the Indian IT Act 495
26.5 Laws for Intellectual Property Rights (IPR) 495
26.6 Patent Law 496
26.7 Copyright Law 496
26.8 Indian Copyright Act 497
26.9 Privacy Issues and Laws in Hong Kong, Japan and Australia 497
26.10 European Outlook on Laws for Information Security 499
26.11 Data Protection Act in Europe 500
UK Data Protection Act 501
Data Protection Law in France 501
American Laws on Data Protection, Privacy and Information Security 501
26.12 Health Insurance Portability and Accountability Act of 1996 (HIPAA) 502
Extension of the HIPAA 503
HIPAA and Data Protection Act Implications for Healthcare Services BPO in India 505
26.13 Gramm–Leach–Bliley Act of 1999 (GLBA) 507
26.14 Overview of Sarbanes–Oxley (SOX) 507
26.15 Legal Issues in Data Mining Security 507
26.16 Building Security into Software/System Development Life Cycle 508
26.17 Federal Information Security Management Act (FISMA) 510
26.18 The Need for Global Action 511
Summary 511
Review Questions 512
Further Reading 512




27 Privacy – Fundamental Concepts and Principles


Learning Objectives 515
27.1 Introduction 515
27.2 Why Privacy is a Business Issue? 518
27.3 Privacy and Security: Confusion and Conflict 523
27.4 Privacy and Related Key Terms and Concepts 525
27.5 Transactional Context and Historical Perspective for Privacy 527
27.6 The Growing Importance of Privacy 528
27.7 The Need for Privacy Awareness 529
27.8 Fair Information Practices (FIPs) 531
27.9 Information Privacy Principles (IPPs) 531
Principle 1 – Manner and Purpose of Collection of Personal Information 532
Principle 2 – Solicitation of Personal Information from Individual Concerned 532
Principle 3 – Solicitation of Personal Information Generally 532
Principle 4 – Storage and Security of Personal Information 533
Principle 5 – Information Relating to Records Kept By Record-Keeper 533
Principle 6 – Access to Records Containing Personal Information 533
Principle 7 – Alteration of Records Containing Personal Information 533
Principle 8 – Record-Keeper to Check Accuracy, etc., of Personal Information Before Use 534
Principle 9 – Personal Information to be Used Only for Relevant Purposes 534
Principle 10 – Limits on Use of Personal Information 534
Principle 11 – Limits on Disclosure of Personal Information 534
Summary 535
Review Questions 535
Further Reading 535

28 Privacy – Business Challenges and Technological Impacts


Learning Objectives 537
28.1 Introduction 537
28.2 Privacy and Direct Marketing 538
Threat of Digital Persona and Data Surveillance from Direct Marketing 540
Protecting Privacy Breaches in Direct Marketing: Regulatory Measures 541
28.3 Data Mining and Privacy Invasion 542
Privacy Threats through Data/Information Gathering and Database Proliferation 543
28.4 Privacy and Business Outsourcing 544
The Context for Privacy Issues in Outsourcing 545
28.5 Privacy Challenges in a Test Environment 548
The Context for Privacy during Systems Development Life Cycle (SDLC) 548
Data Privacy Issue during Testing 549
Privacy Implications for Test Data Environment Set-up 549
28.6 Masking the Test Data to Address Data Privacy during Testing 550
28.7 Best Practices – Data Privacy in Test Data Management 553
Who should be Responsible for Data Masking? 553
28.8 Privacy – Technological Impacts 556
Privacy Implications of RFID Technology 556




RFID and Human Identification: Privacy and Security Issues 562


Privacy Issues with Use of Biometric Technology 564
Legal Issues in Biometrics 570
Organizational Implications for Using Biometrics Authentications Systems 571
Privacy and Smart Card Applications 573
Privacy Issues in Intelligent Software Agents 576
Summary 584
Review Questions 584
Further Reading/Viewing 584

29 Privacy Aspects of Web Services


Learning Objectives 589
29.1 Introduction 589
29.2 Privacy on the Internet – A Legal Perspective and Organizational Implications 590
Privacy and the Internet: Privacy Violation 590
The Nature of Privacy Problems on the Web 590
Legal Issues with Use of Internet 591
Online Trust – The Government Scenario 591
Web Services and Their Privacy and Security Implications 591
Web Services Role in Today’s Businesses 592
Web Services Working: An Illustration 593
29.3 Privacy Considerations in Web Services 595
Data Privacy Considerations in Web Services 596
E-Privacy Considerations 596
Digital Credentials – For Privacy Protection While Interacting with Web Services 597
Data Filters to Preserve Privacy in Web Services 597
Understanding Web Privacy 598
Factors That Cause Web Privacy Violations 599
How Website Privacy Works with P3P? 601
29.4 Privacy in the Semantic Web 603
Digital Certificates and Privacy 604
Use of Private Credentials 606
Web Services – Context Specifications and Context Propagations 606
29.5 Privacy Considerations in the Use of Context-Sensitive Technologies 608
Context Sensitiveness and Concerns Around It 609
Use of Context-Sensitive Technologies for Tracking People 610
Design Issues for Context-Sensitive Applications Based on Web Services 610
29.6 Security and Privacy Aspects of Service-Oriented Architectures 610
Summary 614
Review Questions 615
Further Reading 615

Part VII  Security Best Practices


30 Staffing the Security Function
Learning Objectives 619
30.1 Introduction 619




30.2 Security Reporting Structure in Organizations 620


30.3 Choices for Placement of Security Function in Organizations 621
30.4 Managing Security Staffing – Possible Approaches 622
Focusing on the Key Issues in Staffing 622
Overcoming Security Staffing Budget Problems 622
30.5 Security Certifications 624
Summary 625
Mini Assignments 625
Further Reading 626

31 Business Continuity and Disaster Recovery Planning


Learning Objectives 627
31.1 Introduction 627
31.2 The Genesis of DRP 629
31.3 Importance of BCP 631
The Essence of Business Continuity Planning 632
Vulnerability Assessment 632
31.4 Business Impact Analysis 633
31.5 Approaches to DRP 635
31.6 Defining Business Goals to Prepare for BCP and DRP 635
31.7 Types of Alternate Sites from BCP Perspective 637
31.8 DRP Test Types 638
31.9 Identification of Key Personnel 639
31.10 Business Interruption Preparedness Checklist 640
General Information 640
Offsite Storage 640
Asset Inventories 641
Employee Safety Issues 641
Ongoing Maintenance 641
31.11 Business Resilience 642
Summary 643
Review Questions 644
Further Reading 644

32 Auditing for Security


Learning Objectives 645
32.1 Introduction 645
32.2 Basic Terms Related to Audits 646
32.3 Security Audits – What are They? 646
32.4 The Need for Security Audits in Organizations 648
32.5 Organizational Roles and Responsibilities for Security Audit 649
32.6 Auditor’s Responsibility in Security Audits 649
Auditor’s Attention to Access Controls 650
Auditor’s Attention to Change Controls 652
Auditor’s Attention to Virus Vulnerability, Pests and Spyware 652
Auditor’s Attention to Data Consistency 653




Auditor’s Attention to Documentation 653


Auditor’s Attention to Systems Development 653
Auditor’s Attention to Backup, Recovery and Contingency Planning 654
Auditor’s Attention to Copyright Violations 654
Auditor’s Attention to Home Use of Computers 654
32.7 Types of Security Audits 654
32.8 Approaches to Audits 655
32.9 Technology-Based Audits – Vulnerability Scanning and Penetration Testing 657
The Need for Technology-Based Audits 657
What is Penetration Testing and the Need for Penetration Testing 658
Vulnerability Scanning 666
Legal Implications of Port Scanning 669
Difference Between Penetration Testing and Vulnerability Assessment 674
Standards Compliance Context for Technology-Based Audits 675
32.10 Resistance to Security Audits 675
32.11 Phases in Security Audit 676
32.12 Security Audit Engagement Costs and Other Aspects 678
32.13 Budgeting for Security Audits 678
32.14 Selecting External Security Consultants 681
32.15 Key Success Factors for Security Audits 681
Summary 682
Review Questions 683
Further Reading 683

33 Privacy Best Practices in Organizations


Learning Objectives 685
33.1 Introduction 685
33.2 Privacy – Organizational Implications 686
Protecting the Privacy of Customer and Employee Information 686
Adopting Privacy Policies 687
Website Privacy Best Practices in Organizations 688
Controls for Minimizing Privacy Violation/Protecting Privacy Violations on Websites 688
Responsibilities for Maintaining Web Privacy Practices 689
Misusing Personal Data Attracts Penalties 690
Legal Context for Privacy Audits 690
33.3 Privacy Audits – Driving Factors 691
Why Data Privacy Audits are Important? 691
Privacy Audit Framework and Approach 692
33.4 Privacy Practices: Caveats for Management – Planning and Oversight 693
Privacy Protection as Part of Management Cycle 693
Privacy Policy – Definition, Implementation and Assessment 694
Working with the Privacy Auditor 694
33.5 Privacy Auditing Standards and Privacy Audit Phases 696
The Privacy Audit Process 696
Privacy Audit Design 697
Risk Analysis for Privacy Audit 697
Planning a Privacy Audit 699
Conducting a Privacy Audit 699

ISS_FM.indd 37 4/24/2017 4:43:16 PM


xxxviii CONTENTS

Reporting the Results of Privacy Audit 700
Audit Evaluation and Closing Meeting 702
Using the Results of Privacy Audits 702
Use of External Agencies in Privacy Audits of Organizations 702
Organizational Measures for Data Privacy and Data Protection: Practical
Implementation Guidance 703
33.6 Privacy Officer: The Job and Responsibilities and Skills 705
Key Success Factors for the Privacy Officer 707
Can the Job of a Privacy Officer Conflict with the Job of a Security Officer? 708
To Whom Should the Privacy Officer Report? 708
33.7 Privacy Impact Assessments of Information Systems Application 709
33.8 Organizational Reactions to Privacy Audits 710
Summary 712
Review Questions 712
Further Reading 713

34 IT Asset Management
Learning Objectives 715
34.1 Introduction 715
34.2 Understanding the Organizational Context for Asset Management 717
What is an Asset and Software Asset? 717
Information Technology Assets (IT Assets) and Business Assets 717
Information Assets in Organizations 722
Information in the Profit-Oriented World 724
Information in the Non-Profit World 724
34.3 Security Aspects in IT Asset Management 726
Assets, Risks and Asset Protection 726
34.4 Asset Management in Organizations: Issues and Challenges 727
IT Asset Management Challenges 727
Issues in Software License Management 728
Managing Distributed Software Assets 728
34.5 Asset Management Life Cycle 729
Planning for Assets 730
Evaluation/Asset Acquisition/Asset Procurement 730
Asset Deployment 731
Asset Usage and Change Management 731
Scrapping/Retiring/Salvaging the Asset 731
34.6 Tools for IT Asset Management 731
34.7 Benefits of Asset Management 732
34.8 Roles and Responsibilities in Asset Management 734
34.9 Identifying Asset Containers 735
Protecting Assets: Owners and Custodians 736
Custodian–Owners Scenarios in Asset Management 738
34.10 Organizational Best Practices in IT Asset Management 739
Asset Classification – Getting Ready for the Asset Register 740
Building the Asset Register/Asset Inventory: The Benefits 744
Software License Management 745
Managing Access to Organization’s Information Assets 746
ITIL and Asset Management 748
Performance Metrics for Asset Management 749
34.11 Treatment of IT Assets in the Company’s Book of Accounts 750
34.12 SOX Compliance Requirements for IT Assets 751
SOX Section 404 and IT Controls in Asset Management Context 751
Role of Internal Controls for SOX Compliance in Asset Management 754
Auditors’ Responsibility in Examining Asset Management 756
34.13 SAS 70 and the Asset Manager 757
34.14 Managing Software Assets 759
Managing Customer-Loaned Assets – The Origins and the Need 760
Audit Issues in IT Asset Management 760
34.15 IT Asset Management – Key Success Factors 761
Summary 762
Review Questions 762
Further Reading 763

Part VIII Other Important Concepts in Information Systems Security
35 Physical Security: An Overview
Learning Objectives 767
35.1 Introduction 767
35.2 Need for Physical Security 767
35.3 What is Physical Security? 768
35.4 Natural Disasters and Controls 771
35.5 Basic Tenets of Physical Security of Information Systems Resources 772
Defense-in-Depth 772
Controlling the Physical Access 772
Intrusion Detection Systems 772
Physical Access on a ‘Need-to-Know’ Basis 773
35.6 Physical Entry Controls: Protecting Organization’s Physical Entry Points 773
Protection of Secure Areas 773
Controlling Visitors 774
Entry by Media Representatives 774
Physical Security of Facilities, Rooms and Office Premises 774
Fireproof Safes and Security Containers for Physical Protection of Data 775
Physical Security Through Use of Cables and Locks 776
Summary 776
Review Questions 777
Further Reading 777

36 Perimeter Security for Physical Protection
Learning Objectives 779
36.1 Introduction 779
36.2 Scope of Perimeter Security 781
36.3 Typical Terms in Perimeter Security 781
36.4 Elements of Perimeter Security 782
Facility Access Control 782
Personnel Access Control 782
Protection for External Boundaries 784
Intrusion Detection Systems (IDSs) 785
Summary 786
Review Questions 786
Further Reading 786

37 Business Applications Security: An EAI Perspective
Learning Objectives 789
37.1 Introduction 789
37.2 Meaning and Evolution of EAI 790
IT Systems in Pre-EAI Era 790
IT Systems and IS Applications in Modern Era 791
37.3 Application Security: Basic Issues 794
DBMS and Security 794
Security Essentials for (Business) Applications 795
37.4 Understanding Web Services in the Context of EAI 797
37.5 Business Drivers for Enterprise Application Integration 797
37.6 Application Communication Through EAI 799
37.7 Role of Web Services in Enterprise Application Integration 800
37.8 Security Complexities and Complications Due to Enterprise Application Integration 801
Application Integration – Understanding Security Complexities: Example 1 802
Application Integration – Understanding Security Complexities: Example 2 803
37.9 Security Threats and Risks for the Extended Enterprise 805
37.10 Mitigating Security Issues in Enterprise Application Development 810
Summary 810
Review Questions 811
Further Reading 811

38 Systems Security Engineering Capability Maturity Model – The SSE-CMM
Learning Objectives 813
38.1 Introduction 813
38.2 What is Security Engineering? 814
The Need for Security Engineering 815
38.3 SSE-CMM – Nature and Scope 816
38.4 Importance of the SSE-CMM Model 816
38.5 Target Audience for the SSE-CMM 817
Benefits to the Security Service Providers 817
Benefits to the Countermeasure Developers 817
Benefits to the Product Developers 818
Benefits to Industry Segments 818
Benefits to Engineering Organizations 818
Benefits to Acquiring Organizations 818
38.6 SSE-CMM Usage Paradigm 818
38.7 SSE-CMM – Structure and Architecture 819
38.8 Process Areas of the SSE-CMM 820
PA01 – Administer Security Controls 820
PA02 – Assess Impact 822
PA03 – Assess Security Risk 822
PA04 – Assess Threat 822
PA05 – Assess Vulnerability 822
PA06 – Build Assurance Argument 823
PA07 – Coordinate Security 823
PA08 – Monitor Security Posture 823
PA09 – Provide Security Input 824
PA10 – Specify Security Needs 824
PA11 – Verify and Validate Security 824
38.9 Common Misconceptions About Capability Maturity Models 825
Summary 825
Review Questions 826
Further Reading 826

39 Information Security: Other Models and Methodologies
Learning Objectives 827
39.1 Introduction 827
39.2 Other Frameworks for Information Security 828
The NSTISSC Security Model 828
ITIL and ISO 20000 (formerly BS 15000) 829
Information Security Management Maturity Model (ISM3) 833
InfoSec Assurance Capability Maturity Model (the IA-CMM) 837
The NIST Framework 838
The Common Criteria 841
BASEL II 844
39.3 Other Methodologies and Standards for Information Security 845
InfoSec Assessment and Evaluation Methodology (IAM and IEM) 845
ISACA Standards for IS Auditing 846
Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) 848
Open Source Security Testing Methodology Manual (OSSTMM) 850
Turnbull Guidance 853
Summary 854
Review Questions 854
Further Reading 854

40 Ethical Issues and Intellectual Property Concerns in Information Security
Learning Objectives 857
40.1 Introduction 857
40.2 Information Systems – Threats from Within 859
40.3 Characteristics of Insider Attacks on Organizational Information Systems 861
40.4 The Nature of Ethical Issues in the Networked Enterprise 862
Computer Ethics and Security and Privacy Issues 862
Ethical Issues Faced by Information Technology Professionals 864
Statistics on Unethical Internet Activities 865
40.5 Implications for the Healthcare Industry: Ethical and Legal Concerns 866
40.6 Data Auctioning, Data Hijacking and Data Laundering: Ethical Issues in
Paramedical Process Outsourcing 867
40.7 Ethical Issues Owing to Information Warfare 868
40.8 Cryptography, Cryptographic Tools and Ethical Issues 869
Issues About (Cryptographic) Key Escrow 871
Individual Access Rights in Cryptography 872
The Issue About Tracking People’s Work 872
40.9 Understanding Ethical Hacking 873
Who are Ethical Hackers and What They Do? 873
The Need for Ethical Hackers 874
Ethical Hacking as a Career Alternative 874
40.10 Social Engineering Issues 875
40.11 Concerns from Information Brokers’ Activities 876
40.12 The Need for Ethical Guidance for Security Professionals 877
40.13 Understanding Intellectual Property and its Various Forms 877
Copyright 878
Patents 879
Trademark 880
Trade Secret 880
Trade Name and Trademark 880
Domain Name 881
40.14 Trademark, Trade Name, Company Name, Business Name and Domain Name –
The Relationship 881
Implications of Domain Name Registration for Trademarks, Business Names
and Company Names 882
40.15 Ethical Domain for Information Security: Some Concluding Thoughts 882
Summary 882
Review Questions 883
Further Reading 883

Index 887

CD Content
Appendices
Case Illustrations
Workshop Mapping
Web Link

List of Figures

1.1 The interdependence between organizations and information systems 4
1.2 The extended enterprise 5
1.3 Functions of an information system 5
1.4 Mainframe-based information systems 7
1.5 Client/server-based information systems 7
1.6 Architecture of web-based information systems 8
1.7 The wider scope of information systems 10
1.8 The Internet 11
2.1 Generic threat profile 20
3.1 Policy hierarchy chart 26
3.2 Capability levels for maturity of security engineering practices 28
3.3 Building blocks of information security 29
3.4 Documentation levels in information security management system 31
3.5 Hierarchy of security policies, standards and procedures 32
3.6 Barriers to security 34
3.7 IT security challenges for Indian organizations 34
4.1 Security goals 38
4.2 Security layers 38
4.3 The CIA triad 40
4.4 Relationships among different security concepts 48
5.1 Threats, vulnerabilities, assets and risks 51
5.2 Risk analysis/risk management process 54
5.3 Relationship among entities in risk analysis model 55
5.4 Auditing perspective on risk analysis 61
6.1 Typical handheld devices 68
6.2 Mobile, wireless and handheld devices 69
6.3 Mobility types and implications 69
6.4 Online environment for credit card transactions 71
6.5 CLEW – closed loop environment for wireless 72
6.6 Important issues for managing mobile devices 73
6.7 Registry value browsing 74
6.8 Push attack on mobile devices 75
6.9 Pull attack on mobile devices 75
6.10 Crash attack on mobile devices 76
6.11 Communication from mobile client to organization information store 77
6.12 Most important management or support issues for laptops 82
6.13 Cable lock for laptops 86
6.14 Closer view of cable locks for laptops 86
6.15 Laptop alarm systems with sensors 87
6.16 Wearable technology (wearable gadgets) 90
6.17 Types of wearable devices 92
7.1 Cloud computing 99
7.2 A typical cloud computing configuration 101
7.3 What and where of ‘Middleware’ 105
7.4 Middleware 106
7.5 Conceptual view of cloud computing 107
7.6 Public cloud access 110
7.7 Private cloud access 111
7.8 Hybrid cloud access 111
7.9 Agile methodology 120
7.10 Gap analysis for cloud security 125
8.1 Cellular phone: The evolution 130
8.2 Smartphone security risks originating from the OS 132
8.3 How a ‘zombie’ works 134
8.4 IMD market in USA (2010−2018) 136
8.5 Implantable medical devices 136
8.6 Portable medical devices 137
8.7 Portable medical devices (brain scanners and imagers) 138
8.8 Wireless electrocardiogram 139
8.9 Shoulder surfing 142
9.1 An example of a wireless infrastructure mode network 148
9.2 Taxonomy of security attacks 152
9.3 Mobile ad hoc network 154
10.1 The Internet of Things (IoT): The concept 160
10.2 Mesh topology 162
10.3 Examples of wearable devices 164
10.4 More examples of wearable devices 164
10.5 The architecture of Internet 165
10.6 Smarter planet: Putting it all together 170
10.7 The IoT roadmap 171
10.8 Intelligent building from facility management perspective 172
10.9 Support systems for intelligent buildings 172
10.10 The strategic grid of IT applications 174
10.11 Intelligent buildings 175
10.12 Generic threat profile and threat, exposure and risk 176
10.13 Proprietary networks in intelligent buildings 177
10.14 Security goals and security layers 178
10.15 Modern sports stadium: IP-based systems 180
10.16 Network infrastructure of an iBMS 181
10.17 The basic concept of a ‘smart grid’ 183
10.18 Urban and rural population of the world in the decade 184
10.19 Data privacy challenge of smart cities 187
10.20 The Big Data bytes 189
10.21 Devices in use globally due to the IoT 190
11.1 Biometric identification through gait recognition 199
11.2 Biometric identification: Acquisition, localization and matching 201
11.3 Biometric authentication: Acquisition, localization and matching 201
11.4 Finger contour 202
11.5 Finger recognition system 203
11.6 Hand geometry recognition system 203
11.7 Human palm vein geometry 204
11.8 The anatomy of a human eye 206
11.9 Retinal scanning equipment 207
11.10 Process flow in biometrics matching 208
11.11 Process flow in obtaining a minutiae 209
11.12 Biometric enrolment and matching process 210
11.13 The six basic steps in a generic biometric system 214
12.1 Today’s network security threats 228
12.2 Information security layers 228
12.3 Network trust – trusted and untrusted networks 232
12.4 Network traffic analysis – daily statistics sample 234
12.5 Types of perimeter networks 238
12.6 Network vulnerabilities – sample network 238
13.1 Local area network and wide area network 244
13.2 Physical network topology versus logical network topology 246
13.3 Network topologies: mesh, star and bus 246
13.4 Network topologies: ring and tree 247
13.5 Star topology 247
13.6 Bus topology 248
13.7 Token passing in a ring topology 250
13.8 Ring topology 250
13.9 Tree topology 251
13.10 The seven layers of the OSI reference model separated into two sets,
application set and transport set 252
13.11 The seven layers of the OSI reference model 253
13.12 The OSI model compared to the TCP/IP model 254
13.13 Important hardware components of computer network 254
13.14 Fiber-optic patch cords, connectors and co-axial cables 255
13.15 RJ-45 connector 255
13.16 Routing in simple networks 257
13.17 IP address for networks 257
13.18 A gateway in operation 258
13.19 Synchronous transmission versus asynchronous transmission 261
13.20 Fiber-optics principle 262
13.21 Computers woven in the Internet 265
13.22 Coaxial cable illustration 268
13.23 Fiber-optic cable illustration 268
13.24 Fiber-optic connectors 269
13.25 Working of token-ring network – 1 270
13.26 Working of token-ring network – 2 270
13.27 Working of token-ring network – 3 271
13.28 Working of token-ring network – 4 271
14.1 Block cipher and stream cipher systems 277
14.2 Public and private keys 279
14.3 Message encryption and decryption using public and private keys 279
14.4 Message digest creation 280
14.5 Digital signature 280
14.6 Digital certificate 281
14.7 Symmetric encryption method 283
14.8 Asymmetric encryption method 284
15.1 Essentials for information protection 290
15.2 Intrusion monitoring system 292
15.3 Router security: Layered view 296
15.4 Types of attacks 298
16.1 Firewalls in a two-tier network 304
16.2 Firewalls in a three-tier network 305
16.3 The demilitarized zone (DMZ) 305
16.4 A packet-filtering firewall 308
16.5 An application-level firewall 310
16.6 A simple dual-homed firewall 310
16.7 A screened-host firewall 311
16.8 A bastion host 312
16.9 Packet processing logic of firewall 313
16.10 Remote procedure calls 314
16.11 Architecture with router and firewall 315
17.1 Virtual private network 322
17.2 Service end points in a virtual private network 323
17.3 Business entities connected through a VPN 323
17.4 Wireless access point 326
17.5 Remote access VPN 327
17.6 Site-to-site VPN 327
17.7 The SSL protocol 328
17.8 Requirements in a public-key infrastructure 332
19.1 Electronic data interchange 354
19.2 The ‘drivers’ of e-Comm 356
19.3 e-Business types 358
19.4 The supply chain 360
19.5 The medium for e-Business 362
19.6 The physical and network infrastructure components of the Internet 363
19.7 The web-based architecture for e-Comm 363
19.8 e-Business infrastructure: The layers. Here CRM is customer relationship management
and SCM is the supply chain management 365
19.9 e-Comm architecture: examples 366
19.10 Credit cards and online shopping 367
19.11 Online banking/e-Banking/Internet Banking: Possible safety tools (SMS challenge code) 369
19.12 e-Banking: Attacks on SMS challenge code 370
19.13 Online banking/e-Banking/Internet banking: Attacks on image verification 370
19.14 Online banking/e-Banking/Internet banking: Attacks on PKI-based security systems 371
19.15 PKI-based hardware token for e-banking security 371
19.16 Payment gateway: The flow of transactions 373
19.17 SSL secure connection flow 375
19.18 SET and e-Comm with credit cards 376
19.19 Secure electronic transactions 378
20.1 Use of databases in organizations 388
20.2 Federations of Heterogeneous Databases 391
20.3 Federated database system and its components; an example 393
20.4 Architecture of federated database system 395
20.5 Administrator methods for database authentication 401
20.6 An example of data integrity 402
20.7 Data center protection 404
21.1 Evolution of operating systems 408
21.2 Operating system 408
21.3 Operating system vulnerabilities 411
21.4 Operating system hardening 413
22.1 ISO and security audit awareness in organizations 420
22.2 Nine areas of InfoSec Assurance Capability Maturity Model (IA-CMM) 423
22.3 ITIL components 423
22.4 Three faces of the McCumber Cube 424
22.5 Security map in the OSSTMM model 426
23.1 History of the ISO 27001 standard 429
23.2 Well-known ISO standards in the 27xxx series 430
23.3 The PDCA approach of ISO 27001 432
23.4 Implementation context for the PDCA cycle in ISO 27001 433
23.5 The key contexts of ISO 27001 434
23.6 Hierarchy of information security management assets 441
23.7 Entities involved in ISO 17799/ISO 27001-based security certification scheme 442
23.8 ISO 27001 certification process 443
23.9 Reasons for adaptation of the ISO 27001 standard 444
24.1 COBIT framework’s principles 448
24.2 IT governance domains 449
24.3 COBIT’s hierarchy 450
24.4 COBIT’s IT governance structure 452
24.5 Inter-relationship of COBIT components 453
24.6 The ERM cube 454
24.7 Internal control process flow 455
24.8 Risks and control layers in the COSO-ERM framework 456
24.9 ERM framework relationship with internal controls 456
24.10 CEO views on ERM 457
25.1 Security metrics for IS governance framework 466
25.2 Model and classification of security metrics 469
25.3 Components of security metrics 478
25.4 IT security metrics development process 480
25.5 IT security metrics program implementation process 481
25.6 Problems related to IS 485
26.1 Regulations and industry standards: Information security 490
26.2 Enterprise controls and threats 491
26.3 HIPAA compliance 504
26.4 Secure system development life cycle 509
26.5 The NIST risk management framework 511
27.1 Identity and anonymity 516
27.2 Dimensions of privacy space 516
27.3 Rise in the number of internal attacks 517
27.4 Business sectors impacted by data breaches (as of February 2006) 518
27.5 Common forms of identity theft 519
27.6 Security technologies used by organizations 520
27.7 Impact of data breaches on business (as of February 2006) 522
27.8 Loss of customer trust owing to data breaches 522
27.9 Major cyber crimes committed against organizations 523
27.10 Impact of cyber crimes on business 523
27.11 Privacy and security: Complementary roles 524
27.12 Security and privacy 524
27.13 Pervasive nature of security in organization 526
27.14 We all vouch for keeping your personal information as secret! 528
27.15 Privacy and identity protection: Acceptability of biometrics 530
27.16 Concerns among corporate executives 530
28.1 Privacy, Security and FIPs (Fair Information Practices) 538
28.2 Data warehouse approach to distributed data mining 542
28.3 Global model for software delivery 544
28.4 RFID system applications 557
28.5 Components of an RFID system 558
28.6 Privacy threats arising from within-enterprise use of RFID 560
28.7 Use of RFID between trading partners – privacy threats 561
28.8 Using RFID between trading partners – privacy threats 561
28.9 Biometrics authentication – 1 564
28.10 Biometrics authentication – 2 565
28.11 Technical and non-technical aspects of biometrics 571
28.12 Dimensions of software agents’ typology 577
28.13 Positioning of agents – intelligence and agency 578
28.14 Agent types 580
29.1 Web applications: The path of easiest exploit 592
29.2 Growth of web services 592
29.3 How web services work – broker, consumer and provider 593
29.4 How web services work – UDDI, SOAP and WSDL 593
29.5 WebSphere storefront for garden implements retail business 594
29.6 Web services standard stack and implementers 595
29.7 Data-filtering mechanism for privacy preservation 598
29.8 P3P-enabled HTTP transaction 602
29.9 A model for identity certificate 605
29.10 Context propagation protocols in web services 607
29.11 Use of service-oriented architecture (SOA) in day-to-day life 607
29.12 SOA for organizations 608
29.13 SOA 608
29.14 An example of secure service-based interactions 611
30.1 Reporting options for information security function 621
31.1 The business–IT interaction 628
31.2 DRP vis-à-vis BCP 630
31.3 Strategic grid 631
31.4 BCP roadmap 636
31.5 Business resiliency layers 643
32.1 Security audit context for organizations 647
32.2 Segregation of duties – SoD matrix 651
32.3 Typical IT infrastructure in an organization 658
32.4 Cross-site scripting attacks 662
33.1 Privacy certification roadmap 693
33.2 Phases of management cycle 695
33.3 Privacy audit life cycle activities 696
33.4 Privacy risk categories 699
33.5 Reporting structures for Privacy Officer 709
33.6 Data security attacks 709
33.7 Data privacy organization 711
34.1 Assets in organizations 716
34.2 Threats, vulnerabilities, assets and risks 718
34.3 The path to compromise an asset 718
34.4 Risk management matrix 720
34.5 Hardware assets of various kinds 721
34.6 VSAT usage scenarios 721
34.7 Sources of information for organizations 722
34.8 Trends affecting IT asset management 726
34.9 Stages in asset life cycle 729
34.10 Asset life cycle 730
34.11 Tokens for asset tracking 733
34.12 The asset life cycle and its workflows 734
34.13 Roles and responsibilities in the asset life cycle 735
34.14 Asset custodial responsibilities 737
34.15 Asset owners and custodians – possible scenarios 739
34.16 Benefits of asset inventory/asset register 744
34.17 Access management framework – key elements 747
34.18 Elevating access security across platforms 748
34.19 Major activities in software release 749
34.20 Asset classes and accounting 750
34.21 IT controls – SOX perspective 753
34.22 Risk-based approach to SOX implementation 756
34.23 The CMDB – holistic perspective for asset management 758
34.24 Optimizing asset repository – alignment with ITIL’s CMDB 759
35.1 A typical monitoring station for physical security 768
35.2 Physical security: Fire extinguishers 768
35.3 Real-life flood-induced damages to data centers 770
35.4 Classes of extinguishers 771
36.1 Perimeter protection systems for physical security 780
36.2 Physical access control devices for facilities 781
36.3 Proximity card used for physical access control 783
36.4 Fresnel unit for perimeter security 784
36.5 Intrusion detection system for physical security 785
37.1 The evolution of information systems 790
37.2 Traditional versus modern approach to application integration 792
37.3 Source of real-time information 792
37.4 Business dynamics of the extended enterprise 793
37.5 The extended enterprise: the driving force for enterprise application integration (EAI) 794
37.6 Interaction across multiple applications 798
37.7 Multiple business applications communicating through EAI 799
37.8 Using web services within an organization: An example 800
37.9 Integration need of large stock brokerage: An example 802
37.10 SCM environment and application integration: An example 804
37.11 Link-oriented security 807
37.12 End-to-end-oriented security 808
37.13 Web Services in the Context of SOA 809
38.1 The IDEAL cycle 814
38.2 Security engineering pervasiveness 815
38.3 Different views about security 815
38.4 The security engineering process 816
38.5 Maturity levels of the SSE-CMM engineering framework 819
38.6 Maturity levels characterization of the SSE-CMM 820
38.7 Common features of the SSE-CMM 820
38.8 Structure of the SSE-CMM 821
38.9 Architecture of the SSE-CMM – process areas 821
39.1 Holistic view and key components of ‘information security’ 828
39.2 The NSTISSC Security Model 828
39.3 ISO 20000: Relationship with QMS and ISMS 830
39.4 ITIL components 831
39.5 ISO 20000: Relationship with business, supplier and client sides 831
39.6 The Business–information technology interaction 832
39.7 ISM3 philosophy 834
39.8 CRAMM approach 835
39.9 Security investment and risk 837
39.10 IA-CMM capability levels 839
39.11 Common Criteria evolution 843
39.12 Evaluation-based information security risk management 849
39.13 Three-phase approach of OCTAVE 849
40.1 IT security versus information security 859
40.2 Insider attacks on information systems 860
40.3 Current and previous employees: insider attacks 861
40.4 Networked business environment 862
40.5 Hacker community 869
40.6 Digital right management architecture 872
40.7 Groups posing threats to information security 876

List of Tables

1.1 Business area-wise information 6
4.1 Roles and responsibilities of the owner, the custodian and the user 45
4.2 Business systems’ classifications 48
5.1 Formulae for risk analysis 53
5.2 Scale for exposure rating 57
5.3 Qualitative risk analysis example 58
5.4 Quantitative versus qualitative risk analyses 59
6.1 Security threats to wearable devices 93
7.1 Cloud computing service providers 100
7.2 Categories of cloud computing technology 107
7.3 Major areas of concerns in cloud computing domain 121
8.1 Smartphones: Security risks 131
8.2 Secure use of smartphones: Guidelines 141
9.1 Security attacks 152
10.1 Smart cities: Identity, anonymity and dimensions of privacy space 186
10.2 IoT benefits to businesses 189
11.1 Categorization of biometric applications 210
11.2 Criteria for selection of biometric characteristics 212
11.3 Strengths and limitations of biometric techniques 213
14.1 Cryptographic methods: Advantages and disadvantages 285
15.1 Knowledge-based IDSs versus behavior-based IDSs: Advantages and disadvantages 293
16.1 UDP protocol versus TCP protocol 309
16.2 Firewall products and their features 318
19.1 Internet domains used in e-Business 358
19.2 Payment gateways: Stepwise transactions flow 374
19.3 SSL: Advantages and disadvantages 375
19.4 Participants in SET 377
19.5 PCI-DSS: The scope of validation and the security requirements 380
21.1 Release, withdrawal and end of service dates of some major operating systems 411
23.1 Objectives and control aspects of 11 key contexts provided by ISO 17799 434
24.1 Hierarchy of COBIT domains 451
24.2 Type 1 versus Type 2 report 459
25.1 Quantitative and qualitative approaches to measuring security risk 472
25.2 Methods for security measurement 484
26.1 Results from the survey of 13 major commercially significant jurisdictions in Asia 497
27.1 Information privacy principles 532
28.1 Roles and responsibilities: Data privacy team within test data management 554
28.2 Privacy-related key questions about biometrics 568
28.3 Classification of agents 578
28.4 Protecting privacy violations with the use of intelligent (software) agents 582
29.1 Web privacy dimensions 599
29.2 Data magnet techniques 600
31.1 Vulnerability scanning tools 633
31.2 Systems classification 636
31.3 Relative advantages and limitations of alternate sites/facilities 637
32.1 Well-known port numbers 666
32.2 Vulnerability scanning tools 670
32.3 Perception problems with security audits 676
32.4 Reducing project risks 679
33.1 Inherent risk, privacy control risk and confirmatory audit risk 697
33.2 Questions about privacy/data protection 703
33.3 Job dimensions of a Privacy Officer in large organization 706
34.1 IT assets – the three key dimensions for protection prioritization 719
34.2 Information in organization – asset and anti-asset behaviors 724
34.3 Asset procurement – key focus areas 730
34.4 Asset classification 740
34.5 Asset reconciliation and monitoring – key focus areas 757
39.1 Capability principles 838
39.2 Control grouping in FISMA (NIST) 840
39.3 Program controls in FISMA network 840
40.1 Internet and illicit information – perception study 865

List of Boxes

1.1 Mainframe versus Client/Server-Based Architectures for Information Systems 8
1.2 Three-Tier Architectures for Information Systems 9
1.3 Web Services Standards 11
2.1 Threatening Online Activities 16
2.2 Signaling Under Attack: History 18
2.3 Reason for Security Breaches 21
2.4 InfoSec Assurance Capability Maturity Model (IA-CMM) 22
3.1 Security Engineering Principles 27
3.2 Security-Related Process Areas in Systems Security Engineering Capability
Maturity Model (SSE-CMM) (Version 3.0) 28
3.3 Electronic Mail (E-Mail) Policy: An Example 29
3.4 Password Policy: An Example 30
3.5 Mini Cases 31
3.6 Industry Leaders’ Thoughts on InfoSec 33
4.1 What Loss to Data Integrity and Confidentiality Means to Organizations 40
4.2 Data Integrity and Availability Issues in CRM Environment 44
4.3 How do Organizations ‘Classify’ Data and Information? 45
5.1 Annualized Rate of Occurrence: Illustrations 53
5.2 Business Impact Analysis 55
5.3 Historical Perspective on Business Risk Analysis 56
5.4 Model-based Risk Assessments versus Asset-based Risk Assessments 57
5.5 Risk Analysis with OCTAVE Method 58
6.1 Key Findings for Mobile Computing Security Scenario 70
6.2 Potential Wireless Users – Beware! 71
6.3 LDAP Directory Structure 77
6.4 RAS System Security for Mobile Device Clients 78
6.5 TrustZone Technology for Mobile Devices: Toward Security
of m-Commerce Applications 79
6.6 ISO 17799 – Main Clauses (Changes from 2000 to 2005 Release) 80
6.7 Getting Lost!! 81
6.8 RFID-based Physical Protection for Laptops 89
6.9 The Amazing World of Wearware! 91
7.1 The Cloud: The ‘What’ and ‘Why’? 98
7.2 Riding on the Cloud! 99
7.3 Virtualizing the Server 103
7.4 Grid Computing 104
7.5 Middleware 106
7.6 Elastic Cloud, SLA and SLO 112
7.7 Hot, Warm, Cold Sites for Disaster Recovery and Other Similar Arrangements 114
7.8 Cloud Computing, Grid Computing 115
7.9 ‘Green’ Cloud 116
7.10 Cloud and Data ‘Ownership’ 117
7.11 Server Virtualization 118
7.12 Agile and SCRUM in Cloud Context 120
7.13 PIPEDA and Cloud Data Privacy 123
8.1 The Journey: From PC to Mobile Phone to Smartphone 129
8.2 Malware on Mobile 133
8.3 Portable Devices used by and in the Healthcare Sector
and the Security Issues Associated with Them 138
8.4 Are Smartphones and Tablets more Secure? 141
9.1 Bluetooth 148
9.2 Going Wi-Fi 150
9.3 What Color is Your Hat in the Security World? 150
9.4 Extensible Authentication Protocol 153
9.5 Picking Digital Garbage – Dumpster Diving in its New Avatar 155
10.1 Sensors and Actuators 161
10.2 IoT Communication Standards: Biz-E-Bee, ZigBee and Others 163
10.3 Toward a ‘Smart Planet’: The Concept in Brief 169
10.4 Intelligent Building: What Is It? 173
10.5 Key Terms Relevant to Intelligent Buildings 179
10.6 Green Technologies 183
10.7 People in the Cities of the World and the ‘Triple Play’ 184
10.8 ‘Big’ Data 188
11.1 Walk the Walk – Gait Advances in Emerging Biometrics 199
11.2 Biometric Identification and Biometric Authentication 200
11.3 Biometric Signature and Digital Signature 205
11.4 How Biometrics Differ from Forensics 210
11.5 Physical Security During Wars: Biometric Bodysuits 211
11.6 Special Camera for Biometric Developers 217
11.7 Theft and Biometrics 220
12.1 Viruses, Worms and Trojan Horses 229
12.2 Hackers and Crackers – bête noire of the Digital World 230
12.3 The Dark Passages of Telecommunications: Covert Channels 233
12.4 Traffic Analysis 233
12.5 Password Policies 235

12.6 Hackers’ Targets: What do They Look for? 238
13.1 Bus: Vehicle for the Data to Travel on the Network! 249
13.2 Hybrid Networks 251
13.3 Responsibilities for Routers in Networks 258
13.4 Intranets and Extranets 259
13.5 Fibre Optics: The Light of Modern Digital Communication 261
14.1 Cipher and Types of Ciphers 276
14.2 Travails of Cryptovirology 277
14.3 Steganography – The Art of Hiding! 285
14.4 IBM Contribution – Quantum Leap in Cryptography! 286
15.1 Network Port Scanning 291
15.2 Network Penetration Testing 294
15.3 Understanding Signature Detection, Anomaly Detection and Denial of Service Detection 297
16.1 Cookies – Monster or Your Diligent Assistant on the Internet! 307
16.2 User Datagram Protocol 309
16.3 Dual-Homed Host or a Dual-Homed Firewall 310
16.4 Bastion Host: Your Fortified Protection on the Internet 312
16.5 Remote Procedure Call (RPC) 314
17.1 The Art of Tunneling: Layer 2 Tunneling Protocol 324
17.2 Wi-Fi Access Point 325
17.3 NetBEUI and IPX 329
17.4 Public-Key Infrastructure (PKI) 332
18.1 KRESV Test – Be Careful When Reading E-Mail with Attachments!! 345
18.2 Message Integrity 347
18.3 Electronic Mail Systems Policy: An Example 350
19.1 Digital Market Place and Electronic Commerce 355
19.2 Electronic Business 356
19.3 e-Commerce and e-Business: The Difference 357
19.4 The Supply Chain of Electronic Business 359
19.5 Security in Electronic Data Interchange (EDI) 361
19.6 Security e-Comm Middleware: Types and Function 364
19.7 Electronic Banking and its Brief History 368
19.8 Why Payment Gateways are Important for e-Comm Stores? 372
19.9 e-Comm: All Set with SET! 377
20.1 Current Trends in Database Usage: a New Driver for Database Security 389
20.2 Database Management System, Database Schema and Database Models 391
20.3 The Havoc of Slammer/Sapphire Worm 399
21.1 Operating Systems: The Brain of Our Computers 408
21.2 Security Patches 412
23.1 ISO/IEC TR 13335 431
24.1 Principles of Business Process Re-Engineering 448
24.2 Implementing COBIT: Typical Challenges 452
24.3 The SOX–ERM Connection 457
25.1 ABCs for Information Systems Security Metrics 467
25.2 What are Security Patches? 471
25.3 Communicating Security Metrics Scoreboard 483

26.1 Law, Case Law, Legislation, Statutes and Jurisdiction: Alphabet Soup in the Legal World 490
26.2 The Legal Side of Secure Electronic Commerce 492
26.3 Privacy versus Security: Two Sides of the Same Coin? 493
26.4 The US Computer Security Act of 1987 494
26.5 What Legal Status Does ‘Information’ Possess? 496
26.6 Toward a Culture of Security: OECD Guidelines 498
26.7 Data Protection Act 500
26.8 Need for Privacy in the Healthcare Industry 502
26.9 Does HIPAA Assure Protection and Privacy of Medical Data? 503
26.10 Health Data on Sale!!! 506
27.1 Types of Private Data 517
27.2 Privacy: Some Key Terms – Personal Information, Sensitive Personal
Information and Aggregate Information 518
27.3 Identity Theft – A Serious Personal and Business Issue 519
27.4 Do People Care for Identity and Privacy? Survey Speaks! 520
27.5 Empowering Individuals for Control over their Data: Privacy Goals 521
27.6 Computer Forensics: Classic Example of Security and Privacy at Loggerhead 525
27.7 Protection of Privacy and Personal Data: The OECD Principles 527
27.8 Multi-Dimensions of Privacy 529
27.9 Why Should Companies Be Worried About Computer Fraud? 530
28.1 Channels of Direct Marketing 539
28.2 Privacy and Confidentiality 540
28.3 Fair Business Practices: Rules for Legal Marketing – Whether Online or Not 541
28.4 Customer Profiling through Clustering and Data Matching:
A Way of Business Intelligence 543
28.5 Offshore Outsourcing and Data Protection: Issues and Concerns 545
28.6 Safe Harbor Privacy Principles 546
28.7 Privacy in India: What a Survey Showed 547
28.8 Outsourcing and Privacy: Critical Questions 548
28.9 Protecting Valuable Information to Safeguard Clients’ Data 549
28.10 SSADM and Data Dictionary 555
28.11 RFID Technology Overview 557
28.12 RFID Tags 559
28.13 Characteristics of Technologies Used By Biometrics 565
28.14 Medical Biometrics − Personal Privacy and Medical Identity Theft 566
28.15 Biometrics and Privacy – Identification v/s Authentication 567
28.16 What is Chip Card? 574
28.17 A Day in the Life of a Software Agent: Scenario 579
28.18 Intelligent Software Agents Assess Machinery Health in Real Time 580
29.1 Federated Identity, Federated Trust Management and Federated Networks 601
29.2 P3P – A Direction in Website Privacy Preservation 602
29.3 PGP – Giving Privacy to Your E-Mails 604
29.4 Service-Oriented Architecture (SOA) 607
29.5 Context Sensitiveness: Some Illustrations 609
29.6 SSL and TLS 612
29.7 XML and XML Schema 613

30.1 What Surveys Tell Us About Best Practice Organizations 620
30.2 Security Certifications Pay! 624
31.1 DRP versus BCP 629
31.2 Minimizing Power Outages 630
31.3 Business Impact Analysis 633
31.4 Emergency Response Team 639
32.1 A Historical Perspective and Challenges – IT Security Audits 647
32.2 Security Audit: Real-Life Incidents and Examples 648
32.3 Segregation of Duties: The SoD Concept 650
32.4 Strong, Weak and Random Passwords – The ABC of Security Audit 656
32.5 Identity Theft – The New Challenge for Netizens 659
32.6 The PCI DSS for Security of Information in the Credit Cards Industry 660
32.7 Pen-Tester’s Responsibilities 661
32.8 OWASP 662
32.9 Attack Vectors – Your Trail in Penetration Testing 663
32.10 Challenges in Reporting the Results – Penetration Testing 665
32.11 How Vulnerabilities are Identified? 667
32.12 Semantics of Scanning and Numerology of Port Numbers 668
33.1 The ‘Trusted Balance’ of Privacy 686
33.2 Organizational Privacy Policy: An Example 687
33.3 What Privacy-Mature Organizations Think and Do About Privacy 689
33.4 Privacy Matters – Liability of Directors 690
34.1 Assets, Threats, Risks and Vulnerabilities 720
34.2 Tacit versus Explicit Knowledge – Knowledge is an Asset! 722
34.3 Crucial and Confidential Information Walks Away!! 723
34.4 Building a Knowledge-Based Enterprise: Information Harvesting
and Knowledge Harvesting 725
34.5 Technology in Asset Management – Using RFID and RSA Token for Asset Tracking 732
34.6 Risk of Material Misstatement (RMM): A ‘bete noire’ for Auditors 752
34.7 SOX: Section 302 and Section 404 752
34.8 The Concept of Audit ‘Materiality’ 755
34.9 SAS 70: Type I and Type II 757
35.1 Fire: Considerations During Building Construction 769
35.2 Physical Security: What Do You Check? 769
35.3 Physical Protection of Data: Ratings for Fireproof Products 775
35.4 Duress Alarms: An Aid to Physical Security Staff 776
36.1 Facility Types: Implications for Physical Security Implementation 780
36.2 Absolute IR/MW Dual-Technology Intrusion Detection System 786
37.1 EAI Experience in Day-to-Day Life 793
37.2 The Power of Supply Chain Management: Understanding What is at Stake for Net-Centric
Global Organization 797
37.3 Enterprise Application Integration: How Large Organizations Use It 798
37.4 Value-Added Networks: VANs 806
37.5 Service-Oriented Architecture (SOA) in the Context of Web Services 808
39.1 Using the NSTISSC Security Model along with the ISO 27001 Framework: An Example 829
39.2 What is ISO 20000? 829

39.3 Business–IT Alignment in Industry Projects: Using the ITIL Framework 833
39.4 ISM3 Specialty in the Jungle of Standards for InfoSec 834
39.5 CRAMM and Risk Management Methods 835
39.6 Common Certified Products 843
39.7 Audit Materiality and Audit Evidence 847
39.8 ISECOM Gives Birth to Open Source Security Testing 851
40.1 Terms of Reference – Computer Ethics 858
40.2 Computer Fraud and Abuses from Within 859
40.3 Software Piracy Issues 863
40.4 Ethical Dilemmas in the Real World 864
40.5 Information Warfare Classification 868
40.6 US Government Restrictions on Sharing of Cryptographic Technologies 870
40.7 The War of Key Escrow 871
40.8 Managing Copy Protection in the Digital World – DRM 873
40.9 New Kid on the Block – The Hacktivist!! 874
40.10 Ethical Guidance: A Crying Need for Today’s Professionals 877
40.11 The Philosophy Behind Copyrights 878
40.12 Cybersquatting and Trademarks 881

Part I Introduction

CHAPTER 1 Information Systems in Global Context
CHAPTER 2 Threats to Information Systems
CHAPTER 3 Information Security Management in Organizations
CHAPTER 4 Building Blocks of Information Security
CHAPTER 5 Information Security Risk Analysis

CHAPTER 1  Information Systems in Global Context
Learning Objectives
After completing this chapter you will be able to:
• understand the history of information systems.
• understand why information systems are important.
• understand the basics of information systems as an overview.
• note information system architectures in brief.
• understand the impact of globalization on information systems.

1.1  History of Information Systems


Information systems (IS) have always played a crucial role in civilization. In fact, IS existed in a simple form even in
early civilizations. For example, over 500 years ago, the Inca Indians of South America developed fairly comprehensive IS with
databases and processing models composed of thousands of knotted strings called quipus. To the Indians of South America,
the knots on the hanging strings represented, for example, the number of people in a village, their duties, the amount of grain
in a storehouse, business transactions (as of that time), poetry, livestock, records of battles and other historical events. An
array of knots of different colors and sizes conveyed a combination of mnemonics, digits and narrative information.
In the mid-eighteenth century, pressures to process data increased. The Industrial Revolution shifted the basic means of
production from the home and small shop to the factory. With the development of large manufacturing facilities, there arose
a need for a service industry to market and transport the goods produced by the manufacturing systems. The increased size
and complexity of these organizations made it impossible for a single person to obtain adequate information to manage them
effectively without the aid of data processing.
In the twentieth century, the need to record more data, to analyze that data to produce more information and to use it for
information-led decision-making increased even further. Business investors need details about the financial status
and future prospects of the business in which they wish to invest. Bankers and vendors need information to appraise the
performance and financial soundness of a business before making loans or providing business credit. Government agencies,
too, need a number of reports that disclose the operating parameters of business entities. The individuals most involved with and
dependent on information are those charged with the responsibility of managing and operating organizations. Thus, when
businesses and other organizations try to keep track of many things, timely and accurate information is the essential resource
to maintain operations and to remain competitive. Therefore, information is considered a corporate asset. As with most
assets, the security of this corporate asset, namely information, becomes crucial. In fact, security of information assets is
considered to be one of the success factors for businesses.

1.2  Importance of Information Systems


Today, we live in the ‘Information Age’, mainly because of advances in computer and communications technology, that is,
information and communication technology (ICT). Most of the workforce today has jobs that are information-intensive.
Take, for example, the jobs of those in the field of training and teaching, accountants, lawyers, managers and executives;
these jobs are predominantly based on handling large amounts of information. Added to this is the dimension of the newly
emerging ‘mobile workers’ who work away from their ‘offices’. This paradigm greatly differs from that of earlier decades, in
which most jobs involved some type of physical labor applied on farms or in factories; it reflects the progression of our society
from the agricultural age to the industrial age and now to the information age. IS have now become an inseparable part of
business organizations. Figure 1.1 shows the interdependence of organizations and IS.

[Figure: the organization sits within its environment (suppliers, customers, regulatory agencies, stockholders,
competitors); the information system inside the organization takes Input, performs Processing (classify, arrange,
calculate), produces Output and receives Feedback.]

FIGURE 1.1 The interdependence between organizations and information systems.

In today’s global context, there is a consensus among strategists on a number of points regarding global businesses.
Large organizations piggy-back data flows on the complex management support systems and the global communications
they use to control their supply chains. Given this, business managers have reason to believe that coordination of
organizational operations is the central tenet of globalization. Thus, smooth coordination of business activities [as
evidenced in supply chain management (SCM) and customer relationship management (CRM)] distinguishes the multi-
domestic and multinational organizations from a truly global business. Information technology (IT) facilitating the global
coordination of organizations is today recognized as a key component of competitive strategy.
For successful operations in the global arena, multinational organizations need to be tightly linked in their information
and communication flow requirements. This amply brings out the nature and complexity of global coordination required
in organizations of the future. In the global perspective of businesses today, each geographical unit plays a distinctive role.
To sustain the pressures from business and to satisfy the decision-making requirements in today’s dynamic environment,
the nature of modern IS is such that they call for intensive and complex interaction between physically remote but
interdependent units. This is why our IS today are in a networked mode – in alliance with global business partners,
distributed and at multiple locations, giving rise to what we call the ‘extended enterprise’ in the digital economy. This concept
is depicted in Figure 1.2.

[Figure, reconstructed as a table:]

Enabling Technology              The Promise                           The Change
Inter-enterprise computing       Extended Enterprise                   Re-casting external relationships
Integrated web-enabled systems   Web-Integrated Organization           Enterprise transformation
Web-based computing              High Performance Distributed Teams    Re-design of e-business processes

FIGURE 1.2 The extended enterprise.

1.3  Basics of Information Systems


In this section we take a brief overview of ‘information systems’. We provide here only an overview, not the basics and
fundamentals of information systems, as there are many suitable texts available on this subject; see the Further Reading section
at the end of this chapter. Essentially, an information system is a set of interrelated components that collect (or retrieve),
process, store and distribute information to support decision-making and control in an organization. Figure 1.3 illustrates the
functions of an information system.

[Figure: the Organization (business strategy, rules, procedures) and the Information System (hardware, software,
database, telecommunications) are shown as interdependent.]

FIGURE 1.3 Functions of an information system.

Thus, IS accept data from their environment and manipulate the data to produce information that is used to solve a
problem or address a business need. In the earlier days (say, in the 1960s and 1970s), the majority of information systems were
manual systems. These days, however, information systems are mostly computerized, software-intensive systems. Today, the
vast majority of computerized IS rely on data warehouses and database management system (DBMS) software to manage
the storage and retrieval of the data/information in the system. Information systems consist of data, hardware, software,
procedures and people. Their major functions are: input, storage, processing, control and output. IS are usually developed
to support specific business functions such as the administrative functions common to most organizations. For example, in
finance, we have accounting and resource management (facilities and equipment). In the finance area, organizations need
financial management information systems (FMIS). For manufacturing-focused organizations, enterprise resource planning
(ERP) systems are important. In the human resource (HR) area, there are HR information systems and in the marketing and
sales area, there are CRM systems. It is important to note at this point that not all types of information can be computerized,
especially the ones with an external source. Table 1.1 shows the business area-wise organization of information.

TABLE 1.1 Business area-wise information

| Business area | Coverage | Typical examples | Remarks |
|---|---|---|---|
| Business environment | Business conditions external to the organization that can impact its business activities | 1. Rules and compliance set by regulatory agencies; 2. Issues created by competitors; 3. Licensing authorities’ requirements | These may not be handled in a computerized manner inside a company data warehouse |
| Customers and other affinity organizations | People and organizations who acquire and/or use the company’s products | 1. Prospects; 2. Customers | Organizations use these mechanisms for capturing potential customers (prospects) and for distinguishing between parties who buy the product and those who use it |
| Communications | Messages and the media used to transmit them | 1. Advertisement campaigns; 2. Target audience; 3. Company websites | These often pertain to marketing/prospecting activities. They can also apply to internal and other communications |
| External organizations | Organizations, except customers and suppliers, external to the company | 1. Complementors/business partners; 2. Existing competitors; 3. Potential competitors | In the paradigm of ‘networked organizations’ of today, this inclusion is important |
| Facilities and equipment | Real estate and structures and their related components, movable machinery, devices, tools and their integrated components | 1. Buildings and surroundings; 2. Heavy machinery; 3. Testing and other equipment; 4. Factories | Software that is integral to equipment is included within this area; other software is included within the information area. Integrated components (e.g., a security alarm system within an office or plant) are often included as a part of the facility |

In view of the discussion so far, conceptually, ‘information’ can be divided into three parts. First, there are data, which bring
together all kinds of information that can be stored (such as personal data, information concerning customers, accounting,
etc.). Second, there is knowledge, that is, those aspects that are not immaterial but are brought in by experienced employees.
Lastly, there is the action of sending information to someone or something through the information system. However, a clear
distinction needs to be made between ‘information systems’ and ‘systems and data-processing networks’. An information
system refers not only to data but also to users and methods and thus is a more global notion. That is why some people
define an ‘information system’ as a system, whether automated or manual, that comprises people, machines and/or methods
organized to collect, process, transmit and disseminate data that represent user information.

1.4  The Changing Nature of Information Systems


In the past decade, the nature of IS has undergone a dramatic change, from mainframe-based IS to client/server computing
to today’s web-based information systems, with the Internet having made the revolution. Alvin Toffler, in his books, talks
about the rate of change affecting humanity. In one of his most popular books, The Third Wave, he discusses the impact
on humanity of three waves: first, the agricultural wave; second, the industrial wave; and third, the information wave. In
line with these thoughts expressed by Toffler, it can be argued that the fourth wave has begun – the wave created by mobile
technology, with web services following suit. The four powerful worldwide changes that have altered the business environment are:
1. globalization;
2. rise of the information economy;
3. transformation of the business enterprise;
4. emergence of the digital firm.
Modern business applications of IS show a trend toward the development of systems that are decentralized, autonomous and
heterogeneous. The new generation of IS is characterized by the combination and integration of local IS (mostly databases),
each with their own intended purpose and goal. Thus, today, the IS used by business enterprises and individuals are no longer
monolithic, nor are they housed in a single location, residing on a single piece of hardware, that is, a server. Information
systems of today are distributed and component-based. For more details on the basics of information systems/management
information systems, readers can follow standard books on the topic; some texts are suggested in the Further Reading section.
In many of today’s information-intensive enterprises, the local structured procedures can be effectively and flexibly integrated
into the global work processes supporting the business goals. Figures 1.4–1.6 explain the configuration and paradigm of
mainframe-based systems, client/server-based systems and web-based architecture for IS.

[Figure: users at dumb terminals echoing text send INPUT (data entries, data requests) through the user interface to the
mainframe, whose LOGIC/RULES (manipulate data, data rules) read/write/store data in a database or file-based FILE
SYSTEM; OUTPUT (feedback, requested data) is returned to the terminals.]

FIGURE 1.4 Mainframe-based information systems.

[Figure: the same INPUT / LOGIC/RULES / FILE SYSTEMS / OUTPUT flow as Figure 1.4, but the user interface now runs on a
desktop PC (text or GUI) acting as the client, while the data rules and the database or file-based system reside on one or
more servers.]

FIGURE 1.5 Client/server-based information systems.

[Figure: web browsers reach the company over the Internet, intranet or extranet; a firewall fronts the web server, which
hands requests to the application server; behind it sit the company databases, the back office/ERP systems and their
operating systems.]

FIGURE 1.6 Architecture of web-based information systems.

Boxes 1.1 and 1.2 explain mainframe-based systems vis-à-vis client/server architecture for IS and provide a business case for
the current trend toward client/server architecture of the IS.

BOX 1.1 Mainframe versus Client/Server-Based Architectures for Information Systems

In mainframe-based architectures used for IS (see Figure 1.4), all intelligence is within the central host computer.
Users interact with the host through a terminal that captures keystrokes and sends that information to the host.
Mainframe software architectures are not tied to a hardware platform. User interaction can be done using personal
computers (PCs) and Unix workstations. A limitation of mainframe software architectures is that they do not easily
support graphical user interfaces (GUIs) or access to multiple databases from geographically dispersed sites. In the
last few years, mainframes have found a new use as a server in distributed client/server architectures.
The term client/server was first used in the 1980s in reference to PCs on a network. The actual client/server
model started gaining acceptance in the late 1980s. The client/server software architecture is a versatile, message-
based and modular infrastructure that is intended to improve usability, flexibility, interoperability and scalability as
compared to centralized, mainframe, time-sharing computing. A client is defined as a requester of services and a
server is defined as the provider of services. A single machine can be both a client and a server depending on the
software configuration. Client/server system configuration is depicted in Figure 1.5.
In modern times, there is a general trend away from mainframe-based systems to client/server architecture. The
client/server technology makes it possible to provide dramatic improvements in customer service, while substantially
reducing the amount of time and training required for common service operations. Client/server computing may also
provide the best alternative for meeting new requirements for electronically interfacing with business partners; a
service that is very crucial in electronic business (e-business) era.
An important point to note is that contrary to many predictions and common belief, client/server computing is not
100% replacing traditional mainframe-based application systems. Instead, a blended system seems to be emerging
that combines the data-processing horsepower of the legacy mainframe applications with the opportunities for rapid
application development and electronic interfacing capabilities of the client/server technology. The cornerstone of
this solution is a three-tiered approach, in which an application layer provides an interface between the client/server
system and the legacy mainframe system.

BOX 1.2 Three-Tier Architectures for Information Systems

The three-tier architecture (also referred to as the multi-tier architecture) was developed to overcome the limitations of
the two-tier architecture. In the three-tier architecture, a middle tier was added between the user system interface client
environment and the database management server environment. There are a variety of ways of implementing this middle
tier, such as transaction processing (TP) monitors, message servers or application servers. The middle tier can perform
queuing, application execution and database staging. For example, if the middle tier provides queuing, the client can
deliver its request to the middle layer and disengage because the middle tier will access the data and return the answer
to the client. In addition, the middle layer adds scheduling and prioritization for work in progress. The three-tier client/
server architecture is known to improve the performance of groups with a large number of users (in thousands) and
improves flexibility when compared to the two-tier approach. Flexibility in partitioning can be as simple as ‘dragging and
dropping’ application code modules onto different computers in some three-tier architectures. A limitation with three-
tier architectures is that their development environment is reportedly more difficult to use than the visually oriented
development of the two-tier applications. Recently, mainframes have found a new use as servers in three-tier architectures.
The most basic type of three-tier architecture has a middle layer consisting of TP monitor technology. The TP monitor
technology is a type of message queuing, transaction scheduling and prioritization service where the client connects to
the TP monitor (middle tier) instead of the database server. The transaction is accepted by the monitor, which queues it
and then takes the responsibility for managing it to completion, thus freeing up the client. When the capability is provided
by third-party middleware vendors, it is referred to as ‘TP Heavy’ because it can service thousands of users. When it is
embedded in the DBMS (and could be considered a two-tier architecture), it is referred to as ‘TP Lite’ because experience
has shown performance degradation when over 100 clients are connected. The TP monitor technology also provides:

1. the ability to update multiple DBMSs in a single transaction;
2. connectivity to a variety of data sources including flat files, non-relational DBMS and the mainframe;
3. the ability to attach priorities to transactions;
4. robust security.

Using the three-tier client/server architecture with TP monitor technology results in an environment that is
considerably more scalable than a two-tier architecture with direct client to server connection. For systems with
thousands of users, the TP monitor technology (not embedded in the DBMS) has been reported as one of the most
effective solutions. However, a limitation of the TP monitor technology is that the implementation code is usually
written in a lower level language (such as COBOL), and is not yet widely available in the popular visual toolsets.
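To make the TP-monitor middle tier of Box 1.2 concrete, here is an added illustration that is not from the book: clients never hold a database connection, they hand a transaction to the monitor and disengage; the monitor serves queued work by priority and either commits an update across two separate DBMSs or rolls it back everywhere. Two in-memory SQLite databases stand in for the DBMSs, and the class, function and table names are all constructed for this example.

```python
"""Toy three-tier 'TP monitor' middle tier (constructed illustration, not the book's code).

Queuing, prioritization and all-or-nothing updates across several DBMSs, as
listed in Box 1.2.  Clients only ever talk to the monitor.
"""
import heapq
import itertools
import sqlite3
import threading
from dataclasses import dataclass, field


@dataclass(order=True)
class Transaction:
    priority: int                       # lower value is served first
    seq: int                            # FIFO tie-break among equal priorities
    ops: list = field(compare=False)    # (db_name, sql, params) tuples
    done: threading.Event = field(compare=False, default_factory=threading.Event)
    result: str = field(compare=False, default="queued")


class TPMonitor:
    """Middle tier: the only component holding DBMS connections."""

    def __init__(self, databases):
        self.databases = databases      # name -> sqlite3 connection
        self._heap = []                 # priority queue of Transaction
        self._lock = threading.Lock()
        self._seq = itertools.count()
        self.served = []                # seq numbers in the order they ran

    def submit(self, ops, priority=5):
        """Client entry point: enqueue and return at once (client disengages)."""
        txn = Transaction(priority, next(self._seq), list(ops))
        with self._lock:
            heapq.heappush(self._heap, txn)
        return txn                      # client may later wait on txn.done

    def _execute(self, txn):
        """Apply every op; commit all DBMSs touched or roll all of them back."""
        names = {db_name for db_name, _, _ in txn.ops}
        try:
            for db_name, sql, params in txn.ops:
                self.databases[db_name].execute(sql, params)  # implicit BEGIN
        except sqlite3.Error as exc:
            for db_name in names:       # undo partial work on every DBMS
                self.databases[db_name].rollback()
            return f"rolled back ({exc})"
        for db_name in names:
            self.databases[db_name].commit()
        return "committed"

    def _drain(self):
        while True:
            with self._lock:
                if not self._heap:
                    return
                txn = heapq.heappop(self._heap)   # highest priority first
            self.served.append(txn.seq)
            txn.result = self._execute(txn)
            txn.done.set()                        # wake a waiting client

    def run_to_completion(self):
        """Process all queued work on a worker thread, then return."""
        worker = threading.Thread(target=self._drain)
        worker.start()
        worker.join()


def build_databases():
    """Two separate 'DBMSs' with constructed sample data."""
    orders = sqlite3.connect(":memory:", check_same_thread=False)
    stock = sqlite3.connect(":memory:", check_same_thread=False)
    orders.execute("CREATE TABLE orders(id INTEGER PRIMARY KEY, sku TEXT, qty INTEGER)")
    stock.execute("CREATE TABLE stock(sku TEXT PRIMARY KEY, onhand INTEGER CHECK(onhand >= 0))")
    stock.execute("INSERT INTO stock VALUES ('WIDGET', 5)")
    stock.commit()
    return {"orders": orders, "stock": stock}


def order_ops(qty):
    """One business transaction spanning both DBMSs."""
    return [("orders", "INSERT INTO orders(sku, qty) VALUES (?, ?)", ("WIDGET", qty)),
            ("stock", "UPDATE stock SET onhand = onhand - ? WHERE sku = ?", (qty, "WIDGET"))]


def demo():
    dbs = build_databases()
    mon = TPMonitor(dbs)
    batch = mon.submit(order_ops(1), priority=9)    # submitted first, served last
    urgent = mon.submit(order_ops(2), priority=1)   # served first
    bad = mon.submit(order_ops(50), priority=5)     # would drive stock negative
    mon.run_to_completion()
    onhand = dbs["stock"].execute("SELECT onhand FROM stock WHERE sku='WIDGET'").fetchone()[0]
    n_orders = dbs["orders"].execute("SELECT COUNT(*) FROM orders").fetchone()[0]
    return {"order": mon.served, "urgent": urgent.result, "batch": batch.result,
            "bad": bad.result, "onhand": onhand, "orders": n_orders}
```

The failed order leaves no half-written row in the orders DBMS, because the monitor rolls back both connections.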

1.5  Globalization of Businesses and the Need for Distributed Information Systems

Liberalization, privatization and globalization have become the three ‘mantras’ of success in the digital economy led by the
rise of e-business. Business competition and pressures are on the rise like never before. Businesses now have no geographical
boundaries. With the rise of mobile commerce (m-commerce) fuelled by mobile technologies, we are now witnessing the
era of anywhere, anytime computing! Naturally, ‘information’, which has been one of the vital corporate resources (in addition to
the traditional ‘3Ms’, i.e., man, materials and money), assumes a higher dimension when it comes to data and information
security (InfoSec). In the paradigm of mobile computing, information as a vital corporate resource faces the threat of falling into
the hands of those for whom it is not intended. Protecting data and information is crucial as businesses make knowledge-
based decisions. We certainly do not want confidential data and information to be leaked outside the required boundaries.
We talked about the ‘waves’ in the previous section. There is an important point to be noted – while the industrial age
witnessed great developments in terms of engineering, a significant dimension, connectivity, was missing. Producers and
consumers of goods all remained disparate and unconnected. They operated in islands of geographical pockets without knowing
how the others were transacting their businesses. This isolation is not true anymore in today’s paradigm of the ‘extended enterprise’
resulting from the new way of doing business, namely electronic business or, as it is popularly known, ‘e-business’. So,
prior to e-business days, not only did the suppliers and consumers remain separated, but the knowledge producers/knowledge
workers and business personnel also remained relatively unconnected.
The ‘third wave’ has what the ‘second wave’ did not have: connectivity. Connectivity is a great boon from the ‘Internet’ – one of
the most exciting revolutions of this century and truly a paradigm-changing force. Connectivity in the Information Age not only
brought the consumers and producers together, but also built the bridge between the ‘thinkers’, business people, the governments,
the common people, the academicians and so on. We need to consider the scope of modern-day IS in this global context.
In the new paradigm, IS are handling information in all forms, not just the text-based data of the 1970s that came typically
in flat files but also the rich text, images/graphics and voice. So, we are in the realm of not only terabytes of data but also
multimedia, multi-geo order of IS. The widening scope of IS can be summarized as follows:
1. 1950s: technical changes;
2. 1960s–1970s: managerial controls;
3. 1980s–1990s: institutional core activities;
4. Today: digital information webs extending beyond the enterprise.
Today’s firms are ‘digital’ in terms of their rapid operations mode. They are characterized by electronic commerce
(e-commerce) and e-business to operate in the ‘digital market’ where IS link the buyers and sellers to exchange information,
products, services and payments. Thus, today is the era of the ‘extended enterprise’, and to serve the needs of such networked
enterprises the IS, too, are no longer confined to a single location or a single computer. Figure 1.7 shows the wider boundaries of
the modern information system vis-à-vis the past.

FIGURE 1.7 The wider scope of information systems. [Figure: nested information-system boundaries labelled Technical Changes (1950s), Managerial Control (1960s–1970s), Institutional Core Activities (1980s–1990s) and Vendors, Customers, Beyond the Enterprise (2000–2005).]

1.6  Global Information Systems: Role of Internet and Web Services


The Internet, one of the most marvelous inventions of this century, in fact, a ‘killer application’, is the international network of
networks. The Internet is a universal technology platform that allows any computer to communicate with any other computer in
the world. Furthermore, one of the advantages of the Internet is that nobody really ‘owns’ it. It is a global collection of networks,
both big and small. These networks connect together in many different ways to form the single entity that we know as the Internet.
In fact, the very name comes from this idea of interconnected networks as shown in Figure 1.8.
The Internet has become so well-meshed in the day-to-day working of the knowledge workers that its contribution
is acknowledged by everybody. Although the Internet, indeed, has brought the world closer in a way, this very ‘free’ and
‘autonomous’ nature of the Internet does have some implications for the security of IS as we will see later. In this section, we
focus on the contribution of web services to modern IS in the global context.
The Internet has revolutionized communication and thereby its contribution to information sharing. With access to a
computer and an appropriate connection, anyone can interact with others worldwide. However, the web is designed to
exchange unstructured information: while people can read web pages and understand their meaning, computers cannot.
If corporations want to conduct business over the web, humans have to be involved unless there is a way for computers to
communicate on their own. This is where web services come in. They make it possible for companies to do business through
their computer systems exploiting the Internet infrastructure.
Web services play a complementary and dominant role in building global IS for today’s dynamic business world. IBM’s
definition of web services states that ‘Web Services are self-contained, modular applications that can be described, published,
located and invoked over a network, generally, the World Wide Web (WWW).’ Companies send and receive a great deal
of information, so there is value in automating even a small part of that exchange. However, one of the greatest benefits from web
services comes from links between companies, where extended processes between companies can be automated. This is very much
essential in the paradigm of today’s ‘extended enterprise concept’ (Figure 1.2).


FIGURE 1.8 The Internet. [Figure: World ISP, Regional ISP and Local ISP tiers; a Business LAN and a Home are connected to the Local ISP via a conventional phone line, cable modem line, digital subscriber line or T1 line.]

Web services perform functions ranging from simple requests to complicated business processes. Once a web service
is developed, other applications and other web services can discover and invoke the deployed service through universal
description, discovery and integration (UDDI). The idea of web services is to leverage the advantages of the web as a platform
to apply it to the services themselves, not just to the static information. ‘Services’ refer to components and the services offered
that can be used to build larger application services. Web services make it easier to build service-based architectures without
the applications being locked-in to a particular software vendor’s products.
Web services have been proven to give a strong return on investment (ROI) and make computer-based IS more adaptable.
They also help bring productivity, flexibility and low maintenance cost in the development of IS by integrating components
from various third-party vendors (another avenue for implementing appropriate security measures in the IS). Web services make
information available from computer systems to other applications using well-defined standards (see Box 1.3). Discussion on
the details of standards adopted in web services is beyond the scope of this book. Interested readers can refer to the web services-
related topics provided in the Further Reading section.

BOX 1.3 Web Services Standards

Common object request broker architecture (CORBA®) and electronic data interchange (EDI) were created as single
specifications, but web service vendors are adopting a series of standards that work together. In general, these
standards can handle specific tasks. The advantage of this approach is that web service standards can evolve more
easily as new requirements are identified.
The first standards to be agreed upon concern basic interoperation among applications, and since then, a series
of standards have covered web services discovery, security, transactions and coordination. There is also a body, the
Web Services Interoperability Organization (WS-I), charged with overseeing the establishment and promulgation of
standards. The standards include:
1. simple object access protocol (SOAP), used to format messages between web services;
2. web services definition language (WSDL), used to define how a web service can be used;
3. universal description, discovery and integration (UDDI) and the web services inspection language (WSIL), used
to find web services;
4. WS-security, used to manage security across web services;
5. WS-coordination, used to coordinate multiple web services into a larger composite system.

Many other web service standards remain under development. Organizations that publish these standards include
the World Wide Web Consortium (W3C) and the Organization for the Advancement of Structured Information Standards
(OASIS).
Benefits of web services for developing IS of a global nature are as follows:
1. Web services tools are available for most computer systems, including mainframes and packaged applications. This
means that not only the existing applications can be retained, but also the existing knowledge of staff can be applied
and extended using web services for business integration.
2. Web services are adaptable and can handle changes more readily than other integration solutions, because they use
structured text as their message format. Therefore, because the cost of maintenance is reduced, the overall cost of a web
services system also reduces.
3. IT managers now have the ability to exchange data between most applications, on most computers, in a consistent and
standard way. Tools and further standards are therefore emerging to build composite applications that can model and
manage business processes around these business-level components.
4. If necessary, an alternative application can be used to provide web services without changing the overall effect of
the system. This gives significant flexibility in the choice of a supplier. This aspect is particularly important in the
consideration of outsourcing security services.

1.7  Information Systems Security and Threats: A Glimpse


So far, we have seen that the use of IS has become mandatory for businesses to perform their day-to-day functions efficiently.
In this section, we set the context for understanding the issues related to IS misuse, the resulting threats and countermeasures. This
section is only an overview of threats to IS. It sets the stage for the detailed discussion taken up in the next chapter on the
role of the organization in security management.
Given the crucial role played by information systems, it is important that they remain secured and that the data contained in
them do not fall into the hands of those who are not intended to have access to it. Security of IS becomes particularly important
with the advent of the Internet. Internet access in particular allows a mass of information to remain up-to-date in real time,
but it also opens the door for external encroachment. Thus, it is essential to ensure the physical protection of the information
that, when stored without precautions on the hard disk of a computer connected to the Internet, can be read, copied, modified
or destroyed from a working station located somewhere on the planet without the owner realizing the tampering.
In the modern business era, the use of desktop PCs, laptops, and network connectivity including the Internet and electronic
mail (e-mail) is as essential as the telephone at the workplace. The employees and networked IS are the most valuable assets for any
organization. The misuse of information systems by employees, however, poses serious challenges to organizations including
loss of productivity, loss of revenue, legal liabilities and other workplace issues. Organizations need effective countermeasures
to enforce their appropriate usage policies and minimize their losses as well as increase the productivity of knowledge workers.
The basics of information systems security are related to:
1. Trademark, copyright, patent and trade secrets and protection strategies for each of them (discussion on this is available
in Chapter 40);
2. Software licensing issues (Chapter 34 has discussion on software license management);
3. Data privacy under legal framework (Laws and Legal Frameworks are addressed in Chapter 26. Data Privacy fundamentals
are addressed in Chapter 27);
4. InfoSec and control frameworks such as Control Objective for Information and related Technology (COBIT) and
International Organization for Standardization (ISO) 17799 (COBIT is addressed in Chapter 24 and the ISO 17799
framework is addressed in Chapter 23);
5. Evidence of digital forensic practices and ethics;
6. Computer Frauds and Abuse Acts boundaries for illegal access to computers/computer-based IS;
7. Electronic surveillance and cyber crimes.
InfoSec measures are mandated by statutes such as the Health Insurance Portability and Accountability Act (HIPAA) in
the United States, the Gramm–Leach–Bliley Act (GLBA) and the Sarbanes–Oxley Act (SOX) (because most Indian IT/software firms
have the majority of their business with the United States, it is important to include these). HIPAA-HITECH, GLBA and SOX
are addressed in Chapter 26.


Summary
Information systems play a crucial role in today’s complex business world. They have come a long way progressing from the precivilization era, through the agricultural era, to the present networked enterprise era in our digital economy. To fulfill the demands placed on them, today’s IS are global in nature and complex in their structure. Information is an important asset and needs to be protected all the time. Threats to IS come from many avenues and these threats will continue, given our dependence on information systems. In the next chapter, an organizational context is set for managing information systems security.

Review Questions
1. Explain the historical role of information systems. In what way do you think the industrial revolution impacted information systems?
2. Explain the importance of information systems in the global context. Do you think that only computer-based information systems will be successful today? Give reasons for your argument.
3. Do you feel geographical limits play a role in the effective working of information systems? Give reasons.
4. Explain the ‘extended enterprise concept’. In what way do information systems play the cementing role among the various components of the extended enterprise? Elaborate your answer with suitable examples.
5. What are the factors that alter today’s enterprises? Have information systems changed over the years? In what way have they changed and what challenges does this present to the designers of information systems? Explain with illustrations.
6. Explain the various architectures for information systems as described in this chapter.
7. How do distributed information systems help the global enterprises?
8. Explain the crucial role of the Internet and Web Services.
9. What elements, as described in this chapter, form the basics of information systems security?

Further Reading
Bamforth, R. and Kavanagh, C. (November 2005) Transforming the Workplace: The Impact of Mobile Technology on the Working Environment, Quocirca Insight Report.
Bob, T. and Vile, D. (January 2005) Protecting the IT and Data Assets of Small and Mid-Sized Businesses, Quocirca Report.
Burch, J.G. and Grudnitski, G. (1989) Information Systems: Theory and Practice, 5th edn, John Wiley & Sons, Inc., NY, USA.
Colan, M. (June 2001) Dynamic E-Business: Using Web Services to Transform Business, IBM White Paper.
Collins, J. (May 2005) Content Security: Securing Internet Communications, a business paper prepared for Aladdin Knowledge Systems.
Collins, J. and Taylor, L. (2004) IT Security – Bridging the Gap: Resolving the Paradox of IT Security, Quocirca ‘Sharp End’ Series, Summer.
Dynamic E-Business with DB2® and Web Services, IBM White Paper, n.d.
Hailstone, R. and Perry, R. (n.d.) IBM and the Strategic Potential of Web Services, an IDC White Paper sponsored by IBM.
http://www-106.ibm.com/developerworks/webservices/library/w-ovr/ (accessed 12 August 2005) for web services architecture overview.
http://www.sei.cmu.edu/str/descriptions/clientserver_body.html (accessed 25 November 2005) for descriptions of system architectures.
Kroenke, D. and Hatch, R. (1994) Management Information Systems, 3rd edn, McGraw-Hill International, Watsonville, CA, USA.
Lambros, P., Schmidt, M.T. and Zentner, C. (May 2001) Combining Business Process Management Technology and Business Services to implement Complex Web Services, IBM White Paper.
Longbottom, C. (September 2004) The Evolution of Information Access: The Need for Seamless Connectivity, a report commissioned by Citrix Systems, Inc.
Longbottom, C. (January 2005) Change and Flexibility bringing IT and the Business Together, a report commissioned by BMC Software, Inc.
Narsu, U. and Murphy, P. (2002) Web Services Adoption Outlook Improves, Giga Information Group, Inc. Report.
Parker, C. and Case, T. (1993) Management Information Systems: Strategy and Action, 2nd edn, McGraw-Hill International, NY, USA.
Securing Web Services, IBM White Paper, May 2002.
Shenk, D. (1997) DATA SMOG: Surviving the Information Glut, Harper Edge, San Francisco, CA, USA.
Supporting Open Standards for Web Services and J2EE, IBM White Paper, May 2001.
Tapscott, D. (1996) Digital Economy – Promise and Peril in the Age of Networked Intelligence, McGraw-Hill International, NY, USA.
Tapscott, D., Ticoll, D. and Lowy, A. (2000) Digital Capital: Harnessing the Power of Business Web, Nicholas Brealey Publishing, London, UK.
Tarzey, B. and Vile, D. (July 2005) Achieving Best Practice in IT Management for SMBs, Quocirca SMB Report.
Tcherevik, D. (July 2003) Management and Security in the World of Web Services, sponsored by Computer Associates International, Inc.
Tian, M., Voigt, T., Naumowicz, T. et al. (2003) Performance Impact of Web Services on Internet Servers, Freie Universität Berlin Computer Systems & Telematics, Berlin, Germany.
Toffler, A. (1970) Future Shock, Bantam Books in agreement with Random House, Inc., NY, USA.
Using Web Services for Business Integration, a Borland® White Paper by Borland Software Corporation, September 2002.
Wilkes, L. (2001) Web Services – Right Here, Right Now: delivering Web Services Today with IBM Solutions, CBDi Forum, available at www.cbdiforum.com.

*  Refer to case illustration ‘Beta Greval – Security in Manufacturing’ on the CD companion of the book for a scenario based
on the concept(s) discussed in this chapter.


2 Threats to Information Systems
Learning Objectives
After completing this chapter you will be able to:
• understand how new technologies can pose threats to information systems;
• distinguish information-level threats from network-level threats;
• understand information systems security in terms of threats and attacks;
• know about the nuisance value of computer viruses;
• classify threats to assess damages to information systems;
• understand logical and physical types of assets; this will be useful later for understanding the concepts in
Chapter 34 about asset management;
• re-assimilate the need for safeguarding information systems security;
• learn about information systems controls.

2.1 Introduction
Information systems security is concerned with the integrity and safety of an information system’s resources and activities. In the cyber world, it can be almost
impossible to trace sophisticated attacks to their true source. The anonymity enjoyed by today’s cyber attackers poses a grave
threat to the global information society, the progress of an information-based international economy and the advancement of
global collaboration and cooperation in all areas of human endeavor.
In Chapter 1, we discussed the strategic importance of information systems (IS) and their role in the global context.
In this chapter, our objective is to provide a context for management’s role and responsibility for ensuring the security of IS in
the organization. To achieve this, our focus in this chapter is to provide an overview of ‘threats to IS’. In Chapter 3, we take
up a discussion on security management in organizations and the role of security policies and procedures in this, to counter
the threats to IS.

2.2  New Technologies Open Door to the Threats


For companies in the modern era, in particular those engaged in electronic business (e-business), it is increasingly important
to be aware of the online threats because more and more people are using the Internet to access information about their
(prospective) business partners, customers and other business-related links. In today’s world, almost all business organizations
have IS that use integrated technologies such as the networks of computers, company intranets or Internet access to
communicate and transmit information for rapid business decisions, thereby opening the organization to the external world


like never before. Under these circumstances, threats from outside the organization must be addressed, because the damage
from a non-secured information system can have catastrophic consequences for the organization.
Given this, organizations must investigate and evaluate the factors that could be a threat to the integrity of the information
system. Box 2.1 provides some snippets on what can happen while using electronic mail (e-mail) and the Internet.

BOX 2.1 Threatening Online Activities

Hacking of computer systems and launching of denial of service (DoS) attacks as well as spreading of malicious
code, such as viruses, are well-known online threats that deserve attention in the computer security and security
management domain. Far less attention is provided to the fact that the Internet has enabled a range of potentially
threatening activities that are based on the active or passive dissemination of certain information. Examples of such
information-based threatening activities are:

1. Myths, rumors and hoaxes: Hoaxes are false e-mail messages with the only purpose to spread to as many
people as possible. Along with myths and urban legends, they live on the Internet. Such messages may have
significant impact on companies, their reputations and thus on their businesses.
More recently, the globally operating mobile phone company Ericsson was the victim of a hoax promising
recipients free mobiles if they forwarded the letter to at least 20 people. Ericsson received thousands of e-mails
from people asking for their free phones. The article (Park, 2000) quotes an Ericsson Australia spokesman
claiming that the company was aware of the e-mail circulating for at least a couple of days and that the way it
was sent made it impossible for them to see where the e-mail originated from.
Another report (Fumento, 1999) has the story about a Canadian manufacturer who used his/her website to
spread information that products of competitors may be dangerous. Moreover, the company’s marketing head has
been observed to actively support feminists preparing a petition to start a boycott of the company’s competitors.
According to Fumento (1999), however, scientific investigations suggest that the information is nothing but a myth.
2. Threats to websites: There are reports that the US-based car manufacturer Ford decided not to go online to
combat a certain revenge website as the company was afraid that anything they would do on their own website
would validate what is described on the revenge website!
3. Limited attention to cyber crimes: So far, threats on the information level, referred to by lawyers as ‘commercial
terrorism through the Internet’, have not received much attention in the computer security and security
management literature. A look at the relevant literature suggests that these fields tend to focus on making
corporate computer systems and networks secure in order to protect systems. Interested readers may like to
refer to the paper by Lueg (2001).

2.3  Information-Level Threats versus Network-Level Threats


As a reference to the discussion in the rest of this chapter, we describe three basic terms: threat, vulnerability and countermeasures.
A threat is a possible event that can harm an information system, whereas vulnerability is the degree of exposure in view
of a threat. Finally, a countermeasure is a set of actions implemented to prevent threats. Next, let us consider a working
definition of information-level threats. Information-level threats (or information-based threats) are threats that involve the
(purposeful) dissemination of information in such a way that organizations, their operations and their reputations may be
affected. Dissemination may be active as in the case of sending an e-mail or it may be passive as in the case of setting up
websites (see Box 2.1).
It is important to distinguish ‘information-level threats’ from ‘network-level threats’. By network-based threats we mean
that in order to become effective, potential attackers require network access to corporate computer systems or to networks used
by corporate computer systems. Examples for network-based threats (or threats on the network layer) are hacking of computer
systems and launching of DoS attacks as well as spreading malicious code, such as viruses (more on this topic in Section 2.5).
Other security issues involved when data are transmitted over networks are confidentiality, authentication, integrity and non-
repudiation (these terms are discussed in detail in Chapter 4).
Information-level threats also make heavy use of the network, but what matters at the primary level is the content of a message and
not its form. Sending fake inquiries to service accounts to eat up resources (e.g., flooding the mail server with many messages so that
it gets choked) would qualify as an information-based attack, as it is the content of the messages that would provide a basis
for the attack. Other examples of information-based threats are setting up revenge websites and disseminating false or biased


information as in the case of the false accusation (see Box 2.1). Such attacks can cause considerable damage to the goodwill of
the organization against which they may be launched, and customer loyalty is too valuable to lose.
Dissemination of information that is likely to trigger specific counter-reactions, as in the case of, say, a falsified job
advertisement, also qualifies as an information-based threat. By contrast, a DoS attack that is based on flooding accounts with large
quantities of e-mail is a network-based attack, as it is the size and the quantity of the e-mail that matters and not the content
of the e-mail.
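To make the content-versus-volume distinction concrete, here is an added example in Python (not from the book) that runs two detectors over a constructed set of mail-gateway log lines: a volume detector for the network-level flood case, which ignores content, and a content detector for the hoax chain letter of Box 2.1, which ignores volume. The log format, thresholds and hoax markers are assumptions made for illustration.

```python
"""Classify constructed e-mail events as network-level or information-level threats.

Network-level (flood): the count or total size of messages from one sender to one
mailbox inside a sliding window is what matters; the content is ignored.
Information-level (hoax): the content of a single message is what matters; it is
flagged even if only one copy is ever sent.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of gateway log lines; the format itself is an assumption.
SAMPLE_LOG = [
    '2017-04-24T10:00:01 from=<alice@example.test> to=<support@corp.example> size=900 subject="Invoice query for order 1182"',
    '2017-04-24T10:00:05 from=<joker@example.test> to=<staff@corp.example> size=1200 subject="Forward this e-mail to 20 people and get a free mobile"',
    '2017-04-24T10:00:10 from=<bot@example.test> to=<support@corp.example> size=2048 subject="Order status?"',
    '2017-04-24T10:00:12 from=<bot@example.test> to=<support@corp.example> size=2048 subject="Order status?"',
    '2017-04-24T10:00:14 from=<bot@example.test> to=<support@corp.example> size=2048 subject="Order status?"',
    '2017-04-24T10:00:16 from=<bot@example.test> to=<support@corp.example> size=2048 subject="Order status?"',
    '2017-04-24T10:00:18 from=<bot@example.test> to=<support@corp.example> size=2048 subject="Order status?"',
    '2017-04-24T10:00:30 from=<bulk@example.test> to=<sales@corp.example> size=600000 subject="Catalogue attached"',
    '2017-04-24T10:00:45 from=<bulk@example.test> to=<sales@corp.example> size=600000 subject="Catalogue attached (2)"',
]

LOG_RE = re.compile(
    r'^(?P<ts>\S+) from=<(?P<sender>[^>]+)> to=<(?P<rcpt>[^>]+)> '
    r'size=(?P<size>\d+) subject="(?P<subject>[^"]*)"$'
)


def parse_line(line):
    """Parse one gateway log line into a dict with a datetime and an int size."""
    m = LOG_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unparseable log line: {line!r}")
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    event["size"] = int(event["size"])
    return event


def flood_senders(events, window_seconds=60, max_messages=5, max_bytes=1_000_000):
    """Network-level indicator: flag a sender whose message count or total bytes to
    one mailbox inside a sliding window exceed the thresholds. Subjects are never read."""
    flagged = set()
    window = defaultdict(list)  # (sender, rcpt) -> [(ts, size), ...] inside the window
    for e in sorted(events, key=lambda ev: ev["ts"]):
        entries = window[(e["sender"], e["rcpt"])]
        entries.append((e["ts"], e["size"]))
        # Drop entries that fell out of the window relative to the newest one.
        while (entries[-1][0] - entries[0][0]).total_seconds() > window_seconds:
            entries.pop(0)
        if len(entries) >= max_messages or sum(s for _, s in entries) >= max_bytes:
            flagged.add(e["sender"])
    return flagged


# Assumed chain-letter markers, modelled on the Ericsson hoax described in Box 2.1.
CHAIN_LETTER_MARKERS = [
    re.compile(r"forward (?:this|the) (?:e-?mail|message|letter) to", re.I),
    re.compile(r"\bfree (?:mobile|phone|handset)s?\b", re.I),
    re.compile(r"send (?:this )?to (?:at least )?\d+ (?:people|friends)", re.I),
]


def is_chain_letter(text):
    """Information-level indicator: two or more hoax markers in the content."""
    hits = sum(1 for pattern in CHAIN_LETTER_MARKERS if pattern.search(text))
    return hits >= 2


def classify(lines, **flood_kwargs):
    """Return {sender: sorted list of labels}; an empty list means nothing was flagged."""
    events = [parse_line(line) for line in lines]
    floods = flood_senders(events, **flood_kwargs)
    labels = defaultdict(set)
    for e in events:
        labels[e["sender"]]  # make sure every sender appears in the result
        if e["sender"] in floods:
            labels[e["sender"]].add("network-level:flood")
        if is_chain_letter(e["subject"]):
            labels[e["sender"]].add("information-level:hoax")
    return {sender: sorted(tags) for sender, tags in labels.items()}


if __name__ == "__main__":
    for sender, tags in classify(SAMPLE_LOG).items():
        print(f"{sender:22} {tags or 'no finding'}")
```

Note that the bot sender is flagged purely by count and the bulk sender purely by bytes, with innocuous subjects in both cases, while the single hoax message is flagged on its content alone.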

2.4  Information Systems Security: Threats and Attacks


Attacks can be represented by the relation among threat, vulnerability and damage. Threat and vulnerability have already been
defined. Before the rise of the Internet and the increase in the number of connections from and to the outside, threats were mainly
physical ones (intrusion into the company premises without authorization, robberies, vandalism, etc.). Protection could be
summed up in a very few access control rules using, for example, multi-locks and security guards. Nowadays the situation is
quite different. Admittedly, there are still thefts of equipment or intrusion through the main console. Attacks via the network
have reached a critical point and companies still do not know what the best measures to be taken are.
The above discussion brings us to classifying information systems security threats. Security threats have four principal
sources that include:
1. Human error: for example, inadvertent disclosure of confidential information.
2. Computer abuse or crime: these days crime is rampant. A generic example is when a person intends to be malicious and
starts to steal information from sites, or cause damage to, a computer or computer network. In particular, consider these
examples: an Internet-based computer fraud can happen when a victim is expecting a large payoff for helping to move
millions of dollars out of a foreign country. The victim may also believe s/he has won a large award in a non-existent
foreign lottery. In the US, for example, ‘wire-fraud’ is a specific form of computer-related crime where the means of
communication is a central feature of the offence. Other examples are the theft of credit card data from hacked websites and
password-sniffing programs used to obtain the information required to gain access to the password owner’s system.
3. Natural and political disasters: this can happen in the form of natural calamities and wars, riots, etc.
4. Failure of hardware or software: for example, server malfunctioning, software errors, etc.
Computer crime is defined as any illegal act in which a computer is used as the primary tool. Computer abuse is unethical
use of a computer. Security threats related to computer crime or abuse include:
1. Impersonation: The impersonator enjoys the privileges of a legitimate user by gaining access to a system by identifying
oneself as another person after having defeated the identification and authentication controls employed by the system.
2. Trojan horse method: Concealing within an authorized program a set of instructions that will cause unauthorized
actions.
3. Logic bomb: Unauthorized instructions, often introduced with the Trojan horse technique, which stay dormant until
a specific event occurs (or until a specific time comes, as the instructions may keep checking the computer’s internal
clock), at which time they bring into effect an unauthorized act.
4. Computer viruses: Segments of code that are able to perform malicious acts and insert copies of themselves into
other programs in the system and onto the diskettes placed in the computer. Because of this replication, a virus will
progressively infect healthy programs and systems. Close relatives of viruses are worms – independent programs that
make and transmit copies of themselves through telecommunications (TC) networks. Computer viruses have become
a pervasive threat in personal computing.
5. DoS: Rendering the system unusable by legitimate users.
6. Data diddling: Changing data before or during input, often to change the contents of a database.
7. Salami technique: Diverting small amounts of money from a large number of accounts maintained by the system. These
small amounts will not be noticed.
8. Spoofing: Configuring a computer system to masquerade as another system over the network in order to gain
unauthorized access to the resources the system being mimicked is entitled to.
9. Super-zapping: Using a system program that can bypass regular system controls to perform unauthorized acts.
10. Scavenging: Unauthorized access to information by searching through the residue after a job has been run on a
computer. Techniques range from searching wastebaskets or dumpsters for printouts to scanning the contents of a
computer’s memory.


11. Data leakage: There are a variety of methods for obtaining the data stored in a system. The data may be encoded into
an innocuous report in sophisticated ways, for example, as the number of characters per line.
12. Wiretapping: Tapping computer TC lines to obtain information.
13. Theft of mobile devices: This is a new dimension that is coming up given the increase in mobile workforce.
Some of the above-mentioned crime techniques may be used for a direct gain of financial resources, others for industrial
espionage, while yet others simply for destructive purposes. Probably the most important unrecognized threat today is the
theft of portable computers, with access codes and information in their memories. Also to be considered are the losses owing
to the theft of intellectual property, such as software, product development information, customer information or internal
corporate documents. Chapter 6 is devoted to discussing security issues in the mobile computing arena.

BOX 2.2 Signaling Under Attack: History

The world of security threats has given rise to some interesting terms. For example, take the term ‘phone-phreakers’.
The term phone-phreaking refers to attacks on signaling. Until the 1980s, phone companies used signaling systems that
worked in-band by sending tone pulses in the same circuit that carried the speech. The first signaling attack dates
back to 1952. By the mid-to-late 1960s, many phone-phreakers in both the United States and Britain had worked out ways
of routing calls. They typically used homemade tone generators, called the ‘blue boxes’. The trick they used was the
following: call an 800 (toll free) number, and then send a tone that would clear down the line at the far end, that is,
disconnect the called party while leaving the caller with a trunk line connected to the exchange. The caller could now
enter the number s/he really wanted and be connected without paying.
According to some analysts (Diffie and Landau, 1998), there are at least as many unauthorized wiretaps as
authorized ones. The figures can be distorted from country to country, depending on the level of controls to
prevent illegal practices in wiretapping. Even if the official figures have to be doubled or tripled, it is still clear that
democratic regimes make much less use of wiretapping than authoritarian ones. For example, lawful
wiretapping amounted to 63,243 line-days in the United States in 1999, or an average of just over 173 taps in
place.
Another point worth noting is that the incidence of wiretapping is highly variable in the developed democracies.
In the United States, for example, it is found that only about half the states use wiretapping. In Britain, wiretaps
need a ministered warrant, and so are rarer. The cost of wiretapping is a serious issue. This raises some obvious
policy questions: Should agencies cut back on wiretapping, and spend more money on deployment of civil crime
investigation squads?

2.5  Computer Viruses: The bête noire of the Computing Era


Computer viruses deserve special attention in the sense that they are really the 'black beasts' of the modern computing era!
They are the most frequently encountered threats to end-user computing and are the best-known form of computer threat.
A computer virus is a piece of program code that attaches copies of itself to other programs and thus replicates itself. Computer
viruses possess certain characteristics:
1. The attacked program may continue to work properly, but, at some point, it will perform a malicious or destructive act
intended by the attacker who wrote the virus.
2. Although a computer virus may attack a multi-user system with shared disk facilities, viruses are best known for their
rapid spread in a personal computer (PC) environment. In this environment, they proliferate through infected diskettes or
other removable media, or through programs downloaded from the Internet or other networks.
3. Most viruses are insidious and their presence is not obvious after infection. In the meantime, they infect other
programs.
4. Two principal types of viruses are boot infectors and program infectors. Boot infectors replace the contents of the first
(boot) sector of a diskette or hard disk; these were the viruses most commonly encountered in early personal computing.
Program infectors copy themselves into the executable files stored on the hard disk.
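Characteristics 3 and 4 also suggest how a program infector is caught in practice: an executable that a virus has attached itself to no longer hashes to its known-good value, and the attached code is identical in every file the virus has infected. The Python script below is an added worked example for this edition, not code from the original text or from any anti-virus product. It builds a SHA-256 baseline of the executables under a directory, reports files that were modified, added or removed on a later pass, and scans for a byte pattern shared by infected files. The directory, the 'executables' and the infector body are constructed test data; the body is not a real virus signature.

```python
"""File-integrity baseline and signature scan for program-infector style viruses.

Added example: all paths, file contents and the infector body below are
constructed test data, not a real sample or a real virus signature.
"""
import hashlib
import tempfile
from pathlib import Path

EXECUTABLE_SUFFIXES = (".exe", ".dll", ".com")


def sha256_file(path: Path, chunk_size: int = 65536) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every executable under root (path relative to root) to its SHA-256."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in EXECUTABLE_SUFFIXES:
            baseline[str(path.relative_to(root))] = sha256_file(path)
    return baseline


def compare_to_baseline(root: Path, baseline: dict) -> dict:
    """Re-hash the tree and report what changed since the baseline was taken.

    A program infector that attaches itself to an executable shows up under
    'modified'; a dropped copy of the virus shows up under 'added'.
    """
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def scan_for_signature(root: Path, signature: bytes) -> list:
    """Return every file under root containing the given byte pattern.

    This only finds code that is already known; it is the complement of the
    baseline comparison, not a replacement for it.
    """
    hits = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and signature in path.read_bytes():
            hits.append(str(path.relative_to(root)))
    return hits


# Constructed stand-in for the code a program infector appends to its victims.
INFECTOR_BODY = b"\x90\x90\xeb\xfe[constructed-infector-body]"


def demo() -> dict:
    """Baseline two clean 'programs', simulate an infection, then detect it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "calc.exe").write_bytes(b"MZ" + b"\x00" * 64 + b"legit program one")
        (root / "notes.exe").write_bytes(b"MZ" + b"\x00" * 64 + b"legit program two")
        (root / "readme.txt").write_bytes(b"not an executable")
        baseline = build_baseline(root)

        # Simulated infection: the virus attaches a copy of itself to calc.exe
        # (the program still 'works') and drops a fresh copy as dropper.exe.
        with (root / "calc.exe").open("ab") as f:
            f.write(INFECTOR_BODY)
        (root / "dropper.exe").write_bytes(b"MZ" + INFECTOR_BODY)

        return {
            "diff": compare_to_baseline(root, baseline),
            "signature_hits": scan_for_signature(root, INFECTOR_BODY),
        }


if __name__ == "__main__":
    print(demo())
```

Two points a practitioner would add. The baseline has to be stored where the infected host cannot rewrite it (offline media or a separate system), otherwise the virus, or its author, simply re-baselines the infected files. And a signature scan only finds bodies that are already known; it is the integrity comparison that catches the unknown ones, which is why characteristic 3 makes the baseline the more valuable of the two checks.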

ISS_Chapter_02.indd 18 4/24/2017 4:19:25 PM


THREATS TO INFORMATION SYSTEMS  19

2.6  Classifications of Threats and Assessing Damages


So far we have discussed the threats to IS. The discussion in this section forms the basis for understanding security management
in an organization in terms of security policies, security architectures and security procedures/processes. It will also serve as
a foundation for the discussion of disaster recovery planning (DRP) and business continuity planning (BCP) in Chapter 31.
As we will see later, preventive measures are the best way to avoid threats. However, since we do not operate in a foolproof,
ideal world, things may still go wrong even after all this, and the next action is to get into recovery mode. Organizations
expect their security managers to be able to evaluate the damage caused when a security incident or an actual attack takes
place, so that management can set the budget for security-related spending. For this, the threats and the resulting damages
must be categorized. Security managers need to know explicitly the assets of their organizations, the vulnerability of their IS
to different threats and the potential damages.
A threat is an indication of a potential undesirable event. It refers to a situation in which a person could do something
undesirable (e.g., an attacker initiating a DoS attack against an organization's e-mail server) or in which a natural occurrence
could cause an undesirable outcome (e.g., a fire damaging an organization's information technology (IT) hardware).
A threat has the following properties (note that this maps to the fourth source of security threats mentioned in
Section 2.4):
1. Asset: something of value to the organization (information in electronic or physical form, IS, a group of people with
unique expertise, etc.).
2. Actor: who or what may violate the security requirements – confidentiality, integrity and availability (CIA) – of an
asset. Actors can be from inside or outside the organization.
3. Motive (optional): indication of whether the actor's intentions are deliberate or accidental.
4. Access (optional): how the asset will be accessed by the actor (network access or physical access).
5. Outcome: the immediate result of violating the security requirements of an asset (disclosure, modification,
destruction, loss, interruption, etc.).
The major categories of damages resulting from threats to the IS are:
• destruction of information and/or other resources;
• corruption or modification of information;
• theft, removal or loss of information and/or other resources;
• disclosure of information (confidential data);
• modification of important or sensitive information;
• interruption of access to important information, software, applications or services.
Each threat and vulnerability must be related to one or more of the organizational assets requiring protection. Thus, prior
to assessing damages (caused by security incidents), we need to identify assets. Typically, there are five categories of logical and
physical assets:
1. Information: documented (paper or electronic) data or intellectual property used to meet the mission of an organization.
2. Software: software applications and services that process, store or transmit information.
3. Hardware: IT physical devices considering their replacement costs.
4. People: the people in an organization who possess skills, competencies, knowledge and experience that are difficult to
replace.
5. Systems: IS that process and store information (conceptually, a system is a combination of information, software and
hardware assets. In computer networking terms, any host, client or server also can be considered a system).
Another way of grouping the threats is to put them together in groups based on some common themes suggested as follows:
1. Human actors using network access: The threats in this category are network-based threats to an organization’s critical
assets. They require direct action by a person and can be deliberate or accidental in nature.
2. Human actors using physical access: The threats in this category are physical threats to an organization’s critical assets.
They require direct action by a person and can be deliberate or accidental in nature.
3. System problems: The threats in this category are problems with an organization’s IT systems. Examples include
hardware defects, software defects, unavailability of related enterprise systems, viruses, malicious code and other system-
related problems.


4. Other problems: The threats in this category are problems or situations that are outside the control of an organization.
This category of threats includes natural disasters (such as floods, earthquakes and storms) that can affect an organization’s
IT systems as well as interdependency risks. Interdependency risks include the unavailability of critical infrastructures
(TC, electricity, etc.). Other types of threats outside the control of an organization can also be included here. Examples
of these threats are power outages, broken water pipes, etc.
Thus, we can see that threat profiles can be represented as a tree structure. This structure, depicted in Figure 2.1, shows
the assets, access, actors, motives and the possible outcomes. An important point to notice is that organizations should have a
suitable method for 'asset classification' to know which of their assets are critical.

[Figure 2.1: a tree read from left to right with the columns Asset, Access, Actor, Motive and Outcome. The root is the Critical
Asset; the extracted figure shows its Network Access branch, which splits by Actor into Inside and Outside, each by Motive into
Accidental and Deliberate, and each of those leaves lists the four Outcomes: Disclosure, Modification, Loss/Destruction,
Interruption.]

FIGURE 2.1 Generic threat profile.

Organizational assets are evaluated using various suitable units of measurement. The monetary value of assets is the most
commonly used unit. It is not always easy to measure assets in absolute terms; in such cases, the measurement for assessing
damages can be done in relative ways. The value of information, for example, can be measured as a fraction or percentage of
the total budget, assets or worth of a business. Assets may also be ranked by sensitivity or importance to the organization in
relative terms.
The impact of information security (InfoSec) incidents may well be financial, in the form of immediate costs and losses of
assets. For example, the cost per hour of downtime caused by a DoS attack can be computed by measuring the loss of:
1. Productivity: (number of employees impacted) × (hours wasted) × (burdened hourly rate). The burdened hourly rate could be
a notional cost of the employees – for example, the rate at which they are billed to the customer, or their outgoing cost to
the employing organization (salary plus benefits and overheads). With illustrative figures, 200 employees idled for 3 hours
at a burdened rate of USD 60 per hour represents 200 × 3 × 60 = USD 36,000 of lost productivity.
2. Revenue: direct loss and lost future revenues.
3. Financial performance: credit rating and stock price.
4. Other expenses: equipment rental, overtime costs, extra shipping costs, travel expenses, etc.
Hidden costs are more difficult to handle. Consider the example of a DoS attack (the situation illustrated in Box 2.1) where
the damaged reputation of the company has a negative impact on its relationship with customers, suppliers, financial markets,
banks and business partners. These hidden costs are extremely difficult to quantify and measure.


The bottom line is that the cost of an information systems security incident in a company has to be measured in terms of the
impact on its business; hence, identical incidents in two different companies can have different costs. To evaluate these costs
and measure the impact of a security incident on a company, organizations need a systematic approach and a comprehensive
risk management system. A discussion on this is taken up in Chapter 5.

BOX 2.3

2.7  Protecting Information Systems Security


The discussion in the previous section shows that the security of IS has to be maintained by measures taken to prevent
threats to these systems, or to detect and correct the effects of any damage. The aim of information systems security is to protect
corporate assets or, at least, to limit their loss. Security measures limit access to information to authorized individuals; there
can be no privacy or confidentiality of data records without adequate security.
In view of the discussion so far in this chapter and in Chapter 1, good InfoSec design starts with a threat model: what the
system is designed to protect, from whom, and for how long. Threat modeling involves thinking about the system as a whole and
mapping out the vulnerability landscape. It must take into account the information to be protected, the people who will use
the system and how they will use it. Whether external or internal, threats have the potential to cause harm or loss to
organizations, so organizations need to adopt adequate measures to combat them and mitigate the resulting risks.
Information systems controls play a crucial role in ensuring the secure operation of IS and thus in safeguarding assets and the
data stored in these systems. Controls are established to ensure that business applications achieve their objectives efficiently;
to this end, organizations need to institute a set of policies, procedures and technological measures. By function, information
systems controls are classified as follows:
1. Preventive controls: stop an error or an attack from taking effect. These are designed to prevent or restrict an error,
omission or unauthorized intrusion (e.g., access control, input validation).
2. Detective controls: detect a violation. These controls exist to detect and report errors, omissions and unauthorized
use or entry when they occur (e.g., audit logs, intrusion detection).
3. Corrective controls: remedy an exceptional situation. These controls are designed to correct the effects of errors,
omissions and unauthorized use or intrusion once they have been detected (e.g., restoring from backup).


BOX 2.4

By scope, information systems controls are also classified as:

1. General controls: controls applying to the entire IS activity in the organization.
2. Application controls: controls that are specific to a given application (e.g., payroll). Application controls are employed at
the application security layer. This topic is discussed in detail in connection with security audit best practices.
From the preceding discussions we learn that, to protect the IS, threats must be understood before effective InfoSec measures
are devised. This is typically done through a risk assessment for safeguarding IS, during which vulnerabilities and threats are
analyzed (discussed in detail in Chapter 5). We mentioned four sources of security threats in Section 2.4; threats can also be
classified according to the way they occur – non-fraudulent, that is accidental, and fraudulent, that is intentional. A more
elaborate classification distinguishes fundamental threats, which represent what an attacker really wants to achieve (information
disclosure, information tampering, DoS, repudiation and illegitimate use), from the enabling threats through which they are
realized (for example, masquerade or authorization violation) and the underlying threats that make those possible (for example,
eavesdropping or administrative error).
Given the role of IS and threats to them, the matter of their security warrants senior management attention in an organization.
This is so because, in addition to assuring protection against threats and compliance with certain legal requirements, InfoSec
has evolved into a powerful tool for developing business solutions. Effective InfoSec promotes business objectives and expands
business opportunities; therefore, InfoSec can be viewed as a business enabler. When managed effectively, InfoSec can deliver
a competitive edge by generating new markets and revenue streams and leveraging new distribution channels. The nature and
degree of threats faced by organizations vary; therefore, a risk assessment of the likelihood that security will be compromised
is needed. An acceptable level of InfoSec can be introduced and maintained only if the set of security controls, procedural
and technical, is correctly identified, implemented and maintained. These activities must be seen as a never-ending process.
Furthermore, organizations should aim to gain an understanding of the specific characteristics of the emerging environment
that may generate new threats. The consequences of failure to do so may severely impair their ability to carry out their business
and may even lead to legal exposures and liabilities. This is where security policy plays a crucial role.


Summary
An information system is a unit that includes technologies, people and processes. The threats that organizations have to cope
with are numerous and can have catastrophic consequences for the future of the organizations. The last few years have seen a
proliferation of automated IS, reliance on the Internet to enable most essential services and infrastructures, and the growing
threat of organized cyber attacks capable of causing debilitating disruption to our critical infrastructures. The proliferation
of computers and networks in the age of the Internet has enabled not only novel services, such as e-mail, the web and electronic
commerce (e-commerce), but also new ways to affect companies, their businesses and their reputations. The Internet has the
potential to become an even greater threat to computer security than dial-up telephone modems. However, a look at the relevant
literature suggests that information-level threats are not yet sufficiently addressed.
It is now widely acknowledged that security of computer-based IS is an important topic, and state-of-the-art security tools can
provide some protection against threats ranging from hackers trying to break into corporate computer systems to DoS attacks.
Companies should be able to reduce vulnerabilities as well as the potential impact of attacks that still succeed. However, it is
unlikely that there will ever be a 'security end state'. The situation is like accepting that software will be buggy; similarly,
when it comes to IS, some level of threat is always residual. An equally important step is needed toward a realistic assessment
of computer security and toward a lasting change of attitudes and expectations. One of the most overlooked threats in a
corporate security program is the threat posed by employee behavior. Prevention of the misuse of IS by employees has a direct
business value, and user awareness and training also play a role here. Controls and policies play a crucial role in mitigating
threats to information systems security; although not fool-proof in themselves, they occupy a central place in information
systems security management. This subject area is explored in Chapter 6.

Review Questions
1. Explain how new technologies open doors to potential attackers on corporate information systems.
2. Distinguish between information-level threats and network-level threats.
3. Provide a scheme for classifying threats to information systems and the resulting damages.
4. Why are computer viruses considered one of the major threats to computer systems?
5. What kind of thinking and approach should organizations apply to protect their information system assets?

Further Reading
Bisson, J. and Saint-Germain, R. (2003) The BS 7799 ISO 17799 Standard for a Better Approach to Information Security, Callio Technologies White Paper.
Diffie, W. and Landau, S. (1998) Privacy on the Line – The Politics of Wiretapping and Encryption, MIT Press, Cambridge, MA, USA.
Farahmand, F., Navathe, S., Sharp, G.P. and Enslow, P.H. (2001–2002) Evaluating Damages caused by Information Systems Security Incidents, Georgia Institute of Technology, Atlanta, GA, USA.
Fumento, M. (1999) Tampon terrorism in Forbes Global, available at http://www.forbes.com/global/1999/0517/0210033a.html (accessed 1 January 2006).
Godbole, N. (2003) Mobile Computing: Security Issues in Hand-Held Devices, Paper presented at NASONES 2003 National Seminar on Networking and E-Security by Computer Society of India.
Godbole, N. and Unhelkar, B. (February 2006) Security Issues in Mobile Computing, Paper presented at the 2nd International Conference on Information Management and Business, Sydney, Australia.
Lueg, C. (2001) The Role of Information Systems in Information Level Security Management, Department of Information Systems, University of Technology Sydney, Sydney, Australia.
Park, B. (2000) Free mobile phones offer a hoax, says Ericsson. IT News from The Age and the Sydney Morning Herald, available at http://it.mycareer.com.au/breaking/20000407/A54797-2000Apr7.html (accessed 15 October 2001).
Vasiu, L., Mackay, D. and Warren, M. (2003) The Tri-Dimensional Role of Information Security in e-Business: A Managerial Perspective, School of Information Technology, Deakin University, Australia.

*  Refer to case illustration ‘Super Tech – IT Risk Assessment in an ERP Setup’ on the CD companion of the book for a
scenario based on the concept(s) discussed in this chapter.

3  Information Security Management in Organizations

Learning Objectives
After completing this chapter you will be able to:
• understand the context for information security management;
• appreciate the role of security policies, standards, guidelines and procedures;
• learn about various types of security policies;
• know about the InfoSec scenario in the financial sector;
• learn about the information security management system (ISMS) as the foundation for InfoSec management;
• understand an organization's responsibility towards information security management;
• get an overview of information security awareness in the industry.

3.1  The Context for Information Security Management (ISM)


In Chapter 2, we provided an overview of information systems security threats. Chapter 6 focuses on the information
security (InfoSec) risks brought in by mobile and wireless computing. In this chapter, the main focus is on who is
responsible for providing information systems security in an organization, that is, the role of management in information
systems security.
The prime driver for enterprise security is Internet connectivity. According to International Data Corporation (IDC), the
worldwide information security market was worth USD 6.7 billion in 2000. With a compound annual growth rate (CAGR) of 25.5%,
this market was projected to more than triple to USD 21 billion by the end of 2005. According to an IDC analyst, remote local
area network (LAN), Internet, extranet/intranet and wireless access services will drive the need for advanced InfoSec services,
as technologies for circumventing network security systems continue to keep pace with the technologies designed to defend
against them. This provides the context for the chapter, which we use to learn about an organization's responsibilities for
managing InfoSec.

3.2  Security Policy, Standards, Guidelines and Procedures


Security Policy and Policy Types
We aim to discuss two important terms in this section: 'policy' as a general term, along with the various types of policies, and
'security policy' as a specific term. 'Policy' is one of those terms that can mean several things in the information security
domain. For example, consider a firewall (Chapter 16 is dedicated to the discussion of firewalls). There are security


policies on firewalls which refer to the access control and routing list information. Note that even standards, procedures and
guidelines are referred to as ‘policies’ in the larger sense of a global InfoSec policy. A well-written policy is more than an exercise
created on paper – it is an essential and fundamental element of sound security practice. A policy, for example, can literally be
a lifesaver during a disaster, or it might be a requirement of a governmental or regulatory function. A policy can also provide
protection from liability owing to an employee’s actions or can form a basis for the control of trade secrets.

Types of Policies
When the term ‘policies’ is used rather than ‘policy’, the intent is to refer to those policies that are distinct from the standards,
procedures and guidelines; these terms are discussed in the next section with respect to the terms in Figure 3.4.
Figure 3.1 relates well to Figure 3.3. It shows that ‘policies’ are considered as the first and the highest level of documentation.
Lower level elements of standards, procedures and guidelines flow from policies. However, this does not imply that the lower
level elements are not important. It is just that the higher level policies, being general in nature, should be created first for
strategic reasons and then the tactical elements should follow. With this brief introduction, we now list the policy types and
then describe each briefly. Essentially, there are the following types of policies:

[Figure 3.1: policy hierarchy, from top to bottom: Statement of Policy by Senior Management; Organizational Policies (General);
Functional Policies (Department-wise); Mandatory Standards / Baselines; Recommended Standards; Detailed Procedures.]

FIGURE 3.1 Policy hierarchy chart.

1. Senior management statement of policy: This is the first step in the policy creation process. This is a general, high-level
statement of policy that contains the following elements:
• an acknowledgement of the importance of computing and networking resources, that are part of the information
system, to the organization’s business model;
• a statement of support for InfoSec throughout the business enterprise;
• a commitment to authorize and manage the definition of the lower level standards, procedures and guidelines.
2. Regulatory policy: These are security policies that an organization must implement owing to compliance, regulation
or other legal requirements as prevalent in the organization’s operating environment, both internal and external (e.g. as
shown in Table 1.1 of Chapter 1). The various entities with which the business organization interacts can be financial
institutions (such as those in the banking sector), public utilities or some other types of organizations that operate
in the public interest. Regulatory policies are usually very detailed and specific to the industry in which the business
organization operates. The two main purposes of the regulatory policies are:
• ensuring that an organization follows the standard procedures or base practices of an operation in its specific industry;
• giving an organization the confidence that it is following the standard and accepted industry policy.


3. Advisory policy: These are security policies that may not be mandated but are strongly recommended. Normally, the
consequences of not following them are defined (e.g., Business Conduct Guidelines in an organization – not following
these could result in job termination). An organization with such policies wants its employees to consider these policies
mandatory. Most policies fall under this broad category.
4. Informative policy: These are policies that exist simply to inform the reader. There are no implied or specified
requirements, and the audience for this information could be certain internal entities (within the organization) or
external parties.
Having discussed the term 'policy' in general, let us now turn to 'security policy'. A security policy is a statement produced
by the senior management of an organization, or by a selected policy board or committee, that dictates what role security
plays within the organization. A security policy, as we will see in this chapter, can be an organizational policy, an issue-specific
policy or a system-specific policy.
A security policy can be defined as a codified set of processes and procedures that an organization applies to secure the
fulfillment of its obligations and the continuation of its activities even in the presence of possible interferences. This
definition may appear vague compared with others found in technical computer-related publications; it is in fact crafted by
choosing each word precisely. Security policies are most often referred to in the context of information technology (IT),
telecommunications (TC) or information and communications technologies (ICTs). Moreover, they are often, though erroneously,
associated exclusively with the deployment and configuration of computer hardware or software, to the point of the
'configuration' itself being called a security policy.
The definition given in the ISO/IEC 17799 standard (since superseded by ISO/IEC 27002) is slightly different: 'Management
should set a clear policy direction and demonstrate support for, and commitment to, information security through the issue and
maintenance of an information security policy across the organisation'. It should be remembered that ISO/IEC 17799 assumes an
implicit definition of what a policy is, and provides a separate indication of the need for a policy document, including an
indication of its possible contents (not reproduced here): 'A policy document should be approved by management, published and
communicated, as appropriate, to all employees'.
It must be pointed out that this or any other security standard should not be applied mechanically, like a fixed formula, but
should be interpreted in the light of the needs and working model of the 'entity' (e.g., business, non-profit organization,
university, etc.) in which its application is planned, as well as the needs of the organization that created it. This matters
because in an organizational security policy the management establishes how a security program will be set up, sets the
program's goals, assigns responsibilities, shows the strategic and tactical value of security and outlines how enforcement is to
be carried out. Thus, the security policy must address the prevalent laws and regulations as applicable, as well as the liability
issues that may arise and how they must be addressed to satisfy statutory requirements. Box 3.1 shows the goals of security
engineering as a discipline and Box 3.2 lists the SSE-CMM PAs.

BOX 3.1  Security Engineering Principles

Goals of Security Engineering
1. Understand security risks;
2. establish security needs;
3. develop security guidance (policies, standards and procedures);
4. determine acceptable risks;
5. establish security assurance.

Who Practices Security Engineering?
1. Product developers;
2. product vendors;
3. product integrators;
4. product buyers;
5. security evaluation organizations;
6. system administrators;
7. consulting/IT service organizations;
8. program/project management teams.


BOX 3.2  Security-Related Process Areas in the Systems Security Engineering Capability Maturity Model (SSE-CMM) (Version 3.0)

The SSE-CMM provides a community-wide standard metric to establish and advance security engineering as a mature, measurable
discipline. It defines five capability levels above a level 0 at which a practice is not performed at all (depicted in Figure 3.2):

1. level 1: performed informally;
2. level 2: planned and tracked;
3. level 3: well defined;
4. level 4: quantitatively controlled;
5. level 5: continuously improving.

The security best practices in the SSE-CMM are given in the following list of process areas (PAs):

1. PA01: administer security controls;
2. PA02: assess impact;
3. PA03: assess security risk;
4. PA04: assess threat;
5. PA05: assess vulnerability;
6. PA06: build assurance argument;
7. PA07: coordinate security;
8. PA08: monitor security posture;
9. PA09: provide security input;
10. PA10: specify security needs;
11. PA11: verify and validate security.

The SSE-CMM document, from which Figure 3.2 is drawn, includes excerpts from 'A Systems Engineering Capability Maturity
Model, Version 1.1', CMU/SEI-95-MM-003, published in November 1995. The SE-CMM, that is, the Systems Engineering CMM, is
Copyright © 1995 by Carnegie Mellon University. This work is a collaborative effort of Hughes Space and Communications,
Hughes Telecommunications and Space, Lockheed Martin, Software Engineering Institute (SEI), Software Productivity Consortium
and Texas Instruments Incorporated. Permission to reproduce this product and to prepare derivative works from this product is
granted royalty-free, provided the copyright is included with all reproductions and derivative works.

Courtesy: http://www.sse-cmm.org, http://www.sse-cmm.org/model/model.asp.

[Figure 3.2: capability levels 0 to 5: 0 Not Performed; 1 Performed Informally; 2 Planned and Tracked; 3 Well Defined;
4 Quantitatively Controlled; 5 Continuously Improving.]

FIGURE 3.2 Capability levels for maturity of security engineering practices.

Courtesy: Systems Security Engineering Capability Maturity Model – Model Description Document Version 3.0.


Standards, Guidelines and Procedures

Recall that Figures 3.1 and 3.5 (on page 32) represent the hierarchical relationship between business goals and objectives,
technology strategy, information security strategy, standards and procedures. Figure 3.3 presents the components, or building
blocks, of information security. The word 'policy' is prominent in all these figures, and therefore we must now discuss the
most common terms used in connection with security management, namely policies, standards, guidelines and procedures.

Building Blocks (‘Security is a process, and not a product...’)

Security Controls: Assurance, Forensics, Testing, Reporting, Monitoring, Training
Security Technology Implementations: VPN, Encryption, Firewalls, Authentication, Intrusion Detection Systems (IDS)
Business Applications and Services: Networks, Internet and Intranet, Remote Access, Hardware, Operating Systems
Security Policy and Architecture: Risk Assessment, Security Policy, People, Process, Technology
Solution Design and Selection: Security Design, Technology Selection

FIGURE 3.3 Building blocks of information security.

In reference to Figures 3.1 and 3.5, it can be seen that the next level down from policies consists of the three elements
of policy implementation, namely standards, guidelines and procedures. These three elements hold the actual details of the
policy, such as how it should be implemented and what standards and procedures should be followed. They are published in
an organization via manuals stored on the company intranet, booklets for distribution to the employees and other entities
concerned with it, for spreading security awareness in the organization. An important point to note is that standards, guidelines
and procedures are separate yet linked documents from the general policies, especially the senior-level policy statement. It
is not a recommended practice to create a single document to cover the needs of all these elements. Some examples for the
policies mentioned above are provided in Boxes 3.3 and 3.4.

BOX 3.3  Electronic Mail (E-Mail) Policy: An Example

In an organization, the following may be stipulated with respect to the use of e-mails by employees and individuals
who work in the organization (say contractor personnel):

1. E-Mail policy coverage:
   • confidentiality of information disclosed through e-mail communication;
   • sender’s responsibility for the contents of the e-mails;
   • disclosure of sensitive information such as passwords, personal identification number (PIN) and credit card.
2. Appropriate use of e-mails: Employees and other personnel working for the organization and using the
   organization e-mail facilities shall use e-mail strictly for business use only.
   • No obscene or profane message should be sent through e-mails.
   • E-Mail should not be used for sending spam mails, chain mails, graphics, etc.
   • E-Mails should not be automatically forwarded to addresses outside the company.
   • Size of the e-mail should be restricted within approved limits set by the organization.
3. Management’s authority on e-mails:
   • The management reserves the rights to monitor the use of e-mails.
   • The management could store the e-mails for retrieval at a later date for any legal purpose.
   • Any encryption done to e-mail attachments should be with the company’s approval and the encryption key
     should be stored for retrieval when necessary.
4. Disclaimer notice: Since an e-mail is not a secure medium and it is very easy to read, copy or alter an e-mail,
   put a disclaimer similar to the one given as follows (the company can at least protect itself from any misuse):

‘The information in this mail is confidential and is intended solely for the addressee. Access to this mail by anyone
else is unauthorized. Any copying or further distribution beyond the original recipient is not intended and may
be unlawful. The opinion expressed in this mail is that of the sender and does not necessarily reflect that of the
XXX company’.

BOX 3.4  Password Policy: An Example

The policy on passwords can be used to define attributes with which the password must comply. The password policy,
for example, can enforce the following conditions:

1. whether the user identity (ID) and password can match;
2. maximum occurrence of consecutive characters;
3. maximum instances of any character;
4. maximum lifetime of the passwords;
5. minimum number of alphabetic characters;
6. minimum number of numeric characters;
7. minimum length of the password;
8. whether the user’s previous password can be reused.
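The eight conditions of Box 3.4 can be enforced mechanically at password-change time. The checker below is an added example, not code from the book; the threshold values in PasswordPolicy (12 characters, runs of at most 2, at most 3 occurrences of any character, 90-day lifetime) are assumptions chosen for illustration, and the history digests are constructed sample data.

```python
"""Password policy checker for the eight conditions listed in Box 3.4.

Added example, not from the book. The threshold values in PasswordPolicy
are assumptions chosen for illustration; an organization sets its own.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
import hashlib
import hmac


@dataclass
class PasswordPolicy:
    # One field per condition in Box 3.4; all values are assumed examples.
    allow_id_match: bool = False    # 1. may user ID and password be the same?
    max_consecutive: int = 2        # 2. longest allowed run of one character
    max_instances: int = 3          # 3. most times any one character may occur
    max_lifetime_days: int = 90     # 4. maximum lifetime of the password
    min_alpha: int = 2              # 5. minimum alphabetic characters
    min_digits: int = 2             # 6. minimum numeric characters
    min_length: int = 12            # 7. minimum length
    allow_reuse: bool = False       # 8. may the previous password be reused?


def fingerprint(password: str) -> str:
    """Digest kept in the history list so old passwords are not stored in clear.

    SHA-256 is enough for a reuse comparison; the live password itself would be
    stored with a slow, salted hash (bcrypt, scrypt or Argon2), not shown here.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def longest_run(s: str) -> int:
    """Length of the longest run of identical consecutive characters."""
    best = run = 0
    prev = None
    for ch in s:
        run = run + 1 if ch == prev else 1
        best = max(best, run)
        prev = ch
    return best


def check_password(password: str, user_id: str, policy: PasswordPolicy,
                   previous_digests=()) -> list:
    """Return the conditions the candidate password violates (empty = accepted)."""
    violations = []
    if not policy.allow_id_match and password.lower() == user_id.lower():
        violations.append("password matches user ID")                      # 1
    if longest_run(password) > policy.max_consecutive:
        violations.append("too many consecutive identical characters")     # 2
    counts = Counter(password)
    if counts and max(counts.values()) > policy.max_instances:
        violations.append("a character occurs too many times")             # 3
    if sum(c.isalpha() for c in password) < policy.min_alpha:
        violations.append("too few alphabetic characters")                 # 5
    if sum(c.isdigit() for c in password) < policy.min_digits:
        violations.append("too few numeric characters")                    # 6
    if len(password) < policy.min_length:
        violations.append("shorter than minimum length")                   # 7
    if not policy.allow_reuse:
        digest = fingerprint(password)
        if any(hmac.compare_digest(digest, old) for old in previous_digests):
            violations.append("reuse of a previous password")              # 8
    return violations


def password_expired(set_on: date, today: date, policy: PasswordPolicy) -> bool:
    """Condition 4: True once the password is older than the maximum lifetime."""
    return today - set_on > timedelta(days=policy.max_lifetime_days)


if __name__ == "__main__":
    policy = PasswordPolicy()
    history = [fingerprint("Tr0ub4dor&3xyz")]   # constructed sample history
    for candidate in ("jsmith", "aaab12345678", "Tr0ub4dor&3xyz", "Qu1et-Harb0ur-22"):
        result = check_password(candidate, "jsmith", policy, history)
        print(f"{candidate!r}: {result or 'OK'}")
    print("expired:", password_expired(date(2024, 1, 1), date(2024, 4, 1), policy))
```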

3.3  Information Security Scenario in the Financial Sector


In the financial sector, the Reserve Bank of India (RBI) has created a comprehensive document that lays down a number of
security-related guidelines and strategies for banks to follow in order to offer Internet banking. The guidelines broadly talk
about the types of risks associated with Internet banking, the technology and security standards, legal issues involved and
regulatory and supervisory concerns. Any bank that wants to offer Internet banking must follow these guidelines and adhere
to them as a legal necessity.
Recent InfoSec surveys indicate that the banking and finance sector companies, most serious about security, are the major
investors in security solutions, and regularly revise their security policies following periodic audits. Next in line are the software
service companies, business process outsourcing (BPO) firms and IT-enabled services companies. However, verticals such as
manufacturing continue to lag, except the companies that have extensive enterprise resource planning (ERP) setups or those
that drive their supply chain through the web. Aside from these three verticals, companies in other verticals have a long way
to go in establishing InfoSec.

3.4  Information Security Management System (ISMS)


In the preceding sections, we discussed the working of security-related practices through policies, standards and procedures.
A mechanism that works well for this is an ISMS, whose objective is to provide a systematic approach to managing sensitive
information in order to protect it. It encompasses employees, processes and information. An ISMS is depicted in Figure 3.4.


We can see that some basic measures must be applied to secure the information system. Security threats must be managed and
controlled; establishing a global policy, that is, a broad security policy, with management involvement helps to do this. While
doing this, four levels of documentation emerge, as depicted in Figure 3.4.

Level 1   Policy, scope, risk assessment, statement of applicability         Security manual
Level 2   Describes processes – who, what, when, where                       Procedures
Level 3   Describes how tasks and specific activities are done               Work instructions, checklists, forms, etc.
Level 4   Provides objective evidence of compliance with ISMS requirements   Records

FIGURE 3.4 Documentation levels in information security management system.

In Chapter 2, we discussed threats to information systems (IS). In this chapter, in the earlier sections, the discussion was on
the management’s role for security formation. Given that it is necessary for the organizations to identify the nature of possible
threats to its IS, one of the best practices is to establish a set of measures, called ‘controls’. Controls are meant to ensure the
security of IS and, beyond that, to also ensure the privacy and confidentiality of information stored in the systems. It is then
necessary to continually evaluate the controls with the auditing process. A detailed discussion on this is available in Chapter 32
devoted to security audits. We end this section by providing two mini cases as an exercise in Box 3.5.

BOX 3.5  Mini Cases

Mini Case 1
Company XYZ is a small company (20 people) with a manager and a system administrator reporting to him/her. The
two prepare a security policy, according to which some operations will have to be authorized by the manager and
executed by the system administrator, and the manager will know all the passwords and commands needed and how
to access and modify the logs. What is wrong in this situation? What rule has been violated?

Mini Case 2
Company ABC is a part of an organization based in the United States. The company in the United States, as part of a
recent decision to create a presence outside the United States, has bought the control of small companies based in
India, Singapore, Taiwan and Malaysia. A part of the process for integrating the various parts is to create a common
security policy by a committee that includes a member of their legal department (to verify the legal compliance). The
company then plans to send managers from their headquarters (based in the United States) to each country to make
sure the policy is implemented correctly. What is wrong in this planning?

3.5  Organizational Responsibility for Information Security Management


We discussed security policies, standards, guidelines, etc. (refer to Figure 3.1). Ideally, ‘best practices’ begin at the top and
percolate down in the organization. The senior management team members of an organization are the ‘strategists’ with ‘vision’
and long-term view. They exemplify their asset protection intent with the well-set policies directed toward this.
However, often, as it happens, too small a budget, too few personnel and too little consciousness of the management
constitute approximately half of the obstacles for IT security according to a study of the META Group (see Figure 3.6).


Organization’s Business Goals and Objectives
        |
Corporate Technology Strategy  <->  Assessment of Threats and Risks
        |
InfoSec Strategy
        |
InfoSec Policy
        |
Policy 1 | Policy 2 | Policy 3 | Policy 4 | Policy 5
        |
Standard
        |
Procedure, Procedure

FIGURE 3.5 Hierarchy of security policies, standards and procedures.

It may also happen that IT budgets invested in IT security prove misdirected in the long term. Given this, one of the important
tasks for the top management in an organization is to make their employees aware of the significance of IT security.
This starts with the formation of ‘security policies’ as we see in this chapter. Security policies, standards and procedures
stand in a certain hierarchical relationship in alliance with the organization’s overall business goals. This is illustrated
in Figure 3.5. There are a few important points to be noted with respect to Figure 3.5. First of all, to be understood
and effective, InfoSec policies must be traceable back to the corporate objectives. This is of foremost importance. As
an example of business goals/objectives, consider the following broad statement: ‘We shall embrace and expand the
use of electronic commerce (e-commerce) and related technologies in order to achieve cost reduction and business
efficiency to serve our world-wide customers’. A company might state: ‘We will increase the reach of our core business
applications to our customers through the use of the Internet and the World Wide Web’. This is an example of the corporate
technology strategy shown in Figure 3.5. Typically, the management works together with the Chief Security Officer
(CSO) and Chief Information Officer (CIO), drawing on their technical assistance to identify the most likely route a hacker or
virus would take into the system. So, after performing a scan of its business operations environment, an organization
may conclude that it operates at a high level of risk in its protection of sensitive information assets. This
could be the result of having performed an assessment of the threats and the resulting risks, as shown in Figure 3.5.
To counter this, an organization may form a strategy saying: ‘We will use cost-effective security measures to protect
our information assets.’ A statement for the overall security policy of an organization might read like: ‘All users will be
authenticated whether or not working remotely. This will be applicable to full time employees in permanent service of
the organization as well as those sourced from contractors.’ A ‘standard’ could be: ‘Remote access users will use dual-
factor authentication using (so-and-so) authentication tokens.’ Finally, the specific security procedure corresponding to
a chosen standard could be: ‘Users are to contact the remote access security administrator to receive their authentication
token after they have been approved for such access’.
Thus, we can see that the management role lies in defining business strategies, guidelines and processes/procedures, as well as
considering the volume of data, systems, subprocesses and persons. This is endorsed by the SSE-CMM, which lists the following
generic practices under the common feature of ‘planning performance’:

1. allocate resources;
2. assign responsibilities;
3. document the process;


4. provide tools;
5. ensure training;
6. plan the process.
Hence, the management in an organization should establish an IT standard and security structure that is binding on all
employees. It is thus important that the management deals with the topic of IT security and does not simply delegate it to
the IT departments. Central user administration is necessary in order to obtain a fully functional security system without the
need for a high budget. But technical solutions alone are not sufficient to guarantee comprehensive security. In addition
to organizational methods, sensitizing employees to security awareness is of great importance. Security is not a
product that can be installed once; it is an ongoing process.

BOX 3.6  Industry Leaders’ Thoughts on InfoSec

1. ‘Information Security is a combination of various factors. It involves technology, people and policy.’ – Sameer
   Kapoor, Executive Director, PricewaterhouseCoopers Pvt. Ltd.
2. ‘Information Security is not just a technology issue – this is a people and process issue too. The answer to this
   is education and awareness. You should talk to your employees.’ – Capt. Raghu Raman, Practice Head, Special
   Services Group, Mahindra Consulting.
3. ‘Security has to move away from being a technology issue and become a business related issue.’ – Sunil
   Chandiramani, Partner, Ernst & Young.

Courtesy: The above views are quoted from a public domain website (Network Magazine issue of April 2003).

3.6  Information Security Awareness Scenario in Indian Organizations


The majority of Indian software businesses are driven by multinationals located mainly in the United States. Today, the
US InfoSec industry stands at over USD 8.7 billion [see the uniform resource locator (URL) quoted in the Further Reading
section]. In the present global digital economy, information flows more often than not through the complex IT infrastructure
in place. To be efficient at managing, operating and protecting this IT infrastructure, there is a need for a common
set of guidelines for the use of and access to information assets. This is why we discussed policies, guidelines and standards for
information systems security.
In the global context for IS and the threats to IS (Chapters 1 and 2), it is clear that many business processes do not work
without reliable IT systems, and thus the confidentiality, integrity and availability of information are of high importance in today’s
business life. So, let us understand where we stand on ‘IT/information security awareness’ as far as the Indian scenario is
concerned.
The complexity of security administration in managing large networks is, nowadays, a big issue. Although organizations
know about the ever more frequent security attacks, they update their safety devices only when it is already too late. This can
only be ascribed to ‘attitude’ and ‘mindset’ problems with respect to security. Although the scenario is progressively improving,
awareness of Indian companies in the matter of information systems security still is far behind that of European countries and
the United States. Figures 3.6 and 3.7 show the status on ‘security awareness’ and ‘security challenges’ faced by most Indian
organizations. Although it is based on some past surveys, it is illustrated here only to drive home the point that heightening
this awareness is important because India, among other countries in the South East Asian region, is now becoming one of
the preferred off-shore locations (mainly owing to cost reasons and availability of English-speaking IT-trained manpower) for
outsourcing businesses.
Owing to factors such as globalization and reasons of regulatory nature, certain Indian companies are now more serious
about information security. But the rest are complacent and need to do a lot more than just implementing solutions.
International companies, seeking to outsource work to Indian firms, insist on security assurance/security certification and
security governance. They insist on adherence to laws, standards and business practices prevalent in their respective countries.
Not surprisingly, the top software services companies, IT-enabled services companies and BPO outfits are going in for security
certifications such as BS 7799 or ISO 17799. Thus, regulatory requirements become one more driver for increased security
awareness.


Barriers to security (multiple responses allowed; share of respondents on a 0%–70% scale; current year, global):
Labour expense; Lack of management support; Lack of department/group cooperation; Lack of mature tools;
Poorly defined policy; Pace of change; Lack of qualified staff; Lack of time; Lack of training;
Complexity of technology; Capital expense.

FIGURE 3.6 Barriers to security.

IT security challenges (share of respondents):

Employee awareness                                                    68%
Senior business management support                                    17%
Senior IT management support                                           6%
Unclear roles and responsibilities (e.g., between IT and business)    26%
Budget                                                                38%
Availability of tools/security solutions                              36%
Availability of specialist people or skills internally                50%
Speed of change, increasing sophistication of threats                 70%
Ill-defined/poorly understood risk management requirements            36%

FIGURE 3.7 IT security challenges for Indian organizations.

Summary
IS in an organization will continue to face threats given the global paradigm in today’s digital economy. It is the responsibility
of the management to address the security issues by forming appropriate security policy. The matter of security implementation
is complex and all stakeholders must be involved to understand and commit to the hierarchical relationship of the organization’s
business objectives to its security policies down to procedures. Standards and guidelines must also be considered for their role
in security policy.


Review Questions
1. Explain the role of senior management in an organization with respect to information security management.
2. Explain the hierarchical relationship between policies, standards, guidelines and business objectives.
3. What are the different types of policies that exist and what purpose do they serve?
4. What is the intent of the SSE-CMM and what are the various process areas in it?
5. What are the four levels of documentation that result from the implementation of the ISMS?

Further Reading
Babu, V.V.R. (CIO, ITC Limited) Embedding Security into Corporate Life, article published in 2004 issue of Network
Magazine India.
Gray, T. (October 2003) Security in the Post-Internet Era: The Needs of the Many vs. the Needs of the Few, University of
Washington, last update 1 March 2004.
http://www.sse-cmm.org/model/model.asp for the SSE-CMM document.
NASSCOM-ITAA Poll, Information Security offers a Considerable Competitive Advantage, 11 October 2004.
Network Magazine Issue of April 2003.
Rogers, L. (2003) Security Matters: Can You Prove It?, published at news@sei interactive 1Q.
Subramanian, K. (Deputy Director General, National Informatics Centre, Government of India). (2004) Security and Standards:
A Global Challenge and Integrated Enterprise, published at www.i4donline.net.
www.freedoniagroup.com/Information-Security (accessed 21 January 2006) for a brief of US information security
industry size.
www.issea.org (accessed 14 March 2008) for SSE-CMM (Security Engineering Capability Maturity Model) related
details and white papers and presentations.
http://www.bsi.bund.de/zertifiz/itkrit/itsem-en.pdf to access the Information Technology Security Evaluation Manual
(ITSEM).
www.sse-cmm.org for the details of the Systems Security Engineering Capability Maturity Model.

*  Refer to Appendices S and AD for useful information related to the concepts discussed in this chapter.

4  Building Blocks of Information Security

Learning Objectives
After completing this chapter you will be able to:
• understand basic concepts that are the building blocks for InfoSec.
• learn InfoSec related basic definitions.
• understand the three pillars of information security.
• understand information classification and the criteria for classification and learn to categorize business systems.
• learn about various roles involved in information classification (this will help in appreciating concepts in asset
  management re-emphasized in Chapter 34).
• understand data obfuscation.

4.1 Introduction
So far, we have discussed the role of information systems (IS) in the global context, the crucial role that IS play in
the modern digital economy, how information systems are getting complex given the combined effect of globalization and
liberalization, etc. (Chapter 1). In Chapter 2, we discussed how the developments in information technology (IT) open the door
to new threats, typical attacks on computer-based IS, how various threats are classified, etc. Chapter 6 was devoted to the
new phenomenon called mobile computing and the unique threats that come in due to the proliferation of handheld devices
and the impending security implications for organizations in this new paradigm of the mobile workforce. In Chapter 3 we had
the important discussion on organizational scenarios in information systems security. We discussed organizational
responsibility for information systems security. We also explained the role of security policies and security procedures,
standards and guidelines, etc. With this background, we now present the layers of information security (InfoSec).

4.2  Basic Principles of Information Systems Security


With the background set through earlier chapters, our aim in the current chapter is to provide a comprehensive overview of
the fundamental concepts in InfoSec. This is essential for forming the right kind of background for the discussion on risk
assessment and analysis, which is the cornerstone for any security management exercise in organizations. Concepts developed
here are important as the reference point for the next chapter. Before proceeding further, we present the security goals in
Figure 4.1. These are also known as the ‘three pillars of InfoSec’.
The ideal approach to security is the ‘onion skin’ approach (depicted in Figure 4.2), in which the failure of any security
control will not leave an asset completely unprotected; this is the concept of ‘defense-in-depth’. In Chapter 1, we provided a
discussion to understand what IS mean.

FIGURE 4.1 Security goals: Confidentiality, Integrity, Availability.

Security layers, outermost to innermost: Physical Security; Administrative and Procedural Security; Application Security;
System Security, Data Security, Hardware and Software Security.

FIGURE 4.2 Security layers.

Reader must understand that the term ‘system’ is very generic and its meaning can
change with context. In the paradigm of information systems security, ‘system’ can denote a number of things:
1. A product or component, for example, a cryptographic protocol, a card for wireless network access, a smart card or say
a motherboard or Personal Computer Memory Card Industry Association (PCMCIA) card (see the URL in the Further
Reading section) of a personal computer (PC), or a disk controller on a PC, that is, a hardware unit that performs a certain
function by virtue of its design.
2. An operating system (OS) and communication system on a network.
3. Organization staff, organization structure, security policies, standards, guidelines and procedures together as a collection.
4. The Internet, which is a system consisting of a large number of computers and computer networks.
5. An application system such as a financial accounting system, a payroll system, etc.


4.3  Security-Related Basic Terms and Definitions


In this section, we introduce some fundamental terms important for discussions about security-related topics. These terms
are important in the domain of e-security, that is matters of electronic security. Only the major terms related to InfoSec and
e-security are addressed here. For Glossary of Security Terms visit the uniform resource locators (URLs) provided in the Further
Reading section.
1. Electronic security: Protection resulting from all measures designed to deny unauthorized persons information
of value that might be derived from the interception techniques or any other illegitimate means of obtaining
information.
2. Non-repudiation: Method by which the sender of data is provided with a proof of delivery and the recipient is assured
of the sender’s identity (ID), so that neither can later deny having processed the data. This concept is connected with
the concept of ‘electronic signature’.
3. Electronic signature: Process that operates on a message to assure message source authenticity and integrity, and source
non-repudiation.
4. Encryption: Modification of data for security purposes prior to their transmission so that they are not comprehensible
without the decoding method.
5. Cipher: Cryptographic transformation that operates on characters or bits of data (more on this in Chapter 14).
6. Cryptanalysis: Being able to ‘break’ the cipher so that the encrypted message can be read. It can be accomplished by
exploiting weaknesses in the cipher or in some fashion determining the key (more on this in Chapter 14).
7. Cryptography: Principles, means and methods for rendering information unintelligible and for restoring the encrypted
information to an intelligible form. The word ‘cryptography’ comes from the Greek words kryptos meaning hidden and
graphein meaning to write (more on this in Section 14.2 of Chapter 14).
8. Denial of service (DoS) attacks: This term was mentioned in Chapters 2 and 5. The DoS attack might use some of the
following techniques to overwhelm a target’s resources:
• filling up a target’s hard drive storage space by using huge electronic mail (e-mail) attachments or file transfers;
• sending a message, which resets a target host’s subnet mask, causing a disruption of the target’s subnet
routing;
• using up all of a target’s resources to accept network connections, resulting in additional network connections being
denied.
Subnet mask is a scheme that distinguishes network ID from host ID. It is used to specify whether the ‘destination host’
is local or remote. For understanding the basics of subnet mask, readers are encouraged to visit the URLs provided in
the Further Reading section.
9. Interception: This term is typically used with defense systems and warfare. The term is introduced here because it is used
in explaining other security-related terms in this section.
10. TEMPEST: This is a short name that refers to investigation, study and control of compromising emanations from
telecommunications (TC) and automated IS equipment. This term is often used in connection with military/defense
applications.
11. TEMPEST test: This is yet another term used in connection with military/defense applications. It refers to laboratory
or on-site test to determine the nature of compromising emanations associated with TC or automated IS.
12. TC and automated information systems security: Protection afforded to TC and automated IS, in order to prevent
exploitation through interception, unauthorized electronic access or related technical intelligence threats and to ensure
authenticity.
13. Technical penetration: Deliberate penetration of a security area by technical means to gain unauthorized interception
of information-bearing energy.
14. Spoofing: Interception, alteration and retransmission of a cipher signal or data, in such a way as to mislead the recipient.
Spoofing refers to an attacker deliberately inducing a user (subject) or a device (object) into taking an incorrect action
by giving it incorrect information.
15. Steganography: Art of hiding the existence of a message. For example, in a digital image the least significant bit of each
word can be used to comprise a message without causing any significant change in the image. The word ‘steganography’
comes from the two Greek words: steganos meaning ‘covered’ and graphein meaning ‘to write’. Steganography can be
used to make a digital watermark to detect the illegal copying of digital images. Thus, it aids confidentiality and integrity
of the data.


4.4  The Three Pillars of Information Security


The following three concepts are considered the pillars of InfoSec (also known as the ‘big three’ in InfoSec, as shown in
Figure 4.3): confidentiality, integrity, and availability (CIA). These concepts represent the fundamental principles of InfoSec.
All the InfoSec controls and safeguards, and all the threats, vulnerabilities and security processes are subject to this CIA
yardstick.

FIGURE 4.3 The CIA triad: Confidentiality, Integrity, Availability.

Confidentiality
In the domain of InfoSec, the concept of ‘confidentiality’ is used as an attempt to prevent the intentional or unintentional
unauthorized disclosure of message contents. Loss of confidentiality can occur in many ways, such as through the intentional
release of private company information or through a misapplication of network rights. Similar issues in mobile computing are
discussed in Chapter 6.

Integrity
This is yet another very important concept in InfoSec. The concept of integrity ensures that:

1. Modifications are not made to data by unauthorized personnel or processes.


2. Unauthorized modifications are not made to data by authorized personnel or processes.
3. The data are internally and externally consistent, that is the internal information is consistent among all subentities and
the internal information is consistent with the real world, external situation (Box 4.1 along with the included figure
illustrates an example of data integrity).

What Loss to Data Integrity and Confidentiality Means to Organizations

It is important that data adhere to a predefined set of rules, as determined by the database administrator (DBA)
or application developer. As an example of data integrity, consider the simple data as in a payroll application or
employee master data. Tables are called employees and departments and present the business rules for the
information in each of the tables, as illustrated in the figure on the next page (note that some columns in each
table have specific rules that constrain the data contained within them):
This illustration shows tables called DEPT and EMP. Table DEPT has three columns:
BOX 4.1 1. DEPTNO;
2. DNAME;
3. LOC.

Each value in the DNAME column must be unique. Table EMP has six columns:

1. EMPNO;
2. ENAME;
3. Other columns;
4. SAL;

ISS_Chapter_04.indd 40 4/24/2017 4:20:57 PM


BUILDING BLOCKS OF ­INFORMATION SECURITY   41

5. COMM;
6. DEPTNO.

Each row must have a value for the ENAME column. Each row must have a value for the EMPNO column, and the
value must be unique. Each value in the DEPTNO column must match a value in the DEPTNO column of the DEPT
table. Each value in the SAL column must be lower than 10,000.
In addition to the above, there are many other examples of loss of data confidentiality and data integrity. For example, through erroneous action, IT users can allow or cause loss of data confidentiality/integrity. The consequential damage depends on the sensitivity of the data involved. Examples of such erroneous actions are:

1. Through oversight, printouts containing personal data are not collected by staff members from the network printer.
2. Floppy disks are dispatched without the previously stored data being physically erased first.
3. Owing to incorrectly administered access rights, a staff member can modify data without being able to assess the critical impact of such a violation of integrity.
4. New software is tested using data that have not been anonymized. Unauthorized employees thus gain access to protected files or confidential information. It is also possible that third parties become aware of this information if the disposal of 'test printouts' is not correctly handled.

BOX 4.1 (Continued)

Table DEPT (rule: each value in the DNAME column must be unique)

DEPTNO   DNAME      LOC
20       RESEARCH   DALLAS
30       SALES      CHICAGO

Table EMP (rules: each row must have a value for the ENAME column; each row must have a value for the EMPNO column, and the value must be unique; each value in the DEPTNO column must match a value in the DEPTNO column of the DEPT table; each value in the SAL column must be less than 10,000)

EMPNO   ENAME     Other Columns   SAL       COMM     DEPTNO
6666    MULDER                    5500.00            20
7329    SMITH                     9000.00            20
7499    ALLEN                     7500.00   100.00   30
7521    WARD                      5000.00   200.00   30
7566    JONES                     2975.00   400.00   30
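The rules annotated in the Box 4.1 figure can be enforced by the database itself rather than by application code, so that every client of the database, including a buggy or malicious application, is held to them. The following is an added example (not from the book) that expresses those rules as SQL constraints in an in-memory SQLite database and shows each kind of violation being rejected. The table and column names, the sample rows and the SAL < 10,000 rule are the figure's; making DEPT.DEPTNO a primary key and SAL NOT NULL are assumptions for the example, and the helper names (open_db, try_insert_emp, employee_count) are the example's own.

```python
"""Box 4.1 integrity rules enforced as database constraints (added example)."""
import sqlite3

# DDL for the figure's two tables. The column names and the SAL < 10,000 rule
# are the book's; making DEPT.DEPTNO a primary key and SAL NOT NULL are
# assumptions for the example.
SCHEMA = """
CREATE TABLE DEPT (
    DEPTNO INTEGER PRIMARY KEY,
    DNAME  TEXT NOT NULL UNIQUE,            -- each DNAME value must be unique
    LOC    TEXT
);
CREATE TABLE EMP (
    EMPNO  INTEGER PRIMARY KEY,             -- required and unique per row
    ENAME  TEXT NOT NULL,                   -- every row needs an ENAME
    SAL    REAL NOT NULL CHECK (SAL < 10000),
    COMM   REAL,
    DEPTNO INTEGER NOT NULL REFERENCES DEPT(DEPTNO)  -- must match a DEPT row
);
"""

# Sample rows taken from the Box 4.1 figure ("Other columns" omitted).
SAMPLE_DEPTS = [(20, "RESEARCH", "DALLAS"), (30, "SALES", "CHICAGO")]
SAMPLE_EMPS = [
    (6666, "MULDER", 5500.00, None, 20),
    (7329, "SMITH", 9000.00, None, 20),
    (7499, "ALLEN", 7500.00, 100.00, 30),
    (7521, "WARD", 5000.00, 200.00, 30),
    (7566, "JONES", 2975.00, 400.00, 30),
]


def open_db():
    """Create an in-memory database with the schema and sample rows loaded."""
    conn = sqlite3.connect(":memory:")
    # SQLite does not enforce foreign keys unless asked to on each connection.
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO DEPT VALUES (?, ?, ?)", SAMPLE_DEPTS)
    conn.executemany("INSERT INTO EMP VALUES (?, ?, ?, ?, ?)", SAMPLE_EMPS)
    conn.commit()
    return conn


def try_insert_emp(conn, row):
    """Attempt to insert (EMPNO, ENAME, SAL, COMM, DEPTNO).

    Returns None when the row is accepted, otherwise the constraint message.
    The 'with conn' block rolls the statement back on failure, so a rejected
    row never leaves a partial change behind.
    """
    try:
        with conn:
            conn.execute("INSERT INTO EMP VALUES (?, ?, ?, ?, ?)", row)
        return None
    except sqlite3.IntegrityError as exc:
        return str(exc)


def employee_count(conn):
    """Number of rows currently in EMP."""
    return conn.execute("SELECT COUNT(*) FROM EMP").fetchone()[0]


if __name__ == "__main__":
    db = open_db()
    for candidate in [
        (7700, "SCOTT", 4000.00, None, 20),   # valid
        (7329, "DUPE", 1000.00, None, 20),    # duplicate EMPNO
        (7800, None, 1000.00, None, 20),      # missing ENAME
        (7801, "RICH", 10000.00, None, 20),   # SAL not below 10,000
        (7802, "LOST", 1000.00, None, 99),    # no such department
    ]:
        print(candidate, "->", try_insert_emp(db, candidate) or "accepted")
```

Run stand-alone, the script prints one line per candidate row: the first is accepted and each of the others is rejected with the name of the violated constraint (UNIQUE, NOT NULL, CHECK, FOREIGN KEY). Note that SQLite only enforces the DEPTNO reference when the PRAGMA is set on the connection; forgetting it silently turns the third rule of the figure off, which is exactly the kind of misconfiguration that lets an authorized process make an unauthorized modification.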

Availability
This is the last of the three properties in the InfoSec triad. 'Availability' ensures reliable and timely access to data or computing resources by the appropriate personnel. In other words, availability guarantees that the systems are up and running when they are needed. In addition, it guarantees that the security services needed by the security practitioner are in working order.
Complementing the CIA triad (and the illustration in Box 4.1), it is important to note that DAD is the reverse of CIA. DAD stands for disclosure (the opposite of confidentiality), alteration (the opposite of integrity) and destruction (the opposite of availability) of information.



42  INFORMATION SYSTEMS SECURITY

4.5  Other Important Terms in Information Security


The term automated information systems security is synonymous with computer security. There are also several other important concepts and terms that a security professional, security practitioner or student of an InfoSec course must fully understand. These concepts include identification, authentication, accountability, authorization and privacy. A brief description of each follows:
1. Identification: The means by which users claim their identities to a system. It is most commonly used for access control, and it is a prerequisite for authentication and authorization.
2. Authentication: The testing or reconciliation of evidence of a user's claimed identity. It establishes the user's identity and ensures that users are who they say they are. Authentication is a security measure designed to establish the validity of a transmission, message or originator, or a means of verifying an individual's eligibility to receive specific categories of information.
3. Accountability: A system's ability to determine the actions and behavior of a single individual within the system, and to trace those actions back to that particular individual. Audit trails and logs support accountability.
4. Authorization: The rights and permissions granted to an individual (or process), which enable access to a computer resource. Once a user's identity has been established through identification and authentication, authorization levels determine the extent of system rights that the user can hold. Thus, authorization is the set of access rights granted to a user, program or process.
5. Privacy: The level of confidentiality and privacy protection given to a user's data in a system. It is an important component of security controls. Privacy covers not only the fundamental tenet of confidentiality of a company's data, but also the privacy of the personal data being handled by the operator. For a detailed discussion of privacy concepts refer to Chapter 27.
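As an added example, not from the book, the following Python sketch puts the first four terms into one access decision: the user claims a name (identification), proves it with a password that is checked against a salted PBKDF2-HMAC-SHA256 hash (authentication), is granted or refused a right through a role (authorization), and every decision is written to an audit log (accountability). The user store, roles, permission names, iteration count and the helper names (add_user, identify, authenticate, authorize, access) are all constructed for illustration.

```python
"""Identification, authentication, authorization and accountability in one
small login/access flow (added example with an in-memory user store)."""
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 100_000  # assumption: illustrative work factor; tune for production


def hash_password(password, salt=None):
    """Return (salt, PBKDF2-HMAC-SHA256 digest). A per-user random salt makes
    identical passwords hash differently and defeats precomputed tables."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


# Constructed user store: the identity a user may claim, its credential and its role.
USERS = {}


def add_user(username, password, role):
    salt, digest = hash_password(password)
    USERS[username] = {"salt": salt, "hash": digest, "role": role}


add_user("alice", "correct horse battery staple", "hr")
add_user("bob", "hunter2", "staff")

# Authorization: rights are granted to roles, and users hold roles (constructed).
ROLE_PERMISSIONS = {
    "staff": {"directory:read"},
    "hr": {"directory:read", "payroll:read", "payroll:write"},
}

AUDIT_LOG = []  # accountability: every decision is recorded with who, what and why


def audit(event, username, detail):
    AUDIT_LOG.append({"ts": time.time(), "event": event, "user": username, "detail": detail})


def identify(username):
    """Identification: the user claims an identity; nothing has been proven yet."""
    return USERS.get(username)


def authenticate(username, password):
    """Authentication: verify the claimed identity against the stored credential."""
    record = identify(username)
    if record is None:
        # Do the expensive hash anyway so response time does not reveal
        # whether the account exists.
        hash_password(password, b"\x00" * 16)
        audit("auth_failure", username, "unknown user")
        return False
    _, digest = hash_password(password, record["salt"])
    ok = hmac.compare_digest(digest, record["hash"])  # constant-time comparison
    audit("auth_success" if ok else "auth_failure", username, "password check")
    return ok


def authorize(username, permission):
    """Authorization: does the authenticated user's role carry this right?"""
    record = USERS[username]
    return permission in ROLE_PERMISSIONS.get(record["role"], set())


def access(username, password, permission):
    """Full flow. The caller learns only 'granted' or 'denied'; the audit log
    keeps the reason, so the system, not the attacker, sees the distinction."""
    if not authenticate(username, password):
        return "denied"
    if not authorize(username, permission):
        audit("authz_failure", username, permission)
        return "denied"
    audit("access", username, permission)
    return "granted"
```

Two details carry the security point. The response to an unknown user and to a wrong password is the same word and takes the same time, so the login path does not become a username oracle; the audit log, which only the system reads, still records which it was. And rights are attached to roles rather than to code paths, so a change in who may write payroll is a change to data that the owner controls, not a redeployment.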

4.6  Information Classification


Having discussed some basic security terms, we now turn to another important topic from the security perspective: information classification. Generally speaking, organizations 'classify' their information so that each class receives suitable treatment in terms of InfoSec. It is not practical to protect all the information and information systems (IS) in an organization to the same degree. There are several reasons why organizations (government, private, public and defense) classify information. The main reason is that not all data/information have the same level of importance or the same level of relevance/criticality to an organization. Some data are more valuable to the people who make strategic decisions (senior management) because they aid them in making long-range or short-range business direction decisions. Some data, such as trade secrets, formulae (used by scientific and/or research organizations) and new product information (such as that used by the marketing staff and sales force), are so valuable that their loss could create a significant problem for the enterprise in the marketplace by creating public embarrassment or by causing a lack of credibility. Events like these could damage the company's goodwill.
Thus, information classification provides a higher, enterprise-level benefit. In Chapter 1, we discussed IS in a global context, indicating that information can have an impact on a business globally, not just at the business unit or line operation level. The primary purpose of classification is to enhance CIA and to minimize the risks to the information. In most countries, information classification has had the longest history in the government sector. Its value has been established there, and it is a required component when securing trusted systems. In this sector, information classification is primarily used to prevent unauthorized disclosure and the resultant failure of confidentiality.
The other reason for information classification may also be the compliance required with privacy laws and legislations,
or other regulatory compliance. A company may wish to employ classification to maintain a competitive edge in a tough
marketplace. There may also be sound legal reasons for a company to employ information classification, such as to minimize
liability or to protect valuable business information. In all, classification of information and information assets helps
organizations to apply security policies and security procedures toward protection of information assets that are considered
critical. We can summarize the benefits of information classification as follows:
1. Information classification is a demonstration toward an organization’s commitment to security protections.
2. It helps identify which information is most sensitive or vital to an organization.
3. It supports the tenets of CIA as it pertains to data (the pillars of InfoSec discussed in earlier part of this chapter).
4. It helps identify which protections apply to which information.
5. It fulfils statutory requirements toward regulatory, compliance or legal mandates.




Thus, the key point is that the information produced or processed by an organization must be classified according to the organization's sensitivity to its loss or disclosure. The data owners (see Section 4.9) are responsible for defining the sensitivity level of the data. This approach enables the security controls to be implemented appropriately for each level of the classification scheme. In the next section, the terms used for classification of data/information are introduced.

4.7  Terms for Information Classification


The following definitions describe the scheme of classification levels used in the government sector, ranging from the lowest to the highest level of sensitivity:
1. Unclassified: Information that is neither sensitive nor classified. The public release of this information does not violate confidentiality.
2. Sensitive but unclassified (SBU): Information that is not formally classified but whose disclosure could still cause some harm, though not serious damage. Answers to tests are an example of this kind of information; so is the health care information held by a hospital.
3. Confidential: Information designated to be of a confidential nature. The unauthorized disclosure of this information could cause some damage to the country's national security. This level is used for documents that fall between SBU and secret in sensitivity.
4. Secret: Information designated to be of a secret nature. The unauthorized disclosure of this information could cause serious damage to the country's national security.
5. Top secret: The highest level of information classification (e.g., information in defense organizations). Any unauthorized disclosure of top secret information could cause exceptionally grave damage to the country's national security.
Given the 'information overload' in present-day dynamic business environments, it is neither good to deal with too much information nor good to provide employees and other business entities with 'all' the data. Therefore, organizations make data available to those concerned on a 'need-to-know' basis. For this reason, the following data/information classification is also prevalent in most private organizations:
1. Public: Information similar to unclassified information (see above); all of an organization's information that does not fit into any of the other categories can be considered public. Disclosure of this information is not intended, but if it is disclosed, it is not expected to seriously or adversely impact the company.
2. Sensitive: Information that requires a higher level of protection than normal data. This information is protected from a loss of confidentiality, as well as from a loss of integrity owing to an unauthorized alteration.
3. Private: Typically, information of a personal nature that is intended for company use only. Its disclosure could adversely affect the company or its employees. Salary levels and medical information are examples of 'private information'.

4.8  Criteria for Classification of Data and Information


In view of the discussion so far, and of Box 4.2 illustrating data integrity issues, let us now discuss what criteria could be used for classifying information that is treated as a corporate resource. Several of the following criteria are used to determine the classification of an information object:
1. Value: This is the most commonly used criterion for classifying data in the private sector. If the information is valuable to an organization or its competitors, it needs to be classified.
2. Age: The classification of the information may be lowered if the information's value decreases over time. In the US Department of Defense, some classified documents are automatically declassified after a predetermined time period has passed.
3. Useful life: If the information has been made obsolete owing to new information, substantial changes in the company or other reasons, the information can often be declassified (considerations like these are especially important in the CRM, data warehousing and data mining (DM) domains).
4. Personal association: If information is personally associated with specific individuals or is addressed by a privacy law, it may need to be classified. For example, investigative information that reveals informant names may need to remain classified.




BOX 4.2 Data Integrity and Availability Issues in a CRM Environment

CRM stands for customer relationship management (Parvatyar, Sheth & Shainesh, 2005; Gosney & Boehm, 2000;
Brown, 1999). CRM applications are dependent on good quality transactions data that can be captured into a
company’s data marts that, in turn, can be used for the purpose of data mining (DM). CRM along with DM is used for
making a number of strategic decisions for the business.
Despite the proliferation of enterprise resource planning (ERP) systems and other integration technologies, many
organizations store their related data in several disconnected systems, each of which is available to a limited number
of people within specific departments. For example, an accounting system contains customer records, transactions
and payment histories. Prospect or donor records may exist in a contact management system, or Outlook.
Correspondence may exist within saved Word documents on a server and e-mails are scattered across any number
of desktops in different departments.
Marketing campaign results and quarterly revenue forecasts may populate a series of spreadsheets. Other
information may reside on the laptops of individual consultants or field workers, where the information is
unavailable to many who may have a periodic need for it. Some of the information in these disparate sources
is of the same type (client contact information) and much of it is different, yet it is all related to the work of the
organization and its clientele. These ‘islands of data’ often create several disadvantages for the organization
that operates in this environment, but many of the disadvantages can be overcome by the broader features of a
CRM solution.
For the discussion on basic InfoSec concepts in this chapter, it is important to understand the operational
problems posed for an organization in the light of what is said above. This is explained as follows:

1. System management issues: The more applications and databases that a company has running, the more potential 'points of failure' there are in the information environment. The workload in any IT department increases with the number of applications and databases that it supports; it is easier to manage 1 software application than 10. Having information in hundreds of databases makes no sense, since it is extremely difficult to extract information out of fragmented systems. Since several existing applications can be subsumed by a single data integrity solution, it is important for organizations to streamline corporate information in an integrated database environment.
2. Duplication of effort in inputting data: Multiple systems that store some of the same information often require the data to be entered multiple times. If two or more people are entering client data into different systems, they are wasting both time and effort. Those separate systems may be replaced by a single CRM application in which client information is entered once and made available to all groups and departments that need it. But the problem does not stop there.
3. Data integrity issues – same information entered differently by different individuals: Duplicated data entry can
have extensive negative impact. Users may enter the data differently, leading to different interpretations of the
same information. If the data change over time, it can be difficult to know which data are current – this creates
serious problems for DM applications. For example, a client’s address can be stored in two separate systems.
Sales person might update the information on her laptop, but the address will remain unchanged in the
database at the back-end used for generating various business reports. One needs a system to consolidate
these records, so that only one record needs to be maintained, and the current information becomes available
to all. Therefore, the well-integrated corporate databases can help to improve the overall integrity of data within
the organization for their use in CRM.
4. No data synergy: When your client data are stored in different places, your view of ‘all that is happening’ with
respect to an issue is limited by the particular database with which you are working, and therefore, your ability
to make optimal business decisions can be limited. Or you cannot find out what is going on in your business
because the information is in too many places. This is a classic example of lack of data integrity. A single
repository of information allows you to see ‘the big picture’, allowing decision makers to clearly identify the real
issues, and make more effective strategic decisions.
5. More time searching for information, less time acting on it: This is the real problem in most organizations suffering from lack of data integrity. Disparate data cause frustrating problems, chiefly time wasted searching for information. That information might simply be the contents of an e-mail that a coworker received from a client. The e-mail is on the coworker's 'C' drive, and nobody else has access to it. Through integrated data systems, there should be a provision to centrally store that information where it is available to anyone that needs it, freeing up time otherwise spent searching for the information and instead using the information to make more effective decisions that generate results.




BOX 4.3 How do Organizations 'Classify' Data and Information?

There are many ways to do this. Several steps need to be taken for establishing a classification system. The following are the primary procedural steps:

1. Identify the owner/administrator/custodian for data/information that are considered important.
2. Specify the criteria for how information will be classified and labeled (see Section 4.7).
3. Have the data classified by their owner, who has the responsibility for reviewing the data/information before handing it over for storage as a 'corporate resource'.
4. Specify and document any exceptions to the classification policy.
5. Specify the 'controls' that will be applied to each classification level, that is, depending on its classification, who is authorized to access the data/information.
6. Specify the termination procedures for declassifying the information, for transferring custody of the information to another entity, and for data purging or data obfuscation.
7. Create an enterprise awareness program about the data/information classification controls.
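As an added example that is not part of the book, the following Python code applies the labels of Section 4.7, the 'age' criterion of Section 4.8 and steps 2, 5 and 6 of Box 4.3 in one place: the levels form an ordered scale, a subject may read a document only if its clearance dominates the document's current level and it holds every need-to-know compartment the document carries, each level maps to a set of controls, and a declassification date lowers the effective label automatically at decision time. The compartment names, the control settings, the sample documents and subjects and the helper names (effective, marking, can_read, required_controls) are assumptions made for illustration.

```python
"""Classification labels as an ordered scale, need-to-know checks and
age-based declassification (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, Optional

# Section 4.7 government scheme as an ordered scale; a higher rank is more sensitive.
LEVELS = ["UNCLASSIFIED", "SBU", "CONFIDENTIAL", "SECRET", "TOP SECRET"]
RANK = {name: rank for rank, name in enumerate(LEVELS)}

# Box 4.3 step 5: the controls attached to each level. These settings are an
# assumption for illustration, not a policy the book prescribes.
CONTROLS = {
    "UNCLASSIFIED": {"encrypt_at_rest": False, "log_reads": False, "two_person_release": False},
    "SBU":          {"encrypt_at_rest": True,  "log_reads": False, "two_person_release": False},
    "CONFIDENTIAL": {"encrypt_at_rest": True,  "log_reads": True,  "two_person_release": False},
    "SECRET":       {"encrypt_at_rest": True,  "log_reads": True,  "two_person_release": False},
    "TOP SECRET":   {"encrypt_at_rest": True,  "log_reads": True,  "two_person_release": True},
}


@dataclass(frozen=True)
class Document:
    title: str
    level: str                                   # assigned by the owner (Table 4.1)
    compartments: FrozenSet[str] = frozenset()   # need-to-know groups, e.g. {"PAYROLL"}
    declassify_on: Optional[date] = None         # Section 4.8 'age' criterion


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str
    need_to_know: FrozenSet[str] = frozenset()


def effective(doc, today):
    """Age criterion: on or after declassify_on the document becomes
    UNCLASSIFIED and its compartments no longer apply."""
    if doc.level not in RANK:
        raise ValueError("unknown classification level: %r" % doc.level)
    if doc.declassify_on is not None and today >= doc.declassify_on:
        return "UNCLASSIFIED", frozenset()
    return doc.level, doc.compartments


def marking(doc, today):
    """Box 4.3 step 2: the label stamped on the document, e.g. 'SECRET//PAYROLL'."""
    level, comps = effective(doc, today)
    return "//".join([level] + sorted(comps))


def can_read(subject, doc, today):
    """'No read up' plus need-to-know: the clearance must dominate the effective
    level and the subject must hold every compartment the document carries."""
    level, comps = effective(doc, today)
    return RANK[subject.clearance] >= RANK[level] and comps <= subject.need_to_know


def required_controls(doc, today):
    """Box 4.3 step 5: the control set that applies to the document today."""
    level, _ = effective(doc, today)
    return CONTROLS[level]


# Constructed sample data for the example.
PAYROLL_REPORT = Document("Q1 payroll", "SECRET", frozenset({"PAYROLL"}), date(2021, 1, 1))
PRESS_RELEASE = Document("Product launch press release", "UNCLASSIFIED")
HR_MANAGER = Subject("hr-manager", "SECRET", frozenset({"PAYROLL"}))
ANALYST = Subject("analyst", "TOP SECRET")       # cleared high, but no need-to-know
CLERK = Subject("clerk", "SBU")
BEFORE = date(2020, 6, 1)
AFTER = date(2021, 6, 1)

if __name__ == "__main__":
    for who in (HR_MANAGER, ANALYST, CLERK):
        for when in (BEFORE, AFTER):
            print(who.name, when, marking(PAYROLL_REPORT, when),
                  "read" if can_read(who, PAYROLL_REPORT, when) else "no read")
```

Two things are worth noticing. The analyst holds a higher clearance than the document's level and is still refused, because classification level alone is not need-to-know; the compartment check is what implements the 'need-to-know' basis described above. And the effective label is recomputed from the declassification date at every decision rather than stored once, so a document that has lapsed cannot be missed by a forgotten batch job; the 'value' and 'useful life' criteria of Section 4.8 have no such clock and still need the periodic owner review of Table 4.1.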

4.9  Information Classification: Various Roles


From the security perspective, the roles and responsibilities of all participants in the information classification program must be clearly defined. A key element of the classification scheme is the role that the users, owners or custodians of the data play in regard to the data. The roles that the owner, the custodian and the user play in information classification are described in Table 4.1 along with their responsibilities. Concepts such as these are important for project leaders and project managers in software development organizations, even from the configuration management and data management perspective, aspects that are emphasized by continuous improvement models such as the International Organization for Standardization (ISO) 9001:2000 and the Software Engineering Institute's (SEI) Capability Maturity Model Integration (CMM-I) (see www.iso.org and www.sei.cmu.edu for details). The information on roles provided in the table is also important from the legal perspective, which is very important in the security domain.

TABLE 4.1 Roles and responsibilities of the owner, the custodian and the user

Role: Owner
An information owner may be an executive or manager of an organization. An owner is different from a custodian. The owner has the final corporate responsibility for data protection, and under the concept of due care, the owner may be liable for negligence because of failure to protect these data. However, the actual day-to-day function of protecting the data belongs to a custodian.
Responsibilities: This person is responsible for the information asset(s) that must be protected. In particular, the responsibilities of an information owner include the following:
1. making the original decision as to what level of classification the information requires, based on the business needs for the protection of the data;
2. reviewing the classification assignments periodically and making alterations as the business needs change;
3. delegating the responsibility for the data protection duties to the custodian.

Role: Custodian
An information custodian is the personnel to whom the owner delegates the day-to-day protection of the data.
Responsibilities: The duties of a custodian may include the following:
1. running regular backups and routinely testing the validity of the backup data;
2. performing data restoration from the backups when necessary;
3. maintaining the retained records in accordance with legal requirements and the information classification policy.
Additional duties of the custodian may include being the administrator of the classification scheme.

