Keeping the essence of the first edition, this new edition of Information Systems Security is restructured to meet the ever-growing demand for books that give a comprehensive treatment of the Information Security topic. Designed with ample figures to illustrate key points and Review Questions and Reference Material Pointers at the end of each chapter, it is truly a treatise on the subject. This book should prove a valuable reference on the topic to students as well as professionals. It is useful for candidates appearing for the CISA certification exam and maps well with the CBOK for CSTE and CSQA Certifications.
Nina Godbole has vast experience in the IT industry – System Analysis & Design and Development, as well as Application Support Services, MIS, IT Perspective Planning, Training, Security Audits, Quality Management and Operations Management. Nina has also led BPR initiatives and has played an instrumental role in successfully driven organizational initiatives – the ISO 9001, P-CMM and CMM-I. She is an active member of many professional bodies and academic research groups.
Foreword by Dr. Bhuvan Unhelkar
2nd EDITION
INFORMATION SYSTEMS SECURITY
Security Management, Metrics, Frameworks and Best Practices
NINA GODBOLE
SHELVING CATEGORY: Computer Science
Wiley India Pvt. Ltd.
4435-36/7, Ansari Road, Daryaganj
New Delhi-110 002
Customer Care +91 11 43630000
Fax +91 11 23275895
csupport@wiley.com
www.wileyindia.com
ISBN: 978-81-265-6405-7
9 788126 564057
INFORMATION SYSTEMS SECURITY
Security Management, Metrics, Frameworks and Best Practices
2nd EDITION
NINA GODBOLE
Copyright © 2017 by Wiley India Pvt. Ltd., 4435-36/7, Ansari Road, Daryaganj, New Delhi-110002.
Cover Image: teekid/Getty Images
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by
any means, electronic, mechanical, photocopying, recording or scanning without the written permission of the
publisher.
Limits of Liability: While the publisher and the author have used their best efforts in preparing this book, Wiley and
the author make no representation or warranties with respect to the accuracy or completeness of the contents of this
book, and specifically disclaim any implied warranties of merchantability or fitness for any particular purpose. There are
no warranties which extend beyond the descriptions contained in this paragraph. No warranty may be created or
extended by sales representatives or written sales materials. The accuracy and completeness of the information provided
herein and the opinions stated herein are not guaranteed or warranted to produce any particular results, and the advice
and strategies contained herein may not be suitable for every individual. Neither Wiley India nor the author shall be liable
for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or
other damages.
Disclaimer: While every effort has been made to trace copyright holders, trademark holders and obtain permission; any
omissions are inadvertent and will be rectified in future editions if brought to our notice. The contents of this book have
been checked for accuracy. Since deviations cannot be precluded entirely, Wiley or its author cannot guarantee full
agreement. As the book is intended for educational purpose, Wiley or its author shall not be responsible for any errors,
omissions or damages arising out of the use of the information contained in the book. This publication is designed to
provide accurate and authoritative information with regard to the subject matter covered. It is sold on the understanding
that the Publisher is not engaged in rendering professional services.
Trademarks: All brand names and product names used in this book are trademarks, registered trademarks, or trade
names of their respective holders. Wiley is not associated with any product or vendor mentioned in this book.
All the images that appear in the book are merely for the purpose of providing visual examples for readers to enable a
better understanding because as the old adage goes - “picture is worth a thousand words”; they are not intended as a hint
(direct or indirect) towards the promotion or recommendation of the products associated with those images.
Security is easy. Simply stop all communications with the external world; be a recluse, and you are secured. One is reminded of
an ancient fable: a king built the most secured palace in the world; it had no doors! Can businesses and the software applications
and services that help us transact with the external world really afford to do this? The answer is not worth spelling out.
Security was, is and will always be a double-edged sword. You have to expose your systems and applications to the external
world in order to conduct business, but you want to remain in control. Every business wants to keep its data, information and
knowledge secured from intruders and competitors. Every business also wants to expose the right kind of data, information
and knowledge to its business partners, employees, customers, government and stakeholders. How does one achieve this
balance?
The best approach, it seems, is to understand information and communication systems themselves, from a security
viewpoint. Then one needs to understand the ‘soft spots’, where the systems can be exposed to intrusion and risks, within
the overall architecture and design of these systems. These areas of risks can span the entire gamut of information systems
including databases, networks, applications, Internet-based communication, web services, mobile technologies and people
issues associated with all of them. Effective strategy to ameliorate the risks associated with these aspects of IT systems then
needs to be developed, to provide businesses with the confidence to operate in the real world. Furthermore, with increasingly
stringent legislations, such as the Sarbanes–Oxley (SOX) legislation, that impose rigid auditing controls over businesses –
particularly through their information and communication systems – it is vital for businesses to be fully aware of the security
risks associated with their systems, and develop and implement an effective strategy to handle those risks.
In this book, Godbole has done an excellent job of covering all of the aforementioned issues; and that too at the right depth.
She has impressively covered all significant aspects of security, as it deals with information communication technology (ICT),
with the appropriate depth. Being a practitioner herself, and with decades of experience to back her approach, Godbole has
provided the practicing ICT security professionals with a lucid text that explains various significant aspects of information
systems, their corresponding security risks and how to embark on a strategic approach to reducing and, preferably, eliminating
those risks. The coverage is impressive and relevant to industry practice.
Godbole starts the book with a discussion of information and communications system in the global context before quickly
moving to the threats to these systems. With the backdrop of the first two chapters, the book moves to Chapter 3 on mobile
technologies, which provides an excellent description of the security risks associated with these emerging technologies and
warrants special mention. Discussion on security aspects of cutting-edge technologies continues throughout the book – for
example, Chapter 18 discusses security risks associated with web services and enterprise application integration and Chapter 20
explains security issues with federated databases which have special relevance in the extended enterprise paradigm. This
work discusses almost all significant aspects of security including its management and organization, physical and electronic
protection, risk analysis of security aspects of ICS, biometrics controls, networks and operating systems, firewalls and database
security, eventually culminating in the discussion on standards relevant to modern-day security.
This book is yet another addition from Godbole to her earlier book on software quality and indicates an excellent
evolution in thinking that is also rapidly maturing, providing valuable benefits to practitioners in the industry. This book is,
thus, a valuable reference for practitioners as well as students and is highly recommended.
Bhuvan Unhelkar
Director MIRAG (Mobile Internet Research and Application Group)
University of Western Sydney
Sydney, Australia
April, 2007
Nina Godbole has vast experience in the IT industry – SW development, system analysis and design,
business development and support services, training, quality management, operations management,
design and implementation of computer-based MIS applications. The author was instrumental in
preparing IT perspective plans for the client organizations as well as BPR initiatives, analysis for ERP
package deployment patterns in the USA and as a systems analyst for web-based application in France.
She has played an instrumental role in several successfully driven organizational initiatives – the ISO,
P-CMM, and CMM-I.
The author is an active member of professional bodies and academic research groups: ISACA-USA,
PMI-USA, the Mobile Internet Research and Applications Group (MIRAG) at an Australian University,
SW Process Improvement Network (SPIN), Institute of Management Consultants of India (IMCI), Computer Society of
India (CSI) and Pune Management Association (PMA).
Nina Godbole holds a Master's degree from IIT, Bombay and an MS Engineering (Computer Science) degree from Newport
University, USA. She has several international professional certifications to her credit – CQA, CSTE from the QAI-USA, CISA
from ISACA-USA, BVQI Certified ISO Auditor and a certified PMP from PMI. She is also a Certified Privacy Professional for
Information Technology (CIPP/IT) from the International Association of Privacy Professionals (IAPP), USA.
The author is also an ITIL foundation certified professional and has handled numerous training workshops and seminars
devoted to her domain expertise. She has been a visiting lecturer to various academic programs of Pune University for their
courses such as MCM, MCA, DCM, MDBR and ADCSSA. She has also addressed overseas students at Australian universities
as the guest faculty. The author is currently working in a large multinational organization in the business controls team, where
she has been the head for QA activities at one of its major export locations. As a CISA, she is actively involved in security audit
engagements for business units of the organization in India as well as for overseas customer accounts.
The new chapters developed for the second edition are as follows:
• Chapter 7: Security in Cloud Computing
• Chapter 8: Smartphone Security
• Chapter 10: The Internet of Things (IoT) and Smart Cities: Security and Privacy Challenges
• Chapter 19: Security of Electronic Commerce
The correspondence of the rest of the chapters in the second edition with respect to the chapters of the first edition is shown
in the following table:
The book is divided into eight parts whose broad themes are indicated below. In each part, there are multiple chapters
devoted to the theme of the part.
We have carried forward in this second edition all the Case Illustrations and seven checklists that the previous edition had.
The Appendices continue to be in the CD companion of the book. In addition, we have prepared an appendix, titled Web
links, which has a list of the URLs that each chapter mentions as the extended information resource. This addition is as per
the feedback received from the readers that it is difficult to type the long URLs in order to access the material on the Internet.
We believe this is an improvement and given that the book is now being heavily referred to in academic papers, plugging the
URLs into browsers, to access online material, is now much easier for our esteemed readers.
Mapping to a Workshop
We have modified the names of the chapters mentioned in the guidance, given the restructuring of the book mentioned above.
The Companion CD
The new edition too has its companion CD. The CD contents are listed as part of the Table of Contents.
Nina Godbole
March 2017
Mapping to a Workshop
The topics covered in the book can be mapped to a one-day or two-day workshop/seminar. The idea for mapping the chapters
to workshops comes from my numerous workshops and seminars conducted for practitioners as well as postgraduate students
in and outside India. The concepts presented in the book are the culmination of my work experience in the IT/software
industry as well as the sessions delivered at the workshops/seminars and the questions heard from the audience. In a way,
I have learnt from the active practitioners and sincere students participating in these workshops/seminars. Each chapter in this
book corresponds to a three-hour lecture topic when the book is used in an academic setup.
The Companion CD
The Companion CD is an integral part of the book and contains 37 appendices containing guidelines, checklists and additional
information. Also encased in the CD are 17 case illustrations to help readers appreciate/reinforce the understanding of the
concepts. The CD also provides ideas for mapping the contents of chapters to workshop or seminar on security and privacy.
Lists of Figures, Tables and Boxes that appear in the chapters are also provided in the CD. The CD has a Readme file which the
readers should go through.
Nina Godbole
September 2008
Writing a book is like planning a long journey with a goal; it not only involves complex thought processes and efforts but also
results in achieving milestones. The journey of the author is not alone; it is a journey of a thousand miles encompassing many
minds. The journey of this second edition, too, was fairly long; the manuscript development phase for the second edition
spanned over a year.
I am thankful to Wiley India for their continued faith in me. I would like to put in print my grateful appreciation for the
copy editing work by Ankush Kumar under the leadership of Meenakshi Sehrawat. They worked diligently to ensure a high
caliber product.
I specially thank my PhD research supervisor Dr. John Lamb who worked many years with IBM, USA, and who is also
the co-author for our book project in the domain of Cloud and Green IT. My discussions with him immensely helped in the
development of cloud technology related chapters in this new edition. He presented the papers that we jointly developed for
The CEWIT International Conference & Expo on Emerging Technologies for a Smarter World, which have been published
by the IEEE.
I am thankful to Dr. Bhuvan Unhelkar for having written the Preface for the first edition of the book. With him I have
published technical papers and have also contributed chapters to the reference handbook edited by him in the domain of
Mobile Business and Green IT.
The author would also like to take this opportunity to thank Mr. Anwar Tamboowala who did the technical review of some
of the chapters.
I am very grateful to my family whose support has been pivotal in my career and during this project too.
Several other individuals contributed in their own special ways; I sincerely thank all of them, though I have not individually
mentioned their names.
Nina Godbole
Foreword vii
About the Author ix
Preface to the Second Edition xi
Preface to the First Edition xv
Acknowledgments xix
List of Figures xliii
List of Tables liii
List of Boxes lv
Part I Introduction
1 Information Systems in Global Context
Learning Objectives 3
1.1 History of Information Systems 3
1.2 Importance of Information Systems 4
1.3 Basics of Information Systems 5
1.4 The Changing Nature of Information Systems 6
1.5 Globalization of Businesses and the Need for Distributed Information Systems 9
1.6 Global Information Systems: Role of Internet and Web Services 10
1.7 Information Systems Security and Threats: A Glimpse 12
Summary 13
Review Questions 13
Further Reading 13
8 Smartphone Security
Learning Objectives 129
8.1 Introduction: The Emergence of Smartphones 129
8.2 Smartphones: Security Risks, Issues and Challenges 130
Security Problems with Smartphones 132
8.3 Protected Health Information and Smartphones 134
8.4 Smartphones and Electronically Stored Medical Information: The Challenges 135
8.5 Smartphones: The Downside 140
8.6 Guidelines for using Smartphone Securely 141
Summary 143
Review Questions 143
Further Reading 143
14.6 Cryptographic Algorithms 282
Key Management 282
Asymmetric and Symmetric Keys 283
Secret Key Nuances 283
Summary 287
Review Questions 287
Further Reading 287
20 Security of Databases
Learning Objectives 387
20.1 Introduction 387
20.2 Database Security Challenge in the Modern World 388
20.3 Databases in the Context of Business Intelligence 388
20.4 Nature of Database Security Issues: Why it is Important? 390
20.5 Federated Databases: The Need and the Security Issues 390
What are Federated Databases? 392
How is a Federated Database System Used in Business 393
Understanding Federated Databases vis à vis Distributed Databases 395
Security Issues in Federated Database Systems 395
20.6 Securing the Contents of Mobile Databases 397
What and Why of Mobile Databases 397
Mobile Database Usage Scenarios 397
Mobile Databases: Security and Usage Issues 397
20.7 Securing Connectivity with Enterprise Databases 398
Database Security Issues 399
Guarding Against Database Vulnerabilities 399
20.8 Data Integrity as a Parameter for Database Security 402
20.9 Database Security Policy 403
User Access to the Database 403
Data Sensitivity 403
Audit Policy 404
Other Questions 404
Summary 405
Review Questions 405
Further Reading 405
25 Security Metrics
Learning Objectives 465
25.1 Introduction 465
25.2 What are Measurements and Metrics? 466
25.3 Security Metrics Basics 467
25.4 Security Metrics Classification 468
25.5 Why Security Metrics are Important 469
25.6 Benefits of Using Security Metrics 470
25.7 InfoSec Metrics Management in Organizations 470
25.8 Quantitative versus Qualitative Approach to Security Risk Metrics 470
34 IT Asset Management
Learning Objectives 715
34.1 Introduction 715
34.2 Understanding the Organizational Context for Asset Management 717
What is an Asset and Software Asset? 717
Information Technology Assets (IT Assets) and Business Assets 717
Information Assets in Organizations 722
Information in the Profit-Oriented World 724
Information in the Non-Profit World 724
34.3 Security Aspects in IT Asset Management 726
Assets, Risks and Asset Protection 726
34.4 Asset Management in Organizations: Issues and Challenges 727
IT Asset Management Challenges 727
Issues in Software License Management 728
Managing Distributed Software Assets 728
34.5 Asset Management Life Cycle 729
Planning for Assets 730
Evaluation/Asset Acquisition/Asset Procurement 730
Asset Deployment 731
Asset Usage and Change Management 731
Scrapping/Retiring/Salvaging the Asset 731
34.6 Tools for IT Asset Management 731
34.7 Benefits of Asset Management 732
34.8 Roles and Responsibilities in Asset Management 734
34.9 Identifying Asset Containers 735
Protecting Assets: Owners and Custodians 736
Custodian–Owners Scenarios in Asset Management 738
34.10 Organizational Best Practices in IT Asset Management 739
Asset Classification – Getting Ready for the Asset Register 740
Building the Asset Register/Asset Inventory: The Benefits 744
Software License Management 745
Managing Access to Organization’s Information Assets 746
36.4 Elements of Perimeter Security 782
Facility Access Control 782
Personnel Access Control 782
Protection for External Boundaries 784
Intrusion Detection Systems (IDSs) 785
Summary 786
Review Questions 786
Further Reading 786
Index 887
CD Content
Appendices
Case Illustrations
Workshop Mapping
Web Link
29.3 How web services work – broker, consumer and provider 593
29.4 How web services work – UDDI, SOAP and WSDL 593
29.5 WebSphere storefront for garden implements retail business 594
29.6 Web services standard stack and implementers 595
29.7 Data-filtering mechanism for privacy preservation 598
29.8 P3P-enabled HTTP transaction 602
29.9 A model for identity certificate 605
29.10 Context propagation protocols in web services 607
29.11 Use of service-oriented architecture (SOA) in day-to-day life 607
29.12 SOA for organizations 608
29.13 SOA 608
29.14 An example of secure service-based interactions 611
30.1 Reporting options for information security function 621
31.1 The business–IT interaction 628
31.2 DRP vis-à-vis BCP 630
31.3 Strategic grid 631
31.4 BCP roadmap 636
31.5 Business resiliency layers 643
32.1 Security audit context for organizations 647
32.2 Segregation of duties – SoD matrix 651
32.3 Typical IT infrastructure in an organization 658
32.4 Cross-site scripting attacks 662
33.1 Privacy certification roadmap 693
33.2 Phases of management cycle 695
33.3 Privacy audit life cycle activities 696
33.4 Privacy risk categories 699
33.5 Reporting structures for Privacy Officer 709
33.6 Data security attacks 709
33.7 Data privacy organization 711
34.1 Assets in organizations 716
34.2 Threats, vulnerabilities, assets and risks 718
34.3 The path to compromise an asset 718
34.4 Risk management matrix 720
34.5 Hardware assets of various kinds 721
34.6 VSAT usage scenarios 721
34.7 Sources of information for organizations 722
34.8 Trends affecting IT asset management 726
34.9 Stages in asset life cycle 729
34.10 Asset life cycle 730
34.11 Tokens for asset tracking 733
34.12 The asset life cycle and its workflows 734
34.13 Roles and responsibilities in the asset life cycle 735
34.14 Asset custodial responsibilities 737
34.15 Asset owners and custodians – possible scenarios 739
34.16 Benefits of asset inventory/asset register 744
34.17 Access management framework – key elements 747
26.1 Law, Case Law, Legislation Statutes and Jurisdiction: Alphabet Soup in Legal World 490
26.2 The Legal Side of Secure Electronic Commerce 492
26.3 Privacy versus Security: Two Sides of the Same Coin? 493
26.4 The US Computer Security Act of 1987 494
26.5 What Legal Status Does ‘Information’ Possess? 496
26.6 Toward a Culture of Security: OECD Guidelines 498
26.7 Data Protection Act 500
26.8 Need for Privacy in the Healthcare Industry 502
26.9 Does HIPAA Assure Protection and Privacy of Medical Data? 503
26.10 Health Data on Sale!!! 506
27.1 Types of Private Data 517
27.2 Privacy: Some Key Terms – Personal Information, Sensitive Personal
Information and Aggregate Information 518
27.3 Identity Theft – A Serious Personal and Business Issue 519
27.4 Do People Care for the Identity and Privacy: Survey Speaks! 520
27.5 Empowering Individuals for Control over their Data: Privacy Goals 521
27.6 Computer Forensics: Classic Example of Security and Privacy at Loggerhead 525
27.7 Protection of Privacy and Personal Data: The OECD Principles 527
27.8 Multi-Dimensions of Privacy 529
27.9 Why Should Companies Be Worried About Computer Fraud? 530
28.1 Channels of Direct Marketing 539
28.2 Privacy and Confidentiality 540
28.3 Fair Business Practices: Rules for Legal Marketing – Whether Online or Not 541
28.4 Customer Profiling through Clustering and Data Matching:
A Way of Business Intelligence 543
28.5 Offshore Outsourcing and Data Protection: Issues and Concerns 545
28.6 Safe Harbor Privacy Principles 546
28.7 Privacy in India: What a Survey Showed 547
28.8 Outsourcing and Privacy: Critical Questions 548
28.9 Protecting Valuable Information to Safeguard Clients’ Data 549
28.10 SSADM and Data Dictionary 555
28.11 RFID Technology Overview 557
28.12 RFID Tags 559
28.13 Characteristics of Technologies Used By Biometrics 565
28.14 Medical Biometrics − Personal Privacy and Medical Identity Theft 566
28.15 Biometrics and Privacy – Identification v/s Authentication 567
28.16 What is Chip Card? 574
28.17 A Day in the Life of a Software Agent: Scenario 579
28.18 Intelligent Software Agents Assess Machinery Health in Real Time 580
29.1 Federated Identity, Federated Trust Management and Federated Networks 601
29.2 P3P – A Direction in Website Privacy Preservation 602
29.3 PGP – Giving Privacy to Your E-Mails 604
29.4 Service-Oriented Architecture (SOA) 607
29.5 Context Sensitiveness: Some Illustrations 609
29.6 SSL and TLS 612
29.7 XML and XML Schema 613
39.3 Business–IT Alignment in Industry Projects: Using the ITIL Framework 833
39.4 ISM3 Specialty in the Jungle of Standards for InfoSec 834
39.5 CRAMM and Risk Management Methods 835
39.6 Common Certified Products 843
39.7 Audit Materiality and Audit Evidence 847
39.8 ISECOM Gives Birth to Open Source Security Testing 851
40.1 Terms of Reference – Computer Ethics 858
40.2 Computer Fraud and Abuses from Within 859
40.3 Software Piracy Issues 863
40.4 Ethical Dilemmas in the Real World 864
40.5 Information Warfare Classification 868
40.6 US Government Restrictions on Sharing of Cryptographic Technologies 870
40.7 The War of Key Escrow 871
40.8 Managing Copy Protection in the Digital World – DRM 873
40.9 New Kid on the Block – The Hacktivist!! 874
40.10 Ethical Guidance: A Crying Need for Today’s Professionals 877
40.11 The Philosophy Behind Copyrights 878
40.12 Cybersquatting and Trademarks 881
to maintain the operations and to remain competitive. Therefore, information is considered as a corporate asset. As with most
assets, the security of this corporate asset, namely information, too becomes crucial. In fact, security of information assets is
considered to be one of the success factors for businesses.
[Figure: An information system within an organization and its environment – supplier and customer in the environment; input, processing (classify, arrange, calculate), output and feedback within the information system]
In today’s global context, there is a consensus among strategists on a number of points regarding global businesses.
Large organizations piggy-back data flows on the complex management support systems and the global communications
they use to control their supply chains. Given this, business managers have reasons to believe that coordination of
organizational operations is the central tenet of globalization. Thus, smooth coordination of business activities [as
evidenced in supply chain management (SCM) and customer relationship management (CRM)] distinguishes the multi-
domestic and multinational organizations from a truly global business. Information technology (IT) facilitating global
coordination of organizations is today recognized as a key component of competitive strategy.
For successful operations in the global arena, multinational organizations need to be tightly linked in their information
and communication flow requirements. This amply brings out the nature and complexity of global coordination required
in organizations of the future. In the global perspective of businesses today, each geographical unit plays a distinctive role.
To sustain the pressures from business and to satisfy the decision-making requirement in today’s dynamic environment,
the nature of modern IS is such that they call for intensive and complex interaction between physically remote but
interdependent units. This is why our IS today are in a networked mode – in alliance with global business partners,
distributed and at multi-location giving rise to what we call the ‘extended enterprise’ in the digital economy. This concept
is depicted in Figure 1.2.
[Figure 1.2: Interdependence of business strategy, rules and procedures with hardware, software, database and telecommunications]
Thus, IS accept data from their environment and manipulate the data to produce information that is used to solve a
problem or address a business need. In the earlier days (say in the 1960s and 1970s), the majority of information systems were
manual systems. These days, however, information systems are mostly computerized, software-intensive systems. Today, the
vast majority of computerized IS rely on data warehouses and database management system (DBMS) software to manage
the storage and retrieval of the data/information in the system. Information systems consist of data, hardware, software,
procedures and people. Their major functions are: input, storage, processing, control and output. IS are usually developed
to support specific business functions such as the administrative functions common to most organizations. For example, in
finance, we have accounting and resource management (facilities and equipment). In the finance area, organizations need
financial management information systems (FMIS). For manufacturing-focused organizations, enterprise resource planning
(ERP) systems are important. In the human resource (HR) area, there are HR information systems and in marketing and
sales area, there are CRM systems. It is important to note at this point that not all types of information can be computerized,
especially the ones with an external source. Table 1.1 shows business area-wise organization of information.
In view of the discussion so far, conceptually, ‘information’ can be divided into three parts. First, there are data that bring
together all kinds of information that can be stored (such as personal data, information concerning customers, accounting,
etc.). Second, there is knowledge, that is, those aspects that are not immaterial but brought in by experienced employees.
Lastly, there is the action to send information to someone or something through the information system. However, a clear
distinction needs to be made between ‘information systems’ and ‘systems and data-processing networks’. An information
system refers not only to data but also to users and methods and thus is a more global notion. That is why some people
define an ‘information system’ as a system, whether automated or manual, that comprises people, machines and/or methods
organized to collect, process, transmit and disseminate data that represent user information.
each with their own intended purpose and goal. Thus, today, the IS used by business enterprises and individuals are no longer
monolithic, and no longer are they housed in a single location, residing on a single piece of hardware, that is, a server. Information
systems of today are distributed and component-based. For more details on the basics of information systems/management
information systems, readers can follow standard books on the topic; some texts are suggested in the Further Reading section.
In many of today’s information-intensive enterprises, the local structured procedures can be effectively and flexibly integrated
into the global work processes supporting the business goals. Figures 1.4–1.6 explain the configuration and paradigm of
mainframe-based systems, client/server-based systems and web-based architecture for IS.
[Figures 1.4–1.6: Mainframe-based configuration (dumb terminals echoing text, mainframe); client/server configuration (server, company databases, operating systems, back office/ERP); web-based architecture (web browsers, Internet/intranet/extranet, firewall, web server, application server)]
Boxes 1.1 and 1.2 explain mainframe-based systems vis-à-vis client/server architecture for IS and provide a business case for
the current trend toward client/server architecture of the IS.
BOX 1.1
In mainframe-based architectures used for IS (see Figure 1.4), all intelligence is within the central host computer.
Users interact with the host through a terminal that captures keystrokes and sends that information to the host.
Mainframe software architectures are not tied to a hardware platform. User interaction can be done using personal
computers (PCs) and Unix workstations. A limitation of mainframe software architectures is that they do not easily
support graphical user interfaces (GUIs) or access to multiple databases from geographically dispersed sites. In the
last few years, mainframes have found a new use as a server in distributed client/server architectures.
The term client/server was first used in the 1980s in reference to PCs on a network. The actual client/server
model started gaining acceptance in the late 1980s. The client/server software architecture is a versatile, message-
based and modular infrastructure that is intended to improve usability, flexibility, interoperability and scalability as
compared to centralized, mainframe, time-sharing computing. A client is defined as a requester of services and a
server is defined as the provider of services. A single machine can be both a client and a server depending on the
software configuration. Client/server system configuration is depicted in Figure 1.5.
In modern times, there is a general trend away from mainframe-based systems to client/server architecture. The
client/server technology makes it possible to provide dramatic improvements in customer service, while substantially
reducing the amount of time and training required for common service operations. Client/server computing may also
provide the best alternative for meeting new requirements for electronically interfacing with business partners; a
service that is very crucial in electronic business (e-business) era.
An important point to note is that contrary to many predictions and common belief, client/server computing is not
100% replacing traditional mainframe-based application systems. Instead, a blended system seems to be emerging
that combines the data-processing horsepower of the legacy mainframe applications with the opportunities for rapid
application development and electronic interfacing capabilities of the client/server technology. The cornerstone of
this solution is a three-tiered approach, in which an application layer provides an interface between the client/server
system and the legacy mainframe system.
BOX 1.2
The three-tier architecture (also referred to as the multi-tier architecture) was developed to overcome the limitations of the two-tier architecture. In the three-tier architecture, a middle tier was added between the user system interface client environment and the database management server environment. There are a variety of ways of implementing this middle tier, such as transaction processing (TP) monitors, message servers or application servers. The middle tier can perform queuing, application execution and database staging. For example, if the middle tier provides queuing, the client can deliver its request to the middle layer and disengage because the middle tier will access the data and return the answer to the client. In addition, the middle layer adds scheduling and prioritization for work in progress. The three-tier client/server architecture is known to improve the performance of groups with a large number of users (in thousands) and improves flexibility when compared to the two-tier approach. Flexibility in partitioning can be as simple as ‘dragging and dropping’ application code modules onto different computers in some three-tier architectures. A limitation with three-tier architectures is that their development environment is reportedly more difficult to use than the visually oriented development of the two-tier applications. Recently, mainframes have found a new use as servers in three-tier architectures.
The most basic type of three-tier architecture has a middle layer consisting of TP monitor technology. The TP monitor technology is a type of message queuing, transaction scheduling and prioritization service where the client connects to
the TP monitor (middle tier) instead of the database server. The transaction is accepted by the monitor, which queues it
and then takes the responsibility for managing it to completion, thus freeing up the client. When the capability is provided
by third-party middleware vendors, it is referred to as ‘TP Heavy’ because it can service thousands of users. When it is
embedded in the DBMS (and could be considered a two-tier architecture), it is referred to as ‘TP Lite’ because experience
has shown performance degradation when over 100 clients are connected. The TP monitor technology also provides:
Using the three-tier client/server architecture with TP monitor technology results in an environment that is
considerably more scalable than a two-tier architecture with direct client to server connection. For systems with
thousands of users, the TP monitor technology (not embedded in the DBMS) has been reported as one of the most
effective solutions. However, a limitation of the TP monitor technology is that the implementation code is usually
written in a lower level language (such as COBOL), and is not yet widely available in the popular visual toolsets.
brought the consumers and producers together, but also built the bridge between the ‘thinkers’, business people, the governments,
the common people, the academicians and so on. We need to consider the scope of modern-day IS in this global context.
In the new paradigm, IS handle information in all forms: not just the text-based data of the 1970s that typically came in flat files, but also rich text, images/graphics and voice. So, we are in the realm not only of terabytes of data but also of multimedia, multi-geography IS. The widening scope of IS can be summarized as follows:
1. 1950s: technical changes;
2. 1960s–1970s: managerial controls;
3. 1980s–1990s: institutional core activities;
4. Today: digital information webs extending beyond the enterprise.
Today’s firms are ‘digital’ in terms of their rapid operations mode. They are characterized by electronic commerce (e-commerce) and e-business to operate in the ‘digital market’ where IS link the buyers and sellers to exchange information, products, services and payments. Thus, today is the era of the ‘extended enterprise’, and to serve the needs of such networked enterprises, the IS, too, are no longer confined to a single location or a single computer. Figure 1.7 shows the wider boundaries of the modern information system vis-à-vis the past.
[Figure 1.7 (not reproduced): the widening boundaries of IS, from technical changes, managerial control and institutional core activities to customers, vendors and beyond the enterprise; business and home LANs connect through local, regional and world ISPs over conventional phone, T1, cable modem or digital subscriber lines.]
Web services perform functions ranging from simple requests to complicated business processes. Once a web service
is developed, other applications and other web services can discover and invoke the deployed service through universal
description, discovery and integration (UDDI). The idea of web services is to leverage the advantages of the web as a platform
to apply it to the services themselves, not just to the static information. ‘Services’ refer to components and the services offered
that can be used to build larger application services. Web services make it easier to build service-based architectures without
the applications being locked-in to a particular software vendor’s products.
Web services have been proven to give a strong return on investment (ROI) and make computer-based IS more adaptable.
They also help bring productivity, flexibility and low maintenance cost in the development of IS by integrating components
from various third-party vendors (another avenue for implementing appropriate security measures in the IS). Web services make
information available from computer systems to other applications using well-defined standards (see Box 1.3). Discussion of the details of standards adopted in web services is beyond the scope of this book. Interested readers can refer to web services-related topics provided in the Further Reading section.
BOX 1.3
Common object request broker architecture (CORBA®) and electronic data interchange (EDI) were created as single specifications, but web service vendors are adopting a series of standards that work together. In general, these standards can handle specific tasks. The advantage of this approach is that web service standards can evolve more easily as new requirements are identified.
The first standards to be agreed upon concern basic interoperation among applications, and since then, a series of standards have covered web services discovery, security, transactions and coordination. There is also a body, the Web Services Interoperability Organization (WS-I), charged with overseeing the establishment and promulgation of standards. The standards include:
1. simple object access protocol (SOAP), used to format messages between web services;
2. web services definition language (WSDL), used to define how a web service can be used;
3. universal description, discovery and integration (UDDI) and the web services inspection language (WSIL), used to find web services;
4. WS-security, used to manage security across web services;
5. WS-coordination, used to coordinate multiple web services into a larger composite system.
Many other web service standards remain under development. Organizations that publish these standards include the World Wide Web Consortium (W3C) and the Organization for the Advancement of Structured Information Standards (OASIS).
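As an added example (not from the book or from any vendor toolkit), the following Python shows what the SOAP and WS-Security standards listed in Box 1.3 look like on the wire and what a receiving service must check: it builds a SOAP 1.1 request carrying a WS-Security Timestamp and a UsernameToken in PasswordDigest form, then verifies the header is present, the timestamp is inside an acceptance window, the digest recomputes (constant-time compare) and the nonce has not been seen before. The user directory, the GetOrderStatus operation and the in-memory nonce cache are constructed assumptions.

```python
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Namespace URIs from SOAP 1.1 and the OASIS WS-Security 1.0 specifications.
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PW_DIGEST = ("http://docs.oasis-open.org/wss/2004/01/"
             "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
for prefix, uri in (("soapenv", SOAP), ("wsse", WSSE), ("wsu", WSU)):
    ET.register_namespace(prefix, uri)
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def password_digest(nonce, created, password):
    """UsernameToken profile: Base64(SHA-1(nonce + created + password))."""
    raw = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(raw).decode()


def build_envelope(username, password, now, nonce=None, ttl=300):
    """Client side: SOAP 1.1 request with a wsse:Security header (Timestamp + UsernameToken)."""
    nonce = os.urandom(16) if nonce is None else nonce
    created = now.strftime(TIME_FMT)
    env = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP}}}Header")
    # mustUnderstand="1": a receiver that cannot process this header must fault, not ignore it.
    sec = ET.SubElement(header, f"{{{WSSE}}}Security", {f"{{{SOAP}}}mustUnderstand": "1"})
    ts = ET.SubElement(sec, f"{{{WSU}}}Timestamp")
    ET.SubElement(ts, f"{{{WSU}}}Created").text = created
    ET.SubElement(ts, f"{{{WSU}}}Expires").text = (now + timedelta(seconds=ttl)).strftime(TIME_FMT)
    tok = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = username
    pw = ET.SubElement(tok, f"{{{WSSE}}}Password", {"Type": PW_DIGEST})
    pw.text = password_digest(nonce, created, password)  # the clear password never leaves the client
    ET.SubElement(tok, f"{{{WSSE}}}Nonce").text = base64.b64encode(nonce).decode()
    ET.SubElement(tok, f"{{{WSU}}}Created").text = created
    body = ET.SubElement(env, f"{{{SOAP}}}Body")
    ET.SubElement(body, "GetOrderStatus").text = "ORD-1001"  # constructed sample operation
    return ET.tostring(env, encoding="unicode")


def verify_envelope(xml_text, passwords, now, seen_nonces, skew=60):
    """Service side. Returns (accepted, reason). `passwords` is the service's user directory
    (PasswordDigest needs the clear password server-side, one reason it is normally used over TLS);
    `seen_nonces` is a replay cache that only has to hold nonces while a Timestamp could still be accepted."""
    root = ET.fromstring(xml_text)
    sec = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security")
    ts = sec.find(f"{{{WSU}}}Timestamp") if sec is not None else None
    tok = sec.find(f"{{{WSSE}}}UsernameToken") if sec is not None else None
    if ts is None or tok is None:
        return False, "missing wsse:Security header, wsu:Timestamp or wsse:UsernameToken"
    user = tok.findtext(f"{{{WSSE}}}Username")
    pw = tok.find(f"{{{WSSE}}}Password")
    nonce_b64 = tok.findtext(f"{{{WSSE}}}Nonce") or ""
    tok_created = tok.findtext(f"{{{WSU}}}Created") or ""
    if pw is None or pw.get("Type") != PW_DIGEST:
        return False, "password must be a PasswordDigest, not PasswordText"
    try:
        created = datetime.strptime(ts.findtext(f"{{{WSU}}}Created") or "", TIME_FMT)
        expires = datetime.strptime(ts.findtext(f"{{{WSU}}}Expires") or "", TIME_FMT)
        nonce = base64.b64decode(nonce_b64, validate=True)
    except ValueError:
        return False, "malformed timestamp or nonce"
    created, expires = (t.replace(tzinfo=timezone.utc) for t in (created, expires))
    # Accept only inside [Created - skew, Expires]: this bounds how long a captured message stays usable.
    if not (created - timedelta(seconds=skew) <= now <= expires):
        return False, "timestamp outside acceptance window"
    if user not in passwords or not nonce or not tok_created:
        return False, "unknown user or incomplete token"
    expected = password_digest(nonce, tok_created, passwords[user])
    if not hmac.compare_digest(expected.encode(), (pw.text or "").encode()):
        return False, "password digest mismatch"
    if nonce_b64 in seen_nonces:
        return False, "nonce already used (replay)"
    seen_nonces.add(nonce_b64)
    return True, "ok"


def demo():
    """Constructed scenario: a fresh request, its replay, an expired copy and a wrong password."""
    t0 = datetime(2017, 4, 24, 12, 0, 0, tzinfo=timezone.utc)
    directory = {"alice": "correct horse battery"}  # constructed user directory
    env = build_envelope("alice", directory["alice"], t0, nonce=b"0123456789abcdef")
    cache = set()
    return (
        verify_envelope(env, directory, t0 + timedelta(seconds=10), cache)[0],   # accepted
        verify_envelope(env, directory, t0 + timedelta(seconds=20), cache)[0],   # replay rejected
        verify_envelope(env, directory, t0 + timedelta(seconds=600), set())[0],  # expired
        verify_envelope(env, {"alice": "wrong"}, t0, set())[0],                  # bad password
    )
```

Run `demo()` to see the four verdicts; in a real service the nonce cache would be shared across workers and pruned once the corresponding Timestamp can no longer be accepted.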
Benefits of web services for developing IS of global nature are as follows:
1. Web services tools are available for most computer systems, including mainframes and packaged applications. This
means that not only the existing applications can be retained, but also the existing knowledge of staff can be applied
and extended using web services for business integration.
2. Web services are adaptable and can handle changes more readily than other integration solutions, because they use
structured text as their message format. Therefore, because the cost of maintenance is reduced, the overall cost of a web
services system also reduces.
3. IT managers now have the ability to exchange data between most applications, on most computers, in a consistent and
standard way. Tools and further standards are therefore emerging to build composite applications that can model and
manage business processes around these business-level components.
4. If necessary, an alternative application can be used to provide web services without changing the overall effect of
the system. This gives significant flexibility in the choice of a supplier. This aspect is particularly important in the
consideration of outsourcing security services.
Summary
Information systems play a crucial role in today’s complex business world. They have come a long way progressing from the precivilization era, through the agricultural era, to the present networked enterprise era in our digital economy. To fulfill the demands placed on them, today’s IS are global in nature and complex in their structure. Information is an important asset and needs to be protected all the time. Threats to IS come from many avenues and these threats will continue, given our dependence on information systems. In the next chapter, an organizational context is set for managing information systems security.
Review Questions
1. Explain the historical role of information systems. In what way do you think the industrial revolution impacted information systems?
2. Explain the importance of information systems in the global context. Do you think that only computer-based information systems will be successful today? Give reasons for your argument.
3. Do you feel geographical limits play a role in the effective working of information systems? Give reasons.
4. Explain the ‘extended enterprise concept’. In what way do information systems play the cementing role among the various components of the extended enterprise? Elaborate your answer with suitable examples.
5. What are the factors that alter today’s enterprises? Have information systems changed over the years? In what way have they changed and what challenges does this present to the designers of information systems? Explain with illustrations.
6. Explain the various architectures for information systems as described in this chapter.
7. How do distributed information systems help the global enterprises?
8. Explain the crucial role of the Internet and Web Services.
9. What elements, as described in this chapter, form the basics of information systems security?
Further Reading
Bamforth, R. and Kavanagh, C. (November 2005) Transforming the Workplace: The Impact of Mobile Technology on the Working Environment, Quocirca Insight Report.
Bob, T. and Vile, D. (January 2005) Protecting the IT and Data Assets of Small and Mid-Sized Businesses, Quocirca Report.
Burch, J.G. and Grudnitski, G. (1989) Information Systems: Theory and Practice, 5th edn, John Wiley & Sons, Inc., NY, USA.
Colan, M. (June 2001) Dynamic E-Business: Using Web Services to Transform Business, IBM White Paper.
Collins, J. (May 2005) Content Security: Securing Internet Communications, a business paper prepared for Aladdin Knowledge Systems.
Collins, J. and Taylor, L. (2004) IT Security – Bridging the Gap: Resolving the Paradox of IT Security, Quocirca ‘Sharp End’ Series, Summer.
Dynamic E-Business with DB2® and Web Services, IBM White Paper, n.d.
Hailstone, R. and Perry, R. (n.d.) IBM and the Strategic Potential of Web Services, an IDC White Paper sponsored by IBM.
http://www-106.ibm.com/developerworks/webservices/library/w-ovr/ (accessed 12 August 2005) for web services architecture overview.
http://www.sei.cmu.edu/str/descriptions/clientserver_body.html (accessed 25 November 2005) for descriptions of system architectures.
Kroenke, D. and Hatch, R. (1994) Management Information Systems, 3rd edn, McGraw-Hill International, Watsonville, CA, USA.
Lambros, P., Schmidt, M.T. and Zentner, C. (May 2001) Combining Business Process Management Technology and Business Services to implement Complex Web Services, IBM White Paper.
Longbottom, C. (September 2004) The Evolution of Information Access: The Need for Seamless Connectivity, a report commissioned by Citrix Systems, Inc.
Longbottom, C. (January 2005) Change and Flexibility bringing IT and the Business Together, a report commissioned by BMC Software, Inc.
Narsu, U. and Murphy, P. (2002) Web Services Adoption Outlook Improves, Giga Information Group, Inc. Report.
Parker, C. and Case, T. (1993) Management Information Systems: Strategy and Action, 2nd edn, McGraw-Hill International, NY, USA.
Securing Web Services, IBM White Paper, May 2002.
Shenk, D. (1997) DATA SMOG: Surviving the Information Glut, Harper Edge, San Francisco, CA, USA.
Supporting Open Standards for Web Services and J2EE, IBM White Paper, May 2001.
Tapscott, D. (1996) Digital Economy – Promise and Peril in the Age of Networked Intelligence, McGraw-Hill International, NY, USA.
Tapscott, D., Ticoll, D. and Lowy, A. (2000) Digital Capital: Harnessing the Power of Business Web, Nicholas Brealey Publishing, London, UK.
Tarzey, B. and Vile, D. (July 2005) Achieving Best Practice in IT Management for SMBs, Quocirca SMB Report.
Tcherevik, D. (July 2003) Management and Security in the World of Web Services, sponsored by Computer Associates International, Inc.
Tian, M., Voigt, T., Naumowicz, T. et al. (2003) Performance Impact of Web Services on Internet Servers, Freie Universität Berlin Computer Systems & Telematics, Berlin, Germany.
Toffler, A. (1970) Future Shock, Bantam Books in agreement with Random House, Inc., NY, USA.
Using Web Services for Business Integration, a Borland® White Paper by Borland Software Corporation, September 2002.
Wilkes, L. (2001) Web Services – Right Here, Right Now delivering Web Services Today with IBM Solutions, CBDi Forum, available at www.cbdiforum.com.
* Refer to case illustration ‘Beta Greval – Security in Manufacturing’ on the CD companion of the book for a scenario based
on the concept(s) discussed in this chapter.
2.1 Introduction
Information systems security is the integrity and safety of its resources and activities. In the cyber world, it can be almost
impossible to trace sophisticated attacks to their true source. The anonymity enjoyed by today’s cyber attackers poses a grave
threat to the global information society, the progress of an information-based international economy and the advancement of
global collaboration and cooperation in all areas of human endeavor.
In Chapter 1, we discussed the strategic importance of information systems (IS) and their role in the global context.
In this chapter, our objective is to provide a context for management role and responsibility for ensuring the security of IS in
the organization. To achieve this, our focus in this chapter is to provide an overview of ‘threats to IS’. In Chapter 3, we take
up a discussion on security management in organizations and the role of security policies and procedures in this, to counter
the threats to IS.
like never before. Under these circumstances, threats from outside the organization must be addressed, because the damages from a non-secured information system can have catastrophic consequences for the organization.
Given this, organizations must investigate and evaluate the factors that could be a threat to the integrity of the information system. Box 2.1 provides some snippets on what can happen while using electronic mail (e-mail) and the Internet.
BOX 2.1
Hacking of computer systems and launching of denial of service (DoS) attacks as well as spreading of malicious code, such as viruses, are well-known online threats that deserve attention in the computer security and security management domain. Far less attention is paid to the fact that the Internet has enabled a range of potentially threatening activities that are based on the active or passive dissemination of certain information. Examples of such information-based threatening activities are:
1. Myths, rumors and hoaxes: Hoaxes are false e-mail messages whose only purpose is to spread to as many people as possible. Along with myths and urban legends, they live on the Internet. Such messages may have significant impact on companies, their reputations and thus on their businesses.
More recently, the globally operating mobile phone company Ericsson was the victim of a hoax promising recipients free mobiles if they forwarded the letter to at least 20 people. Ericsson received thousands of e-mails from people asking for their free phones. The article (Park, 2000) quotes an Ericsson Australia spokesman claiming that the company was aware of the e-mail circulating for at least a couple of days and that the way it was sent makes it impossible for them to see where the e-mail originated from.
Another report (Fumento, 1999) has the story about a Canadian manufacturer who used his/her website to
spread information that products of competitors may be dangerous. Moreover, the company’s marketing head has
been observed to actively support feminists preparing a petition to start a boycott of the company’s competitors.
According to Fumento (1999), however, scientific investigations suggest that the information is nothing but a myth.
2. Threats to websites: There are reports that the US-based car manufacturer Ford decided not to go online to
combat a certain revenge website as the company was afraid that anything they would do on their own website
would validate what is described on the revenge website!
3. Limited attention to cyber crimes: So far, threats on the information level, referred by lawyers as ‘commercial
terrorism through the Internet’, have not received much attention in the computer security and security
management literature. A look at the relevant literature suggests that these fields tend to focus on making
corporate computer systems and networks secure in order to protect systems. Interested readers may like to
refer to the paper by Lueg (2001).
information as in the case of the false accusation (see Box 2.1). Such attacks can cause considerable damage to the goodwill of
the organization against which they may be launched, and customer loyalty is too good to lose.
Dissemination of information that is likely to trigger specific counter-reactions, as in the case of, say, a falsified job advertisement, also qualifies as an information-based threat. By contrast, a DoS attack that is based on flooding accounts with large quantities of e-mail is a network-based attack, as it is the size and the quantity of the e-mail that matters and not its content.
11. Data leakage: There are a variety of methods for obtaining the data stored in a system. The data may be encoded into
an innocuous report in sophisticated ways, for example, as the number of characters per line.
12. Wiretapping: Tapping computer TC lines to obtain information.
13. Theft of mobile devices: This is a new dimension that is emerging with the growth of the mobile workforce.
Some of the above-mentioned crime techniques may be used for a direct gain of financial resources, others for industrial espionage, while yet others simply for destructive purposes. Probably the most important unrecognized threat today is the theft of portable computers, with access codes and information in their memories. Also to be considered are the losses owing to the theft of intellectual property, such as software, product development information, customer information or internal corporate documents. Chapter 6 is devoted to discussing security issues in the mobile computing arena.
BOX 2.2
The world of security threats has given rise to some interesting terms. For example, take the term ‘phone-phreakers’. The term phone-phreaking refers to attacks on signaling. Until the 1980s, phone companies used signaling systems that worked in-band by sending tone pulses in the same circuit that carried the speech. The first signaling attack dates back to 1952. By the mid-to-late 1960s, many phone-phreakers in both the United States and Britain had worked out ways of routing calls. They typically used homemade tone generators, called ‘blue boxes’. The trick they used was the following: call an 800 (toll free) number, and then send a tone that would clear down the line at the far end, that is, disconnect the called party while leaving the caller with a trunk line connected to the exchange. The caller could now enter the number s/he really wanted and be connected without paying.
According to some analysts (Diffie and Landau, 1998), there are at least as many unauthorized wiretaps as authorized ones. The figures can be distorted from country to country, depending on the level of controls to prevent illegal practices in wiretapping. Even if the official figures have to be doubled or tripled, it is still clear that democratic regimes make much less use of wiretapping than authoritarian ones. For example, lawful wiretapping amounted to 63,243 line-days in the United States in 1999, or an average of just over 173 taps in place.
Another point worth noting is that the incidence of wiretapping is highly variable in the developed democracies. In the United States, for example, it is found that only about half the states use wiretapping. In Britain, wiretaps need a ministerial warrant, and so are rarer. The cost of wiretapping is a serious issue. This raises some obvious policy questions: Should agencies cut back on wiretapping, and spend more money on deployment of civil crime investigation squads?
4. Other problems: The threats in this category are problems or situations that are outside the control of an organization.
This category of threats includes natural disasters (such as floods, earthquakes and storms) that can affect an organization’s
IT systems as well as interdependency risks. Interdependency risks include the unavailability of critical infrastructures
(TC, electricity, etc.). Other types of threats outside the control of an organization can also be included here. Examples
of these threats are power outages, broken water pipes, etc.
Thus, we can see that threat profiles can be represented as a tree structure. This structure, depicted in Figure 2.1, shows the assets, access, actors, motives and the possible outcomes. An important point to notice is that organizations should have a suitable method for ‘asset classification’ to know which of their assets are critical.
[Figure 2.1 (not reproduced): threat profile tree. Critical asset → network access → actor (inside, outside) → motive (accidental, deliberate) → outcome (disclosure, modification, loss/destruction, interruption).]
Organizational assets are evaluated using various suitable units of measurement. Monetary value of assets is the most commonly used unit. It is not always easy to measure assets in absolute terms. In such cases, measurement for assessment of damages can be done in relative ways; information is an example. The value of information can be measured in relative fashion as a fraction or percentage of the total budget, assets or worth of a business. Assets may also be ranked by sensitivity or importance to an organization in relative ways.
The impact of information security (InfoSec) incidents may well be financial, in the form of immediate costs and losses of assets. For example, the cost of downtime per hour caused by a DoS attack can be computed by measuring the loss of:
1. Productivity: (number of employees impacted) × (hours wasted) × (burdened hourly rate). Note that burdened hourly
rate could be the notional cost of the employees – for example, billing rate of the employees to the customer or in terms
of their outgoing cost to the employing organization (salary of the employees).
2. Revenue: direct loss and lost future revenues.
3. Financial performance: credit rating and stock price.
4. Other expenses: equipment rental, overtime costs, extra shipping costs, travel expenses, etc.
Hidden costs are difficult to handle. Consider the example of a DoS attack (this situation was illustrated in Box 2.1) where
the damaged reputation of the company can have a negative impact on the relationship of the company with its customers,
suppliers, financial markets, banks and business partners. These hidden costs are extremely difficult to quantify and measure.
The bottom line is that the cost of an information systems security incident in a company has to be measured in terms of the
impact on its business; hence, identical incidents in two different companies can have different costs. To evaluate these costs
and measure the impact of a security incident on a company, organizations need a systematic approach and a comprehensive
risk management system. A discussion on this is taken up in Chapter 5.
Summary
Information system is a unit that includes technologies, people and processes. Threats that organizations have to cope with are numerous and can have catastrophic consequences on the future of the organizations. The last few years have seen a proliferation of automated IS, reliance on the Internet to enable most of the essential services and infrastructures, and the growing threat of organized cyber attacks capable of causing debilitating disruption to our critical infrastructures. Proliferation of computers and networks in the age of the Internet has enabled not only novel services, such as e-mail, the web and electronic commerce (e-commerce), but also new ways to affect companies, their businesses and their reputations. The Internet has the potential to become an even greater threat to computer security than dial-up telephone modems. However, a look at the relevant literature suggests that information-level threats are not yet sufficiently addressed.
It is now widely acknowledged that security of computer-based IS is an important topic and the state-of-the-art security tools can provide some protection against threats ranging from hackers trying to break into corporate computer systems to DoS attacks. Companies should be able to reduce vulnerabilities as well as the potential impact of still successful attacks. However, it is unlikely that there will ever be a ‘security end state’. The situation is like accepting that software will be buggy; similarly, when it comes to IS, some levels of threats are always residual. There is a need for an equally important step toward a realistic assessment of computer security and toward a lasting change of attitudes and expectations. One of the most overlooked threats in a corporate security program is the threat posed by employee behavior. Prevention of the misuse of IS by employees has a direct business value. User awareness and training also play a role here. Controls and policies play a crucial role in mitigating threats to information systems security; although not fool-proof in themselves, they occupy a central role in information systems security management. This is a subject area that will be explored in Chapter 6.
Review Questions
1. Explain how new technologies open doors to potential attackers on corporate information systems.
2. Distinguish between information-level threats and network-level threats.
3. Provide a scheme for classifying threats to information systems and the resulting damages.
4. Why are computer viruses considered as one of the major threats to computer systems?
5. What kind of thinking and approach should be applied by organizations for protecting their information system assets?
Further Reading
Bisson, J. and Saint-Germain, R. (2003) The BS 7799 ISO 17799 Standard for a Better Approach to Information Security, Callio Technologies White Paper.
Diffie, W. and Landau, S. (1998) Privacy on the Line – The Politics of Wiretapping and Encryption, MIT Press, Cambridge, MA, USA.
Farahmand, F., Navathe, S., Sharp, G.P. and Enslow, P.H. (2001–2002) Evaluating Damages caused by Information Systems Security Incidents, Georgia Institute of Technology, Atlanta, GA, USA.
Fumento, M. (1999) Tampon terrorism in Forbes Global, available at http://www.forbes.com/global/1999/0517/0210033a.html (accessed 1 January 2006).
Godbole, N. (2003) Mobile Computing: Security Issues in Hand-Held Devices, Paper presented at NASONES 2003 National Seminar on Networking and E-Security by Computer Society of India.
Godbole, N. and Unhelkar, B. (February 2006) Security Issues in Mobile Computing, Paper presented at the 2nd International Conference on Information Management and Business, Sydney, Australia.
Lueg, C. (2001) The Role of Information Systems in Information Level Security Management, Department of Information Systems, University of Technology Sydney, Sydney, Australia.
Park, B. (2000) Free mobile phones offer a hoax, says Ericsson. IT News from The Age and the Sydney Morning Herald, available at http://it.mycareer.com.au/breaking/20000407/A54797-2000Apr7.html (accessed 15 October 2001).
Vasiu, L., Mackay, D. and Warren, M. (2003) The Tri-Dimensional Role of Information Security in e-Business: A Managerial Perspective, School of Information Technology, Deakin University, Australia.
* Refer to case illustration ‘Super Tech – IT Risk Assessment in an ERP Setup’ on the CD companion of the book for a
scenario based on the concept(s) discussed in this chapter.
policies on firewalls which refer to the access control and routing list information. Note that even standards, procedures and
guidelines are referred to as ‘policies’ in the larger sense of a global InfoSec policy. A well-written policy is more than an exercise
created on paper – it is an essential and fundamental element of sound security practice. A policy, for example, can literally be
a lifesaver during a disaster, or it might be a requirement of a governmental or regulatory function. A policy can also provide
protection from liability owing to an employee’s actions or can form a basis for the control of trade secrets.
Types of Policies
When the term ‘policies’ is used rather than ‘policy’, the intent is to refer to those policies that are distinct from the standards,
procedures and guidelines; these terms are discussed in the next section with respect to the terms in Figure 3.4.
Figure 3.1 relates well to Figure 3.3. It shows that ‘policies’ are considered as the first and the highest level of documentation.
Lower level elements of standards, procedures and guidelines flow from policies. However, this does not imply that the lower
level elements are not important. It is just that the higher level policies, being general in nature, should be created first for
strategic reasons and then the tactical elements should follow. With this brief introduction, we now list the policy types and
then describe each briefly. Essentially, there are the following types of policies:
[Figure: the policy hierarchy, top to bottom: Statement of Policy by Senior Management; Organizational Policies (General); Functional Policies (Department-wise); Recommended Standards; Detailed Procedures]
1. Senior management statement of policy: This is the first step in the policy creation process. This is a general, high-level
statement of policy that contains the following elements:
• an acknowledgement of the importance of computing and networking resources, that are part of the information
system, to the organization’s business model;
• a statement of support for InfoSec throughout the business enterprise;
• a commitment to authorize and manage the definition of the lower level standards, procedures and guidelines.
2. Regulatory policy: These are security policies that an organization must implement owing to compliance, regulation
or other legal requirements as prevalent in the organization’s operating environment, both internal and external (e.g. as
shown in Table 1.1 of Chapter 1). The various entities with which the business organization interacts can be financial
institutions (such as those in the banking sector), public utilities or some other types of organizations that operate
in the public interest. Regulatory policies are usually very detailed and specific to the industry in which the business
organization operates. The two main purposes of the regulatory policies are:
• ensuring that an organization follows the standard procedures or base practices of an operation in its specific industry;
• giving an organization the confidence that it is following the standard and accepted industry policy.
3. Advisory policy: These are security policies that may not be mandated but are strongly recommended. Normally, the
consequences of not following them are defined (e.g., Business Conduct Guidelines in an organization – not following
these could result in job termination). An organization with such policies wants its employees to consider these policies
mandatory. Most policies fall under this broad category.
4. Informative policy: These are policies that exist simply to inform the reader. There are no implied or specified
requirements, and the audience for this information could be certain internal entities (within the organization) or
external parties.
Having discussed the term ‘policy’ in general, let us now turn to ‘security policy’. A security policy is a statement produced
by the senior management of an organization, or by a selected policy board or committee, to dictate what role security
plays within the organization. A security policy, as we will see in this chapter, can be an organizational policy, an issue-specific
policy or a system-specific policy.
A security policy can be defined as a codified set of processes and procedures that an organization applies to secure the
fulfillment of its obligations and the continuation of its activities even in the presence of possible interference. This definition
may appear vague compared with others found in technical computer-related publications, but it is crafted by choosing each
word deliberately. Security policies are most often referred to in the context of information technology (IT), telecommunications
(TC) or information and communications technologies (ICTs). Moreover, they are often, though erroneously, associated
exclusively with the deployment and configuration of computer hardware or software, to the point of the ‘configuration’
itself being called the security policy.
The definition given in the International Organization for Standardization (ISO) standard 17799 (renumbered as ISO/IEC 27002
in 2007) is slightly different: ‘Management should set a clear policy direction and demonstrate support for, and commitment to,
information security through the issue and maintenance of an information security policy across the organisation’. It should be
remembered that ISO standard 17799 assumes an implicit definition of what a policy is; a separate indication is provided about the
necessity of a policy document, including an indication of its possible contents (not reproduced here): ‘A policy document should
be approved by management, published and communicated, as appropriate, to all employees’.
It must be pointed out that this standard, like any other security standard, should not be applied mechanically like a fixed
formula; rather, it should be interpreted keeping in perspective the needs and working model of the ‘entity’ (e.g., business,
non-profit organization, university, etc.) in which its application is planned, as well as the needs of the organization that
created it. This is because in an organizational security policy, the management establishes how a security program will be set
up, establishes the program’s goals, assigns responsibilities, shows the strategic and tactical value of security and outlines how
enforcement should be carried out. Thus, the security policy must address the prevalent laws and regulations as applicable, as well
as the liability issues that may arise and how they must be addressed to satisfy the statutory requirements. Box 3.1 shows the
goals of security engineering as a discipline and Box 3.2 has the SSE-CMM PAs.
The SSE-CMM provides a community-wide standard metric to establish and advance security engineering as a mature,
measurable discipline. It contains five capability levels above a base level 0 (further depicted in Figure 3.2):
0 Not Performed; 1 Performed Informally; 2 Planned and Tracked; 3 Well Defined; 4 Quantitatively Controlled;
5 Continuously Improving.
The Security Best Practices in the SSE–CMM are given in the following list of process areas (PAs):
Figure 3.2 SSE-CMM document includes excerpts from ‘A Systems Engineering Capability Maturity Model,
Version 1.1’, CMU/SEI-95-MM-003, published in November 1995. The SE-CMM, that is, Systems Engineering CMM,
is Copyright © 1995 by Carnegie Mellon University. This work is a collaborative effort of Hughes Space and
Communications, Hughes Telecommunications and Space, Lockheed Martin, Software Engineering Institute (SEI),
Software Productivity Consortium and Texas Instruments Incorporated. Permission to reproduce this product and
to prepare derivative works from this product is granted royalty-free, provided the copyright is included with all
reproductions and derivative works.
[Figure: ‘Security is a process, not a product’ – the building blocks of security: Security Controls and Assurance (forensics, testing, reporting, monitoring, training); Security Technology Implementations (VPN, encryption, firewalls, authentication, intrusion detection systems (IDS)); Business Applications and Services (networks, Internet, intranet, remote access, hardware, operating systems); Security Policy and Architecture (risk assessment, security policy, people, process, technology); Solution Design and Selection (security design, technology selection)]
In reference to Figures 3.1 and 3.5, it can be seen that the next level down from policies consists of the three elements
of policy implementation, namely standards, guidelines and procedures. These three elements hold the actual details of the
policy, such as how it should be implemented and what standards and procedures should be followed. They are published in
an organization via manuals stored on the company intranet, booklets for distribution to the employees and other entities
concerned with it, for spreading security awareness in the organization. An important point to note is that standards, guidelines
and procedures are separate yet linked documents from the general policies, especially the senior-level policy statement. It
is not a recommended practice to create a single document to cover the needs of all these elements. Some examples for the
policies mentioned above are provided in Boxes 3.3 and 3.4.
In an organization, the following may be stipulated with respect to the use of e-mails by employees and individuals
who work in the organization (say contractor personnel):
‘The information in this mail is confidential and is intended solely for the addressee. Access to this mail by anyone
else is unauthorized. Any copying or further distribution beyond the original recipient is not intended and may
be unlawful. The opinion expressed in this mail is that of the sender and does not necessarily reflect that of the
XXX company’.
The policy on passwords can be used to define attributes with which the password must comply. The password policy,
for example, can enforce the following conditions:
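The book’s own list of password conditions is not reproduced on this page. The following is an added example, not code from the book, of how such a password policy is enforced as code at the point where a password is set: the thresholds, the character-class rule, the small deny-list and the fingerprint used for the reuse check are all assumptions chosen for illustration.

```python
"""Password policy as code (added example; the policy parameters are assumptions)."""
import hashlib
import re
import unicodedata

# Assumed policy parameters; these are illustrative, not the book's own list.
MIN_LENGTH = 12
MAX_LENGTH = 128
REQUIRED_CLASSES = 3     # of the four character classes defined below
MAX_REPEAT_RUN = 3       # a character repeated more than 3 times in a row is rejected
# Constructed deny-list standing in for a breached/common-password feed.
COMMON_PASSWORDS = {"password", "123456789012", "qwertyuiop12", "letmein", "welcome1"}

_CLASS_PATTERNS = {
    "lowercase letter": re.compile(r"[a-z]"),
    "uppercase letter": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}
_REPEAT_RUN = re.compile(r"(.)\1{%d,}" % MAX_REPEAT_RUN)


def password_fingerprint(password):
    """Fingerprint used only for the reuse check in this example.
    A real credential store keeps a salted, slow hash (bcrypt/scrypt/argon2);
    plain SHA-256 is used here only to keep the example dependency-free."""
    normalized = unicodedata.normalize("NFKC", password)
    return hashlib.sha256(normalized.encode("utf-8")).hexdigest()


def check_password(password, username="", previous_fingerprints=()):
    """Return the list of policy violations; an empty list means the password complies."""
    pw = unicodedata.normalize("NFKC", password)   # compare what the user will actually type
    violations = []
    if len(pw) < MIN_LENGTH:
        violations.append("shorter than %d characters" % MIN_LENGTH)
    if len(pw) > MAX_LENGTH:
        violations.append("longer than %d characters" % MAX_LENGTH)
    present = [name for name, pat in _CLASS_PATTERNS.items() if pat.search(pw)]
    if len(present) < REQUIRED_CLASSES:
        violations.append("uses only %d of the required %d character classes"
                          % (len(present), REQUIRED_CLASSES))
    if _REPEAT_RUN.search(pw):
        violations.append("contains a character repeated more than %d times in a row"
                          % MAX_REPEAT_RUN)
    if pw.lower() in COMMON_PASSWORDS:
        violations.append("appears on the common-password deny-list")
    if len(username) >= 3 and username.lower() in pw.lower():
        violations.append("contains the user name")
    if password_fingerprint(pw) in previous_fingerprints:
        violations.append("reuses a previous password")
    return violations


def enforce(password, username="", previous_fingerprints=()):
    """Gate for an account-creation or password-change flow (assumed caller):
    raises on a non-compliant password, otherwise returns the fingerprint to store."""
    problems = check_password(password, username, previous_fingerprints)
    if problems:
        raise ValueError("password rejected: " + "; ".join(problems))
    return password_fingerprint(password)


if __name__ == "__main__":
    history = {password_fingerprint("Correct-Horse-Battery-42")}
    for candidate in ("password", "Alice2024!!!!", "Correct-Horse-Battery-42",
                      "Tr0ub4dor&3-is-plenty"):
        verdict = check_password(candidate, username="alice", previous_fingerprints=history)
        print("%-26s -> %s" % (candidate, "; ".join(verdict) or "OK"))
```

The checker returns every violated rule rather than stopping at the first one, so the user sees the full reason for rejection in one round trip; normalizing to NFKC before checking avoids accepting a password that the login path will later compare in a different Unicode form.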
We can see that some basic measures must be applied to secure the information system. Security threats must be managed and
controlled; establishing a global policy, that is, a broad security policy, with management involvement helps to do this. While
doing this, four levels of documentation emerge, as depicted in Figure 3.4.
In Chapter 2, we discussed threats to information systems (IS). In this chapter, in the earlier sections, the discussion was on
the management’s role for security formation. Given that it is necessary for the organizations to identify the nature of possible
threats to its IS, one of the best practices is to establish a set of measures, called ‘controls’. Controls are meant to ensure the
security of IS and, beyond that, to also ensure the privacy and confidentiality of information stored in the systems. It is then
necessary to continually evaluate the controls with the auditing process. A detailed discussion on this is available in Chapter 32
devoted to security audits. We end this section by providing two mini cases as an exercise in Box 3.5.
BOX 3.5 Mini Cases
Mini Case 1
Company XYZ is a small company (20 people) with a manager and a system administrator reporting to him/her. The
two prepare a security policy, according to which some operations will have to be authorized by the manager and
executed by the system administrator, and the manager will know all the passwords and commands needed and how
to access and modify the logs. What is wrong in this situation? What rule has been violated?
Mini Case 2
Company ABC is a part of an organization based in the United States. The company in the United States, as part of a
recent decision to create a presence outside the United States, has bought the control of small companies based in
India, Singapore, Taiwan and Malaysia. A part of the process for integrating the various parts is to create a common
security policy by a committee that includes a member of their legal department (to verify the legal compliance). The
company then plans to send managers from their headquarters (based in the United States) to each country to make
sure the policy is implemented correctly. What is wrong in this planning?
[Figure 3.5: the hierarchy from the Organization’s Business Goals and Objectives, through the Corporate Technology Strategy and the Assessment of Threats and Risks, to the InfoSec Strategy, the InfoSec Policy, Standards and Procedures]
It may also happen that the IT budget invested in IT security turns out to be misdirected in the long term. Given this, one of
the important tasks for the top management in an organization is to make their employees aware of the significance of IT
security. This starts with the formation of ‘security policies’, as we see in this chapter. Security policies, standards and procedures
stand in a hierarchical relationship aligned with the organization’s overall business goals. This is illustrated
in Figure 3.5. There are a few important points to be noted with respect to Figure 3.5. First of all, to be understood
and effective, InfoSec policies must be traceable back to the corporate objectives. This is of foremost importance. As
an example of business goals/objectives, consider the following broad statement: ‘We shall embrace and expand the
use of electronic commerce (e-commerce) and related technologies in order to achieve cost reduction and business
efficiency to serve our world-wide customers’. A company might state: ‘We will increase the reach of our core business
applications to our customers through the use of the Internet and the World Wide Web’. This is an example of the corporate
technology strategy mentioned in Figure 3.5. Typically, the management works together with the Chief Security Officer
(CSO) and Chief Information Officer (CIO), drawing on their technical assistance, to identify the most likely paths an attacker
or malware would take to get into the system. So, after performing a scan of its business operations environment, an organization
may conclude that it operates at a high level of risk in its protection of sensitive information assets. This
could be the result of having performed the assessment of threats and the resulting risks mentioned in Figure 3.5.
To counter this, an organization may form a strategy saying: ‘We will use cost-effective security measures to protect
our information assets.’ A statement of the overall security policy of an organization might read: ‘All users will be
authenticated whether or not working remotely. This will be applicable to full time employees in permanent service of
the organization as well as those sourced from contractors.’ A ‘standard’ could be: ‘Remote access users will use two-
factor authentication using (so-and-so) authentication tokens.’ Finally, the specific security procedure corresponding to
a chosen standard could be: ‘Users are to contact the remote access security administrator to receive their authentication
token after they have been approved for such access’.
Thus, we can see that the management role lies in defining business strategies, guidelines and processes/procedures as well as
considering the volume of data, systems, subprocesses and persons. This is endorsed by the SSE-CMM wherein the following
is the generic practices list under the common feature of ‘planning performance’:
1. allocate resources;
2. assign responsibilities;
3. document the process;
4. provide tools;
5. ensure training;
6. plan the process.
Hence, the management in an organization should erect an IT standard and security structure that is authoritative for all the
employees. It is thus important that the management deals with the topic of IT security and does not simply delegate it to
the IT departments. A central user administration is necessary in order to obtain a fully functional security system without the
need for a high budget. But technical solutions alone are not sufficient to guarantee extensive security. In addition
to organizational methods, employee sensitization to security awareness is of great importance. Security is not a
product that can be installed once; it is an ongoing process.
BOX 3.6
1. ‘Information Security is a combination of various factors. It involves technology, people and policy.’ – Sameer
Kapoor, Executive Director, PricewaterhouseCoopers Pvt. Ltd.
2. ‘Information Security is not just a technology issue – this is a people and process issue too. The answer to this
is education and awareness. You should talk to your employees.’ – Capt. Raghu Raman, Practice Head, Special
Services Group, Mahindra Consulting.
3. ‘Security has to move away from being a technology issue and become a business related issue.’ – Sunil
Chandiramani, Partner, Ernst & Young.
Courtesy: The above views are quoted from a public domain website (Network Magazine issue of April 2003).
[Figure: survey chart – barriers to security: labour expense, lack of management support, lack of department/group cooperation; IT security challenges: budget (38%)]
Summary
IS in an organization will continue to face threats given the global paradigm in today’s digital economy. It is the responsibility
of the management to address the security issues by forming an appropriate security policy. The matter of security implementation
is complex, and all stakeholders must be involved to understand and commit to the hierarchical relationship of the organization’s
business objectives to its security policies down to procedures. Standards and guidelines must also be considered for their role in
security policy.
Review Questions
1. Explain the role of senior management in an organization with respect to information security management.
2. Explain the hierarchical relationship between policies, standards, guidelines and business objectives.
3. What are the different types of policies that exist and what purpose do they serve?
4. What is the intent of the SSE-CMM and what are the various process areas in it?
5. What are the four levels of documentation that result from the implementation of the ISMS?
Further Reading
Babu, V.V.R. (CIO, ITC Limited) (2004) Embedding Security into Corporate Life, article published in a 2004 issue of Network Magazine India.
Gray, T. (October 2003) Security in the Post-Internet Era: The Needs of the Many vs. the Needs of the Few, University of Washington, last update 1 March 2004.
http://www.sse-cmm.org/model/model.asp for the SSE-CMM document.
NASSCOM-ITAA Poll, Information Security offers a Considerable Competitive Advantage, 11 October 2004.
Network Magazine, issue of April 2003.
Rogers, L. (2003) Security Matters: Can You Prove It?, published at news@sei interactive, 1Q.
Subramanian, K. (Deputy Director General, National Informatics Centre, Government of India) (2004) Security and Standards: A Global Challenge and Integrated Enterprise, published at www.i4donline.net.
www.freedoniagroup.com/Information-Security (accessed 21 January 2006) for a brief of US information security industry size.
www.issea.org (accessed 14 March 2008) for SSE-CMM (Security Engineering Capability Maturity Model) related details, white papers and presentations.
http://www.bsi.bund.de/zertifiz/itkrit/itsem-en.pdf to access the Information Technology Security Evaluation Manual (ITSEM).
www.sse-cmm.org for the details of the Systems Security Engineering Capability Maturity Model.
* Refer to Appendices S and AD for useful information related to the concepts discussed in this chapter.
4.1 Introduction
So far, we have discussed the role of information systems (IS) in the global context, the crucial role that IS play in
the modern digital economy, how information systems are becoming complex given the combined effect of globalization and
liberalization, etc. (Chapter 1). In Chapter 2, we discussed how developments in information technology (IT) open the door
to new threats, typical attacks on computer-based IS, how various threats are classified, etc. Chapter 6 was devoted to the
new phenomenon called mobile computing, the unique threats that arise from the proliferation of handheld devices
and the resulting security implications for organizations in this new paradigm of a mobile workforce. In Chapter 3 we had
the important discussion on organizational scenarios in information systems security. We discussed organizational
responsibility for information systems security. We also explained the role of security policies and of security procedures,
standards and guidelines, etc. With this background, we now present the layers of information security (InfoSec).
[Figure: the layers of information security – Confidentiality, Integrity and Availability resting on Physical Security and Application Security (System Security, Data Security, Hardware and Software Security)]
discussion to understand what ‘IS’ means. The reader must understand that the term ‘system’ is very generic and its meaning can
change with context. In the paradigm of information systems security, ‘system’ can denote a number of things:
1. A product or component, for example, a cryptographic protocol, a card for wireless network access, a smart card, or say
a motherboard or Personal Computer Memory Card Industry Association (PCMCIA) card (see the URL in the Further
Reading section) of a personal computer (PC), or the disk controller on a PC, that is, a hardware unit that performs a certain
function by virtue of its design.
2. An operating system (OS) and communication system on a network.
3. Organization staff, organization structure, security policies, standards, guidelines and procedures, taken together as a collection.
4. The Internet, which is a system consisting of a large number of computers and computer networks.
5. An application system such as a financial accounting system, a payroll system, etc.
Confidentiality
In the domain of InfoSec, the concept of ‘confidentiality’ refers to preventing the intentional or unintentional
unauthorized disclosure of message contents. Loss of confidentiality can occur in many ways, such as through the intentional
release of private company information or through a misapplication of network rights. Similar issues in mobile computing are
discussed in Chapter 6.
Integrity
This is yet another very important concept in InfoSec. The concept of integrity ensures that:
BOX 4.1
It is important that data adhere to a predefined set of rules, as determined by the database administrator (DBA)
or application developer. As an example of data integrity, consider the simple data in a payroll application or
employee master data. Two tables, one for employees and one for departments, carry the business rules for the
information in each table, as illustrated in the figure on the next page (note that some columns in each
table have specific rules that constrain the data contained within them).
The illustration shows tables called DEPT and EMP. Table DEPT has three columns:
1. DEPTNO;
2. DNAME;
3. LOC.
Each value in the DNAME column must be unique. Table EMP has six columns:
1. EMPNO;
2. ENAME;
3. other columns;
4. SAL;
5. COMM;
6. DEPTNO.
Each row must have a value for the ENAME column. Each row must have a value for the EMPNO column, and the
value must be unique. Each value in the DEPTNO column must match a value in the DEPTNO column of the DEPT
table. Each value in the SAL column must be lower than 10,000.
In addition to the above, there are many other examples of loss of data confidentiality and data integrity. For
example, through erroneous action, IT users can allow or cause loss of data confidentiality/integrity. The consequential
damage depends on the sensitivity of the data involved. Examples of such erroneous actions are:
1. Through oversight, printouts containing personal data are not collected by staff members from the network
printer.
2. Floppy disks are dispatched without prior physical deletion of previously stored data.
3. Owing to incorrectly administered access rights, a staff member can modify data without being able to assess the
critical impact of such a violation of integrity.
4. New software is tested using non-anonymized data. Unauthorized employees thus gain access to protected
files or confidential information. It is also possible that third parties become aware of this information if
the disposal of ‘test printouts’ is not correctly handled.
[Figure: table EMP with its constraints – each row must have a value for the EMPNO column, and the value must be unique; each value in the SAL column must be less than 10,000]
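The integrity rules of Box 4.1 are exactly the kind of rule a database can enforce itself, so that no application path (and no erroneous user action of the sort listed above) can write a row that breaks them. The following is an added example, not from the book, that builds the DEPT and EMP tables of Box 4.1 in an in-memory SQLite database with those rules declared as constraints, then shows which of a set of constructed insertions the database rejects. The JOB column standing in for the box’s ‘other columns’, the department rows and the employee rows are all constructed for illustration.

```python
"""Box 4.1 integrity rules as database constraints (added example, not from the book)."""
import sqlite3

# The DEPT and EMP tables of Box 4.1. Column names follow the box; the JOB column
# stands in for the box's "other columns" and is an assumption.
SCHEMA = """
CREATE TABLE DEPT (
    DEPTNO INTEGER PRIMARY KEY,
    DNAME  TEXT NOT NULL UNIQUE,            -- each value in DNAME must be unique
    LOC    TEXT
);
CREATE TABLE EMP (
    EMPNO  INTEGER NOT NULL UNIQUE,         -- every row needs an EMPNO, and it must be unique
    ENAME  TEXT    NOT NULL,                -- every row needs an ENAME
    JOB    TEXT,
    SAL    NUMERIC CHECK (SAL < 10000),     -- SAL must be lower than 10,000
    COMM   NUMERIC,
    DEPTNO INTEGER NOT NULL
           REFERENCES DEPT (DEPTNO)         -- must match a DEPTNO in the DEPT table
);
"""


def open_db():
    """In-memory database with the schema and two constructed departments."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite does not enforce FKs unless told to
    conn.executescript(SCHEMA)
    with conn:
        conn.executemany("INSERT INTO DEPT VALUES (?, ?, ?)",
                         [(10, "ACCOUNTING", "NEW YORK"), (20, "RESEARCH", "DALLAS")])
    return conn


def try_insert(conn, table, row):
    """Insert one row; return None if accepted or the integrity error text if rejected."""
    placeholders = ", ".join("?" * len(row))
    try:
        with conn:  # commits on success, rolls back on error
            # table comes from our own constant below, never from user input
            conn.execute("INSERT INTO %s VALUES (%s)" % (table, placeholders), row)
        return None
    except sqlite3.IntegrityError as exc:
        return str(exc)


# Constructed rows: the first is valid, each of the others breaks one rule of Box 4.1.
ATTEMPTS = [
    ("valid employee",      "EMP",  (7369, "SMITH",  "CLERK",    800,   None, 20)),
    ("duplicate EMPNO",     "EMP",  (7369, "JONES",  "MANAGER",  2975,  None, 20)),
    ("missing ENAME",       "EMP",  (7499, None,     "SALESMAN", 1600,  300,  20)),
    ("SAL not below 10000", "EMP",  (7566, "FORD",   "ANALYST",  12000, None, 20)),
    ("unknown DEPTNO",      "EMP",  (7654, "MARTIN", "SALESMAN", 1250,  1400, 40)),
    ("duplicate DNAME",     "DEPT", (30,   "RESEARCH", "CHICAGO")),
]


def run_integrity_checks():
    """Apply every attempt; return ({label: error-or-None}, surviving EMP row count)."""
    conn = open_db()
    outcome = {label: try_insert(conn, table, row) for label, table, row in ATTEMPTS}
    emp_rows = conn.execute("SELECT COUNT(*) FROM EMP").fetchone()[0]
    conn.close()
    return outcome, emp_rows


if __name__ == "__main__":
    results, rows = run_integrity_checks()
    for label, error in results.items():
        print("%-22s %s" % (label, error or "accepted"))
    print("rows in EMP:", rows)
```

Only the first row survives; each of the others is refused with the name of the violated constraint, and because each insert runs in its own transaction a rejected row leaves nothing behind. The `PRAGMA foreign_keys = ON` line matters: without it SQLite silently accepts the employee in the non-existent department 40, which is precisely the kind of integrity loss the box describes.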
Availability
This is the last element of the CIA triad in InfoSec. The concept of ‘availability’ ensures reliable and timely access to data or
computing resources by the appropriate personnel. In other words, ‘availability’ guarantees that the systems are up and running
when they are needed. In addition, this concept guarantees that the security services needed by the security practitioner are
in working order.
In the light of the illustration in Box 4.1, it is important to note that DAD is the reverse of CIA. DAD is disclosure
(the opposite of confidentiality), alteration (the opposite of integrity) and destruction (the opposite of availability) of information.
Thus, the key point is that the information produced or processed by an organization must be classified according to the
organization’s sensitivity to its loss or disclosure. Data owners are responsible for defining the sensitivity level of the data.
This approach enables the security controls to be properly implemented according to the classification scheme. In the next
section, the terms used for classification of data/information are introduced.
BOX 4.2
CRM stands for customer relationship management (Parvatyar, Sheth & Shainesh, 2005; Gosney & Boehm, 2000;
Brown, 1999). CRM applications are dependent on good quality transaction data that can be captured into a
company’s data marts that, in turn, can be used for the purpose of data mining (DM). CRM along with DM is used for
making a number of strategic decisions for the business.
Despite the proliferation of enterprise resource planning (ERP) systems and other integration technologies, many
organizations store their related data in several disconnected systems, each of which is available to a limited number
of people within specific departments. For example, an accounting system contains customer records, transactions
and payment histories. Prospect or donor records may exist in a contact management system, or Outlook.
Correspondence may exist within saved Word documents on a server and e-mails are scattered across any number
of desktops in different departments.
Marketing campaign results and quarterly revenue forecasts may populate a series of spreadsheets. Other
information may reside on the laptops of individual consultants or field workers, where the information is
unavailable to many who may have a periodic need for it. Some of the information in these disparate sources
is of the same type (client contact information) and much of it is different, yet it is all related to the work of the
organization and its clientele. These ‘islands of data’ often create several disadvantages for the organization
that operates in this environment, but many of the disadvantages can be overcome by the broader features of a
CRM solution.
For the discussion on basic InfoSec concepts in this chapter, it is important to understand the operational
problems posed for an organization in the light of what is said above. This is explained as follows:
1. System management issues: The more applications and databases that a company has running, the more
potential ‘points of failure’ there are in the information environment. The workload in any IT department
increases with the number of applications and databases that it supports. It is a known fact that it is easier
to manage 1 software application than 10. Having information in hundreds of databases makes no sense – it
is extremely difficult to extract information out of fragmented systems. Since several existing applications can
be subsumed by a single data integrity solution, it is important for the organizations to streamline corporate
information in an integrated database environment.
2. Duplication of efforts inputting data: Multiple systems that store some of the same information often require
the data to be entered multiple times. If two or more people are entering client data into different systems,
they are wasting both time and effort. Those separate systems may be replaced by a single CRM application
in which client information is entered one time, and made available to all groups and departments that need
it. But the problem does not stop there.
3. Data integrity issues – same information entered differently by different individuals: Duplicated data entry can
have extensive negative impact. Users may enter the data differently, leading to different interpretations of the
same information. If the data change over time, it can be difficult to know which data are current – this creates
serious problems for DM applications. For example, a client’s address can be stored in two separate systems.
A salesperson might update the information on her laptop, but the address will remain unchanged in the
database at the back-end used for generating various business reports. One needs a system to consolidate
these records, so that only one record needs to be maintained, and the current information becomes available
to all. Therefore, the well-integrated corporate databases can help to improve the overall integrity of data within
the organization for their use in CRM.
4. No data synergy: When your client data are stored in different places, your view of ‘all that is happening’ with
respect to an issue is limited by the particular database with which you are working, and therefore, your ability
to make optimal business decisions can be limited. Or you cannot find out what is going on in your business
because the information is in too many places. This is a classic example of lack of data integrity. A single
repository of information allows you to see ‘the big picture’, allowing decision makers to clearly identify the real
issues, and make more effective strategic decisions.
5. More time searching for information, less time acting on it!! This is the real problem in most organizations
suffering from lack of data integrity. There are frustrating problems caused by disparate data – time wasted
searching for information. That information might simply be the contents of an e-mail that a coworker received
from a client. The e-mail is on the coworkers’ ‘C’ drive, and there is no access to it. Through integrated data
systems, there should be a provision to centrally store that information where it can be available to anyone that
needs it, freeing up time otherwise spent searching for the information, and instead, using the information to
make more effective decisions to generate results.
There are many ways to do this. Several steps need to be taken for establishing a classification system. The following
are some primary procedural steps:
TABLE 4.1 Roles and responsibilities of the owner, the custodian and the user

Role: Owner
An information owner may be an executive or manager of an organization. An owner is different from a custodian. The
owner has the final corporate responsibility of data protection, and under the concept of due care, the owner may be liable
for negligence because of the failure to protect these data. However, the actual day-to-day function of protecting the data
belongs to a custodian.
Responsibilities: This person is responsible for the information asset(s) that must be protected. In particular, the
responsibilities of an information owner include the following:
1. making the original decision as to what level of classification the information requires, based on the business needs
for the protection of the data;
2. reviewing the classification assignments periodically and making alterations as the business needs change;
3. delegating the responsibility of the data protection duties to the custodian.

Role: Custodian
An information custodian is the delegated personnel
Responsibilities: The duties of a custodian may include the following:
1. running regular backups and routinely testing the validity of the backup data;
2. performing data restoration from the backups when necessary;
3. maintaining those retained records in accordance with legal requirements established based on the information
classification policy.
Additional duties of the custodian may include being the administrator of the classification scheme.