Exam (elaborations)


Pages: 62
Grade: A+
Uploaded on: 09-05-2025
Written in: 2024/2025

GBA 578 – Security and Privacy of Information Systems is a 4-unit graduate-level course offered at California State Polytechnic University, Pomona (Cal Poly Pomona). It adopts a practical, case-study approach to address security challenges specific to commercial data systems environments.

Institution: GBA 578
Course: GBA 578

Content preview

GBA 578
Chapter 1

▪ Confidentiality, integrity, and availability (C-I-A) concepts

▪ Integrity: Maintain valid, uncorrupted, and accurate information.

▪ Availability refers to the measurement of time applied to how and whether systems,
applications, and data can be used.

▪ Uptime: The total amount of time that a system, application, and data are available for use.
It is typically measured in seconds, minutes, and hours per calendar month.

▪ Downtime: The total amount of time that a system, application, or data is not available.
This is also measured in seconds, minutes, and hours per calendar month.

▪ Availability: (Total Uptime) divided by (Total Uptime + Total Downtime)

▪ Mean Time to Failure (MTTF): The average amount of time between failures for a particular
system. MTTF varies according to the type of system being measured.

▪ Mean Time to Repair (MTTR): The average amount of time it takes to repair a system,
application, or component.

▪ Recovery Time Objective (RTO): The amount of time it takes to recover and make
systems, applications, and data available after an outage.
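
The metrics above, computed from an outage log for one calendar month. This is an added example, not part of the original notes: the outage records and the 2-hour RTO are constructed, outages are assumed not to overlap, and MTTF is taken as the average running time that preceded each failure.

```python
from datetime import datetime, timedelta

# Constructed sample data: outages (start, end) for one system in April 2025.
OUTAGES = [
    (datetime(2025, 4, 3, 2, 0), datetime(2025, 4, 3, 3, 30)),      # 90 min
    (datetime(2025, 4, 12, 14, 0), datetime(2025, 4, 12, 14, 45)),  # 45 min
    (datetime(2025, 4, 25, 22, 0), datetime(2025, 4, 26, 1, 0)),    # 180 min
]
MONTH_START = datetime(2025, 4, 1)
MONTH_END = datetime(2025, 5, 1)
RTO = timedelta(hours=2)  # assumed objective, not a value from the notes


def availability_report(outages, period_start, period_end, rto):
    """Compute uptime, downtime, availability, MTTR, MTTF and RTO misses."""
    # Clip outages to the period so one that crosses a month boundary
    # only contributes the part that falls inside this month.
    clipped = [(max(s, period_start), min(e, period_end))
               for s, e in sorted(outages)
               if e > period_start and s < period_end]
    repairs = [e - s for s, e in clipped]
    downtime = sum(repairs, timedelta())
    uptime = (period_end - period_start) - downtime
    # Running stretches that ended in a failure: from the period start
    # (or the end of the previous repair) to the start of the next outage.
    run_starts = [period_start] + [e for _, e in clipped[:-1]]
    runs = [s - r for r, (s, _) in zip(run_starts, clipped)]
    n = len(clipped)
    return {
        "uptime": uptime,
        "downtime": downtime,
        # Availability = Total Uptime / (Total Uptime + Total Downtime)
        "availability": uptime / (uptime + downtime),
        "mttr": downtime / n if n else None,
        "mttf": sum(runs, timedelta()) / n if n else None,
        # Outages whose recovery took longer than the objective allows.
        "rto_misses": [s for s, e in clipped if e - s > rto],
    }


if __name__ == "__main__":
    for name, value in availability_report(
            OUTAGES, MONTH_START, MONTH_END, RTO).items():
        print(f"{name}: {value}")
```
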

IT Security Policy Framework: Policy – Standard – Procedure – Guideline



Information is a person’s private data, a company’s intellectual property, or a country’s national security
interest.

Information systems are the hardware, operating system software, and applications that make up
a system to provide access to information.

Information systems security (ISS) protects the system and the information stored in the system. It
also enables the transmission and archival of information and takes care of the accessibility of
information to users. ISS deals with risks, threats, and vulnerabilities.



Seven Domains of a Typical IT Infrastructure

User domain: Made up of typical IT users and the hardware, software, and data they use

Workstation domain: The “desktop domain” where most users enter the IT infrastructure

LAN domain: Small network organized by function or department, allowing access to all resources on the
LANs

LAN-to-WAN domain: The point at which the IT infrastructure joins a WAN and the Internet

WAN domain: The point at which the WAN connects to other WANs via the Internet

Remote Access domain: Connects remote employees and partners to the IT infrastructure

Systems/Applications domain: Holds all of the mission-critical systems, applications, and data



Common Threats in the User Domain

Lack of user awareness: Conduct security awareness training, display security awareness posters,
insert reminders in banner greetings, and send e-mail reminders to employees.

User apathy toward policies: Conduct annual security awareness training, implement AUP, update
staff manual and handbook, and discuss status during performance reviews.

User violating security policy: Place employee on probation, review AUP and employee manual, and
discuss status during performance reviews.

User inserting CD/DVD/USB with personal files: Enable automatic antivirus scans for inserted media
drives, files, and e-mail attachments. An antivirus scanning system examines all new files on your
computer’s hard drive for viruses. Enable e-mail antivirus scanning for e-mails with attachments.

User downloading photos, music, or videos: Enable content filtering and antivirus scanning
on e-mail attachments. Content-filtering security appliances are configured to permit or deny
specific domain names in accordance with the AUP definition.

User destroying systems, applications, and data: Restrict access for users to only those systems,
applications, and data needed to perform their job. Minimize write or delete permissions to the
data owner only.

Disgruntled employee attacking organization or committing sabotage: Track and monitor abnormal
employee behavior, erratic job performance, and use of IT infrastructure during off-hours. Begin IT
access control lockout procedures based on AUP monitoring and compliance.

Employee blackmail or extortion: Track and monitor abnormal employee behavior and use of IT
infrastructure during off-hours. Enable intrusion detection system/intrusion prevention system
(IDS/IPS) monitoring for sensitive employee positions and access. IDS/IPS security appliances
examine the Internet Protocol (IP) data streams for inbound and outbound traffic. Alarms and alerts
programmed within an IDS/IPS help identify abnormal traffic and can block IP traffic per policy
definition.

Common Threats in the Workstation Domain

Unauthorized workstation access: Enable password protection on workstations for access.

Unauthorized access to systems, applications, and data: Define strict access control policies,
standards, procedures, and guidelines. Implement a second-level test to verify a user’s right to
gain access.

Desktop or laptop operating system vulnerabilities: Define a workstation operating system vulnerability
window policy. A vulnerability window is the gap in time during which you leave a computer without
a security update applied. Start periodic workstation domain vulnerability tests to find gaps.

Desktop or laptop application software vulnerabilities or patches: Define a workstation application
software vulnerability window policy. Update application software and security patches according
to defined policies, standards, procedures, and guidelines.

Viruses, malicious code, and other malware: Use workstation antivirus and malicious code policies,
standards, procedures, and guidelines. Enable an automated antivirus protection solution that scans and
updates individual workstations with proper protection.

Seller: newsolutions (Chamberlain College Of Nursing)