Principles of Information Security 7E Module 2
MODULE 2
The Need for Information Security
Upon completion of this material, you should be able to:
1 Discuss the need for information security
2 Explain why a successful information security program is the shared responsibility of the entire organization
3 List and describe the threats posed to information security and common attacks associated with those threats
4 List the common information security issues that result from poor software development efforts
Our bad neighbor makes us early stirrers, which is both healthful and good husbandry.
—William Shakespeare, King Henry, in Henry V, Act 4, Scene 1
Opening Scenario
Fred Chin, CEO of Sequential Label and Supply (SLS), leaned back in his leather chair and propped his feet up on the long
mahogany table in the conference room where the SLS Board of Directors had just adjourned from their quarterly meeting.
“What do you think about our computer security problem?” he asked Gladys Williams, the company’s chief information
officer (CIO). He was referring to the outbreak of a malicious worm on the company’s computer network the previous month.
Gladys replied, “I think we have a real problem, and we need to put together a real solution. We can’t sidestep this with
a quick patch like last time.” Six months ago, most of the systems on the company network had been infected with a virus
program that came from an employee’s personal USB drive. To prevent this from happening again, all users in the company
were now prohibited from using personal devices on corporate systems and networks.
Fred wasn’t convinced. “Can’t we just allocate additional funds to the next training budget?”
Gladys shook her head. “You’ve known for some time now that this business runs on technology. That’s why you hired me
as CIO. I’ve seen this same problem at other companies, and I’ve been looking into our information security issues. My staff and
I have some ideas to discuss with you. I’ve asked Charlie Moody to come in today to talk about it. He’s waiting to speak with us.”
When Charlie joined the meeting, Fred said, “Hello, Charlie. As you know, the Board of Directors met today. They received
a report on the costs and lost production from the malware outbreak last month, and they directed us to improve the security
of our technology. Gladys says you can help me understand what we need to do about it.”
“To start with,” Charlie said, “Instead of simply ramping up our antivirus solution or throwing resources at an endpoint
protection product, we need to start by developing a formal information security program. We need a thorough review of our
policies and practices, and we need to establish an ongoing risk management program. Then we can explore the technical
options we have. There are some other things that are part of the process as well, but this is where I think we should start.”
“Sounds like it is going to be complicated … and expensive,” said Fred.
Charlie looked at Gladys and then answered, “Well, there will probably be some extra expenses for specialized hardware
and software, and we may have to slow down some of our product development projects a bit, but this approach will call
more for a change in our attitude about security than just a spending spree. I don’t have accurate estimates yet, but you can
be sure we’ll put cost-benefit worksheets in front of you before we commit any funds.”
Fred thought about this for a few seconds. “Okay. What’s our next step?”
Gladys answered, “First, we need to initiate a project plan to develop our new information security program. We’ll use
our usual systems development and project management approach. There are a few differences, but we can easily adapt our
current models. We’ll need to reassign a few administrators to help Charlie with the new program. We’d also like a formal
statement to the entire company identifying Charlie as our new chief information security officer and asking all of the department heads to cooperate with his new information security initiatives.”
“Information security? What about computer security?” asked Fred.
Charlie responded, “Information security includes computer security, plus all the other things we use to do business:
securing our information, networks, operations, communications, personnel, and intellectual property. Even our paper records
need to be factored in.”
“I see,” Fred said. “Okay, Mr. Chief Information Security Officer.” Fred held out his hand for a congratulatory handshake.
“Bring me the draft project plan and budget in two weeks. The audit committee of the Board meets in four weeks, and we’ll
need to report our progress then.”
Introduction To The Need For Information Security
Unlike any other business or information technology program, the primary mission of an information security program is to ensure that information assets—information and the systems that house them—are protected and thus remain safe and useful. Organizations expend a lot of money and thousands of hours to maintain their information assets. If threats to these assets didn’t exist, those resources could be used exclusively to improve the systems that contain, use, and transmit the information. However, the threat of attacks on information assets is a constant concern, and the need for information security grows along with the sophistication of the attacks. While some organizations lump both information and systems under their definition of an information asset, others prefer to separate the true information-based assets (data, databases, data sets, and the applications that use data) from their media—the technologies that access, house, and carry the information. For our purposes, we will include both data and systems assets in our use of the term. Similarly, we’ll use the term information to describe both data and information, as for most organizations the terms can be used interchangeably.
Organizations must understand the environment in which information assets reside so their information security programs can address actual and potential problems. This module describes the environment and identifies the threats to it, the organization, and its information.
Information security performs four important functions for an organization:
• Protecting the organization’s ability to function
• Protecting the data and information the organization collects and uses, whether physical or electronic
• Enabling the safe operation of applications running on the organization’s IT systems
• Safeguarding the organization’s technology assets
information asset: The focus of information security; information that has value to the organization and the systems that store, process, and transmit the information.
media: As a subset of information assets, the systems, technologies, and networks that store, process, and transmit information.
data: Items of fact collected by an organization; includes raw numbers, facts, and words.
information: Data that has been organized, structured, and presented to provide additional insight into its context, worth, and usefulness.
Business Needs First
There is a long-standing saying in information security: When security needs and business needs collide, business wins.
Without the underlying business to generate revenue and use the information, the information may lose value, and
there would be no need for it. If the business cannot function, information security becomes less important. The key
is to balance the needs of the organization with the need to protect information assets, realizing that business needs
come first. This is not to say that information security should be casually ignored whenever there is a conflict, but to
stress that decisions associated with the degree to which information assets are protected should be made carefully,
considering both the business need to use the information and the need to protect it.
Protecting Functionality
The three communities of interest defined in Module 1—general management, IT management, and information security
management—are each responsible for facilitating the information security program that protects the organization’s
ability to function. Although many business and government managers shy away from addressing information security
because they perceive it to be a technically complex task, implementing information security has more to do with management than technology. Just as managing payroll involves management more than mathematical wage computations,
managing information security has more to do with risk management, policy, and its enforcement than the technology
of its implementation. As the noted information security author Charles Cresson Wood writes:
In fact, a lot of [information security] is good management for information technology. Many people think
that a solution to a technology problem is more technology. Well, not necessarily. … So a lot of my work, out
of necessity, has been trying to get my clients to pay more attention to information security as a management
issue in addition to a technical issue, information security as a people issue in addition to the technical issue.1
Each of an organization’s communities of interest must address information security in terms of business impact
and the cost of business interruption rather than isolating security as a technical problem.
Protecting Data That Organizations Collect and Use
Without data, an organization loses its record of transactions and its ability to deliver value to customers. Any business,
educational institution, or government agency that operates within the modern context of connected and responsive
services relies on information systems. Even when transactions are not online, information systems and the data they
process enable the creation and movement of goods and services. Therefore, protecting data in transmission, in processing, and at rest (storage) is a critical aspect of information security. The value of data motivates attackers to steal,
sabotage, or corrupt it. An effective information security program implemented by management protects the integrity
and value of the organization’s data.
Organizations store much of the data they deem critical in databases, managed by specialized software known
as a database management system (DBMS). Database security is accomplished by applying a broad range of control
approaches common to many areas of information security. Securing databases encompasses most of the topics
covered in this textbook, including managerial, technical, and physical controls. Managerial controls include policy,
procedure, and governance. Technical controls used to secure databases rely on knowledge of access control, authentication, auditing, application security, backup and recovery, encryption, and integrity controls. Physical controls include
the use of data centers with locking doors, fire suppression systems, video monitoring, and physical security guards.
The fundamental practices of information security have broad applicability in database security. One indicator of this strong degree of overlap is that the International Information System Security Certification Consortium (ISC)², the organization that evaluates candidates for many prestigious information security certification programs, allows experience as a database administrator to count toward the experience requirement for the Certified Information Systems Security Professional (CISSP).
database: A collection of related data stored in a structured form and usually managed by specialized systems.
database security: A subset of information security that focuses on the assessment and protection of information stored in data repositories.
Enabling the Safe Operation of Applications
Today’s organizations are under immense pressure to acquire and operate integrated, efficient, and capable applications. A modern organization needs to create an environment that safeguards these applications, particularly those that are important elements of the organization’s infrastructure—operating system platforms, certain