Project Three - Information Security White Paper Research

Project Three - Information Security White - Research Paper Example It is essential to define a solid network defense for handling cyber-attacks. We have divided security into two aspects i.e. technical and formal security. Technical System Security After identifying the purpose, there is a requirement of identify weaknesses or vulnerabilities along with impact and types. Organizations have to consider the backdoors and the week points that may allow or trigger any threats to disrupt business operations by compromising an asset or information system. Moreover, a holistic approach is required to address all risks and vulnerabilities, as every minor vulnerability can expand by cascading other risks in the system. At a technical standpoint, what needs to be protected hardware, applications or data? That is a question that must be addressed by organization itself (Royal Canadian, 1992). The summary of this question can only be encountered by identifying and categorizing threats. As per (Dhillon, 2007) threats are categorized as Modification, Destruction, Disclosure, Interception, Interruption and fabrication and implies on hardware security, data security and software security. Effective change management and configuration management procedures along with documentation are the most effective controls for minimize security vulnerabilities that may arise from incompatible modules or hardware modification from the system (Prin of computer security 2E2010). Destruction is associated with physical damage to a hardware device, network device or software. Whereas, software destruction can be from a malicious code, Trojan or unintentional deletion of a kernel of any application etc. Similarly, data can also be deleted intentionally or unintentionally and can also be cause by malfunctioning device. Disclosure of data is proportional to confidentiality i.e. need to know basis. Data is easy to be stolen because the original copy still seems intact, in spite of the data theft. Data types can be classified in to many types, again depending on o rganizational requirements. For instance, trade secrets, upcoming financial results or long term strategic plans of the organization can be classified as top secret, whereas, customer information can be classified as confidential. Organizations conducting business online collect customer information via websites. Data can also be intercepted by unauthorized access to computing and electronic resources. Moreover, unauthorized remote can also result in accessing information from a remote location. Interruption can also cause system availability that may result from malfunctioned hardware or power outage. Moreover, interruption of services can also be caused from broadcast storm or network congestion that may cause denial of service. Lastly, fabrication refers to a penetration of transactions to a database. Fabrication is often conducted by unauthorized parties in a way that is difficult to identify the authentic and forged transaction. One of the examples of fabrication is called as à ¢â‚¬ËœPhishing’. Moreover, asymmetric and symmetric encryption techniques are considered as per requirements. Moreover, non-repudiation can be prevented by third party certificate authorities. Formal System Security Management of information system security requires a development of organizational structure and processes for ensuring adequate protection and integrity. Likewise, for maintaining adequate security, an appropriate relationship organization is required for maintaining integrity of