The evolving nature of information security threats such as cybercrime, as well as the need to ensure the confidentiality and privacy of citizen information and to protect critical infrastructure call for effective information security management in the public sector. According to Evers (2006), the FBI (Federal Bureau of Investigation) estimates that cybercrime will cost businesses an estimated $67.2 billion per year. Citizens’ privacy and the security of their personal information have become issues of increasing concern as headlines of data security breaches and identity thefts abound in the mainstream media. For example, in 2005, 9.3 million U.S. citizens, about 4.25% of the population, were victims of identity theft and fraud, costing approximately $54.4 billion (Council of Better Business & Javelin Strategy & Research, 2006). E-government applications have made it easier for citizens to conduct business online with government agencies, although their trust in the ability of governments to keep that information private is low. Considering the amount of citizen information held by governments at all levels and the steps needed to address potential homeland-security and IT-related threats to critical infrastructure, the need for effective means of safeguarding public agency data has become an issue of paramount importance. In addition, the need to ensure integrity and availability of public information resources is crucial to many government operations. As a result, several states are recognizing the importance of information security and privacy in their state IT strategic plans (National Association of State Chief Information Security Officers [NASCIO], 2006).
Key Terms in this Chapter
Management Controls: Management controls are actions taken to manage the development, maintenance, and use of the system, including system-specific policies, procedures, and rules of behavior, individual roles and responsibilities, individual accountability, and personnel security decisions.
Information Security Plan: It is a document that provides a road map for the goals to be accomplished in securing the information assets of an organization. The information security plan provides the basic blueprints for documenting an information security program.
Threat: A threat is any circumstance or event with potential cause for harm to a system in the form of destruction, disclosure, modification of data, and/or denial of service. It is the potential for the exploitation of a vulnerability. Threats arise from internal failures, human errors, attacks, and natural catastrophes. The examination of all actions and events that might adversely affect a system or operation is known as threat analysis.
Information Security Policy: This is a document that outlines the rules, laws, and practices that regulate how an organization will manage, protect, and distribute its sensitive information (both corporate and client information). It lays the framework for the computer-network-oriented security of an organization.
Technical Controls: These are hardware and software controls used to provide automated protection to the information technology system or applications. Technical controls operate within the technical system and applications.
Operational Controls: These are day-to-day procedures and mechanisms used to protect operational systems and applications. They address security methods that focus on mechanisms that primarily are implemented and executed by people (as opposed to systems). Operational controls affect the system and operational environment.
Configuration Management: This is the management of security features and assurances through the control of changes made to a system. It is a procedure for applying technical and administrative directions and surveillance to identify and document the functional and physical characteristics of an item or system, control any changes to such characteristics, and record and report the change, process, and implementation status.
Vulnerability: A vulnerability is a weakness in a network computer system’s security procedures, administrative controls, system design, implementation, internal controls, or so forth that could be exploited by a threat for one to gain unauthorized access to information, to disrupt critical processing, or to violate a system security policy. It is a flaw that may allow harm to occur to an information technology activity. A measurement of vulnerability, which includes the susceptibility of a particular system to a specific attack and the opportunities available to a threat agent to mount that attack, is known as vulnerability assessment.
Authentication: Authentication is the process of identifying an individual, usually based on a user name and password. In security systems, authentication is distinct from authorization, which is the process of giving individuals access to system objects based on their identity. Authentication merely ensures that the individual is who he or she claims to be, but says nothing about the access rights of the individual.
Patch: A patch is a section of software code that is inserted into a program to correct mistakes or to alter the program.
Information Security Standards: This is a set of documents that outline the criteria and specific level of performance regarding the actions needed to be taken to secure the information assets of an organization.
Configuration: Configuration is the relative or functional arrangement of components in a system. It is the way a system is set up, or the assortment of components that make up the system. Configuration can refer to hardware or software, or the combination of both.
Identification: Identification is the process that enables the recognition of an entity (subject or object) by a computer system, generally by the use of unique machine-readable user names.
Information Security Program: It is a documented set of information security policies, procedures, guidelines, and standards implemented to provide the road map for effective information security management practices and controls.
Authorization: Authorization is the privilege granted to an individual by management to access information based upon the individual’s clearance and need-to-know principle. It is the granting to a user, program, or process the right of access.
Security Management: This is the process of monitoring and controlling access to network resources. This includes monitoring usage network resources, recording information about the usage of resources, detecting attempted or successful violations, and reporting such violations.