Road Map to Information Security Management

Lech Janczewski (The University of Auckland, New Zealand)
DOI: 10.4018/978-1-60566-014-1.ch169
Abstract

Developments in multimedia technology and in networking offer organizations new and more effective ways of conducting their businesses. That includes both internal and external contacts. Practically every business person owns a mobile phone, has a PDA/laptop with wireless capabilities, and is able to communicate with colleagues/clients all over the world and from every place on the globe. As a result, well-defined barriers between different organizations are becoming less and less visible. This technical progress intensifies the competing forces. In the past, an organization was directly exposed to competition located within its city or region. Now, due to easy communication, its competitor could be located on the opposite side of the globe.

The advantage of using multimedia technology and networking can be realised only if the data handled by a company are secure, that is, are available only to authorised persons (confidentiality), represent true values, i.e., have not been changed during storage, processing, or transport (integrity), and are available on demand (availability). Thus, managing the security of information becomes an obligatory part of running any modern IT system. There is no absolute IT system security: if a system is accessible to authorised people, by definition it is impossible to eliminate the chance of unauthorised access. However, proper means exist to dramatically decrease the probability of such unauthorised activities.

This article illustrates the importance of properly managing information security processes in an organization and presents first-level guidance on how to approach this problem. The most widely known document on information security is the annual Computer Crime and Security Survey (CCSS), conducted by San Francisco's Computer Security Institute in cooperation with the FBI (CSI, 2006). It is based on responses from over 500 professionals representing all types and sizes of organizations, from huge international corporations to small businesses and from nationwide government agencies to small community centres. The message the survey conveys is frightening:

  • Total losses for 2006 were $52,494,290 (USD) for the 313 respondents that were willing and able to estimate losses.

  • Losses due to virus contamination caused the most significant loss (over $15 million).

  • Unauthorised access to information was the second-most expensive computer crime among survey respondents.

  • As in previous years, virus incidents (65.2%) and insider abuse of network access (47%) were the most cited forms of attack or abuse.

  • The impact of the Sarbanes–Oxley Act on information security continues to be substantial. In fact, in open-ended comments, respondents noted that regulatory compliance related to information security is among the most critical security issues they face.
Chapter Preview

The Information Security Issues

The report covers only a very small part of the USA's economy, and real nationwide losses could be several orders of magnitude higher. Surveys of a similar nature are conducted in many other countries, such as New Zealand (NZ Survey, 2005; AusCERT, 2003), and have produced similar results. This is not a surprise, as the whole globe is becoming a wired village and computer technology is the same all over the world.

Key Terms in this Chapter

Issuer: An issuer is an organization or a bank that issues credit cards to cardholders. It provides authorization services to the acquirer.

Short Message Service (SMS): A service available on mobile phones that permits the sending and receiving of short messages. SMS messages are two-way alphanumeric paging messages of up to 160 characters that can be sent to and from a mobile phone.

Digital Certificates: A digital certificate is issued by a Certification Authority (CA). It contains the owner's name, the expiration date, and the owner's public key, and is used to verify who sent a message.

E-Wallet: Also known as a digital wallet, it is the electronic payment system's counterpart of a physical wallet. It provides security and encryption for the owner's personal information.

Identification: Identification is the mechanism by which the system asks the user, "Who are you?" The user identifies himself or herself to the computer system by a user name or user number.

Certificate Revocation: A certificate can be revoked by the Certificate Authority (CA) before its scheduled expiration date. The possible revocation reasons are defined in RFC 3280. A revoked certificate is added to the Certificate Revocation List (CRL) and should no longer be accepted by other systems.

Acquirer: An acquirer is an organization or a bank that collects authorization requests and sales slips from merchants. In the traditional payment system it connects directly to the merchant's POS/EDC terminal.

Integrity: Data integrity ensures that the transaction is unchanged from its source and has not been accidentally or maliciously altered.

Authentication: A method of verifying the identity of the cardholder and the merchant before payment. Authentication is the mechanism by which the system asks the cardholder or merchant, "Is that really you?"

Nonrepudiation: Strong and substantial evidence is available to the sender of a message that the message has been delivered, and to the recipient that the message originated from the sender.

Merchant: An organization or an individual that accepts credit card payments for the products or services it sells.

Encryption: The process of transforming a message so that it is unreadable without special knowledge. Encryption is used to protect communication over public networks such as the Internet.

Financial Institution (Card Brand): A large data centre that provides financial services and the network between the acquirer bank and the issuer bank.
