Abstract
There has been an unprecedented thrust in employing Computers and Communication technologies in all walks of life. The systems enabled by Information Technology are becoming more and more complex resulting in various threats and vulnerabilities. The security properties, like confidentiality, integrity, and availability, are becoming more and more difficult to protect. In this chapter, a life-cycle approach to achieve and maintain security of enterprises has been proposed. First, enterprise information systems are looked at in detail. Then, the need for enterprise information system security and problems associated with security implementation are discussed. The authors consider enterprise information system security as a management issue and detail the information security parameters. Finally, the proposed security engineering life-cycle is described in detail, which includes, Security Requirement Analysis, Security Policy Formulation, Security Infrastructure Advisory Generation, Security Testing and Validation, and Review and Monitoring phases.
TopBackground
Enterprise and its Functionality
The Compact Oxford English Dictionary (Weiner, 1991) defines an “enterprise” as “a project or undertaking, especially a bold one”; “bold resourcefulness”; or, “a business or company”. Webopedia states that an enterprise is “a business organization. In the computer industry, the term is often used to describe any large organization that utilizes computers”. Combining these, we define an enterprise as an organization (Industry/Govt./Academic) created for business or service ventures. From the Information Security point of view, an enterprise is characterized by its business goals, business activities, organizational structure, and assets and infrastructure.
The Compact Oxford English Dictionary (Weiner, 1991) defines “information” as “facts or knowledge provided or learned; what is conveyed or represented by a particular sequence of symbols, impulses, etc”. The Wikipedia entry for information is “the result of processing, manipulating and organizing data in a way that adds to the knowledge of the receiver”. Thus, information can be viewed as data that is organized and accessible in a coherent and meaningful manner. The generation and use of information has some commonalities in different types of enterprises. For example, all of them rely on user and operator interactions, reliable storage and retrieval, correct processing, as well as timely and good quality dissemination of information. More and more enterprises are becoming dependent on the efficiency and quality of generation and processing of information. Information has become the prime mover in the growth and sustenance of all kinds of enterprises. Information and the technology supporting the creation, and management of information act as important assets of any enterprise. Thus there is a specific need to protect these assets.
Key Terms in this Chapter
Risk Analysis: This term defines the process of analyzing a target environment and the relationships of its risk related attributes. This analysis will identify threat-vulnerabilities, associate those vulnerabilities with affected assets, identify the potential for and nature of an undesirable result and specify risk mitigating controls.
Security Concern: Security concern of an asset is a function of threat and vulnerability of that asset.
Severity: Level of exploitation of vulnerability on a qualitative scale is defined by the severity value.
Threat: Threats are any unwanted activities or events that under certain conditions could jeopardize either the integrity, confidentiality or availability of information and other assets.
Information Asset: Databases, data files, system documentation, user manuals, training material, operational and support procedures, intellectual property, continuity plans, fallback arrangements, archived information.
Software Asset: Application software, System software, development tools, and utilities.
Asset: Asset means anything that has value to an organization. With respect to security, asset may imply physical resources, or information contained within the organization.
Hardware Asset: Computer equipment (processors, monitors, laptops, modems), communication equipment (routers, hubs, PABXs, fax machines), magnetic media (tapes and disks), other equipment, cabinets, safes.
Risk Management: This includes the process of assigning priority to, budgeting, implementing and maintaining the appropriate risk-reducing measures.
Safeguard: This term represents a risk reducing measure that acts to detect, prevent or minimize loss associated with the occurrence of a specified threat.
Vulnerability: This is an inherent weakness associated with an enterprise asset. It is a condition that has the potential to allow a threat to occur with greater impact and greater frequency or both.