Information concerning individuals has value. Companies are increasingly reliant upon computer systems and networks to carry out their critical business. Today, organizations operate in a global, multi-enterprise environment and collaborate over telecommunication networks, especially the Internet. As the use of information systems has grown, a great deal of public attention has come to be focused on security. Leonard (2007) found that assuring data integrity, confidentiality and availability should be a major concern of information system security specialists (p. 56).
Why do you need information system security?
Information concerning individuals has value. According to Sherrie et al. (2006), “Information is a vital asset to any company, and needs to be appropriately protected” (as cited in Hong et al., 2003). To reduce information exposure, companies must protect the places where sensitive information resides, because those are the entry points for cybercriminals. Peter (2003) asserted that a company’s survival and the rights of its customers are put at risk by illicit and malevolent access to storage facilities (p. 27). Lose the data and you lose the business: a breach damages the company’s reputation and costs it the confidence of its customers.
Today, protecting the network perimeter is no longer sufficient for information protection. In the modern business environment, information is constantly moving among employees, partners and consumers, and threats can come from anywhere. External offenders are not the only threat to information security; insiders are a threat as well. Gary (2002) stated that widespread computer interconnectivity offers many benefits but, conversely, poses significant risks to our computer systems (p. 4). As consumers demand reliable systems that provide security and privacy, information security becomes more and more important. To make sensible decisions about security, an organization needs a way to measure the security of its information systems.
What do you need for information system security to be successful?
There are many aspects of security. Confidentiality is at the heart of information system security controls, but the availability and integrity of a system’s data and functions must also be assured. Information can be classified into levels such as public, internal, confidential and so on. The organization has to assign documents to the proper level and decide where the data should be stored, who may access it and how it is to be protected. With this inventory in hand, the organization has an accurate understanding of where its exposures are and can use that knowledge to build a more secure environment.
The main objective of information system security is to preserve the confidentiality of information. Scott (2002) affirmed that authentication and encryption can ensure that only authorized parties access the media and that the data itself has not been tampered with or corrupted (p. 15). User authentication is the foundational procedure that ensures only the right persons, with granted permission, can access confidential information. Access to, or disclosure of, any part of the information by an unauthorized person is a loss of confidentiality and privacy. According to Phillip (2005), “If someone gets access to an employee’s PIN and password, he or she has the keys to the kingdom” (as cited in Kramer, 2005). Passwords must never be shared, and the system must never store them in a form that reveals them if the password database itself is exposed. The essay’s advice to change passwords after a set period reflects the practice of its time; current NIST guidance (SP 800-63B) instead recommends changing a password when there is evidence it has been compromised rather than on a fixed schedule.
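The “keys to the kingdom” problem above is usually worst when a system stores passwords in plain text, because one database leak then hands out every credential. The block below is an added example, not code from the original essay, showing how a verifier should store and check a password: a per-user random salt, a slow key-derivation function (PBKDF2-HMAC-SHA256 from the Python standard library) and a constant-time comparison. The record format, the iteration count and the field separator are this example’s own assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example (not from the essay). The iteration
# count trades login latency for brute-force cost; raise it as hardware improves.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Derive a storable record from a password.

    The record is self-describing ("algorithm$iterations$salt_hex$hash_hex") so
    that the iteration count can be raised later without breaking old records.
    A fresh random salt per user means two users with the same password get
    different records, which defeats precomputed (rainbow-table) attacks.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${derived.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Check a login attempt against a stored record without ever storing the password."""
    try:
        algorithm, iterations, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False  # malformed record: refuse rather than guess
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    # compare_digest runs in time independent of where the first mismatch is,
    # so an attacker cannot learn the stored hash byte by byte from timings.
    return hmac.compare_digest(candidate, bytes.fromhex(hash_hex))


def records_differ_for_same_password(password: str) -> bool:
    """Show the effect of salting: same password, two distinct stored records."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)
    print("login ok:", verify_password("correct horse battery staple", stored))
    print("wrong password rejected:", not verify_password("Tr0ub4dor&3", stored))
    print("salted:", records_differ_for_same_password("hunter2"))
```

Because the record stores only the salt and the derived key, an attacker who copies the password database still has to run the slow derivation for every guess against every user; the plain-text PIN and password that Phillip (2005) warns about are never on disk.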
However, password security alone is not enough. Encryption is the best means of reducing the exposure of private information, because it protects confidentiality while the information travels across networks. Any access to confidential information over a network should be protected by encryption or other cryptographic techniques. For example, a virtual private network (VPN) or Transport Layer Security (TLS, the successor to the Secure Sockets Layer protocol named in older literature) protects information in transit, especially over the Internet, so that an outsider who captures the traffic cannot read it.
Commercial systems must be available to authorized users when they are needed, so service interruption in a production environment is a security concern in its own right. Fratto (2009) stated that anything less than 99.9% availability is unacceptable in most cases (p. 36); 99.9% already permits roughly 8.8 hours of downtime per year. Even a five-minute outage in a transaction-oriented business such as Internet banking has a large impact on customers. To obtain dependable connectivity and power, some organizations place their storage systems in commercial data centers, where the data may be better protected than in their own facilities. The service provider should then have auditable controls governing physical access to the equipment, reducing the risk of someone accessing data locally.
The opposite of availability is denial of service (DoS). Malliga and Tamilarasi (2008) asserted that DoS attacks are relatively simple but powerful and pose a great threat to the availability of commercial systems (p. 21). They exhaust CPU resources and network bandwidth. Such attacks do not break into the target systems; they disrupt normal operation by flooding them with traffic until performance degrades to an unacceptable level or the system shuts down completely. Preventive systems try to limit the damage by detecting abnormal request rates early and throttling or dropping the offending sources.
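A flood is visible in the request log long before the CPU is saturated: one source issuing far more requests per unit of time than any legitimate client. The block below is an added example, not code from the essay or from Malliga and Tamilarasi (2008), that runs a sliding-window rate detector over constructed sample log lines. The log format (ISO timestamp, source address, method, path), the window of 10 seconds, the threshold of 50 requests and the IP addresses are all assumptions made for this example; real deployments tune the window and threshold to their own baseline traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Assumed log format for this example: "<ISO-8601 UTC time> <source IP> <METHOD> <path>"
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+)$")


def parse_line(line: str) -> Optional[Tuple[datetime, str, str]]:
    """Return (timestamp, source, path) or None for a line that does not match."""
    match = LOG_LINE.match(line.strip())
    if match is None:
        return None
    ts = datetime.strptime(match["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, match["src"], match["path"]


def detect_floods(lines: List[str], window_seconds: int = 10,
                  threshold: int = 50) -> Dict[str, int]:
    """Flag sources that exceed `threshold` requests in any `window_seconds` span.

    Lines must be in chronological order (as a log file is). For each source a
    deque holds the timestamps still inside the window; the deque length is
    the current request rate. Returns {source: peak requests in one window}.
    """
    window = timedelta(seconds=window_seconds)
    recent: Dict[str, deque] = defaultdict(deque)
    peak: Dict[str, int] = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than crash the detector
        ts, src, _path = parsed
        bucket = recent[src]
        bucket.append(ts)
        while bucket and ts - bucket[0] > window:
            bucket.popleft()  # expire requests older than the window
        if len(bucket) > threshold:
            peak[src] = max(peak.get(src, 0), len(bucket))
    return peak


def build_sample_log() -> List[str]:
    """Constructed traffic: three normal clients plus one flooding source."""
    base = datetime(2009, 5, 1, 10, 0, 0)
    events: List[Tuple[datetime, str]] = []
    for client in ("203.0.113.10", "203.0.113.11", "203.0.113.12"):
        for second in range(0, 60, 2):  # one request every two seconds
            events.append((base + timedelta(seconds=second), client))
    for second in range(30, 40):  # flooder: 20 requests per second for 10 seconds
        for _ in range(20):
            events.append((base + timedelta(seconds=second), "198.51.100.7"))
    events.sort(key=lambda e: e[0])
    return [f"{ts.strftime('%Y-%m-%dT%H:%M:%SZ')} {src} GET /login" for ts, src in events]


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for src, count in detect_floods(SAMPLE_LOG).items():
        print(f"flood from {src}: {count} requests in a 10 s window")
```

The normal clients never exceed six requests in any ten-second window, so only the flooding address is reported, with its peak count; a preventive system would feed that address to a firewall or rate limiter rather than merely print it.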
Integrity is the property that data has not been modified, so that its accuracy is preserved. The security manager must make sure the data has not been tampered with or altered, whether intentionally or accidentally; once data is changed without authorization, integrity is lost. Weaknesses on servers, at the application or operating-system level, can be exploited to modify server data. Where information cannot be fully protected because of its nature, there should at least be a way to detect loss of integrity. For example, digital signatures and message authentication codes can be implemented to provide verifiable integrity. A bare cryptographic hash such as MD5 is often cited for this purpose, but it only detects accidental corruption: an attacker who can alter the data can recompute the hash, and MD5’s collision resistance has been broken, so SHA-256 with a secret key (an HMAC) or a signature is the appropriate choice today.
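The difference between a bare hash and a keyed integrity check is easy to show in code. The block below is an added example, not from the essay, using SHA-256 and HMAC-SHA256 from the Python standard library. It stores a record with both a plain digest and a keyed tag, then plays the attacker who alters the record and recomputes whatever check value is stored beside it. The record contents, the 32-byte key and the scenario are constructed for this example.

```python
import hashlib
import hmac
import os
from typing import Dict


def sha256_digest(data: bytes) -> str:
    """Plain hash: anyone, including an attacker, can compute it."""
    return hashlib.sha256(data).hexdigest()


def make_tag(key: bytes, data: bytes) -> str:
    """HMAC-SHA256 tag: computing it requires the secret key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def check_with_hash(data: bytes, stored_digest: str) -> bool:
    """Integrity check using only a hash stored next to the data."""
    return hmac.compare_digest(sha256_digest(data), stored_digest)


def check_with_mac(key: bytes, data: bytes, stored_tag: str) -> bool:
    """Integrity check using a keyed tag; constant-time comparison."""
    return hmac.compare_digest(make_tag(key, data), stored_tag)


def integrity_demo(key: bytes = None) -> Dict[str, bool]:
    """Walk through the attack the essay warns about: server-side modification."""
    if key is None:
        key = os.urandom(32)  # assumed: shared only between writer and verifier
    record = b"account=12345;balance=100.00"  # constructed sample record
    stored_digest = sha256_digest(record)
    stored_tag = make_tag(key, record)

    # Attacker with write access to the server changes the record and, because
    # the plain digest sits unprotected beside it, recomputes that digest too.
    tampered = b"account=12345;balance=100000.00"
    attacker_digest = sha256_digest(tampered)
    # The attacker has no key, so the best they can do is guess one.
    attacker_tag = make_tag(b"guessed-key", tampered)

    return {
        "original_passes_hash": check_with_hash(record, stored_digest),
        "original_passes_mac": check_with_mac(key, record, stored_tag),
        "tamper_caught_if_digest_untouched": not check_with_hash(tampered, stored_digest),
        "hash_fooled_by_recomputed_digest": check_with_hash(tampered, attacker_digest),
        "mac_rejects_tampered_record": not check_with_mac(key, tampered, stored_tag),
        "mac_rejects_forged_tag": not check_with_mac(key, tampered, attacker_tag),
    }


if __name__ == "__main__":
    for name, outcome in integrity_demo().items():
        print(f"{name}: {outcome}")
```

The keyed tag catches both the modified record and the forged tag because the verifier’s key never touches the compromised server. Where the writer and the verifier should not share a secret at all, the same pattern is carried by a digital signature: the writer signs with a private key and any verifier checks with the public key.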
A higher perceived level of security leads to higher customer satisfaction. Many executives are mainly interested in passing the audit’s compliance check, but that is not the goal of information system security: one hundred percent compliance does not mean the organization is secure. Management should stress the importance of information security itself. According to Peyman (2003), “Many companies are at a loss to know what to do about this threat to their business” (as cited in Jeffrey & Ellen, 2003). In fact, many serious data breaches are caused by human error rather than deliberate attack. For instance, backup tapes are generally stored outside the data centre for disaster-recovery purposes; if a tape is lost in transit and its contents are not encrypted, whoever finds it can read or copy the data.
Risk management should also be applied to reduce risk to an acceptable level. Sherrie et al. (2006) stated that developing a security policy and infrastructure is core to reducing risks, threats and vulnerabilities in an organization (pp. 5-6). Organizations concerned with data loss need a redundancy plan so that backup data can be restored and service resumed promptly. According to Fratto (2009), “Outsourcing companies are themselves outsourcing their processing. Now you have to worry about where your data ends up” (p. 32). Accounting is the third pillar alongside authentication and authorization: without it there is no historical record of which user accessed which data at what time. The accounting system should produce an audit trail of users’ actions that enables auditors to trace every access.
Most people are concerned about the confidentiality of their data and therefore expect information systems that hold sensitive data to be secured. However, only a few organizations have developed a complete and systematic approach to information system security, such as a security plan and policy. Organizations should also be alert to the importance of training and other human factors in achieving a high level of information system security. Security awareness training familiarizes users with the system’s security features and helps them understand their responsibilities and the procedures for protecting sensitive information. Security audits should be performed regularly as well.
The challenge to information security in today’s infrastructure arises from the unbounded nature of the network. To combat information exposure through networks, organizations must follow their information security policies strictly. The risk management profession can help structure and execute strategies that improve system integrity, confidentiality and availability. Preventive and detective controls, and the actions that follow from them, must be integrated into the organization’s ongoing process of minimizing risk in order to achieve business success.