Information Systems Security

Submitted By LaTaina
Hardware, software and the data that resides in and among computer systems must be protected against security threats that exploit vulnerabilities. Organizations must therefore impose appropriate controls to monitor for, deter and prevent security breaches.
Three areas have been considered, in a typical sense, as the basic critical security requirements for data protection: confidentiality is used to assure privacy; principles of integrity assure systems are changed in accordance with authorized practices; and, availability is applied to maintain proper system functions to sustain service delivery (Dhillon, 2007, p. 19).
These security requirements are represented in Figure 1, Classic Critical Security Requirements. This figure depicts the cross-domain solutions of informal controls, also known as human relationships, and formal and technical controls, which provide for organizational and physical information security controls, respectively.
Two additional security requirements have recently been added that are of particular importance to networked environments because attacks now extend far beyond traditional firewall perimeters. These are authentication, which is used to assure that a message actually comes from the source it claims to have originated from; and nonrepudiation, which can be applied to prevent an entity from denying performance of a particular action related to handling data, thereby assuring validity of content and origin.
Figure 2, Core Data Security Set, depicts the interrelationship of the five core requirements of information security. The remainder of this paper will focus on nonrepudiation, which may also be explained as a security protocol that allows an individual or organization to prove, for instance, that someone sent an email or made a web-based purchase. In other words, “one party of a transaction cannot deny having received a transaction, nor can the other party deny having sent a transaction” (Professional Development Center, 2010).
Types of Nonrepudiation Controls
Asymmetric ciphers make public keys widely available for encrypting information, but only one individual possesses the private key to decrypt or decipher that information, and vice versa. Asymmetric cryptography, invented by Diffie and Hellman in 1975, can be used to authenticate a source, for example by means of a digital signature. RSA, named for Rivest, Shamir, and Adleman, who first described this process and made it public, is an example of an asymmetric cipher algorithm. RSA uses a public key, available to everyone, for encrypting messages. RSA then applies a limited-availability private key for decryption by the end user, as represented in Figure 3 below.
Secure Socket Layer (SSL) encryption technologies also offer controls for non-repudiation to provide communications and data security over the internet. SSL uses asymmetric cryptography for privacy as well as keyed message authentication for message reliability. A Trusted Third Party (TTP) is often used for authentication in order to successfully implement non-repudiation controls. Just as a notary public will validate a signature, SSL certificates validate a user's transactions on the internet. Figure 4 below depicts two users making a data transaction across the internet.
This representation demonstrates data sent between User #1 and User #2 through the internet on a web browser such as Google Chrome or Safari. The web browser automatically encrypts the submitted data utilizing SSL encryption protocols. These encryptions must be trusted and verified, similar to how a notary public must witness the signature of a client before applying their own seal of approval. This trust comes from the Trusted Third Party service providers. As the encrypted data traverses the internet, it will travel through the TTP, which authenticates it with its own seal of approval. After the certificate checks out, the encrypted and certified data reaches its destination.
The non-repudiation controls that SSL certificates offer reside in the protocol itself. As a user encrypts the data he/she sends out, the SSL protocol will place a "personal key" on the data. This key is unique to every user. This personal key would be equivalent to someone's signature. In order to verify the signature and the SSL encryption, the TTP will verify the authenticity of the certificate. This validation is what allows the SSL certificate to establish that the sender, as opposed to anyone else, sent the information. Absent a "personal key" in the message and validation from a TTP, the message could not be traced back to a single user. In other words, information sent from User #1 could not be traced back and verified.
Potential Losses
Vulnerabilities must be understood to protect against threats to and attacks on information systems. Similarly, identifying and assessing potential losses is important. Hardware, software and the data that resides in computer systems must be secured, thereby assuring that the integrity of these key components has not been compromised and that they have not been modified in any way. This practice will help prevent vulnerabilities from being exploited (Dhillon, 2007, p. 17).
Losses for an Information System could be devastating if nonrepudiation processes were to be compromised or defeated. The customer base, for example, will lose faith in the viability of the system if it is disrupted and authenticity cannot be verified. Identity theft could occur where private and personal data could be lost or stolen. Since no security technology is absolutely foolproof, a digital signature alone may not always guarantee nonrepudiation.
Effective security is the result of the implementation of several tools, each focusing on a particular security requirement. Multiple tools should be used to prevent additional losses. Some examples include applying unique biometric information as a method of validation and verification, and securing additional information about the sender or signer; in combination, these would further harden the system.
Combined with digital signatures, such added protective features make repudiation increasingly difficult. A loss of nonrepudiation would result in the questioning of the transactions that have occurred. Nonrepudiation protocols can be applied to e-mail accounts to minimize potential losses. Application security, for example, can be provided by router filters and server operating systems.
Nonrepudiation, in this instance, will help assure mail senders and recipients are not using phishing and e-mail scams to gain access to personal information as it travels. Instituting the use of hardened passwords, as well as enforcing rigorous policies on frequent changes and restricting reuse, are measures that may be implemented to deter attacks and prevent losses.
Figure 5 below depicts the importance and interdependency of nonrepudiation, among the other critical security requirements, to electronic commerce.
Electronic commerce uses technology such as digital signatures and encryption to establish authenticity and non-repudiation. Any Information Technology security system must validate that confidentiality, integrity and availability of data is always protected with redundant layers of encryption and non-modification controls. Specific nonrepudiation measures that protect the hardware, software and system data, along with authentication methods, while relatively new in comparison to the three basic security control requirements, cannot be overlooked when designing, constructing and placing a system into production. Examples include research data, medical and insurance records, new product specifications, and corporate investment strategies. In some locations, there may be a legal obligation to protect the privacy of individuals. This is particularly true for banks and loan companies (DHS, 2008).
Example Applications – Practical Implementation of Nonrepudiation
Nonrepudiation, from a legal perspective, implies a person, party or organization’s intention to fulfill its contractual obligation, so that none of the parties involved should be capable of denying receiving or sending a transaction. Electronic commerce uses technology such as digital signatures and public key encryption, as discussed earlier, to establish non-repudiation and authenticity. Electronic commerce generally relates to trading of products or services over the Internet or a computer network. However, it is not exclusive to buying and selling products, since it includes the following online processes and properties.
The following four (4) properties must be satisfied to successfully implement nonrepudiation in any transaction:
1. Transactions and customers must be tightly bound;
2. Transactions must be difficult to forge;
3. Transactions must be unalterable; and
4. Transactions must be verifiable.
Nonrepudiation architectures that incorporate these essential properties are the Challenge Response OTP Token and the Digital Signature. The general internet architecture needs to be understood in order to better elaborate on these examples. Figure 6 represents a customer connection to a web server that implements security layers for authentication.
In this representation, the customer uses a web browser and connects to a web server of any organization using Secure Socket Layer (SSL) / Transport Layer Security (TLS) for authentication and to conduct a transaction. The web server communicates with the authentication server for user authentication and with a backend for accomplishing the transaction request.
Implementing a Challenge Response OTP Token, depicted in Figure 7, requires the customer to submit positive identification to authenticate and to sign the legal documentation that is used to establish an account with an organization. The customer then receives the OTP token, which is assigned a unique serial number to ensure a strong binding with the customer. When the customer initiates a transaction using an OTP token, an SSL session is created between the web server and the browser, after which the customer logs in by sending a login identification and password to the web server through the SSL session. The server returns a challenge, which the customer enters into the token to generate a response. The customer sends this response through the browser to the server for validation, and once this process is successfully completed, the client and server are connected.
The customer, after presenting verifiable identification and gaining access, receives a code and instructions to generate a unique public/private key pair, which is then used to obtain a digital certificate. The customer and the private key are bound together through the digital certificate, as shown in Figure 8.
This scenario shows that when a customer or client initiates a connection to an organization, an SSL session is opened between the browser and the web server, and the client is authorized to complete transactions once his or her identification and password are successfully entered and authenticated. The back end receives the transaction request, validates the signature information, and once it is successfully validated, the transaction may continue.
In closing, it must be understood there are certain variables that must be considered when applying a Challenge Response OTP Token and Digital Signature as nonrepudiation methods. These include costs, technical support, speed, latency time and others. A comparison of these important variables is provided in Figure 9.

Works Cited

Dhillon, G. (2007). Principles of Information Security Systems. John Wiley & Sons, Inc.

DHS. (2008). US CERT. Retrieved September 14, 2011, from United States Certification: http://www.us-cert.gov/control_systems/pdf/SCADA_Procurement_DHS_Final_to_Issue_08-19-08.pdf

Professional Development Center. (2010). Retrieved September 7 from http://pdc-riphah.edu.pk/site/?page_id=69
