Approaches To Information Security Implementation


Information Assurance and Security 1

CHAPTER I - INTRODUCTION TO INFORMATION SECURITY

Overview:

Objective:
At the end of the lesson, the students should be able to:
• Identify the different approaches to Information Security implementation
• Explain the information security mechanism
• Explain disaster recovery

Approaches to Information Security Implementation

To keep data safe from potential violations and cyber-attacks, implementing the security model
is an important phase that must be carried out. A security model can be designed using one of two
methods:

1. Bottom-Up Approach:

The company’s security model is applied by system administrators or people who are working in
network security or as cyber-engineers. The main idea behind this approach is for individuals
working in this field of information systems to use their knowledge and experience in cyber security
to guarantee the design of a highly secure information security model.

This is a method of establishing security policies and/or practices that begins as a grassroots effort in
which systems administrators attempt to improve the security of their systems.

• Key advantage –
An individual's technical expertise in their field ensures that every system vulnerability is
addressed and that the security model is able to counter any potential threat.

• Disadvantage –
Due to the lack of cooperation between senior managers and relevant directives, it is often not
suited to the requirements and strategies of the organization.

2. Top-Down Approach:

This type of approach is initiated by the executives of the organization. It is a
methodology of establishing security policies and/or practices that is initiated by upper
management. Upper management:

• formulates policies and outlines the procedures to be followed;
• determines the project's priorities and expected results;
• determines liability for every action needed.

This approach is more likely to succeed. It usually has strong support from top management, which
commits resources, provides a consistent preparation and execution mechanism, and has the
opportunity to affect corporate culture.


Security management issues have been handled by organizations in various ways. Traditionally,
companies adopted a bottom-up approach, where the process is initiated by operational
employees and their results are subsequently propagated to upper management as proposed
policies. Since management has no information about the threat, its effects, the resources
required, the possible returns and the security method, this approach has occasionally collapsed
suddenly.

By contrast, the top-down approach reverses this view of the whole issue and is far more successful.
Management understands the gravity of the problem and starts the process; input is subsequently
collected systematically from cyber engineers and operating personnel.

Difference between Cyber Security and Information Security

The terms Cyber Security and Information Security are often used interchangeably. Both are
responsible for securing and protecting the computer system from threats and information
breaches, and the two are so closely linked that they may seem synonymous; unfortunately, they
are often used synonymously.

Data security, in turn, is all about securing data from malicious users and threats.

Examples and inclusions of Cyber Security are as follows:

• Network Security
• Application Security
• Cloud Security
• Critical Infrastructure

Examples and inclusions of Information Security are as follows:

• Procedural Controls
• Access Controls
• Technical Controls
• Compliance Controls

Parameters: Cyber Security vs. Information Security

Value
  Cyber Security: Protecting the company's sensitive data from unauthorized electronic access.
  Information Security: Protecting your company's data from unauthorized access of any sort.

Basic Definition
  Cyber Security: It is the practice of protecting the data from outside the resource on the
  internet.
  Information Security: It is all about protecting information from unauthorized users, access, and
  data modification or removal in order to provide confidentiality, integrity, and availability.

Protect
  Cyber Security: It is about the ability to protect the use of cyberspace from cyber attacks.
  Information Security: It deals with the protection of data from any form of threat.

Scope
  Cyber Security: Cybersecurity protects anything in the cyber realm.
  Information Security: Information security is for information irrespective of the realm.

Threat
  Cyber Security: Cybersecurity deals with the danger in cyberspace.
  Information Security: Information security deals with the protection of data from any form of
  threat.

Attacks
  Cyber Security: Cybersecurity strikes against cyber crimes, cyber frauds, and law enforcement.
  Information Security: Information security strikes against unauthorized access, disclosure,
  modification, and disruption.

Professionals
  Cyber Security: Cyber security professionals deal with the prevention of active threats or
  Advanced Persistent Threats (APT).
  Information Security: Information security professionals are the foundation of data security,
  and the security professionals associated with it are responsible for policies, processes, and
  organizational roles and responsibilities that assure confidentiality, integrity, and
  availability.

Deals with
  Cyber Security: It deals with threats that may or may not exist in the cyber realm, such as
  protecting your social media account, personal information, etc.
  Information Security: It deals with information assets and integrity, confidentiality, and
  availability.

Defense
  Cyber Security: Acts as the first line of defense.
  Information Security: Comes into play when security is breached.

The commonly accepted aspects of security are as follows:

• Identification and authentication
Identification is the ability to uniquely identify a user of a system or an application that is
running in the system. Authentication is the ability to prove that a user or application is
genuinely who that person or what that application claims to be.
• Authorization
Authorization protects critical resources in a system by limiting access only to authorized
users and their applications. It prevents the unauthorized use of a resource or the use of a
resource in an unauthorized manner.
• Auditing
Auditing is the process of recording and checking events to detect whether any unexpected or
unauthorized activity has taken place, or whether any attempt has been made to perform
such activity.
• Confidentiality
The confidentiality service protects sensitive information from unauthorized disclosure.
• Data integrity
The data integrity service detects whether there has been unauthorized modification of data.
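The aspects above in working form, as an added example that is not part of the original handout: a constructed user store, a check that identifies and authenticates a user, authorizes the request, and audits every attempt (denials included), plus a keyed MAC that detects unauthorized modification of a record. The user names, passwords and key are hypothetical.

```python
import hashlib, hmac, json, os
from datetime import datetime, timezone

# Hypothetical key for the integrity seal; in practice it comes from a key store, not source code.
INTEGRITY_KEY = b"constructed-example-key"
AUDIT_LOG = []  # auditing: every access attempt is recorded, whether allowed or denied

def _derive(password: str, salt: bytes) -> bytes:
    # Slow salted hash so a stolen credential store is not trivially reversible.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user(password: str, perms):
    salt = os.urandom(16)
    return {"salt": salt, "hash": _derive(password, salt), "perms": set(perms)}

# Constructed sample store: identity -> credential material and authorized permissions.
USERS = {
    "alice": make_user("correct horse battery", {"read:payroll"}),
    "bob": make_user("hunter2", set()),
}

def authenticate(user_id: str, password: str) -> bool:
    """Identification (user_id names the principal) plus authentication (proof of a secret)."""
    rec = USERS.get(user_id)
    if rec is None:
        return False
    return hmac.compare_digest(_derive(password, rec["salt"]), rec["hash"])

def access(user_id: str, password: str, permission: str) -> bool:
    """Identify, authenticate, authorize, then audit the outcome of the attempt."""
    if not authenticate(user_id, password):
        outcome = "denied:authentication"
    elif permission not in USERS[user_id]["perms"]:
        outcome = "denied:authorization"  # genuine user, but not authorized for this resource
    else:
        outcome = "allowed"
    AUDIT_LOG.append({"ts": datetime.now(timezone.utc).isoformat(),
                      "user": user_id, "perm": permission, "outcome": outcome})
    return outcome == "allowed"

def seal(record: dict) -> str:
    """Data integrity: keyed MAC over the canonical JSON form of a record."""
    canon = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(INTEGRITY_KEY, canon, hashlib.sha256).hexdigest()

def verify(record: dict, tag: str) -> bool:
    """Returns False if the record was modified after it was sealed."""
    return hmac.compare_digest(seal(record), tag)
```

Confidentiality is the one aspect not shown here; it would be provided by encrypting the record, which this block leaves in the clear.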

Disaster Recovery

Disaster recovery applies after a disaster.

An event can be categorized as a disaster when an organization is unable to mitigate the impact of an
incident while it is occurring and the level of damage or destruction is so severe that the organization
is unable to recover quickly. The difference between an incident and a disaster may be subtle; the
contingency planning team must make the distinction between the two, which may not be possible
until an attack occurs. Often an event that is initially classified as an incident is later determined to be
a disaster. When this happens, the organization must change its response and secure its most
valuable assets to preserve their value for the long term, even at the risk of more short-term
disruption.

Disaster recovery (DR) planning is the process of preparing an organization to handle a disaster and
recover from it, whether the disaster is natural or man-made. The key emphasis of a DR plan is to
reestablish operations at the primary site, the location at which the organization performs its business.
The goal of the plan is to make things whole, or as they were before the disaster.

The Disaster Recovery Plan

The DR plan provides detailed guidance in the event of a disaster. It is organized by the type or
nature of the disaster, and it specifies recovery procedures during and after each type of disaster. It
also provides details about the roles and responsibilities of the people involved in the DR effort, and it
identifies the personnel and agencies that must be notified. The DR plan must be tested using the
same testing mechanisms. At a minimum, the DR plan must be reviewed periodically during a
walk-through or talk-through. The DR group consists of a planning team and a response team.

Many of the same precepts of incident response apply to disaster recovery:

• Priorities must be clearly established. The first priority is always the preservation of human life. The
protection of data and systems immediately falls to the wayside if the disaster threatens the lives,
health, or welfare of the organization’s employees or community. Only after all employees and
neighbors have been safeguarded can the disaster recovery team attend to protecting other assets.

• Roles and responsibilities must be clearly delineated. All members of the DR response team should
be aware of their expected actions during a disaster. Some people are responsible for coordinating
with local authorities, such as fire, police, and medical staff. Others are responsible for the evacuation
of personnel, if required. Still others are tasked simply to pack up and leave.

• Someone must initiate the alert roster and notify key personnel, including the fire, police, or medical
authorities mentioned earlier, as well as insurance agencies, disaster teams like the Red Cross, and
management teams.

• Someone must be tasked with documenting the disaster. As with an IR reaction, someone must
begin recording what happened to serve as a basis for later determining why and how the event
occurred.

• If possible, attempts must be made to mitigate the impact of the disaster on the organization’s
operations. If everyone is safe and all needed authorities have been notified, some employees can be
tasked with the evacuation of physical assets. Some can be responsible for making sure all systems
are securely shut down to prevent further loss of data.
