CHAPTER 4. Information Security


CHAPTER 4:

INFORMATION SECURITY
Muhamad Khairulnizam Zaini
Senior Lecturer
Information Systems Management
UiTM Selangor
2017
LESSON OBJECTIVES:

1 Understand the definition of information security

2 Understand the key terms and concepts of information security

3 Understand the key challenges in information security

4 Understand the roles of professionals involved in information security within an organization


INTRODUCTION TO INFORMATION SECURITY

The current state… Information security? Let's have a look:
https://youtu.be/7L9JerWIT3Y
DEFINING INFORMATION SECURITY

• The activity to protect information from a wide range of threats in order to ensure business continuity, minimize business damage, and maximize return on investments and business opportunities (Hagen et al., 2008).
• Securing information through proactive management of information security risks, threats and vulnerabilities (Kritzinger & Smith, 2008).
• The prevention of, and recovery from, unauthorized or undesirable destruction, modification, disclosure, or use of information and information resources, whether accidental or intentional (Alnatheer & Nelson, 2009).
• The protection of information assets, aiming to maintain confidentiality, integrity, availability and accountability of information (Whitman and Mattord, 2011).
• The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability (NIST, 2011).
• Process that ensures that within the enterprise, information is protected against disclosure to unauthorized users (confidentiality), improper modification (integrity) and non-access when required (availability) (ISACA, 2012).
• The practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction (ISO/IEC 27001, 2013).
• A multidisciplinary area of study and professional activity which is concerned with the development and implementation of security countermeasures of all available types (technical, organizational, human-oriented and legal) in order to keep information in all its locations (within and outside the organization's perimeter) and, consequently, information systems, where information is created, processed, stored, transmitted and destructed, free from threats (Cherdantseva & Hilton, 2013).
Information security is a crucial component in the success of any organization, regardless of the environment in which the organization functions. The objective of information security is commonly to preserve an organization's information assets and the business processes they support.
INFO SECURITY or CYBERSECURITY?

Information Security - the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability (CIA).

Cyber Security - protection of cyberspace and its use against any sort of crime (related or not related to information CIA).
THE DEVELOPMENT OF INFORMATION SECURITY

All waves emphasize the importance of securing the data and information belonging to the organization, which are regarded as critical resources for businesses. The responsibility lies with the organization and its employees. By doing so, it will ensure that the confidentiality and integrity of the data and information of the company are maintained at all times for business strategic use.

THE TECHNICAL WAVE (early 80s)
Information security is characterized by a technical approach driven by the application of the mainframe environment, which allows centralized processing of business information in the organization. During this era, information security was limited to simple forms of identification and authentication for logging onto the mainframe system as the security control.

THE MANAGEMENT WAVE (early 80s - mid 90s)
In conjunction with the development of distributed computing and the personal computer, which demanded a lot of other inputs into the information security field, the information security wave was then deemed imperative. During this period, information security really got the attention of management, and this resulted in many information security managers being appointed to develop policies and procedures for tightening up security elements in organizations.

THE INSTITUTIONAL WAVE (mid 90s - mid 2000)
The growing emphasis on information security awareness, and the risk that ignorant employees can compromise information security measures, required the institutionalization of information security in an organization. This led to the institutional wave of information security in the mid-90s, which saw enormous efforts in promoting a culture and way of thinking aligned with making a secure environment to protect the valuable information resources belonging to the organization.

THE INFORMATION SECURITY GOVERNANCE WAVE (mid 2000 - now)
The latest wave started in early 2000 along with the appearance of several international best practices for good corporate governance. This wave is termed the 'Information Security Governance Wave'. In this era, techniques to measure the status and level of an organization's information security compliance became more structured, as part of governance. Apart from that, the use of computerized systems is holistic in this era.
THE GUIDING PRINCIPLES

C.I.A: Confidentiality, Integrity, Availability

We want our information to:
• Be confidential. Readable by the right people.
• Have integrity. Can be altered only by authorized people or processes.
• Be available. Accessible by authorized people only.

Our concerns:
• Authentication. Information/messages came from the person we acknowledge.
• Non-repudiation. Senders cannot deny knowledge of sending the message or performing some online activities at some later point in time.
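As an added example (not from the lecture), the following Python shows, with the standard library's HMAC, which of the properties listed above a shared-key message tag provides (integrity, authentication) and which it does not (non-repudiation). The key, message and party names are constructed for the demonstration.

```python
"""Integrity, authentication and non-repudiation on a short message,
standard library only. Assumption (constructed): the sender and receiver
share SHARED_KEY; a third party does not know it."""
import hashlib
import hmac
import secrets

# Constructed sample values, not real key material.
SHARED_KEY = b"constructed-shared-secret-for-demo"
MESSAGE = b"transfer 100 to account 42"


def tag(key: bytes, msg: bytes) -> bytes:
    """HMAC-SHA256 tag: binds the message to whoever holds the key."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def verify(key: bytes, msg: bytes, received_tag: bytes) -> bool:
    """Integrity + authentication check; compare_digest avoids timing leaks."""
    return hmac.compare_digest(tag(key, msg), received_tag)


def integrity_demo() -> dict:
    """Exercise each property and report which ones the tag delivers."""
    t = tag(SHARED_KEY, MESSAGE)
    results = {}
    # Integrity: an altered message no longer matches the original tag.
    altered = MESSAGE.replace(b"100", b"900")
    results["tampered_detected"] = not verify(SHARED_KEY, altered, t)
    # Authentication: a party without the key cannot produce a valid tag.
    forged = tag(secrets.token_bytes(32), MESSAGE)  # outsider's random key
    results["forgery_rejected"] = not verify(SHARED_KEY, MESSAGE, forged)
    # A genuine message from a key holder verifies.
    results["genuine_accepted"] = verify(SHARED_KEY, MESSAGE, t)
    # Non-repudiation is NOT provided: the receiver holds the same key and
    # can compute an identical tag, so a third party cannot tell sender from
    # receiver. That needs an asymmetric signature with a private key only
    # the sender holds, which the standard library does not offer.
    receiver_made = tag(SHARED_KEY, MESSAGE)
    results["receiver_can_forge_same_tag"] = receiver_made == t
    return results


if __name__ == "__main__":
    for name, value in integrity_demo().items():
        print(f"{name}: {value}")
```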
INFOSEC, in broad

The act of protecting the confidentiality, integrity and availability of information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction, regardless of the form of the information (electronic, printed, cloud, etc.).
INFORMATION SECURITY DOMAINS

People – "The Human Factor"
The human factor has to be addressed at two key levels:
• Non-technical staff must have up-to-date awareness of their role in preventing and reducing threats.
• Technical staff must have broad, up-to-date information security skills, competency and qualifications.

Process
A structured set of activities designed to accomplish a specific objective, i.e. procedures, work instructions, metrics, roles, improvements.

Technology
Technology is a key element in achieving effective information security for any organization.

Good Information Security Practice sits where People, Process and Technology meet.

…security is far more than investing in hardware and software. First and foremost, security is a business issue. This means that top management is accountable for ensuring that its organisation's security strategy meets business objectives and is adopted as a strategic risk. Discussions of security risk at board level should include identifying which risks to avoid, accept, mitigate or transfer (such as through information insurance), as well as reviewing specific plans associated with each approach.

The three fundamental domains of an effective cyber security strategy are: people, processes and technology.
Source: www.itgovernance.co.uk
Information Security Challenges

• Discuss how People, Process and Technology could become challenges for information security.
• 3 groups, 20 minutes of discussion and a 10 minute presentation.
  • Group 1 – People as challenge
  • Group 2 – Technology as challenge
  • Group 3 – Process as challenge
INFORMATION SECURITY PROFESSIONALS

Information Security professionals
• Information Security professionals must develop breadth and depth of knowledge throughout the information security domain (e.g. in physical security, business continuity and legal matters).
• Information Security Professionals are defined as:
  • Information security practitioners who conform with the requirements of the Information Security Professional Guideline; and
  • Information security practitioners with specific roles and responsibilities in Information Security Operation, Information Security Compliance and Information Security Audit.

Cybersecurity Malaysia (CSM)
http://www.cybersecurity.my/data/content_files/11/1159.pdf?.diff=1373447691
Information Security professionals
• Information Security Professional comprises the following 3 roles:

1. Chief Information Security Officer (CISO).
  • The role of a CISO is to define Information Security strategic direction, develop and maintain policies and establish roles and responsibilities for Information Security within the organisation.
  • The Chief Information Security Officer may report to either the Chief Executive Officer (CEO), Chief Operating Officer (COO), Chief Technology Officer (CTO) or Chief Information Officer (CIO) of an organisation, subject to the organisation structure.
http://www.cybersecurity.my
Information Security professionals

2. Information Security Operations.
The role of an Information Security Professional performing Information Security Operations is to:
  1. Manage and implement appropriate access rights to applications, systems, databases and network
  2. Implement and maintain network security
  3. Perform incident management
  4. Ensure that the relevant Information Security controls are implemented and embedded in the respective departments performing daily operations

http://www.cybersecurity.my
Information Security professionals

3. Information Security Audit & Information Security Compliance.
In smaller agencies / organisations these two functions may be combined. Essentially their role is to monitor compliance by the staff of the agency / organisation with the Information Security policies, standards, and procedures.
  • An Information Security Professional with the role of audit or compliance shall be independent from day-to-day Information Security Operations.

http://www.cybersecurity.my
Information Security professionals

Information Security Professional Requirements
(Figure: Information Security Professional Requirements. Source: Cybersecurity Malaysia, 2013)

Some profession challenges: Skills shortage
(Figure: skills shortage survey results.)
Source: http://research.esg-global.com/reportaction/tect0312201501/TOC
Source: https://cybersec.isaca.org
Summary
In this chapter you learned how to:
• Define information security.
• Describe the key terms and concepts of information security.
• Discuss the key challenges in information security.
• Explain the roles of professionals involved in information security within an organization.
CHAPTER 5: THE
IMPORTANCE OF
INFORMATION SECURITY
IN ORGANIZATIONS
Muhamad Khairulnizam Zaini
Senior Lecturer
Information Systems Management
UiTM Selangor
2017
LESSON OBJECTIVES:

1 Understand the importance of information security to organizations

2 Understand the meaning of threats and vulnerabilities

3 Understand the business impacts of realized threats


THE IMPORTANCE
OF INFORMATION
SECURITY
The Importance of Information Security for Business

• ..necessity in sustaining an organization's business operations. (Thompson et al., 2006)
• ..maintains the competitive advantage, improves public image, increases innovation and protects the enterprise's assets. (Parker, 1997; Anttila et al., 2004; COBIT 5)
• ...ensuring business continuity by reducing business risks. (Kruger et al., 2010)
• …ensures a high quality of service of information infrastructures and technologies, which support and complement the business goal of an organization. (Lane, 2007)
• …ensures that technological assets are safely accounted for and protected. (Whitman and Mattord, 2011)
• ...ensures alignment of information security with business strategies and objectives, value delivery and accountability, and expands business opportunities. (ISO 27001:2013; Vasiu et al., 2003)
Discussions..
• Protects profit and regulation
• Prevents data theft
• Information & computer crimes have escalated
• Protects intellectual property
• Maintains productivity
• Foils cyber terrorism
THE VULNERABILITY
& THREATS
Source: https://heimdalsecurity.com
OVERVIEW: VULNERABILITIES & THREATS

A vulnerability refers to a known weakness of an asset (resource) that can be exploited by one or more attackers. In other words, it is a known issue that allows an attack to be successful. For example, when a team member resigns and you forget to disable their access to external accounts, change logins or remove their names from company credit cards, this leaves your business open to both intentional and unintentional threats.

A threat refers to a new or newly discovered incident with the potential to do harm to a system or your overall organization. There are three main types of threats: natural threats (e.g., floods or a tornado), unintentional threats (such as an employee mistakenly accessing the wrong information) and intentional threats.

Intentional threats? Source: www.bcm.com
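The leaver scenario described above (a resigned team member whose external accounts, logins or company cards were never revoked) can be caught by reconciling the HR leaver list against an inventory of externally held access. The Python below is an added example, not from the lecture or from bcm.com; the records and field names are constructed for the demonstration.

```python
"""Find access still open for people who have left. Records and field names
are constructed for this example, not a real HR or IAM export format."""
from datetime import date

# Constructed HR feed: who has left and when (None = still employed).
EMPLOYEES = [
    {"id": "e1", "name": "A. Rahman", "left_on": None},
    {"id": "e2", "name": "B. Tan", "left_on": date(2017, 3, 31)},
    {"id": "e3", "name": "C. Lee", "left_on": date(2017, 6, 15)},
]

# Constructed inventory of externally held access tied to employees.
ACCESS = [
    {"owner": "e1", "kind": "saas_login", "ref": "crm", "active": True},
    {"owner": "e2", "kind": "saas_login", "ref": "crm", "active": True},
    {"owner": "e2", "kind": "credit_card", "ref": "card-1", "active": False},
    {"owner": "e3", "kind": "credit_card", "ref": "card-2", "active": True},
    {"owner": "e3", "kind": "shared_pw", "ref": "social-media", "active": True},
]


def orphaned_access(employees, access, today, grace_days=0):
    """Return active access items whose owner left more than grace_days ago.

    Each finding names the person, what is still open and for how long, so it
    can be turned straight into a revocation ticket; worst cases come first.
    """
    left = {e["id"]: e for e in employees if e["left_on"] is not None}
    findings = []
    for item in access:
        emp = left.get(item["owner"])
        if emp is None or not item["active"]:
            continue  # current employee, or access already revoked
        days_open = (today - emp["left_on"]).days
        if days_open > grace_days:
            findings.append({
                "name": emp["name"],
                "kind": item["kind"],
                "ref": item["ref"],
                "days_open": days_open,
            })
    return sorted(findings, key=lambda f: -f["days_open"])


def run(today_iso="2017-07-01", grace_days=0):
    """Convenience wrapper over the constructed data for a given review date."""
    return orphaned_access(EMPLOYEES, ACCESS, date.fromisoformat(today_iso),
                           grace_days)


if __name__ == "__main__":
    for f in run():
        print(f"{f['name']}: {f['kind']} {f['ref']} still open "
              f"{f['days_open']} days after leaving")
```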


Intentional (deliberate) threats
• Computer crimes are the best examples of intentional threats, or when someone purposely damages property or information. Computer crimes include espionage, identity theft, child pornography, and credit card crime.
https://www.cerias.purdue.edu/assets/pdf/k12/infosec_newsletters/03threats.pdf

• Intentional threats include spyware, malware and adware companies, or the actions of a disgruntled employee. In addition, worms and viruses are also categorized as threats, because they could potentially cause harm to your organization through exposure to an automated attack, as opposed to one perpetrated by humans.
Sources of threats
• Acts of human error/failure: accidents, employee mistakes
• Compromises to intellectual property: piracy, copyright infringements
• Deliberate acts of trespass: unauthorized access, data collection
• Deliberate acts of information extortion: blackmail, information disclosure
• Deliberate acts of sabotage or vandalism: destruction of system or information
• Deliberate acts of theft: illegal removal of equipment or information
• Deliberate software attack: viruses, denial of service
• Forces of nature: unauthorized access, data collection
• Deviations in quality of services: power, LAN, WAN, service issues from service providers
• Technical hardware failure: equipment failure
• Technical software failure: bugs, code loopholes etc.
• Technological obsolescence: uselessness of technology, outdated tech
Sources of threats
Malicious Threats: Insiders
The most common threat

Information security breaches are now a burning issue.

"14% of all data breaches linked to insiders"
source: The Verizon 2013 Data Breach Investigation Report

Among 874 incidents, as reported by companies to the Ponemon Institute for its recent 2016 Cost of Data Breach Study, 568 were caused by employee or contractor negligence; 85 by outsiders using stolen credentials; and 191 by malicious employees and criminals.
Some real-life examples..
Alphabet, Google's parent company, recently filed a lawsuit against its former engineer Anthony Levandowski, who is now working with Uber. The company accused Levandowski of copying more than 14,000 internal files and taking them directly to his new employer.
source: https://www.tripwire.com

Anthony Levandowski was a high profile engineer at Waymo, a subsidiary of Alphabet (formerly known as Google). His role there was to push forward the development of self-driving cars.

In December 2015, he downloaded 9.7 GB of company files onto his computer so he could "work from home". But in January 2016 he left Waymo to join Uber's own self-driving car division.

We cannot know for sure whether Levandowski used the files to help Uber in their own project, but the situation was ostentatious enough that Waymo sued Uber and asked for a halt in their self-driving car trials until further notice.

If the allegations are true, the damage caused to Waymo, and Google for that matter, could far exceed the damage caused by an external hacking. Years of hard work and investment were practically handed over on a silver platter to a major competitor.
source: https://heimdalsecurity.com/

Further insider threat case studies:
http://www.cdse.edu/documents/toolkits-insider/Robert-Mo-Insider-Threat-Case-Study.pdf
http://www.cdse.edu/documents/cdse/CDSE-Insider-Threat-Case-Study-Yuan-Li.pdf
Security Vulnerability
• A vulnerability is a weakness which allows an attacker to reduce a system's information assurance.
• Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw ("The Three Tenets of Cyber Security". U.S. Air Force Software Protection Initiative. Retrieved 2009-12-15).
• A vulnerability refers to a known weakness of an asset (resource) that can be exploited by one or more attackers. In other words, it is a known issue that allows an attack to be successful.
Vulnerability assessment
• Benefits of a Vulnerability Assessment & Cyber Security Assessment. The goal is to limit exposure and attack surfaces to make compromising and exploitation of network vulnerabilities more difficult.
  • Identify and safely exploit vulnerabilities on network devices, operating systems, desktop applications, Web applications, databases, and more.
  • Detect and repair potential weaknesses in your network before they can be exploited by cyber criminals.
  • Understand and enhance the current state of your cyber security posture and level of risk.
  • Test your policy agreement and your organization's ability to identify and respond to security threats.
  • Determine the adequacy of employee security awareness as a baseline for skill acquisition and reinforcement of human defences.
  • Demonstrate compliance with current government and industry regulations such as PCI-DSS, FFIEC, GLBA, and HIPAA/HITECH.
  • Manage resources more efficiently by focusing attention and resources where needed.

Source: http://www.infosightinc.com/solutions/advisory-services/vulnerability-assessment.php
Impact of Security Risks and Threats

Viruses, worms, and Trojan horses can corrupt data on a user's computer, infect other computers, weaken computer security, or provide back doors into protected networked computers. Viruses can corrupt digital content on a user's computer; spyware, adware, and other forms of security risk also represent a significant problem to businesses, their users, and the company networks.

All types of threat and security risk can seriously impair business operations, network use, and computer performance while performing many tasks unknown to the user of an infected computer.
Some research examples..

Zafar et al., 2012
  Study objectives/context: To investigate the financial impact of publicly announced information security breaches on breached firms and their non-breached competitors.
  Threats/risks: e-business/e-commerce utilization for businesses.
  Business impacts: Unwanted access to internal information; data loss; competitive disadvantages.

Akram, 2013
  Study objectives/context: To theorize and empirically measure the effects of information disclosure on the accuracy of business decision-making at various organizations.
  Threats/risks: Attacks or threats to information assets can result in inadequate decisions, which consequently affect the entire structure of the organization; insecure information assets.
  Business impacts: Information security has a substantial effect on generating accurate, effective and efficient business decisions.

Mani et al., 2014
  Study objectives/context: To contribute to a better understanding of the information security threats, awareness, and risk management standards currently employed by the real estate sector in South Australia.
  Threats/risks: Physical breaches (e.g. due to stolen data storage devices such as smart mobile devices and computers) and non-physical breaches (e.g. due to computer or network intrusions) on real estate information.
  Business impacts: An employee misusing work-related data for personal gain will impact competitive advantages.

Telstra, 2014
  Study objectives/context: To understand the security market dynamics, particularly the drivers, restraints and adoption trends facing Australian organizations.
  Threats/risks: Technology becomes more important to business every day. But the technologies that currently make the biggest difference, like Cloud Computing, Big Data and Mobility, also increase your exposure to security incidents.
  Business impacts: Critical infrastructure, business continuity and IT & business processes were the most severely affected by security incidents in organizations during the past three years.

Gallagher et al., 2016
  Study objectives/context: To establish a measure of the impact of security breaches and to assess differences in the impact experienced across organizations of different sizes, different industries, and the degree to which they are centralized or decentralized.
  Threats/risks: Security breach through IT systems.
  Business impacts: Disruption to operations.

Telstra, 2016
  Study objectives/context: To understand the security market dynamics, particularly the drivers, restraints and adoption trends facing Australian and Asian organizations.
  Threats/risks: Connectivity and technology provide great benefits to our society and the economy today, and the full potential to touch and benefit us all is yet to be fully realized. However, with this benefit comes some risk, and as more of the world embraces technology and connectivity, the risk increases and organizations need to be able to manage this risk.
  Business impacts: Security incidents resulted in productivity loss, disruption of business operations, critical infrastructure breakdown, reputational loss, loss of sensitive data and financial loss.
Summary
In this chapter you learned how to:
• Describe the importance of information security to organizations.
• Explain the terms vulnerability and threat.
• Discuss the impacts of security risks and threats to organizations.
