ISEC-210 UNIT 01 - Introduction To Information Security


Malawi University of Science and Technology

Malawi Institute of Technology

Information Security

ISEC-210

Module Compiler
Allan Nila Chongwe – MSc. Computer Science, BSc. Information Technology

ISEC-210 Module Guide – A.N. Chongwe Page | 1


Copyright

This material is a property of the Malawi University of Science and Technology


This material is not to be sold.

2021

All rights are reserved. No part of this publication may be reproduced, stored in a
retrieval system or transmitted in any form or by any means, electronic or
mechanical, including photocopying, recording or otherwise without copyright
clearance from Malawi University of Science and Technology.

Malawi University of Science and Technology,


P.O. Box 5196,
Limbe,
Malawi.
Tel: (265) 1 478 000
Fax: (265) 1 478 220
Email: registrar@must.ac.mw
Website: www.must.ac.mw

Unit 1
Introduction to Information Security

1.0 Introduction

Welcome to Unit 1. This Unit gives a brief introduction to information
security. We will look at what information security is, how it relates to
cyber security and its importance to organisations and people. We will
also look at the CIA triad, the critical characteristics of information and
conclude with a look at the McCumber Cube.

1.1 Intended Learning Outcomes

By the end of this unit, you should be able to:


a. Define information security.
b. Compare and contrast information security and cyber security.
c. Explain why information security is important for organizations.
d. Explain critical characteristics of information.
e. Explain the C.I.A. triad.
f. Describe the CNSS security model.

1.2 Key Terms

During the course of this unit, you will find the following key words or
phrases. Watch out for these and make sure that you understand what
they mean.

 Information
 Cyber security
 Integrity
 Authenticity
 Confidentiality
 Availability

1.3 What is Information Security?

In general, security is the state or quality of being secure from adversaries,
i.e. those who would do harm, intentionally or otherwise. Achieving
the appropriate level of security for an organization requires a
multifaceted approach. A successful organization should have multiple
layers of security in place to protect its operations, physical
infrastructure, people, communications, and information.

Information security, on the other hand, can be defined as the
protection of information and its critical elements, including the systems
and hardware that use, store, and transmit the information. It may refer
to the processes and methodologies designed and implemented in order
to preserve the confidentiality, integrity and availability of the
information via the application of policy, education, training and
awareness, and technology. Information is processed data, and
information security includes the broad areas of information security
management, data security, and network security.

1.3.1 Information security vs computer security (cyber security)

The terms ‘information security’ and ‘cyber security’ are different,
although some people, wrongly, use them interchangeably. Information
security ensures that both physical (non-digital) and digital data is
protected from unauthorized access, use, disclosure, disruption,
modification, inspection, recording or destruction. Information security
differs from computer security (cyber security) in that information
security aims to keep data or information safe in any form, not only in
electronic format. For example, securing a paper document is an
information security responsibility, while if the document is scanned and
transferred to a digital file, the security of this digital file is a cyber
security responsibility.

Cyber security is a subset of information security and is the practice of
defending an organization's networks, computers and data from
unauthorized digital access, attack or damage by implementing various
processes, technologies and practices. Cyber security concentrates on
protecting data in digital form in what is called cyberspace. Cyber
security does not focus on the implementation and configuration of
network devices but concentrates more on cyber attacks and how they
can be detected and defended against. Network security is therefore a
subset of cyber security; it aims to protect any data that is being
sent through devices in a network to ensure that the information is not
changed or intercepted.

1.4 Importance of Information Security

A good number of people have no idea about the importance of
information security for their companies and themselves. A lot of
managers have the misconception that their information is completely
secure and free from any threats. This is a big mistake! Data, whether in
digital or non-digital form, is a critical resource for organizations and
enterprises such as banks, hospitals, governments and universities, and
securing this critical resource is in the best interest of these organizations.
Data is arguably one of the most important assets in an organisation.
Without data, an organization loses its record of transactions and its
ability to deliver value to customers. Any business, academic institution,
or government agency that operates within the modern context of
connected and responsive services relies on information systems. Even
when transactions are not online, information systems and the data they
process enable the creation and movement of goods and services.
Therefore, information security is a critical aspect of any serious
organisation. The value of data motivates attackers to steal, sabotage,
or corrupt it. An effective information security program implemented
by management protects the integrity and value of the organization's
data. Organizations store much of the data they deem critical in
databases, managed by specialized data management software known
as a database management system (DBMS).

Information security performs four important functions to ensure that
information assets remain safe and useful:

1. Protecting the organization's ability to function.
2. Enabling the safe operation of applications implemented on the
organization's IT systems.
3. Protecting the data an organization collects and uses.
4. Safeguarding the organization's technology assets.

1.5 Critical characteristics of information

The value of information comes from the characteristics it possesses.
When a characteristic of information changes, the value of that
information either increases or, more commonly, decreases. Some
characteristics affect information's value to users more than others,
depending on circumstances.

1. Availability – Availability enables authorized users to access
information without interference or obstruction and to receive it
in the required format.
2. Accuracy – Information has accuracy when it is free from mistakes
or errors and has the value that the end user expects. If
information has been intentionally or unintentionally modified, it
is no longer accurate.
3. Authenticity – Authenticity of information is the quality or state
of being genuine or original, rather than a reproduction or
fabrication. Information is authentic when it is in the same state
in which it was created, placed, stored, or transferred. This is not
always the case. E-mail spoofing, the act of sending an e-mail
message with a modified field, is a problem for many people
today because the modified field often is the address of the
originator. Spoofing the sender's address can fool e-mail recipients
into thinking that the messages are legitimate traffic, thus inducing
them to open e-mail they otherwise might not have.
4. Confidentiality – Information has confidentiality when it is
protected from disclosure or exposure to unauthorized
individuals or systems. Confidentiality ensures that only users with
the rights, privileges, and need to access information are able to
do so. When unauthorized individuals or systems view
information, its confidentiality is breached. To protect the
confidentiality of information, one can use several measures,
including the following:
 Information classification
 Secure document storage
 Application of general security policies
 Education of information custodians and end users

Confidentiality, like most characteristics of information, is
interdependent with other characteristics and is closely related to
the characteristic known as privacy. The value of confidentiality
is especially high for personal information about employees,
customers, or patients. People who transact with an organization
expect that their personal information will remain confidential,
whether the organization is a government or a private one.
5. Integrity – Information has integrity when it is whole, complete,
and uncorrupted. The integrity of information is threatened when
it is exposed to corruption, destruction, or other disruption of its
authentic state. Corruption can occur while information is being
stored or transmitted. Many computer viruses and worms are
designed with the explicit purpose of corrupting data.
6. Utility – The utility of information is the quality or state of having
value for some purpose or end. In other words, information has
value when it can serve a purpose. If information is available but
is not in a meaningful format to the end user, it is not useful.
7. Possession – The possession of information is the quality or state
of ownership or control. Information is said to be in one's
possession if one obtains it, independent of format or other
characteristics. While a breach of confidentiality always results in
a breach of possession, a breach of possession does not always
lead to a breach of confidentiality. For example, assume a
company stores its critical customer data using an encrypted file
system. An employee who has quit decides to take a copy of the
tape backups and sell the customer records to the competition.
The removal of the tapes from their secure environment is a
breach of possession. But, because the data is encrypted, neither
the former employee nor anyone else can read it without the
proper decryption methods; therefore, there is no breach of
confidentiality.
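The tape-backup scenario in item 7 can be reproduced in code. The following Go program is an added example written for this unit, not code from the module or its references. It stands in for the "encrypted file system" with AES-256-GCM from Go's standard library, uses constructed sample customer records, and keeps the key apart from the tape. A copy of the tape that leaves without the key yields no plaintext (possession breached, confidentiality not), and because GCM is an authenticated cipher the same check also rejects a tape that was corrupted in storage, which ties the example back to the integrity characteristic in item 5.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed sample data standing in for the customer records on the tape.
const customerRecords = "cust-001,Jane Doe,jane@example.com\ncust-002,John Banda,john@example.com\n"

// randomBytes draws n bytes from the OS CSPRNG for keys and nonces; a failing
// CSPRNG is unrecoverable for this program, so it panics rather than continuing.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// newGCM wraps a 256-bit key in AES-GCM, an authenticated cipher: it hides the
// plaintext and detects any change to the ciphertext.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts the records and returns nonce || ciphertext || tag, the bytes
// that would be written to the backup tape.
func Seal(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Unseal reverses Seal. It fails both when the key is wrong and when the
// stored bytes were altered, because the GCM tag no longer verifies.
func Unseal(key, sealed []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("sealed data too short")
	}
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], nil)
}

// Outcome records what the scenarios showed.
type Outcome struct {
	PossessionBreached      bool // a copy of the tape left its secure environment
	ConfidentialityBreached bool // someone without the key recovered the records
	IntegrityIntact         bool // the owner restores the records unchanged
	TamperingDetected       bool // a corrupted tape is rejected on restore (item 5)
}

// RunScenarios seals the records with a key that stays with the organisation,
// lets a copy of the tape leave without the key, and finally corrupts one byte
// of the tape in storage.
func RunScenarios() (Outcome, error) {
	key := randomBytes(32)
	tape, err := Seal(key, []byte(customerRecords))
	if err != nil {
		return Outcome{}, err
	}
	// The copy that left the building: its holder has the bytes but not the
	// key, so whatever key they supply is a different one and GCM rejects it.
	stolenCopy := append([]byte(nil), tape...)
	_, openErr := Unseal(randomBytes(32), stolenCopy)

	// The organisation, holding the real key, restores the records unchanged.
	restored, restoreErr := Unseal(key, tape)

	// A single flipped byte in storage fails the GCM tag check on restore.
	tape[len(tape)/2] ^= 0x01
	_, tamperErr := Unseal(key, tape)

	return Outcome{
		PossessionBreached:      true,
		ConfidentialityBreached: openErr == nil,
		IntegrityIntact:         restoreErr == nil && string(restored) == customerRecords,
		TamperingDetected:       tamperErr != nil,
	}, nil
}

func main() {
	o, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```

The design point is that "encrypted" on its own only buys confidentiality; choosing an authenticated mode such as GCM is what lets the restore step also notice corruption, so one control covers two of the characteristics listed above.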

1.6 The CIA Triad

Confidentiality, integrity and availability, commonly referred to as the
C.I.A. triad (Figure 1.1), has been the standard for computer security in
both industry and government since the development of the mainframe.
This standard is based on the three characteristics of information that
give it value to organizations: confidentiality, integrity, and availability.
The security of these three characteristics is as important today as it has
always been, but the C.I.A. triad model is generally viewed as no longer
adequate in addressing the constantly changing environment. The
threats to the confidentiality, integrity, and availability of information
have evolved into a vast collection of events, including accidental or
intentional damage, destruction, theft, unintended or unauthorized
modification, or other misuse from human or nonhuman threats. This
vast array of constantly evolving threats has prompted the development
of a more robust model that addresses the complexities of the current
information security environment.

Figure 1.1 – The CIA triad.

1.7 The CNSS Model

In 1991, John McCumber created the Committee on National
Security Systems (CNSS) model, a framework for establishing and
evaluating information security programs that is now known as the
McCumber Cube. This security model is depicted as a three-dimensional
Rubik's Cube-like grid. It provides a graphical representation of the
architectural approach widely used in computer and information
security. To develop a secure system, one must consider not only the
key security goals (CIA) but also how these goals relate to the various
states in which information resides and the full range of available
security measures.

Figure 1.3 – The McCumber Cube.

As shown in Figure 1.3, the McCumber Cube shows three dimensions.
When extrapolated, the three dimensions of each axis become a 3x3x3
cube with 27 cells representing areas that must be addressed to secure
today's information systems. To ensure comprehensive system security,
each of the 27 areas must be properly addressed during the security
process. For example, the intersection of technology, integrity, and
storage requires a set of controls or safeguards that address the need to
use technology to protect the integrity of information while in storage.
One such control might be a system for detecting host intrusion that
protects the integrity of information by alerting security administrators
to the potential modification of a critical file. A common omission from
such a model is the need for guidelines and policies that provide
direction for the practices and implementations of technologies.
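The 27 cells can be modelled directly, which turns the "common omission" described above into something a security team can check. The following Go program is an added example, not code from the module or its references: it enumerates the cube, maps a constructed and deliberately incomplete register of controls onto the cells they address (the host-intrusion-detection control from the paragraph among them), and lists the cells that nothing covers, optionally restricted to the policy layer. The goal axis is the CIA triad from the text; the state labels (storage, processing, transmission) and measure labels (technology, policy, education) follow the model as it is commonly presented, and the control names are assumptions.

```go
package main

import "fmt"

// The three axes of the McCumber Cube. The goal axis is the CIA triad; the
// state and measure labels follow the model as it is commonly presented.
var (
	Goals    = []string{"confidentiality", "integrity", "availability"}
	States   = []string{"storage", "processing", "transmission"}
	Measures = []string{"technology", "policy", "education"}
)

// Cell is one of the 27 intersections that must be addressed.
type Cell struct{ Goal, State, Measure string }

func (c Cell) String() string { return c.Goal + "/" + c.State + "/" + c.Measure }

// Control is a safeguard together with the cells it addresses.
type Control struct {
	Name  string
	Cells []Cell
}

// AllCells enumerates the 3x3x3 grid in axis order.
func AllCells() []Cell {
	cells := make([]Cell, 0, len(Goals)*len(States)*len(Measures))
	for _, g := range Goals {
		for _, s := range States {
			for _, m := range Measures {
				cells = append(cells, Cell{g, s, m})
			}
		}
	}
	return cells
}

// Uncovered returns the cells that no control in the register addresses.
func Uncovered(controls []Control) []Cell {
	covered := make(map[Cell]bool)
	for _, ctl := range controls {
		for _, cell := range ctl.Cells {
			covered[cell] = true
		}
	}
	var gaps []Cell
	for _, cell := range AllCells() {
		if !covered[cell] {
			gaps = append(gaps, cell)
		}
	}
	return gaps
}

// UncoveredByMeasure narrows the gaps to one layer of the measure axis, for
// instance "policy", the layer the module notes is most often left out.
func UncoveredByMeasure(controls []Control, measure string) []Cell {
	var gaps []Cell
	for _, cell := range Uncovered(controls) {
		if cell.Measure == measure {
			gaps = append(gaps, cell)
		}
	}
	return gaps
}

// SampleControls is a constructed, deliberately incomplete register; the
// control names are assumptions, not controls the module prescribes.
func SampleControls() []Control {
	return []Control{
		{Name: "host intrusion detection on critical files",
			Cells: []Cell{{"integrity", "storage", "technology"}}},
		{Name: "TLS on all service traffic",
			Cells: []Cell{{"confidentiality", "transmission", "technology"}, {"integrity", "transmission", "technology"}}},
		{Name: "full-disk encryption on laptops",
			Cells: []Cell{{"confidentiality", "storage", "technology"}}},
		{Name: "backup and restore procedure",
			Cells: []Cell{{"availability", "storage", "technology"}, {"availability", "storage", "policy"}}},
		{Name: "information classification policy",
			Cells: []Cell{{"confidentiality", "storage", "policy"}, {"confidentiality", "processing", "policy"}, {"confidentiality", "transmission", "policy"}}},
		{Name: "security awareness training",
			Cells: []Cell{{"confidentiality", "storage", "education"}, {"confidentiality", "processing", "education"}, {"confidentiality", "transmission", "education"}}},
	}
}

func main() {
	controls := SampleControls()
	gaps := Uncovered(controls)
	fmt.Printf("%d of %d cells have no control:\n", len(gaps), len(AllCells()))
	for _, g := range gaps {
		fmt.Println(" ", g)
	}
	fmt.Println("policy-layer gaps:", UncoveredByMeasure(controls, "policy"))
}
```

With the sample register, 15 of the 27 cells are unaddressed and five of those sit in the policy layer, which is the kind of gap the paragraph warns about: technology controls exist for several goals, but the guidelines that direct their use are missing for most of the cube.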

Unit Summary

In this Unit, we looked at an introduction to information security. We
first looked at the definition of information security, how it relates to
cyber security and its importance to organisations and people. We also
looked at the CIA triad, the critical characteristics of information and
concluded with a look at the McCumber Cube.

Unit Activity

1. Define the following terms:
a. Security
b. Information security
c. Attack
d. Threat
2. Compare and contrast information security and cyber security.
3. Explain the importance of information security to an organisation.
4. Discuss any four (4) critical characteristics of information.
5. Discuss the CIA triad.
6. Explain how the McCumber Cube extends the CIA triad.
