
Information Security: MIM737
Department of Information and Marketing Sciences
Midlands State University

Security Administration
Conducting a Security Program
• This is a series of ongoing, regular, periodic
evaluations conducted to ensure that the physical
facilities of a computer installation are
safeguarded adequately.
• The security administrator has to consider an
extensive list of possible threats to the
organization, prepare an inventory of assets,
evaluate the adequacy of controls and implement
new controls.
• Security evaluations need to be repeated
periodically to determine whether covert changes
have occurred that necessitate modification to
controls.
• The major steps to be taken when evaluating the
security of an installation are:
(1) Preparation of a project plan
• If the objectives of the review are not kept
clearly in mind, too much work will be
undertaken that has only marginal benefits.
• The initial evaluations deal with critical areas;
when these are sorted out, lesser concerns can
be addressed.
• The project plan of a security evaluation
encompasses the normal items that should be
present in any project plan.
i. Objectives and scope of the evaluation
ii. Tasks to be accomplished
iii. Organization of the project team
iv. Resources budget
v. Schedule for task accomplishment
• Standard tools such as the Gantt chart can be used
to assist the documentation and communication
processes.
(2) Identification and Valuation of Assets
• It is important to prepare a complete inventory,
since the omission of an asset may result in a set
of exposures being overlooked that ultimately
may lead to a loss being incurred.
• The major categories of assets that the security
manager must investigate are: personnel,
hardware, application software, system software,
data, facilities (furniture, office space, filing
cabinets) and supplies (tapes, disks, preprinted
paper).
Valuing the assets can be a difficult task. Valuation
may differ depending upon:
• who is asked to give the valuation
• the age of the asset
• the way in which the asset may be lost
• the period of time for which it is lost.

(3) Threats Identification and Probability
Assessment
• The security manager attempts to flesh out and
evaluate all threats that may affect the physical
security of the computer installation.
• Browne [1979] identifies three major categories of
threats that the security manager must consider:
unreliable systems, disasters and hostile action.
• Having identified the threats, the next step is to
estimate the likelihood of occurrence.
• To some extent the nature and value of the assets
held within the computer installation affect the
likelihood of the occurrence of a threat.
(4) Exposures Analysis
It comprises three major tasks:
a) identification of the controls in place and an
assessment of their reliability;
b) evaluation of the likelihood that a threat will be
successful given the reliability of the controls in
place; and
c) assessment of the loss that results if a threat
circumvents the controls that are in place.
• The objective is to reduce the exposures to an
acceptable level.

(5) Controls Adjustment
• In light of the exposures analysis, the security
manager must evaluate whether each exposure
is at an acceptable level.
• The benefits of a control that arise because it
reduces expected losses from threats must
exceed the costs of designing, implementing, and
operating the control.
• The security manager needs to examine whether
an existing control should be terminated or
modified in some way to make it more
cost-effective.
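As an added worked example (not part of the lecture slides), the exposures analysis of step (4) and the cost-benefit test of step (5) can be written down directly: the expected loss from a threat is its likelihood times the loss if it succeeds, the residual exposure with a control in place scales that by the probability the control fails, and a control is worth keeping only if the reduction in expected loss exceeds its annual cost. The threat figures and the acceptable-exposure level below are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Threat:
    name: str
    likelihood: float           # probability the threat occurs per year
    loss: float                 # loss incurred if the threat succeeds
    control_reliability: float  # probability the control in place stops it
    control_cost: float         # annual cost to design, implement, operate it


def expected_loss(t: Threat) -> float:
    """Exposure with no control in place: likelihood x loss."""
    return t.likelihood * t.loss


def residual_exposure(t: Threat) -> float:
    """Exposure given the control: the threat succeeds only if the control fails."""
    return t.likelihood * (1.0 - t.control_reliability) * t.loss


def control_benefit(t: Threat) -> float:
    """Reduction in expected loss attributable to the control."""
    return expected_loss(t) - residual_exposure(t)


def controls_adjustment(t: Threat, acceptable: float) -> str:
    """Step (5) decision: 'terminate' a control that costs more than the losses it
    prevents, 'strengthen' one that pays for itself but leaves the exposure above
    the acceptable level, otherwise 'keep' it."""
    if control_benefit(t) <= t.control_cost:
        return "terminate"
    if residual_exposure(t) > acceptable:
        return "strengthen"
    return "keep"


# Constructed sample inventory (values are illustrative, not from any real installation)
THREATS = [
    Threat("fire", 0.02, 500_000.0, 0.90, 4_000.0),
    Threat("power loss", 0.30, 20_000.0, 0.95, 1_500.0),
    Threat("wiretap at PBX", 0.10, 60_000.0, 0.50, 1_000.0),
    Threat("dust/pollution", 0.50, 2_000.0, 0.80, 1_500.0),
]


def review(threats, acceptable: float = 2_000.0) -> dict:
    """Run the adjustment decision over the whole inventory."""
    return {t.name: controls_adjustment(t, acceptable) for t in threats}


if __name__ == "__main__":
    for t in THREATS:
        print(f"{t.name:15s} residual={residual_exposure(t):7.0f} "
              f"benefit={control_benefit(t):7.0f} cost={t.control_cost:6.0f} "
              f"-> {controls_adjustment(t, 2_000.0)}")
```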
(6) Security Report Preparation
• Like all reports to management, often the most
difficult part is getting the recommendations
accepted.
• With respect to the feasibility of recommended
safeguards, the security manager has to
demonstrate that the safeguards are within the
installation's capabilities to design, implement
and operate.
• The report must also include a plan to
implement the recommendations.
Major Security Threats and Remedial Measures
Fire damage
• The security manager should arrange regular
inspections of all fire protection systems and
periodic drills.
• The procedures to be followed during an
emergency should be documented.
Energy Variations
• Voltage regulators protect hardware against
temporary increases in power; other safeguards
include circuit breakers, batteries, etc.
• Careful assessment of the likelihood of
unacceptable energy variations is essential to the
ongoing operations of the installation.
• The impact of any new energy consumer on the
existing power supply should be assessed.
• The design of security for the installation must
provide for the possibility of total loss of power.
Pollution
• There is a need for regular cleaning and vacuuming.
• In general, pollution is minimized by having good
housekeeping procedures.
Unauthorized intrusion
• In communications networks, the points most likely
to be wiretapped are junction boxes and the private
branch exchange, so the security administrator must
make sure these points are secure.
Water damage and structural damage
Controls of Last Resort
• Though safeguards are implemented, an
installation may still suffer a disaster. In such a
scenario there must be two controls of last resort.
Disaster Recovery Plan
• Cerullo [1981] argues that a comprehensive
disaster recovery plan comprises four parts.
Emergency Plan
• It specifies the actions to be taken immediately
when a disaster occurs.
• The actions to be initiated may vary depending on
the nature of the disaster that occurs.
• The plan must show who is to be notified
immediately when the disaster occurs, which
actions are to be undertaken within the
installation, and the evacuation and return
procedures to be followed.
• In all cases, the personnel responsible for the actions
must be notified and the protocols to be followed
must be specified clearly.
Backup Plan
• It specifies the location of backup resources, the site
where resources can be assembled and operations
restarted, the personnel required for gathering the
backup resources and restarting operations, the
priorities to be assigned to recovering the various
systems, and a time frame within which recovery of each
system must be effected.
• The most difficult part in preparing a backup plan
is ensuring that all critical resources are backed
up: programs, data, hardware, facilities, supplies,
documentation, and personnel.
• The selection of backup sites is an important
decision.
• The backup plan must assist employees as much
as possible by providing concise, complete, clear
instructions on the recovery procedures they are
to accomplish.
Recovery Plan
• The recovery plan sets out how the full capabilities of
the installation will be restored.
• The plan should identify a recovery committee that
will be responsible for working out the specifics of
the recovery to be undertaken.
• It should provide guidelines on priorities to be
followed.
Test Plan
• The purpose of the test plan is to identify
deficiencies in the emergency, backup and recovery
plans, or in the preparedness of the organization
and its personnel in the event of a disaster.
• It must enable a range of disasters to be
simulated and specify criteria by which the
emergency, backup, and recovery plans can be
deemed satisfactory.
• Periodically, test plans must be invoked, i.e. a
disaster must be simulated.
• The disaster recovery plan can be tested by desk
checking, during a slow period in the day and also
without warning (acid tests).
The exposures that remain after controls have been
designed and implemented can be handled in
three ways:
• The organization can bear the risk itself and treat
any losses as part of normal operations.
• Risk sharing through a trade association.
• The risk can be transferred contractually.
Insurance
• Data processing insurance is often a complex affair.
• The security manager must ensure that the following
areas are covered: equipment, facilities, storage
media, business interruption, extra expenses,
valuable papers and records, and accounts receivable.
• It falls on the security manager to ensure that the
policy is not voided because the installation fails to fulfil a
condition of the policy. In this regard, regular
security reviews help determine whether
insurance coverage is adequate and whether the
installation is fulfilling its responsibilities.