The International Handbook of Computer Security
- 400 pages
- English
About this book
The International Handbook of Computer Security is designed to help information systems/computer professionals as well as business executives protect computer systems and data from a myriad of internal and external threats. The book addresses a wide range of computer security issues. It is intended to provide practical and thorough guidance in what often seems a quagmire of computers, technology, networks, and software. Major topics discussed are: security policies; physical security procedures; data preservation and protection; hardware and software protection and security; personnel management and security; network security, internal and external systems; contingency planning; legal and auditing planning and control.
Authors: Jae Shim, Anique A. Qureshi, Joel G. Siegel
Chapter 1
Organizational Policy
Today the cost to businesses of stolen, misused, or altered information can be high, especially if real or purported damages to customers can be traced back to mismanagement. That's why you must value your information resources within the context of your business goals and constraints.
The objective of security management is to eliminate or minimize computer vulnerability to destruction, modification, or disclosure. But before we can discuss information security, we must see how that security works.
A key consideration is the physical location of the organization. Naturally, more security is needed in areas of high crime, although this may take the form of less expensive generic physical security measures. Who uses the information will also affect the security measures chosen. Some users need to alter data; others simply need to access it.
If a security plan is to be effective, top management must be fully convinced of the need to take counteractive steps. To assess the seriousness of a computer breakdown or loss of data, each business has to evaluate threats to the company, the potential losses if the threats are realized, and the time and cost that will be necessary to recover from any breach in security.
The proliferation of networks scatters security issues across the globe and increases the need for inexpensive but effective levels of security. Physical security measures reflect the location of each component, but procedural measures, especially in a large organization, are of equal importance, even though they may seem obtrusive.
Personal computers are another potential security threat. More and more people operate their PCs with telecommunications services to connect to central computers and network services. To limit the damage that can be done, each user must be identified and that identity authenticated. The user is then allowed to perform only authorized actions.
Audits can be very valuable for detecting security violations and deterring future violations. A security violation may be indicated from customer or vendor complaints that show discrepancies or errors; on the other hand, variance allowances can cover up fraudulent activity.
Audit trails used to produce exception reports are especially valuable to managers. Standard questions include who accessed what data, whether the data were altered, or whether access-only employees attempted alteration. Exception reports are best used daily because they are after-the-fact reports. You may also choose to look only at reports from areas of high vulnerability or where there is a history of corruption or attempted corruption.
A good manager will know the types and forms of information generated and how the information is used by the business before planning how to manage it. Security measures in an information resource management program must be practical, flexible, and in tune with the needs of the business. A risk-management approach recognizes alternatives and decision choices at each step in information resources management in order to develop a program that meshes with ongoing business practices.
It is your responsibility as a manager to (1) assist with the design and implementation of security procedures and controls, and (2) ensure that these remain effective by continuous internal audits. To do this you must:
- Identify the risks.
- Evaluate the risks.
- Install appropriate controls.
- Prepare a contingency plan.
- Continually monitor those controls against the plan.
Misuse of information is costly. Ask yourself, "Where in the business scheme does this information work?" identifying not only the department but also the type of usage (strategic, tactical, operational, or historical). This will help you determine how secure that information must be. Its value must justify the expense of protecting business data. For instance, because encryption is relatively expensive, it's usually reserved for higher business use (strategic or tactical). Operational business uses may use simpler controls such as passwords.
Security Administration
Security should be administered in the context of how the organization needs to control, use, and protect its information. Protection needs to be appropriate and reasonable given management's risk posture. Three levels of security (physical, procedural, and logical) used in tandem can reduce the risks.
Physical Security
Physical security, the first line of defense, is the one that usually comes to mind when you hear the word "security." This level literally separates those who are authorized to use certain types of information from those who are not. It also creates and maintains an environment in which the equipment is not exposed to damaging environmental hazards like extreme heat or flooding, natural disasters, fire, power failure, or air conditioning failure.
Detection devices warn of an environmental failure, and automatic systems can protect against damages. Heat and smoke sensors and thermostats for temperature and humidity are standard equipment in computer centers. Attached to automatic shutoff devices they protect your computer system should critical limits be exceeded. Some natural disasters cannot be foreseen, especially in the usually windowless domain of the computer center, but disruption of service can be kept to a minimum by using backup centers.
At backup centers themselves, physical security takes on a heightened purpose. Your company may want to join a data center insurance group. The group data center should be able to handle the total workload of each member organization; in the event of service failure, the data center assumes the data processing role for that organization. During regular operations the data center may be used by a third party.
Human control is more elusive. Traffic, especially at the beginning and end of the business day, can overburden card-access systems. The physical layout of the building and the routes employees use to reach their workplaces can also overburden checkpoints. Guards, usually low-paid, are susceptible to bribery and relaxation of standards. Additionally, during high traffic times there may not be enough guards to check employee ID badges, or register visitors.
Procedural Security
Daily users of information systems gain great insight into their workings. They can identify holes in the process. Employees generally know if their system is being audited (as they should, to discourage corruption); if they are not being audited, the temptation to tamper with the system may be too great to resist. Companies with high turnover are particularly susceptible to employee modifications of the system.
Careful hiring and processing of employees, then, is one way to instill procedural security. Threats from mentally unstable employees are obvious. However, without the proper safeguards all current and former employees have access to the company's computer resources. Among the proper safeguards:
- Revoke passwords as soon as an employee is terminated or if he is even suspected of infringement.
- Use lists of authorized personnel to control entrance into the system.
- Constantly monitor logs generated by computer systems that report access to sensitive areas.
- All transactions processed should be reviewed and audited.
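The exception report described earlier (who accessed what, and whether access-only employees attempted alteration) combined with the authorized-personnel list above, as an added example that is not from the book: it assumes a constructed audit-trail format of `timestamp user action record` and a constructed list of authorized users with a `read` or `modify` privilege, and flags modifying actions by read-only users and any activity by a user who is no longer on the list.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed authorized-personnel list: user -> privilege level.
# "read" means access-only; "modify" means the user may alter data.
AUTHORIZED = {
    "alice": "modify",
    "bob": "read",
    "carol": "read",
}

# Actions that alter data (hypothetical names for this audit format).
MODIFYING_ACTIONS = {"UPDATE", "DELETE", "INSERT"}

# Constructed audit-trail lines: "<timestamp> <user> <action> <record>".
# "dave" is not on the authorized list (e.g. a terminated employee whose
# credentials were never revoked).
SAMPLE_LOG = """\
2024-03-01T08:02:11 alice UPDATE payroll/1042
2024-03-01T08:05:40 bob READ payroll/1042
2024-03-01T08:07:02 bob UPDATE payroll/1042
2024-03-01T08:09:55 dave READ customers/77
2024-03-01T08:12:30 carol DELETE vendors/9
"""


@dataclass(frozen=True)
class Finding:
    timestamp: str
    user: str
    action: str
    record: str
    reason: str


def exception_report(log_text: str, authorized: dict[str, str]) -> list[Finding]:
    """Return one Finding per audit line that violates the authorization list."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        timestamp, user, action, record = line.split()
        privilege = authorized.get(user)
        if privilege is None:
            findings.append(Finding(timestamp, user, action, record, "unauthorized user"))
        elif action in MODIFYING_ACTIONS and privilege != "modify":
            findings.append(Finding(timestamp, user, action, record,
                                    "access-only user attempted alteration"))
    return findings


if __name__ == "__main__":
    for f in exception_report(SAMPLE_LOG, AUTHORIZED):
        print(f"{f.timestamp} {f.user:<6} {f.action:<7} {f.record:<15} {f.reason}")
```

Run daily, as the text advises, this produces the after-the-fact exception list a manager reviews; the authorized list should be regenerated from personnel records so that revoked users drop out of it automatically.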
These actions constitute a fundamental level of control over business operations that lets the whole organization know that management is concerned with security and is devoting time and money to seeing that its security objectives are met.
Logical Security
Computer hardware or software should automatically control the people and programs trying to access computer resources. Data encryption is an example.
Generally, all three levels of security must be combined to form the right mix for a given element. This is called an access control system. Its goals are to:
- Prevent unauthorized physical or logical access to facilities or to information via electronic formats,
- Track user computing and telecommunication activities, and
- Establish a basis for, and then enforce, a set of authorizations for all persons and programs attempting to use electronic information resources.
Establishing a Security Policy
Every organization should have a security policy that defines the limits of acceptable behavior and how the organization will respond to violations of such behavior. The policy assigns accountability and delegates authority across the organization. It will naturally differ from organization to organization, based on unique needs. Optional policies include:
- No playing of computer games on corporate computers.
- No visiting adult web sites using corporate Internet accounts or computers.
- An embargo against the use of a specific protocol if it cannot be administered securely.
- A prohibition against taking copies of certain corporate electronic documents out of the office.
- No use of pirated software.
Questions you must answer include: How will violators be reprimanded or punished? Will the organization respond to violators inside the organization? Will it be different from the response to violators outside the organization? What civil or criminal actions might be taken against violators?
Security policy should not be set piecemeal. This leads to inefficiencies, holes in the system, poor valuation of information elements, and inconsistencies. And it costs more to set policy piecemeal.
Publishing the policy is vital.
The owners of information can best assign information elements to a particular classification. Top management is in the best position to evaluate consequences. About 1 percent of all business information should have the highest level (and therefore costliest) classification. Mid-range classifications typically have about 40 percent of all business information.
Policy statements set program goals, give detailed directions for carrying out procedures, and explain absolute requirements of the information security system. Policy statements should be concise and not require modification for at least five years; standards or procedures usually must be modified no more often than every three years.
Your security policy should be a broad statement that guides individuals and departments as they work to achieve certain goals. Specific actions needed to realize goals will be contained in supporting standards rather than in the policy document.
The security policy should be concise and to the point, generally not exceeding 10 pages. It should be easy to understand. It should emphasize the roles of individuals and departments. It is not the purpose of the security policy to educate individuals. That objective is better achieved through training.
The rationale for a security policy should be stated, explaining its purpose, including why data integrity must be maintained. Come down hard on the importance of maintaining the confidentiality and privacy of information resources. The organization must have information continuously available; any interruption can have serious financial consequences.
Computer security must be everyone's responsibility, so the computer security policy should encompass all locations of the company and all of its subsidiaries. Because security is only as strong as its weakest link, everyone in the organization must be held to the same set of standards. This means that the standards have to be flexible enough to be used in a wide variety of circumstances while remaining consistent across the organization.
The security policies apply to all data and computer facilities, including standalone computers, Internet and Intranet sites, local area networks (LANs), and wide area networks (WANs), as well as all forms of electronic communication, including email, fax, and data transmissions. They should also encompass relevant printed material, such as documentation and technical specifications.
Computer security is a means to an end, not an end in itself; it is an integral component of your organization's overall risk management strategy. It should therefore be evaluated periodically to respond to changes in technology or circumstances. Assign authority for issuing and amending the security policy to a committee such as the Information Technology Management Committee that must determine when circumstances justify departure from the policy. All exceptions must have committee approval.
For a security policy to proceed, all individuals and departments must participate. It is well established that individuals are more likely to accept the security policy (or any other policy!) if they have had input during its creation, but the real benefit of employee participation is the knowledge they bring.
The relationship between the computer security policy and other corporate policies should be spelled out. For example, the computer security policy should be used in conjunction with the firm's policies for the internal control structure and contingency plans, including business interruption and resumption plans.
The policy should ensure compliance with all laws. Privacy and confidentiality issues have a serious effect on computer security. Increased governmental regulation is likely. The legal department should help department heads comply with the laws.
The responsibilities of the Information Systems department and its security personnel should be defined in the security policy docum...
Table of contents
- Cover
- Title Page
- Copyright Page
- Dedication
- Acknowledgements
- Table of Contents
- About the Authors
- What This Book Will do For You
- Chapter 1: Organizational Policy
- Chapter 2: Physical Security and Data Preservation
- Chapter 3: Hardware Security
- Chapter 4: Software Security
- Chapter 5: Personnel Security
- Chapter 6: Network Security
- Chapter 7: Security Policy
- Chapter 8: Contingency Planning
- Chapter 9: Auditing and Legal Issues
- Appendix: Security Software
- Index