Introduction to Information Security (CAVITE STATE UNIVERSITY) PDF
Document Details
Cavite State University
2022
Summary
This document is a course material on Introduction to Information Security, specifically for the CAVITE STATE UNIVERSITY, Bacoor City Campus. The material covers course description, principles, and strategies related to information security.
Full Transcript
2022
Republic of the Philippines
CAVITE STATE UNIVERSITY
Bacoor City Campus
SHIV, Molino VI, City of Bacoor

INTRODUCTION TO INFORMATION SECURITY

Contents
COURSE DESCRIPTION
MISSION
VISION
NIÑO M. RODIL
COURSE REQUIREMENTS
INTENDED LEARNING OUTCOMES
PRE-TEST
PRINCIPLES OF INFORMATION SECURITY
    What is Information Security?
    Confidentiality, Integrity, and Availability
    System Development Life Cycle
DEVELOPING AN INFORMATION ASSURANCE STRATEGY
INFORMATION ASSURANCE PRINCIPLES
ASSETS, THREATS, VULNERABILITIES, RISKS, AND CONTROLS
POST-TEST
ANSWER KEY

COURSE DESCRIPTION
ITEC85 – INFORMATION ASSURANCE AND SECURITY
This course provides an understanding of information security, integrity, and privacy techniques.
Topics include the nature and challenges of computer security, the relationship between policy and security, the role and application of cryptography, the mechanisms used to implement policies, and the methodologies and technologies for assurance, vulnerability analysis, and intrusion detection. The students are expected to recognize the growing importance of the information security specialist to the IT infrastructure, particularly in designing and innovating the methods, tools, and techniques in information assurance and security.

PROGRAM OUTCOMES ADDRESSED BY THE COURSE. AFTER COMPLETING THIS COURSE, THE STUDENTS MUST BE ABLE TO:
1. Attain the vision, mission, goals and objectives of the university, campus and department; (E)
2. Deliver a gender-fair and gender-sensitive instruction to students aligned with University goals and objectives. (D)
3. Understand the basic concepts in information security, including the security technology and principles, software security and trusted systems, and IT security management (I)
4. Analyze the various cryptographic tools and the requirements and mechanisms for identification and authentication (E)
5. Understand the characteristics of typical security architectures and the multi-level security systems. (E)
6. Understand the different database security issues and solutions, models, architectures and its mechanisms (E)

MISSION
Cavite State University shall provide excellent, equitable and relevant educational opportunities in the arts, science and technology through quality instruction and relevant research and development activities. It shall produce professional, skilled and morally upright individuals for global competitiveness.

VISION
The premier university in historic Cavite recognized for excellence in the development of globally competitive and morally upright individuals.

NIÑO M. RODIL
Instructor I
[email protected]

COURSE REQUIREMENTS
1. Homework/Activity
2. Long Examination
3. Midterm and Final Examination

INTENDED LEARNING OUTCOMES
After the completion of the unit, students will be able to:
1. Understand the definition and history of information security
2. Identify the key information security concepts and strategy principles
3. Understand the principles that fulfill the information assurance requirements and objectives of the majority of organizations

PRE-TEST:
Direction: Identify the terms and choose the best answer:
1. What is the primary goal of Information Assurance?
   a) To secure data against unauthorized access
   b) To ensure data availability, integrity, and confidentiality
   c) To maintain system hardware
   d) To develop new security algorithms
2. Which of the following is NOT a principle of the CIA Triad?
   a) Confidentiality
   b) Integrity
   c) Availability
   d) Authentication
3. What is the main purpose of encryption in information security?
   a) To allow free data sharing
   b) To protect data by converting it into unreadable code
   c) To delete sensitive information
   d) To increase the speed of data transfer
4. Which of the following is an example of a physical security measure?
   a) Firewall
   b) Strong passwords
   c) Security cameras
   d) Encryption software
5. Which type of attack aims to overwhelm a system with traffic, making it unavailable to users?
   a) Phishing
   b) Man-in-the-middle attack
   c) Denial of Service (DoS)
   d) SQL injection
6. What does “two-factor authentication” (2FA) require?
   a) A password and username
   b) A password and an additional verification method, such as a phone or fingerprint
   c) Two different passwords
   d) A security question and a password
7. Which of the following is considered a strong password?
   a) 12345678
   b) password123
   c) P@ssw0rd!
   d) admin1
8. What does the term “malware” refer to?
   a) Software that enhances system security
   b) Malicious software designed to harm or exploit a system
   c) Hardware protection tools
   d) Anti-virus programs
9. What is the primary purpose of a firewall?
   a) To stop all internet traffic
   b) To allow all inbound traffic
   c) To monitor and control incoming and outgoing network traffic based on security rules
   d) To increase the speed of internet connections
10. Social engineering is best described as:
   a) Attacking a system through technical means
   b) Tricking individuals into divulging confidential information
   c) The development of new social media platforms
   d) Creating encrypted communication channels

PRINCIPLES OF INFORMATION SECURITY

WHAT IS INFORMATION SECURITY?
A “well-informed sense of assurance that the information risks and controls are in balance.” —Jim Anderson, Inovant (2002)
Security professionals must review the origins of this field to understand its impact on our understanding of information security today.

Multiple Layers of Security
1. Physical Security - Involves the protection of hardware, facilities, and personnel from physical threats like unauthorized access, theft, or natural disasters.
2. Personal Security - Focuses on the safety and protection of individuals, ensuring they are not subject to harm, coercion, or espionage.
3. Operation Security - Protects sensitive information related to operations, ensuring that adversaries cannot gain insights into critical activities.
4. Communications Security - Protects the confidentiality and integrity of communications through encryption and secure channels to prevent interception and unauthorized access.
5. Network Security - Ensures the protection of data flowing across networks from unauthorized access, misuse, or attacks such as hacking or malware.
6. Information Security - Protects the integrity, confidentiality, and availability of data from unauthorized access or breaches.

The Dawn of Information Security: Early Pioneers and Challenges
A. Began immediately following the development of the first mainframes
- Developed for code-breaking computations during World War II.
- Multiple levels of security were implemented.
B. Physical Controls
C. Rudimentary
- Defending against theft, espionage and sabotage.

1960s
Original communication by mailing tapes
Advanced Research Project Agency (ARPA)
- Examined feasibility of redundant networked communications
Larry Roberts developed ARPANET from its inception
- Link computers
- Resource sharing
- Link 17 Computer Research Centers
- Cost 3.4M
ARPANET is the predecessor to the Internet and grew in popularity
Fundamental problems with ARPANET security
- Individual remote sites were not secure from unauthorized users
- Vulnerability of password structure and formats
- No safety procedures for dial-up connections to ARPANET
- Non-existent user identification and authorization to system

1970s
Rand Report R-609
- Paper that started the study of computer security
- Information security began
Scope of computer security grew from physical security to include
- Safety of data
- Limiting unauthorized access to data
- Involvement of personnel from multiple levels of an organization
MULTICS
- System called Multiplexed Information and Computing Service
- First operating system created with security as primary goal
- Mainframe, time-sharing OS developed in mid-1960s such as GE, Bell Labs and MIT.
- Several MULTICS key players created UNIX
- In the late 1970s, the microprocessor expanded computing capabilities, reduced the mainframe presence, and expanded security threats.

1990s
Networks of computers are common and the interconnection of networks expands.
The Internet became the first manifestation of a global network of networks.
Information security is initially based on de facto standards.
In most Internet deployments, security was treated as a low priority.
2000 to Present
Millions of computer networks communicate, and many communications are unsecured.
The growing threat of cyber attacks has increased the need for improved security.

KEY INFORMATION SECURITY CONCEPTS
1. Access
2. Asset
3. Attack
4. Control, Safeguard or Countermeasure
5. Exploit
6. Exposure
7. Loss
8. Protection Profile or Security Posture
9. Risk
10. Subject and Object
11. Threat
12. Threat Agent
13. Vulnerability
A computer can be the subject of an attack, and a computer can be the object of an attack. When the computer is the subject of an attack, it is used as an active tool to conduct the attack. When the computer is the object of an attack, the computer is the entity being attacked.

CRITICAL CHARACTERISTICS OF INFORMATION
The value of information comes from the characteristics it possesses:
1. Availability
2. Accuracy
3. Authenticity
4. Confidentiality
5. Integrity
6. Utility
7. Possession

COMPONENTS OF AN INFORMATION SYSTEM
An information system (IS) is the entire set of components necessary to use information as a resource in the organization.
1. Software
2. Hardware
3. Data
4. People
5. Procedures
6. Networks

BALANCING INFORMATION SECURITY AND ACCESS

Approaches to Information Security Implementation
Grassroots effort – System administrators drive
Key Advantage – Technical expertise of individual administrators
Seldom works and lacks a number of critical features, such as participant support and organizational staying power.
Initiated by upper management about the policy issues, procedures and processes.
Dictates the goals and expected outcomes of the project and determines the accountability for each required action.

CONFIDENTIALITY, INTEGRITY, AND AVAILABILITY

Confidentiality
Confidentiality and privacy are related terms but are not synonymous.
Confidentiality is the assurance of data secrecy where no one is able to read data except for the intended entity. Confidentiality should prevail no matter what the data state is—whether data resides on a system, is being transmitted, or is in a particular location (for example, a file cabinet, a desk drawer, or a safe). Privacy, on the other hand, involves personal autonomy and control of information about oneself.

Integrity
People understand integrity in terms of dealing with people. Integrity is a service that assures that the information in a system has not been altered except by authorized individuals and processes. It provides assurance of the accuracy of the data and that it has not been corrupted or modified improperly.

Availability
Availability is the service that assures data and resources are accessible to authorized subjects or personnel when required. The second component of the availability service is that resources such as systems and networks should provide sufficient capacity to perform in a predictable and acceptable manner.

Identification, Authentication, Authorization, and Accountability
Identification, authentication, authorization, and accountability are the essential functions in providing an access management system.

Identification
Identification is a method for a user within a system to introduce oneself. In an organization-wide identification requirement, you must address identification issues. An example would be more than one person having the same name. Identifiers must be unique so that a user can be accurately identified across the organization.

Authentication
Authentication validates the identification provided by a user. In other words, it makes sure the entity presenting the identification can further prove to be who they claim. To be authenticated, the entity must produce, at a minimum, a second credential. Three basic factors of authentication are available to all types of identities.
- What you should know (a shared secret, such as a password, which both the user and the authenticator know)
- What you should have (a physical identification, such as a smartcard, hardware token, or identification card)
- What you are (a measurable attribute, such as biometrics, a thumbprint, or facial recognition)
Public Key Infrastructure (PKI) is a system that provides authentication with certificates based on a public key cryptography method. Public key cryptography provides two independent keys generated together; one key is made public, and another is kept private. Any information protected by one key (public) can be opened only with another key (private). If one key is compromised, a new key pair must be generated.

Authorization
Once a user presents a second credential and is identified, the system checks an access control matrix to determine their associated privileges. If the system allows the user access, the user is authorized.

Accountability
The act of being responsible for actions taken within a system is accountability. The only way to ensure accountability is to identify the user of a system and record their actions. Accountability makes non-repudiation extremely important.

CIA Balance
The three fundamental security requirements are not equally critical in each application. For example, to one organization, service availability and the integrity of information may be more important than the confidentiality of information. A web site hosting publicly available information is an example. Therefore, you should apply the appropriate combination of CIA in correct portions to support your organization’s goals and provide users with a dependable system.

SYSTEM DEVELOPMENT LIFE CYCLE
A methodology for the design and implementation of an information system. The methodology is a formal approach to problem solving based on a structured sequence of procedures. Using the methodology ensures a rigorous process and increases the probability of success.
The traditional SDLC consists of six general phases.

SDLC Waterfall Methodology

Investigation
Determine the problem the system is being developed to solve; the objectives, constraints, and scope of the project must be specified. A preliminary cost-benefit analysis is developed. Feasibility analysis is performed to assess economic, technical, and behavioral feasibilities.

Analysis
Analysis consists of an assessment of the following:
1. Organization
2. Current systems
3. Capability to support proposed systems
Analysis determines the new system that should be made and how the system interacts with existing systems. It should be documented.

Logical Design
A logical design is a conceptual, abstract design. You do not deal with the physical implementation details yet; you deal only with defining the types of information that you need. The process of logical design involves arranging data into a series of logical relationships called entities and attributes.

Physical Design
Physical design is the process of turning a design into manufacturable geometries. It comprises a number of steps, including floor planning, placement, clock tree synthesis, and routing. Components are evaluated on a make-or-buy decision. Feasibility analysis is performed.

Implementation
Implementation is the execution or practice of a plan, a method, or any design, idea, model, specification, standard, or policy for doing something. Needed software should be created. The users should be trained and documentation should be created. Users are presented with the system for performance review and acceptance testing.

Maintenance and Change
This is the longest and most expensive phase. It covers the tasks necessary to support and modify the system. This phase is where the life cycle continues. The process begins again from the investigation phase. When the current system can no longer support the organization's mission, a new project should be implemented.
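The identification, authentication, authorization, and accountability functions described earlier in this unit can be seen working together in the following added example, which is not part of the original course material. The AccessManager class, the user identifiers, passwords, object name, and rights are all constructed for illustration, and the example goes one step beyond the text by hash-chaining the audit log so that later edits to recorded actions can be detected.

```python
import hashlib
import hmac
import json
import os
from datetime import datetime, timezone

PBKDF2_ROUNDS = 200_000  # assumption: work factor picked for this illustration


def derive(password: str, salt: bytes) -> bytes:
    """Stretch the shared secret so the stored verifier is not the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def entry_digest(entry: dict) -> str:
    """SHA-256 over every field of an audit entry except its own digest."""
    body = {k: v for k, v in entry.items() if k != "digest"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AccessManager:
    """Hypothetical access management system (not from the course material)."""

    def __init__(self):
        self._users = {}     # unique identifier -> (salt, password verifier)
        self._matrix = {}    # access control matrix: (subject, object) -> rights
        self.audit_log = []  # accountability trail, one entry per decision

    # Identification: identifiers must be unique across the organization.
    def enroll(self, user_id: str, password: str) -> None:
        if user_id in self._users:
            raise ValueError(f"identifier {user_id!r} is already in use")
        salt = os.urandom(16)
        self._users[user_id] = (salt, derive(password, salt))

    def grant(self, user_id: str, obj: str, *rights: str) -> None:
        self._matrix.setdefault((user_id, obj), set()).update(rights)

    # Authentication: the claimed identifier must be backed by a credential.
    def authenticate(self, user_id: str, password: str) -> bool:
        salt, verifier = self._users.get(user_id, (b"\x00" * 16, b""))
        # Derive even for unknown identifiers so both paths do the same work.
        return hmac.compare_digest(derive(password, salt), verifier)

    # Authorization: default deny; only rights listed in the matrix pass.
    def request(self, user_id: str, password: str, obj: str, right: str) -> bool:
        if not self.authenticate(user_id, password):
            self._record(user_id, obj, right, "denied: authentication failed")
            return False
        allowed = right in self._matrix.get((user_id, obj), set())
        self._record(user_id, obj, right,
                     "allowed" if allowed else "denied: not authorized")
        return allowed

    # Accountability: record who attempted what, chained to the previous entry.
    def _record(self, user_id: str, obj: str, right: str, outcome: str) -> None:
        entry = {
            "time": datetime.now(timezone.utc).isoformat(),
            "subject": user_id, "object": obj, "right": right, "outcome": outcome,
            "prev": self.audit_log[-1]["digest"] if self.audit_log else "",
        }
        entry["digest"] = entry_digest(entry)
        self.audit_log.append(entry)


def audit_log_intact(log: list) -> bool:
    """Detect edited or removed entries. The chain is unkeyed, so the newest
    digest must also be kept somewhere the log writer cannot modify."""
    prev = ""
    for entry in log:
        if entry["prev"] != prev or entry["digest"] != entry_digest(entry):
            return False
        prev = entry["digest"]
    return True


def demo():
    """Run four constructed requests and return (decisions, manager)."""
    am = AccessManager()
    am.enroll("jdelacruz", "correct horse battery staple")
    am.enroll("mreyes", "another constructed passphrase")
    am.grant("jdelacruz", "grades.db", "read", "write")
    am.grant("mreyes", "grades.db", "read")
    decisions = [
        am.request("jdelacruz", "correct horse battery staple", "grades.db", "write"),
        am.request("mreyes", "another constructed passphrase", "grades.db", "write"),
        am.request("mreyes", "wrong password", "grades.db", "read"),
        am.request("unknown", "whatever", "grades.db", "read"),
    ]
    return decisions, am


if __name__ == "__main__":
    decisions, manager = demo()
    print(decisions)
    for e in manager.audit_log:
        print(e["subject"], e["right"], e["object"], "->", e["outcome"])
    print("audit log intact:", audit_log_intact(manager.audit_log))
```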
DEVELOPING AN INFORMATION ASSURANCE STRATEGY
The principles fulfill the information assurance requirements and objectives of the majority of organizations. The size, complexity, and organizational environment will drive the relative importance of each of the principles.

1. Comprehensive
An organization’s information assurance strategy and resulting policies and programs should cover topics, areas, and domains needed for modern organizations. Each topic, domain, and area within a policy should contain sufficient breadth and detail to support strategic, tactical, and operational implementation.

2. Independent
An organization’s information assurance strategy should contain independent contents and perspectives related to the defined mission. Organizations are of various sizes and use products and services from vendors.

3. Legal and Regulatory Requirements
An organization’s information assurance strategy must be consistent with existing laws and regulations applicable to but not limited to information assurance, human resources, healthcare, finance, disclosure, internal control, and privacy within the organizational context. Organizations should refer to existing legal frameworks and regulations in their information assurance strategies so leaders understand how to fulfill the regulatory requirements of their industry or environment.

4. Living Document
An organization’s information assurance strategy should be written as a living document comprised of independent components. In smaller organizations with little employee turnover, culture may sustain practices.

5. Long Life Span
Although information assurance is a dynamic, fast-moving, and rapid-changing discipline, it requires a stable strategic foundation. To increase the value and relevance of an organization’s information assurance strategy, the strategy must focus on the fundamentals of information assurance that remain constant over time. This is supported by tactical and operational components.

6. Customizable and Pragmatic
Organizations should develop a flexible information assurance strategy. The strategy should be applicable to a broad spectrum of organization functions independent of size and should consider varied objectives and infrastructure complexity. Organizations should adopt and adapt their tactical and operational plans to reflect identified organizational information assurance requirements and risk profiles. The suggested controls provided throughout this work can serve as guidance.

7. Risk-Based Approach
In a risk-based approach, organizations identify their risk profiles and prioritize them. Since each organization has a unique risk profile, it must select controls appropriate to its risk tolerance. An organization’s information assurance strategy must be broad enough to give guidance to sub-components with diverse risk profiles. This is analogous to risk portfolio approaches in finance. Risk tolerance and profiles are explained later in this work.

8. Organizationally Significant
Information assurance should be considered significant in an organization’s strategy and ongoing operations, and it is a significant investment and area of concern for any organization. Information assurance is part of an organization just like basic accounting.

9. Strategic, Tactical, and Operational
The organization’s information assurance strategy provides a framework to assist senior managers and executives in making strategic (long-term) planning and decisions. It provides information to aid in tactical (midterm) planning and decisions for managers. In addition, an organization’s information assurance strategy contains information useful to employees and line managers who make operational (short-term) planning and decisions.

10. Concise, Well-Structured, and Extensible
The structure and contents of the organization’s information assurance strategy should demonstrate high cohesion and low coupling. Each topic should be discussed to the appropriate level completely on its own (high cohesion), and its contents should not be highly dependent (low coupling) on other topics. This approach makes the policy extensible by enabling the easy addition of new information (topics) and by providing a modular approach to information assurance for the user.

INFORMATION ASSURANCE PRINCIPLES
Fundamental concepts in protecting organizations’ information assets:

Information Assurance
Information assurance is the overarching approach for identifying, understanding, and managing risk through an organization’s use of information and information systems. Information assurance is concerned with the life cycle of information in an organization through the objectives of maintaining the following services or attributes:
- Confidentiality
- Integrity
- Availability
- Nonrepudiation
- Authentication
The following are critical elements to remember about information assurance:
- Information assurance includes all information an organization may process, store, transmit, or disseminate regardless of media. Thus, information on paper, on a hard drive, in the mind of an employee, or in the cloud is considered to be “in scope.”
- Information security, information protection, and cybersecurity are subsets of information assurance.

Information Security
Information security is a subdomain of information assurance. As noted in the MSR model, information security focuses on the CIA triad.
- Confidentiality
Confidentiality and privacy are related terms but are not synonymous. Confidentiality is the assurance of data secrecy where no one is able to read data except for the intended entity.
- Integrity
Integrity is a service that assures that the information in a system has not been altered except by authorized individuals and processes. It provides assurance of the accuracy of the data and that it has not been corrupted or modified improperly.
- Availability
Availability is the service that assures data and resources are accessible to authorized subjects or personnel when required. The second component of the availability service is that resources such as systems and networks should provide sufficient capacity to perform in a predictable and acceptable manner.
The following are critical elements to remember about information security:
- Like information assurance, information security includes all information an organization may process, store, transmit, or disseminate regardless of media. Thus, information on paper, on a hard drive, in the mind of an employee, or in the cloud is considered in scope.
- Information protection and cybersecurity are subsets of information security.

Information Protection
Information protection is best viewed as a subset of information security. It is often defined in terms of protecting the confidentiality and integrity of information through a variety of means such as policy, standards, physical controls, technical controls, monitoring, and information classification or categorization.
The following are critical elements to remember about information protection:
- Like information security, information protection includes all information an organization may process, store, transmit, or disseminate regardless of media. Thus, information on paper, on a hard drive, in the mind of an employee, or in the cloud is considered in scope.
- Some laws, regulations, and rules specifically cite information protection as a requirement for sensitive information such as personally identifiable information and personal health information.

Cybersecurity
Cybersecurity is a relatively new term that has largely replaced the term computer security. This term is often confused with information assurance and information security. Cybersecurity is used to describe the measures taken to protect electronic information systems against unauthorized access or attack.
Cybersecurity is primarily concerned with the same objectives of information security within the scope of electronic information systems’ CIA.
The following are critical elements to remember about cybersecurity:
- Cybersecurity is primarily focused on the protection of networks and electronic information systems. Other media such as paper, personnel, and in some cases stand-alone systems that rely on physical security are often outside the scope of cybersecurity.
- Cybersecurity often focuses on the vulnerabilities and threats of an information system at the tactical level. System scanning, patching, and secure configuration enforcement are common foci of cybersecurity.
- Intrusion detection and incident response and other functions commonly run from a security operations center (SOC) are often identified as cybersecurity functions.

ASSETS, THREATS, VULNERABILITIES, RISKS, AND CONTROLS
Information assets have unique vulnerabilities, and they are continuously exposed to new threats. The combination of vulnerabilities and threats contributes to risk. To mitigate and control risks effectively, organizations should be aware of the shortcomings in their information systems and should be prepared to tackle them in case the shortcomings turn into threats to activities or business.

Common Threats

1. Errors and Negligence
People are prone to make errors when using computers, especially after long hours of work. Typographical errors can occur when entering data, and if these errors are not checked, validated, and corrected they affect the accuracy and integrity of information.

2. Fraudulent and Theft Activities
Fraud and theft activities are common in the business world. With technical advancement and downloadable materials from the Internet, anyone with basic knowledge of system penetration may successfully trespass sensitive areas of financial information systems. The trespass allows the perpetrator to modify the information.

3. Loss of Infrastructure
Modern organizations connect through internal and external infrastructures which are not under their direct control. It is crucial to ensure that an organization’s physical and virtual infrastructures are well maintained to avoid loss from these communication channels. Infrastructure interruption may cause significant disruption to the organization’s usual operations. This leads to losses in terms of money, time, and resource use.

4. Malware
Malware, or malicious software, penetrates systems resulting in damage to the system. Malware is actually a piece of code or software program that is hostile, intrusive, or at least annoying. Examples of malware are Trojan horses, viruses, worms, and logic bombs.

5. Attackers
Attackers are those who penetrate an organization’s system either internally or externally with or without authorization.
- Hackers and hacktivists
Hackers use technical and social means to gain authorized/unauthorized access to information assets, computer systems, and networks. Some of the technical means include delving deep into the code and protocols used in computer systems and networks.
- Criminal attackers
These attackers view the computer and its contents as the target of a crime—it’s something to be stolen or it’s used to perpetrate the crime. These individuals are motivated simply by profit and greed. Since most large financial transactions occur on networks, electronic crimes include fraud, extortion, theft, embezzlement, and forgery.
- National warfare, asymmetric warfare, and terrorism
Nations depend on information systems to support the economy, infrastructure, and defense, which are all important assets. They are now targets not only of unfriendly foreign powers that are sources of highly structured threats but also of terrorists who are somewhat less structured.
- Information warfare
Information warfare is using information technology as a weapon to impact an adversary.
Several recent examples have shown how customized malware and computer viruses can dramatically impact the progression of secret nuclear ambitions or severely cripple the command and control infrastructure of an opponent. Types of Attacks - Technical attacks Rely on protocol, configuration, or program weakness within target systems or hardware, which are hacked to gain access. - Social engineering (SE) attacks These attacks are performed over the phone after sufficient background information has been obtained concerning the target. Electronic SE attacks seem to be overtaking the phone SE attacks. - Physical attacks Rely on weaknesses surrounding computer systems. These may take the form of dumpster diving for changed passwords and configuration information, or gaining unuthorized access to a wiring closet and installing a wi-fi bridge to hack from a parking lot outside. Codes of Ethics These ethical guidelines show stakeholders and employees that management is sincere in developing and supporting an ethical environment within the organization. This will limit the occurrence of unethical conduct within the organization eventually. Code Description Honesty Security professionals should not abuse trust and power entrusted to them. Security professionals should take only the assignments within their capability. 23 Security professionals should seek advice when it is required. Professionalism Security professionals must ensure all stakeholders are well informed on the status of assignments and advise cautiously when required. Security professionals should address the concerns of stakeholders at all levels to gain the broadest acceptance of information security. Security professionals should not perform any malicious actions that jeopardize organizational or public interest. Security professionals should observe all contracts and agreements. Security professionals should protect clients’ and employers’ interest at all times. 
Independence:
- Security professionals should discourage any prejudice or conflict when advising and serving clients or employers.
- Security professionals should point out any foreseeable conflicts of interest that may arise.

Legal and Ethic:
- Security professionals should discourage any misconduct or malpractice that causes unnecessary alarm or fear.
- Security professionals should not be involved in any criminal behavior or associate with any criminals.
- Security professionals should not serve personal interest through organizational espionage.
- Security professionals should report any illegal activities and should cooperate with law enforcement during investigation.

Knowledge:
- Security professionals should be committed to enhancing and improving knowledge in terms of technical, project, and leadership aspects.
- Security professionals should promote information security professionally.
- Security professionals should respect intellectual property.
- Security professionals should share their knowledge with coworkers and the security community willingly.

Quality:
- Security professionals should be familiar with all specifications of work.
- Security professionals should oversee all activities and ensure that those activities are well organized to ensure an end product of good quality.

Privacy and Confidentiality:
- Security professionals should respect client, employer, supplier, or coworker privacy and should not access any information that is not intended for them.
- Security professionals should respect the confidentiality of information accessed even after an assignment. Such information should not be used for personal benefit or be released to inappropriate parties.

Information Assurance Management System

Organizational processes are changing every day and are frequently distinguished by the formation of autonomous workgroups or teams. Team-based mission-driven organizations are characterized by their reliance on empowerment and knowledge-enabled workers.
This transition requires a complete revolution in how individuals interact with their organizational cohorts.

A Model for the information asset life cycle. The model shows the stages that information assets pass through during their life cycle.

Plan-Do-Check-Act Model

The Plan-Do-Check-Act model demonstrates the process of managing security throughout the life cycle. This includes the implementation of a continuous improvement process to attain an effective information assurance management system.

Plan
Establish the IAMS. This phase requires meticulous documentation of decisions and the associated criteria. This phase focuses on establishing and documenting the IAMS. The main outcomes of this phase are establishing a documented information assurance policy, defining the scope of the IAMS, and defining a risk management approach (consisting of risk assessment and a risk treatment plan).

Do
Implement, operate, and maintain the IAMS. The Do phase focuses on implementing and operating the controls selected and planned in the previous phase. The security policy, controls, processes, and procedures are now put into practice.

Check
Monitor and review the IAMS. This phase assesses the performance of the IAMS process. The primary activity is management review, which is a series of processes in which management observes the effectiveness of the IAMS (in other words, that security controls are in place and achieving their objectives) and makes decisions on improving it.

Act
Execute, maintain and improve the IAMS. The Act phase focuses on continually improving the effectiveness of the IAMS. Implementing corrective and preventive actions based on the results of the management review is essential.

POST-TEST:

Direction: Identify the terms described by the following:

1. Security professionals must review the origins of this field to understand its impact on our understanding of information security today.
2. A methodology for design and implementation of information system.
3. Determine the problem the system being developed to solve and it must have objective, constraints and scope of project specified.
4. Determine the new system should be made and how the system interacts with existing systems.
5. The process of turning a design into manufacturable geometries.
6. The execution or practice of a plan, a method or any design, idea, model, specification, standard or policy for doing something.
7. The tasks necessary to support and modify the system. This phase is where the life cycle continues.
8. An organization’s information assurance strategy and resulting policies and programs should cover topics, areas, and domains needed for modern organizations.
9. The overarching approach for identifying, understanding, and managing risk through an organization’s use of information and information systems.
10. It is often defined in terms of protecting the confidentiality and integrity of information through a variety of means such as policy, standards, physical controls, technical controls, monitoring, and information classification or categorization.
11. A relatively new term that has largely replaced the term computer security.
12. A piece of code or software program that is hostile, intrusive, or at least annoying.
13. Penetrate an organization’s system either internally or externally with or without authorization.
14. The model that demonstrates the process of managing security throughout the life cycle.
15. This phase requires meticulous documentation of decisions and the associated criteria.