Module 1 – Case
Frameworks of Information Security Management
Assignment Overview
Security means to be protected from adversaries, from those who would do harm, intentionally or otherwise. The Committee on National Security Systems (CNSS) defines information security as the protection of information and its critical elements.
Availability enables users who need to access information to do so without interference or obstruction and to retrieve that information in the required format.
Accuracy occurs when information is free from mistakes or errors and has the value that the end user expects. If information contains a value different from the user’s expectations due to the intentional or unintentional modification of its content, it is no longer accurate.
Authenticity is the quality or state of being genuine or original, rather than a reproduction or fabrication. Information is authentic when it is the information that was originally created, placed, stored, or transferred.
Confidentiality is the quality or state of preventing disclosure or exposure to unauthorized individuals or systems.
Integrity is the quality or state of being whole, complete, and uncorrupted. The integrity of information is threatened when the information is exposed to corruption, damage, destruction, or other disruption of its authentic state.
Utility is the quality or state of having value for some purpose or end. Information has value when it serves a particular purpose. This means that if information is available, but not in a format meaningful to the end user, it is not useful.
Possession is the quality or state of having ownership or control of some object or item. Information is said to be in one’s possession if one obtains it, independent of format or other characteristics. While a breach of confidentiality always results in a breach of possession, a breach of possession does not always result in a breach of confidentiality.
Module 1 Video
Case Assignment
Discuss the CNSS security model, which has a dimension consisting of the components of confidentiality, integrity, and availability; a second dimension with the components of processing, storage, and transmission; and a third dimension dealing with the components of policy and procedures, technology and education training, and awareness.
Assignment Expectations
Use the CNSS security model to evaluate the protection of information for some organization, club, or class in which you are involved. Using the CNSS model, examine each of the component combinations and discuss how you would address them in your chosen organization. Present your results in a word document using a table to show the security module components and a discussion of how these will be addressed in the organization, club, or class that you selected to discuss.
You are required to make effective and appropriate use of in-text citations to the assigned readings and other source material to support your arguments. Please use the Trident APA 7 Guide at https://careered.libguides.com/tui/library/apa for proper formatting and style.
Module 1 – Resources
Frameworks of Information Security Management
Required Reading
Required Reading
Blum, D. (2021). Rational Cybersecurity for Business: The Security Leaders’ Guide to Business Alignment, Apress. Chapter 1 – 4.
Elbayad, Moudy (2021). Big Breaches: Cybersecurity Lessons for Everyone. Chapter 1 -4. Apress. Finding Skillsoft Books
Gupta, C. P., & Goyal, K. K. (2020). Cybersecurity : A self-teaching introduction Mercury Learning & Information. Chapters 1,2, and 3. Finding Skillsoft Books
McCumber Cube Model Framework – https://www.linkedin.com/pulse/mccumber-cube-model-framework-enhancing-information-security-%C7%82nanab/
Optional Reading
Harris, S., & Maymi, F. (2018). CISSP all-in-one exam guide, seventh edition, 8th edition (7th ed.) McGraw-Hill, Chapter 1. Available under Skillsoft Books in the Trident Online Library.
Elmaghraby, A. S., & Losavio, M. M. (2014). Cyber security challenges in Smart Cities: Safety, security and privacy. Journal of Advanced Research, 5(4), 491–497. Available in the Trident Online Library.
Module Overview – Background Reading
In this model the foundation for understanding the broader field of information security is established by defining key terms, explaining essential concepts, and reviewing the origins of the field and its impact on the understanding of information security. The role of security in the Systems Development Life Cycle is also discussed, along with the roles of security professionals.
Information security in organizations and governments is a critical business capability that needs to be aligned with corporate strategy to identify security risks and implement effective controls to minimize those risks. The need for computer security began in the early days of computing, with securing the physical location of the hardware from outside threats resulting in mainframes being locked away in the basements of corporate headquarters where physical access to locations included the need for badges and keys. The primary threats in these early days were physical theft of equipment, espionage against the products of the systems, and sabotage. As the Internet evolved from its early days in the 1960’s to our current state of always being connected in the Internet of Things where millions of devices are Internet enabled, security of this interconnected data has become very complex.
Security means to be protected from adversaries, from those who would do harm, intentionally or otherwise. The Committee on National Security Systems (CNSS) defines information security as the protection of information and its critical elements.
The value of information is dependent on many information dimensions.
Availability enables users who need to access information to do so without interference or obstruction and to retrieve that information in the required format.
Accuracy occurs when information is free from mistakes or errors and has the value that the end user expects. If information contains a value different from the user’s expectations due to the intentional or unintentional modification of its content, it is no longer accurate.
Authenticity is the quality or state of being genuine or original, rather than a reproduction or fabrication. Information is authentic when it is the information that was originally created, placed, stored, or transferred.
Confidentiality is the quality or state of preventing disclosure or exposure to unauthorized individuals or systems.
Integrity is the quality or state of being whole, complete, and uncorrupted. The integrity of information is threatened when the information is exposed to corruption, damage, destruction, or other disruption of its authentic state.
Utility is the quality or state of having value for some purpose or end. Information has value when it serves a particular purpose. This means that if information is available, but not in a format meaningful to the end user, it is not useful.
Possession is the quality or state of having ownership or control of some object or item. Information is said to be in one’s possession if one obtains it, independent of format or other characteristics. While a breach of confidentiality always results in a breach of possession, a breach of possession does not always result in a breach of confidentiality.
To understand the importance of information security, it is necessary to briefly review the elements of an information system. An information system (IS) is the entire set of software, hardware, data, people, procedures, and networks necessary to use information as a resource in the organization. Software is the operating systems, applications, and assorted utilities of an information system. Hardware consists of the physical assets that run the applications that manipulate the data of an information system. As hardware has become more portable, the threat posed by hardware loss has become a more prominent problem.
The lifeblood of an organization is the information needed to strategically execute business opportunities, and the data processed by information systems are critical to today’s business strategy. People are often the weakest link in an information system, since they give the orders, design the systems, develop the systems, and ultimately use and game the systems that run today’s business world.
Procedures are the written instructions for accomplishing a task, which may include the use of technology or information systems. These are the rules that are supposed to be followed and the foundation for the technical controls that security systems must be designed to implement. Modern information processing systems are extremely complex and rely on many hundreds of connections, both internal and external.
Networks are the highway over which information systems pass data and users complete their tasks. The proper control over traffic in every network in an organization is vital to properly managing the information flow and security of that organization.
In this discussion of information security, it is important to realize that it is impossible to obtain perfect security. Security is not an absolute; it is a process and not a goal. Security should be considered a balance between protection and availability. To achieve balance, the level of security must allow reasonable access, yet protect against threats. Security begins as a grassroots effort when systems administrators attempt to improve the security of their systems. This is referred to as the bottom-up approach, which seldom works, as it lacks a number of critical features, such as participant support and organizational staying power. An alternative approach, which has a higher probability of success, is called the top-down approach, where the project is initiated by upper management who issue policy, procedures, and processes; dictate the goals and expected outcomes of the project; and determine who is accountable for each of the required actions. The top-down approach has strong upper-management support, a dedicated champion, dedicated funding, clear planning, and the opportunity to influence organizational culture.
Management of information security must be managed in a manner similar to any other major system implemented in the organization. The SDLC is a methodology for the design and implementation of an information system in an organization based on a structured sequence of procedures to insure a rigorous process and to create a comprehensive security posture.
The first phase, investigation, is where the objectives, constraints, and scope of the project are specified. A preliminary cost/benefit analysis is developed to evaluate the perceived benefits and the appropriate levels of cost an organization is willing to expend to obtain those benefits. The feasibility analysis is performed to assess the economic, technical, and behavioral feasibilities of the process and to ensure that implementation is worth the organization’s time and effort.
In the analysis phase, the information is learned during the investigation phase and consists primarily of assessments of the organization, the status of current systems, and the capability to support the proposed systems. In the logical design phase, the information gained from the analysis phase is used to begin creating a solution system for a business problem. The next step is selecting applications capable of providing needed services based on the business need. Based on the applications needed, data support and structures capable of providing the needed inputs are selected. Then specific technologies are selected to implement the physical solution. In the end, another feasibility analysis is performed.
In the physical design phase, specific technologies are selected to support the alternatives identified and evaluated in the logical design. After another feasibility analysis, the entire solution is presented to management for approval.
In the implementation phase, any needed software is created, components are ordered, received, and tested. Afterwards, users are trained and supporting documentation is created. Again, a feasibility analysis is prepared, and sponsors are presented with the system for a performance review and acceptance test.
The maintenance and change phase consists of the tasks necessary to support and modify the system for the remainder of its useful life cycle. Even though formal development may conclude during this phase, the life cycle of the project continues until it is determined that the process should begin again from the investigation phase.
When the current system can no longer support the changed mission of the organization, the project is terminated and a new project is implemented. With software assurance (SA) as a methodological approach, security is built into the development life cycle rather than addressed at later stages. NIST (https://www.nist.gov/topics/cybersecurity) recommends that organizations incorporate the associated IT security steps into the SDLC for their development processes. It is imperative that information security be designed into a system from its inception, rather than added in during or after the implementation phase.
In this discussion, the key roles in the management of information security are described. The Chief Information Officer is the senior technology officer, although other titles such as vice president of information, VP of information technology, and VP of systems may also be used. The CIO is primarily responsible for advising the chief executive officer, president, or company owner on the strategic planning that affects the management of information in the organization. The Chief Information Security Officer is the individual primarily responsible for the assessment, management, and implementation of securing the information in the organization. The CISO may also be referred to as the manager for security, the security administrator, or a similar title.
For information security project teams, many individuals are needed. The Champion is a senior executive who promotes the project and ensures its support, both financially and administratively, at the highest levels of the organization. The Team leader is a project manager, who may be a departmental line manager or staff unit manager, understands project management, personnel management, and information security technical requirements. The Security policy developers are individuals who understand the organizational culture, policies, and requirements for developing and implementing successful policies. The Risk assessment specialists are individuals who understand financial risk assessment techniques, the value of organizational assets, and the security methods to be used. The Security professionals are dedicated, trained, and well-educated specialists in all aspects of information security from both a technical and nontechnical standpoint. The Systems administrators are individuals whose primary responsibility is administering the systems that house the information used by the organization. The End users are those who the new system will most directly impact. Ideally, a selection of users from various departments, levels, and degrees of technical knowledge assist the team in focusing on the application of realistic controls applied in ways that do not disrupt the essential business activities they seek to safeguard.
Now we will discuss the roles of those who safeguard the data. Data Owners are those responsible for the security and use of a particular set of information. Data owners usually determine the level of data classification associated with the data, as well as changes to that classification required by organizational change. The Data Custodians are those responsible for the storage, maintenance, and protection of the information. The duties of a data custodian often include overseeing data storage and backups, implementing the specific procedures and policies laid out in the security policies and plans, and reporting to the data owner. The Data Users are end users who work with the information to perform their daily jobs supporting the mission of the organization. Everyone in the organization is responsible for the security of data, so data users are included here as individuals with an information security role.
Security as Art means that there are no hard and fast rules regulating the installation of various security mechanisms, nor are there many universally accepted complete solutions. While there are many security manuals to support individual systems, once these systems are interconnected, there is no magic user’s manual for the security of the entire system. This is especially true with the complex levels of interaction between users, policy, and technology controls. Security is also a science where we are dealing with technology developed by computer scientists and engineers designed to operate at rigorous levels of performance. Even with the complexity of the technology, most scientists would agree that specific scientific conditions cause virtually all actions that occur in computer systems. Almost every fault, security hole, and systems malfunction is a result of the interaction of specific hardware and software. Social science examines the behavior of individuals as they interact with systems, whether societal systems or, in our case, information systems. End users who need the very information the security personnel are trying to protect may be the weakest link in the security chain. If security administrators understand some of the behavioral aspects of organizational science and change management, then security administrators can greatly reduce the levels of risk caused by end users, and they can create more acceptable and supportable security profiles.
