
Fundamentals of Information Systems Security/Information Security and Risk Management

Contents

- 1 Introduction
  - 1.1 Security Program
  - 1.2 Security Controls
  - 1.3 The Elements of Security
- 2 Core Information Security Principles
  - 2.1 Confidentiality
  - 2.2 Integrity
  - 2.3 Availability
- 3 Information Security Management Governance
  - 3.1 Security Governance
  - 3.2 Security Policies, Procedures, Standards, Guidelines, and Baselines
    - 3.2.1 Policies
    - 3.2.2 Standards
    - 3.2.3 Procedures
    - 3.2.4 Baselines
    - 3.2.5 Guidelines
    - 3.2.6 Putting It All Together
  - 3.3 Organizational Security Models
    - 3.3.1 COSO
    - 3.3.2 ITIL
    - 3.3.3 COBIT 4.X
    - 3.3.4 ISO/IEC 27000 Series (Formerly BS 7799/ISO 17799)
      - 3.3.4.1 BS 7799
      - 3.3.4.2 ISO 17799
      - 3.3.4.3 ISO 27000 Series
- 4 Organizational Behavior
  - 4.1 Organizational Structure Evolution
  - 4.2 Best Practices
    - 4.2.1 Job Rotation
    - 4.2.2 Separation of Duties
    - 4.2.3 Least Privilege (Need to Know)
    - 4.2.4 Mandatory Vacations
    - 4.2.5 Job Position Sensitivity
  - 4.3 Security Roles and Responsibilities
    - 4.3.1 Levels of Responsibilities
    - 4.3.2 Classification of Roles and their Responsibilities
  - 4.4 Reporting Model
  - 4.5 Enterprise-wide Security Oversight
    - 4.5.1 Defining the Goals
    - 4.5.2 Security Planning
    - 4.5.3 Personnel Security
- 5 Security Awareness, Training, and Education
  - 5.1 Conducting A Formal Security Awareness Training
  - 5.2 Awareness Activities and Methods
- 6 Information Risk Management
  - 6.1 Risk Management Concepts
  - 6.2 Risk Handling Strategies
  - 6.3 Risk Assessment/Analysis
    - 6.3.1 Identifying The Risk Elements
    - 6.3.2 A Quantitative Approach to Risk Analysis
    - 6.3.3 A Qualitative Approach to Risk Analysis
    - 6.3.4 Selecting and Implementing a Countermeasure
- 7 Information Classification
  - 7.1 Introduction
  - 7.2 Classification Types
  - 7.3 Guidelines for Information Classification
  - 7.4 Criteria for Information Classification
  - 7.5 Data Classification Procedures
  - 7.6 Classification Controls
- 8 Ethics
  - 8.1 Basic Concepts
  - 8.2 Professional Code of Ethics
    - 8.2.1 Computer Ethics Institute
    - 8.2.2 Internet Architecture Board
    - 8.2.3 The (ISC)2 Code of Ethics
  - 8.3 Example Topics in Computer Ethics
    - 8.3.1 Computers in the Workplace
    - 8.3.2 Computer Crime
    - 8.3.3 Privacy and Anonymity
    - 8.3.4 Intellectual Property
    - 8.3.5 Professional Responsibility
    - 8.3.6 Globalization
  - 8.4 Common Computer Ethics Fallacies
  - 8.5 Hacking and Hacktivism
    - 8.5.1 The Hacker Ethics
- 9 References

Introduction
Information security means protecting information (data) and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.
Information security management is the process of defining the security controls needed to protect the organization's information assets.

Security Program
The first action of a management program to implement information security is to put a security program in place. Some argue, however, that the first step should be to gain practical, demonstrable security knowledge (a "proof of concept" that can be shown on screen), for example by understanding where the operating system stores its password data on disk. Anyone who does not understand operating systems at that level should seek advice from someone who does before beginning to implement security program management and objectives.
Security Program Objectives

- Protect the company and its assets.
- Manage risks by identifying assets, discovering threats, and estimating the risk.
- Provide direction for security activities by framing information security policies, procedures, standards, guidelines, and baselines.
- Information classification.
- Security organization.
- Security education.
Security Management Responsibilities

- Determine the objectives, scope, and policies that the security program is expected to accomplish.
- Evaluate business objectives, security risks, user productivity, and functionality requirements.
- Define the steps that ensure all of the above are accounted for and properly addressed.
Approaches to Build a Security Program

- Top-Down Approach
  - Initiation, support, and direction come from top management and work their way through middle management and then to staff members.
  - Treated as the best approach, although it can rest on the assumption that those who are paid more must know more about everything.
  - Ensures that the senior managers who are ultimately responsible for protecting the company's assets are driving the program.
- Bottom-Up Approach
  - The lower-level team comes up with a security control or a program without proper management support and direction.
  - It is often considered less effective and doomed to fail, for the same flaw in thinking as above: that those who are paid more must know more about everything.

Since advancement is directly tied to how well you can convince others, who often fall outside your own job duties and department, of your value to the company through your own written communication, this produces skilled resume writers and "take no blame" e-mail responses, which tends to lead to the eventual failure of the company's standards and actual knowledge. This is often covered up by relationships that form at the power levels within any group of people, and by so-called experts who have no real idea what is involved under the hood of the reports and applications they use, and who present no proof in writing when claiming expertise or placing blame on others.

Security Controls
Security controls can be classified into three categories.
Administrative controls, which include:

- Developing and publishing policies, standards, procedures, and guidelines.
- Screening of personnel.
- Conducting security-awareness training.
- Implementing change control procedures.

Technical or logical controls, which include:

- Implementing and maintaining access control mechanisms.
- Password and resource management.
- Identification and authentication methods.
- Security devices.
- Configuration of the infrastructure.

Physical controls, which include:

- Controlling individual access into the facility and its different departments.
- Locking systems and removing unnecessary floppy or CD-ROM drives.
- Protecting the perimeter of the facility.
- Monitoring for intrusion.
- Environmental controls.

Security Note: It is the responsibility of the information owner (usually a senior executive within the management group or the head of a specific department) to protect the data; the owner exercises due care and is liable in a court of law for any kind of negligence.

The Elements of Security

Vulnerability

- A software, hardware, or procedural weakness that may provide an attacker the open door he is looking for to enter a computer or network and gain unauthorized access to resources within the environment.
- A vulnerability characterizes the absence or weakness of a safeguard that could be exploited.
- E.g.: a service running on a server, unpatched applications or operating system software, unrestricted modem dial-in access, an open port on a firewall, lack of physical security, etc.

Threat

- Any potential danger to information or systems.
- A threat is the possibility that someone (a person or a piece of software) would identify and exploit the vulnerability.
- The entity that takes advantage of a vulnerability is referred to as a threat agent. E.g.: a threat agent could be an intruder accessing the network through a port on the firewall.

Risk

- Risk is the likelihood of a threat agent taking advantage of a vulnerability and the corresponding business impact.
- Reducing the vulnerability and/or the threat reduces the risk.
- E.g.: if a firewall has several ports open, there is a higher likelihood that an intruder will use one of them to access the network in an unauthorized manner.

Exposure

- An exposure is an instance of being exposed to losses from a threat agent.
- A vulnerability exposes an organization to possible damage.
- E.g.: if password management is weak and password rules are not enforced, the company is exposed to the possibility of having users' passwords captured and used in an unauthorized manner.

Countermeasure or Safeguard

- An application, a software configuration, a hardware device, or a procedure that mitigates the risk.
- E.g.: strong password management, a security guard, access control mechanisms within an operating system, the implementation of basic input/output system (BIOS) passwords, and security-awareness training.

The Relation Between the Security Elements

- Example: if a company has antivirus software but does not keep the virus signatures up to date, this is a vulnerability. The company is vulnerable to virus attacks.
- The threat is that a virus will show up in the environment and disrupt productivity.
- The likelihood of a virus showing up in the environment and causing damage is the risk.
- If a virus infiltrates the company's environment, then the vulnerability has been exploited and the company is exposed to loss.
- The countermeasures in this situation are to update the signatures and install the antivirus software on all computers.

Threat Agent -> gives rise to -> Threat -> exploits -> Vulnerability -> leads to -> Risk -> can damage -> Assets -> and causes an -> Exposure -> can be countermeasured by -> Safeguard -> directly affects -> Threat Agent

Alternative Description:
A threat agent causes the realisation of a threat by exploiting a vulnerability. The measurement of the extent to which this exploitation causes damage is the exposure. The organisational loss created within the exposure is the impact. Risk is the probability that a threat event will generate loss and be realised within the organisation.
Example:

- Target: A bank contains money.
- Threat: There are individuals who want, or need, additional money.
- Vulnerability: The bank uses software that has a security flaw.
- Exposure: 20% of the bank's assets are affected by this flaw.
- Exploit: By running a small snippet of code (malware), the software can be accessed illegally.
- Threat Agent: There are hackers who have learned how to use this malware to control the bank's software.
- Exploitation: The hackers access the software using the malware and steal money.
- Impact: The bank loses monetary assets, reputation, and future business.
- Risk: The likelihood that a hacker will exploit the bank's software vulnerability and impact the bank's reputation and monetary resources.
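The chain of elements above (threat agent, threat, vulnerability, exposure, impact, risk, safeguard), worked through in code for the bank example and the antivirus example; this is an added example, not code from the original page. The 20% exposure is the page's figure; the asset values, the yearly likelihoods, and the reduction each safeguard achieves are constructed assumptions.

```python
"""Risk elements in code: added example, not from the original page.

Follows the chain in the text: a threat agent realises a threat by exploiting
a vulnerability; exposure is how much of the asset the exploitation damages;
impact is the resulting loss; risk combines likelihood with impact; and a
safeguard reduces the vulnerability (the likelihood) and/or the exposure.
Asset values, likelihoods and reduction factors are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Safeguard:
    name: str
    likelihood_reduction: float = 0.0  # fraction by which likelihood falls (0..1)
    exposure_reduction: float = 0.0    # fraction by which exposure falls (0..1)


@dataclass
class Scenario:
    asset: str
    asset_value: float        # assumed monetary value of the asset
    threat_agent: str
    threat: str
    vulnerability: str
    exposure: float           # fraction of the asset affected when exploited (0..1)
    likelihood: float         # assumed probability of exploitation per year (0..1)
    safeguards: List[Safeguard] = field(default_factory=list)


def _validate(s: Scenario) -> None:
    """Reject scenarios whose fractions are outside [0, 1]."""
    if not 0.0 <= s.exposure <= 1.0 or not 0.0 <= s.likelihood <= 1.0:
        raise ValueError("exposure and likelihood must be fractions in [0, 1]")


def residual_likelihood(s: Scenario, with_safeguards: bool = False) -> float:
    """Each safeguard multiplies the likelihood by (1 - its reduction)."""
    lik = s.likelihood
    if with_safeguards:
        for sg in s.safeguards:
            lik *= 1.0 - sg.likelihood_reduction
    return lik


def impact(s: Scenario, with_safeguards: bool = False) -> float:
    """Loss if the threat is realised: asset value times the exposed fraction."""
    exp = s.exposure
    if with_safeguards:
        for sg in s.safeguards:
            exp *= 1.0 - sg.exposure_reduction
    return s.asset_value * exp


def risk(s: Scenario, with_safeguards: bool = False) -> float:
    """Risk = likelihood of the threat agent exploiting the vulnerability x impact."""
    _validate(s)
    return residual_likelihood(s, with_safeguards) * impact(s, with_safeguards)


def rank(scenarios: List[Scenario]) -> List[Tuple[str, float, float]]:
    """Rows of (label, inherent risk, residual risk), highest inherent risk first."""
    rows = [(f"{s.asset}: {s.threat}", risk(s), risk(s, True)) for s in scenarios]
    return sorted(rows, key=lambda r: r[1], reverse=True)


# The page's bank example, with constructed numbers added.
BANK = Scenario(
    asset="Customer funds",
    asset_value=10_000_000.0,
    threat_agent="Hackers who know how to use the malware",
    threat="Theft of money",
    vulnerability="Security flaw in the bank's software",
    exposure=0.20,        # 20% of the bank's assets are affected by the flaw
    likelihood=0.10,
    safeguards=[Safeguard("Patch the flawed software", likelihood_reduction=0.9)],
)

# The antivirus example from 'The Relation Between the Security Elements'.
ANTIVIRUS = Scenario(
    asset="Workstations",
    asset_value=500_000.0,
    threat_agent="Malware author",
    threat="Virus disrupts productivity",
    vulnerability="Virus signatures are not kept up to date",
    exposure=0.50,
    likelihood=0.60,
    safeguards=[Safeguard("Update signatures on all computers", likelihood_reduction=0.8)],
)

if __name__ == "__main__":
    for label, inherent, residual in rank([BANK, ANTIVIRUS]):
        print(f"{label}: inherent {inherent:,.0f}, residual {residual:,.0f}")
```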

Core Information Security Principles

The three fundamental principles of security are availability, integrity, and confidentiality. They are commonly referred to as the CIA (or AIC) triad and form the main objective of any security program.
The level of security required to accomplish these principles differs per company, because each has its own unique combination of business and security goals and requirements.
All security controls, mechanisms, and safeguards are implemented to provide one or more of these principles.
All risks, threats, and vulnerabilities are measured for their potential capability to compromise one or all of the AIC principles.

Confidentiality

- Ensures that the necessary level of secrecy is enforced at each junction of data processing and prevents unauthorized disclosure. This level of confidentiality should prevail while data resides on systems and devices within the network, as it is transmitted, and once it reaches its destination.
- Threat sources
  - Network monitoring
  - Shoulder surfing: monitoring keystrokes or the screen
  - Stealing password files
  - Social engineering: one person posing as the actual
- Countermeasures
  - Encrypting data as it is stored and transmitted.
  - Using network padding.
  - Implementing strict access control mechanisms and data classification.
  - Training personnel on proper procedures.

Integrity

- Integrity of data is protected when the accuracy and reliability of information and systems is assured, and unauthorized modification is prevented.
- Threat sources
  - Viruses
  - Logic bombs
  - Backdoors
- Countermeasures
  - Strict access control
  - Intrusion detection
  - Hashing

Availability

- Availability ensures reliable and timely access to data and resources for authorized individuals.
- Threat sources
  - Device or software failure.
  - Environmental issues like heat, cold, humidity, static electricity, and contaminants can also affect system availability.
  - Denial-of-service (DoS) attacks.
- Countermeasures
  - Maintaining backups to replace the failed system.
  - IDS to monitor the network traffic and host system activities.
  - Use of certain firewall and router configurations.

Information Security Management Governance

Security Governance
Governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately, and verifying that the enterprise's resources are used responsibly.
Information Security Governance (ISG) is a subset discipline of corporate governance focused on information security systems and their performance and risk management.

Security Policies, Procedures, Standards, Guidelines, and Baselines
Policies
A security policy is an overall general statement produced by senior management (or a selected policy board or committee) that dictates what role security plays within the organization.
A well-designed policy addresses:

1. What is being secured? Typically an asset.
2. Who is expected to comply with the policy? Typically employees.
3. Where is the vulnerability, threat, or risk? Typically an issue of integrity or responsibility.
Types of Policies

- Regulatory: This type of policy ensures that the organization is following standards set by specific industry regulations. It is very detailed and specific to a type of industry. It is used in financial institutions, health care facilities, public utilities, and other government-regulated industries. E.g.: TRAI.
- Advisory: This type of policy strongly advises employees regarding which types of behaviors and activities should and should not take place within the organization. It also outlines possible ramifications if employees do not comply with the established behaviors and activities. This policy type can be used, for example, to describe how to handle medical information, handle financial transactions, or process confidential information.
- Informative: This type of policy informs employees of certain topics. It is not an enforceable policy, but rather one to teach individuals about specific issues relevant to the company. It could explain how the company interacts with partners, the company's goals and mission, and a general reporting structure in different situations.
Types of Security Policies

- Organizational
  - Management establishes how a security program will be set up, lays out the program's goals, assigns responsibilities, shows the strategic and tactical value of security, and outlines how enforcement should be carried out.
  - Provides scope and direction for all future security activities within the organization.
  - This policy must address relevant laws, regulations, and liability issues and how they are to be satisfied.
  - It also describes the amount of risk senior management is willing to accept.
  - Characteristics
    - Business objectives should drive the policy's creation, implementation, and enforcement. The policy should not dictate business objectives.
    - It should be an easily understood document that is used as a reference point for all employees and management.
    - It should be developed and used to integrate security into all business functions and processes.
    - It should be derived from and support all legislation and regulation applicable to the company.
    - It should be reviewed and modified as a company changes, such as through adoption of a new business model, merger with another company, or change of ownership.
    - Each iteration of the policy should be dated and under version control.
    - The units and individuals who are governed by the policy must have access to the applicable portions and not be expected to read all policy material to find direction and answers.
- Issue-specific
  - Addresses specific security issues that management feels need more detailed explanation and attention, to make sure a comprehensive structure is built and all employees understand how they are to comply with these security issues.
  - E.g.: an e-mail policy might state that management can read any employee's e-mail messages that reside on the mail server, but not when they reside on the user's workstation.
- System-specific
  - Presents management's decisions that are specific to the actual computers, networks, applications, and data.
  - This type of policy may provide an approved software list, which contains the applications that may be installed on individual workstations.
  - E.g.: this policy may describe how databases are to be used and protected, how computers are to be locked down, and how firewalls, IDSs, and scanners are to be employed.
Standards

- Standards refer to mandatory activities, actions, rules, or regulations.
- Standards give a policy its support and reinforcement in direction.
- Standards can be internal, or externally mandated (government laws and regulations).

Procedures

- Procedures are detailed step-by-step tasks that should be performed to achieve a certain goal.
- E.g.: we can write procedures on how to install operating systems, configure security mechanisms, implement access control lists, set up new user accounts, assign computer privileges, audit activities, destroy material, report incidents, and much more.
- Procedures are considered the lowest level in the policy chain because they are closest to the computers and users (compared to policies) and provide detailed steps for configuration and installation issues.
- Procedures spell out how the policy, standards, and guidelines will actually be implemented in an operating environment.
- If a policy states that all individuals who access confidential information must be properly authenticated, the supporting procedures will explain the steps for this to happen by defining the access criteria for authorization, how access control mechanisms are implemented and configured, and how access activities are audited.

Baselines

- A baseline can refer to a point in time that is used as a comparison for future changes. Once risks have been mitigated and security put in place, a baseline is formally reviewed and agreed upon, after which all further comparisons and development are measured against it.
- A baseline results in a consistent reference point.
- Baselines are also used to define the minimum level of protection that is required.
- In security, specific baselines can be defined per system type, indicating the necessary settings and the level of protection being provided. For example, a company may stipulate that all accounting systems must meet an Evaluation Assurance Level (EAL) 4 baseline.

Security Note: Baselines that are not technology-oriented should be created and enforced within organizations as well. For example, a company can mandate that all employees must have a badge with a picture ID in view while in the facility at all times. It can also state that visitors must sign in at a front desk and be escorted while in the facility. If these are followed, then this creates a baseline of protection.
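Hashing, listed as an integrity countermeasure in the Integrity section, combined with the point-in-time baseline described above: an added example, not code from the original page, that records a hash baseline of a file tree and later reports which files were modified, removed, or added. The file tree and its contents are constructed inside a temporary directory; keeping the baseline as an in-memory JSON string stands in for storing it signed or on read-only media.

```python
"""File-integrity baseline: added example, not code from the original page.

Records a hash per file as the baseline (a point in time to compare future
changes against) and later classifies every deviation, so that unauthorized
modification is detected rather than silently accepted.
"""
import hashlib
import json
import os
import tempfile
from typing import Dict, List

HASH_ALGORITHM = "sha256"


def hash_file(path: str) -> str:
    """Hex digest of a file, read in chunks so large files need little memory."""
    digest = hashlib.new(HASH_ALGORITHM)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: str) -> Dict[str, str]:
    """Map each file under `root` (relative path, '/' separators) to its digest."""
    baseline: Dict[str, str] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline


def compare_to_baseline(root: str, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify deviations: changed content, files gone, files that appeared."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def is_clean(report: Dict[str, List[str]]) -> bool:
    """True when the tree still matches its baseline exactly."""
    return not any(report.values())


def _write(root: str, rel: str, text: str) -> None:
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)


def demo() -> Dict[str, Dict[str, List[str]]]:
    """Constructed scenario: baseline a small tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/app.conf", "debug = off\nauth = required\n")
        _write(root, "etc/hosts.allow", "ALL: 10.0.0.0/8\n")

        # Baseline is taken once security is in place; serialised as it would
        # be when stored (constructed here, kept in memory).
        stored = json.dumps(build_baseline(root), indent=1, sort_keys=True)
        before = compare_to_baseline(root, json.loads(stored))

        # Unauthorized modification: authentication switched off, one file
        # removed, one unexpected file dropped in.
        _write(root, "etc/app.conf", "debug = off\nauth = none\n")
        os.remove(os.path.join(root, "etc", "hosts.allow"))
        _write(root, "etc/extra.conf", "x\n")
        after = compare_to_baseline(root, json.loads(stored))

        return {"before": before, "after": after}


if __name__ == "__main__":
    for stage, report in demo().items():
        print(stage, "clean" if is_clean(report) else report)
```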

Guidelines

- Guidelines are recommended actions and operational guides to users, IT staff, operations staff, and others when a specific standard does not apply.
- Guidelines can deal with the methodologies of technology, personnel, or physical security.

Putting It All Together

- A policy might state that access to confidential data must be audited. A supporting guideline could further explain that audits should contain sufficient information to allow for reconciliation with prior reviews. Supporting procedures would outline the necessary steps to configure, implement, and maintain this type of auditing.
- Policies are strategic (long term), while standards, guidelines, and procedures are tactical (medium term).
Organizational Security Models
Some of the best practices that facilitate the implementation of security controls include Control Objectives for Information and Related Technology (COBIT), ISO/IEC 17799/BS 7799, the Information Technology Infrastructure Library (ITIL), and Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE).
COSO
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a U.S. private-sector initiative, formed in 1985. Its major objective is to identify the factors that cause fraudulent financial reporting and to make recommendations to reduce its incidence. COSO has established a common definition of internal controls, standards, and criteria against which companies and organizations can assess their control systems.
Key concepts of the COSO framework

- Internal control is a process. It is a means to an end, not an end in itself.
- Internal control is effected by people. It is not merely policy manuals and forms, but people at every level of an organization.
- Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity's management and board.
- Internal control is geared to the achievement of objectives in one or more separate but overlapping categories.

The COSO framework defines internal control as a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws and regulations.
COSO Internal Control Framework: the five components
According to the COSO framework, internal control consists of five interrelated components. These components provide an effective framework for describing and analyzing the internal control system implemented in an organization. The five components are the following:

- Control environment: The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include the integrity, ethical values, management's operating style, delegation of authority systems, as well as the processes for managing and developing people in the organization.
- Risk assessment: Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is establishment of objectives, and thus risk assessment is the identification and analysis of relevant risks to achievement of assigned objectives. Risk assessment is a prerequisite for determining how the risks should be managed.
- Control activities: Control activities are the policies and procedures that help ensure management directives are carried out. They help ensure that necessary actions are taken to address risks to achievement of the entity's objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets, and separation of duties/segregation of duties.
- Information and communication: Information systems play a key role in internal control systems as they produce reports, including operational, financial, and compliance-related information, that make it possible to run and control the business. In a broader sense, effective communication must ensure information flows down, across, and up the organization. Effective communication should also be ensured with external parties, such as customers, suppliers, regulators, and shareholders.
- Monitoring: Internal control systems need to be monitored, a process that assesses the quality of the system's performance over time. This is accomplished through ongoing monitoring activities or separate evaluations. Internal control deficiencies detected through these monitoring activities should be reported upstream and corrective actions should be taken to ensure continuous improvement of the system.
ITIL
The Information Technology Infrastructure Library (ITIL) is a set of concepts and techniques for managing information technology (IT) infrastructure, development, and operations.
ITIL is published in a series of books, each of which covers an IT management topic.
Overview and Benefits
ITIL provides a systematic and professional approach to the management of IT service provision. Adopting its guidance offers users a wide range of benefits that include:

- reduced costs;
- improved IT services through the use of proven best practice processes;
- improved customer satisfaction through a more professional approach to service delivery;
- standards and guidance;
- improved productivity;
- improved use of skills and experience; and
- improved delivery of third-party services through the specification of ITIL or ISO 20000 as the standard for service delivery in services procurements.

ITIL v3
ITIL v3, which was published in May 2007, comprises 5 key volumes:

1. Service Strategy
2. Service Design
3. Service Transition
4. Service Operation
5. Continual Service Improvement
COBIT 4.X
The Control Objectives for Information and related Technology (COBIT 4.X) is a set of best practices (a framework) for information technology (IT) management created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI) in 1992. COBIT provides managers, auditors, and IT users with a set of generally accepted measures, indicators, processes, and best practices to assist them in maximizing the benefits derived through the use of information technology and in developing appropriate IT governance and control in a company.
Overview

- COBIT has 34 high-level processes that cover 210 control objectives categorized in four domains:
  - Planning and Organization
  - Acquisition and Implementation
  - Delivery and Support
  - Monitoring
- COBIT provides benefits to managers, IT users, and auditors:
  - Managers benefit from COBIT because it provides them with a foundation upon which IT-related decisions and investments can be based. Decision making is more effective because COBIT aids management in defining a strategic IT plan, defining the information architecture, acquiring the necessary IT hardware and software to execute an IT strategy, ensuring continuous service, and monitoring the performance of the IT system.
  - IT users benefit from COBIT because of the assurance provided to them by COBIT's defined controls, security, and process governance.
  - COBIT benefits auditors because it helps them identify IT control issues within a company's IT infrastructure. It also helps them corroborate their audit findings.

COBIT structure

- Plan and Organize: The Planning and Organization domain covers the use of information and technology and how best it can be used in a company to help achieve the company's goals and objectives. It also highlights the organizational and infrastructural form IT is to take in order to achieve the optimal results and to generate the most benefits from the use of IT.
- Acquire and Implement: The Acquire and Implement domain covers identifying IT requirements, acquiring the technology, and implementing it within the company's current business processes. This domain also addresses the development of a maintenance plan that a company should adopt in order to prolong the life of an IT system and its components.
- Delivery and Support: The Delivery and Support domain focuses on the delivery aspects of the information technology. It covers areas such as the execution of the applications within the IT system and its results, as well as the support processes that enable the effective and efficient execution of these IT systems. These support processes include security issues and training.
- Monitor and Evaluate: The Monitoring and Evaluation domain deals with a company's strategy in assessing the needs of the company and whether or not the current IT system still meets the objectives for which it was designed and the controls necessary to comply with regulatory requirements. Monitoring also covers the issue of an independent assessment of the effectiveness of the IT system in its ability to meet business objectives and the company's control processes by internal and external auditors.
ISO/IEC 27000 Series (Formerly BS 7799/ISO 17799)
Tracking the history of the ISO/IEC 27000-series of standards is somewhat of a challenge. This section provides the history of the ISO standard for information security management that began with BS 7799 and later resulted in ISO 17799 and eventually the ISO 27000 "family of standards" for Information Security Management Systems (ISMS). Like the other control and governance models, the ISO 27000 series provides a set of guidelines and best practices for information security management. The standards are the product of ISO/IEC JTC1 (Joint Technical Committee 1) SC27 (Sub Committee 27), an international body that meets in person twice a year. The International Standards Organization (ISO) also develops standards for quality control, environmental protection, product usability, manufacturing, etc.
BS 7799
BS 7799 is divided into 3 parts:

- BS 7799 Part 1 was a standard originally published as BS 7799 by the British Standards Institute (BSI) in 1995.
  - It was eventually adopted by ISO as ISO/IEC 17799, "Information Technology - Code of practice for information security management," in 2000.
  - ISO/IEC 17799 was most recently revised in June 2005 and was renamed ISO/IEC 27002 in July 2007.
- BS 7799 Part 2 was first published by BSI in 1999, titled "Information Security Management Systems - Specification with guidance for use." It is focused on how to implement an information security management system (ISMS).
  - The 2002 version of BS 7799-2 introduced the Plan-Do-Check-Act (PDCA) cycle (the Deming quality assurance model), aligning it with quality standards such as ISO 9000.
  - BS 7799 Part 2 was adopted by ISO as ISO/IEC 27001 in November 2005.
- BS 7799 Part 3 was published in 2005, covering risk analysis and management. It aligns with ISO/IEC 27001.
ISO 17799

- Derived from BS 7799.
- It is an internationally recognized ISM standard that provides high-level, conceptual recommendations on enterprise security.
- ISO 17799 has 2 parts:
  - Part I is an implementation guide with guidelines on how to build a comprehensive information security infrastructure.
  - Part II is an auditing guide based on requirements that must be met for an organization to be deemed compliant with ISO 17799.
- ISO 17799 domains:
  - Information security policy for the organization: Map of business objectives to security, management's support, security goals, and responsibilities.
  - Creation of information security infrastructure: Create and maintain an organizational security structure through the use of a security forum, a security officer, defining security responsibilities, an authorization process, outsourcing, and independent review.
  - Asset classification and control: Develop a security infrastructure to protect organizational assets through accountability and inventory, classification, and handling procedures.
  - Personnel security: Reduce risks that are inherent in human interaction by screening employees, defining roles and responsibilities, training employees properly, and documenting the ramifications of not meeting expectations.
  - Physical and environmental security: Protect the organization's assets by properly choosing a facility location, erecting and maintaining a security perimeter, implementing access control, and protecting equipment.
  - Communications and operations management: Carry out operations security through operational procedures, proper change control, incident handling, separation of duties, capacity planning, network management, and media handling.
  - Access control: Control access to assets based on business requirements, user management, authentication methods, and monitoring.
  - System development and maintenance: Implement security in all phases of a system's lifetime through development of security requirements, cryptography, integrity, and software development procedures.
  - Business continuity management: Counter disruptions of normal operations by using continuity planning and testing.
  - Compliance: Comply with regulatory, contractual, and statutory requirements by using technical controls, system audits, and legal awareness.
ISO 27000 Series[edit]
The ISO/IEC 27000-series (also known as the 'ISMS Family of Standards' or 'ISO27k' for short)
comprises information security standards published jointly by the International Organization for
Standardization (ISO) and the International Electrotechnical Commission (IEC).
The series provides best practice recommendations on information security management, risks and
controls within the context of an overall Information Security Management System (ISMS), similar in
design to management systems for quality assurance (the ISO 9000 series) and environmental
protection (the ISO 14000 series).
The series is deliberately broad in scope, covering more than just privacy, confidentiality and IT or
technical security issues. It is applicable to organizations of all shapes and sizes. All organizations
are encouraged to assess their information security risks, then implement appropriate information
security controls according to their needs, using the guidance and suggestions where relevant.
Given the dynamic nature of information security, the ISMS concept incorporates continuous
feedback and improvement activities, summarized by Deming's "plan-do-check-act" approach, that
seek to address changes in the threats, vulnerabilities or impacts of information security incidents.
The following are the currently published 27000-series standards:
 ISO 27000 Overview and vocabulary overview and glossary of terms.
 ISO 27001 Information security management systems -- Requirements. This is the
specification/requirements for an information security management system (an ISMS) which
replaced the old BS7799-2 standard
 ISO 27002 Code of practice for information security management. This is the 27000 series
standard number of what was originally the ISO 17799 standard (which itself was formerly
known as BS7799-1).
 ISO 27003 Information security management system implementation guidance. This will be the official number of a new standard intended to offer guidance for the implementation of an ISMS (IS Management System).
 ISO 27004 Information security management -- Measurement. This standard covers information security system management measurement and metrics, including suggested ISO27002-aligned controls.
 ISO 27005 Information security risk management. This is the methodology-independent ISO standard for information security risk management.
 ISO 27006 Requirements for bodies providing audit and certification of information security
management systems. This standard provides guidelines for the accreditation of organizations
offering ISMS certification.
Other 27000-series ISO publications:
 ISO 27011 Information security management guidelines for telecommunications organizations based on ISO/IEC 27002
 ISO 27033 Network security -- Part 1: Overview and concepts
 ISO 27799 Health informatics -- Information security management in health using ISO/IEC
27002
Although the list of ISO 27000-series standards for information security management continues to grow in number, ISO/IEC 27002 and ISO/IEC 27001 remain the most used standards, because they provide the most basic guidance for an enterprise information security program's practices and processes, and also because they are the most current versions of their popular predecessors (BS 7799 and ISO 17799).

Organizational Behavior[edit]
Organizational Structure Evolution[edit]
 Today's Security Organizational Structure
Best Practices[edit]
Job Rotation[edit]
Job Rotation is an approach to management development in which an individual is moved through a schedule of assignments designed to give him or her a breadth of exposure to the entire operation.
Job rotation is also practiced to allow qualified employees to gain more insights into the processes of
a company and to increase job satisfaction through job variation.
Separation of Duties[edit]
Separation of duties (SoD) is the concept of having more than one person required to complete a
task. It is alternatively called segregation of duties or, in the political realm, separation of powers.
***WARNING*** about possible shortcomings of SoD ****** This approach can make it very difficult to determine the underlying causes of errors or failures in a large-scale entity's production automation, because no one person is able to view the information flow process from the "big picture". For example, an automated program may start an application that is not producing the correct output data but is not clearly failing with an error message alert, while running on a virtual server client that transports the data file it creates to an outside client, and so on. Each individual in a separated department will typically just glance at the application software used to manage their specified section on their monitor screen, see no obvious errors, assume the unknown error causing the complete system or process failure is not within their section, and go back to the practice of communicating effectively while writing up all the great accomplishments they delivered that furthered the entity's stated goals, to have available for their next review with management, because that is what HR told them to do. (Not that this behavior is faulty or wrong in any sense; it is actually doing what the entity's incentives are geared to encourage, not only for advancement but to keep a job as well.)
Without those few and far between expert-level technicians who have (or can get) the administration rights to view all aspects of any given production process, it will be nearly impossible to determine the underlying cause, and this can lead to outrageous decisions as to what the problem must have been. (For example: deciding to quit using all virtual servers and go back to multiple physical server machines, each connected to its own monitor, all because no error handling was coded into the in-house written .NET program. Or nobody realizing that the automated software machine was running into RAM issues because every automated job was set to auto-start at exactly 6:00, and MS Windows has a built-in limit of a maximum of 10 network connections at one time even at the enterprise level, and so forth.) ***These SoD positions are of no interest to those high-level technical experts who seek to be constantly challenged.***
Overview

 In basic terms, SoD means that no single individual should have control over two or more phases of a transaction or operation, so that deliberate fraud is more difficult because it requires the collusion of two or more individuals or parties.
 With the concept of SoD, business-critical duties can be categorized into four types of functions: authorization, custody, record keeping, and reconciliation. In a perfect system, no one person should handle more than one type of function.
 In information systems, segregation of duties helps reduce the potential damage from the actions of one person. The IS or end-user department should be organized in a way that achieves adequate separation of duties.
Control Mechanisms to enforce SoD
There are several control mechanisms that can help to enforce the segregation of duties:

 Audit trails enable IT managers or auditors to recreate the actual transaction flow from the point of origination to its existence on an updated file. Good audit trails should be enabled to provide information on who initiated the transaction, the time of day and date of entry, the type of entry, what fields of information it contained, and what files it updated.
 Reconciliation of applications and an independent verification process are ultimately the responsibility of users, and can be used to increase the level of confidence that an application ran successfully.
 Exception reports are handled at supervisory level, backed up by evidence noting that exceptions are handled properly and in a timely fashion. A signature of the person who prepares the report is normally required.
 Manual or automated system or application transaction logs should be maintained, recording all processed system commands or application transactions.
 Supervisory review should be performed through observation and inquiry and the trust built directly with one-level-up managers.
 To compensate for repeated mistakes or intentional failures to follow a prescribed procedure, independent reviews are recommended. Such reviews can help detect errors and irregularities, but they are usually expensive, and they raise the question of how much an outside independent review once a quarter can know about your processes compared to the people within, and what level of trust can be built with those independent reviewers.
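The audit-trail and four-function-type controls described above, as an added example that is not part of the original text: a small Python script that reconstructs each transaction's flow from constructed audit lines, flags any user who performed more than one function type within a transaction, and checks granted rights for the same conflict. The audit-line format, the entry types and their mapping to the four function types are assumptions of this example.

```python
# Added example, not from the original page: reconstruct a transaction flow from an
# audit trail and flag separation-of-duties (SoD) violations. The audit-line format,
# the entry types and their mapping to the four function types are assumptions.
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# The four function types named in the text.
FUNCTION_TYPES = {"authorization", "custody", "record_keeping", "reconciliation"}

# Assumed mapping from audit-trail entry types to SoD function types.
ENTRY_TO_FUNCTION = {
    "approve_payment": "authorization",
    "release_funds": "custody",
    "post_ledger": "record_keeping",
    "reconcile_account": "reconciliation",
}

@dataclass(frozen=True)
class AuditEntry:
    """One audit record: when, who, which transaction, entry type, fields, file."""
    timestamp: str
    user: str
    txn_id: str
    entry_type: str
    fields: str
    file_updated: str

def parse_audit_trail(lines: List[str]) -> List[AuditEntry]:
    """Parse pipe-delimited lines (assumed format):
    timestamp|user|txn_id|entry_type|fields|file_updated
    Blank lines and '#' comments are skipped; malformed lines raise."""
    entries = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("|")
        if len(parts) != 6:
            raise ValueError(f"malformed audit line: {line!r}")
        entry = AuditEntry(*parts)
        if entry.entry_type not in ENTRY_TO_FUNCTION:
            raise ValueError(f"unknown entry type {entry.entry_type!r}: {line!r}")
        entries.append(entry)
    return entries

def reconstruct_flow(entries: List[AuditEntry]) -> Dict[str, List[AuditEntry]]:
    """Group entries by transaction in time order: the 'recreate the actual
    transaction flow from origination to updated file' step."""
    flows: Dict[str, List[AuditEntry]] = defaultdict(list)
    for e in entries:
        flows[e.txn_id].append(e)
    return {txn: sorted(flow, key=lambda e: e.timestamp) for txn, flow in flows.items()}

def sod_violations(flows: Dict[str, List[AuditEntry]]) -> Dict[str, Dict[str, List[str]]]:
    """Return {txn_id: {user: [function types]}} for each user who performed more
    than one SoD function type within one transaction (detective control)."""
    violations: Dict[str, Dict[str, List[str]]] = {}
    for txn, flow in flows.items():
        per_user: Dict[str, set] = defaultdict(set)
        for e in flow:
            per_user[e.user].add(ENTRY_TO_FUNCTION[e.entry_type])
        conflicts = {u: sorted(f) for u, f in per_user.items() if len(f) > 1}
        if conflicts:
            violations[txn] = conflicts
    return violations

def role_conflicts(assignments: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Preventive check on granted rights: users whose assignments span more than
    one of the four function types."""
    result = {}
    for user, fns in assignments.items():
        held = set(fns) & FUNCTION_TYPES
        if len(held) > 1:
            result[user] = sorted(held)
    return result

# Constructed sample audit trail: T100 is split across four people; in T101 the
# same user both approves the payment (authorization) and releases funds (custody).
SAMPLE_AUDIT = [
    "# timestamp|user|txn_id|entry_type|fields|file_updated",
    "2024-03-01T09:00:00|alice|T100|approve_payment|amount,payee|payments.dat",
    "2024-03-01T09:05:00|bob|T100|release_funds|amount,account|treasury.dat",
    "2024-03-01T09:10:00|carol|T100|post_ledger|amount,gl_code|ledger.dat",
    "2024-03-02T08:00:00|dave|T100|reconcile_account|balance|recon.dat",
    "2024-03-01T10:00:00|alice|T101|approve_payment|amount,payee|payments.dat",
    "2024-03-01T10:02:00|alice|T101|release_funds|amount,account|treasury.dat",
    "2024-03-01T10:09:00|carol|T101|post_ledger|amount,gl_code|ledger.dat",
]

# Constructed role assignments: bob holds both custody and reconciliation rights.
SAMPLE_ASSIGNMENTS = {"alice": ["authorization"], "bob": ["custody", "reconciliation"],
                      "carol": ["record_keeping"]}

def audit_report(lines=SAMPLE_AUDIT, assignments=SAMPLE_ASSIGNMENTS) -> dict:
    """Run the detective and preventive checks together."""
    flows = reconstruct_flow(parse_audit_trail(lines))
    return {"transactions": sod_violations(flows), "roles": role_conflicts(assignments)}
```

The transaction check is the detective side (it only finds a violation after the fact); the role check is the preventive side that keeps the conflicting rights from being granted in the first place.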
Least Privilege (Need to Know)[edit]
Introduction
The principle of least privilege, also known as the principle of minimal privilege or just least privilege,
requires that in a particular abstraction layer of a computing environment every module (such as a
process, a user or a program on the basis of the layer we are considering) must be able to access
only such information and resources that are necessary to its legitimate purpose.
Note: This principle is a useful security tool, but it has never been successful at enforcing high
assurance security on a system.
Benefits

 Better system stability. When code is limited in the scope of changes it can make to a system, it
is easier to test its possible actions and interactions with other applications. In practice for
example, applications running with restricted rights will not have access to perform operations
that could crash a machine, or adversely affect other applications running on the same system.
 Better system security. When code is limited in the system-wide actions it may perform,
vulnerabilities in one application cannot be used to exploit the rest of the machine. For example,
Microsoft states “Running in standard user mode gives customers increased protection against
inadvertent system-level damage caused by "shatter attacks" and malware, such as root kits,
spyware, and undetectable viruses.” [1]
 Ease of deployment. In general, the fewer privileges an application requires, the easier it is to deploy within a larger environment. This usually results from the first two benefits: applications that install device drivers or require elevated security privileges typically have additional steps involved in their deployment. For example, on Windows a solution with no device drivers can be run directly with no installation, while device drivers must be installed separately using the Windows Installer service in order to grant the driver elevated privileges.
Mandatory Vacations[edit]
Mandatory vacations of one to two weeks are used to audit and verify the work tasks and privileges
of employees. This often results in easy detection of abuse, fraud, or negligence.
Job Position Sensitivity[edit]
Security Roles and Responsibilities[edit]
Levels of Responsibilities[edit]

 Senior management and other levels of management understand the vision of the company, the
business goals, and the objectives.
 Functional management, whose members understand how their individual departments work,
what roles individuals play within the company, and how security affects their department
directly.
 Operational managers and staff. These layers are closer to the actual operations of the
company. They know detailed information about the technical and procedural requirements, the
systems, and how the systems are used. The employees at these layers understand how
security mechanisms integrate into systems, how to configure them, and how they affect daily
productivity.
Classification of Roles and their Responsibilities[edit]
Data Owner

 The data owner (information owner) is usually a member of management, in charge of a specific
business unit, and is ultimately responsible for the protection and use of a specific subset of
information.
 The data owner decides upon the classification of the data that he is responsible for and alters
that classification if the business needs arise.
 This person is also responsible for ensuring that the necessary security controls are in place,
ensuring that proper access rights are being used, defining security requirements per
classification and backup requirements, approving any disclosure activities, and defining user
access criteria.
 The data owner approves access requests or may choose to delegate this function to business
unit managers. And it is the data owner who will deal with security violations pertaining to the
data he is responsible for protecting.
 The data owner, who obviously has enough on his plate, delegates responsibility of the day-to-
day maintenance of the data protection mechanisms to the data custodian.
Data Custodian

 The data custodian (information custodian) is responsible for maintaining and protecting the
data.
 This role is usually filled by the IT department, and the duties include performing regular
backups of the data, periodically validating the integrity of the data, restoring data from backup
media, retaining records of activity, and fulfilling the requirements specified in the company's
security policy, standards, and guidelines that pertain to information security and data protection.
System Owner

 The system owner is responsible for one or more systems, each of which may hold and process
data owned by different data owners.
 A system owner is responsible for integrating security considerations into application and system
purchasing decisions and development projects.
 The system owner is responsible for ensuring that adequate security is being provided by the
necessary controls, password management, remote access controls, operating system
configurations, and so on.
 This role needs to ensure that the systems are properly assessed for vulnerabilities and must
report any to the incident response team and data owner.
Security Administrator

 A security administrator's tasks are many, and include creating new system user accounts,
implementing new security software, testing security patches and components, and issuing new
passwords.
 The security administrator role needs to make sure that access rights that are given to users
support the policies and data owner directives.
Security Analyst

 This role works at a higher, more strategic level than the previously described roles and helps to
develop policies, standards, and guidelines and set various baselines.
 Whereas the previous roles are "in the weeds" and focusing on their pieces and parts of the
security program, a security analyst helps define the security program elements and follows
through to ensure that the elements are being carried out and practiced properly. This person
works more at a design level than at an implementation level.
Application Owner

 Application owners, usually the business unit managers, are responsible for dictating who can and cannot access their applications, such as the accounting software or the software used for testing and development.
Supervisor

 This role, also called user manager, is ultimately responsible for all user activity and any assets created and owned by these users. Its duties include ensuring that all his employees understand their responsibilities with respect to security, distributing initial passwords, making sure that the employees' account information is up to date, and informing the security administrator when an employee is fired, suspended, or transferred.
Change Control Analyst

 The change control analyst is responsible for approving or rejecting requests to make changes
to the network, systems, or software.
 This role needs to make sure that the change will not introduce any vulnerability, that it has been
properly tested, and that it is properly rolled out.
 The change control analyst needs to understand how various changes can affect security,
interoperability, performance, and productivity.
Data Analyst

 The data analyst is responsible for ensuring that data is stored in a way that makes the most
sense to the company and the individuals who need to access and work with it.
 The data analyst role may be responsible for architecting a new system that will hold company
information or advising in the purchase of a product that will do this.
 The data analyst works with the data owners to help ensure that the structures that are set up
coincide with and support the company's business objectives.
Process Owner

 Security should be considered and treated like just another business process. The process
owner is responsible for properly defining, improving upon, and monitoring these processes.
 A process owner is not necessarily tied to one business unit or application. Complex processes
involve a lot of variables that can span across different departments, technologies, and data
types.
Solution Provider

 This role is called upon when a business has a problem or requires that a process be improved
upon.
 A solution provider works with the business unit managers, data owners, and senior
management to develop and deploy a solution to reduce the company's pain points.
User

 The user is any individual who routinely uses the data for work-related tasks.
 The user must have the necessary level of access to the data to perform the duties within their
position and is responsible for following operational security procedures to ensure the data's
confidentiality, integrity, and availability to others.
Product Line Manager

 Responsible for explaining business requirements to vendors and wading through their rhetoric
to see if the product is right for the company
 Responsible for ensuring compliance to license agreements
 Responsible for translating business requirements into objectives and specifications for the
developer of a product or solution
 Decides if his company really needs to upgrade their current systems
 This role must understand business drivers, business processes, and the technology that is
required to support them.
 The product line manager evaluates different products in the market, works with vendors,
understands different options a company can take, and advises management and business units
on the proper solutions that are needed to meet their goals.
Responsibilities of the Information Security Officer

 Communicate Risks to Executive Management
 Budget for Information Security Activities
 Ensure Development of Policies, Procedures, Baselines, Standards, and Guidelines
 Develop and Provide Security Awareness Program
 Understand Business Objectives
 Maintain Awareness of Emerging Threats and Vulnerabilities
 Evaluate Security Incidents and Response
 Develop Security Compliance Program
 Establish Security Metrics
 Participate in Management Meetings
 Ensure Compliance with Government Regulations
 Assist Internal and External Auditors
 Stay Abreast of Emerging Technologies
Reporting Model[edit]
 Business Relationships
 Reporting to the CEO
 Reporting to the Information Technology (IT) Department
 Reporting to Corporate Security
 Reporting to the Administrative Services Department
 Reporting to the Insurance and Risk Management Department
 Reporting to the Internal Audit Department
 Reporting to the Legal Department
 Determining the Best Fit
Enterprise-wide Security Oversight[edit]
Defining the Goals[edit]

 Vision Statement
 Mission Statement
Security Planning[edit]

 Strategic Planning
 Tactical Planning
 Operational and Project Planning
Personnel Security[edit]
There are many facets of personnel responsibilities that fall under management's umbrella, and several of these facets have a direct correlation to the overall security of the environment, such as:

 Hiring the most qualified individuals
 Performing background checks of the personnel using detailed job descriptions
 Providing necessary training
 Enforcing strict access controls, and
 Terminating individuals in a way that protects all parties involved.
Hiring Practices
Depending on the position that needs to be filled, a level of screening should be done by human
resources to ensure that the company hires the right individual for the right job.

 Skills should be tested and evaluated, and the caliber and character of the individual should be
examined.
 Nondisclosure agreements need to be developed and signed by new employees to protect the
company and its sensitive information.
 Any conflicts of interests need to be addressed, and there should be different agreements and
precautions taken with temporary and contract employees.
 References should be checked, military records should be reviewed, education should be
verified, and if necessary, a drug test should be administered.
 Many times, important personal behaviors can be concealed, and that is why hiring practices
should include scenario questions, personality tests, and observations of the individual, instead
of just looking at a person's work history.
Employee Controls

 A management structure must be in place to make sure that everyone has someone to report to
and that the responsibility for another person's actions is spread equally and intelligently.
 Consequences for noncompliance or unacceptable behavior must be communicated before an
event takes place.
 Proper supervisory skills need to be acquired and used to ensure that operations go smoothly
and any out-of-the-ordinary activities can be taken care of before they get out of control.
 Rotation of duties should be employed in order to keep control of each department in a healthy and productive state. No one person should stay in one position for a long period of time, because they may end up having too much control over a segment of the business, resulting in fraud, data modification, and misuse of resources.
 Employees in sensitive areas should be forced to take their vacation, which is known as a mandatory vacation policy; this gives the individual who fills in for them the opportunity to detect any fraudulent errors or activities.
 Two variations of separation of duties and control are split knowledge and dual control.
o In both cases, two or more individuals are authorized and required to perform a duty or task.
o In the case of split knowledge, no one person knows or has all the details to perform a task.
o In the case of dual control, two individuals are again authorized to perform a task, but both
must be available and active in their participation to complete the task or mission.
Termination

 Companies should have a specific set of procedures to follow with each and every termination.

Security Awareness, Training, and Education[edit]
Conducting A Formal Security Awareness Training[edit]
The Need
The management's directives pertaining to security are captured in the security policy, and the
standards, procedures, and guidelines are developed to support these directives. However, these
directives will not be effective if no one knows about them and how the company expects them to be
implemented.

 For security to be successful and effective, senior management on down to the rest of the staff
needs to be fully aware of the importance of enterprise and information security.
 All employees should understand the underlying significance of security and the specific security
related requirements expected out of them.
 The controls and procedures of a security program should reflect the nature of the data being
processed.
 The security program should be developed in a fashion that makes sense for the different
cultures and environments.
 The security program should communicate the what, how, and why of security to its employees.
 Security-awareness training should be comprehensive, tailored for specific groups, and
organization-wide with a goal that each employee understands the importance of security to the
company as a whole and to each individual.
 Expected responsibilities and acceptable behaviours need to be clarified, and noncompliance
repercussions, which could range from a warning to dismissal, need to be explained before
being invoked.
Different Types of Security Awareness Trainings
There are usually at least three separate audiences for a security-awareness program:
management, staff, and technical employees.

 Each type of awareness training needs to be geared toward the individual audience to ensure
that each group understands its particular responsibilities, liabilities, and expectations.
 Members of management would benefit the most from a short, focused security awareness
orientation that discusses corporate assets and financial gains and losses pertaining to security.
 Mid-management would benefit from a more detailed explanation of the policies, procedures,
standards, and guidelines and how they map to the individual departments for which they are
responsible.
 Middle managers should be taught why their support for their specific departments is critical and
what their level of responsibility is for ensuring that employees practice safe computing activities.
They should also be shown how the consequences of noncompliance by individuals who report
to them can affect the company as a whole and how they, as managers, may have to answer for
such indiscretions.
 The technical departments must receive a different presentation that aligns more to their daily
tasks. They should receive a more in-depth training to discuss technical configurations, incident
handling, and indications of different types of security compromises so they can be properly
recognized.
 Employees should not try to combat an attacker or address fraudulent activities by themselves; instead, they should be told to report these issues to upper management, and upper management should determine how to handle the situation.
 The presentation given to staff members needs to demonstrate why security is important to the
company and to them individually. The better they understand how insecure activities can
negatively affect them, the more willing they will be to participate in preventing such activities.
 It is usually best to have each employee sign a document indicating that they have heard and
understand all the security topics discussed and understand the ramifications of noncompliance.
 Security training should happen periodically and continually.
Evaluating The Program
Security-awareness training is a type of control, and just like any other control it should be monitored
and evaluated for its effectiveness.

 After the employees attend awareness training, a company may give them questionnaires and
surveys to gauge their retention level and to get their feedback about the training, to evaluate
the program's effectiveness.
 A good indication of the effectiveness of the program can be captured by comparing the number
of reports of security incidents that were made before and after the training.
 For online training, capture individuals' names and what training modules have or have not been
completed within a specific time period. This can then be integrated into their job performance
documentation.
 Security-awareness training must repeat the most important messages in different formats, be
kept up-to-date, be entertaining, positive, and humorous, be simple to understand, and—most
important—be supported by senior management.
Specialized Training Programs

 Train the individuals to use specialized devices and technologies.
 Different roles require different types of training (firewall administration, risk management, policy
development, IDSs, and so on). A skilled staff is one of the most critical components to the
security of a company, and not enough companies are spending the funds and energy
necessary to give their staffs proper levels of security education.
Training Topics
What Might a Course in Security Awareness Look Like?

Awareness Activities and Methods[edit]
Job Training
Professional Education
Performance Metrics

Information Risk Management[edit]
Information risk management (IRM) is the process of identifying and assessing risk, realizing the
limitations in reducing it to an acceptable level, and implementing the right mechanisms to maintain
that level.

Risk Management Concepts[edit]
Categories of Risks

 Physical damage: Fire, water, vandalism, power loss, and natural disasters
 Human interaction: Accidental or intentional action or inaction that can disrupt productivity
 Equipment malfunction: Failure of systems and peripheral devices
 Inside and outside attacks: Hacking, cracking, and attacking
 Misuse of data: Sharing trade secrets, fraud, espionage, and theft
 Loss of data: Intentional or unintentional loss of information through destructive means
 Application error: Computation errors, input errors, and buffer overflows
 Social status: Loss of customer base and reputation

Security Tip: The threats need to be identified, classified by category, and evaluated to calculate their actual magnitude of potential loss. Real risk is hard to measure (more accurately stated, it is hard to accept), but prioritizing the potential risks in order of which risk needs to be addressed first is attainable.

Defining a Risk Management Policy

 The IRM policy provides the infrastructure for the organization's risk management processes
and procedures.
 Characteristics of an IRM policy
o It should address all issues of information security, from personnel screening and the insider
threat to physical security and firewalls.
o It should provide direction on how the IRM team relates information on company risks to
senior management and how to properly execute management's decisions on risk mitigation
tasks.
o The IRM policy should be a subset of the organization's overall risk management policy and
should be mapped to the organizational security policies.
 The IRM policy should address the following items:
o Define the objectives of IRM team
o Level of risk the company will accept and what is considered an acceptable risk
o Formal processes of risk identification
o Connection between the IRM policy and the organization's strategic planning processes
o Responsibilities that fall under IRM and the roles that are to fulfill them
o Mapping of risk to internal controls
o Approach for changing staff behaviors and resource allocation in response to risk analysis
o Mapping of risks to performance targets and budgets
o Key indicators to monitor the effectiveness of controls
Risk Management Practices
A risk management team should have the ability to follow best practices, some of which include:

 Establishing a risk acceptance level as provided by senior management
 Documenting risk assessment processes and procedures
 Establishing proper procedures for identifying and mitigating risks
 Getting support from senior management for appropriate resource and fund allocation
 Defining contingency plans where assessments indicate that they are necessary
 Ensuring that security-awareness training is provided for all staff members associated with information assets
 Striving to establish improvement (or risk mitigation) in specific areas when necessary
 Mapping legal and regulatory compliance requirements to control and implementation requirements
 Developing metrics and performance indicators to be able to measure and manage various types of risks
 Identifying and assessing new risks as the environment and company change
 Integrating IRM and the organization's change control process to ensure that changes do not introduce new vulnerabilities
Risk Handling Strategies[edit]
Since no system or environment can be made 100 percent secure, an acceptable level of risk has to be
defined.
Residual Risk vs. Total Risk

 Residual Risk: The risk that remains after countermeasures are in place; there is always some left
over to deal with.
 Total Risk: The risk that exists when no countermeasures are in place, that is, 100 percent exposure.
Operating at total risk is acceptable only when a cost/benefit analysis shows that doing nothing is
the best course of action.
 The Relation:
o Threats * Vulnerability * Asset Value = Total Risk
o Total Risk * Control Gap = Residual Risk (that is, Threats * Vulnerability * Asset Value * Control
Gap = Residual Risk)
Ways to deal with Risk
There are four basic ways of dealing with risk:

 Transfer it: If a company's total or residual risk is too high and it purchases insurance, it is
transferring the risk to the insurance company.
 Reject it: If a company is in denial about its risk or ignores it, it is rejecting the risk.
 Reduce it: If a company implements countermeasures, it is reducing the risk.
 Accept it: If a company understands the risk and decides not to implement any countermeasures, it
is accepting the risk. Every system accepts some risk: it cannot be eliminated once the system
connects to the Internet, and a stand-alone machine with a single user and no network connection is
the closest one can get to having none.
Two facts follow from this and should be accepted at the outset. First, once a skilled attacker has
console access to the hardware (sitting at the computer, server or router itself), the logical controls
of the operating system cannot be relied on to keep them out; the realistic defences are to prevent
physical access in the first place and to limit what a physically present attacker can recover, for
example by encrypting storage with keys that are not kept on the device. Second, the more one learns
about a system, the more of its weaknesses become visible. Accepting these uncomfortable facts rather
than denying them (the discomfort of holding two conflicting beliefs is called cognitive dissonance) is
the starting point for doing security work.

Risk Assessment/Analysis[edit]
Risk analysis is a method of identifying vulnerabilities and threats and assessing the possible damage,
in order to determine where to implement security safeguards.
Why Risk Analysis?

 To ensure that security is cost effective, relevant, timely, and responsive to threat.
 To provide a cost/benefit comparison, which compares the annualized cost of safeguards to the
potential cost of loss.
 Help integrate the security program objectives with the company's business objectives and
requirements
 To provide an economic balance between the impact of the threat and the cost of the
countermeasure.
The Risk Analysis Activities

 Identifying assets and their values
 Identifying the vulnerabilities and threats
 Analyzing the risk, using one of two approaches
o Quantitative Approach
o Qualitative Approach
 Selecting and implementing a countermeasure
Identifying The Risk Elements[edit]
Identifying Assets and Their Values

 Kinds of assets
o Tangible: measurable - computers, facilities, supplies
o Intangible: immeasurable, difficult to assess - reputation, intellectual property.
 Factors to be considered during assessing the value of information and assets.
o Cost to acquire or develop the assets
o Cost to maintain and protect the assets
o Value of the asset to owners and users
o Value of the asset to adversaries
o Value of intellectual property that went into developing the information
o Price others are willing to pay for the asset
o Cost to replace the asset if lost
o Operational and production activities that are affected if the asset is unavailable
o Liability issues if the asset is compromised
o Usefulness and role of the asset in the organization
 Need for determining the value of assets
o To perform effective cost/benefit analyses
o To select specific countermeasures and safeguards
o To determine the level of insurance coverage to purchase
o To understand what exactly is at risk
o To conform to due care and comply with legal and regulatory requirements
Identify the Vulnerabilities and Threats
There are many types of threat agents that can take advantage of several types of vulnerabilities,
resulting in a variety of specific threats
Threat
Can Exploit This Vulnerability Resulting in This Threat
Agent

Virus Lack of antivirus software Virus infection

Powerful services running on a


Hacker Unauthorized access to confidential information
server

Misconfigured parameter in the


Users System malfunction
operating system

Facility and computer damage, and possibly loss


Fire Lack of fire extinguishers
of life

* Sharing mission-critical information * Altering


* Lack of training or standards
Employee data inputs and outputs from data processing
enforcement * Lack of auditing
applications

Contractor Lack access control mechanisms Stealing trade secrets

* Poorly written application * * Conducting a buffer overflow * Conducting a


Attacker
Lack of stringent firewall settings denial-of-service attack

Breaking windows and stealing computers and


Intruder Lack of security guard
devices

A Quantitative Approach to Risk Analysis[edit]

 Quantitative analysis uses risk calculations that attempt to predict the level of monetary losses
and percentage of chance for each type of threat.
 Quantitative risk analysis also provides concrete probability percentages when determining the
likelihood of threats.
 Each element within the analysis (asset value, threat frequency, severity of vulnerability, impact
damage, safeguard costs, safeguard effectiveness, uncertainty, and probability items) is
quantified and entered into equations to determine total and residual risks.
 Purely quantitative risk analysis is not possible, because the method attempts to quantify
qualitative items, and there are always uncertainties in quantitative values
Sample Steps for a Quantitative Risk Analysis

 Step 1: Assign Value to Assets- For each asset, answer the following questions to determine its
value
o What is the value of this asset to the company?
o How much does it cost to maintain?
o How much does it make in profits for the company?
o How much would it be worth to the competition?
o How much would it cost to re-create or recover?
o How much did it cost to acquire or develop?
o How much liability are you under pertaining to the protection of this asset?
 Step 2: Estimate Potential Loss per Threat- To estimate potential losses posed by threats,
answer the following questions:
o What physical damage could the threat cause and how much would that cost?
o How much loss of productivity could the threat cause and how much would that cost?
o What is the value lost if confidential information is disclosed?
o What is the cost of recovering from this threat?
o What is the value lost if critical devices were to fail?
o What is the single loss expectancy (SLE) for each asset, and each threat?
 Step 3: Perform a Threat Analysis- Take the following steps to perform a threat analysis
o Gather information about the likelihood of each threat taking place from people in each
department, past records, and official security resources that provide this type of data.
o Calculate the annualized rate of occurrence (ARO), which is how many times the threat can
take place in a 12-month period.
 Step 4: Derive the Overall Loss Potential per Threat-To derive the overall loss potential per
threat, do the following:
o Combine potential loss and probability.
o Calculate the annualized loss expectancy (ALE) per threat by using the information
calculated in the first three steps.
o Choose remedial measures to counteract each threat.
o Carry out cost/benefit analysis on the identified countermeasures.
 Step 5: Reduce, Transfer, or Accept the Risk- For each risk, you can choose whether to reduce,
transfer, or accept the risk:
o Risk reduction methods
 Install security controls and components.
 Improve procedures.
 Alter environment.
 Provide early detection methods to catch the threat as it's happening and reduce the
possible damage it can cause.
 Produce a contingency plan of how business can continue if a specific threat takes
place, reducing further damages of the threat.
 Erect barriers to the threat.
 Carry out security-awareness training.
o Risk transfer- Buy insurance to transfer some of the risk, for example.
o Risk acceptance- Live with the risks and spend no more money toward protection.
Quantitative Risk Analysis Metrics

 Single loss expectancy (SLE) - The amount of loss due to a single occurrence of a threat.
 Annualized loss expectancy (ALE) - The estimated loss per annum.
 Exposure factor (EF) - Represents the percentage of loss a realized threat could have on a
certain asset.
 Annualized rate of occurrence (ARO) - The value that represents the estimated frequency of a
specific threat taking place within a one-year timeframe. It is a frequency, not a probability: 0.1
means once in ten years, 1.0 once a year, and 12 once a month, so it can be greater than 1.0.
 The Relation
o Asset value * exposure factor (EF) = SLE
 Example: If a data warehouse has an asset value of $150,000, and it is estimated that
if a fire were to occur, 25 percent of the warehouse would be damaged, then SLE
= 0.25 * $150,000 = $37,500.
o SLE * Annualized rate of occurrence (ARO) = ALE. If the ARO is 0.1 (indicating once in ten
years), then the ALE = $37,500 * 0.1 = $3,750. This tells the company that if it wants to put in
controls or safeguards to protect the asset from this threat, it can sensibly spend $3,750 or
less per year to provide the necessary level of protection.
Results of a Quantitative Risk Analysis
The following is a short list of what generally is expected from the results of a risk analysis

 Monetary values assigned to assets
 Comprehensive list of all possible and significant threats
 Probability of the occurrence rate of each threat
 Loss potential the company can endure per threat in a 12-month time span
 Recommended safeguards, countermeasures, and actions analysis
Quantitative Pros

 Is easier to automate and evaluate
 Used in risk management performance tracking
 Provides credible cost/benefit analysis
 Shows clear-cut losses that can be accrued within one year's time
Quantitative Cons

 Calculations are more complex. Can management understand how these values were derived?
 Without automated tools, this process is extremely laborious.
 Big need to gather detailed information about the environment.
 Standards are not available. Each vendor has its own way of interpreting the processes and
their results.
A Qualitative Approach to Risk Analysis[edit]

 In the qualitative approach, we walk through different risk scenarios and rank the
seriousness of the threats and the validity of the different possible countermeasures.
 Qualitative analysis techniques include judgment, best practices, intuition, and experience.
 Qualitative Risk Analysis Techniques
o Delphi -A group decision method used to ensure that each member gives an honest opinion
of what he or she thinks the result to a particular threat will be. This method is used to obtain
an agreement on cost, loss values, and probabilities of occurrence without individuals
having to agree verbally.
o Brainstorming
o Storyboarding
o Focus groups
o Surveys
o Questionnaires
o Checklists
o One-on-One meetings
o Interviews.
 The risk analysis team will determine the best technique for the threats that need to be assessed
and the culture of the company and individuals involved with the analysis.
 The team that is performing the risk analysis gathers personnel who have experience and
education on the threats being evaluated. When this group is presented with a scenario that
describes threats and loss potential, each member responds with their gut feeling and
experience on the likelihood of the threat and the extent of damage that may result.
Example of a qualitative rating sheet (the Results row is the average of the five ratings):

Personnel | Severity of Threat | Probability of Threat | Potential Loss | Effectiveness of Firewall | Effectiveness of IDS
IT manager | 4 | 2 | 4 | 4 | 3
DBA | 4 | 4 | 4 | 3 | 4
Application programmer | 2 | 3 | 3 | 4 | 2
System operator | 3 | 4 | 3 | 4 | 2
Operational manager | 5 | 4 | 4 | 4 | 4
Results | 3.6 | 3.4 | 3.6 | 3.8 | 3.0

Qualitative Pros

 Requires simple calculations
 Provides general areas and indications of risk
 Provides the opinions of the individuals who know the processes best
Qualitative Cons

 The assessments and results are basically subjective and involve a high degree of guesswork.
 Usually eliminates the opportunity to create a dollar value for cost/benefit discussions.
 Difficult to track risk management objectives with subjective measures.
 Standards are not available. Each vendor has its own way of interpreting the processes and
their results.
Selecting and Implementing a Countermeasure[edit]
Countermeasure Selection

 A security countermeasure should be cost effective and should be chosen on the basis of a
cost/benefit analysis.
 A commonly used cost/benefit calculation for a given safeguard is:
(ALE before implementing safeguard) - (ALE after implementing safeguard) - (annual cost of
safeguard) = value of safeguard to the company
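The SLE/ALE metrics and the safeguard cost/benefit formula above, carried through in code. This is an added example written for this page, not code from the textbook; the warehouse fire figures are the page's own, while the ransomware threat and the two safeguards are constructed for illustration.

```python
"""Quantitative risk analysis and safeguard cost/benefit (added example).

Implements the relations stated on the page:
    SLE = asset value * exposure factor (EF)
    ALE = SLE * annualized rate of occurrence (ARO)
    value of safeguard = ALE before - ALE after - annual cost of safeguard
"""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Threat:
    name: str
    asset_value: float      # dollars
    exposure_factor: float  # fraction of the asset lost per occurrence, 0.0 to 1.0
    aro: float              # expected occurrences per year; 0.1 = once a decade, 12 = monthly

    def __post_init__(self) -> None:
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be between 0.0 and 1.0")
        if self.aro < 0.0 or self.asset_value < 0.0:
            raise ValueError("ARO and asset value cannot be negative")

    def sle(self) -> float:
        """Single loss expectancy: loss from one occurrence of the threat."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: expected loss per year from this threat."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float
    new_ef: Optional[float] = None   # EF after the control, if it limits damage
    new_aro: Optional[float] = None  # ARO after the control, if it cuts frequency


def ale_after(threat: Threat, sg: Safeguard) -> float:
    """Residual ALE once the safeguard is in place (unchanged factors are kept)."""
    residual = replace(
        threat,
        exposure_factor=threat.exposure_factor if sg.new_ef is None else sg.new_ef,
        aro=threat.aro if sg.new_aro is None else sg.new_aro,
    )
    return residual.ale()


def safeguard_value(threat: Threat, sg: Safeguard) -> float:
    """Positive: the control pays for itself. Negative: accept or transfer the risk instead."""
    return threat.ale() - ale_after(threat, sg) - sg.annual_cost


def rank_by_ale(threats: List[Threat]) -> List[Tuple[str, float]]:
    """Order threats by expected annual loss, highest first, to decide what to address first."""
    return sorted(((t.name, t.ale()) for t in threats), key=lambda p: p[1], reverse=True)


def main() -> None:
    # Constructed sample data: the fire is the page's example, the rest is made up.
    fire = Threat("warehouse fire", asset_value=150_000, exposure_factor=0.25, aro=0.1)
    ransomware = Threat("file server ransomware", asset_value=200_000, exposure_factor=0.6, aro=0.5)
    for name, ale in rank_by_ale([fire, ransomware]):
        print(f"{name:<25} ALE ${ale:,.0f}/year")
    for sg in (Safeguard("sprinkler system", annual_cost=2_000, new_ef=0.05),
               Safeguard("gas suppression", annual_cost=4_000, new_ef=0.05)):
        value = safeguard_value(fire, sg)
        verdict = "justified" if value > 0 else "not justified; accept or transfer the risk"
        print(f"{sg.name:<25} value ${value:,.0f}/year -> {verdict}")


if __name__ == "__main__":
    main()
```

Note that the safeguard value can go negative: the second (constructed) suppression system cuts the same exposure but costs more per year than the loss it prevents, which is exactly the case where the page's guidance says to spend no more and accept or transfer the risk.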
Functionality and Effectiveness of Countermeasures
The following are some of the characteristics to be considered before committing to a safeguard
mechanism:

 Modular in nature: It can be installed or removed from an environment without adversely affecting
other mechanisms.
 Provides uniform protection: A security level is applied to all mechanisms it is designed to protect
in a standardized method.
 Provides override functionality: An administrator can override the restriction if necessary.
 Defaults to least privilege: When installed, it defaults to a lack of permissions and rights instead of
installing with everyone having full control.
 Independence of safeguard and the asset it is protecting: The safeguard can be used to protect
different assets, and different assets can be protected by different safeguards.
 Flexibility and security: The more security the safeguard provides, the better. This functionality
should come with flexibility, which enables you to choose different functions instead of all or none.
 Clear distinction between user and administrator: A user should have fewer permissions when it
comes to configuring or disabling the protection mechanism.
 Minimum human intervention: When humans have to configure or modify controls, this opens the
door to errors. The safeguard should require as little human input as possible.
 Easily upgraded: Software continues to evolve, and updates should be able to happen painlessly.
 Auditing functionality: There should be a mechanism that is part of the safeguard that provides
minimum and/or verbose auditing.
 Minimizes dependence on other components: The safeguard should be flexible and not have strict
requirements about the environment into which it will be installed.
 Easily usable, acceptable, and tolerated by personnel: If the safeguard creates barriers to
productivity or adds extra steps to simple tasks, users will not tolerate it.
 Must produce output in a usable and understandable format: Important information should be
presented in a format easy for humans to understand and use for trend analysis.
 Must be able to reset the safeguard: The mechanism should be able to be reset and returned to its
original configuration and settings without affecting the system or asset it is protecting.
 Testable: The safeguard should be able to be tested in different environments under different
situations.
 Does not introduce other compromises: The safeguard should not provide any covert channels or
back doors.
 System and user performance: System and user performance should not be greatly affected.
 Proper alerting: Thresholds should be able to be set as to when to alert personnel of a security
breach, and this type of alert should be acceptable.
 Does not affect assets: The assets in the environment should not be adversely affected by the
safeguard.

Determination of Likelihood
Determination of Impact
Determination of Risk
Reporting Findings
Countermeasure Selection
Information Valuation

Information Classification[edit]
Introduction[edit]
 After identifying the information to be protected, it is necessary to classify the information and
organize it according to its sensitivity to loss, disclosure or unavailability.
 The primary purpose of data classification is to indicate the level of confidentiality, integrity and
availability protection required for each type of dataset.
 Data classification helps to ensure that the data is protected in the most cost-effective manner.
 Each classification should have separate handling requirements and procedures pertaining to
how that data is accessed, used, and destroyed.
Classification Types[edit]
 Public
o Definition: Disclosure is not welcome, but it would not cause an adverse impact to the company or
personnel.
o Examples: How many people are working on a specific project; upcoming projects.
o Organization that would use this: Commercial business.
 Sensitive
o Definition: Requires special precautions to ensure the integrity and confidentiality of the data by
protecting it from unauthorized modification or deletion. Requires higher than normal assurance
of accuracy and completeness.
o Examples: Financial information; details of projects; profit earnings and forecasts.
o Organization that would use this: Commercial business.
 Private
o Definition: Personal information for use within a company. Unauthorized disclosure could
adversely affect personnel or the company.
o Examples: Work history; human resources information; medical information.
o Organization that would use this: Commercial business.
 Confidential
o Definition: For use within the company only. Data that is exempt from disclosure under the
Freedom of Information Act or other laws and regulations. Unauthorized disclosure could
seriously affect a company.
o Examples: Trade secrets; health care information; programming code; information that keeps a
company competitive.
o Organization that would use this: Commercial business / military.
 Unclassified
o Definition: Data is not sensitive or classified.
o Examples: Computer manual and warranty information; recruiting information.
o Organization that would use this: Military.
 Sensitive but unclassified (SBU)
o Definition: Minor secret. Disclosure would not cause serious damage to national security, but the
data still needs protection.
o Examples: Medical data; answers to test scores.
o Organization that would use this: Military.
 Secret
o Definition: If disclosed, it could cause serious damage to national security.
o Examples: Deployment plans for troops; nuclear bomb placement.
o Organization that would use this: Military.
 Top secret
o Definition: If disclosed, it could cause grave damage to national security.
o Examples: Blueprints of new wartime weapons; spy satellite information; espionage data.
o Organization that would use this: Military.

Guidelines for Information Classification[edit]

 The classification scheme should be neither a long list nor too restrictive and detail-oriented.
 Each classification should be unique and should not overlap with another.
 The classification process should outline how information and applications are classified and
handled throughout their life cycle.
Criteria for Information Classification[edit]
 Usefulness of data
 Value of data
 Age of data
 The level of damage that could be caused if the data were disclosed
 The level of damage that could be caused if the data were modified or corrupted
 Legal, regulatory, or contractual responsibility to protect the data
 Effects the data has on national security
 Who should be able to access the data
 Who should maintain the data
 Where the data should be kept
 Who should be able to reproduce the data
 What data requires labels and special marking
 Whether encryption is required for the data
 Whether separation of duties is required
 Which Backup Strategy is appropriate
 Which Recovery Strategy is appropriate
Security Note: An organization needs to make sure that whoever backs up classified data, and
whoever has access to the backed-up data, holds the necessary clearance level. A large security risk
is introduced if technicians with no security clearance can read this information while carrying out
their tasks. A backup contains all of your data and deserves the same security consideration as the
infrastructure it came from, because that is exactly what it is: the whole environment in a single
location, often stored as a single file, and usually with little thought given to the risks of the
appliance or media that holds it.

Data Classification Procedures[edit]


The following outlines the necessary steps for a proper classification program:

 Define classification levels.
 Specify the criteria that will determine how data is classified.
 Have the data owner indicate the classification of the data she is responsible for.
 Identify the data custodian who will be responsible for maintaining data and its security level.
 Indicate the security controls, or protection mechanisms, that are required for each classification
level.
 Document any exceptions to the previous classification issues.
 Indicate the methods that can be used to transfer custody of the information to a different data
owner.
 Create a procedure to periodically review the classification and ownership. Communicate any
changes to the data custodian.
 Indicate termination procedures for declassifying the data.
 Integrate these issues into the security-awareness program so that all employees understand
how to handle data at different classification levels.
Classification Controls[edit]
The type of control implemented per classification depends upon the level of protection that
management and the security team have determined is needed. Some of the controls are :

 Strict and granular access control for all levels of sensitive data and programs
 Encryption of data while stored and while in transmission
 Auditing and monitoring (determine what level of auditing is required and how long logs are to be
retained)
 Separation of duties (determine whether two or more people need to be involved in accessing
sensitive information to protect against fraudulent activities; if so, define and document
procedures)
 Periodic reviews (review classification levels, and the data and programs that adhere to them, to
ensure that they are still in alignment with business needs; data or applications may also need to
be reclassified or declassified, depending upon the situation)
 Backup and recovery procedures (define and document)
 Change control procedures (define and document)
 File and file system access permissions (define and document)
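The classification procedure and the control list above, turned into a check that can be run before a handling operation (a backup, a transfer, an export). This is an added example written for this page, not the page's or any vendor's code: the control names, the mapping of criteria to levels and the sample records are all constructed for illustration, and a real control matrix would be set by the data owner. It also enforces the point of the security note above, that the person handling a backup must be cleared for the data it contains.

```python
"""Classification-driven handling check (added example, not the page's code).

Derives a classification from the criteria the page lists (value, legal
obligation, damage if disclosed), then checks a proposed operation in two
ways: every control the level requires must be applied, and the principal
performing the operation must be cleared for that level.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, FrozenSet, List, Set


class Level(IntEnum):
    PUBLIC = 0
    SENSITIVE = 1
    PRIVATE = 2
    CONFIDENTIAL = 3


# Hypothetical control matrix built from the controls listed on the page.
REQUIRED_CONTROLS: Dict[Level, FrozenSet[str]] = {
    Level.PUBLIC: frozenset(),
    Level.SENSITIVE: frozenset({"integrity_check", "audit_log"}),
    Level.PRIVATE: frozenset({"integrity_check", "audit_log", "access_control",
                              "encrypt_at_rest", "encrypt_in_transit"}),
    Level.CONFIDENTIAL: frozenset({"integrity_check", "audit_log", "access_control",
                                   "encrypt_at_rest", "encrypt_in_transit",
                                   "separation_of_duties"}),
}


@dataclass(frozen=True)
class Record:
    name: str
    financial: bool = False          # earnings, forecasts, project details
    personal: bool = False           # HR, medical, work history
    trade_secret: bool = False       # source code, competitive information
    legally_protected: bool = False  # exempt from disclosure by law or regulation


def classify(rec: Record) -> Level:
    """The highest applicable criterion wins; a record is never classified below any criterion's level."""
    level = Level.PUBLIC
    if rec.financial:
        level = max(level, Level.SENSITIVE)
    if rec.personal:
        level = max(level, Level.PRIVATE)
    if rec.trade_secret or rec.legally_protected:
        level = max(level, Level.CONFIDENTIAL)
    return level


@dataclass(frozen=True)
class Principal:
    name: str
    clearance: Level


def check_handling(rec: Record, who: Principal, applied: Set[str]) -> List[str]:
    """Return the policy violations for a proposed operation; an empty list means it may proceed."""
    level = classify(rec)
    problems: List[str] = []
    # Clearance check. This applies to backup operators too: a backup carries the
    # data at the same classification as the live system it was taken from.
    if who.clearance < level:
        problems.append(f"{who.name} is cleared for {who.clearance.name} but the record is {level.name}")
    for control in sorted(REQUIRED_CONTROLS[level] - applied):
        problems.append(f"missing control: {control}")
    return problems


if __name__ == "__main__":
    # Constructed scenario: an uncleared technician backs up HR data with only logging in place.
    hr_export = Record("HR personnel file", personal=True)
    technician = Principal("backup technician", Level.PUBLIC)
    for line in check_handling(hr_export, technician, {"audit_log"}) or ["allowed"]:
        print(line)
```

The check is deliberately a list of violations rather than a yes/no answer, so that the output can be handed to the data owner as the exception record the procedure above asks for.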

Ethics[edit]
Ethics is the field of study concerned with questions of value, that is, judgments about what type of
human behavior is "good" or "bad" in any given situation. Ethics are the standards, values, morals,
principles, etc., on which to base one's decisions or actions; often, there is no clear "right" or "wrong"
answer.

Basic Concepts[edit]
Computer Ethics
The term "computer ethics" is open to interpretations both broad and narrow.

 On the narrow side, computer ethics might be understood as the efforts of professional
philosophers to apply traditional ethical theories like utilitarianism, Kantianism, or virtue ethics to
issues regarding the use of computer technology.
 On the broad side, it can be understood as a standards of professional practice, codes of
conduct, aspects of computer law, public policy, corporate ethics—even certain topics in the
sociology and psychology of computing
Professional Code of Ethics[edit]
Certified professionals, including those holding the CISSP, are held morally, and sometimes legally,
to a higher standard of ethical behavior. In promoting proper computing behavior within the industry
and within the confines of our corporate boundaries, professionals should incorporate ethics into their
organizational policies and awareness programs.
Several organizations have addressed the issue of ethical behavior through ethics guidelines. These
include organizations such as

 The Computer Ethics Institute,
 The Internet Architecture Board (formerly the Internet Activities Board),
 The International Computer Security Association,
 The Information Systems Security Association, and
 The (ISC)2 Code of Ethics.
Computer Ethics Institute[edit]
The CEI Ten Commandments of Computer Ethics

1. Thou shalt not use a computer to harm other people.
2. Thou shalt not interfere with other people's computer work.
3. Thou shalt not snoop around in other people's computer files.
4. Thou shalt not use a computer to steal.
5. Thou shalt not use a computer to bear false witness.
6. Thou shalt not copy or use proprietary software for which you have not paid.
7. Thou shalt not use other people's computer resources without authorization or proper
compensation.
8. Thou shalt not appropriate other people's intellectual output.
9. Thou shalt think about the social consequences of the program you are writing or the system
you are designing.
10. Thou shalt always use a computer in ways that ensure consideration and respect for your
fellow humans.
Internet Architecture Board[edit]
The Internet Architecture Board (IAB) is the coordinating committee for Internet design, engineering,
and management. It is an independent committee of researchers and professionals with a technical
interest in the health and evolution of the Internet.

 IAB has two principal subsidiary task forces:
o The Internet Engineering Task Force (IETF) and
o The Internet Research Task Force (IRTF).
The IAB issues ethics-related statements concerning the use of the Internet. It considers the Internet
to be a resource that depends upon availability and accessibility to be useful to a wide range of
people. It is mainly concerned with irresponsible acts on the Internet that could threaten its existence
or negatively affect others. It sees the Internet as a great gift and works hard to protect it for all who
depend upon it. IAB sees the use of the Internet as a privilege, which should be treated as such and
used with respect.

 IAB considers the following acts as unethical and unacceptable behavior:
o Purposely seeking to gain unauthorized access to Internet resources
o Disrupting the intended use of the Internet
o Wasting resources (people, capacity, and computers) through purposeful actions
o Destroying the integrity of computer-based information
o Compromising the privacy of others
o Conducting Internet-wide experiments in a negligent manner
The (ISC)2 Code of Ethics[edit]
All information systems security professionals who are certified by (ISC)2 recognize that such
certification is a privilege that must be both earned and maintained. In support of this principle, all
Certified Information Systems Security Professionals (CISSPs) commit to fully support this Code of
Ethics. CISSPs who intentionally or knowingly violate any provision of the Code will be subject to
action by a peer review panel, which may result in the revocation of certification.
Code of Ethics Preamble:

 Safety of the commonwealth, duty to our principals, and to each other requires that we adhere,
and be seen to adhere, to the highest ethical standards of behavior.
 Therefore, strict adherence to this code is a condition of certification.
Code of Ethics Canons:

 Protect society, the commonwealth, and the infrastructure.
 Act honorably, honestly, justly, responsibly, and legally.
 Provide diligent and competent service to principals.
 Advance and protect the profession.
The Code of Ethics

 Protect society, the commonwealth, and the infrastructure
o Promote and preserve public trust and confidence in information and systems.
o Promote the understanding and acceptance of prudent information security measures.
o Preserve and strengthen the integrity of the public infrastructure.
o Discourage unsafe practice.
 Act honorably, honestly, justly, responsibly, and legally
o Tell the truth; make all stakeholders aware of your actions on a timely basis.
o Observe all contracts and agreements, express or implied.
o Treat all constituents fairly. In resolving conflicts, consider public safety and duties to
principals, individuals, and the profession in that order.
o Give prudent advice; avoid raising unnecessary alarm or giving unwarranted comfort. Take
care to be truthful, objective, cautious, and within your competence.
o When resolving differing laws in different jurisdictions, give preference to the laws of the
jurisdiction in which you render your service.
 Provide diligent and competent service to principals
o Preserve the value of their systems, applications, and information.
o Respect their trust and the privileges that they grant you.
o Avoid conflicts of interest or the appearance thereof.
o Render only those services for which you are fully competent and qualified.
 Advance and protect the profession
o Sponsor for professional advancement those best qualified. All other things equal, prefer
those who are certified and who adhere to these canons. Avoid professional association with
those whose practices or reputation might diminish the profession.
o Take care not to injure the reputation of other professionals through malice or indifference.
o Maintain your competence; keep your skills and knowledge current. Give generously of your
time and knowledge in training others.
Example Topics in Computer Ethics[edit]
Computers in the Workplace[edit]
Computers posing threat to Traditional Jobs
As a "universal tool" that can, in principle, perform almost any task, computers obviously pose a
threat to jobs.

 Although computers occasionally need repair, they don't require sleep, they don't get tired, they
don't go home ill or take time off for rest and relaxation. At the same time, computers are often
far more efficient than humans in performing many tasks. Therefore, economic incentives to
replace humans with computerized devices are very high.
 In the industrialized world many workers already have been replaced by computerized devices
and even professionals like medical doctors, lawyers, teachers, accountants and psychologists
are finding that computers can perform many of their traditional professional duties quite
effectively.
 The employment outlook, however, is not all bad. In the short run, computer-generated
unemployment will be an important social problem; but in the long run, information technology
will create many more jobs than it eliminates.
 Even when a job is not eliminated by computers, it can be radically altered by "de-skilling" the
workers and turning them into passive observers and button pushers.
 As automation spreads, there is an opportunity to move away from the dehumanizing practices of
the past and let computer systems do the work that peasants, slaves and the working poor have
performed for far too long. But the gains have to be shared deliberately, and we must stay vigilant
for the abuses of power that stem from the "equal rights for all but entitlements for me" flaw that
any of us can succumb to, and which has brought terrible destruction upon societies.
Health and Safety at Workplace

 Another workplace issue concerns health and safety. According to Forester and Morrison, when
information technology is introduced into a workplace, it is important to consider likely impacts
upon health and job satisfaction of workers who will use it. It is possible, for example, that such
workers will feel stressed trying to keep up with high-speed computerized devices—or they may
be injured by repeating the same physical movement over and over—or their health may be
threatened by radiation emanating from computer monitors. These are just a few of the social
and ethical issues that arise when information technology is introduced into the workplace.
Computer Crime
Security Aspects behind the Crime
In this era of computer "viruses" and international spying by "hackers" who are thousands of miles
away, it is clear that computer security is a topic of concern in the field of Computer Ethics. The
problem is not so much the physical security of the hardware (protecting it from theft, fire, flood,
etc.), but rather "logical security", which according to Spafford, Heaphy and Ferbrache is divided into
five aspects:

 Privacy and confidentiality
 Integrity—assuring that data and programs are not modified without proper authority
 Unimpaired service
 Consistency—ensuring that the data and behavior we see today will be the same tomorrow
 Controlling access to resources
Challenges
Malicious kinds of software, or "programmed threats", present a significant challenge to computer
security. These include:

 viruses, which cannot run on their own, but rather are inserted into other computer programs;
 worms which can move from machine to machine across networks, and may have parts of
themselves running on different machines;
 Trojan horses which appear to be one sort of program, but actually are doing damage behind
the scenes;
 logic bombs which check for particular conditions and then execute when those conditions arise;
and
 bacteria or rabbits which multiply rapidly and fill up the computer's memory.
Trusted Persons/Security Clearance Persons vs Hackers/Whackers
 Computer crimes, such as embezzlement, financial fraud within exchanges, interest rate
manipulations or planting of logic bombs, are normally committed by trusted personnel who have
permission to use the computer system and/or access to classified information. Computer
security, therefore, must also be concerned with the actions of trusted computer users and those
with confidential security clearances.
The higher the trust level or security clearance, or the higher the position within an organization's
hierarchy, the larger the risk of extreme damage in terms of cost and security, while the likelihood of
getting caught in the criminal act decreases exponentially.
Even more concerning, the chance of criminal charges actually being brought against the
once "most trusted" but now criminal person falls virtually to zero at the very top levels, since those criminals
will settle before charges get filed, for a fraction of the amount stolen and with no damage to their
reputation whatsoever, thus allowing them to maintain their "most trusted" status. This is clearly the
most worrisome case, not just for those within an organization but for all people within a nation or union of
nations bound by financial/economic trade agreements, since such agreements are based on trust, and its breakdown could lead
to large-scale wars between those nations. Is there an all-inclusive systems risk more frightening
than this?

 Hackers/Whackers break into someone's computer system without permission by way of
unknown security risks. Some intentionally steal data or commit vandalism, while others merely
"explore" the system to see how it works and what files it contains. These "explorers" often claim
to be benevolent defenders of freedom and fighters against rip-offs by major corporations or
spying by rogue government agents. Some think of themselves as performing charity work for the
more "IT-challenged" users of information systems who, either through ignorance or just
laziness, don't find the risks themselves. These self-appointed vigilantes/charity workers of
cyberspace say they do no harm, and claim to be helpful to society by exposing security risks for
the users who just don't have the natural ability or skills to find them for themselves, and for
those who are willfully ignorant and just don't put forth the effort.
Some are of the opinion that every act of hacking is harmful, because any known successful penetration
of a computer system requires the owner to thoroughly check for damaged or lost data and
programs. They claim that even if the hacker did indeed make no changes, the computer's owner must
run through a costly and time-consuming investigation of the compromised system. Others
would claim (as is actually stated in a separate security section above on this page) that the
data/system/application owners should already be performing routine checks for damaged or lost
data or compromised programs and applications. These people ask: would you rather have a benign
intruder who found a way to penetrate your computer/network systems and lets you know of the
potential security flaw, or have a criminal intruder penetrate your system with intent to steal possibly
millions of dollars from you or your customers before you had any clue of the risk you were taking or
the risks you were placing on your customers, clients, and confidential or proprietary data? And if you
are of the latter opinion, should you be held financially or criminally responsible, since you willingly
prefer this option?
Privacy and Anonymity
The Privacy Concern
Privacy is one of the earliest computer ethics topics to arouse public interest.

 The ease and efficiency with which computers and computer networks can be used to gather,
store, search, compare, retrieve and share personal information make computer technology
especially threatening to anyone who wishes to keep various kinds of "sensitive" information
(e.g., medical records) out of the public domain or out of the hands of those who are perceived
as potential threats.
Factors Exposing Privacy
Some of the factors that increase the concern about privacy are:

 Commercialization and rapid growth of the internet;
 The rise of the world-wide-web;
 Increasing "user-friendliness" of computers and applications;
 Processing power of computers;
 Decreasing costs of computer technology;
 Data-mining and data matching;
 Recording of "click trails" on the web, etc.
Anonymity
Anonymity on the internet is sometimes discussed in the same context as questions of privacy on
the internet, because anonymity can provide many of the same benefits as privacy. For example, if
someone is using the internet to obtain medical or psychological counseling, or to discuss sensitive
topics (for example, AIDS), anonymity can afford protection similar to that of privacy. Similarly, both
anonymity and privacy on the internet can be helpful in preserving human values such as security,
mental health, self-fulfillment and peace of mind. Unfortunately, privacy and anonymity can also be
exploited to facilitate unwanted and undesirable computer-aided activities in cyberspace, such as
money laundering, drug trading, terrorism, or preying upon the vulnerable.
Intellectual Property
The Argument
One of the more controversial areas of computer ethics concerns the intellectual property rights
connected with software ownership.

 Some people, like Richard Stallman who started the Free Software Foundation, believe that
software hoarding should not be allowed at all. He claims that all programs distributed to the
public should be free, and all programs distributed to the public should be available for copying,
studying and modifying by anyone who wishes to do so.
 Others argue that software companies or programmers would not invest weeks and months of
work and significant funds in the development of software if they could not get the investment
back in the form of license fees or sales. However, the Free and Open Source Software that is
created and maintained for free by thousands of people worldwide seems to have clearly disproved these
claims over the last 20 years.
The Scenario

 Today's software industry is a multibillion dollar part of the economy; and software companies
claim to lose billions of dollars per year through illegal copying ("software piracy").
 Many people think that software should be ownable, but "casual copying" of personally owned
programs for one's friends should also be permitted.
 The software industry claims that millions of dollars in sales are lost because of such copying.
 Ownership is a complex matter, since there are several different aspects of software that can be
owned and three different types of ownership: copyrights, trade secrets, and patents. One can
own the following aspects of a program:
o The "source code" which is written by the programmer(s) in a high-level computer language
like Java or C++.
o The "object code", which is a machine-language translation of the source code.
o The "algorithm", which is the sequence of machine commands that the source code and
object code represent.
o The "look and feel" of a program, which is the way the program appears on the screen and
interfaces with users.
 A very controversial issue today is owning a patent on a computer algorithm.
o A patent provides an exclusive monopoly on the use of the patented item, so the owner of
an algorithm can deny others use of the mathematical formulas that are part of the
algorithm.
o Mathematicians and scientists are outraged, claiming that algorithm patents effectively
remove parts of mathematics from the public domain, and thereby threaten to cripple
science.
The Challenge
 Running a preliminary "patent search" to make sure that your "new" program does not violate
anyone's software patent is a costly and time-consuming process, and the level of confidence
that can be achieved with such a search outside of a courtroom is literally nil. As a result, only very
large companies with big budgets can afford to run such a search or afford the costly court
battles. This effectively eliminates many small software companies, stifling competition and
decreasing the variety and quality of programs available to society.
Professional Responsibility
Computer professionals have specialized knowledge and often have positions with authority and
respect in the community. Along with such power to change the world comes the duty to exercise
that power responsibly. Computer professionals find themselves in a variety of professional
relationships with other people including:

 employer—employee
 client—professional
 professional—professional
 society—professional
These relationships involve a diversity of interests, and sometimes these interests can come into
conflict with each other. Responsible computer professionals, therefore, will be aware of possible
conflicts of interest, try to avoid them, and strive to remember that everyone involved is human and to
have empathy. A good way to think at all times is to ask oneself: is this how I would want to be
treated if I were in their position?
Professional organizations like the Association for Computing Machinery (ACM) and the Institute of
Electrical and Electronic Engineers (IEEE), also have established codes of ethics, curriculum
guidelines and accreditation requirements to help computer professionals understand and manage
ethical responsibilities.
Globalization
Computer ethics today is rapidly evolving into a broader and even more important field, which might
reasonably be called "global information ethics".
For the first time in the history of the earth, ethics and values are debated and transformed in a
context that is not limited to a particular geographic region, or constrained by a specific religion or
culture. This may very well be one of the most important social developments in history, but some of
the issues it raises, such as global laws, global cyberbusiness, global education, and the gap between the information rich and the
information poor, are a growing concern for the networked world.

Common Computer Ethics Fallacies

The lack of early, computer-oriented childhood rearing and conditioning has led to several pervasive
fallacies. The generation of computer users includes those from 7 to 70 years old who use
computing and other information technologies. As with all fallacies, some people are heavily influenced
by them, and some are less so. Some of the common fallacies, which are probably the most
important, are:

 The Computer Game Fallacy
 The Law-Abiding Citizen Fallacy
 The Shatterproof Fallacy
 The Candy-from-a-Baby Fallacy
 The Hacker's Fallacy
 The Free Information Fallacy

Hacking and Hacktivism
A hacker is a person who delights in having an intimate understanding of the internal workings of a
system, computers and computer networks in particular.
The Hacker Ethics
The two most common, but not widely accepted, hacker ethics are:

 The belief that information-sharing is a powerful positive good, and that it is an ethical duty of
hackers to share their expertise by writing open-source code and facilitating access to
information and to computing resources wherever possible.
 The belief that system-cracking for fun and exploration is ethically OK as long as the cracker
commits no theft, vandalism, or breach of confidentiality.