
CIA Triad, Authorization, Authentication, Ethics, and Security SDLC in Information Technology Management


Added on 2023-05-30

6 pages, 1938 words, 340 views
Information Technology Management

The CIA triad has several components, each of which relates to information security. The first
component is Confidentiality. Confidentiality is an attribute of information that describes how data can
remain confidential without exposure to unauthorized identities. There are procedures for keeping
information confidential, such as cryptography and security policies. Confidentiality is related to
information security because maintaining confidentiality is essential to information security
(Dewey, 2016). The second component is Integrity, an attribute that assures that data is complete and
uncorrupted. Integrity is hampered only when data is exposed to damage, destruction or corruption.
Information corruption can happen at any time while data is being entered, stored or transferred. For
information security, it is necessary to maintain integrity in order to remove the risk of data exposure
(Desai & von der Embse, 2008). The third component is Availability, which refers to the easy availability
of data. It describes how easily the data can be accessed without interruption, and it means the data
should be available in a usable format. Information should be available only to those people who have
the authority to use it. If information is available to everyone, it may hamper information security.
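The integrity component described above is the one most directly checkable in code: a message authentication code attached when data is stored or transmitted lets the receiver detect corruption or tampering before using the data. The following is an added example, not part of the essay; it uses the Python standard library, a constructed patient record as sample input, and a placeholder key generated at import time (a real system would keep the key in a key store, separate from the data).

```python
import hashlib
import hmac
import os

# Placeholder integrity key (assumption: generated here for the example only).
INTEGRITY_KEY = os.urandom(32)
TAG_LEN = 32  # SHA-256 digest length

# Constructed sample record as it would be entered, stored or transferred.
SAMPLE_RECORD = b"patient=1042;reading=bp:120/80;unit=mmHg"


def seal(record: bytes, key: bytes = INTEGRITY_KEY) -> bytes:
    """Append an HMAC-SHA256 tag so later corruption or tampering is detectable."""
    tag = hmac.new(key, record, hashlib.sha256).digest()
    return record + tag


def verify(sealed: bytes, key: bytes = INTEGRITY_KEY) -> tuple[bool, bytes]:
    """Split off the tag and recompute it; a mismatch means integrity was lost.

    Returns (ok, record). The record must not be trusted when ok is False.
    """
    if len(sealed) < TAG_LEN:
        return False, b""
    record, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    expected = hmac.new(key, record, hashlib.sha256).digest()
    # compare_digest runs in constant time, so the comparison does not leak
    # how many tag bytes matched.
    return hmac.compare_digest(tag, expected), record


def flip_one_bit(data: bytes, index: int) -> bytes:
    """Simulate corruption during transfer: a single bit changes."""
    mutable = bytearray(data)
    mutable[index] ^= 0x01
    return bytes(mutable)


if __name__ == "__main__":
    sealed = seal(SAMPLE_RECORD)
    print("intact:", verify(sealed)[0])
    print("corrupted in transit:", verify(flip_one_bit(sealed, 10))[0])
```

Note that the tag only provides integrity: anyone holding the sealed bytes can still read the record, so confidentiality needs encryption in addition to the HMAC.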
Authorization and authentication are two different concepts. Authentication is a control mechanism
that requires verification and validation of an entity that is not yet authorized. It creates a system
that helps identify whether the requesting party is valid for system access or not. Individual users
authenticate to their systems with a PIN (Personal Identification Number), a password or some other
means, whereas authorization refers to the process of granting permission to do something in a system.
It checks the authority of an individual over a system or information. After the identity has been
authenticated, authorization defines the permitted and non-permitted actions for that individual, such as
deleting, modifying or accessing the contents of the system (Silberschatz, Korth & Sudarshan, 2011).
Authentication is done only in the first step, and authorization is usually done after authentication.
Authentication verifies the user's credentials, and authorization validates the user's permissions. Both
are related to information security: authorization defines the authority over the system, and
authentication makes the information accessible only to authorized users (PATHAK, 2011).
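The ordering the paragraph describes (credentials verified first, permissions consulted only for a verified identity) is shown below as an added example written for this page, not code from the essay or its sources. The user store, passwords and permission table are constructed; passwords are kept only as salted PBKDF2 hashes, and the actions checked are the essay's own examples of delete, modify and access.

```python
import hashlib
import hmac
import os
from typing import Optional

PBKDF2_ROUNDS = 100_000  # assumption: chosen for the example


# --- Authentication: establish who the user is ---------------------------
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_user(password: str) -> dict:
    """Store a fresh salt and the derived hash, never the password itself."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt)}


# Constructed user store.
USERS = {
    "alice": make_user("correct horse battery staple"),
    "bob": make_user("hunter2"),
}


def authenticate(username: str, password: str) -> Optional[str]:
    """Return the verified username, or None on failure.

    Unknown usernames still pay for one hash computation so that response
    time does not reveal which accounts exist.
    """
    entry = USERS.get(username)
    salt = entry["salt"] if entry else os.urandom(16)
    candidate = _hash_password(password, salt)
    if entry is not None and hmac.compare_digest(candidate, entry["hash"]):
        return username
    return None


# --- Authorization: decide what the verified user may do -----------------
# Constructed permission table: action -> users allowed to perform it.
PERMISSIONS = {
    "access": {"alice", "bob"},
    "modify": {"alice"},
    "delete": {"alice"},
}


def authorize(user: str, action: str) -> bool:
    return user in PERMISSIONS.get(action, set())


def perform(username: str, password: str, action: str) -> str:
    """Authentication first; authorization is consulted only for a verified identity."""
    user = authenticate(username, password)
    if user is None:
        return "denied: authentication failed"
    if not authorize(user, action):
        return f"denied: {user} is not permitted to {action}"
    return f"ok: {user} may {action}"


if __name__ == "__main__":
    print(perform("alice", "correct horse battery staple", "delete"))
    print(perform("bob", "hunter2", "delete"))
    print(perform("bob", "wrong password", "access"))
```

The failure message for a bad password and for an unknown user is deliberately the same, so the authentication step does not turn into an account enumeration oracle.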
Ethics is derived from the Greek word 'Ethos', which means 'Character'. It describes how an individual
should act and explains what is right and what is wrong. It also consists of rules and regulations that
every individual should follow. Ethics has a wide role in information security, and people who belong to
this industry have to be very careful about this topic because there is a high level of scrutiny. Ethics
helps maintain information security by protecting confidential client information and the personal data
of employees. Organizations run ethics training that helps employees understand the confidentiality of
information and how to maintain it by following ethical rules and regulations (Harris, 2010). Every
organization has a pre-specified code of conduct, and all members are expected to follow it. Beyond
that, it remains the responsibility of each individual to behave ethically by taking responsibility for the
security of information and acting according to the policies and procedures.
The Security SDLC refers to the process of designing and implementing an information system. There
are proper plans based on the SDLC. At the end of each plan there is a review in which the performance
of the project is judged, and on that basis it is decided whether the project should be continued,
discontinued, postponed or outsourced. In the security SDLC, all the threats and risks that bear on the
next design are identified, and controls are implemented to remove those threats and risks. There are
six steps in the SecSDLC. The first step is Investigation, which means gathering all the goals, objectives,
processes and outcomes of the project; it also includes analysing the problems, defining goals and
identifying all the constraints. The second step is Analysis: in the analysis phase, all the security policies
and the known threats attached to them are analysed, along with all the relevant issues (Aristotle, 2016).
Logical Design is the third step, and it is about formulating the controls that protect confidential
information from all the threats. In logical design, the team members create a security blueprint, which
is then examined and implemented. After that comes Physical Design, in which technology is evaluated
so that it can support the blueprint, alternative solutions are created and the design is finalized. The
second-to-last phase is Implementation. In the implementation phase, the solutions are acquired, tested,
implemented and then tested again (Pretorius, 2003); it also includes managing the plan. The last
phase, which comes after implementation, is Maintenance and Change. In this stage all the adequate
changes are made in the internal and external environment to meet the requirements ("Design of Patient
Monitoring System(PMS) Application using Security Design Patterns in Architecture Phase of Secure
SDLC", 2016).
It is similar to traditional systems analysis and design because the main purpose of the traditional
system was the same as that of the SecSDLC; its process was also similar and helpful in fulfilling all the
objectives. The four policies and the ways they are used in the organization are important. The
Enterprise Information Security Policy is a very high-level information security policy that sets the
strategic direction and scope of all the organization's security-related efforts. It is also called the
security program. It helps an organization fulfil its implementation and management requirements. The
second is the Issue-Specific Security Policy, which regulates the use of a technology or resource in the
organization. It assists the organization by safeguarding it from hacking and providing malware
protection (K.Pandey & Batra, 2013). The third policy is the Specific Security Policy. These policies look
different from the other policies, and sometimes they read like a procedure. They include standards that
are used while configuring or maintaining the system, and they give organizations both managerial
guidance and technical guidance. The last policy is Access Control Lists, which refers to the user access
lists, matrices and capability structures that define the privileges and rights of the users. An ACL shows
the objects that an individual or group can access, and it helps an organization authorize use of the
system (Shin & Lee, 2016).
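To make the relationship between the three structures named above concrete (the per-object access control list, the per-subject capability structure, and the access matrix from which both are projections), here is an added example written for this page rather than code from the essay or its sources. The groups, users, objects and rights are constructed; group entries in the ACL are marked with a leading "@" (an assumption of this example).

```python
from __future__ import annotations

# Constructed group membership for a small organization.
GROUPS = {
    "finance": {"alice", "bob"},
    "audit": {"carol"},
}

# Access control list: one entry per object, mapping each subject (a user,
# or a group written as "@name") to the rights it holds on that object.
ACL = {
    "ledger.xlsx": {"@finance": {"read", "write"}, "@audit": {"read"}},
    "payroll.db": {"alice": {"read", "write", "delete"}, "@audit": {"read"}},
    "policy.pdf": {"@finance": {"read"}, "@audit": {"read"}, "dave": {"read"}},
}


def groups_of(user: str) -> set[str]:
    return {name for name, members in GROUPS.items() if user in members}


def rights(user: str, obj: str) -> set[str]:
    """Rights granted to the user directly plus those inherited via groups."""
    entries = ACL.get(obj, {})
    granted = set(entries.get(user, set()))
    for group in groups_of(user):
        granted |= entries.get("@" + group, set())
    return granted


def is_authorized(user: str, obj: str, right: str) -> bool:
    """The authorization decision an application would make per request."""
    return right in rights(user, obj)


def capability_list(user: str) -> dict[str, set[str]]:
    """The same information viewed per subject: what this user can touch."""
    return {obj: r for obj in ACL if (r := rights(user, obj))}


def access_matrix() -> dict[str, dict[str, set[str]]]:
    """Full subject x object matrix; ACLs are its columns, capabilities its rows."""
    users = set().union(*GROUPS.values()) | {
        subject
        for entries in ACL.values()
        for subject in entries
        if not subject.startswith("@")
    }
    return {u: {o: rights(u, o) for o in ACL} for u in sorted(users)}


if __name__ == "__main__":
    for user, row in access_matrix().items():
        print(user, {o: sorted(r) for o, r in row.items()})
```

Because every decision goes through rights(), adding a user to a group or a right to an ACL entry is reflected immediately in both the ACL view and the capability view, which is the point of keeping a single authoritative structure.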
The goals of a security program are to meet long-term challenges by handling day-to-day security
operations. It also describes the plans, policies and initiatives related to information security. A
security program has various components. Every organization has different information security needs,
which depend entirely on the size, culture and budget of the organization (Rani, 2017). The level at
which the information security program operates depends on the strategic plan of the organization and
its mission and vision statements. These are the main documents that should be used
