Information Security Management: CIA Triad, Ethics, SDLC, and Policies
Added on 2023/05/30

Summary
This report provides a detailed overview of several critical aspects of information security. It begins by explaining the CIA triad (Confidentiality, Integrity, and Availability) and its importance in maintaining information security. The report then discusses authorization and authentication, highlighting their roles in controlling access to systems and data. Furthermore, it delves into the significance of ethics in information security, emphasizing the need for professionals to adhere to ethical codes and regulations. The Security SDLC (System Development Life Cycle) is examined, outlining the steps involved in designing and implementing secure information systems. The report also covers different types of security policies and how they are used within organizations to protect information assets. Finally, it addresses risk management, including risk assessment and various risk control strategies. This document serves as a comprehensive resource for understanding the multifaceted nature of information security.

Information Technology Management

The CIA triad has three components, and each one names a property that information security tries to preserve. The first component is confidentiality: the attribute of information that it is disclosed only to authorized identities and is not exposed to anyone else. Confidentiality is maintained by procedures and controls such as cryptography and security policies, and it is fundamental to information security because unauthorized disclosure is the most direct failure of it (Dewey, 2016). The second component is integrity, the attribute that assures that data is complete and uncorrupted. Integrity is lost when data is damaged, destroyed or corrupted, whether by accident or by deliberate, unauthorized modification, and corruption can happen at any point while data is being entered, stored or transferred. Information security therefore has to protect integrity so that users can trust that what they read is what was written, and so that unauthorized changes are detected rather than silently accepted (Desai & von der Embse, 2008). The third component is availability: information is accessible without interruption, in a usable format, to those who have the authority to use it, at the time they need it. Availability does not mean that information is open to everyone, which would undermine confidentiality; it means that authorized users are not denied access, for example by a system outage or a denial-of-service attack.
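As an added example (not part of the original report), the following Python shows the integrity property in practice: a record is protected with a keyed HMAC so that any corruption or tampering during storage or transfer is detected, and it contrasts this with a plain, unkeyed hash, which catches accidental corruption but not a deliberate change by someone who can recompute the hash. The record contents, the key generation and the function names are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample record: a payroll line that must not be altered in transit.
RECORD = b"employee=1042;account=GB29NWBK60161331926819;amount=2500.00"

# Shared secret between sender and receiver. Generated here for the example;
# in practice it is provisioned out of band and kept in a secrets store.
KEY = secrets.token_bytes(32)


def protect(record: bytes, key: bytes) -> tuple:
    """Return the record together with an HMAC-SHA256 tag computed over it."""
    tag = hmac.new(key, record, hashlib.sha256).hexdigest()
    return record, tag


def verify(record: bytes, tag: str, key: bytes) -> bool:
    """Recompute the tag and compare it in constant time.

    False means the data or the tag was altered, or the wrong key was used.
    """
    expected = hmac.new(key, record, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def unkeyed_checksum(record: bytes) -> str:
    """A plain hash detects accidental corruption only: an attacker who can
    change the record can simply recompute this value to match."""
    return hashlib.sha256(record).hexdigest()


def demo() -> dict:
    """Run the three cases and return their outcomes by name."""
    record, tag = protect(RECORD, KEY)
    results = {"intact": verify(record, tag, KEY)}

    # An attacker (or a bit flip in transit) changes the amount.
    tampered = record.replace(b"2500.00", b"9500.00")
    results["tampered_hmac"] = verify(tampered, tag, KEY)

    # Without a key, the attacker recomputes the checksum and it still matches.
    forged_checksum = unkeyed_checksum(tampered)
    results["tampered_plain_hash"] = forged_checksum == unkeyed_checksum(tampered)
    return results


if __name__ == "__main__":
    print(demo())
```

The keyed tag is what turns a checksum into an integrity control: the receiver can only be fooled by someone who holds the key, whereas a bare SHA-256 stored alongside the data is recomputed as easily by an attacker as by the legitimate sender.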
Authentication and authorization are two different concepts. Authentication is the control mechanism that verifies and validates the identity an entity claims before that entity is treated as a known user: it establishes whether the presented identity is valid for system access. Individual users authenticate with a PIN (personal identification number), a password, or another factor such as a hardware token. Authorization is the process of giving permission to do something in the system once identity is known. It checks what authority an individual has over a system or over particular information, and after the identity has been authenticated it defines which actions are permitted or denied for that individual, such as reading, modifying or deleting the contents of the system (Silberschatz, Korth & Sudarshan, 2011). Authentication is done first, and authorization is done after authentication, because permissions can only be attached to an identity that has been verified. In short, authentication verifies a user's credentials and authorization validates a user's permissions. Both are central to information security: authentication makes information accessible only to verified users, and authorization limits what each verified user may do with it (Pathak, 2011). A common failure is to stop at authentication, so that any logged-in user can reach any object; the authorization check has to be applied on every access, not only at login.
Ethics is derived from the Greek word 'ethos', meaning 'character'. It describes how an individual should act and distinguishes what is right from what is wrong, and it includes rules and norms that every individual is expected to follow. Ethics has a wide role in information security, and people in this industry have to be especially careful about it because their work is under a high level of scrutiny: they routinely hold access to confidential client information and to the personal data of employees, and ethical behaviour is what keeps that access from being misused. Organizations run ethics training that helps employees understand why information is confidential and how to keep it so by following ethical rules and regulations (Harris, 2010). Every organization also has a pre-specified code of conduct that all members are expected to follow. Beyond that, it remains the responsibility of each individual to behave ethically, to take responsibility for the security of the information they handle, and to act according to the organization's policies and procedures.
The systems development life cycle (SDLC) is the process of designing and implementing an information system, carried out as a sequence of planned phases. At the end of each phase there is a review in which the performance of the project is judged, and on that basis it is decided whether the project should be continued, discontinued, postponed or outsourced. The security SDLC (SecSDLC) follows the same structure, but in each phase the threats and risks that the next phase must design for are identified, and controls are then designed and implemented to remove or reduce those threats and risks. There are six phases in the SecSDLC. The first is investigation, which establishes the goals, objectives, process and expected outcomes of the project; it includes analysing the problem, defining the goals and identifying all the constraints. The second is analysis, in which the existing security policies and the known threats relevant to them are analysed, along with all other relevant issues (Aristotle, 2016). Logical design is the third phase and is concerned with formulating the controls that will protect confidential information from the identified threats; the team creates the security blueprint, and the design is examined and its feasibility confirmed before it is carried forward. Physical design follows: here the technologies that could support the blueprint are evaluated, alternative solutions are generated and the final design is agreed. The second-last phase is implementation, in which the chosen solutions are acquired or developed, tested, implemented and then tested again (Pretorius, 2003); it also includes management of the implementation plan. The last phase is maintenance and change, in which the system is monitored and the necessary changes are made as the internal and external environment evolves, so that the controls keep meeting the requirement ("Design of Patient Monitoring System (PMS) Application using Security Design Patterns in Architecture Phase of Secure SDLC", 2016).
The SecSDLC is similar to traditional systems analysis and design because the main purpose of the traditional process is the same as that of the SecSDLC: a disciplined sequence of phases and reviews that delivers a system meeting its objectives. The difference is that in the SecSDLC security requirements are objectives of the project from the investigation phase onward, rather than being added at the end.

The four kinds of policy, and the ways they are used in an organization, are also important. The enterprise information security policy (EISP) is a very high-level policy that sets the strategic direction and scope of all the organization's security efforts; it is also called the security program policy, and it states the requirements for implementing and managing the information security program. The second is the issue-specific security policy (ISSP), which regulates the use of a particular technology or resource in the organization, for example acceptable use of e-mail or the internet; it helps safeguard the organization against threats such as hacking and malware (K.Pandey & Batra, 2013). The third is the system-specific security policy (SysSP). These policies look different from the other two and sometimes read like procedures, because they contain the standards applied while configuring or maintaining a particular system; they provide both managerial guidance and technical specifications. The last is the access control list (ACL), which covers user access lists, access matrices and capability structures that set out the privileges and rights of users: for each object, which individuals or groups may access it and what they may do with it. ACLs are the technical-specification form of a SysSP, and they are the mechanism through which an organization enforces authorization in the system (Shin & Lee, 2016).
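The following Python is an added example, not code from the report. It ties together the two steps described in the earlier authentication and authorization paragraph and the access control list described just above: a user first proves identity against a salted password hash, and only then is each requested action checked against an ACL that maps objects to the users and groups allowed specific rights on them, with deny as the default. The user store, group membership, ACL entries, object names and function names are all constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# --- Authentication: who is this? ------------------------------------------
# Constructed user store. Passwords are kept as salted PBKDF2-HMAC-SHA256
# hashes, never in clear text.

def _hash_password(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_user(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt)}


USERS = {
    "alice": make_user("correct horse battery staple"),  # constructed
    "bob": make_user("hunter2"),                          # constructed
}


def authenticate(username: str, password: str) -> Optional[str]:
    """Return the verified identity, or None if the credentials do not match."""
    user = USERS.get(username)
    if user is None:
        # Hash anyway so an unknown user takes as long as a wrong password.
        _hash_password(password, b"\x00" * 16)
        return None
    candidate = _hash_password(password, user["salt"])
    return username if hmac.compare_digest(candidate, user["hash"]) else None


# --- Authorization: what may this identity do? -----------------------------
GROUPS = {"hr": {"alice"}, "staff": {"alice", "bob"}}  # constructed

# ACL: object -> subject (user or group) -> set of rights on that object.
ACL = {  # constructed
    "payroll.csv": {"hr": {"read", "modify"}, "bob": {"read"}},
    "handbook.pdf": {"staff": {"read"}},
    "audit.log": {"hr": {"read"}},
}


def authorize(identity: str, obj: str, right: str) -> bool:
    """Grant only if some subject the identity belongs to holds the right.

    Unknown objects, unknown subjects and unlisted rights all fall through to deny.
    """
    entries = ACL.get(obj, {})
    subjects = {identity} | {g for g, members in GROUPS.items() if identity in members}
    return any(right in entries.get(s, set()) for s in subjects)


def access(username: str, password: str, obj: str, right: str) -> str:
    """Authentication first, then an authorization check on this specific request."""
    identity = authenticate(username, password)
    if identity is None:
        return "authentication failed"
    if not authorize(identity, obj, right):
        return f"{identity}: {right} on {obj} denied"
    return f"{identity}: {right} on {obj} allowed"


if __name__ == "__main__":
    print(access("alice", "correct horse battery staple", "payroll.csv", "modify"))
    print(access("bob", "hunter2", "payroll.csv", "modify"))
    print(access("bob", "wrong password", "handbook.pdf", "read"))
```

Note that `access` re-runs `authorize` for every object and right rather than deciding once at login; that per-request check is what prevents an authenticated user from reaching objects the ACL never granted.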
The goals of a security program are to meet long-term challenges while handling day-to-day security operations. The program describes the plans, policies and initiatives related to information security, and it has various components. Every organization has different information security needs, which depend on the organization's size, culture and budget (Rani, 2017). The level at which the information security program operates depends on the strategic plan of the organization and on its mission and vision statements. These are the main documents that the CIO and CISO should use when creating the mission statement for the information security program (Stahl, Doherty, Shaw & Janicke, 2013).
Risk assessment is important because it assesses the relative risk posed by each vulnerability of each information asset and so supports risk control by producing comparative ratings. Some practitioners calculate numeric risk estimation values, while others rely on broader, qualitative methods of estimation. The result of the assessment is an evaluation of the risk to each asset that has been identified, which is then used to choose a control strategy for it. There are five risk control strategies. The first is defense: applying safeguards that eliminate or reduce the risk that remains uncontrolled. The second is transference, which shifts the risk to other areas or to outside entities, for example by outsourcing the function or purchasing insurance. The third is mitigation, which reduces the impact on information assets if an attacker does succeed, through planning and preparation such as incident response, disaster recovery and business continuity plans. The fourth is acceptance, which means understanding the consequences of leaving a risk uncontrolled and then acknowledging that the risk will not be controlled. The last is termination, which removes the information asset from the organization's operations so that the risk no longer exists.
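As an added example (not from the report), this Python computes a comparative risk rating for each asset and vulnerability pair, ranks the pairs, and applies a decision rule to suggest one of the five control strategies for each. The rating formula is assumed from the textbook risk-rating worksheet (Whitman & Mattord): likelihood multiplied by asset value, minus the share already mitigated by current controls, plus an uncertainty share. The assets, numbers, thresholds and the strategy decision rule are constructed for illustration and are not from the report; transference is left out of the rule because whether a risk can be transferred depends on business options rather than on the rating.

```python
from dataclasses import dataclass


@dataclass
class Exposure:
    """One vulnerability of one asset, with the inputs to the rating."""
    asset: str
    vulnerability: str
    asset_value: int      # relative importance of the asset, 1-100
    likelihood: float     # chance the vulnerability is exploited, 0.0-1.0
    mitigated: float      # fraction of the risk current controls already remove
    uncertainty: float    # fraction added for lack of knowledge

    def rating(self) -> float:
        # Assumed worksheet formula (Whitman & Mattord):
        # risk = likelihood * value - mitigated share + uncertainty share
        base = self.likelihood * self.asset_value
        return round(base - base * self.mitigated + base * self.uncertainty, 2)


EXPOSURES = [  # constructed sample inventory
    Exposure("customer DB", "SQL injection in web app", 100, 0.5, 0.5, 0.2),
    Exposure("customer DB", "unpatched DBMS", 100, 0.3, 0.0, 0.1),
    Exposure("web server", "weak TLS configuration", 60, 0.2, 0.8, 0.1),
    Exposure("legacy FTP server", "cleartext credentials", 20, 0.8, 0.0, 0.0),
]


def suggest_strategy(e: Exposure) -> str:
    """Hypothetical decision rule mapping a rating to a control strategy.

    Low-value assets that still rate highly are cheaper to retire than to
    defend (termination); high ratings get new safeguards (defense); middling
    ratings get impact-reduction planning (mitigation); the rest are accepted.
    """
    r = e.rating()
    if e.asset_value <= 20 and r >= 10:
        return "termination"
    if r >= 30:
        return "defense"
    if r >= 10:
        return "mitigation"
    return "acceptance"


def rating_table(exposures=EXPOSURES) -> list:
    """Return (asset, vulnerability, rating, strategy) sorted by rating, highest first."""
    ranked = sorted(exposures, key=lambda e: e.rating(), reverse=True)
    return [(e.asset, e.vulnerability, e.rating(), suggest_strategy(e)) for e in ranked]


if __name__ == "__main__":
    for asset, vuln, rating, strategy in rating_table():
        print(f"{rating:6.1f}  {asset:18} {vuln:28} -> {strategy}")
```

The ranking is what matters more than the absolute numbers: with the same inputs, the two customer database exposures come out far above the others, and the worksheet makes it visible that the unpatched DBMS is rated almost as high as the injection flaw only because nothing currently mitigates it.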
References

Aristotle. (2016). The Nicomachean Ethics of Aristotle. Lanham: Dancing Unicorn Books.
Desai, M., & von der Embse, T. (2008). Managing electronic information: an ethics perspective. Information Management & Computer Security, 16(1), 20-27. doi: 10.1108/09685220810862724
Design of Patient Monitoring System (PMS) Application using Security Design Patterns in Architecture Phase of Secure SDLC. (2016). International Journal of Modern Trends in Engineering & Research, 3(12), 29-34. doi: 10.21884/ijmter.2016.3147.wiihu
Dewey, J. (2016). Ethics. Read Books Ltd.
Harris, A. (2010). The Ethics and Confidentiality Committee and Research Ethics Committees. Research Ethics, 6(4), 117-119. doi: 10.1177/174701611000600402
K.Pandey, S., & Batra, M. (2013). Security Testing in Requirements Phase of SDLC. International Journal of Computer Applications, 68(9), 31-35. doi: 10.5120/11609-6985
Pathak, N. (2011). Database Management System. Himalaya Publishing House.
Pretorius, J. (2003). Ethics and international security in the information age. Defense & Security Analysis, 19(2), 165-175. doi: 10.1080/1475179032000083370
Rani, B. (2017). Database Management System Using Index efiltering In Information Retrival System. International Journal of Engineering and Computer Science, 6(11). doi: 10.18535/ijecs/v6i11.10
Shin, S., & Lee, T. (2016). Information Security Activity of Analysis Phase in Information Security Model in Accordance with SDLC. Journal of the Korea Society of Computer and Information, 21(11), 79-83. doi: 10.9708/jksci.2016.21.11.079
Silberschatz, A., Korth, H., & Sudarshan, S. (2011). Database System Concepts. New York: McGraw-Hill.
Stahl, B., Doherty, N., Shaw, M., & Janicke, H. (2013). Critical Theory as an Approach to the Ethics of Information Security. Science and Engineering Ethics, 20(3), 675-699. doi: 10.1007/s11948-013-9496-6