1. Identify and describe the three main goals known as the CIA of information security. In your answer provide an example of an information security control that is used to ensure each of these three goals of information security.
2. Draw the four key components of the operational model of information security in a diagram and describe a security control technology that would be used for each of the three types of protection in the operational model of security.
3. Identify and describe the three main types of cryptography. In your answer provide an example of how each of these three main types of cryptography is used to provide appropriate security in a technology solution.
4. Explain the respective roles of the certificate authority and the registration authority in the process for a user to obtain a digital certificate in a public key infrastructure (PKI). Illustrate your answer with a simple diagram that shows the interaction between the user, registration authority and certificate authority.
5. Explain why SSL/TLS use a combination of symmetric and asymmetric cryptographic methods. In your answer consider the relationship between symmetric and asymmetric cryptographic methods and their respective roles in securing the communication channel in an e-commerce transaction.
6. List and briefly describe the four main types of backups that are conducted; in your answer emphasise the relative storage space and the level of complexity required for each type of backup.
7. Explain why software patches need to be tested before release and can’t just be applied to production software environments. In your answer give an example of what could go wrong if a software patch was released before being adequately tested.
8. Identify and briefly describe each of the five key steps that are used in any general risk management process.
9. Describe what is meant by an Advanced Persistent Threat (APT) using the seven steps of an APT Attack Model (1) Initial Compromise (2) Establish a foothold (3) Escalate privileges (4) Internal reconnaissance (5) Move laterally (6) Maintain presence and (7) Complete mission.
10. Explain why you should always search free space and slack space on a hard drive in a computer forensic investigation if you suspect an employee of conducting illegal activities on a company computer.
11. Discuss the concept of personally identifiable information (PII) with particular emphasis on elements of PII that need to be protected. Your answer should consider key corporate responsibilities associated with the storage, use or transmission of PII.
12. Explain why ethics is an important issue for an Information Security Professional, in relation to privacy and confidentiality of employee and customer data.
1: The CIA of information security is commonly described as the triad of information security. Confidentiality, Integrity and Availability are denoted by the term CIA. It is a model of information security that helps in evaluating an organisation’s information security.
Confidentiality is defined as ensuring that only authorised persons access data. Unauthorised access should be blocked to ensure information security; disclosure of important data is restricted to authorised access. The goal of confidentiality in information security is to protect important information against misuse. Organisations ensure confidentiality by using user IDs and passwords, policy-based security controls and access control lists (ACLs). Integrity is defined as assuring that information and data can be trusted. It also ensures that only authorised persons alter data and information, and it guards against improper destruction and modification of information. One of the highest ideals is integrity of personal character. Integrity is divided into two categories: data integrity and system integrity. Organisations ensure integrity through hashing algorithms and data encryption; data encryption ensures that hackers cannot understand sensitive information. Availability is defined as data and information being available whenever required. It also ensures that data are accessible by authorised users. Organisations ensure availability through software patching and upgrading, hardware maintenance and network optimisation.
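The following Python is an added example, not code from the original answer: it implements one concrete control for each goal named above (an access control list for confidentiality, a SHA-256 digest check for integrity, and patch-level tracking for availability) and runs each over constructed sample data. The ACL, group table, inventory and required patch level are all constructed for the demonstration.

```python
"""One concrete control per CIA goal, run over constructed sample data.

Added example; not code from the original answer. The ACL, group table,
inventory and patch level below are all constructed for the demonstration.
"""
import hashlib
import hmac

# Confidentiality control: an access control list, resource -> principal -> actions.
# "*" stands for every authenticated user.
ACL = {
    "payroll.db": {"hr-group": {"read", "write"}, "auditor": {"read"}},
    "public-site": {"*": {"read"}},
}
GROUPS = {"alice": {"hr-group"}, "bob": {"auditor"}, "eve": set()}


def is_allowed(user, resource, action, acl=ACL, groups=GROUPS):
    """Deny by default: access is granted only through an explicit ACL entry
    for the user, one of the user's groups, or the wildcard principal."""
    entries = acl.get(resource, {})
    principals = {user, "*"} | groups.get(user, set())
    return any(action in entries.get(p, set()) for p in principals)


# Integrity control: a digest stored at write time and recomputed on read.
def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_integrity(data: bytes, expected_digest: str) -> bool:
    """True only if the data still hashes to the digest recorded when it was written.
    compare_digest avoids leaking where the comparison stopped matching."""
    return hmac.compare_digest(sha256_hex(data), expected_digest)


# Availability control: patch-level tracking; hosts below the required level are
# the ones most likely to be taken down by a known bug.
REQUIRED_PATCH_LEVEL = 42   # constructed value


def hosts_needing_patch(inventory: dict, required: int = REQUIRED_PATCH_LEVEL) -> list:
    """Return the hosts whose installed patch level is below the required one."""
    return sorted(host for host, level in inventory.items() if level < required)


if __name__ == "__main__":
    print(is_allowed("alice", "payroll.db", "write"), is_allowed("eve", "payroll.db", "read"))
    record = b"salary,alice,5200"          # constructed record
    digest = sha256_hex(record)
    print(verify_integrity(record, digest), verify_integrity(b"salary,alice,9900", digest))
    print(hosts_needing_patch({"web1": 42, "web2": 40, "db1": 41}))
```

The ACL check is deliberately deny-by-default: a resource or principal with no entry yields no permissions, which is the property an access control list is expected to enforce.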
2: The four key components required in the operational model of information security are (1) the information security manager, (2) the business risk manager, (3) senior executives and (4) individuals with responsibility for implementation, design, improvement and monitoring.
An organisation is a complex system that delivers value. An operational model is used to break the complex system down into simple components that show how the system works. The model helps leaders to identify the problems that are causing under-performance. The operational model is broken down into four components, namely executives, senior managers, middle managers and workers. It also helps in describing the way an organisation works, and it can communicate the vision of how an operation will work in the future (the to-be state).
3: The three main types of cryptography are public key cryptography, the one-time pad and steganography. In public key cryptography, one key encrypts and another matching key decrypts. Together the keys are called a key pair. One key, the private key, is kept secret, and the other, the public key, is shared with everyone. The public key can be thought of as the key to a public drop box, and the private key as the key that takes things out of the drop box.
The second type of cryptography is the one-time pad. The same pad is given to both sender and receiver and must be transmitted over a secure line. The pad is destroyed once it has been used, which suits high-security situations.
Steganography keeps information and data hidden from people who snoop on another person. For example, pictures contain a lot of unused space that can be used to hide messages. This concept cannot be fully treated as cryptography but can be used to explain the concept.
4: The role of the certificate authority (CA) is to validate ownership of a domain and, after domain validation, to issue a certificate. The certificate authority uses credit reports and business registration to vet the applying organisation. The certificate authority incorporated in a public key infrastructure (PKI) ensures that people cannot mask information on the internet by using fake digital certificates. The CA verifies the certificate applicant’s identity before issuing a digital certificate. A Certification Practice Statement (CPS) is provided by the CA that states the policies and practices for the issuance and maintenance of digital certificates in the PKI.
The registration authority verifies the users who request a digital certificate. After verifying them, it informs the certificate authority to issue the digital certificate. The registration authority is the part of the PKI that enables users and companies to exchange money and information safely and securely. The digital certificate issued contains the public key that encrypts and decrypts digital signatures safely and securely. Certificates are verified according to the class of certificate being requested. The certificate classes are:
Class 1: Verifies individuals through email and is used to digitally sign email messages. For the verification process, an email address, physical address and full name are required.
Class 2: Verifies the user of software so that the user can verify the authenticity of the software vendor.
Class 3: Provided to companies wishing to set up their own certificate authority.
5: Symmetric cryptography alone cannot transmit a secret between machines that have never communicated before, and asymmetric encryption handles only small amounts of data and is significantly slow when used to encrypt large blocks. As a result, SSL/TLS uses both types of encryption.
Symmetric and asymmetric cryptography are used to ensure the quality of communication and information systems and of the data transmitted and stored on them, which depends on both software and hardware tools as well as good organisational, managerial and operational procedures. Today, cryptographic methods are used to support message confidentiality and have become more sophisticated; they also include integrity protection, authentication, non-repudiation and detection of unauthorised copying. The main problem with public key encryption is that anyone can send the message. The digital signature is the reversal of public key cryptography: the message is encrypted using the sender’s private key instead of the receiver’s public key. The message receiver decrypts the signature using the sender’s private key, which verifies the identity of the sender of the message.
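The Python below is an added example, not code from the original answer or from any SSL/TLS implementation. It shows the two ideas in this answer in working form: the hybrid pattern, in which a fresh random session key protects the bulk data and only that short key goes through the slow asymmetric operation, and the digital signature, in which the signer applies the private key to a message hash. It uses a constructed toy RSA key pair built from the Mersenne primes 2^61-1 and 2^89-1 and an HMAC-SHA256 keystream as a stand-in for the symmetric cipher; both are demonstration substitutes for the real TLS primitives. One caveat a practitioner would want: in the signature half, the receiver checks the signature with the signer's public key, because that is the key a receiver holds.

```python
"""Hybrid encryption and digital signatures with a toy RSA key pair.

Added example, not part of the original answer. Textbook RSA over two small
Mersenne primes and a SHA-256 counter-mode keystream stand in for the real TLS
primitives (RSA/ECDHE key exchange, AES); neither is fit for production use.
"""
import hashlib
import hmac
import secrets

# Constructed key pair: n is about 150 bits, large enough to hold a 128-bit
# session key or a truncated 128-bit message digest as a single integer.
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+)
PUBLIC_KEY = (N, E)
PRIVATE_KEY = (N, D)


def rsa_public_op(m: int, public_key: tuple) -> int:
    """Public-key operation: encrypt a small integer, or recover a signed digest."""
    n, e = public_key
    assert 0 <= m < n, "message must be smaller than the modulus"
    return pow(m, e, n)


def rsa_private_op(c: int, private_key: tuple) -> int:
    """Private-key operation: decrypt, or produce a signature."""
    n, d = private_key
    return pow(c, d, n)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Symmetric cipher: XOR data with an HMAC-SHA256 counter-mode keystream.
    The same call encrypts and decrypts, since the same key reproduces the stream."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def hybrid_encrypt(plaintext: bytes, recipient_public: tuple) -> tuple:
    """The TLS pattern: bulk data under a random session key, the key wrapped with RSA."""
    session_key = secrets.token_bytes(16)
    wrapped_key = rsa_public_op(int.from_bytes(session_key, "big"), recipient_public)
    return wrapped_key, keystream_xor(session_key, plaintext)


def hybrid_decrypt(wrapped_key: int, ciphertext: bytes, recipient_private: tuple) -> bytes:
    session_key = rsa_private_op(wrapped_key, recipient_private).to_bytes(16, "big")
    return keystream_xor(session_key, ciphertext)


def _digest_int(message: bytes) -> int:
    # Truncated to 128 bits only because the toy modulus is small.
    return int.from_bytes(hashlib.sha256(message).digest()[:16], "big")


def sign(message: bytes, signer_private: tuple) -> int:
    """Digital signature: hash the message, then apply the signer's PRIVATE key."""
    return rsa_private_op(_digest_int(message), signer_private)


def verify(message: bytes, signature: int, signer_public: tuple) -> bool:
    """Anyone holding the signer's PUBLIC key can check the signature."""
    return rsa_public_op(signature, signer_public) == _digest_int(message)


if __name__ == "__main__":
    msg = b"order 4711: pay 120.00 EUR to merchant"   # constructed sample message
    wrapped, ct = hybrid_encrypt(msg, PUBLIC_KEY)
    print(hybrid_decrypt(wrapped, ct, PRIVATE_KEY) == msg)
    sig = sign(msg, PRIVATE_KEY)
    print(verify(msg, sig, PUBLIC_KEY), verify(msg + b"!", sig, PUBLIC_KEY))
```

Only the 16-byte session key ever goes through the modular exponentiation; the message itself, however long, is handled by the fast symmetric stream. Tampering with even one byte of the signed message changes the digest and makes `verify` return False.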
6: The four types of backup that are conducted are the full backup, incremental backup, differential backup and virtual full backup. In a full backup a copy of all files is stored. Full backups consume a huge amount of relative space even when the files are compressed before being stored; heavy access to the backup disks shortens disk life and consumes network bandwidth. The main advantage of a full backup is ease of restoration: only the file name, date and location are needed to restore lost data. Incremental backups save space by storing only the files that have been changed or created since the last backup. The main advantage of an incremental backup is that the data backed up at each iteration is much smaller, which saves space and uses less network bandwidth. Differential backups are similar to incremental backups, except that they store the files that are new or changed since the last full backup was performed. This type of backup therefore requires more network bandwidth and space than incremental backups. The virtual full backup is another type of backup that uses a database to track and manage backed-up data. This helps the virtual full backup avoid the disadvantages of the other backup methods: a copy of each file is taken only once and does not need to be taken again as long as the storage medium is unchanged, which saves relative space and network bandwidth.
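To make the relative storage space and restore complexity concrete, the following Python is an added example (not code from the original answer) that runs the four strategies over a constructed four-day workload and reports, for each day, how many megabytes the backup writes and how many backup sets a restore of that day needs. The workload, sizes and the simplified catalogue model of the virtual full backup are assumptions of the example; compression and metadata are ignored.

```python
"""Storage cost and restore effort of full, incremental, differential and virtual full backups.

Added example, not part of the original answer. The workload below is constructed;
sizes are in MB and the model ignores compression and backup metadata.
"""

# Constructed workload: for each day, the files created or modified that day with
# their new size in MB. Day 0 is the initial full backup of everything.
DAILY_CHANGES = [
    {"db.dat": 500, "logs.txt": 20, "report.doc": 5},   # day 0: initial contents
    {"logs.txt": 22},                                   # day 1: log file grows
    {"logs.txt": 25, "report.doc": 6},                  # day 2: log and report change
    {"db.dat": 510},                                    # day 3: database changes
]


def state_on(day: int, changes=DAILY_CHANGES) -> dict:
    """Full contents of the volume at the end of `day` (file name -> size in MB)."""
    state = {}
    for delta in changes[: day + 1]:
        state.update(delta)
    return state


def plan(strategy: str, changes=DAILY_CHANGES) -> list:
    """Per day: (MB written by that day's backup, backup sets needed to restore that day)."""
    rows = []
    for day in range(len(changes)):
        if day == 0 or strategy == "full":
            # a full backup copies everything; one set restores the whole day
            rows.append((sum(state_on(day, changes).values()), 1))
        elif strategy == "incremental":
            # only what changed since the previous backup of any kind;
            # a restore replays the full backup plus every increment since
            rows.append((sum(changes[day].values()), day + 1))
        elif strategy == "differential":
            # everything changed since the last full backup (latest version of each file);
            # a restore needs the full backup plus the latest differential only
            since_full = {}
            for delta in changes[1 : day + 1]:
                since_full.update(delta)
            rows.append((sum(since_full.values()), 2))
        elif strategy == "virtual_full":
            # each new file version is stored once; the catalogue database assembles any
            # day's contents, so a restore reads a single synthesised set
            rows.append((sum(changes[day].values()), 1))
        else:
            raise ValueError(f"unknown strategy {strategy!r}")
    return rows


def total_storage(strategy: str, changes=DAILY_CHANGES) -> int:
    """Total MB written over the whole workload."""
    return sum(mb for mb, _ in plan(strategy, changes))


if __name__ == "__main__":
    for strategy in ("full", "incremental", "differential", "virtual_full"):
        print(f"{strategy:13s} per-day={plan(strategy)} total={total_storage(strategy)} MB")
```

Running it shows the trade-off the answer describes: full backups write the most (2124 MB here) but restore from one set, incremental backups write the least (1088 MB) but need every set since the last full, and differential backups sit between the two on space (1119 MB) while always restoring from two sets.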
7: Software patches should be tested before implementing them to prevent errors in the production environment. Testing a software patch before release is beneficial for avoiding risks. Testing protects the software from external destructive software. It helps the organisation improve its functionality and not worry about security updates, and it protects the system from malware attacks if the software patch is tested. It proves beneficial in reducing the complexity of production software environments. It will mitigate 83% of security issues.
Therefore, if a software patch is not tested before releasing it to the production software environment, it might not be compatible with the environment and the software might become vulnerable to attacks. The steps performed for testing are creating a test environment, followed by testing on a limited number of production devices. A patch provides security to software and fixes software vulnerabilities; therefore, it is important to test the patch to ensure security.
8: The five steps that are taken in any risk management process are:
9: An advanced persistent threat (APT) is defined as a targeted and prolonged cyber attack in which the attacker gains access to the network but remains undetected for an extended period. The intention of the attack is to monitor network activity and steal data rather than to cause damage to the organisation’s network. The manufacturing, financial and national defence sectors are typically targeted by APTs, because companies in these sectors deal with intellectual property, valuable information, military plans and other data from enterprise organisations and government. The APT attack model consists of steps such as target selection, information gathering, point of entry, planting malware on a compromised machine, escalating privileges, command and control communication, lateral movement, asset persistence and discovery, data exfiltration and covering the tracks. An APT attack is studied and planned in detail by the attackers: the internal blueprint of the IT infrastructure, social engineering attacks, malware engineering and undetected data extraction (Da Veiga and Martins 2015). The first stage of an APT attack is target selection, followed by gathering information about the organisation. After sufficient information has been collected, the attackers make their entry, followed by planting malware on compromised machines. The malware then handles command and control communication.
10: The leftover storage space in a hard disk drive when not all of the allocated space is used to store a file is called slack space. When a file is deleted, it is not erased by the operating system; the space is only made available for reallocation. Slack space is mainly defined as the difference between the physical and logical size. The logical size is the actual size measured in bytes, and the physical size is determined by the number of sectors allocated to the file.
The slack space and free space should always be searched if an employee is suspected of conducting illegal activities on a company computer, in order to prevent loss and theft of data. Data might be lost due to overwriting and overlapping of data. Important data that is lost or stolen by the employee might create a huge loss for the organisation.
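The following Python is an added example (not code from the original answer) that shows the logical/physical size relationship and why unallocated space is worth searching: on a constructed eight-cluster toy disk, a memo is written, "deleted", and partly overwritten by a new file, and a search of the free clusters and of the new file's slack still recovers the memo's text. The 64-byte cluster size, the disk layout and the file contents are all constructed for the demonstration; real file systems add metadata and journals, but the size arithmetic is the same.

```python
"""Logical vs physical size, file slack and free space on a simulated disk.

Added example; not code from the original answer. Disk, cluster size and file
contents are constructed; real file systems add metadata and journals, but the
relationship between logical size, physical size and slack is the same.
"""
CLUSTER = 64        # bytes per allocation unit (constructed; NTFS defaults to 4096)
N_CLUSTERS = 8


def physical_size(logical_size: int, cluster: int = CLUSTER) -> int:
    """Space actually allocated: the logical size rounded up to whole clusters."""
    return -(-logical_size // cluster) * cluster


def slack_size(logical_size: int, cluster: int = CLUSTER) -> int:
    """File slack: the unused tail of the last cluster, which keeps whatever was there before."""
    return physical_size(logical_size, cluster) - logical_size


class ToyDisk:
    """A byte array split into clusters plus an allocation table: name -> (first cluster, size)."""

    def __init__(self):
        self.data = bytearray(CLUSTER * N_CLUSTERS)
        self.alloc = {}

    def allocated_clusters(self) -> set:
        used = set()
        for first, size in self.alloc.values():
            used.update(range(first, first + physical_size(size) // CLUSTER))
        return used

    def write(self, name: str, content: bytes) -> None:
        """Place the file in the first free run of clusters large enough for it."""
        need = physical_size(len(content)) // CLUSTER
        used = self.allocated_clusters()
        for start in range(N_CLUSTERS - need + 1):
            if not any(c in used for c in range(start, start + need)):
                break
        else:
            raise OSError("disk full")
        offset = start * CLUSTER
        # Only the logical bytes are written; the rest of the last cluster is left untouched.
        self.data[offset:offset + len(content)] = content
        self.alloc[name] = (start, len(content))

    def delete(self, name: str) -> None:
        """A normal delete drops the table entry only; the clusters keep their bytes."""
        del self.alloc[name]

    def search_unallocated(self, needle: bytes) -> list:
        """Find `needle` in free clusters and in the slack of allocated files.
        Returns ('free', cluster_index) and ('slack', file_name) entries."""
        hits = []
        used = self.allocated_clusters()
        for c in range(N_CLUSTERS):
            if c not in used and needle in self.data[c * CLUSTER:(c + 1) * CLUSTER]:
                hits.append(("free", c))
        for name, (first, size) in self.alloc.items():
            start, end = first * CLUSTER + size, first * CLUSTER + physical_size(size)
            if needle in self.data[start:end]:
                hits.append(("slack", name))
        return hits


def build_scenario() -> ToyDisk:
    """Constructed scenario: a memo is written, deleted, then partly overwritten by a new file."""
    disk = ToyDisk()
    memo = b"TRANSFER 9,500 USD TO ACCT 4711 -- DELETE THIS " * 3   # 141 bytes -> 3 clusters
    disk.write("memo.txt", memo)
    disk.delete("memo.txt")                                          # "deleted" by the user
    disk.write("notes.txt", b"quarterly figures look fine")          # 27 bytes reuse cluster 0
    return disk


if __name__ == "__main__":
    disk = build_scenario()
    print(physical_size(141), slack_size(141))
    print(disk.search_unallocated(b"ACCT 4711"))
    print(disk.search_unallocated(b"DELETE THIS"))
```

After the overwrite, the first 27 bytes of cluster 0 belong to the new file, the remaining 37 bytes of that cluster are its slack and still hold part of the memo, and clusters 1 and 2 are free but untouched; a search that looked only at allocated file contents would miss all of it.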
11: Personally identifiable information (PII) and protected health information should be identified by every organisation and handled securely. PII is any data that can identify, locate or contact an individual, either on its own or combined with other sources. Information that is linked to an individual is included in PII; such information about the individual is included through medical, financial, employment and educational records. The data elements that are required to identify an individual are biometric data, telephone number, social security number and name. Federal agencies have the responsibility of safeguarding sensitive information and other PII (Yang and Jia 2014). Protecting PII has become the most important thing today. Several laws related to PII are the Privacy Act, GLBA, HIPAA, COPPA, FERPA and FCRA.
The laws serve an important cause: they restrict organisations from sharing personal information with other parties, and they protect the information. The identifiers covered by PII include personal identification numbers such as the driver’s license number, patient identification number and passport number.
12: Ethics is important in information security for creating information security and privacy awareness. Ethics involves responsibility, duty and personal character. The main ethical theories are utilitarianism, hedonism and egoism.
Utilitarian theory is the main theory and is also referred to as the greatest happiness principle. The main concept behind this theory is that the right action brings more good than bad to all persons. Hedonism elaborates the good and bad things stated in utilitarian theory; pain and pleasure are included in the theory. Hedonists are not utilitarians, but utilitarians are hedonists. Egoism is focused on the idea of good and bad for individuals. These theories are discussed in detail in the code of ethics, and it is important that every organisation follow the code of ethics. Whenever there is a dilemma in an organisation’s decision making, the administrators try to follow ethical theory. Several unwanted situations in information security are resolved by ethical theories.
Ahn, S.H., Kim, N.U. and Chung, T.M., 2014, February. Big data analysis system concept for detecting unknown attacks. In Advanced communication technology (ICACT), 2014 16th International Conference on (pp. 269-272). IEEE.
Chen, P., Desmet, L. and Huygens, C., 2014, September. A study on advanced persistent threats. In IFIP International Conference on Communications and Multimedia Security (pp. 63-72). Springer, Berlin, Heidelberg.
Cherdantseva, Y. and Hilton, J., 2013, September. A reference model of information assurance & security. In 2013 International Conference on Availability, Reliability and Security (pp. 546-555). IEEE.
Crossler, R.E., Johnston, A.C., Lowry, P.B., Hu, Q., Warkentin, M. and Baskerville, R., 2013. Future directions for behavioral information security research. Computers & Security, 32, pp.90-101.
Da Veiga, A. and Martins, N., 2015. Information security culture and information protection culture: A validated assessment instrument. Computer Law & Security Review, 31(2), pp.243-256.
Fabian, B., Ermakova, T. and Junghanns, P., 2015. Collaborative and secure sharing of healthcare data in multi-clouds. Information Systems, 48, pp.132-150.
Ghafir, I. and Prenosil, V., 2014. Advanced persistent threat attack detection: an overview. Int J Adv Comput Netw Secur, 4(4), p.5054.
Kaur, J. and Mustafa, N., 2013, November. Examining the effects of knowledge, attitude and behaviour on information security awareness: A case on SME. In Research and Innovation in Information Systems (ICRIIS), 2013 International Conference on (pp. 286-290). IEEE.
Khan, A.N., Kiah, M.M., Khan, S.U. and Madani, S.A., 2013. Towards secure mobile cloud computing: A survey. Future Generation Computer Systems, 29(5), pp.1278-1299.
Laudon, K.C. and Laudon, J.P., 2016. Management information system. Pearson Education India.
Mason, R.O., 2017. Four ethical issues of the information age. In Computer Ethics (pp. 41-48). Routledge.
Singh, G., 2013. A study of encryption algorithms (RSA, DES, 3DES and AES) for information security. International Journal of Computer Applications, 67(19).
Sorokin, P., 2017. Social and cultural dynamics: A study of change in major systems of art, truth, ethics, law and social relationships. Routledge.
Tamjidyamcholo, A., Baba, M.S.B., Shuib, N.L.M. and Rohani, V.A., 2014. Evaluation model for knowledge sharing in information security professional virtual community. Computers & Security, 43, pp.19-34.
Von Solms, R. and Van Niekerk, J., 2013. From information security to cyber security. Computers & Security, 38, pp.97-102.
Webb, J., Ahmad, A., Maynard, S.B. and Shanks, G., 2014. A situation awareness model for information security risk management. Computers & Security, 44, pp.1-15.
Yang, K. and Jia, X., 2014. Expressive, efficient, and revocable data access control for multi-authority cloud storage. IEEE transactions on parallel and distributed systems, 25(7), pp.1735-1744.
Yang, K., Jia, X., Ren, K., Zhang, B. and Xie, R., 2013. DAC-MACS: Effective data access control for multiauthority cloud storage systems. IEEE Transactions on Information Forensics and Security, 8(11), pp.1790-1801.
Zafar, H., 2013. Human resource information systems: Information security concerns for organizations. Human Resource Management Review, 23(1), pp.105-113.
My Assignment Help. (2020). Principles Of Information Security 3. Retrieved from https://myassignmenthelp.com/free-samples/cis2005-principles-of-information-security-3.