Discuss about the Cryptography and Network Security.
Definition of Security- Giving a protection to a organization, person, country or building from threats those are done by some foreign countries or some attackers or hackers is known as security (Collins, 2016). To secure a state’s security or an organization’s security, some procedures are followed. Those procedures are that are followed or the measure that are taken is known as security. With a secure environment, there comes a feeling of stable state, safe and a state that is free from anxiety.
Types of security- The special areas where the security is needed are
The protection of software, hardware, personnel, information and network from threats is known as the physical security (Ortmeier, 2017). Physical security involves fire, theft, disasters and any others. For organizations, physical security involves access control of organization’s specific location or data by the employees.
Information security is also known as InfoSec. InfoSec includes a large set of processes for the management of process, policies and tools which help to detect, respond and prevent the hackers from non digital and digital data assets. Information security includes many categories: application security, information security, mobile security and network security.
The telecommunication is prevented from the hackers that are protected from the unauthorized access of the network. This is known as communication security and COMSEC. The unclassified and classified traffic are both protected by COSMEC. This includes video, data and voice that are carried on communications of military networks.
Information Security- The set of methods or processes that are used for management of tools, policies and processes to detect and encounter the threats and prevent them from the threats that are involved in digital and non digital data (Crossler et al., 2013). Set of business process that protects the data from unauthorized threats is called information security. In Information Security shows how the data is formatted. The private and sensitive information receives threats from different sources. This may include identity threat, ramsomware, and malware or phishing threats. The security of information protects the data from being hacked and also initiative preventive methods are taken. Incident Response Plan (IRP) should be prepared by the organizations and businesses for security groups and data breach. This helps them to limit and control the damage of the data.
CNSS security model is known as Committee on National Systems Security Model. For the evaluation and establishment of Infosec detailed model are developed to secure a system. To build a secure system, not only the security goal (CIA) is needed, but the goals that are interrelated to different states and different regions (Hoisl, Sobernig & Strembeck, 2014). The cells that are present in the cube depict all the areas that are needed to secure a organization from data breach. The information of a system is secured by the CNSS Security Model.
C.I A. Triangle- C.I. A. stands for Confidentiality, Integrity and Availability. To give a protection of all the aspects of the CIA triad, security measure are taken. To implement and evaluate the information security of a n organization C.I.A (Tipton, Forkey & Choi, 2016). Triad is needed. The main three components of C.I.A. Triad are defined as follows:
Confidentiality- the data or information of a system or organization must be accessed only by the authorized person. The list of access control, security based on policy, password and user id are to be kept personal to maintain the confidentiality of data.
Integrity- The data or information must be original when they are sent to receiver from sender. The data received should be from the trusted sender. Hashing or data encryption algorithms are used to provide the integrity of the data.
Availability- The information and data should be made available to all the systems and controllers when they are needed at the time of execution.
Principle of Information Security Management- The principle of all organizations is different from each other. The assurance management of all the organizations has its own language that is related closely to the need of that particular business.
Information Security Planning
Role of Planning- To avoid data risk or transfer, accept and mitigate the technologies and the processes of an organization, information security planning is needed (Stallings & Tahiliani, 2014). The confidentiality, integrity and availability of the data are protected by the information security planning.
Security Systems Development Life Cycle (SecSDLC)- This is a policy that defines the requirements of information security planning and increase the protection of system resources of information (Crook & Evans, 2014). The life cycles of the information system are planning, development, maintenance, feasibility, retirement and implementation. Security is to be maintained in all the stages of life cycle to achieve:
- The information that is sensitive is to be protected.
- Proper removal of data id ensured when the system is crashed.
- New risks should be prevented.
Organizational Planning- The objective of the organization, monitoring and formulating and specific strategies that are achieved are the processes of organizational planning (Alruwaili & Gulliver, 2015). The resource allocation and staffing is also managed by organizational planning. The implementation and formulation to see the goals of organization that are achieved are needed by the organizational planning.
Strategic Planning: In strategic planning the long term goals and the future is developed. The strategic plan depicts a structure of what the enterprise will attend in next five to ten years.
Tactical Planning: The plans of strategic planning are translated to particular plans that are needed in an organization. The functionality and the responsibility of the departments that are at lower level are concerned in tactical plans.
Operational Planning: The low level manager makes the operational plans. Specific processes or procedures that happen in the organization come sunder operational planning. Routine tasks are planned n this planning.
Planning Contingency- The different situations that may come in the future of an organization comes under planning contingency (Osburn, Hatcher & Zongrone, 2015). A good planning of contingency should have all the positive or good events or plans that might change the operation.
Incidence Response Plan (IRP) - The classification, response, recovery and identification of an incident is done in IRP.
Disaster Recovery Plan (DRP) - this involve s the planning that should done after a disaster happens in an organization.
Business Continuity Plan (BCP) – This plan states the critical functions that continue in an organization.
Information Security Policy and Program
Definition of Information Security Policy- there are three elements in Information security policy: Policy Statements, How to deal with information security and requirements.
Enterprise Information Security Policy (EISP) – In this policy there exists an external audit that includes enterprise network and branch agencies that are executive (Crnjanski et al., 2016). The audit in this EISP shows all the defects that are not addressed properly in the policies and the documents that were defined previously.
Issue-specific security policies (ISSP) - Through this policy all the members and staffs of the organization are instructed to use the resource of the organization. The technological philosophies that are fundamentally related to the organization are guided in this policy.
System-specific security policies (SysSP) - These are not permanent policies of an organization. These policies are created when the organization needs to function as procedures and standards that are to be used in maintaining and configuring the systems. There are two groups of SysSP- technical specification and management guidance.
Information security program for large organization- Different organizations have different programs on information security (Peltier, 2016). The internal groups of the organizations are made and again remade challenges that are long term even if they handle security operations that are held daily. By information security programs, functions of the organization are divided into groups. By dividing into groups the work is done faster and is done efficiently.
Information security program for medium organization- The Infosec security programs that are organized by medium organizations are: they must have a smaller amount of budget. The size of security staffs must be small as the organization is medium. There must be programs that includes to seek help from the IT staffs if are needed for practices and plans. The program that is followed by medium organizations must have the way to set policies, handle all the incidents in regular basis. Some of the security functions that are not so important can be neglected by medium organizations.
Information security program for small organization- Small organizations follow different sets of information security programs. These have very simple and centralized organizational model in IT sector. Money is disproportionately spent on security of small sectors. A single security administrator only has the responsibility to handle information security. The policy of small industries are issue specific. Threats from internal issues are mostly less because there is small number of employees.
Alruwaili, F. F., & Gulliver, T. A. (2015). Secsdlc: A practical life cycle approach for cloud-based information security. IJRCCT, 4(2), 095-107.
Collins, A. (2016). Contemporary security studies. Oxford university press.
Crnjanski, T., Krajnovic, D., Tadic, I., Stojkov, S., & Savic, M. (2016). An Ethical issue scale for community pharmacy setting (EISP): Development and validation. Science and engineering ethics, 22(2), 497-508.
Crook, S. R., & Evans, G. W. (2014). The role of planning skills in the income–achievement gap. Child development, 85(2), 405-411.
Crossler, R. E., Johnston, A. C., Lowry, P. B., Hu, Q., Warkentin, M., & Baskerville, R. (2013). Future directions for behavioral information security research. computers & security, 32, 90-101.
Hoisl, B., Sobernig, S., & Strembeck, M. (2014). Modeling and enforcing secure object flows in process-driven SOAs: an integrated model-driven approach. Software & Systems Modeling, 13(2), 513-548.
Ortmeier, P. J. (2017). Introduction to Security. Pearson.
Osburn, H. K., Hatcher, J. M., & Zongrone, B. M. (2015). Training and development for organizational planning skills. The Psychology of Planning in Organizations: Research and Applications, 334.
Peltier, T. R. (2016). Information Security Policies, Procedures, and Standards: guidelines for effective information security management. CRC Press.
Stallings, W., & Tahiliani, M. P. (2014). Cryptography and network security: principles and practice (Vol. 6). London: Pearson.
Tipton, S. J., Forkey, S., & Choi, Y. B. (2016). Toward Proper Authentication Methods in Electronic Medical Record Access Compliant to HIPAA and CIA Triangle. Journal of medical systems, 40(4), 100.