The CIA triad has three components, each of which bears on information security. The first is confidentiality: the attribute of information that describes how data remains confidential, without exposure to unauthorized identities. Procedures such as cryptography and security policies are used to keep information confidential, and maintaining confidentiality is essential to information security (Dewey, 2016). The second is integrity, the attribute that assures data is complete and uncorrupted. Integrity is compromised only when information is exposed to damage, destruction or corruption, and corruption can occur at any time while data is being entered, stored or transferred. For information security it is necessary to maintain integrity in order to remove the risk of data exposure (Desai & von der Embse, 2008). The third is availability, which refers to how easily data is accessible without interruption; the data should be available in a usable format. Information should be available only to those people who have the authority to use it; if information is available to everyone, information security is undermined.
Authentication and authorization are two different concepts. Authentication is a control mechanism that verifies and validates an entity whose identity has not yet been established; it gives the system a way to decide whether the claimed identity is valid for system access. Individual users authenticate themselves to the system with a PIN (personal identification number), a password or another credential. Authorization, by contrast, is the process of granting permission to do something in the system; it checks the authority an individual has over a system or its information. Once an identity has been authenticated, authorization defines which actions are permitted or denied to that individual, such as deleting, modifying or accessing the contents of the system (Silberschatz, Korth & Sudarshan, 2011). Authentication happens first, and authorization normally follows it: authentication verifies the user's credentials, and authorization validates the user's permissions. Both relate to information security, since authorization establishes what authority a user has over the system and authentication ensures that information is made accessible only to authorized users (Pathak, 2011).
Ethics is derived from the Greek word 'ethos', meaning 'character'. It describes how an individual should act and explains what is right and what is wrong, and it also comprises rules and regulations that every individual should follow. Ethics has a wide role in information security, and people in this industry have to be very careful about it because they work under a high level of scrutiny. Ethics helps maintain information security by protecting confidential client information and the personal data of employees. Organizations run ethics training that helps employees understand the confidentiality of information and how to maintain it by following ethical rules and regulations (Harris, 2010). Every organization has a pre-specified code of conduct that all its members are expected to follow. Beyond that, it remains the responsibility of each individual to behave ethically, taking responsibility for the security of information and acting in accordance with policies and procedures.
The security SDLC (SecSDLC) refers to the process of designing and implementing an information system, and proper plans are based on the SDLC. At the end of each phase there is a review in which the project's performance is judged, and on that basis it is decided whether the project should be continued, discontinued, postponed or outsourced. In the security SDLC, the threats and risks that the new design must address are identified, and controls are then designed and implemented to remove them. The SecSDLC has six steps. The first, investigation, establishes the goals, objectives, processes and outcomes of the project; it also includes analysing the problem, defining goals and identifying all constraints. The second step, analysis, examines all existing security policies and the known threats attached to them, together with all other relevant issues (Aristotle, 2016). The third step is logical design, which is about formulating the controls that will protect confidential information from those threats; here the team members create the security blueprint, examine it and carry out its implementation. Next comes physical design, in which technology is evaluated so that it can support the blueprint, alternative solutions are created and the design is finalized. The second-last phase is implementation, the stage in which the solutions are acquired, tested, implemented and then tested again (Pretorius, 2003); it also includes managing the plan. The final phase, after implementation, is maintenance and change. In this stage the necessary changes are made in response to the internal and external environment so that the system continues to meet its requirements ("Design of Patient Monitoring System (PMS) Application using Security Design Patterns in Architecture Phase of Secure SDLC", 2016).
It is similar to traditional systems analysis and design because the main purpose of the traditional approach was the same as that of the SecSDLC; its process was also similar and helped fulfil all the objectives. The four policies, and the ways they are used in the organization, are important. The enterprise information security policy is a very high-level information security policy that sets the strategic direction and scope of all the organization's security-related efforts; it is also called the security program, and it helps the organization meet its implementation and management requirements. The second is the issue-specific security policy, which regulates the use of a particular technology or resource in the organization; it assists the organization by safeguarding it against hacking and malware (K.Pandey & Batra, 2013). The third is the specific security policy. These policies look different from the other policies and sometimes read like a procedure; they include the standards used while configuring or maintaining a system, and they provide organizations with both managerial and technical guidance. The last policy is access control lists, which refers to user access lists, matrices and capability structures that set out the privileges and rights of users. An access control list shows which objects an individual or group can access, and it supports the organization's authorization of system access (Shin & Lee, 2016).
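The two-step sequence described above (authentication verifies credentials, then authorization consults an access control list to decide which actions such as access, modify or delete are permitted) can be shown in a small program. This is an added example, not code from the essay or any cited source; the user store, group memberships, ACL and PBKDF2 parameters are all constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed user store: no password is kept in clear; each record holds a
# random salt and a PBKDF2-HMAC-SHA256 hash of the password (parameters assumed).
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt)}

USERS = {"alice": make_user("correct horse"), "bob": make_user("battery staple")}
GROUPS = {"alice": {"editors"}, "bob": {"readers"}}   # constructed memberships

# Constructed access control list: for each object, which users or groups may
# perform which actions. Anything not listed is denied (default deny).
ACL = {
    "report.docx": {"user:alice": {"access", "modify", "delete"},
                    "group:readers": {"access"}},
    "payroll.xlsx": {"group:editors": {"access", "modify"}},
}

def authenticate(username: str, password: str) -> Optional[str]:
    """Step one: verify the claimed identity. Returns it only if the credential matches."""
    record = USERS.get(username)
    if record is None:
        _hash_password(password, b"\x00" * 16)   # same cost for unknown users
        return None
    candidate = _hash_password(password, record["salt"])
    # Constant-time comparison so a mismatch leaks nothing about where it differs.
    return username if hmac.compare_digest(candidate, record["hash"]) else None

def authorize(identity: Optional[str], obj: str, action: str) -> bool:
    """Step two: an unauthenticated caller is never checked against the ACL."""
    if identity is None:
        return False
    entries = ACL.get(obj, {})
    allowed = set(entries.get(f"user:{identity}", set()))
    for group in GROUPS.get(identity, set()):        # rights inherited via groups
        allowed |= entries.get(f"group:{group}", set())
    return action in allowed

def request(username: str, password: str, obj: str, action: str) -> bool:
    """Authentication first, authorization second; both must succeed."""
    return authorize(authenticate(username, password), obj, action)
```

Note that `bob` authenticates successfully yet is still refused `delete` on `report.docx`: a valid identity is necessary but not sufficient, which is exactly the distinction the paragraph draws.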
The goals of a security program are to meet long-term challenges while handling day-to-day security operations. The program also describes the plans, policies and initiatives related to information security, and it has various components. Every organization has different information security needs, which depend entirely on the size, culture and budget of the organization (Rani, 2017). The level at which the information security program operates depends on the organization's strategic plan and its mission and vision statements; these are the main documents the CIO and CISO should use when creating the mission statement for the information security program (Stahl, Doherty, Shaw & Janicke, 2013).
Risk assessment is important because it assesses the relative risk of each vulnerable asset involved and supports risk control by calculating comparative ratings. Some of the practitioners who perform it calculate numeric risk estimates, while others rely on broader methods of estimation. The result of the assessment is an evaluation of the risk of each asset that has been identified. There are five risk control strategies. The first is defense, which applies safeguards to remove risk that is not otherwise controlled. The second is transference, which shifts the risk to other areas or to outside entities. The third is mitigation, which reduces the impact on information assets so that an attacker cannot succeed. The fourth is acceptance, which means understanding the consequences of leaving a risk uncontrolled and then acknowledging the risk without controlling it. The last is termination, which removes the information asset from the organization's operations.
Aristotle. (2016). The Nicomachean Ethics of Aristotle. Lanham: Dancing Unicorn Books.
Desai, M., & von der Embse, T. (2008). Managing electronic information: an ethics perspective. Information Management & Computer Security, 16(1), 20-27. doi: 10.1108/09685220810862724
Design of Patient Monitoring System (PMS) Application using Security Design Patterns in Architecture Phase of Secure SDLC. (2016). International Journal of Modern Trends in Engineering & Research, 3(12), 29-34. doi: 10.21884/ijmter.2016.3147.wiihu
Dewey, J. (2016). Ethics. Read Books Ltd.
Harris, A. (2010). The Ethics and Confidentiality Committee and Research Ethics Committees. Research Ethics, 6(4), 117-119. doi: 10.1177/174701611000600402
K.Pandey, S., & Batra, M. (2013). Security Testing in Requirements Phase of SDLC. International Journal of Computer Applications, 68(9), 31-35. doi: 10.5120/11609-6985
Pathak, N. (2011). Database Management System. [S.l.]: Himalaya Publishing House.
Pretorius, J. (2003). Ethics and international security in the information age. Defense & Security Analysis, 19(2), 165-175. doi: 10.1080/1475179032000083370
Rani, B. (2017). Database Management System Using Index efiltering In Information Retrival System. International Journal of Engineering and Computer Science, 6(11). doi: 10.18535/ijecs/v6i11.10
Shin, S., & Lee, T. (2016). Information Security Activity of Analysis Phase in Information Security Model in Accordance with SDLC. Journal of the Korea Society of Computer and Information, 21(11), 79-83. doi: 10.9708/jksci.2016.21.11.079
Silberschatz, A., Korth, H., & Sudarshan, S. (2011). Database system concepts. New York: McGraw-Hill.
Stahl, B., Doherty, N., Shaw, M., & Janicke, H. (2013). Critical Theory as an Approach to the Ethics of Information Security. Science and Engineering Ethics, 20(3), 675-699. doi: 10.1007/s11948-013-9496-6