ITB Information Security and Privacy
Selvaraj Vadivelu
Jan-Mar 2022
Information Security
• Information Security
  • Information Security Model (McCumber Cube)
  • Vulnerabilities, Threats, and Attacks
• Organizational Framework for Information Security
  • Information Security Policy & Processes
  • Risk Assessment
  • Disaster Recovery and Business Continuity Planning
  • Information Security Audits → Certifications
• Tools and Technologies for Information Security
Reference: Chapter 8: Laudon, K. C., & Laudon, J. P. (2020). Management information systems: Managing the digital firm (16th Edition). Pearson Education Limited.
TAPMI_PGDM_ITB_ITS5001_Selvaraj_Vadivelu_Jan_Mar_2022
Information Security: McCumber Model
Information Security Model (McCumber Cube):
Desired Information Security Goals
• Confidentiality: Access only to authorized entities
• Integrity: Information reflects reality and is created and maintained in an authorized manner
• Availability: Data is available to authorized entities
State of Information
• Storage
• Transmission
• Processing
Security measures:
Measures to ensure desired information security goals are met while information moves across various states
• Technology
• Policy and Practices
• Education, Training and Awareness to people involved
McCumber, J. (1991, October). Information systems security: A comprehensive model. In Proceedings of the 14th National Computer Security Conference (pp. 328-337). Baltimore, Maryland, USA: National Institute of Standards and Technology.
Information Security: Terminology
Vulnerability: Weakness or fault in information security that can be exploited in an attack
Threat: Category of objects/people who pose potential danger to assets through attacks, e.g. Virus, DDoS (Distributed Denial of Service)
Threat Agent: Specific object or person who poses such a danger (by carrying out an attack), e.g. a specific hacker or a specific malware
Attack: Action by threat agents that exploits a vulnerability in a system to impact information security
Reference: http://web.cse.ohio-state.edu/~champion.17/4471/4471_lecture_2.pdf
Organizational Framework for Information Security (1/2)
Policies, procedures, and technical measures used to prevent unauthorized access, alteration, theft, or physical
damage to information systems
Established Information Security Policy
• Reviewed and approved by Chairman or CEO
• Create awareness
Detail out processes in line with the policy
• Document and publish centrally
• Train employees
Controls
• Methods, policies, and organizational procedures that ensure safety of organization’s assets; accuracy
and reliability of its accounting records; and operational adherence to management standards
Periodic Risk Assessment
• Identify all risks, compute Risk Exposure (Probability * Impact) and rank them
• Identify mitigation strategy, mitigation plans and contingency plans for the prioritized risks
Organizational Framework for Information Security (2/2)
Disaster Recovery Planning
Hot redundancies; Geographic distribution
Business Continuity Planning (BCP)
Recovery plan of the IT Infrastructure in the event of any unanticipated disruption
This plan is to ensure business operations continue/resume as per requirements
Periodically test BCP
Audit (Internal and External)
• Planned audits as per checklist; Surprise desk/printer checks
Certify the Information Security Management System, e.g. ISO 27000 standards
Tools and Technologies for Information Security (1/4)
• Identity Management Software
  • Manages users and privileges databases; manages user attributes like passwords and syncs them across tools for authentication
• Authentication
  • Password systems; Smart cards; Biometric authentication; Two-factor authentication
• Anti-malware Software
• Securing Wireless Networks
• Firewalls (Fig 8.5 in Textbook)
  • Controls the flow of incoming and outgoing network traffic as per policies between Org network and Internet (or) between two different internal networks.
Figure 8.5 A Corporate Firewall
Tools and Technologies for Information Security (2/4)
Encryption:
Message → Encrypt → Encrypted Message → Decrypt → Decrypted Message
Symmetric key encryption: Sender and receiver use single, shared key
Figure 8.6 Public Key Encryption
Tools and Technologies for Information Security (3/4)
Digital Signature (authentication, integrity and non-repudiation are established)
Sender/Signatory A does the following:
Message → Use a Hashing function → HashedMessage
HashedMessage → Encrypt using A’s private key → Encrypted HashedMessage (Digital Signature)
A sends Message + Hashed Message to Recipient B
Recipient B does the following:
Message → Use the same Hashing function as used by A → B’s HashedMessage
Check if this matches with the HashedMessage sent by A to confirm if the message is not modified (Integrity)
Digital Signature → Decrypt using A’s public key → Decrypted HashedMessage;
Check if this matches with the HashedMessage sent by A to know that only A has signed (Authentication)
B sends the message and digital signature that he received from A to Checker C
Checker C repeats the same process that B did and reconfirms. (Non-Repudiation)
(Non-repudiation is the assurance that someone cannot deny the validity of something)
If Confidentiality is to be added to this, then A could have first encrypted the message with B’s Public Key
to ensure that only B is able to decrypt the message
Tools and Technologies for Information Security (4/4)
Digital certificate (Fig 8.7 in Textbook)
User A sends an encrypted message (request for a digital certificate) to Certification Authority (CA)
The CA verifies user A’s identity (e.g. domain name and any other details as relevant)
If CA is satisfied, then User A provides their public encryption key over a secure channel to CA
CA uses this public key to generate a digital certificate which contains user A’s identity along with the public key
CA then digitally signs the digital certificate and provides it to User A
User A can then provide this certificate to any partner B they want to communicate with (Open channel)
Partner B will verify that the certificate is valid by verifying the CA’s digital signature
If the check is passed, then Partner B knows that the public key in the digital certificate is indeed that of the
User A with identity (as mentioned in the digital certificate).
When Partner B wants to communicate with User A, they use this public key (which belongs to User A) and
only User A will be able to decrypt this message with their private key.
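The signature and certificate flows above, as an added example (not from the lecture or the textbook): A signs a message, the CA signs the binding of A's identity to A's public key, and B checks the certificate before trusting that key to verify A's signature. It uses toy textbook RSA with no padding and small constructed keys, and all function names, identities and messages are hypothetical; real systems use a vetted library with a padded scheme such as RSA-PSS.

```python
import hashlib

E = 65537  # public exponent shared by both toy keys

def make_key(p: int, q: int) -> tuple:
    """Toy textbook RSA key from two primes: returns (public modulus n, private exponent d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(data: bytes, n: int) -> int:
    """Hashing function: SHA-256, reduced mod n so it fits the toy modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data: bytes, n: int, d: int) -> int:
    """Signer: hash the data, then transform the hash with the PRIVATE key."""
    return pow(digest(data, n), d, n)

def verify(data: bytes, sig: int, n: int) -> bool:
    """B or checker C: recover the hash with the PUBLIC key, compare to a fresh hash."""
    return pow(sig, E, n) == digest(data, n)

def issue_cert(identity: str, subject_n: int, ca_n: int, ca_d: int) -> dict:
    """CA: bind the identity to the public key and sign that binding."""
    body = f"{identity}|{subject_n}".encode()
    return {"identity": identity, "public_n": subject_n, "ca_sig": sign(body, ca_n, ca_d)}

def check_cert(cert: dict, ca_n: int) -> bool:
    """Partner B: verify the CA's signature over identity + public key."""
    body = f"{cert['identity']}|{cert['public_n']}".encode()
    return verify(body, cert["ca_sig"], ca_n)

# Constructed keys from known Mersenne primes (far too small for real use).
A_N, A_D = make_key(2**89 - 1, 2**107 - 1)     # User A
CA_N, CA_D = make_key(2**61 - 1, 2**127 - 1)   # Certification Authority

def demo() -> dict:
    msg = b"Pay vendor 100"                    # constructed sample message
    sig = sign(msg, A_N, A_D)                  # A signs with A's private key
    cert = issue_cert("user-a.example", A_N, CA_N, CA_D)
    altered = dict(cert, identity="someone-else.example")  # identity swapped after issuance
    return {
        "cert_ok": check_cert(cert, CA_N),
        "altered_cert_ok": check_cert(altered, CA_N),
        "sig_ok": check_cert(cert, CA_N) and verify(msg, sig, cert["public_n"]),
        "tampered_msg_ok": verify(b"Pay vendor 900", sig, cert["public_n"]),
    }

if __name__ == "__main__":
    print(demo())
```

The single comparison in `verify` covers both the integrity and the authentication check: a modified message changes the fresh hash, and a signature made with any other private key does not recover it.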
Figure 8.7 Digital Certificates
Privacy
Human Resources Information System (HRIS)
Privacy: Challenges in HRIS
Unauthorized Access to Information
Employees should authorize access to their data
Access to employee data should be controlled at different levels (Internal/External; Levels of
Management; Functional groups; External entities including past employees/managers)
E.g. the Health Insurance Portability and Accountability Act (HIPAA) requires that medical data is stored separately
Unauthorized Disclosure of Information
Unauthorized Disclosure of employee data to external entities (Insurance agencies, Creditors, Landlords,
Charity organizations)
Data Accuracy Problems
Inaccurate employee data impacts employees and the organization
E.g. background verification agencies, data entry issues, data update issues
Use of Data in Social Networks
Usage of personal details of the candidate/employee from Social Networks
May be inaccurate, not representative, and may be irrelevant to business
➔ These challenges will impact the employee concerned in their personal and
professional life including stigmatization
Privacy - Laws
• European Union
  • General Data Protection Regulation (GDPR)
• India
  • Personal Data Protection Bill (2019) - Draft
  • Parliamentary committee report on this submitted in Dec 2021.
  • Current laws:
    • Provisions are contained in the Information Technology Act, 2000 (as amended by the Information Technology Amendment Act, 2008) read with the Information Technology [Reasonable Security Practices And Procedures And Sensitive Personal Data Or Information] Rules, 2011 (SPDI Rules)
https://iapp.org/news/a/a-look-at-proposed-changes-to-indias-personal-data-protection-bill/
https://prsindia.org/files/bills_acts/bills_parliament/2019/Personal%20Data%20Protection%20Bill,%202019.pdf
https://www.ahlawatassociates.com/wp-content/uploads/2021/12/17-Joint-Committee-on-the-Personal-Data-Protection-Bill-2019.pdf
Information Security - Discussion
ABC Ltd is requesting proposals from established vendors for outsourcing some of their
product development and sustenance work. The scope of work to be outsourced involves
maintenance and enhancement of a legacy product (software Intellectual Property to be
modified; Newer user interface designs for product hardware) of ABC Ltd which is ABC’s
valuable IP earning sustained royalty revenues over the years.
What information security related requirements should ABC Ltd expect from the vendors?
Some aspects to consider: Certifications; InfoSec questionnaire to assess the organizational infosec framework; Execution model, e.g. Offshore Development Center (ODC) with zoning (controlled access to vendor’s intranet and internet from within the ODC); Monitoring of in/out movement of physical items at the ODC; Mechanisms to prevent mobiles/cameras from being taken inside.
Privacy – Discussion
1. What are the practices that an organization can adopt to improve employee data
accuracy?
2. An organization with offices in India, Europe, North America and China has an online
employee directory. It displays a few details (Name, Extn, Designation, Location, Cubicle,
Photo, Manager name) of each employee and helps people contact each other when
required. Is there any issue with this?
Module 1: Introduction to IT & IS
A Recap
IS / IT; Components; The way IS/IT transform business – Six objectives; Academic
disciplines involved; Roles in IS/IT
Information Security and Privacy; Organizational Framework, Tools and Technologies for
InfoSec
Meet you in Session 7 (Module 2: IS Applications)!