
Is Unit1


DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING

INFORMATION SECURITY

VIII SEMESTER

INFORMATION SECURITY Page|1 DEPARTMENT OF CSE


SYLLABUS

Subject Code: CS T83
Subject Name: INFORMATION SECURITY
Course Objectives:
1. To provide an understanding of principal concepts, major issues, technologies and basic approaches
in information security.
2. Develop an understanding of information assurance as practiced in computer operating systems,
distributed systems, networks and representative applications.
3. Gain familiarity with prevalent network and distributed system attacks, defenses against them and
forensics to investigate the aftermath.
4. Develop a basic understanding of cryptography, how it has evolved and some key
encryption techniques used today.
5. Develop an understanding of security policies (such as authentication, integrity and
confidentiality), as well as protocols to implement such policies in the form of message exchanges.
Course Outcomes:
On successful completion of the module students will be able to:
1. To master information security governance, and related legal and regulatory issues
2. To be familiar with how threats to an organization are discovered, analyzed, and dealt with
3. To be familiar with network security threats and countermeasures
4. To be familiar with network security designs using available secure solutions (such as PGP, SSL,
IPSec, etc)
5. To be familiar with advanced security issues and technologies (such as DDoS attack detection and
containment, and anonymous communications)
UNIT – I
FUNDAMENTALS: Introduction to Information Security - Critical Characteristics of Information -
NSTISSC Security Model - Components of an Information System - Securing the Components -
Balancing Security and Access - SDLC - Security SDLC.

UNIT – II
SECURITY INVESTIGATION: Need for Security - Business Needs - Threats - Attacks - Legal,
Ethical and Professional Issues.

UNIT – III
SECURITY ANALYSIS: Risk Management: Identifying and Assessing Risk - Assessing and
Controlling Risk - Trends in Information Risk Management - Managing Risk in an Intranet
Environment.

UNIT – IV
LOGICAL DESIGN: Blueprint for Security - Information Security Policy - Standards and Practices
- ISO 17799/BS 7799 - NIST Models - VISA International Security Model - Design of Security
Architecture - Planning for Continuity.

UNIT – V
PHYSICAL DESIGN: Security Technology - IDS, Scanning and Analysis Tools - Cryptography -
Access Control Devices - Physical Security - Security and Personnel issues.

Text Books:
1. Michael E Whitman and Herbert J Mattord, “Principles of Information Security”, Vikas Publishing
House, New Delhi, 2003.
Reference Books:
1. Micki Krause, Harold F. Tipton, “Handbook of Information Security Management”, Vol 1-3 CRC
Press LLC, 2004.
2. Stuart McClure, Joel Scambray, George Kurtz, “Hacking Exposed”, Tata McGraw-Hill, 2003.
3. Matt Bishop, “Computer Security Art and Science”, Pearson/PHI, 2002.


Websites:
1. http://www.cryptography.com/
2. https://www.schneier.com/cryptography.html
3. http://www.information-security-policies-and-standards.com/
4. www.jhuapl.edu/ourwork/nsa/

UNIT – I

FUNDAMENTALS: Introduction to Information Security - Critical Characteristics of Information -
NSTISSC Security Model - Components of an Information System - Securing the Components -
Balancing Security and Access - SDLC - Security SDLC.

2 MARKS
1. What is information security?
Information security in today’s enterprise is a “well-informed sense of assurance that the
information risks and controls are in balance.”
• The protection of information and its critical elements, including the systems and
hardware that use, store, and transmit that information
• Tools, such as policy, awareness, training, education, and technology are necessary
• The C.I.A. triangle was the standard based on confidentiality, integrity, and
availability
• The C.I.A. triangle has expanded into a list of critical characteristics of information

2. Trace the history of information security

• Computer security began immediately after the first mainframes were developed
• Groups developing code-breaking computations during World War II created the first
modern computers
• Physical controls were needed to limit access to authorized personnel to sensitive military
locations
• Only rudimentary controls were available to defend against physical theft, espionage, and
sabotage
3. What is Rand Report R-609?
Information Security began with Rand Corporation Report R-609. The Rand Report was
the first widely recognized published document to identify the role of management and
policy issues in computer security.
The scope of computer security grew from physical security to include:
a. Safety of the data
b. Limiting unauthorized access to that data
c. Involvement of personnel from multiple levels of the organization

4. What is Security? What are the security layers a successful organization should have?

“The quality or state of being secure--to be free from danger.” To be protected from
adversaries.
• Physical Security
• Personal Security
• Operations security
• Communications security
• Network security
• Information security

5. What is Physical Security?

Physical security protects the physical items, objects, or areas of an organization from
unauthorized access and misuse.

6. What is Personal Security?

Personal security involves the protection of the individuals or groups of individuals who are
authorized to access the organization and its operations.

7. What is Operation Security?

Operations security focuses on the protection of the details of a particular operation
or series of activities.

8. What is Communications Security?

Communications security encompasses the protection of an organization’s
communications media, technology, and content.

9. What is Network Security and Information Security?

Network security is the protection of networking components, connections, and
contents.
Information security is the protection of information and its critical elements, including
the systems and hardware that use, store, and transmit the information.

10. What are the critical characteristics of information?

• Availability
• Accuracy
• Authenticity
• Confidentiality
• Integrity
• Utility
• Possession

11. What is meant by Availability of information?

It enables authorized users to access information without interference and to receive it in the
required format.

12. What is Accuracy of information?

It refers to information that is free from mistakes or errors and has the value the end
user expects.

13. What is Authenticity of information?

It refers to the quality or state of being genuine or original, rather than a reproduction.
Information is authentic when the contents are original, as they were created, placed, stored, or
transmitted.

14. Write about the NSTISSC Security Model.

This refers to “The National Security Telecommunications and Information Systems
Security Committee” document. This document presents a comprehensive model for
information security. The model consists of three dimensions.

15. What is meant by Confidentiality?

Information has confidentiality when disclosure or exposure to unauthorized
individuals or systems is prevented.

16. Write short notes on Integrity, Utility and Possession of Information.

• Integrity – Information has integrity when it is whole, complete, and uncorrupted.
• Utility – The utility of information is the quality or state of having value for some purpose or
end.
• Possession – The possession of information is the quality or state of having ownership or
control of some object or item.

17. List the components of an information system.

An Information System (IS) is the entire set of
1. Software
2. Hardware
3. Data
4. People
5. Procedures
necessary to use information as a resource in the organization.

18. Write about the software component of an information system.

The software component of an IS comprises applications, operating systems, and assorted
command utilities. Software programs are the vessels that carry the lifeblood of information
through an organization. Software programs become an easy target of accidental or intentional
attacks.

19. Write about the hardware component of an information system.

Hardware is the physical technology that houses and executes the software, stores and
carries the data, and provides interfaces for the entry and removal of information from the
system. Physical security policies deal with the hardware as a physical asset and with the
protection of these assets from theft.

20. Write short notes on the Data component of an information system.

Data stored, processed, and transmitted through a computer system must be protected.
Data is the most valuable asset possessed by an organization and it is the main target of
intentional attacks.

21. Write about the People component of an information system.

Though often overlooked in computer security considerations, people have always been
a threat to information security and they are the weakest link in a security chain. Policy,
education and training, awareness, and technology should be properly employed to prevent
people from accidentally or intentionally damaging or losing information.

22. Write about the Procedures component of an information system.

Procedures are written instructions for accomplishing a specific task. When an unauthorized user
obtains an organization’s procedures, it poses a threat to the integrity of the information.
Educating employees about safeguarding the procedures is as important as securing the
information system. Lax security procedures caused the loss of over ten million dollars
before the situation was corrected.

23. Write short notes on the Networks component of an information system.

Information systems in LANs are connected to other networks such as the Internet, and
new security challenges are rapidly emerging. Apart from locks and keys, which are used as
physical security measures, network security is also an important aspect to be considered.

24. How are components secured in an information system?

Securing the Components
• The computer can be either or both the subject of an attack and/or the object of an attack
• When a computer is
– the subject of an attack, it is used as an active tool to conduct the attack
– the object of an attack, it is the entity being attacked

25. What is meant by balancing Security and Access?

Balancing Security and Access
• It is impossible to obtain perfect security - it is not an absolute; it is a process
• Security should be considered a balance between protection and availability
• To achieve balance, the level of security must allow reasonable access, yet protect
against threats

26. List the approaches used for implementing information security.

1. Bottom-up Approach
2. Top-down Approach

27. Draw the diagrammatic representation of the two approaches used for implementing
information security

28. What is meant by the bottom-up approach?

• Security from a grass-roots effort - systems administrators attempt to improve the
security of their systems
• Key advantage - technical expertise of the individual administrators
• Seldom works, as it lacks a number of critical features:
– participant support
– organizational staying power

29. Write short notes on the Top-down Approach

• Initiated by upper management:
– issue policy, procedures, and processes
– dictate the goals and expected outcomes of the project
– determine who is accountable for each of the required actions
• This approach has strong upper management support, a dedicated champion, dedicated
funding, clear planning, and the chance to influence organizational culture
• May also involve a formal development strategy referred to as a systems development
life cycle
• Most successful top-down approach

30. What is SDLC?

The Systems Development Life Cycle
• Information security must be managed in a manner similar to any other major system
implemented in the organization
• Using a methodology
– ensures a rigorous process
– avoids missing steps
• The goal is creating a comprehensive security posture/program

31. List the different phases of SDLC

1. Investigation
2. Analysis
3. Logical Design
4. Physical Design
5. Implementation
6. Maintenance and Change

32. Draw the diagram of SDLC

33. Write about the Investigation phase of SDLC

What is the problem the system is being developed to solve?
– The objectives, constraints, and scope of the project are specified
– A preliminary cost/benefit analysis is developed
– A feasibility analysis is performed to assess the economic, technical, and
behavioral feasibilities of the process

34. Write about the Analysis phase of SDLC

• Consists primarily of
– assessments of the organization
– the status of current systems
– capability to support the proposed systems
• Analysts begin to determine
– what the new system is expected to do
– how the new system will interact with existing systems
• Ends with the documentation of the findings and a feasibility analysis update

35. Write about the Logical Design phase of SDLC

• Based on business need, applications capable of providing needed services are selected
• Based on applications needed, data support and structures capable of providing the
needed inputs are identified
• Finally, based on all of the above, specific ways to implement the physical solution
are chosen
• At the end, another feasibility analysis is performed

36. Write about the Physical Design phase of SDLC

• Specific technologies are selected to support the alternatives identified and evaluated in
the logical design
• Selected components are evaluated based on a make-or-buy decision
• Entire solution is presented to the end-user representatives for approval

37. Write about the Implementation phase of SDLC

• Components are ordered, received, assembled, and tested
• Users are trained and documentation created
• Users are then presented with the system for a performance review and acceptance test

38. Write about the Maintenance and Change phase of SDLC

• Tasks necessary to support and modify the system for the remainder of its useful life
• The life cycle continues until the process begins again from the investigation phase
• When the current system can no longer support the mission of the organization, a new
project is implemented

39. What is Security SDLC?

Security Systems Development Life Cycle
• The same phases used in the traditional SDLC adapted to support the specialized
implementation of a security project
• Basic process is identification of threats and controls to counter them
• The SecSDLC is a coherent program rather than a series of random, seemingly
unconnected actions

40. Write about the Investigation phase of Security SDLC

• Identifies process, outcomes and goals of the project, and constraints
• Begins with a statement of program security policy
• Teams are organized, problems analyzed, and scope defined, including objectives, and
constraints not covered in the program policy
• An organizational feasibility analysis is performed

41. Write about the Analysis phase of Security SDLC

• Analysis of existing security policies or programs, along with documented current
threats and associated controls
• Includes an analysis of relevant legal issues that could impact the design of the security
solution
• The risk management task (identifying, assessing, and evaluating the levels of risk) also
begins

42. Write short notes on the Logical & Physical Design phases of Security SDLC

• Creates blueprints for security
• Critical planning and feasibility analyses to determine whether or not the project should
continue
• In physical design, security technology is evaluated, alternatives generated, and final
design selected
• At end of phase, feasibility study determines readiness so all parties involved have a
chance to approve the project

43. Write about the Implementation phase of Security SDLC

• The security solutions are acquired (made or bought), tested, and implemented, and
tested again
• Personnel issues are evaluated and specific training and education programs conducted
• Finally, the entire tested package is presented to upper management for final approval

44. Write about the Maintenance and Change phase of Security SDLC

• The maintenance and change phase is perhaps most important, given the high level of
ingenuity in today’s threats
• The reparation and restoration of information is a constant duel with an often unseen
adversary
• As new threats emerge and old threats evolve, the information security profile of an
organization requires constant adaptation

45. Write short notes on Information Security as an Art

• With the level of complexity in today’s information systems, the implementation of
information security has often been described as a combination of art and science
Security as Art
• No hard and fast rules nor are there many universally accepted complete solutions
• No magic user’s manual for the security of the entire system
• Complex levels of interaction between users, policy, and technology controls

46. Write short notes on Information Security as Science

• Dealing with technology designed to perform at high levels of performance
• Specific conditions cause virtually all actions that occur in computer systems
• Almost every fault, security hole, and systems malfunction is a result of the interaction of
specific hardware and software
• If the developers had sufficient time, they could resolve and eliminate these faults

47. How is information security viewed as a social science?

• Social science examines the behavior of individuals interacting with systems
• Security begins and ends with the people that interact with the system
• End users may be the weakest link in the security chain
• Security administrators can greatly reduce the levels of risk caused by end users, and
create more acceptable and supportable security profiles

48. Describe the information security roles to be played by Senior Management in a
typical organization.

• Chief Information Officer
– the senior technology officer
– primarily responsible for advising the senior executive(s) for strategic planning
• Chief Information Security Officer
– responsible for the assessment, management, and implementation of securing the
information in the organization
– may also be referred to as the Manager for Security, the Security Administrator, or
a similar title

49. Describe the information security roles to be played by the Security Project Team in a
typical organization.

• A number of individuals who are experienced in one or multiple requirements of both
the technical and non-technical areas:
– The champion
– The team leader
– Security policy developers
– Risk assessment specialists
– Security professionals
– Systems administrators
– End users

50. What are the three types of data ownership and their responsibilities?

• Data Owner
• Data Custodian
• Data Users

51. Who is called Data Owner?

Data Owner - responsible for the security and use of a particular set of information

52. Who is called Data Custodian?

Data Custodian - responsible for the storage, maintenance, and protection of the information

53. Who is called Data Users?

Data Users - the end systems users who work with the information to perform their daily
jobs supporting the mission of the organization

54. What is the difference between a threat agent and a threat?

A threat is a category of objects, persons, or other entities that pose a potential danger to an
asset. Threats are always present.
A threat agent is a specific instance or component of a threat.
(For example:
All hackers in the world are a collective threat.
Kevin Mitnick, who was convicted for hacking into phone systems, was a threat agent.)

55. What is the difference between vulnerability and exposure?

The exposure of an information system is a single instance when the system is open to
damage.
Weaknesses or faults in a system or protection mechanism that expose
information to attack or damage are known as vulnerabilities.

56. What is an attack? Write its types.

An attack is an intentional or unintentional attempt to cause damage to or otherwise
compromise the information.
If someone casually reads sensitive information not intended for his or her use, this is
considered a passive attack.
If a hacker attempts to break into an information system, the attack is considered active.

57. What is hacking?

Hacking can be defined positively and negatively:
(1) to write computer programs for enjoyment
(2) to gain access to a computer illegally
In the early days, computer enthusiasts were called hacks or hackers because they could tear
apart the computer instruction code, or even a computer itself.
In recent years, the term hacker has been used in a negative sense, that is, for persons who gain
illegal access to others’ computer systems and programs and manipulate and damage them.

58. What is a security blueprint?

The security blueprint is the plan for the implementation of new security measures in the
organization. Sometimes called a framework, the blueprint presents an organized approach to
the security planning process.

59. What is ARPANET?

The Department of Defense in the US started a research program on the feasibility of a
redundant, networked communication system to support the military’s exchange of
information. Larry Roberts, known as the founder of the Internet, developed the project from its
inception.
ARPANET protocols (the rules of syntax that enable computers to communicate on a
network) were originally designed for openness and flexibility, not for security.

60. What is MULTICS?

MULTICS was an operating system, now obsolete. MULTICS is noteworthy because it was the first
and only OS created with security as its primary goal. It was a mainframe, time-sharing OS
developed in the mid-1960s by a consortium from GE, Bell Labs, and MIT.

59. Write ARPANET program plan

60. Draw the components of an Information system

11 Marks
1. What is Security? What are the security layers a successful organization should have? (5 Marks)
“The quality or state of being secure--to be free from danger”
To be protected from adversaries
• Physical Security – to protect physical items, objects or areas of organization from
unauthorized access and misuse
• Personal Security – involves protection of individuals or group of individuals who are
authorized to access the organization and its operations
• Operations security – focuses on the protection of the details of particular operations or
series of activities.
• Communications security – encompasses the protection of organization’s
communications media, technology and content
• Network security – is the protection of networking components, connections, and contents
• Information security – is the protection of information and its critical elements, including the
systems and hardware that use, store, and transmit the information

2. What are the critical characteristics of information? (6 Marks)

Availability enables authorized users—persons or computer systems—to access information
without interference or obstruction and to receive it in the required format.
Consider, for example, research libraries that require identification before
entrance. Librarians protect the contents of the library so that they are available only to
authorized patrons. The librarian must accept a patron’s identification before that patron has
free access to the book stacks. Once authorized patrons have access to the contents of the
stacks, they expect to find the information they need available in a useable format and familiar
language, which in this case typically means bound in a book and written in English.

Accuracy Information has accuracy when it is free from mistakes or errors and it has the value
that the end user expects. If information has been intentionally or unintentionally modified, it is
no longer accurate. Consider, for example, a checking account. You assume that the information
contained in your checking account is an accurate representation of your finances. Incorrect
information in your checking account can result from external or internal errors. If a bank teller,
for instance, mistakenly adds or subtracts too much from your account, the value of the
information is changed. Or, you may accidentally enter an incorrect amount into your account
register. Either way, an inaccurate bank balance could cause you to make mistakes, such as
bouncing a check.

Authenticity Authenticity of information is the quality or state of being genuine or original,
rather than a reproduction or fabrication. Information is authentic when it is in the same state
in which it was created, placed, stored, or transferred. Consider for a moment some common
assumptions about e-mail. When you receive e-mail, you assume that a specific individual or group
created and transmitted the e-mail—you assume that the origin of the e-mail is known. This is not
always the case. E-mail spoofing, the act of sending an e-mail message with a modified field, is
a problem, because often the modified field is the address of the originator. Spoofing the
sender’s address can fool e-mail recipients into thinking that messages are legitimate traffic,
thus inducing them to open e-mail they otherwise might not have. Spoofing can also alter data
being transmitted across a network, as in the case of User Datagram Protocol (UDP) packet spoofing,
which can enable the attacker to get access to data stored on computing systems.

Another variation on spoofing is phishing, when an attacker attempts to obtain personal
or financial information using fraudulent means, most often by posing as another individual or
organization. Pretending to be someone you are not is sometimes called pretexting when it is
undertaken by law enforcement agents or private investigators. When used in a phishing attack,
e-mail spoofing lures victims to a Web server that does not represent the organization it
purports to, in an attempt to steal their private data such as account numbers and passwords.
The most common variants include posing as a bank or brokerage company, e-commerce
organization, or Internet service provider.
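
A defender can check the authenticity of the originator field described above by comparing it with the other headers a receiving mail server records. The following is an added example, not part of the original notes; the two messages are constructed samples, and the check assumes the `Authentication-Results` header was added by your own trusted mail gateway.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: visible From claims one domain, envelope sender is another.
SPOOFED_SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=mailer.example.net;
 dkim=none; dmarc=fail header.from=bank.example.com
From: "Example Bank" <support@bank.example.com>
Reply-To: helpdesk@example.net
To: user@example.org
Subject: Verify your account

Please confirm your details.
"""

# Constructed sample: all sender-related fields agree and authentication passed.
LEGIT_SAMPLE = """\
Return-Path: <news@bank.example.com>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=bank.example.com;
 dkim=pass header.d=bank.example.com; dmarc=pass header.from=bank.example.com
From: "Example Bank" <news@bank.example.com>
To: user@example.org
Subject: Monthly statement available

Your statement is ready.
"""


def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def auth_verdicts(msg):
    """Collect spf/dkim/dmarc results from Authentication-Results headers."""
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value, re.I):
            # Keep the first verdict seen for each method (topmost header).
            verdicts.setdefault(method.lower(), result.lower())
    return verdicts


def spoofing_indicators(raw_message):
    """Return a list of reasons the originator address may not be authentic."""
    msg = message_from_string(raw_message)
    findings = []
    from_dom = domain_of(msg.get("From"))

    # The envelope sender and reply address are compared by exact domain;
    # this is a simplification and will also flag legitimate bulk mailers.
    return_dom = domain_of(msg.get("Return-Path"))
    if return_dom and return_dom != from_dom:
        findings.append("return-path-mismatch")
    reply_dom = domain_of(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        findings.append("reply-to-mismatch")

    verdicts = auth_verdicts(msg)
    for method in ("spf", "dkim", "dmarc"):
        if verdicts.get(method) != "pass":
            findings.append(method + "-not-pass")
    return findings


if __name__ == "__main__":
    print("spoofed:", spoofing_indicators(SPOOFED_SAMPLE))
    print("legit:  ", spoofing_indicators(LEGIT_SAMPLE))
```

Note that SPF passes on the spoofed sample because it validates only the envelope sender's domain; the mismatch with the visible From field is what the DMARC failure reports.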

Confidentiality Information has confidentiality when it is protected from disclosure or
exposure to unauthorized individuals or systems. Confidentiality ensures that only those with
the rights and privileges to access information are able to do so. When unauthorized individuals
or systems can view information, confidentiality is breached. To protect the confidentiality of
information, there are a number of measures, including the following:
• Information classification
• Secure document storage
• Application of general security policies
• Education of information custodians and end users
Confidentiality, like most of the characteristics of information, is interdependent with other
characteristics and is most closely related to the characteristic known as privacy. The value of
confidentiality of information is especially high when it is personal information about
employees, customers, or patients. Individuals who transact with an organization expect that
their personal information will remain confidential, whether the organization is a federal
agency, such as the Internal Revenue Service, or a business. Problems arise when companies
disclose confidential information. Sometimes this disclosure is intentional, but there are times
when disclosure of confidential information happens by mistake, for example, when
confidential information is mistakenly e-mailed to someone outside
the organization rather than to someone inside the organization. Several cases of privacy
violation are outlined in Offline: Unintentional Disclosures.
Other examples of confidentiality breaches are an employee throwing away a document
containing critical information without shredding it, or a hacker who successfully breaks into an
internal database of a Web-based organization and steals sensitive information about the
clients, such as names, addresses, and credit card numbers. As a consumer, you give up pieces of
confidential information in exchange for convenience or value almost daily. By using a
“members only” card at a grocery store, you disclose some of your spending habits. When you
fill out an online survey, you exchange pieces of your personal history for access to online
privileges. The bits and pieces of your information that you disclose are copied, sold, replicated,
distributed, and eventually coalesced into profiles and even complete dossiers of yourself and
your life. A similar technique is used in a criminal enterprise called salami theft. A deli worker
knows he or she cannot steal an entire salami, but a few slices here or there can be taken home
without notice. Eventually the deli worker has stolen a whole salami. In information security,
salami theft occurs when an employee steals a few pieces of information at a time, knowing that
taking more would be noticed—but eventually the employee gets something complete or
useable.

Integrity Information has integrity when it is whole, complete, and uncorrupted. The integrity
of information is threatened when the information is exposed to corruption, damage,
destruction, or other disruption of its authentic state. Corruption can occur while information is
being stored or transmitted. Many computer viruses and worms are designed with the explicit
purpose of corrupting data. For this reason, a key method for detecting a virus or worm is to
look for changes in file integrity as shown by the size of the file. Another key method of assuring
information integrity is file hashing, in which a file is read by a special algorithm that uses the
value of the bits in the file to compute a single large number called a hash value. The hash value
for any combination of bits is unique. If a computer system performs the same hashing
algorithm on a file and obtains a different number than the recorded hash value for that file, the
file has been compromised and the integrity of the information is lost. Information integrity is
the cornerstone of information systems, because information is of no value or use if users
cannot verify its integrity. File corruption is not necessarily the result of external forces, such as
hackers. Noise in the transmission media, for instance, can also cause data to lose its integrity.
Transmitting data on a circuit with a low voltage level can alter and corrupt the data.
Redundancy bits and check bits can compensate for internal and external threats to the
integrity of information. During each transmission, algorithms, hash values, and the error-correcting
codes ensure the integrity of the information. Data whose integrity has been
compromised is retransmitted.
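
The two integrity checks described above, file size and file hashing, can be compared directly. The following is an added example, not part of the original notes: it records a baseline of size and hash for each file, then re-checks after changes. SHA-256 is an assumed choice of hashing algorithm, and the file names and contents are constructed samples.

```python
import hashlib
import os
import tempfile


def sha256_of(path, chunk_size=65536):
    """Hash a file in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def record_baseline(paths):
    """Return {path: (size, sha256)} captured while the files are trusted."""
    return {p: (os.path.getsize(p), sha256_of(p)) for p in paths}


def check_against_baseline(baseline):
    """Re-hash every baselined file and report its status."""
    report = {}
    for path, (old_size, old_hash) in baseline.items():
        if not os.path.exists(path):
            report[path] = "missing"
            continue
        size_changed = os.path.getsize(path) != old_size
        hash_changed = sha256_of(path) != old_hash
        if not hash_changed:
            report[path] = "ok"
        elif size_changed:
            report[path] = "modified (size and hash differ)"
        else:
            # A size-only check would have reported this file as unchanged.
            report[path] = "modified (same size, hash differs)"
    return report


def demo():
    """Constructed scenario: four files, three of them altered after baselining."""
    samples = {
        "payroll.csv": b"alice,1000\nbob,2000\n",
        "notes.txt": b"quarterly review\n",
        "policy.txt": b"visitors must sign in\n",
        "old.log": b"entry 1\n",
    }
    with tempfile.TemporaryDirectory() as workdir:
        paths = {}
        for name, data in samples.items():
            paths[name] = os.path.join(workdir, name)
            with open(paths[name], "wb") as fh:
                fh.write(data)

        baseline = record_baseline(paths.values())

        # Same-length edit: one digit changes, the byte count does not.
        with open(paths["payroll.csv"], "wb") as fh:
            fh.write(b"alice,9000\nbob,2000\n")
        # Appended data: both size and hash change.
        with open(paths["notes.txt"], "ab") as fh:
            fh.write(b"appended line\n")
        # Deleted file.
        os.remove(paths["old.log"])

        report = check_against_baseline(baseline)
        return {os.path.basename(p): status for p, status in report.items()}


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{name:12} {status}")
```

The baseline itself must be stored where the files' writers cannot alter it; otherwise a modified file and a modified baseline would still match.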

Utility The utility of information is the quality or state of having value for some purpose or end.
Information has value when it can serve a purpose. If information is available, but is not in a
format meaningful to the end user, it is not useful. For example, to a private citizen U.S. Census
data can quickly become overwhelming and difficult to interpret; however, for a politician, U.S.
Census data reveals information about the residents in a district, such as their race, gender, and
age. This information can help form a politician’s next campaign strategy.

Possession The possession of information is the quality or state of ownership or control.
Information is said to be in one’s possession if one obtains it, independent of format or other
characteristics. While a breach of confidentiality always results in a breach of possession, a
breach of possession does not always result in a breach of confidentiality. For example, assume
a company stores its critical customer data using an encrypted file system. An employee who
has quit decides to take a copy of the tape backups to sell the customer records to the
competition. The removal of the tapes from their secure environment is a breach of possession.
But, because the data is encrypted, neither the employee nor anyone else can read it without the
proper decryption methods; therefore, there is no breach of confidentiality. Today, people
caught selling company secrets face increasingly stiff fines with the likelihood of jail time. Also,
companies are growing more and more reluctant to hire individuals who have demonstrated
dishonesty in their past.

3. What are the components of an information system? (6 Marks)


An information system (IS) is much more than computer hardware; it is the entire set of
software, hardware, data, people, procedures, and networks that make possible the use of
information resources in the organization. These six critical components enable information to
be input, processed, output, and stored. Each of these IS components has its own strengths and
weaknesses, as well as its own characteristics and uses. Each component of the information
system also has its own security requirements.

Software
The software component of the IS comprises applications, operating systems, and
assorted command utilities. Software is perhaps the most difficult IS component to secure. The
exploitation of errors in software programming accounts for a substantial portion of the attacks
on information. The information technology industry is rife with reports warning of holes, bugs,
weaknesses, or other fundamental problems in software. In fact, many facets of daily life are
affected by buggy software, from smart phones that crash to flawed automotive control
computers that lead to recalls.

Software carries the lifeblood of information through an organization. Unfortunately,
software programs are often created under the constraints of project management, which limit
time, cost, and manpower. Information security is all too often implemented as an afterthought,
rather than developed as an integral component from the beginning. In this way, software
programs become an easy target of accidental or intentional attacks.

Hardware
Hardware is the physical technology that houses and executes the software, stores and
transports the data, and provides interfaces for the entry and removal of information from the
system. Physical security policies deal with hardware as a physical asset and with the protection
of physical assets from harm or theft. Applying the traditional tools of physical security, such as
locks and keys, restricts access to and interaction with the hardware components of an
information system. Securing the physical location of computers and the computers themselves
is important because a breach of physical security can result in a loss of information.
Unfortunately, most information systems are built on hardware platforms that cannot
guarantee any level of
information security if unrestricted access to the hardware is possible. Before September 11,
2001, laptop thefts in airports were common. A two-person team worked to steal a computer as
its owner passed it through the conveyor scanning devices.
The first perpetrator entered the security area ahead of an unsuspecting target and
quickly went through. Then, the second perpetrator waited behind the target until the target
placed his/her computer on the baggage scanner. As the computer was whisked through, the
second agent slipped ahead of the victim and entered the metal detector with a substantial
collection of keys, coins, and the like, thereby slowing the detection process and allowing the
first perpetrator to grab the computer and disappear in a crowded walkway. While the security
response to September 11, 2001 did tighten the security process at airports, hardware can still
be stolen in airports and other public places. Although laptops and notebook computers are
worth a few thousand dollars, the information contained in them can be worth a great deal
more to organizations and individuals.

Data
Data stored, processed, and transmitted by a computer system must be protected. Data is
often the most valuable asset possessed by an organization and it is the main target of
intentional attacks. Systems developed in recent years are likely to make use of database
management systems. When done properly, this should improve the security of the data and the
application. Unfortunately, many system development projects do not make full use of the
database management system’s security capabilities, and in some cases the database is
implemented in ways that are less secure than traditional file systems.

People
Though often overlooked in computer security considerations, people have always been
a threat to information security. Legend has it that around 200 B.C. a great army threatened the
security and stability of the Chinese empire. So ferocious were the invaders that the Chinese
emperor commanded the construction of a great wall that would defend against the Hun
invaders. Around 1275 A.D., Kublai Khan finally achieved what the Huns had been trying for
thousands of years. Initially, the Khan’s army tried to climb over, dig under, and break through
the wall. In the end, the Khan simply bribed the gatekeeper—and the rest is history. Whether
this event actually occurred or not, the moral of the story is that people can be the weakest link
in an organization’s information security program. And unless policy, education and training,
awareness, and technology are properly employed to prevent people from accidentally or
intentionally damaging or losing information, they will remain the weakest link. Social
engineering can prey on the tendency to cut corners and the commonplace nature of human
error. It can be used to manipulate the actions of people to obtain access information about a
system.


Procedures
Another frequently overlooked component of an IS is procedures. Procedures are
written instructions for accomplishing a specific task. When an unauthorized user obtains an
organization’s procedures, this poses a threat to the integrity of the information. For example, a
consultant to a bank learned how to wire funds by using the computer center’s procedures,
which were readily available. By taking advantage of a security weakness (lack of
authentication), this bank consultant ordered millions of dollars to be transferred by wire to his
own account.
Lax security procedures caused the loss of over ten million dollars before the situation
was corrected. Most organizations distribute procedures to their legitimate employees so they
can access the information system, but many of these companies often fail to provide proper
education on the protection of the procedures. Educating employees about safeguarding
procedures is as important as physically securing the information system. After all, procedures
are information in their own right. Therefore, knowledge of procedures, as with all critical
information, should be disseminated among members of the organization only on a need-to-
know basis.

Networks
The IS component that created much of the need for increased computer and
information security is networking. When information systems are connected to each other to
form local area networks (LANs), and these LANs are connected to other networks such as the
Internet, new security challenges rapidly emerge. The physical technology that enables network
functions is becoming more and more accessible to organizations of every size. Applying the
traditional tools of physical security, such as locks and keys, to restrict access to and interaction
with the hardware components of an information system is still important; but when
computer systems are networked, this approach is no longer enough. Steps to provide network
security are essential, as is the implementation of alarm and intrusion systems to make system
owners aware of ongoing compromises.

4. Write short notes on Balancing information security and access


Even with the best planning and implementation, it is impossible to obtain perfect
information security. Information security cannot be absolute: it is a process, not a goal. It is
possible to make a system available to anyone, anywhere, anytime, through any means.
However, such unrestricted access poses a danger to the security of the information. On the
other hand, a completely secure information system would not allow anyone access. For
instance, when challenged to achieve a TCSEC C-2 level security certification for its Windows
operating system, Microsoft had to remove all networking components and operate the
computer from only the console in a secured room. To achieve balance—that is, to operate an
information system that satisfies the user and the security professional—the security level must
allow reasonable access, yet protect against threats.

The figure shows some of the competing voices that must be considered when balancing
information security and access. Because of today’s security concerns and issues, an information
system or data-processing department can get too entrenched in the management and
protection of systems. An imbalance can occur when the needs of the end user are undermined
by too heavy a focus on protecting and administering the information systems. Both information
security technologists and end users must recognize that both groups share the same overall
goals of the organization: to ensure the data is available when, where, and how it is needed, with
minimal delays or obstacles. In an ideal world, this level of availability can be met even after
concerns about loss, damage, interception, or destruction have been addressed.

5. What are the approaches used for implementing information security? (6 Marks)
Bottom Up Approach
• Security from a grass-roots effort - systems administrators attempt to improve the
security of their systems
• Key advantage - technical expertise of the individual administrators
• Seldom works, as it lacks a number of critical features:
– participant support
– organizational staying power
Top-down Approach
• Initiated by upper management:
– issue policy, procedures, and processes
– dictate the goals and expected outcomes of the project
– determine who is accountable for each of the required actions
• This approach has strong upper management support, a dedicated champion, dedicated
funding, clear planning, and the chance to influence organizational culture
• May also involve a formal development strategy referred to as a systems development
life cycle
– Most successful top-down approach

6. What is SDLC? Explain different phases of SDLC

The Systems Development Life Cycle
• Information security must be managed in a manner similar to any other major system
implemented in the organization
• Using a methodology
– ensures a rigorous process
– avoids missing steps
• The goal is creating a comprehensive security posture/program

Investigation
The first phase, investigation, is the most important. What problem is the system being
developed to solve? The investigation phase begins with an examination of the event or plan
that initiates the process. During the investigation phase, the objectives, constraints, and scope
of the project are specified. A preliminary cost-benefit analysis evaluates the perceived benefits
and the appropriate levels of cost for those benefits. At the conclusion of this phase, and at every
phase following, a feasibility analysis assesses the economic, technical, and behavioural
feasibilities of the process and ensures that implementation is worth the organization’s time
and effort. In summary,
• What is the problem the system is being developed to solve?
– The objectives, constraints, and scope of the project are specified
– A preliminary cost/benefit analysis is developed
– A feasibility analysis is performed to assess the economic, technical, and
behavioral feasibilities of the process

Analysis
The analysis phase begins with the information gained during the investigation phase.
This phase consists primarily of assessments of the organization, its current systems, and its
capability to support the proposed systems. Analysts begin by determining what the new
system is expected to do and how it will interact with existing systems. This phase ends with the
documentation of the findings and an update of the feasibility analysis. In summary,
• Consists primarily of
– assessments of the organization
– the status of current systems
– capability to support the proposed systems
• Analysts begin to determine
– what the new system is expected to do
– how the new system will interact with existing systems
• Ends with the documentation of the findings and a feasibility analysis update

Logical Design
In the logical design phase, the information gained from the analysis phase is used to
begin creating a systems solution for a business problem. In any systems solution, it is
imperative that the first and driving factor is the business need. Based on the business need,
applications are selected to provide needed services, and then data support and structures
capable of providing the needed inputs are chosen. Finally, based on all of the above, specific
technologies to implement the physical solution are delineated. The logical design is, therefore,
the blueprint for the desired solution. The logical design is implementation independent,
meaning that it contains no reference to specific technologies, vendors, or products. It
addresses, instead, how the proposed system will solve the problem at hand. In this stage,
analysts generate a number of alternative solutions, each with corresponding strengths and
weaknesses, and costs and benefits, allowing for a general comparison of available options. At
the end of this phase, another feasibility analysis is performed. In summary,
• Based on business need, applications are selected capable of providing needed services
• Based on applications needed, data support and structures capable of providing the
needed inputs are identified
• Finally, based on all of the above, specific ways to implement the physical solution
are chosen
• At the end, another feasibility analysis is performed

Physical Design
During the physical design phase, specific technologies are selected to support the
alternatives identified and evaluated in the logical design. The selected components are
evaluated based on a make-or-buy decision (develop the components in-house or purchase
them from a vendor). Final designs integrate various components and technologies. After yet
another feasibility analysis, the entire solution is presented to the organizational management
for approval. In summary,
• Specific technologies are selected to support the alternatives identified and evaluated in
the logical design
• Selected components are evaluated based on a make-or-buy decision
• Entire solution is presented to the end-user representatives for approval

Implementation
In the implementation phase, any needed software is created. Components are ordered,
received, and tested. Afterward, users are trained and supporting documentation created. Once
all components are tested individually, they are installed and tested as a system. Again a
feasibility analysis is prepared, and the sponsors are then presented with the system for a
performance review and acceptance test. In summary,
• Components are ordered, received, assembled, and tested
• Users are trained and documentation created
• Users are then presented with the system for a performance review and acceptance test

Maintenance and Change


The maintenance and change phase is the longest and most expensive phase of the
process. This phase consists of the tasks necessary to support and modify the system for the
remainder of its useful life cycle. Even though formal development may conclude during this
phase, the life cycle of the project continues until it is determined that the process should begin
again from the investigation phase. At periodic points, the system is tested for compliance, and
the feasibility of continuance versus discontinuance is evaluated. Upgrades, updates, and
patches are managed. As the needs of the organization change, the systems that support the
organization must also change. It is imperative that those who manage the systems, as well as
those who support them, continually monitor the effectiveness of the systems in relation to the
organization’s environment. When a current system can no longer support the evolving mission
of the organization, the project is terminated and a new project is implemented. In summary,
• Tasks necessary to support and modify the system for the remainder of its useful life
• The life cycle continues until the process begins again from the investigation phase
• When the current system can no longer support the mission of the organization, a new
project is implemented

7. What is Security SDLC? Explain its different phases.

Security Systems Development Life Cycle
• The same phases used in the traditional SDLC adapted to support the specialized
implementation of a security project
• Basic process is identification of threats and controls to counter them
• The SecSDLC is a coherent program rather than a series of random, seemingly
unconnected actions

Investigation
The investigation phase of the SecSDLC begins with a directive from upper management,
dictating the process, outcomes, and goals of the project, as well as its budget and other
constraints. Frequently, this phase begins with an enterprise information security policy
(EISP), which outlines the implementation of a security program within the organization. Teams
of responsible managers, employees, and contractors are organized; problems are analyzed; and
the scope of the project, as well as specific goals and objectives and any additional constraints
not covered in the program policy, are defined. Finally, an organizational feasibility analysis is
performed to determine whether the organization has the resources and commitment
necessary to conduct a successful security analysis and design. In summary,
• Identifies process, outcomes and goals of the project, and constraints
• Begins with a statement of program security policy
• Teams are organized, problems analyzed, and scope defined, including objectives, and
constraints not covered in the program policy
• An organizational feasibility analysis is performed

Analysis
In the analysis phase, the documents from the investigation phase are studied. The
development team conducts a preliminary analysis of existing security policies or programs,
along with that of documented current threats and associated controls. This phase also includes
an analysis of relevant legal issues that could affect the design of the security solution.
Increasingly, privacy laws have become a major consideration when making decisions about
information systems that manage personal information. Recently, many states have
implemented legislation making certain computer-related activities illegal. A detailed
understanding of these issues is vital. Risk management also begins in this stage. Risk
management is the process of identifying, assessing, and evaluating the levels of risk facing the
organization, specifically the threats to the organization’s security and to the information stored
and processed by the organization. In summary,
• Analysis of existing security policies or programs, along with documented current
threats and associated controls
• Includes an analysis of relevant legal issues that could impact the design of the security
solution
• The risk management task (identifying, assessing, and evaluating the levels of risk) also
begins

Logical & Physical Design


The logical design phase creates and develops the blueprints for information security,
and examines and implements key policies that influence later decisions. Also at this stage, the
team plans the incident response actions to be taken in the event of partial or catastrophic loss.
The planning answers the following questions:
• Continuity planning: How will business continue in the event of a loss?
• Incident response: What steps are taken when an attack occurs?
• Disaster recovery: What must be done to recover information and vital systems
immediately after a disastrous event?

Next, a feasibility analysis determines whether or not the project should be continued or be
outsourced.
The physical design phase evaluates the information security technology needed to
support the blueprint outlined in the logical design, generates alternative solutions, and
determines a final design. The information security blueprint may be revisited to keep it in line
with the changes needed when the physical design is completed. Criteria for determining the
definition of successful solutions are also prepared during this phase. Included at this time are
the designs for physical security measures to support the proposed technological solutions. At
the end of this phase, a feasibility study determines the readiness of the organization for the
proposed project, and then the champion and sponsors are presented with the design. At this
time, all parties involved have a chance to approve the project before implementation begins. In
summary,
• Creates blueprints for security
• Critical planning and feasibility analyses to determine whether or not the project should
continue
• In physical design, security technology is evaluated, alternatives generated, and final
design selected
• At end of phase, feasibility study determines readiness so all parties involved have a
chance to approve the project

Implementation
The implementation phase of the SecSDLC is also similar to that of the traditional SDLC.
The security solutions are acquired (made or bought), tested, implemented, and tested again.
Personnel issues are evaluated, and specific training and education programs conducted.
Finally, the entire tested package is presented to upper management for final approval. In
summary,
• The security solutions are acquired (made or bought), tested, and implemented, and
tested again
• Personnel issues are evaluated and specific training and education programs conducted
• Finally, the entire tested package is presented to upper management for final approval

Maintenance and Change


Maintenance and change is the last, though perhaps most important, phase, given the
current ever-changing threat environment. Today’s information security systems need constant
monitoring, testing, modification, updating, and repairing. Applications systems developed
within the framework of the traditional SDLC are not designed to anticipate a software attack
that requires some degree of application reconstruction. In information security, the battle for
stable, reliable systems is a defensive one. Often, repairing damage and restoring information is
a constant effort against an unseen adversary. As new threats emerge and old threats evolve,
the information security profile of an organization must constantly adapt to prevent threats
from successfully penetrating sensitive data. This constant vigilance and security can be
compared to that of a fortress where threats from outside as well as from within must be
constantly monitored and checked with continuously new and more innovative technologies. In
summary,
• The maintenance and change phase is perhaps most important, given the high level of
ingenuity in today’s threats
• The reparation and restoration of information is a constant duel with an often unseen
adversary
• As new threats emerge and old threats evolve, the information security profile of an
organization requires constant adaptation

8. List the steps that are common between SDLC and Security SDLC and also write the
unique steps of Security SDLC

For each phase, the common steps are those shared by the systems development life cycle and
the security systems development life cycle; the unique steps are those found only in the
security systems development life cycle.

1. Phase 1: Investigation
Common steps:
• Outline project scope and goals
• Estimate costs
• Evaluate existing resources
• Analyze feasibility
Unique steps:
• Management defines project processes and goals and documents these in the program
security policy

2. Phase 2: Analysis
Common steps:
• Assess current system against plan developed in Phase 1
• Develop preliminary system requirements
• Study integration of new system with existing system
• Document findings and update feasibility analysis
Unique steps:
• Analyze existing security policies and programs
• Analyze current threats and controls
• Examine legal issues
• Perform risk analysis

3. Phase 3: Logical Design
Common steps:
• Assess current business needs against plan developed in Phase 2
• Select applications, data support, and structures
• Generate multiple solutions for consideration
• Document findings and update feasibility analysis
Unique steps:
• Develop security blueprint
• Plan incident response actions
• Plan business response to disaster
• Determine feasibility of continuing and/or outsourcing the project

4. Phase 4: Physical Design
Common steps:
• Select technologies to support solutions developed in Phase 3
• Select the best solution
• Decide to make or buy components
• Document findings and update feasibility analysis
Unique steps:
• Select technologies needed to support security blueprint
• Develop definition of successful solution
• Design physical security measures to support technological solutions
• Review and approve project

5. Phase 5: Implementation
Common steps:
• Develop or buy software
• Order components
• Document the system
• Train users
• Update feasibility analysis
• Present system to users
• Test system and review performance
Unique steps:
• Buy or develop security solutions
• At end of phase, present tested package to management for approval

6. Phase 6: Maintenance and Change
Common steps:
• Support and modify system during its useful life
• Test periodically for compliance with business needs
• Upgrade and patch as necessary
Unique steps:
• Constantly monitor, test, modify, update, and repair to meet changing threats

9. Write about Communities of Interest (6 Marks)


Each organization develops and maintains its own unique culture and values. Within
each organizational culture, there are communities of interest that develop and evolve. As
defined here, a community of interest is a group of individuals who are united by similar
interests or values within an organization and who share a common goal of helping the
organization to meet its objectives. While there can be many different communities of interest
in an organization .

Information Security Management and Professionals


The roles of information security professionals are aligned with the goals and mission of
the information security community of interest. These job functions and organizational roles
focus on protecting the organization’s information systems and stored information from
attacks.

Information Technology Management and Professionals


The community of interest made up of IT managers and skilled professionals in systems
design, programming, networks, and other related disciplines has many of the same objectives
as the information security community. However, its members focus more on costs of system
creation and operation, ease of use for system users, and timeliness of system creation, as well
as transaction response time. The goals of the IT community and the information security
community are not always in complete alignment, and depending on the organizational
structure, this may cause conflict.

Organizational Management and Professionals


The organization’s general management team and the rest of the resources in the
organization make up the other major community of interest. This large group is almost always
made up of subsets of other interests as well, including executive management, production
management, human resources, accounting, and legal, to name just a few.
The IT community often categorizes these groups as users of information technology
systems, while the information security community categorizes them as security subjects. In
fact, this community serves as the greatest reminder that all IT systems and information
security objectives exist to further the objectives of the broad organizational community. The
most efficient IT systems operated in the most secure fashion ever devised have no value if they
are not useful to the organization as a whole.

10. Write about Information Security: Is It an Art or a Science?

• With the level of complexity in today’s information systems, the implementation of
information security has often been described as a combination of art and science
Security as Art
The administrators and technicians who implement security can be compared to a painter
applying oils to canvas. A touch of color here, a brush stroke there, just enough to represent the
image the artist wants to convey without overwhelming the viewer, or in security terms,
without overly restricting user access. There are no hard and fast rules regulating the
installation of various security mechanisms, nor are there many universally accepted complete
solutions. While there are many manuals to support individual systems, there is no manual for
implementing security throughout an entire interconnected system. This is especially true given
the complex levels of interaction among users, policy, and technology controls.
• No hard and fast rules nor are there many universally accepted complete solutions
• No magic user’s manual for the security of the entire system
• Complex levels of interaction between users, policy, and technology controls

Security as Science
Technology developed by computer scientists and engineers—which is designed for
rigorous performance levels—makes information security a science as well as an art. Most
scientists agree that specific conditions cause virtually all actions in computer systems. Almost
every fault, security hole, and systems malfunction is a result of the interaction of specific
hardware and software. If the developers had sufficient time, they could resolve and eliminate
these faults. The faults that remain are usually the result of technology malfunctioning for any
one of a thousand possible reasons. There are many sources of recognized and approved
security methods and techniques that provide sound technical security advice. Best practices,
standards of due care, and other tried-and-true methods can minimize the level of guesswork
necessary to secure an organization’s information and systems.
• Dealing with technology designed to perform at high levels of performance
• Specific conditions cause virtually all actions that occur in computer systems
• Almost every fault, security hole, and systems malfunction is a result of the interaction of
specific hardware and software
• If the developers had sufficient time, they could resolve and eliminate these faults

Security as a Social Science


A third view to consider is information security as a social science, which integrates
some of the components of art and science and adds another dimension to the discussion. Social
science examines the behavior of individuals as they interact with systems, whether these are
societal systems or, as in this context, information systems. Information security begins and
ends with the people inside the organization and the people that interact with the
system, intentionally or otherwise. End users who need the very information the security
personnel are trying to protect may be the weakest link in the security chain. By understanding
some of the behavioral aspects of organizational science and change management, security
administrators can greatly reduce the levels of risk caused by end users and create more
acceptable and supportable security profiles. These measures, coupled with appropriate policy
and training issues, can substantially improve the performance of end users and result in a
more secure information system.

11. Describe the information security roles to be played by various professionals in a
typical organization?
It takes a wide range of professionals to support a diverse information security program.
As noted earlier in this chapter, information security is best initiated from the top down. Senior
management is the key component and the vital force for a successful implementation of an
information security program. But administrative support is also essential to developing and
executing specific security policies and procedures, and technical expertise is of course
essential to implementing the details of the information security program. The following
sections describe the typical information security responsibilities of various professional roles
in an organization.

Senior Management
The senior technology officer is typically the chief information officer (CIO), although
other titles such as vice president of information, VP of information technology, and VP of
systems may be used. The CIO is primarily responsible for advising the chief executive officer,
president, or company owner on the strategic planning that affects the management of
information in the organization. The CIO translates the strategic plans of the organization as a
whole into strategic information plans for the information systems or data processing division
of the organization. Once this is accomplished, CIOs work with subordinate managers to develop
tactical and operational plans for the division and to enable planning and management of the
systems that support the organization.

The chief information security officer (CISO) has primary responsibility for the
assessment, management, and implementation of information security in the organization. The
CISO may also be referred to as the manager for IT security, the security administrator, or a
similar title. The CISO usually reports directly to the CIO, although in larger organizations it is
not uncommon for one or more layers of management to exist between the two. However, the
recommendations of the CISO to the CIO must be given priority equal to, if not greater than, that of other
technology and information-related proposals. The placement of the CISO and supporting
security staff in organizational hierarchies is the subject of current debate across the industry.
• Chief Information Officer
– the senior technology officer
– primarily responsible for advising the senior executive(s) for strategic planning
• Chief Information Security Officer
– responsible for the assessment, management, and implementation of securing the
information in the organization
– may also be referred to as the Manager for Security, the Security Administrator, or
a similar title

Security Project Team


The information security project team should consist of a number of individuals who
are experienced in one or multiple facets of the required technical and nontechnical areas. Many
of the same skills needed to manage and implement security are also needed to design it.
Members of the security project team fill the following roles:
• A number of individuals who are experienced in one or multiple requirements of both
the technical and non-technical areas:
– The champion
– The team leader
– Security policy developers
– Risk assessment specialists
– Security professionals
– Systems administrators
– End users
Champion: A senior executive who promotes the project and ensures its support, both
financially and administratively, at the highest levels of the organization.
Team leader: A project manager, who may be a departmental line manager or staff unit
manager, who understands project management, personnel management, and information
security technical requirements.
Security policy developers: People who understand the organizational culture, existing
policies, and requirements for developing and implementing successful policies.
Risk assessment specialists: People who understand financial risk assessment techniques, the
value of organizational assets, and the security methods to be used.
Security professionals: Dedicated, trained, and well-educated specialists in all aspects of
information security from both a technical and nontechnical standpoint.
Systems administrators: People with the primary responsibility for administering the systems
that house the information used by the organization.
End users: Those whom the new system will most directly affect. Ideally, a selection of users
from various departments, levels, and degrees of technical knowledge assist the team in
focusing on the application of realistic controls applied in ways that do not disrupt the essential
business activities they seek to safeguard.

Data Responsibilities
The three types of data ownership and their respective responsibilities are outlined
below:
Data owners: Those responsible for the security and use of a particular set of information. They
are usually members of senior management and could be CIOs. The data owners usually
determine the level of data classification (discussed later), as well as the changes to that
classification required by organizational change. The data owners work with subordinate
managers to oversee the day-to-day administration of the data.

Data custodians: Working directly with data owners, data custodians are responsible for the
storage, maintenance, and protection of the information. Depending on the size of the
organization, this may be a dedicated position, such as the CISO, or it may be an additional
responsibility of a systems administrator or other technology manager. The duties of a data
custodian often include overseeing data storage and backups, implementing the specific
procedures and policies laid out in the security policies and plans, and reporting to the data
owner.

Data users: End users who work with the information to perform their assigned roles supporting
the mission of the organization. Everyone in the organization is responsible for the security of data,
so data users are included here as individuals with an information security role.