1. Running head: PLANNING AND IMPLEMENTING INFORMATION SECURITY 1
Planning and Implementing Information Security
John Intindolo
American Public University
Planning and Implementing Information Security
Information Security has become a point of emphasis for almost everyone in today’s
world. A large portion of the population has a computer that they use for their daily activities.
Some use it to do their homework, pay their bills, or even balance their checkbook. Others may
use their computer to keep in touch with family and friends through social media websites, or to
keep track of their fantasy football team’s stats. Businesses may rely on their computer
network to perform daily business transactions and to store pertinent financial and customer data.
The one thing they all share is that they need to be connected to the Internet.
The networks that connect these users and their computers come in many forms. That
connection could be a home network with a single computer, a large family with several
computers, laptops, and smart phones connected, a small business with a group of computers on
its network, or even a large corporation with multiple networks spread across multiple locations.
The point is that no matter how big or small a network is, the one thing they all share is the need
for their information to remain secure. So what is Information Security?
Information Security is the practice of defending information from being accessed, used,
disclosed, modified, inspected, recorded, or destroyed by someone who is unauthorized to do so
(“Definition of information security,” 2012). As that definition demonstrates, Information
Security does not relate only to computers. Whenever a person locks a file cabinet, or requires a
passcode to open a safe, they are using a form of Information Security. Another example of
putting Information Security methods into place is a person using a password to log onto their
phone or computer. Some may simply be trying to protect their personal photos or their catalog
of mp3 music files; others, like businesses, are looking to protect financial data (such as
employee payroll records), customer data (such as billing and credit card information), or even
intellectual property (such as trade secrets). The point is to keep unauthorized users out of the
system, no matter how big or how small that system is. What are the three main purposes of
Information Security?
The three main purposes of Information Security are to protect the confidentiality,
integrity, and availability of information. This is commonly known in the Information Technology
field as the CIA Triad of Information Security. Confidentiality refers to ensuring that
information is kept from being accessed by those who are not authorized to do so. Integrity,
simply put, means that the information is valid and trustworthy: it ensures that the information
has not been corrupted in any way while entering the system. Availability is the third main
purpose of Information Security and, as the name suggests, refers to keeping information
resources available. Availability can be disrupted in several different ways, including a technical
issue that breaks the connection to the network, a natural disaster that causes a power outage, or
a man-made disaster caused either accidentally or intentionally. All three aspects of the CIA
Triad are important, and unless all three are implemented the security of the system will fail.
Two other security measures of Information Security extend the CIA Triad umbrella:
authentication and nonrepudiation.
Authentication is “the process of determining whether someone or something is, in fact,
who or what it is declared to be” (“Authentication vs.,” 2013). This can be accomplished through
the use of passwords, for instance. Other examples of authentication are security badges or a
fingerprint scanner. If a person cannot be authenticated as who they say they are, then they will
not be able to connect to the network. It is important to use strong passwords so that they cannot
be easily guessed by an attacker. Sometimes a password alone is just not secure enough, and that
calls for the use of multi-factor authentication. This means that two or more authentication
methods must be passed before someone is allowed access to the network, for example a
password and the person’s social security number. Repudiation can be defined as “the denial of
an entity of having participated in all or part of a communication” (Kremer & Raskin, p. 1).
Nonrepudiation is therefore the complete opposite: it establishes that the original source of the
data did send it, or that the person the data was sent to did receive it, so that neither can deny
having taken part.
There are choices that must be made in maintaining the security of information and
ensuring that the CIA Triad is being followed. These choices come in three different forms: rule-
based decisions, relativistic decisions, and rational decisions. Rule-based decisions follow widely
accepted guidelines that apply to all subjects. Examples would be a person locking the doors of
their house and locking their car doors. No one is making the person lock their doors, but it is
widely accepted as a security practice.
Relativistic decisions are made in an attempt to “one-up” someone who has similar security
problems. An example of this type of decision would be a person who visits a friend’s house,
sees their security system, and then decides to go out and buy a more advanced security system
for themselves. In the field of Information Security this is not always done to “one-up” another
person’s security for bragging rights, but rather to ensure that one’s own information remains
secure. The third common security decision is the rational decision. This means that the decision
is based on analyzing the security process and making a well thought-out plan to determine the
best measures to take. What is the security process?
The security process is a sequence of six phases that works through the details of a
problem systematically and arrives at a rational decision to correct it. The six phases are as
follows: identify the assets, analyze the risk of an attack, establish a security policy, implement the
defenses, monitor the defenses, and recover from attacks (Smith, 2011, p. 5). Each of the six
phases is connected to the others. They are performed in order, and each subsequent step builds
upon the results of the previous one. If a later step reveals that an earlier phase was incorrect,
then the earlier step is revisited and corrected.
Phase one is identifying the assets. This is done so that the most important data can be
separated from the least important. Identifying the assets will allow the security team to
understand what is pertinent to the organization and in need of protection. The second phase is to
analyze the risk of an attack. The purpose of this part of the security process is to identify where
there are weaknesses, so that they may be secured before an attacker has the chance to exploit
them. Establishing a security policy is the third phase and will create a set of rules that everyone
within the organization must follow. It does not matter if it is the CEO of the company or a
customer service representative. The security policy must be followed by all or it will fail.
Phase four is to implement the defenses. These defenses will protect the organization’s
network from an attack or an intrusion. This is where firewalls, anti-virus programs, anti-malware
programs, and the like are deployed. Phase five is to monitor the defenses that have been
implemented. If there is a weakness in one of the defenses that have been put into place, then the
confidentiality, integrity, and availability of the organization’s network are at risk. Therefore,
when a weakness is found it must be corrected before it has a chance to be exploited. This
continuous improvement is extremely important to the success of a secure network. Technologies
are constantly changing, so if the defenses are not constantly monitored and updated the system
will not survive. Phase six of the process is recovering from attacks. No system is one-hundred
percent impervious to attack, so it is important to have a plan in place to recover from one. Now
that the purpose of Information Security, the security decisions, and the security process have
all been defined, how does one implement Information Security?
The first step in implementation is to do a full risk assessment. According to Kiran, Reddy,
& Haritha, “Risk assessment is the progression that identifies and valuates the risks to information
security by defining the likelihood of occurrence and the resulting impact” (2013, p. 41). What
this means is that each and every asset of the organization is analyzed and prioritized, from the
most important all the way down to the assets of least importance. This is the foundation for a
secure organization. The next step would be to create a security policy. The purpose of the
security policy is to set the guidelines that every single person within the organization must
follow. It is important that those at the top of the organization follow the policy as well, and
stress its importance to everyone else. Why is it so important for everyone to follow the security
policy?
The reason it is important for everyone to follow the security policy is that employees
who comply with the policy are the key to strengthening Information Security (Bulgurcu,
Cavusoglu, & Benbasat, 2010, p. 523). If not everyone follows the policy, the system will
falter. The security policy is a written policy that provides protection not only for the
information itself, but also for the equipment and software used to process, store, and
communicate that information. For the reasons previously mentioned, it is extremely important
that the policy is constantly reviewed and updated to correct areas of weakness.
At this point the next step would be to put together a security administration team. This
group of individuals will oversee that everyone within the organization is adhering to the security
policy. Having a team that works together makes it much easier to ensure that everyone is
following the security policy; if a company has hundreds of employees it may be difficult for one
or two people to monitor them all. A security administration team can be divided among the
different sectors of the organization. It is important that all members of the security
administration team work collaboratively to ensure that the policy is being followed. In other
words, everyone on the team should know if any issues come about in a sector that another
administrator is overseeing.
An incident response plan would be the next logical step in implementing Information
Security. This plan will cover any and all incidents that occur, no matter how big or how
minuscule. As stated earlier, no system is immune to attack no matter how secure it may be. It
is for this reason that it is of the utmost importance to have an incident response plan that serves
as a guide for the incident response team to follow. This guide will save time and confusion in
the event of an intrusion. By documenting how to handle each and every incident, the team will
maintain connectivity or greatly reduce the downtime of the organization’s network when an
attack occurs. Additionally, the incident response plan gives the incident response team the
ability to isolate the incident and stop the attack from spreading and doing more damage
throughout the network.
Now that an incident response plan has been put into place, the next step would be to
create an incident response team. The duty of the incident response team is to follow the
guidelines set forth in the incident response plan when an incident has taken place. As stated
above, the response team will respond immediately to an incident and prevent the attack from
causing greater damage to the network by remedying the situation in a timely manner.
Furthermore, it is the incident response team’s responsibility to keep the organization up and
running, or to minimize the amount of time it is down following an attack. The members of the
incident response team are governed by the security administration team.
Keeping the business up and running, or reducing the downtime of a network, are
important responsibilities of an incident response team. This is accomplished by following a
business continuity plan, which describes how to keep business moving in the event of an
incident. Not all incidents are the result of an attack, however. Some are the result of natural
disasters such as an earthquake, tornado, or snow storm. The damage could be a simple power
outage, or the data could be destroyed altogether. With man-made disasters the problems can
range from a malicious attack all the way to physical damage of equipment and software. A big
part of business continuity is to have constant backups, performed once every 24 hours. If an
office is hit by a tornado, a backup kept in that office is most likely rendered useless as well;
therefore, backups should be stored at a secure off-site location.
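To make two of the paper’s points concrete, the integrity purpose of the CIA Triad and the value of an off-site backup, here is an added Python example that is not code from the paper. It builds a manifest of SHA-256 hashes when the daily backup is taken, tags the manifest with an HMAC so that someone who alters a backed-up file cannot simply rewrite the manifest to match, and checks a restored copy against it, reporting missing, corrupted, or unexpected files. The file paths, contents, and manifest key are all constructed for the example.

```python
import hashlib
import hmac
import json
from typing import Dict, List

# Constructed example, not from the paper: a tagged hash manifest travels
# with the daily backup to the off-site location and is checked before
# anyone trusts a restore.
MANIFEST_KEY = b"constructed-demo-key-keep-the-real-one-in-a-secrets-store"  # assumption


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(entries: Dict[str, str]) -> bytes:
    # Fixed key order and separators so the same entries always tag the same way.
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def make_manifest(files: Dict[str, bytes], key: bytes = MANIFEST_KEY) -> dict:
    """Hash every file in the backup set and HMAC-tag the hash list."""
    entries = {path: sha256_hex(data) for path, data in sorted(files.items())}
    tag = hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()
    return {"files": entries, "tag": tag}


def verify_backup(manifest: dict, restored: Dict[str, bytes], key: bytes = MANIFEST_KEY) -> List[str]:
    """Return a sorted list of problems; an empty list means the restore matches."""
    expected_tag = hmac.new(key, _canonical(manifest["files"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, manifest["tag"]):
        # If the manifest itself was altered, none of its per-file hashes can be trusted.
        return ["manifest tag mismatch: manifest may have been tampered with"]
    problems: List[str] = []
    for path, digest in manifest["files"].items():
        if path not in restored:
            problems.append(f"missing: {path}")
        elif sha256_hex(restored[path]) != digest:
            problems.append(f"corrupted: {path}")
    for path in restored:
        if path not in manifest["files"]:
            problems.append(f"unexpected: {path}")
    return sorted(problems)


# Constructed sample backup set.
ORIGINAL = {
    "payroll/2013-q1.csv": b"emp_id,gross\n1001,5200.00\n",
    "customers/billing.db": b"\x00\x01binary-blob\x02",
    "policy/security-policy.txt": b"All staff must follow this policy.\n",
}

if __name__ == "__main__":
    manifest = make_manifest(ORIGINAL)
    print("clean restore:", verify_backup(manifest, ORIGINAL))
    damaged = dict(ORIGINAL)
    damaged["payroll/2013-q1.csv"] = b"emp_id,gross\n1001,9999.00\n"
    del damaged["policy/security-policy.txt"]
    print("damaged restore:", verify_backup(manifest, damaged))
```

The manifest key should live with the security administration team rather than on the backup media: a backup and its manifest stored together, with the key alongside, would let a single compromise of the off-site copy go undetected.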
Everyone wants their information to be kept secure. Whether it is a teenager wanting their
music files protected, a man’s banking information, or a business’s financial and customer data,
the one thing that remains constant is the need for Information Security. Information Security
does not provide a quick fix. There is no one-step process that is the be-all and end-all solution,
and if there were one, could it be trusted? After all, if something sounds too good to be true it
usually is. Information Security is instead a lengthy and complicated process that takes a
collaborative effort from everyone involved to make it work. There is no foolproof plan to
protect a network one-hundred percent, but if the policies and strategies outlined in this paper are
followed they will greatly reduce the risk of an attack.
References
Authentication vs. authorization. (2013). Retrieved from
http://protect.iu.edu/cybersecurity/authn-authz
Bulgurcu, B., Cavusoglu, H., & Benbasat, I. (2010). Information Security Policy Compliance: An
Empirical Study of Rationality-based Beliefs and Information Security Awareness. MIS
Quarterly, 34(3), 523-A7.
Definition of information security. (2012). Retrieved from
http://oit.unlv.edu/network-and-security/definition-information-security
Kiran, K., Reddy, L., & Haritha, N. (2013). A Comparative Analysis on Risk Assessment
Information Security Models. International Journal of Computer Applications, 82(1-13),
41-47.
Kremer, S., & Raskin, J. F. (n.d.). A game approach to the verification of exchange protocols.
Retrieved from http://robotics.eecs.berkeley.edu/~wlr/228a02/papers/NonRepudiation.pdf
Smith, R. E. (2011). Elementary Information Security. Burlington, MA: Jones & Bartlett
Learning.