Data accuracy.

Even the best software is of little use if it is processing corrupted data. Most generic software tools do not provide built-in facilities for checking the accuracy of input data. Therefore, it becomes the responsibility of the user to build in such checks. These should include data format and range checks and cross-checks of results. Managers should require the supporting information and evidence necessary to assure that calculations and other data handling operations have been performed properly.

Software accuracy.

In situations where important functions are being performed on smaller computers, consider applying formal controls over software development and testing.

This applies not only to situations where systems are being designed and programmed in traditional programming languages (e.g. BASIC). There is increasing use of generic software tools (e.g. spreadsheet and database management systems) to build complex applications. Even though many of the typical programming problems may be reduced in these situations, the need for careful analysis and control is just as important. This may very well require additional training of personnel or the use of specially trained personnel, since system development skills are not a normal part of professional training.

UNIT 2.

TEXT 2A.

INFORMATION SYSTEMS SECURITY.

A successful security program consists of a number of interrelated key elements, each of which has a definite purpose and is supported by management. These elements are briefly discussed below.

I. Definition.

Information systems security can be defined as the protection of information assets against accidental or intentional but unauthorized disclosure, modification or destruction, and against denial of service.

II. Security Policy.

Security must begin with the establishment of an organization-wide policy by executive management. This policy should set the direction for security and give broad guidance. Guidelines and instructions on security should be covered in more detailed supporting documents.

III. Security Staff.

A high-level Security Manager, with authority to act for the entire organization, should be designated. This management position would be responsible for directing and coordinating implementation of the organization's policy and may require the assistance of one or more full-time staff members, depending on the size of the organization.

IV. Management Responsibility.

Security is a line management responsibility. All line managers should be fully aware of the organization’s policies and guidelines. They are responsible for protecting all resources allocated to them and for ensuring that all employees are aware of and abide by established guidelines.

V. Employee Awareness.

All employees must be alert to the need for security. Awareness must come from management’s communication of the security policy and guidelines to all personnel. A clear understanding and commitment on the part of all employees to abide by the policy is necessary. Conditions of non-compliance should be specified and enforced.

VI. Ownership and Classification.

An ownership program provides the ability to ensure that all information is accounted for and that it receives the proper protection. An owner is that individual manager or agent of management who has property rights for an information asset and is responsible for making and communicating judgments and decisions on behalf of the organization with regard to:

- the classification and level of protection given to the asset;

- approving application controls and authorizing access to the asset;

- risk assessment, risk acceptance, and contingency planning for the asset.

VII. Hazards to Information Systems Environments.

Note: The hierarchy of exposures below can vary significantly depending upon the nature of the establishment and the degree of management controls in place.

- The biggest exposure is due to Errors and Omissions caused by honest employees who make mistakes in data entry, data updates, changes to applications, etc.

- The second biggest exposure is from Dishonest Employees who take advantage of some missing control or misuse the authority they possess for personal gain.

- Third is Fire and Natural Disasters. Although lessened by management focus, fire still remains an exposure. Natural disasters are typically more predictable on the basis of historical occurrences associated with geographical locations.

- Fourth is Disgruntled Employees. A disgruntled employee is one who works for or used to work for an organization and wants to cause harm or embarrassment to the organization itself. The major difference between dishonest and disgruntled employees is this: dishonest employees do not want their act to be discovered, since discovery cuts off their source of personal gain, while disgruntled ones want the act to result in recognized harm.

- Fifth is Water Damage. This area has received much attention, but is still an exposure due to unplanned events such as burst pipes, leaking roofs, etc.

- Sixth is External Threats. This includes man-made hazards such as riots, war, etc. Computer "hackers" fall into this category as well.

Awareness of this security exposure hierarchy, coupled with the implementation of effective controls and procedures in the high-loss exposure areas, can go a long way in providing adequate protective measures against other threats.

VIII. Risk Analysis.

Vulnerabilities to hazards can differ greatly from one organization to another, depending on the nature of the organization. Each organization should perform a risk analysis to analyze their unique exposures.

IX. Protective Measures.

Protective measures to reduce risk exposures can be placed in three categories: physical security; controls and procedures; contingency planning.

X. Cost / Benefit Analysis.

Prior to implementing any protective measure, management should assess the cost of the measure compared with the reduction in exposure to financial loss. Protection should be selected and applied on the basis of cost / benefit value.

XI. Audit.

The audit process should validate that all security exposures have been assessed and that cost-effective protection has been identified and implemented.

Words and word-combinations to memorize:

unauthorized disclosure - unauthorized disclosure (of information); abide by (smth.) - to adhere to (something), to comply with; be alert - to be vigilant; ownership - the right of ownership (of an asset); communicating judgment - making a decision known (in the text: making and communicating judgments on behalf of the organization); on behalf (of) - in the interests of, as the representative of (someone); contingency planning - planning for unforeseen situations; hazard - a danger, a source of failure or loss; exposure - the degree to which data or assets are unprotected, susceptibility to loss; embarrassment - damage to reputation, public discredit; vulnerability - a weakness that a hazard can exploit.

I. Answer the following questions:

1. What does a successful security program consist of? 2. How can information systems security be defined? 3. What is the security policy designed for? 4. What are all line managers responsible for? 5. How must employee awareness be carried out? 6. What does an ownership program provide? 7. How can you classify the hazards to information systems environments according to their exposures?

II. Translate the following sentences and explain the use of Participle II.

1. To understand the kind of tasks done by the operating system, consider the sequence of steps that must be taken to transfer a file of data from primary memory to disk storage. 2. Any hidden assumption is a potential security hole. 3. The equipment tested requires further improvement. 4. Since then, viruses have become a serious security threat to casual home computer users and large corporate networks. 5. One of the most elaborate biologically based systems is IBM's Immune System for Cyberspace. 6. When worked, personnel are faced with new security-related tasks which at first sight seem more trouble than they are worth. 7. Having been given all the instructions, the computer was able to start work immediately. 8. The circuit broken, the magnetic field disappears. 9. With the experiments having been carried out, we started new investigations. 10. The article deals with artificial intelligence, with particular attention being paid to its abilities.

III. Translate the following sentences explaining the functions of words ending in -ing.

1. Researchers have been looking into biological models of computer antivirus systems for several years. 2. Viruses began affecting desktop computers in the 1980s, starting with a harmless virus that infected Apple II systems in 1981. 3. Viral scanning at the server level or via a LAN (local area network) manager can help protect against infection being spread throughout a network. 4. Having now high-frequency transistors and integrated circuits, the engineers can create such models of the computer. 5. In addition to creating insulating areas, oxidation offers a practical method for growing silicon oxides at low temperatures. 6. According to Kephart, the Immune System can also use a neural-network technique that quickly identifies short byte sequences that represent instructions for carrying out virus-related tasks. 7. The most important part of keeping secrets is knowing the areas you need to protect. 8. Understanding the weak points is increasing security on IP (Internet Protocol) networks. 9. Today there is a trend toward distributing more processing capability throughout a computer system, with various areas having small local processors for handling operations in those areas.

IV. Translate the following sentences with negative constructions.

1. You must be sure that the information transmitted from any point in a network is received at the destination it was intended to reach and nowhere else. 2. Security is a management issue, not a technological one. 3. Information technology organizations can no longer view security as a burden. 4. It makes no sense to install complicated software security measures when access to the hardware is not controlled. 5. No matter what you expect, the IS won't be protected. 6. A machine has neither human feelings nor desires or emotions. 7. You will never realize the special importance of Artificial Intelligence unless you have learnt its abilities for economic planning and management. 8. No attention would be needed from the human operator once the starting data and the method of computation had been set into the machine. 9. The limit of reoxane memory has not been measured, but it is known that it is thousands of times larger than electronic memory.
