Security Information System | ISS | Part 1

What Is Security Information System (ISS)?

Information systems security (ISS) is the set of technical, organizational, legal and human resources that are needed and put in place to preserve, restore and guarantee the security of information systems. Ensuring the security of an information system is an activity of information system management.

Issues of security of information systems

The term “computer system” here refers to any system whose operation involves electricity in one way or another and which is intended to produce, process, store, transmit or display information. Information systems generally rely on computer systems for their implementation. They include data communications (analog voice, Voice over IP, etc.) and, in some cases, data on paper.

Such systems are exposed to threats of various types, which may alter or destroy information (this concerns “information integrity”), disclose it to third parties who should not have knowledge of it (this concerns “information confidentiality”), or, for example, impair its availability (this concerns “system availability”). Since the 1970s, rapid access to information, the speed and effectiveness of processing, data sharing and interactivity have increased significantly, but so have outages, incidents, errors, negligence and malicious acts, particularly with the opening of systems to the Internet.

Some of these threats may also indirectly cause significant financial damage. For example, although such figures are difficult to estimate, sums of the order of several billion U.S. dollars have been put forward for the damage caused by malware such as the Code Red worm. Other substantial damage, such as that related to the theft of credit card numbers, has been determined more precisely.

Beyond the financial aspects, computer security breaches can harm the privacy of a person by disseminating confidential information about them (including a postal or bank address), and the host can therefore be punished when its negligence is established: if, for example, it has not applied patches in a timely manner.

Indirectly too, some threats can affect the image of the owner of the information system. The techniques used for “defacing” (the defacement of a website) allow an attacker to identify security vulnerabilities on a web server. They can also take advantage of these vulnerabilities to spread false information about the owner (known as disinformation).

The most common, and undoubtedly the precursors in information security, are information security policies, especially military ones. The TCSEC, the reference work on the subject, comes from the United States Department of Defense (DoD). The principle of multi-level security is rooted in research into solving the security problems of military information. Today, several mechanisms are being studied; these include decoys, based on the argument that explicitly prohibiting access to data itself provides information about that data, which also rests on the realistic assumption that 100% security is never reached.

Risk assessment

Trying to secure an information system is an attempt to protect oneself against the risks that may affect its security or that of the information it processes.

Methods of risk analysis

Different methods of risk analysis of the information system exist. Three main assessment methods are available on the French market:

  • EBIOS (Expression of Needs and Identification of Security Objectives), developed by the French National Agency for Information Systems Security (ANSSI);
  • The Mehari method (Harmonized Method of Risk Analysis), developed by CLUSIF;
  • The OCTAVE method (Operationally Critical Threat, Asset, and Vulnerability Evaluation), developed by Carnegie Mellon University (USA).

The MITRE Corporation, which works for the United States Department of Defense, also developed in 1998 a method for assessing threats and vulnerabilities applied to the aerospace industry, which can be generalized to critical infrastructure: NIMS (NAS Infrastructure Management System, where NAS stands for National Aerospace).

Even if the purpose of these methods is the same, the terms and expressions used can vary. Those used below are broadly inspired by the Feros method.

Paradoxically, in business, defining IS security indicators that are measurable, relevant and then allow reasonable objectives to be set over time proves difficult. As performance indicators, one can use the installation states of tools or procedures, but indicators of results are more complex to define and assess, for example those concerning “virus alerts”.

Sensitive information

Before attempting to protect them, one should determine which information is sensitive for the business; this may be data, or more generally the assets represented by data. Each element may have a different sensitivity.

The assets also include, in particular, the intellectual capital of the company, which is an information heritage to protect. Threats and vulnerabilities must be assessed to determine what is vulnerable.

Security Criteria

Security can be judged according to several criteria:

  • Availability: guarantee that the elements considered are accessible when needed by authorized persons.
  • Integrity: guarantee that the elements considered are accurate and complete.
  • Confidentiality: guarantee that only authorized persons have access to the elements considered.

Other issues may possibly be considered as criteria (although they are in fact security functions), such as:

Tracking (or “proof”): guarantee that access and attempted access to the elements considered are traced, and that these traces are preserved and can be exploited.

Once the sensitive elements have been identified, the risks weighing on each of them can be estimated based on the threats to those elements. This involves estimating:

  • The severity of the impacts should the risks materialize,
  • The likelihood of the risks (or their potentiality, or their probability of occurrence).

In EBIOS, these two levels together make up the level of each risk, which allows the risks to be evaluated (compared).

In the Mehari method, the product of the impact and the potentiality is called “gravity”. Other methods use the concepts of “risk level” or “degree of risk”.
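To make the two-factor estimate concrete, here is an added example (not from the original article, nor from EBIOS, Mehari or any other method it names) of a small risk register that scores each (element, threat) pair as impact × likelihood in the Mehari sense and ranks the results; the 1-to-4 scales, the asset names, the sensitivities and the threat values are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed 1..4 scales (an assumption, not taken from the article): impact
# severity and likelihood ("potentiality") are both scored 1 (low) to 4 (high).
CRITERIA = ("availability", "integrity", "confidentiality")

@dataclass(frozen=True)
class Threat:
    name: str
    criterion: str   # the security criterion this threat undermines
    likelihood: int  # 1 (rare) .. 4 (almost certain)

def gravity(sensitivity: dict, threat: Threat) -> int:
    """Mehari-style gravity: impact x potentiality.

    The impact of a threat on an element is taken as that element's
    sensitivity on the criterion the threat attacks (assumption), so a
    confidentiality threat against a low-confidentiality asset scores low.
    """
    if threat.criterion not in CRITERIA:
        raise ValueError(f"unknown criterion: {threat.criterion}")
    return sensitivity[threat.criterion] * threat.likelihood

def assess(assets: dict, threats: list, tolerance: int = 6) -> list:
    """Estimate every (asset, threat) risk and return those whose gravity
    exceeds the acceptance tolerance, most serious first."""
    risks = [(asset, t.name, gravity(sens, t))
             for asset, sens in assets.items() for t in threats]
    risks.sort(key=lambda r: r[2], reverse=True)  # stable: ties keep input order
    return [r for r in risks if r[2] > tolerance]

# Constructed sample register: per-element sensitivity on each criterion.
SAMPLE_ASSETS = {
    "customer card numbers": {"availability": 2, "integrity": 3, "confidentiality": 4},
    "public website":        {"availability": 4, "integrity": 3, "confidentiality": 1},
}
SAMPLE_THREATS = [
    Threat("malware", "integrity", 3),
    Threat("data theft", "confidentiality", 2),
    Threat("fire / water damage", "availability", 1),
    Threat("careless user", "confidentiality", 4),
]

if __name__ == "__main__":
    for asset, threat, g in assess(SAMPLE_ASSETS, SAMPLE_THREATS):
        print(f"{g:2d}  {asset:22s} <- {threat}")
```

Changing a single sensitivity value or a threat's likelihood reorders the register, which is the point of the comparison step the methods describe.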

Threats, or Insecurity of the Information System

The main threats an information system may actually be confronted with are:

  • A user of the system: the vast majority of problems related to the security of an information system come from the user, typically through carelessness;
  • An attacker: someone manages to break into the system, legitimately or not, and gains access to data or programs they are not supposed to access, for example by using known but unpatched vulnerabilities in software;
  • A malicious program: software intended to harm or abuse the system's resources is installed (by accident or maliciously) on the system, opening the door to unauthorized access or alteration of data; personal data may be collected without the user's knowledge and reused for commercial or malicious purposes;
  • A loss (theft, fire, water damage) or improper handling, possibly malicious, causing a loss of equipment and/or data.
