Security Information System | ISS | Part 2

Information Security — Objectives

Once the risks are identified, the security objectives should be determined. These objectives express the intent to counter the identified risks and/or to comply with the organization's security policies. An objective may concern the target system, its development environment or its operating environment. These objectives can then be broken down into security functions that can be implemented on the information system.

Means of securing a system

Overall Design

The security of an information system can be compared to a chain whose links are of varying strength. Its overall security level is then that of its weakest link.

Thus, the security of the information system must be addressed in a global context:

  • User awareness of security issues (the English term “awareness” is also used);
  • Information security;
  • Data security, which relates to interoperability issues and to the need for data consistency in a distributed environment;
  • Network security;
  • Operating system security;
  • Telecommunications security;
  • Application security (e.g. buffer overflows), which requires secure programming;
  • Physical security, i.e. security of the physical infrastructure (see “Recovery Strategy”).

Data security in particular is the foundation of information system security, because all systems use data, and shared data are often very heterogeneous (format, structure, occurrence, etc.).

Defense in Depth

Taken straight from an old military practice and still relevant today, the principle of defense in depth consists of securing each subsystem as a whole, as opposed to the view of a system secured only at its perimeter. Taken strictly, the concept of defense in depth means that the various components of an infrastructure or information system do not trust the other components with which they interact. Each component therefore performs itself all the validations necessary to ensure its security. In practice, this model is only partly applied, because it is usually impractical to duplicate all security checks. It may even be preferable to consolidate several security checks in a component dedicated to that purpose; this component must then be considered trusted by the whole system.

Security Policy

The security of information systems is generally limited to guaranteeing the rights of access to the data and resources of a system, by putting in place authentication and control mechanisms. These mechanisms ensure that the users of these resources have only the rights they were granted.

Computer security must nevertheless be approached in such a way that it does not prevent users from developing the uses they need, and ensures that they can use the information system with confidence. That is why a security policy must first be defined, that is to say:

  • Develop rules and procedures, and install technical tools in the various departments of the organization (centered on IT);
  • Define the actions to take and the persons to contact when an intrusion is detected;
  • Educate users on information system security issues;
  • Clarify roles and responsibilities.

The security policy is therefore the set of orientations adopted by an entity with regard to security. As such, it must be drawn up at the management level of the organization, because it affects all users of the system.

Information systems security officer

In France, it is mainly large companies, businesses and public administrations that have appointed an information systems security officer, employed full-time or not. The tasks of this function depend on the political will of management; the managers and technicians involved generally have a good background in computing combined with skills in teaching, persuasion, etc. Gradually, the management of data security is organized into domains or sub-domains, services or staff, is given adequate financial and human resources, and is integrated into the company's planning, contracts or programs.

Thus, it is not up to administrators to define the access rights of users; that is the role of their line managers or of the CISO (Chief Information Security Officer), if the position exists within the organization. The role of the administrator is to ensure that resources, and the access rights to them, are consistent with the adopted security policy. Moreover, since the administrator is the one who knows the system best, it is up to him to report security information to management, possibly to advise on the strategies to implement, and to be the point of contact through which users communicate problems and recommendations regarding security.

Formal models of security

To achieve a target evaluation level with a good degree of confidence (level E4 of the TCSEC at minimum), security is formally defined in a model whose objectives are:

  • Express the security needs integrated into a computing context,
  • Provide a means of justifying that the model is consistent,
  • Provide a means of verifying that the needs are satisfied,
  • Provide methods for designing and implementing the system.

There are several formal models of security:

  • The Bell-LaPadula model (mandatory access management, confidentiality, static), the model most used to verify the security of computer systems. The designers of this model proved a theorem called the Basic Security Theorem (BST). Other models were derived from it: the Biba model (mandatory access management, integrity, static), the Dion model (mandatory access management, confidentiality and integrity, static) and the Jajodia and Sandhu model (mandatory access management, confidentiality, static).
  • The non-deduction model (mandatory access management, confidentiality, dynamic), which models information flow using concepts from logic. Security models based on the principle of information flow are useful for controlling indirect access to information: they highlight the problem of covert channels.
  • The HRU model (discretionary access management) and its derivatives, the Take-Grant model and the SPM model.
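As an added illustration (not part of the original article), the following Python sketch implements the access rules of the two static mandatory models named above, Bell-LaPadula (no read up, no write down) and Biba (no read down, no write up), over a simple level-and-compartment lattice. The levels, compartments and subject/object labels are constructed for the example and do not come from any particular system.

```python
# Added example: lattice-based mandatory access control checks for the
# Bell-LaPadula (confidentiality) and Biba (integrity) models. The levels,
# compartments and labels below are constructed for illustration only.
from dataclasses import dataclass, field

# Constructed ordering of sensitivity (or, for Biba, integrity) levels.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}

@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = field(default_factory=frozenset)

    def dominates(self, other: "Label") -> bool:
        """self >= other in the lattice: level at least as high AND a superset of compartments."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)

def blp_can_read(subject: Label, obj: Label) -> bool:
    # Simple security property ("no read up"): clearance must dominate classification.
    return subject.dominates(obj)

def blp_can_write(subject: Label, obj: Label) -> bool:
    # *-property ("no write down"): the object must dominate the subject, so a
    # highly cleared process cannot copy data into a lower-classified object.
    return obj.dominates(subject)

def biba_can_read(subject: Label, obj: Label) -> bool:
    # Biba is the dual: "no read down", lower-integrity data would taint the subject.
    return obj.dominates(subject)

def biba_can_write(subject: Label, obj: Label) -> bool:
    # "No write up": a low-integrity subject may not modify higher-integrity objects.
    return subject.dominates(obj)

def check(model: str, op: str, subject: Label, obj: Label) -> bool:
    """Dispatch a request to the chosen model; an unknown model or op is denied (fail closed)."""
    table = {("blp", "read"): blp_can_read, ("blp", "write"): blp_can_write,
             ("biba", "read"): biba_can_read, ("biba", "write"): biba_can_write}
    fn = table.get((model, op))
    return fn(subject, obj) if fn else False

if __name__ == "__main__":
    analyst = Label("secret", frozenset({"crypto"}))            # constructed subject
    memo = Label("confidential", frozenset({"crypto"}))         # constructed objects
    summary = Label("top_secret", frozenset({"crypto", "nuclear"}))
    print(check("blp", "read", analyst, memo))      # True: reading down is allowed
    print(check("blp", "write", analyst, memo))     # False: writing down is denied
    print(check("blp", "write", analyst, summary))  # True: writing up is allowed
```

Note that the *-property denies the write even though the analyst may read the memo: the model blocks the downward flow, not the subject's knowledge, which is exactly the indirect-access concern the flow-based models above address.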

Business Continuity Plan (BCP)

Faced with the increasing criticality of information systems within companies, it is now essential to have a plan to secure the activity.

The plan is divided into two distinct levels:

  • The Disaster Recovery Plan (PRA), also called “cold” recovery, which is used to restart the activity “quickly” after a disaster, by restoring a backup system with the data from the last backup;
  • The Business Continuity Plan (BCP), also called “hot” recovery, which, through a redundant infrastructure and continuous data replication between sites, maintains the activity in the event of the major loss of one of the sites.

Each of these plans attempts to minimize data loss and increase responsiveness in the event of a major disaster; an effective BCP must in principle be virtually transparent to users and guarantee data integrity with no loss of information. The choice of one solution or the other is often determined by functional and budgetary constraints.

Technical Resources

Many technical means can be implemented to ensure information system security. The means chosen should be necessary, sufficient and proportionate. Here is a list of technical means that can meet certain information system security needs:

  • Access control to the information system;
  • Network monitoring: Snort, intrusion detection systems;
  • Application security: privilege separation, code auditing, reverse engineering;
  • Use of ad hoc technologies: firewalls, UTM, anti-malware (antivirus, anti-spam, anti-spyware);
  • Cryptography: strong authentication, PKI, encryption.

Source: From Wikipedia, the free encyclopedia. The text is available under the Creative Commons license.
