Security of Information Systems and Transactions

Modern businesses depend on the use of information. Achieving business goals requires accurate, complete and timely information, and modern information technology supports and improves business processes so that those goals, and a competitive advantage, can be reached.
Information systems are key factors in the operations of every organization. Their use in business is the foundation for developing new products and services and thus shapes competitive advantage. An information system is, in essence, the interaction between information technology, data, data-processing procedures, and the people who collect and use the information.

The fundamental principles of information systems
For an information system to fully meet the requirements of a successful business, it must be based on the following fundamental principles (the first three are the classic confidentiality, integrity and availability triad; the rest are security services built on top of them):

  • Confidentiality: the property that information is not made available or disclosed to unauthorized entities
  • Integrity: the property that information being processed is not altered unexpectedly or without authorization
  • Availability: the property that information is accessible and usable on request by an authorized entity
  • Non-repudiation: the inability of a party to deny having performed an action or having received information
  • Provability (also called accountability): the property that activities can be traced to the entity that performed them
  • Authentication: the property that the identity of an entity is verified to be exactly what it claims to be
  • Reliability: the property of consistent and expected behaviour and results

Violating these fundamental principles can be catastrophic for the business reputation of the organization. A breach of the integrity of an information system or of its information may lead to incorrect, fraudulent or erroneous decisions. Loss of confidentiality can lead to serious breaches of applicable laws and to the loss of customer trust. Unavailability of an information system disrupts the continuity of operations and may interrupt vital business processes. It is therefore necessary to pay great attention to the management of information systems as an integral part of managing the organization as a whole. An essential part of managing an information system is an information security management system.


Information Security Management System
Information security means protecting information and information systems from a wide range of risks in order to ensure continuous operations, minimize damage due to loss of information, maximize return on investment, and keep the reputation of the organization at a high level.
An Information Security Management System (ISMS) ensures that the information essential for the successful operation of the organization is secure and always available. Adoption of an ISMS must be a strategic decision of the organization. The design and implementation of an ISMS are influenced by the organization's needs and objectives, its security requirements, its processes, and its structure and size. The ISMS, and the systems supporting it, are expected to change over time as the organization's needs change.


Risk Management
Implementing an ISMS means paying special attention to the management of risk arising from the use of information systems. Risk management is a process that allows organizations to balance the operational and economic costs of the protective measures which preserve the security of their information systems against the risks those measures reduce. It consists of risk identification, risk assessment, and taking steps to reduce risk to acceptable levels.
A threat is a situation that could cause damage to an information system.
A vulnerability is a set of conditions that may allow a threat to harmfully affect the information system.

A harmful event occurs when a particular threat exploits a vulnerability in an information system to cause damage.

Risk is a function of the probability that an identified threat source will exploit a particular vulnerability of the information system and of the impact that the resulting harmful event can have on the organization.

Risk identification and assessment consist of the following steps:

1) determining the probability of threats

2) determining the probability of vulnerability exploitation

3) determining the probability of harmful events

4) analysis of the consequences of harmful events

5) determining the cost of consequences of harmful events

6) determining the extent of risk

Based on the risk identification and assessment, protection measures are recommended. Protection measures derived from the risk assessment consist of the following types of actions:


1) preventive actions that prevent possible harmful events from occurring

2) actions to manage a harmful event while it is occurring

3) actions to remove the consequences of a harmful event

In the implementation of preventive actions it is necessary to:

  • determine whether the recommended protective measures are covering all identified risks
  • if necessary, propose additional protective measures
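The six assessment steps and the coverage check above can be carried out on a small risk register. The following is an added example written for this page, not a tool or method from the original article: the register, the probabilities, the costs, the acceptable-loss threshold and the assumption that the threat probability and the exploitation probability are independent (so that the harmful-event probability is their product) are all constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed risk register. Probabilities are annual and are assumed
# independent (an assumption of this example); costs are in arbitrary units.


@dataclass
class Risk:
    name: str
    p_threat: float            # step 1: probability the threat source acts in a year
    p_exploit: float           # step 2: probability the vulnerability is exploited, given the threat
    consequence_cost: float    # steps 4-5: cost of the consequences of the harmful event
    controls: list = field(default_factory=list)  # recommended protective measures
    control_effect: float = 0.0  # fraction by which the controls reduce p_exploit (assumed)


def p_harmful_event(r: Risk) -> float:
    """Step 3: probability that the threat actually exploits the vulnerability."""
    return r.p_threat * r.p_exploit


def risk_extent(r: Risk) -> float:
    """Step 6: extent of risk expressed as expected annual loss (probability x cost)."""
    return round(p_harmful_event(r) * r.consequence_cost, 2)


def residual_risk(r: Risk) -> float:
    """Extent of risk that remains once the recommended controls take effect."""
    return round(p_harmful_event(r) * (1 - r.control_effect) * r.consequence_cost, 2)


def prioritise(risks):
    """Risks ordered by extent, highest first, for treatment planning."""
    return sorted(risks, key=risk_extent, reverse=True)


def uncovered(risks, acceptable):
    """The coverage check: risks that have no protective measure at all, or whose
    residual extent is still above the acceptable level, need additional measures."""
    return [r.name for r in risks if not r.controls or residual_risk(r) > acceptable]


REGISTER = [
    Risk("Ransomware delivered by phishing", 0.9, 0.3, 200_000,
         ["mail filtering", "offline backups"], 0.6),
    Risk("SQL injection in customer web portal", 0.8, 0.25, 150_000,
         ["parameterised queries", "WAF"], 0.9),
    Risk("Flood in server room", 0.05, 1.0, 500_000,
         [], 0.0),
    Risk("Insider copies customer database", 0.2, 0.5, 100_000,
         ["DLP", "access reviews"], 0.5),
]

ACCEPTABLE_ANNUAL_LOSS = 10_000  # risk acceptance level set by management (assumed)

if __name__ == "__main__":
    for r in prioritise(REGISTER):
        print(f"{r.name:40s} p={p_harmful_event(r):.3f} "
              f"risk={risk_extent(r):>10,.2f} residual={residual_risk(r):>10,.2f}")
    print("needs additional measures:", uncovered(REGISTER, ACCEPTABLE_ANNUAL_LOSS))
```

Running it lists the risks from the largest extent (the phishing-borne ransomware) to the smallest, and the coverage check flags two entries: the flood, which has no protective measure recommended at all, and the ransomware, whose residual expected loss stays above the acceptance level even after the recommended controls. Those are the risks for which the article says additional measures must be proposed.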


While a harmful event is occurring it is necessary to:

  • identify the place, time and extent of the harmful event
  • prepare the first report on the harmful event

When removing the consequences of harmful events it is necessary to:

  • remove the physical remains of the harmful event (water, collapsed and damaged material, burnt residues) if needed
  • assess the damage
  • restore the damaged computer equipment so that lost data and programs can be reconstructed

International Standards
Compliance with the international standards ISO/IEC 27001 and ISO/IEC 27002 raises the level of information security and defines protection measures. The direct benefits an organization gains by adopting these standards are the trust of its clients and partners, significant savings on the costs it would otherwise incur through loss of vital information, and compliance with legal requirements.

ISO/IEC 27001 is an international standard that provides a basic model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an ISMS. It is harmonized with the international standards ISO 9001:2000 and ISO 14001:2004 in order to support consistent and integrated implementation and operation in accordance with related management standards. A properly designed management system can therefore meet all of these standards at once.

ISO/IEC 27001 defines the requirements for implementing security controls tailored to the needs of each organization or part thereof. The requirements established in the standard are generic and are intended to be applicable to all organizations, regardless of their type, size and nature.

The ISMS must be designed to ensure the selection of adequate security controls that protect valuable information and give confidence to interested parties. ISO/IEC 27002 provides the guidelines that can be used when designing those controls.

Any exclusion of a control that is needed to satisfy the risk treatment criteria must be justified, and evidence must be provided that the associated risks have been accepted by top management. Where controls are excluded, a claim of conformity with ISO/IEC 27001 is not acceptable unless the exclusions do not affect the organization's ability to provide adequate information security.


 

Suzana Stojaković – Čelustka, PhD is an expert in the field of information security. Her related positions have included: CEO of CARNet CERT (Croatian Academic and Research Network Computer Emergency Response Team) in 1997; CEO of the CARNet Department for security of computer networks in 1998; assistant for information security in the Office for internetization of the Croatian Government, 2002-2004; senior advisor for information security in the Central State Office for e-Croatia, including development of the National program of information security in the Republic of Croatia, 2004-2006; and CISO (Chief Information Security Officer) at the Croatian Bank for Reconstruction and Development (current position).

She also lectures on information security topics on various occasions and is an editor at the Croatian Information Security Portal (http://www.sigurnost.info). She received her BSEE and M.Sc. at the Faculty of Electrotechnical Engineering, University of Zagreb, Croatia, and her Ph.D. at the Faculty of Electrical Engineering, Czech Technical University of Prague, Czech Republic. Her Ph.D. thesis, Building Secure Information Systems, can be found at http://www.oocities.com/suzana_sc2001/index.htm. Her other interests include research in computer architecture, distributed systems (networking), algorithmics, artificial intelligence and artificial life.

She is an active member of IFIP W.G. 9.6/11.7 (Working Group 9.6/11.7 - Information Technology Mis-Use and the Law, IFIP Technical Committee 9 - Relationship between Computers and Society) and IFIP W.G. 16.5 (Working Group 16.5 - Social and Ethical Issues in Entertainment Computing, IFIP Specialist Group on Entertainment Computing).




Comments (2)
  • Rubina  - Security dimensions vs basic security services

    Confidentiality, Integrity and Availability are often described as the main Security Principles, or views. I have often found that concepts such as authentication, authorization, or non-repudiation are described as basic security services. However, various authors have provided their own versions (i.e., sets) of the basic security services. I wonder what criteria they used to determine a set of basic security services.

  • Rubina  - ISO 27001/2 and Cloud

    Are ISO 27001/2, that is ISMS, applicable to cloud services?
