
Information  Security and Privacy




Among the tips is this: keep secrets. “Learn to shut your mouth. It’s not rude, but a good practice, to refuse to talk about those things that might compromise security.” That doesn’t mean you turn non-communicative because: “It’s one thing to share a security-hardening tip, or to alert someone to a bad practice that can be corrected. It’s another thing to reveal your own system’s security weaknesses by talking about them to others.”

If there are high-risk systems in your organisation, requiring extra physical security, you may consider the following at workstation level: “a BIOS password; a required syskey Windows boot password; a smart-card, token, and/or biometric for administrator logon; removal of floppy, CD-ROM, or other removable drives; disabling of USB, serial, and other communications ports in the BIOS; hardware locks on cables and drives; physical locks that prevent theft of the workstation; and alarms that warn of computer movement.”

‘Harden WetWare’ says the last chapter. WetWare? That’s “the people part of an information system,” explains the author. An important lesson for techies is to learn to speak business, because “management is not going to learn to speak geek.” So, express security concerns in the context of business value, advises Bragg. “If you have trouble thinking what the business value is, just think money.”

Ignorance of law is no excuse, and there are laws beyond Moore’s and Murphy’s. In the US context, there is the Gramm-Leach-Bliley Act that requires financial institutions to implement a security program that safeguards customer info. HIPAA or the Health Insurance Portability and Accountability Act requires the protection of health-related personal information that is maintained electronically. The Sarbanes-Oxley Act or SOX emphasises internal controls. The Computer Fraud and Abuse Act “seeks to punish people whose unauthorised access to computer causes harm.” Likewise, there are laws on wiretap, economic espionage, and electronic communications privacy.

It’s hard to think of hardening if you trust too much in the goodness of the world. So, first harden your heart before bulletproofing your systems, because there are those with guns outside!

Source: http://www.thehindubusinessline.in/ew/2004/09/27/stories/2004092700160200.htm

5.9 Summary

• Physical security is an essential part of a security plan. It forms the basis for all other security efforts, including data security.

• A physical threat to a computer system could result from loss of the whole computer system, damage to hardware, damage to the computer software, theft of the computer system, vandalism, or natural disasters such as flood, fire, war, earthquakes, etc.

• Certain natural disasters could either severely damage the computer system directly, or prevent its operation.

• To restrict physical access, a security system must be able to differentiate between authorized and unauthorized individuals.

• Intrusion Detection System (IDS) technology is an important component in designing a secure environment. It is a type of security management system for computers and networks.

• An IDS gathers and analyzes information from various areas within a computer or a network to identify possible security breaches, which include both intrusions and misuse.





