Protection of Information Assets

INTRODUCTION

The most critical factor in protecting information assets and privacy is laying the perfect foundation for effective security management. The advent of electronic commerce and trading directly with customers through service providers has led to high profile security exposures such as viruses, denial of service (DoS) attacks, intrusions and unauthorized access, disclosures and identity theft over the internet. All these exposures have raised the profile of information and privacy risk and especially the need for information security management.

Integration of security engineering to system development life cycle

"Security systems engineering process is the process of discovering stakeholders', customers' and users' information protection needs and then designing and making information systems, with economy and elegance, so they can safely resist the forces to which they may be subjected."

When developing information systems the most preferred traditional method is to assess system of its security details after the IS development project is completed. However due to certain security breaches and increase in security threat level has led to the belief that it does not guarantee ideal IS security. It is found out that the reason to this failure is because it is not designed according to certain organizational IS environments. Therefore as an alternative integrating both security engineering and SDLC has become a vital process in developing solutions.

The model shown above is a perfect representation of integration between IS and SDLC and will be useful in understanding the steps of how the process is carried out.

Discover information and protection needs

The objective of the first stage of development is to understand the scenario and the documents customers need. The information systems security engineer (ISSE) should have a look at various areas of customer's business such as operations, human resources, engineering in order to gather background knowledge which will eventually help to develop a systems concept of operations (CONOPS) documents. Thereafter with the information gathered from systems CONOPS an information management module (IMM) and information management policy (IMP) documents are produced. The system CONOPS and the security CONOPS will be explained thoroughly in the security requirement phase for clear understanding purpose. IMM is responsible for breaking down all the required information into different parts. All the necessary creating, acquiring, processing, storing and retrieving of information made the IMM and for all the information that is being processed the principle of least privilege was applied. The principle of least privilege makes information accessible to the users