Introduction
An I.T. security program, like any other program in an organization, begins with objectives and strategies. The organization first sets its security aims (objectives): how secure should the I.T. systems be, and who should have access to them? These objectives are then translated into courses of action (strategies) that will fulfil them: how is that level of security to be achieved? The strategies are then written down as policies that govern the allocation of resources to security and the routine processes that implement it. This paper focuses on the expertise, skills and academic/professional qualifications required to implement and maintain security policies; the segregation of duties among tasks and employees at organizational and governmental levels; the reasons for building security into application development; and the use of certain malware (such as logic bombs) to compromise I.T. security.
The CISSP (Certified Information Systems Security Professional) certification covers the following domains:
- Telecommunication Network Security
- Access Control
- Cryptography
- Information Security Regulations and Governance
- Risk Management
- Application Development Security
- Business Continuity
- Disaster-recovery and Back-up Planning
- Physical and Environmental Security
- Operational Security; and
- Legal, Investigative and Regulatory Compliance.
The CISSP certification is intended for individuals with several years of professional experience in two or more of the domains listed above (the standard requirement is five years, reducible to four with a one-year waiver for a qualifying degree). At an organizational level, education must be comprehensive and top-down, covering everything from mainframes to PCs. Training is offered in many forms and formats: classroom-based, paper-based or self-study. It must be an ongoing activity, and the material for every domain must be kept current with recent changes in security measures and techniques. Furthermore, education and training are tailored to the job description and designation in the organizational hierarchy.
Separation of Duties
There are four major types of information system policy: program-framework policy, system-specific policy, program-level policy and issue-specific policy. The concept of segregation (separation) of duties belongs under program-level policy. It refers to the way an organization attempts to prevent individual employees and users of the information system from committing an act of harm, theft or fraud, whether alone or in collusion with other employees, by ensuring that no single person controls every stage of a sensitive transaction. The following measures are taken to ensure this separation:
- an employee is not allowed to review or approve his/her own work;
- production and testing are run in separate environments by separate departments, with separate staff;
- the duties involved in encryption key generation are divided among several people, with frequent job rotation among the employees of the department concerned;
- an encryption key is split into two components (split knowledge), each held by a different custodian, so that neither custodian can reconstruct the key alone (dual control); and
- the HR department implements effective policies and procedures to evaluate, screen, background-check, hire, train and, should the need arise, terminate employees.
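The key-splitting measure above is the one item in this list that is a concrete technique rather than a policy. The following Python example is added here to illustrate it; it is not code from the paper or from any cited source. It splits a 256-bit key into two XOR components, so that either component on its own is a uniformly random string carrying no information about the key, and enforces dual control by refusing to recombine components unless two different custodians present them. The `Custodian` class and the custodian names are assumptions made for the illustration.

```python
import secrets
from dataclasses import dataclass
from typing import Tuple

KEY_LEN = 32  # 256-bit key, e.g. an AES-256 master key


def split_key(key: bytes) -> Tuple[bytes, bytes]:
    """Split `key` into two XOR components (split knowledge).

    component_a is drawn uniformly at random, so by itself it reveals
    nothing about the key; component_b = key XOR component_a.  Only the
    XOR of both components gives the key back.
    """
    if len(key) != KEY_LEN:
        raise ValueError("unexpected key length")
    component_a = secrets.token_bytes(KEY_LEN)
    component_b = bytes(k ^ a for k, a in zip(key, component_a))
    return component_a, component_b


def combine_key(component_a: bytes, component_b: bytes) -> bytes:
    """Reconstruct the key from its two components."""
    if len(component_a) != KEY_LEN or len(component_b) != KEY_LEN:
        raise ValueError("unexpected component length")
    return bytes(a ^ b for a, b in zip(component_a, component_b))


@dataclass(frozen=True)
class Custodian:
    """Hypothetical record of who holds which component (illustration only)."""
    name: str
    component: bytes


def reconstruct_under_dual_control(first: Custodian, second: Custodian) -> bytes:
    """Dual control: two *different* custodians must each present a component.

    The check on the custodian name is the separation-of-duties control;
    without it one person who obtained both components could act alone.
    """
    if first.name == second.name:
        raise PermissionError(
            "dual control violated: the same custodian supplied both components"
        )
    return combine_key(first.component, second.component)


if __name__ == "__main__":
    master_key = secrets.token_bytes(KEY_LEN)          # generated for the demo
    part_a, part_b = split_key(master_key)
    alice = Custodian("alice", part_a)                 # hypothetical custodians
    bob = Custodian("bob", part_b)
    assert reconstruct_under_dual_control(alice, bob) == master_key
    print("key recombined under dual control; neither component equals the key:",
          part_a != master_key and part_b != master_key)
```

Each custodian's component should be stored on separate media under separate physical controls; the two-way XOR split generalises to k-of-n sharing (Shamir's scheme) where more custodians are involved, but the two-person case shown here is the one the policy item describes.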
Two U.S. federal laws call for separation of duties in their sectors: the Health Insurance Portability and Accountability Act (HIPAA) in health care and the Gramm-Leach-Bliley Act (GLBA) in banking. HIPAA requires covered entities to safeguard patients' medical information and to limit access to it to the practitioners and staff who need it for treatment, payment or operations. GLBA requires financial institutions to safeguard customers' non-public financial information; in banking practice this includes independent verification of customer accounts, balances, payables and receivables by a second person. Employee-screening companies are likewise required to verify that a person claiming to be a government contractor actually holds the government clearance in question. All these measures achieve double-verification through segregation of duties. A different model applies in the U.S. military services and the Department of Defense (DoD): duties are not segregated and documentation is not double-verified for regular employees across the board; instead, verification and clearance are required only for personnel who need access to sensitive data and have been authorized to receive it, whether members of the military, civilian DoD employees, government contractors' employees, FBI staff or financial checkers. In developing countries a similar concept of segregation of duties is observed, with local banks regulated by an autonomous central (state) bank and military clearance requiring government approval.
Reasons for Security in Application Development
Under the System Development Life Cycle (SDLC), security analysts and software designers take steps to safeguard their applications against anticipated viruses and other attacks, rather than relying on counter-measures applied only after an attack has occurred. Implementing security and control measures at every stage of the SDLC is vital, as terabytes of information, billions of dollars and personal identities are at stake.
When considering security in application development, security professionals should be concerned with the following questions:
- What protection/security level is required?
- Who will have access to the system, and at what levels?
- Will the data be made available to external users?
- How large will the external user base be?
- What testing will be required of the existing system, of the protection applied to it and of its susceptibility to malware?
- What kind of access controls and, where needed, data encryption are required? And
- What kind of security testing is appropriate at the module/program level, at the subsystem (group of programs) level, and at the operating-system level?
System security professionals are required to stay up to date with recent trends and changes in the threats to application software. This calls for increased education and training of existing and prospective software engineers, as recommended by the Education subgroup of the 2004 task force report Improving Security Across the Software Development Life Cycle. Programmers can take security certification and accreditation courses and other workshops, outside academic programs, that focus on software security and control measures.
Logic Bombs
In the context of malware, a logic bomb is hidden code whose triggering is contingent on a certain date, the occurrence of a certain event or some other specific condition. One of the earliest and best-known victims was Omega Engineering, a company that manufactured measuring devices for NASA and the U.S. Navy. Timothy Lloyd, a former programmer at the company and a disgruntled employee, planted a logic bomb that deleted all of the company's research, development and production programs, including their backups. The bomb triggered about three weeks after his termination. It caused losses estimated at up to USD 10 million, as the company had to recreate the data from scratch. Lloyd was caught and, although initially released on a $25,000 bond, was later found guilty; the offence carried up to five years in federal prison, and he was sentenced to 41 months.
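What makes a logic bomb of the kind described above hard to spot is that the payload sits inside otherwise legitimate maintenance code and is guarded by a condition that is normally false. The following Python example is added here to show one practical check a reviewer can run; it is not code from the paper or from the Omega case. It parses Python source with the standard `ast` module and reports every `if` whose condition references a date, clock or current-user lookup and whose guarded body performs a destructive file operation. The sample source it scans is constructed for the illustration (the function names, paths, date and user name in it are invented), and it is never executed, only parsed.

```python
import ast
from typing import List

# Calls that destroy or overwrite data.  A hidden trigger next to one of these
# is the pattern worth a reviewer's attention.
DESTRUCTIVE_CALLS = {
    "os.remove", "os.unlink", "os.rmdir", "shutil.rmtree",
    "os.system", "subprocess.call", "subprocess.run",
}

# Name fragments that suggest a date-, time- or identity-based trigger.
TRIGGER_NAMES = {"date", "datetime", "time", "today", "now",
                 "getlogin", "getuser", "environ"}


def _dotted_name(node: ast.AST) -> str:
    """Render `a.b.c` style references; other node kinds yield ''."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        return f"{_dotted_name(node.value)}.{node.attr}"
    return ""


def _mentions_trigger(test: ast.AST) -> bool:
    """True if any name in the condition looks like a date/clock/user lookup."""
    for sub in ast.walk(test):
        if isinstance(sub, (ast.Name, ast.Attribute)):
            parts = _dotted_name(sub).lower().split(".")
            if any(part in TRIGGER_NAMES for part in parts):
                return True
    return False


def _destructive_calls(body: List[ast.stmt]) -> List[str]:
    """Collect destructive calls anywhere inside the guarded block."""
    found = []
    for stmt in body:
        for sub in ast.walk(stmt):
            if isinstance(sub, ast.Call):
                name = _dotted_name(sub.func)
                if name in DESTRUCTIVE_CALLS:
                    found.append(name)
    return found


def find_suspect_triggers(source: str) -> List[dict]:
    """Return one finding per `if` that pairs a trigger-like condition with a
    destructive action in its body.  Findings are review prompts, not proof."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.If) and _mentions_trigger(node.test):
            calls = _destructive_calls(node.body)
            if calls:
                findings.append({
                    "line": node.lineno,
                    "condition": ast.unparse(node.test),
                    "calls": sorted(set(calls)),
                })
    return findings


# Constructed sample: one legitimate housekeeping job and one hidden payload.
SAMPLE_SOURCE = '''
import os, shutil, datetime, getpass

def rotate_logs(path):
    # legitimate: deletion is gated on size, not on a date or a user
    if os.path.getsize(path) > 10_000_000:
        os.remove(path)

def nightly_maintenance():
    # hidden payload: fires after a date, once the author's account is gone
    if datetime.date.today() > datetime.date(1996, 7, 30) and getpass.getuser() != "former_dev":
        shutil.rmtree("/srv/production")
        os.remove("/srv/backups/latest.tar")
'''

if __name__ == "__main__":
    for finding in find_suspect_triggers(SAMPLE_SOURCE):
        print(f"line {finding['line']}: {finding['calls']} guarded by "
              f"`{finding['condition']}`")
```

The check is deliberately a heuristic: a legitimate retention job that deletes files older than a date will also be flagged, and a determined insider can obscure both the condition and the call. Its value is as a prompt for the separation-of-duties control discussed earlier in this paper: deployment of maintenance code should require review by someone other than its author, and findings like the one above are what that reviewer should be asked to explain.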