Computer Security to Ensure Online Privacy, Research Paper Example
Abstract
Information security management has become extremely prevalent as more and more of individuals' information and vital data is stored, transferred and used in information technology systems. With the ease of access to and use of personal information, there is also a growing need for laws and regulations governing the use, access and security of that data. Alongside those laws and regulations, there are specific techniques and best practices that can be implemented at each level of access to mitigate the risk of a security breach and provide control over the integrity of the information. Each area of information security has specific focal points for ensuring data security and includes risk mitigation as a keystone of data integrity.
Information Systems Security
Despite the increase in network and data center security through the most up-to-date and technologically advanced security modules, there is still the potential for a security breach that poses a threat to the network. Criminals and other people with malicious cyber intent are currently exploring and creating new ways of bypassing or superseding security software in order to gain access to classified material such as banking information, personal data, competitors' intellectual property or other information that may provide a potential advantage or gain to the criminal. Information security requires a high level of rigor in safeguarding the information and ensuring that it is used appropriately and serves its intended purpose. To ensure that these key areas are focused upon, there are rules, policies, regulations and laws that create an environment that can adequately safeguard private information. There are specific rules and regulations governing subject areas such as patient information, employee data, demographics, credit card data, social security numbers, financial information, research and development, intellectual property and disclosure options, to name a few (Cappelli, 2012).
Introduction
Data is a powerful tool, and protecting that information is the responsibility of many parties. From the individual making the transaction to the corporation that uses that data to better serve its customers, each level must follow the regulations and comply with the laws governing information security. This information is gained by taking advantage of potential weaknesses in the security systems through physical or opportunistic methods. These losses could result in the loss of business-critical information or the loss of a competitive advantage, both of which could negatively impact the company as a whole. Accordingly, information or data is vital for organizations. They need to protect their data from competitors, hackers, cyber criminals and many more (Calder, 2008).
Understanding Cyber Security
Risk is the possibility of a deviation from the expected result. Many people who monitor, control, review or evaluate risk associate it with a potential loss or an undesirable outcome for an intended plan, project, process or system. The result of a risk can be tied to specific outcomes or costs. Cyber security revolves around the protection and sustainability of information and data in the face of threats. Information needs to be protected from multiple threats to avoid disruption, integrity violations, theft, destruction or other malicious activities against a person's or organization's information. Cybersecurity is the safeguarding of the data and information on the information network. The security of information and the actions necessary to safeguard it depend heavily on the variables of the risk, such as the probability or likelihood of occurrence, the level of deviation from the intended plan and the breadth or impact of the risk.
Managing risk is vital to the protection of data in the world of information security. It is necessary to develop a risk management plan and incorporate all of the risks identified by the risk analysis. These risks would then align with the mitigation plan, in which the IT team would develop the appropriate steps to limit the exposure of the data to those risks. Mitigating all of the risks associated with a project would require a tremendous devotion of time and funding. It is up to the security team to prioritize the risks and build a contingency plan based upon those risk measurements and that prioritization. Managing the resources devoted to the mitigation of risks is just as important as managing the resources solely devoted to the project's progression toward completion. There needs to be a balance between risk acceptance and the benefits provided by expending resources toward the negation of those risks. There is a point of limited payback on the investment to mitigate the risks, and finding it is up to the project manager and the use of the risk management plan.
Cloud computing must take into account the many aspects of information security, including policies, technologies, controls and best practices.
Online Threats
Ever since the first connection between computing systems, there has been a risk to the data being transferred. To understand the methods for securing a computer system, it is important to know the types of threats as well as a brief history of each. Threats can enter your network through direct or indirect attacks. A direct attack involves transferring data or viruses through external media sources directly connected to the computer or network. Examples of this would be executable files transferred through the use of CDs, DVDs or USB devices. Indirect transfer includes utilizing third-party computers connected to the same network. The first instance of computer security dates back to 1945, when Rear Admiral Grace Murray Hopper found an uninvited visitor within the relays of her vessel. A moth was trapped among the computer components and, ever since, the terms “bug” and “debugging” have become synonymous with removing things that impede a computing system's progress. In 1979, the first “worm” was discovered at Xerox’s Research Center. Initially, worms were created as ways to improve performance and security, but this process was misappropriated by hackers and led to ways to infest computers with malicious intent. As time progressed, so did the ability to cause destruction and breaches of security. In 1983, a student at the University of Southern California created the first computer “virus”, which then led to a self-modifying virus produced seven years later. In 1998, this type of infection was used to control over 500 military, governmental and civilian computers. The suspects were two teenagers from a town in California. In recent events, cyber terrorism has occurred in which Russian hackers stole passwords and usernames, which gave them the ability to steal and modify information as they pleased. As the old cartoon character “Pogo” once said, “We have met the enemy and he is us” (Weisman, 2013).
As the capability of mobile platforms increases, the internet becomes more of a risk. Identity theft or misrepresentation of information is a tremendous risk due to lack of security. Moreover, identity thieves can take your personal data and use it to harm you in several ways, such as gaining access to your account, using your name or ID to create new things, changing or deleting things using your name and committing cybercrimes under your name.
Forming a secured internet system requires multiple layers of security to create a redundant and secure system. Each layer has its own unique strengths and weaknesses, and each layer complements the other layers' weaknesses with its own strengths and vice versa. This in essence would create a nearly impervious security system which would negate risks to the network, information and other information technology systems. This umbrella of cohesive and conjunctive security layers will provide the confidentiality of information, the integrity of the data and the ability for the users to access the system as needed in a secure environment.
To ensure privacy protection, each of the risks can be looked at and mitigated through evaluation and planning. Depending on the risk and the probability of that risk, different tactics can be implemented. Ensuring the privacy of the individual’s data can occur on varying levels, from the individual’s level to the information technology firm utilizing the data. There are two key components to information security. The first is the IT security that protects the data. This is the computer software and hardware that applies specific security measures to safeguard the personal information and data. The other pillar is information assurance. These are the acts or measures put in place to ensure not only that the data is protected but also that the integrity of the information remains in its intended form. IT security and information assurance are coupled together to protect data and contribute to the usability and purpose of that information. Examples of privacy protection in the realm of IT security would include anti-spyware, firewalls to prevent hacking into the corporation’s information and security settings using passwords to limit access.
Privacy Strategy
Forming an organizational information security system that limits both the physical and logical vulnerabilities requires multiple layers of security to create a redundant and secure system. Each layer has its own unique strengths and weaknesses, and each layer complements the other layers' weaknesses with its own strengths and vice versa. This in essence would create a nearly impervious security system which would negate risks to the network, information and other information technology systems. This umbrella of cohesive and conjunctive security layers will provide the confidentiality of information, the integrity of the data and the ability for the users to access the system as needed in a secure environment.
Many tasks are required to provide a secure environment for information. They are required because there are numerous risks or threats to IT systems, and there must be a risk mitigation plan and action for each threat. While some threats do not necessarily pose a clear and immediate danger, there are threats that are present at every moment. The goal is to limit the number of actions necessary while also eliminating the risks to the IT systems and services. Some examples of necessary tasks include data classification, firewall maintenance, record maintenance and virus protection. While these are only a few of the tasks that involve the security of IT resources, they show a small snapshot of what is necessary to keep the IT resources secure.
In order to accomplish certain security tasks, responsible individuals must be assigned. A couple of examples are the Information Security Architect and the ethical hacker. The role of the IS Architect is to design a secure and redundant system to thwart risks and provide a safe and secure IT environment. The next is the ethical hacker, whose task is to try to break into their own system using the same measures and countermeasures that a threat from outside would utilize. These roles provide key aspects of a secure IT environment (Cooper, Grey, Raymond, & Walker, 2005).
Passwords and Data Protection
Passwords are the first line of defense against unintended intrusion into the secured system. Passwords grant access to the appropriate people and systems on the network and deny it to others. Choosing a password that is not easily decrypted or guessed is paramount because of the capability a person or entity would immediately have once access is granted. A strong password exponentially degrades the capability of the intruder to gain access to the system, thus protecting the information at the first available opportunity. Once a strongly constructed password has been created, it is necessary to protect it. This includes not writing it down, not sharing the password and not providing clues as to what the password would be. The password should never be kept in any place other than one’s own mind, due to the inherent risk of theft if the password is stored in a physical location.
To further protect data, there is a useful set of technological advances that allows an electronic document to be signed, carrying the legally binding act of signing a document over to an electronic version of that document. Companies are moving toward a paperless workplace environment, and as we move in that direction there is a need for a verified and authorized document that holds the same weight as a paper copy signed in ink (Stamp, 2011). Some direct examples of digitally signed documents would be the budgets passed through the federal and state governments. These documents are sanctioned and signed by the governmental leadership and can be electronically dispersed to be acted upon. Other examples would be transcripts from college, work records and other personal data that would need to be validated and confirmed as accurate. A digital signature serves different purposes. One main reason for a digital signature is to guarantee the authenticity of the document. With a digitally signed copy, the person signing the document is validating the document's authenticity. Along with the authenticity, there is the question of the document’s integrity. This is slightly different from authenticity but holds some of the same characteristics. The integrity is confirmed by the signer of the document, who verifies that the document has not been altered or changed in a way that could compromise its intent.
Privacy and the safeguarding of individuals' personal information involve multiple facets of prevention, protection and mitigation. Information technology advancements, coupled with the laws and regulations that govern our actions and how we treat data, allow for the mitigation of risk and lessen the chance of compromised data.
Encryption
Information security management has become extremely prevalent as more and more of individuals' information and vital data is stored, transferred and used in information technology systems. With the ease of access to and use of personal information, there is also a growing need for laws and regulations governing the use, access and security of that data. Alongside those laws and regulations, there are specific techniques and best practices that can be implemented at each level of access to mitigate the risk of a security breach and provide control over the integrity of the information. Additional security is provided through the use of Public Key Infrastructure (PKI), with a focus on both symmetric and asymmetric encryption. Each area of information security has specific focal points for ensuring data security and includes risk mitigation as a keystone of data integrity.
In order to fully grasp the potential of data encryption, with both its benefits and potential downfalls, it is important to know the types of encryption. Symmetric encryption has a long and time-tested history of use and is a widely used data encryption technique. In this version of data encryption, a key that only the sender and receiver know is applied to the data. This allows the sender to encrypt the message, in other words put it into a code, which only the recipient has the ability to decipher. This key allows easy communication between the sender and receiver as long as both have the key. While this is an easy and valid way of encrypting data, there are potential hazards to exchanging data with a single key. Information shared numerous times over a large network or even over the internet has increased exposure to the risk of someone cracking the key and obtaining the information that is supposed to be encrypted. Given symmetric encryption’s potential for risk exposure, there was a need for another type of data encryption that could provide a different type of protection if the information warranted heavier security. Asymmetric encryption utilizes a two-key foundation. The first key is a public key and, as the name states, it is for the public to use. This allows anyone to encrypt a message using that key and send the information to the recipient. This is where the two-key system comes into play. The second key is a private key. This key is held only by the recipient and is necessary in order to decrypt a message encrypted with the public key. A file that is encrypted with the public key can be decrypted only by using the private key that matches that public key. This keeps the private key away from exposure to external threats but still allows for the heavier yet slower encryption of the message (Cappelli, 2012).
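The two-key scheme described above, together with the authenticity and integrity properties of a digital signature from the previous section, as an added example that is not part of the original paper. It uses only Node.js's built-in `crypto` module; the function names and the sample document are constructed for illustration, and it goes slightly beyond the text by combining both kinds of encryption (a symmetric key protects the document, the public key protects only that symmetric key).

```javascript
// Added example (not from the original paper); uses only Node.js's built-in crypto module.
const nodeCrypto = require('node:crypto');

const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };
const PSS = { padding: nodeCrypto.constants.RSA_PKCS1_PSS_PADDING };

// A two-key (asymmetric) pair: the public half is shared, the private half is not.
function newKeyPair() {
  return nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
}

// Sender side. The document is encrypted with a fresh single-use symmetric key
// (AES-256-GCM, fast); only that 32-byte key goes through the slower public-key
// operation, so no shared secret has to be exchanged in advance.
function encryptFor(recipientPublicKey, document) {
  const key = nodeCrypto.randomBytes(32);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const ciphertext = Buffer.concat([cipher.update(document), cipher.final()]);
  return {
    wrappedKey: nodeCrypto.publicEncrypt({ key: recipientPublicKey, ...OAEP }, key),
    iv, ciphertext, tag: cipher.getAuthTag(),
  };
}

// Recipient side. Only the matching private key can unwrap the symmetric key.
// Throws if the private key is wrong or the ciphertext was modified in transit.
function decryptWith(recipientPrivateKey, envelope) {
  const key = nodeCrypto.privateDecrypt({ key: recipientPrivateKey, ...OAEP }, envelope.wrappedKey);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, envelope.iv);
  decipher.setAuthTag(envelope.tag);
  return Buffer.concat([decipher.update(envelope.ciphertext), decipher.final()]);
}

// Digital signature: made with the signer's PRIVATE key, checked with the PUBLIC key.
function signDocument(signerPrivateKey, document) {
  return nodeCrypto.sign('sha256', document, { key: signerPrivateKey, ...PSS });
}

// True only if this exact document was signed by the holder of the matching
// private key (authenticity) and has not been changed since (integrity).
function verifyDocument(signerPublicKey, document, signature) {
  return nodeCrypto.verify('sha256', document, { key: signerPublicKey, ...PSS }, signature);
}

// Helper for the demo: does decryption succeed with this key and envelope?
function canDecrypt(privateKey, envelope) {
  try { decryptWith(privateKey, envelope); return true; } catch { return false; }
}

// Constructed sample data.
const recipient = newKeyPair();
const signer = newKeyPair();
const transcript = Buffer.from('Transcript: J. Doe, B.Sc. awarded 2012 (constructed sample)');

const envelope = encryptFor(recipient.publicKey, transcript);
const signature = signDocument(signer.privateKey, transcript);
const altered = Buffer.from(transcript.toString().replace('B.Sc.', 'Ph.D.'));

console.log('recipient decrypts:', decryptWith(recipient.privateKey, envelope).equals(transcript));
console.log('other key decrypts:', canDecrypt(signer.privateKey, envelope));
console.log('signature valid:   ', verifyDocument(signer.publicKey, transcript, signature));
console.log('altered doc valid: ', verifyDocument(signer.publicKey, altered, signature));
```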
Data encryption provides a way to secure information over various networks and the internet. This increased capability to exchange information has had a great impact on global information exchange, but with the increased capability there are also increased challenges. Both symmetric and asymmetric encryption have their place in the world of information security, but they also have their vulnerabilities. Even with the increased protection of digital certificates, threats to information are still present. Increased capability comes with increased responsibility in information security.
References
Calder, A. (2009). Implementing information security based on ISO 27001/ISO 27002 (best practice). Van Haren Publishing.
Calder, A. (2008). ISO27001/ISO27002: A pocket guide. IT Governance Publishing.
Cappelli, P. (2012). How to get a job? Beat the machines. Time: Business & Money. Retrieved from http://business.time.com/2012/06/11/how-to-get-a-job-beat-the-machines/
Cooper, D. F., Grey, S., Raymond, G., & Walker, P. (2005). Project risk management guidelines: Managing risk in large projects and complex procurements. John Wiley & Sons.
Kizza, J. (2010). Computer network security. New York, NY: Springer Science Business Media.
Stamp, M. (2011). Information security: Principles and practice. Hoboken, NJ: Wiley.
Weisman, S. (2013). 50 Ways to Protect Your Identity in a Digital Age [electronic resource]: New financial threats you need to know and how to avoid them (2nd ed.). USA: Upper Saddle River, N.J.
Zimmie, K. (2004). Secure and mature: Combining CMMI SCAMPI with an ISO/IEC 21827 (SSE-CMM) appraisal. Retrieved from http://www.sei.cmu.edu/library/assets/zimmie-secure.pdf