The problem with the "technical edifice" is that it is of human design and can always be circumvented by human design. The simplest example would be that of the user who merely copies confidential data onto a flash drive and takes it off site. More sophisticated examples are offered by analogy. A century ago, more or less, designers of safes would look for unbeatable security systems, i.e. safes that couldn't be cracked. Constantly, however, criminal technology would match security technology, and safes would be cracked. Similarly, today we know that however good our security systems are, some time in the future some sophisticated design will allow unlicensed access to important data.
And while some breaches of security are purely technical (a well-written attack application), others rely on human behavior. For example, personnel in the "middle area" could be bribed. That is, security itself could be weakened either by intercepting the delivery of the security system or by placing someone within the security system itself.
The point is simple. No security system is so perfect it can be divorced from human behavior and attitude. What people do as routine behavior can be either security supportive or security weakening. Making unnecessary digital copies is threatening to a security system. Renaming them so they are not recognizable to company personnel is threatening. Removing them from the premises is really dangerous. Leaving them unattended is a major red flag.
It seems like a regular monthly occurrence that we read about a major data loss where a notebook computer is stolen from a vehicle while its user is eating at a restaurant, or that national security plans have been lost on some missing flash drive.
You weren't around, so I started this based on my interpretation of your question. Is this the nature of what you are looking for?
I need the answer to be broken into two answers, can you do that?
Do we really need to understand and place great importance on the informal controls prior to establishing security rules? Why or why not?
Even though information system security goes way beyond the security of the technical edifice, applications and organization resources can only be protected by using the latest security gadgets. Isn’t this a contradiction in itself?
Okay, ... Although I'm not sure I see the contradiction that is supposed to be implied in the second question. Maybe that's because I've done so much security support for some of my clients.
My analogy to the safes of yesteryear would apply in part to that. Let me think about a development that is clear.
Do you want two separate self-contained statements or two separate answers contained within a single document (which makes more sense to me as security is always two-pronged)?
Matthew, are you there?
I will need separate answers to each question.
I also have other questions, would you be available and how much?
1.Discuss the relationship between core security requirements and the principles of easiest penetration, timeliness and effectiveness.
2.What is the relative positioning of the Bell-LaPadula, Biba Integrity and Clark-Wilson models? How do you see one complementing the other?
3.Clearly encryption is essential in ensuring secrecy of communication. Identify characteristics of encryption that make it rather impossible to decrypt.
4.Differentiate between targeted attacks and target of opportunity attacks.
5.What kind of executive level support is essential for ensuring uptake of information system security? How should such a support be generated? What strategies can be put in place to ensure that executive level support is sustained over a period of time?
6.Development of security policies and their implementation is the responsibility of different roles in organizations. Discuss the differences in opinion with respect to development and implementation of security policies.
7.Establishing control structures in systems can best be achieved by focusing on requirement definitions and ensuring that controls get represented in basic data flows. Although such an assertion seems logical and commonsensical, identify and examine hurdles that usually prevent us from instituting such controls.
8.What is the systematic position of risk management in ensuring the overall security of an enterprise? Discuss giving examples.
9."Any reference to corporate governance results in discussing shareholders' responsibilities. Perhaps there needs to be a focus on shareholder rights." Comment and compare countries with a common-law tradition (UK, USA) and those with a codified civil-law tradition (Europe, former colonies). How does this impact the protection of information resources?
10.People who tend to pose the greatest IS security risks are those who have low self-esteem and strongly desire the approval of their peers. People who put more emphasis on associations and friendships relative to maintaining the organization’s value system can cause serious damage to the security. Discuss.
11."There are a number of independent security assurance and certification programs. Each claims itself to be the best in the industry and suggests that their certification allows companies and individuals to place a level of trust in the systems and practices." Can any security certification or assurance program guarantee a high level of success in ensuring security? Discuss.
12.Consider HIPAA and SOX as two cases in point. Consider aspects of each law and comment on the extent to which the laws demand extraordinary measure as opposed to regular good management. Discuss.
13. Information provided in an Intrusion Detection System is useful in dealing with computer crimes. Comment on the legal admissibility of such information.
14. Today security executives perform the difficult task of balancing the art and science of security. While the art relates to aspects of diplomacy, persuasion, and the understanding different mindsets, the science deals with establishing measures, forensics and intrusion detection. Given that security is indeed an art and a science, comment on the role of computer forensics in the overall security of the enterprise.
Wow, these are interesting questions. Some of these I can respond to off the top of my head; some require extensive research.
I know I don't have the time to deal with them all. More to the point, if you are under a time limit, you want more than one expert working on these questions. That means you need to separate them into meaningful bundles. Even a simple question like #13 has inherent difficulties -- for example, I know a lot about HIPAA and nothing about SOX, so I would have to waste your time researching SOX when someone else could probably deal with that quickly.
Moreover, even though by chance I am a useful source on the HIPAA part of the question, you would find more Experts in the Law categories. If you like, I can separate the questions for you into what I consider packages of equal difficulty and recommend what categories you put them in.
I would need them by next Thursday if you are available
Here, in the homework category, we have expertise in writing, in mathematics, in general technical areas (for example, chemistry, physics, history, poetry), and are good researchers. However, when we encounter a specialized question ("what is the best material for making a container to hold liquid nitrogen?"), that may mean we spend a lot of time researching what appears to be a simple answer ("the best material is ____") and then the customer feels we need too much for an answer and the Expert feels he is being offered too little. :-)
I could provide good support on 3, 4, and 10. That's because they all have a strong underlying psychological or mathematical/logical component, all of which are my specialties.
I have the expertise to help with or at least comment on 7, 11, 13 and 14.
But I bet there are Experts here who can fill in the holes faster. One way or another, whoever's working on these, you will need to separate the questions sufficiently that they match the value of the question enough for whoever will be doing the work.
Let's start with these first two and go from there, thanks
Good. I am going to seem to be leaving chat because I will work on those two in a word document, then come back and post the results.
Quick question: Did your teacher provide you with his/her definition of "informal controls"? This is a rather general phrase, and could be used in a number of different ways. If not, then I will use my own definition.
No, all of these are straight out of the book, which has not arrived at my location as of yet.
Good grief! That can't be much good for you. Well, I will deal with it.
Please let me know if the file above is visible to you.
Okay, I checked myself and don't see it. Next test: Is the following link visible and accessible? http://ww2.justanswer.com/uploads/TH/TheMathTeacher/2012-10-24_180122_informal_security_-_1.docx
And, yes, it is. Please read over the answer above to the first question. Here is the supporting document for the definition and conclusions:
Everything looks good for question #2, how do I see the answer to question #1?
I think you mean vice-versa. Question #1 is about informal controls.
Good. Working on 2 as we speak.
Here is part 2:
Yes, I am reading the second part
Okay. Let me know when you're done.
Everything looks good
Great. Any questions on anything in either of these?