Academia.eduAcademia.edu

Outline

Title
Abstract
Introduction
Related Work
Normatives and Procedures
Conclusion and Future Work
References

Article A Layered Trust Information Security Architecture

Profile image of Luis JavierLuis Javier

2014

https://doi.org/10.3390/S141222754
visibility

description

19 pages

link

1 file

Abstract

Information can be considered the most important asset of any modern organization. Securing this information involves preserving confidentially, integrity and availability, the well-known CIA triad. In addition, information security is a risk management job; the task is to manage the inherent risks of information disclosure. Current information security platforms do not deal with the different facets of information technology. This paper presents a layered trust information security architecture (TISA) and its creation was motivated by the need to consider information and security from different points of view in order to protect it. This paper also extends and discusses security information extensions as a way of helping the CIA triad. Furthermore, this paper suggests information representation and treatment elements, operations and support components that can be integrated to show the various risk sources when dealing with both information and security. An overview of how information is represented and treated nowadays in the technological environment is shown, and the reason why it is so difficult to guarantee security in all aspects of the information pathway is discussed.

Related papers

Addressing Information Security Risk
Carol Woody

Educause Quarterly, 2005

View PDFchevron_right
Unseen Power of Information Assurance over Information Security
Guy Mouanda

https://arxiv.org/pdf/2411.00799, 2024

Information systems and data are necessary resources for several companies and individuals, but they likewise encounter numerous risks and dangers that can threaten their protection and value. Information security and information assurance are two connected expressions of protecting the confidentiality, integrity, and availability of information systems and data. Information security relates to the processes and methods that block unlawful entry, reform, or exposure of data; in contrast, information assurance covers the expansive aspirations of ensuring that data is responsible, consistent, and flexible. This paper leads the primary models, rules, and challenges of information security and information assurance, examines some of the top methods, principles, and guidelines that can aid in reaching them, and then investigates the modification in prominence for information security from being obscured in the information technology field to a liability pretending to be in the middle resolving all technology breaches around the world. This paper weighs the various controls and how information assurance can be used to spotlight security problems by focusing on human resource assets and technology. Finally, it demonstrates how information assurance must be considered above others' technology pretending to secure the information.

View PDFchevron_right
Information Assurance and Security J. UCS Special Issue
Sugata Sanyal

2005

The global economic infrastructure is becoming increasingly dependent upon information technology, with computer and communication technology being essential and vital components of Government facilities, power plant systems, medical infrastructures, financial centres and military installations to name a few. Finding effective ways to protect information systems, networks and sensitive data within the critical information infrastructure is challenging even with the most advanced technology and trained professionals.

View PDFchevron_right
Information Assurance for the Enterprise: A Roadmap to Information Security
Corey Schou

2006

View PDFchevron_right
Security in the information society: visions and perspectives: IFIP TC11 17th International Conference on Information Security (SEC2002), May 7-9, 2002, …
kamal aslan

2002

View PDFchevron_right
An Insight of Information Security: A Skeleton
Soham Joshi

International Journal of Recent Technology and Engineering (IJRTE), 2019

In this age of growing and developing information and technology, data security, integrity and confidentiality are essential aspects related to shared data over some network or medium. Many techniques over the years have been developed for securing the messages from attack or theft or breach of very sensible and essential data when shared over a network. The security threats to data have been ascending, so are the data hiding or securing techniques. This is where Information Security has a role to play. Development of techniques and methods that prevents the essential and secret data being stolen and thus providing security to the data. This paper discusses the significance of Information Security, its evolution since its infant stage and study about various subdomains of the same. This paper also shows a comparative study of various Information Security Techniques, their pros and cons and the applications in various domains. This paper analyses various Information Security methods ...

View PDFchevron_right
Information Protection Integrated Platform
Fabio Ghioni

2012

Today companies are faced with a growing number of threats which undermine the integrity of their own business and information. Most threats arise from the heavy dependence of services upon information technology and the high flexibility of IT infrastructures which poses problems in terms of potential misuse. Information leakage is one of the most sensitive instances of corporate incidents entailing a criminal intention. Nevertheless, other causes can be ascribed to an inadequate protection of critical information, i.e. a lack of policy enforcement or poor classification system. The end goal is to achieve an information infrastructure that ensures the availability of critical information while guaranteeing its integrity through a suitable Information Lifecycle Management strategy. However, such policies heavily rely on technological infrastructures and need to be supported by ad hoc tools. Hence, since it is not always possible to ensure accurate operations on the entire infrastruct...

View PDFchevron_right
Technical opinion: Information system security management in the new millennium
ubaiyadullah thameemulansari

Communications of the ACM, 2000

View PDFchevron_right
A Model for Information Assurance: An Integrated Approach” proceedings of the 2001 IEEE Workshop on Information Assurance and Security United …
Daniel Ragsdale

West Point, NY, 2001

The model presented in this paper is an extension of work reported in 1991 by John McCumber. His model provided an abstract research and pedagogic framework for the profession. In the decade since McCumber prepared his model, Information Systems Security (INFOSEC) has evolved into Information Assurance (IA). Although the framework remains sound, the growth of the profession has suggested that changes are needed. This extension of the model accommodates the expanded needs of the IA discipline and include three temporal measures have been included.

View PDFchevron_right
Information systems security: Scope, state-of-the-art, and evaluation of techniques
G. Pernul

International Journal of Information Management, 1995

To achieve a certain degree of information systems security different techniques have been proposed and implemented. It is the aim of this paper to form a basis for their evaluation and comparison. For this purpose a general framework of security is established by defining its scope, most common threats against the security, and two kinds of different comparison and evaluation criteria. The first criteria is a set of requirements on the secrecy and confidentiality of information while the second consists of several structural requirements which we believe are essential for a successful and powerful security technique. In our evaluation we include the Discretionary Models, the Mandatory Models, the Personal Knowledge Approach, the Chinese Wall Policy and the Clark and Wilson model of security. Giinther Pernul received MSc and the PhD degrees from the University of Vienna, where he holds an Associate Professor position at the Department of Information Engineering. Shortly he will take over a full professor position in Information Systems at the University of Essen, Germany. His main research interests are information systems analysis, modelling, and design, computer security, and database management systems.

View PDFchevron_right

References (38)

  1. Greenwald, G.; MacAskill, E.; Poitras, L. Edward Snowden: The whistleblower behind the NSA surveillance revelations. The Guardian, 10 June 2013; Volume 9.
  2. Richelson, J.T. The Snowden Affair. Washington Post, 4 September 2013.
  3. Release, G.P. Gartner Says Cloud-Based Security Services Market to Reach 2.1 Billion in 2013; Gartner Inc.: Stamford, CT, USA, 2013.
  4. Blakley, B.; McDermott, E.; Geer, D. Information security is information risk management. In Proceedings of the 2001 Workshop on New Security Paradigms, New York, NY, USA, 11-13 September 2001; pp. 97-104.
  5. Peltier, T.R. Information Security Fundamentals; CRC Press: London, UK, 2013.
  6. Disterer, G. ISO/IEC 27000, 27001 and 27002 for Information Security Management. J. Inf. Secur. 2013, 4, 92-100.
  7. Stamp, M. Information Security: Principles and Practice; John Wiley & Sons: Hoboken, NJ, USA, 2011.
  8. Posthumus, S.; von Solms, R. A framework for the governance of information security. Comput. Secur. 2004, 23, 638-646.
  9. Secure Your Information: Information Security Principles for Enterprise Architecture. Available online: http://www.tisn.gov.au/Documents/Secure_Your+Information+-+Information+Security+ Principles+for+Enterprise+Architecture+-+Report.pdf (accessed on 27 November 2014).
  10. Whitman, M.; Mattord, H. Management of Information Security; Cengage Learning: Boston, MA, USA, 2013.
  11. Parvizi, R.; Oghbaei, F.; Khayami, S.R. Using COBIT and ITIL frameworks to establish the alignment of business and IT organizations as one of the critical success factors in ERP implementation. In Proceedings of the 2013 5th Conference on Information and Knowledge Technology (IKT), Shiraz, Iran, 28-30 May 2013; pp. 274-278.
  12. Bell, D.E.; LaPadula, L.J. Secure Computer Systems: Mathematical Foundations; Technical Report; DTIC Document: Springfield, MA, USA, 1973.
  13. Biba, K.J. Integrity Considerations for Secure Computer Systems; Technical Report; DTIC Document: Bedford, MA, USA, 1977.
  14. Burrows, J.H. Guideline for Computer Security Certification and Accreditation; PN: Springfield, VA, USA, 1983.
  15. Contreras, J.L. Developing a Framework to Improve Critical Infrastructure Cybersecurity; University of Utah: Salt Lake City, UT, USA, 2013.
  16. Jeong, G.H.; Yi, D.W.; Jeong, S.R. The Effect of Composition and Security Activities for Information Security Architecture on Information Asset Protection and Organizational Performance. KIPS Trans. Part D 2010, 17, 223-232.
  17. Tang, C.L. Establish a Dynamic Business Driven Integrative Information Security Architecture. Appl. Mech. Mater. 2014, 513, 1309-1315.
  18. Åhlfeldt, R.M.; Spagnoletti, P.; Sindre, G. Improving the Information Security Model by Using TFI. In New Approaches for Security, Privacy and Trust in Complex Environments; Springer: Sandton, South Africa, 2007; pp. 73-84.
  19. Crossler, R.E.; Johnston, A.C.; Lowry, P.B.; Hu, Q.; Warkentin, M.; Baskerville, R. Future directions for behavioral information security research. Comput. Secur. 2013, 32, 90-101.
  20. Aurigemma, S.; Panko, R. A composite framework for behavioral compliance with information security policies. In Proceedings of the 2012 45th Hawaii International Conference on System Science (HICSS), Maui, HI, USA, 4-7 January 2012; pp. 3248-3257.
  21. Chu, H. Information Representation and Retrieval in the Digital Age; Information Today, Inc.: Medford, NJ, USA, 2003.
  22. Nayak, R.; Senellart, P.; Suchanek, F.M.; Varde, A.S. Discovering interesting information with advances in web technology. ACM SIGKDD Explor. Newsl. 2013, 14, 63-81.
  23. Freier, A.; Karlton, P.; Kocher, P. The Secure Sockets layer (SSL) Protocol Version 3.0; Internet Engineering Task Force (IETF): Dallas, TX, USA, 2011.
  24. Dierks, T. The Transport Layer Security (TLS) Protocol Version 1.2; Internet Engineering Task Force (IETF): Dallas, TX, USA, 2008.
  25. Diffie, W.; Landau, S.E. Privacy on the Line: The Politics of Wiretapping and Encryption; MIT Press: Cambridge, MA, USA, 2007.
  26. Anderson, R. Security Engineering; John Wiley & Sons: Hoboken, NJ, USA, 2008.
  27. Hughes, D.; Shmatikov, V. Information hiding, anonymity and privacy: A modular approach. J. Comput. Secur. 2004, 12, 3-36.
  28. An Introduction to the Business Model for Information Security. Available online: http://www.isaca.org/Knowledge-Center/BMIS/Documents/IntrotoBMIS.pdf (accessed on 27 November 2014).
  29. Pieters, W.; Coles-Kemp, L. Reducing normative conflicts in information security. In Proceedings of the 2011 Workshop on New Security Paradigms Workshop, Marin County, CA, USA, 12-15 September 2011; pp. 11-24.
  30. Dempsey, K.; Chawla, N.S.; Johnson, A.; Johnston, R.; Jones, A.C.; Orebaugh, A.; Scholl, M.; Stine, K. Information Security Continuous Monitoring (ISCM) for Federal Systems and Organisations; NIST Special Publication: Gaithersburg, MD, USA, 2011; pp. 800-137.
  31. Hand, R.; Ton, M.; Keller, E. Active security. In Proceedings of the Twelfth ACM Workshop on Hot Topics in Networks, College Park, MD, USA, 21-22 November 2013; p. 17.
  32. Lamsal, P. Understanding Trust and Security; Department of Computer Science, University of Helsinki: Helsinki, Finland, 2001.
  33. Avoiding the Top 10 Security Flaws, 2014. Available online: http://cybersecurity.ieee.org/ center-for-secure-design/avoiding-the-top-10-security-flaws.html (accessed on 27 November 2014).
  34. De Oliveira Albuquerque, R.; García-Villalba, L.J.; Kim, T.H. GTrust: Group Extension for Trust Models in Distributed Systems. IJDSN 2014, 2014, 872842.
  35. Van Os, R. Comparing Security Architectures: Defining and Testing a Model for Evaluating and Categorising Security Architecture Frameworks. Master's Thesis, Lulea University of Technology, Lulea, Sweden, 2014.
  36. Susanto, H.; Almunawar, M.N.; Tuan, Y.C. Information security management system standards: A comparative study of the big five. Int. J. Electr. Comput. Sci. IJECS-IJENS 2011, 11, 23-29.
  37. Hong, K.S.; Chi, Y.P.; Chao, L.R.; Tang, J.H. An integrated system theory of information security management. Inf. Manag. Comput. Secur. 2003, 11, 243-248.
  38. c 2014 by the authors; licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution license (http://creativecommons.org/licenses/by/4.0/).

Related papers

A layered trust information security architecture
LUIS JAVIER GARCIA VILLALBA

Sensors (Basel, Switzerland), 2014

Information can be considered the most important asset of any modern organization. Securing this information involves preserving confidentially, integrity and availability, the well-known CIA triad. In addition, information security is a risk management job; the task is to manage the inherent risks of information disclosure. Current information security platforms do not deal with the different facets of information technology. This paper presents a layered trust information security architecture (TISA) and its creation was motivated by the need to consider information and security from different points of view in order to protect it. This paper also extends and discusses security information extensions as a way of helping the CIA triad. Furthermore, this paper suggests information representation and treatment elements, operations and support components that can be integrated to show the various risk sources when dealing with both information and security. An overview of how informat...

View PDFchevron_right
A Reference Information Model to Information Security Service
Marielba Zacarias

Atas da 17ª Conferência da Associação Portuguesa de Sistemas de Informação, 2017

Although the existence of an established body of knowledge, risk managers still strive to find a suitable risk information model that should be used in information security process. The purpose of this document is to capture key concepts of information risk management. It includes all information and / or assets associated with the information that are used in the organization or that may have an impact on information security. When it comes to implementation, information security risk management is a challenging process, because risk factors are constantly changing, due to rapidly changing technologies and the attacker's knowledge level. However, the main issue of our approaches is set a baseline to define the requirements for establishing, implementing, maintain and continually improving an information security management system.

View PDFchevron_right
Challenges in Information Security Protection
teresa pereira

Security is a topic that is gaining more and more interest by organizations and government agencies. The amount of data which organizations daily have to deal with, the increasing number of on-line transactions and the lack of computer security awareness are greater motivations not only to exploit software vulnerabilities but to exploit human vulnerabilities. In general, users tend to accept new technologies with complete disregard of their security vulnerabilities, if they get sufficient benefits from them. Fostering and continuously encourage a security culture and recognizing that people still are, and will always be the weakest link, will certainly assist organizations to achieve their adequate levels of security and thus becoming closer to their business goals. Moreover, monitoring and early detection also play an important role, as it enables organizations and governmental agencies to react more quickly to events that are harder to find and understand, from the security management point of view. The rapid response to the security events and the establishment of preventive actions to manage security are starting to become a competitive strategy to organizations. In this paper we highlight some information security concepts and principles, to deliver actionable information for decision makers for managing their corporate assets and ensure their resilience.

View PDFchevron_right
Maintaining Information Security in the New Technological Scenario
Leandro Malandrin

The technological scenario always played a critical role in Information Security. However, in recent years, this scenario has changed substantially, in ways not known so far. Characterized by different technological trends, like IT infrastructure outsourcing, cloud computing and mobility, this scenario created several new security challenges. The usual approach to deal with change in Information Security Management Systems (ISMS) is to execute a risk assessment review and to deploy new security controls. However, because of the disruptive nature of the technological scenario, that is not enough-new ways to plan the ISMS itself seem to be required. In this paper, these needed changed are identified and detailed, using ISO/IEC 27001 as a key reference. Based on risks mapped in the literature for key technological trends, checkpoints were created and inserted into the basic processes for important ISMS planning activities. The result is a support framework designed specifically for Security Policy definition and Risk Management. By modifying the usual process for each activity, the framework drives the creation of a security culture based on the awareness of the external scenario new risks. Applicability tests executed in a medium-sized organization showed that the framework can be easily plugged into real world situations. The main contribution of this research is the definition of new tool to help security practitioners better cope with the security challenges created by a disruptive technological scenario.

View PDFchevron_right
The security of information and the risks associated with its use, a model for its implementation
IJAERS Journal

To assess whether the management of information security and the risks associated with its use, through computer networks, at the Peninsula State University of Santa Elena, is effective, it is proposed to implement a model that establishes the goals to achieve to advance through the different levels that make up the rating scale. To evaluate the management of information security and the risks associated with its use, it is necessary to have a maturity model that not only allows evaluating the processes involved in the management of information security, but also those associated with the management of the risks linked to the processing of information in all its phases, since an adequate information security plan depends on it. Based on the aforementioned, the objective of this paper is to propose a model for the management of information security and the risks associated with its use, in computer networks.

View PDFchevron_right
580 California St., Suite 400
San Francisco, CA, 94104
© 2025 Academia. All rights reserved