
Unit-3 Information System Security


Unit-3

Information system security:

Information systems (IS) that are used to capture, create, store, process or distribute
classified information must be properly managed to protect against unauthorized disclosure of
classified information, loss of data integrity, and to ensure the availability of the data and system.

IS Security Manager (ISSM). The ISSM:

a. Ensures the development, documentation, and presentation of IS security education,
awareness, and training activities for facility management, IS personnel, users, and
others, as appropriate.

b. Establishes, documents, implements, and monitors the IS Security Program and related
procedures for the facility and ensures facility compliance with requirements for IS.

c. Identifies and documents unique local threats/vulnerabilities to IS.

d. Coordinates the facility IS Security Program with other facility security programs.

e. Ensures that periodic self-inspections of the facility's IS Program are conducted as part of
the overall facility self-inspection program and that corrective action is taken for all
identified findings and vulnerabilities. Self-inspections are to ensure that the IS is
operating as accredited and that accreditation conditions have not changed.

f. Ensures the development of facility procedures to:

(1) Govern marking, handling, controlling, removing, transporting, sanitizing, reusing,
and destroying media and equipment containing classified information.

(2) Properly implement vendor-supplied authentication (password, account names)
features or security-relevant features.

(3) Report IS security incidents to the CSA. Ensure proper protection or corrective
measures have been taken when an incident/vulnerability has been discovered.

(4) Require that each IS user sign an acknowledgment of responsibility for the security of
the IS.

(5) Implement security features for the detection of malicious code, viruses, and intruders
(hackers), as appropriate.

g. Certifies to the CSA, in writing, that each System Security Plan (SSP) has been
implemented; that the specified security controls are in place and properly tested; and that
the IS is functioning as described in the SSP.

h. Ensures notification of the CSA when an IS no longer processes classified information, or
when changes occur that might affect accreditation.

i. Ensures that personnel are trained on the IS's prescribed security restrictions and
safeguards before they are initially allowed to access a system.

j. Develops and implements general and remote maintenance procedures based on
requirements provided by the CSA.

Information System Security Officer(s) (ISSO). ISSOs may be appointed by the ISSM in
facilities with multiple accredited IS. The ISSM will determine the responsibilities to be assigned
to the ISSO, which may include the following:

a. Ensure the implementation of security measures, in accordance with facility procedures.

b. Identify and document any unique threats.

c. If so directed by the GCA and/or if an identified unique local threat exists, perform a risk
assessment to determine if additional countermeasures beyond those identified in this
chapter are required.

d. Develop and implement a certification test as required by the ISSM/CSA.

e. Prepare, maintain, and implement an SSP that accurately reflects the installation and
security provisions.

f. Notify the CSA (through the ISSM) when an IS no longer processes classified
information, or when changes occur that might affect accreditation.

g. Ensure:

(1) That each IS is covered by the facility Configuration Management Program, as
applicable.

(2) That the sensitivity level of the information is determined prior to use on the IS and
that the proper security measures are implemented to protect this information.

(3) That unauthorized personnel are not granted use of, or access to, an IS.

(4) That system recovery processes are monitored to ensure that security features and
procedures are properly restored.

h. Document any special security requirement identified by the GCA and the protection
measures implemented to fulfill these requirements for the information contained in the
IS.

i. Implement facility procedures:

(1) To govern marking, handling, controlling, removing, transporting, sanitizing, reusing,
and destroying media and equipment containing classified information.

(2) To ensure that vendor-supplied authentication (password, account names) features or
security-relevant features are properly implemented.

(3) For the reporting of IS security incidents and initiating, with the approval of the
ISSM, protective or corrective measures when a security incident or vulnerability is
discovered.

(4) Requiring that each IS user sign an acknowledgment of responsibility for the security
of IS and classified information.

(5) For implementing and maintaining security-related software for the detection of
malicious code, viruses, and intruders (hackers), as appropriate.

j. Conduct ongoing security reviews and tests of the IS to periodically verify that security
features and operating controls are functional and effective.

k. Evaluate proposed changes or additions to the IS, and advise the ISSM of their security
relevance.

l. Ensure that all active user IDs are revalidated at least annually.

Security on the internet:

The Internet is a global collection of interconnected networks that facilitate
information exchange and computer connectivity. The Internet is comprised of many
different computers, all of which fall into two categories: servers (also known as "hosts") and
clients (also known as "guests"). Technically, everything on the Internet can be considered a
"host," but for this discussion we will use "hosts" and "guests." A guest machine sends its
requests as bursts of data called "packets," each carrying the address of the host it is meant
for. The packets first reach the guest's Internet service provider, which hands them to a
router; each router along the way examines the destination address and forwards the packets
to the next network, hop by hop, until they arrive at the server holding the information. The
server's reply travels back to the guest machine the same way, as packets passed from router
to router.

There are many different types of computers that fill these two categories:
mainframes, minicomputers, PCs, Macintoshes, Unix workstations and others. Despite the many
varieties of computers that combine to form the Internet, every computer connected to the
Internet needs to be able to communicate with every other computer; without this ability
there is no Internet. All of these computers are able to communicate because, in a sense,
they all speak the same language: TCP/IP. TCP/IP actually isn't a language; in computer terms
it is what is known as a "protocol." A protocol is simply a standard for transmitting and
receiving bits of information. As long as all of the interconnected computers follow the same
protocol, they can exchange information. Unfortunately, the protocol itself provides no
secrecy: when data is sent from one computer to another on the Internet, every router and
network operator on the path between them handles the packets and can read their contents
unless those contents are encrypted. This poses an obvious security problem.
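The following Python script is an added example, not part of the original notes. It constructs one cleartext HTTP login packet (IPv4 + TCP, built with the standard library), performs the forwarding step every router performs on it (decrement TTL, recompute the header checksum), and shows that the same hop can read the login credentials out of the payload. The addresses, ports, form fields and password are made up for the example, and the TCP checksum is left at zero because the point is what an intermediate IP hop sees, not end-host validation.

```python
import socket
import struct

# Constructed sample: an unencrypted HTTP login request. Every address, port and
# credential in this file is invented for illustration.
CLEARTEXT_REQUEST = (
    b"POST /login HTTP/1.1\r\nHost: example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"user=alice&password=hunter2"
)


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, complemented."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet(src: str, dst: str, sport: int, dport: int,
                 payload: bytes, ttl: int = 64) -> bytes:
    """Assemble a minimal IPv4 + TCP packet with no options.
    The TCP checksum field is left zero (assumption: not needed to show what a hop sees)."""
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, ttl, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ipv4_checksum(ip_hdr)) + ip_hdr[12:]
    return ip_hdr + tcp_hdr + payload


def inspect_packet(pkt: bytes) -> dict:
    """Decode what any machine on the path (router, ISP, Wi-Fi owner) can read."""
    ihl = (pkt[0] & 0x0F) * 4
    if ipv4_checksum(pkt[:ihl]) != 0:  # a valid header sums to zero with its checksum included
        raise ValueError("corrupt IPv4 header")
    ttl, proto = pkt[8], pkt[9]
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    if proto != 6:
        return {"src": src, "dst": dst, "ttl": ttl, "proto": proto}
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    data_off = (pkt[ihl + 12] >> 4) * 4
    return {"src": src, "dst": dst, "ttl": ttl, "proto": proto,
            "sport": sport, "dport": dport, "payload": pkt[ihl + data_off:]}


def forward_at_router(pkt: bytes) -> bytes:
    """The work a router does on each packet: decrement TTL and repair the checksum.
    Nothing in this step stops the router from also reading or logging the payload."""
    ihl = (pkt[0] & 0x0F) * 4
    ttl = pkt[8]
    if ttl <= 1:
        raise ValueError("TTL expired; packet dropped")
    hdr = bytearray(pkt[:ihl])
    hdr[8] = ttl - 1
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[ihl:]


def credentials_visible(pkt: bytes) -> bool:
    """True if a hop can recover a password field from the cleartext HTTP body."""
    payload = inspect_packet(pkt).get("payload", b"")
    body = payload.split(b"\r\n\r\n", 1)[-1]
    fields = dict(kv.split(b"=", 1) for kv in body.split(b"&") if b"=" in kv)
    return b"password" in fields


if __name__ == "__main__":
    pkt = build_packet("192.0.2.10", "198.51.100.20", 40000, 80, CLEARTEXT_REQUEST)
    at_hop = forward_at_router(pkt)
    print(inspect_packet(at_hop))
    print("credentials readable at hop:", credentials_visible(at_hop))
```

If the same request were carried over TLS, inspect_packet would still show the source and destination addresses, ports and TTL (the metadata a router needs to do its job), but the payload would be ciphertext and credentials_visible would return False; that is exactly the gap that "use encryption when necessary" closes.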

Each of the Internet application chapters has a section on security issues, and the section
on Internet hackers provides information about hacking-related people, sites, and resources. This
section describes Internet security issues related to the underlying network itself.

Internet security analysis is broken down into a consideration of threats and corresponding
defenses. For most threats there is a defense. The short course advises you to always use a
firewall and virus protection, and to use encryption when necessary. The following sections
provide more information.

Internet Confidentiality & Privacy

The Internet provides little assurance of privacy or confidentiality. The use
of firewalls, anonymizers, and encryption can help mitigate the risks. Major
considerations to keep in mind are discussed below:

- Silent communications
- Surfing leaves tracks
- Posting is public
- Personal data is cross-referenced

Internet Anonymizers

Internet anonymizers are services that make your web browsing as anonymous as
possible. Email anonymizers are discussed on the remailer page. Web anonymizers set up
a secure connection with your computer, visit the sites you wish to see on your behalf,
and then pass back the results, so the sites you visit (and anyone watching your own
network) do not learn which pages you read. The anonymizer itself, however, sees both
your address and every page you request, so using one moves the trust from the sites and
your ISP to the anonymizer operator.

Internet Remailers

A remailer enables you to send and receive email while keeping your
real email address secret, by retransmitting your email with an anonymous
return address. While encryption provides protection against reading your
communications, remailing also protects knowledge of your email's true
origin and destination. The remailer itself necessarily learns your real address, so
its trustworthiness and logging practices set the limit of the protection it gives.
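As an added example (not part of the original notes), the script below implements the core of a remailer with Python's standard email library: it parses an incoming message, drops every header that identifies the sender or the path the message took, and re-sends the body under a pseudonymous address at the remailer's domain. The sample message, the set of headers treated as identifying, the pseudonym and all domains are this example's own assumptions, not a standard remailer configuration.

```python
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import make_msgid

# Headers that reveal who sent a message or which machines carried it.
# Assumption of this example; real remailers maintain their own lists.
IDENTIFYING_HEADERS = {
    "from", "sender", "reply-to", "return-path", "received", "message-id",
    "x-originating-ip", "x-mailer", "user-agent", "date", "organization",
}

# Constructed sample message; every address, host and IP below is made up.
SAMPLE = """\
Received: from laptop.alice.example (203.0.113.7) by smtp.isp.example
Received: from smtp.isp.example by mx.remailer.example
From: Alice Example <alice@alice.example>
Reply-To: alice@alice.example
To: bob@recipient.example
Message-ID: <1234.abcd@laptop.alice.example>
X-Mailer: ExampleMail 1.0
Date: Mon, 01 Jan 2024 10:00:00 +0000
Subject: meeting notes

Bob, here are the notes we discussed.
"""


def remail(raw: str, pseudonym: str, remailer_domain: str) -> EmailMessage:
    """Strip identifying headers and re-send under a pseudonymous return address.
    Only non-identifying headers (such as To and Subject) and the body are kept;
    From, Reply-To and Message-ID are regenerated at the remailer."""
    original = message_from_string(raw, policy=policy.default)
    out = EmailMessage(policy=policy.default)
    for name, value in original.items():
        if name.lower() not in IDENTIFYING_HEADERS:
            out[name] = str(value)
    anon_address = f"{pseudonym}@{remailer_domain}"
    out["From"] = anon_address
    out["Reply-To"] = anon_address
    out["Message-ID"] = make_msgid(domain=remailer_domain)
    out.set_content(original.get_content())
    return out


def leaks_identity(message_text: str, marker: str) -> bool:
    """True if an address, hostname or IP that identifies the sender still appears."""
    return marker.lower() in message_text.lower()


if __name__ == "__main__":
    forwarded = remail(SAMPLE, "anon12345", "remailer.example")
    print(forwarded.as_string())
    for marker in ("alice@alice.example", "laptop.alice.example", "203.0.113.7"):
        print(marker, "leaked:", leaks_identity(forwarded.as_string(), marker))
```

Two things the code makes visible that the prose only implies: the Received trace, not just the From line, is what ties a message to its origin, and the remailer keeps the mapping from pseudonym to real address in its own memory, which is why the operator's trustworthiness matters. The Date header is dropped as well because a timestamp alone can correlate the remailed message with the original submission.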

Internet Encryption

Internet Viruses

Password Selection

Internet Security Resources


E-payment system:

Payment is an integral part of the mercantile process, so an electronic payment system is an
integral part of e-commerce. The emergence of e-commerce has created new financial needs
that in many cases cannot be effectively fulfilled by traditional payment systems.
Digital signature process
Unit-4
Privacy issues:
