Gheorghe Popescu; Veronica Adriana Popescu; Cristina Raluca Popescu
The article covers:Defining an information system; benefits obtained by introducing new information technologies; IT management;Defining prerequisites, analysis, design, implementation of IS; Information security management system; aspects regarding IS security policy; Conceptual model of a security system; Auditing information security systems and network infrastructure security.
Tao Kuang; Shanhong Zhu
The study built a simulation model for the study of food security information system relay protection. MATLAB-based simulation technology can support the analysis and design of food security information systems. As an example, the food security information system fault simulation, zero-sequence current protection simulation and transformer differential protection simulation are presented in this study. The case studies show that the simulation of food security information system relay protect...
Full Text Available The information and communication technologies advances made available enormous and vast amounts of information. This availability generates also significant risks to computer systems, information and to the critical operations and infrastructures they support. In spite of significant advances in the information security area many information systems are still vulnerable to inside or outside attacks. The existence of an internal audit for information system security increases the probability of adopting adequate security measures and preventing these attacks or lowering the negative consequences. The paper presents an exploratory study on informatics audit for information systems security.
Marius POPA; Mihai DOINEA
The paper presents the main aspects regarding the development of the information security and assurance of their security. The information systems, standards and audit processes definitions are offered. There are presented the most important security standards used in information system security assessment
Liu Baoxu; Mei Jie; Xu Rongsheng; An Dehai; Yu Mingjian; Chen Xiangyang; Zheng Peng
On the basis of analysis of the key elements that will affect the Internet Security Information System, the author takes UNIX Operating System as an example, and provides the important stages that must be considered when implementing the Internet Security Information System. An implemental model of the Internet Security Information System is given
Muhammad Siddique Ansari
Full Text Available Abstract - Business Organizations and Government unequivocally relies on upon data to deal with their business operations. The most unfavorable impact on association is disappointment of friendship, goodness, trustworthiness, legitimacy and probability of data and administrations. There is an approach to ensure data and to deal with the IT framework's Security inside association. Each time the new innovation is made, it presents some new difficulties for the insurance of information and data. To secure the information and data in association is imperative on the grounds that association nowadays inside and remotely joined with systems of IT frameworks. IT structures are inclined to dissatisfaction and security infringement because of slips and vulnerabilities. These slips and vulnerabilities can be brought on by different variables, for example, quickly creating headway, human slip, poor key particulars, poor movement schedules or censuring the threat. Likewise, framework changes, new deserts and new strikes are a huge piece of the time displayed, which helpers augmented vulnerabilities, disappointments and security infringement all through the IT structure life cycle. The business went to the confirmation that it is essentially difficult to ensure a slip free, risk free and secure IT structure in perspective of the disfigurement of the disavowing security parts, human pass or oversight, and part or supplies frustration. Totally secure IT frameworks don't exist; just those in which the holders may have changing degrees of certainty that security needs of a framework are fulfilled do. The key viewpoints identified with security of data outlining are examined in this paper. From the start, the paper recommends pertinent legitimate structure and their duties including open association obligation, and afterward it returns to present and future time, system limits, structure security in business division. At long last, two key inadequacy markers
A methodology is described for system engineering security into large information technology systems under development. The methodology is an integration of a risk management process and a generic system development life cycle process. The methodology is to be used by Security System Engineers to effectively engineer and integrate information technology security into a target system as it progresses through the development life cycle. The methodology can also be used to re-engineer security into a legacy system.
... compounded by the increasingly international nature of information systems, this responsibility still rests with managers only. This paper looks at security concerns related to information systems, identifies the threats and suggests how the security of information systems should be handled. African Journal of Finance and ...
International Organization for Standardization. Geneva
ISO/IEC 27001:2005 covers all types of organizations (e.g. commercial enterprises, government agencies, not-for profit organizations). ISO/IEC 27001:2005 specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System within the context of the organization's overall business risks. It specifies requirements for the implementation of security controls customized to the needs of individual organizations or parts thereof. ISO/IEC 27001:2005 is designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties. ISO/IEC 27001:2005 is intended to be suitable for several different types of use, including the following: use within organizations to formulate security requirements and objectives; use within organizations as a way to ensure that security risks are cost effectively managed; use within organizations to ensure comp...
Pereira, Teresa; Santos, Henrique
The widespread adoption of information and communication technology have promoted an increase dependency of organizations in the performance of their Information Systems. As a result, adequate security procedures to properly manage information security must be established by the organizations, in order to protect their valued or critical resources from accidental or intentional attacks, and ensure their normal activity. A conceptual security framework to manage and audit Information System Security is proposed and discussed. The proposed framework intends to assist organizations firstly to understand what they precisely need to protect assets and what are their weaknesses (vulnerabilities), enabling to perform an adequate security management. Secondly, enabling a security audit framework to support the organization to assess the efficiency of the controls and policy adopted to prevent or mitigate attacks, threats and vulnerabilities, promoted by the advances of new technologies and new Internet-enabled services, that the organizations are subject of. The presented framework is based on a conceptual model approach, which contains the semantic description of the concepts defined in information security domain, based on the ISO/IEC_JCT1 standards.
Viewgraphs from the Information Security and Integrity Systems seminar held at the University of Houston-Clear Lake on May 15-16, 1990 are presented. A tutorial on computer security is presented. The goals of this tutorial are the following: to review security requirements imposed by government and by common sense; to examine risk analysis methods to help keep sight of forest while in trees; to discuss the current hot topic of viruses (which will stay hot); to examine network security, now and in the next year to 30 years; to give a brief overview of encryption; to review protection methods in operating systems; to review database security problems; to review the Trusted Computer System Evaluation Criteria (Orange Book); to comment on formal verification methods; to consider new approaches (like intrusion detection and biometrics); to review the old, low tech, and still good solutions; and to give pointers to the literature and to where to get help. Other topics covered include security in software applications and development; risk management; trust: formal methods and associated techniques; secure distributed operating system and verification; trusted Ada; a conceptual model for supporting a B3+ dynamic multilevel security and integrity in the Ada runtime environment; and information intelligence sciences.
Dan Constantin TOFAN
The information security audit is definitely a tool for determining, achieving, and maintaining a proper level of security in an organization. This article offers a comprehensive review of the world's most popular standards related to information systems security audit.
Καραμανλής, Μάνος; Karamanlis, Manos
Secure management of information is becoming critical for any organization because information is one of the most valuable assets in organization’s business operations. An Information security management system (ISMS) consists of the policies, procedures, guidelines, and associated resources and activities, collectively managed by an organization, in the pursuit of protecting its information assets. An ISMS is a systematic approach for establishing, implementing, operating, mon...
A. N. Tkhishev
Full Text Available A special aspect of aircraft test is carrying out both flight evaluation and ground operation evaluation in a structure of flying aids and special tools equipment. The specific of flight and sea tests involve metering in offshore zone, which excludes the possibility of fixed geodetically related measuring tools. In this regard, the specific role is acquired by shipbased measurement systems, in particular the mobile modular measuring systems. Information processed in the mobile modular measurement systems is a critical resource having a high level of confidentiality. When carrying out their functions, it should be implemented a proper information control of the mobile modular measurement systems to ensure their protection from the risk of data leakage, modification or loss, i.e. to ensure a certain level of information security. Due to the specific of their application it is difficult to solve the problems of information security in such complexes. The intruder model, the threat model, the security requirements generated for fixed informatization objects are not applicable to mobile systems. It was concluded that the advanced mobile modular measuring systems designed for flight experiments monitoring and control should be created due to necessary information protection measures and means. The article contains a diagram of security requirements formation, starting with the data envelopment analysis and ending with the practical implementation. The information security probabilistic model applied to mobile modular measurement systems is developed. The list of current security threats based on the environment and specific of the mobile measurement system functioning is examined. The probabilistic model of the information security evaluation is given. The problems of vulnerabilities transformation of designed information system into the security targets with the subsequent formation of the functional and trust requirements list are examined.
Valery Konstantinovich Ablekov
Full Text Available Existing physical security systems has wide range of lacks, including: high cost, a large number of vulnerabilities, problems of modification and support system. This paper covers an actual problem of developing systems without this list of drawbacks. The paper presents the architecture of the information security system, which operates through the network protocol TCP/IP, including the ability to connect different types of devices and integration with existing security systems. The main advantage is a significant increase in system reliability, scalability, both vertically and horizontally, with minimal cost of both financial and time resources.
Thompson, Dale R.; Di, Jia; Daugherty, Michael K.
The future cyber security workforce needs radio frequency identification (RFID) information systems security (INFOSEC) and threat modeling educational materials. A complete RFID security course with new learning materials and teaching strategies is presented here. A new RFID Reference Model is used in the course to organize discussion of RFID,…
N. S. Rodionova
Full Text Available Summary. Introduction of information technology to improve the efficiency of security activity leads to the need to consider a number of negative factors associated with in consequence of the use of these technologies as a key element of modern security systems. One of the most notable factor is the exposure to information processes in protection systems security threats. This largely relates to integrated security systems (ISS is the system of protection with the highest level of informatization security functions. Significant damage to protected objects that they could potentially incur as a result of abnormal operation ISS, puts a very actual problem of assessing factors that reduce the efficiency of the ISS to justify the ways and methods to improve it. Because of the nature of threats and blocking distortion of information in the ISS of interest are: the volume undistorted ISF working environment, as a characteristic of data integrity; time access to information as a feature of its availability. This in turn leads to the need to use these parameters as the performance characteristics of information processes in the ISS - the completeness and timeliness of information processing. The article proposes performance indicators of information processes in integrated security systems in terms of optimal control procedures to protect information from unauthorized access. Set the considered parameters allows to conduct comprehensive security analysis of integrated security systems, and to provide recommendations to improve the management of information security procedures in them.
Sharma, Aditya; Murphy, Marianne C.; Rosso, Mark A.; Grant, Donna
Information Systems Security as a specialized area of study has mostly been taught at the graduate level. This paper highlights the efforts of establishing an Information Systems (IS) Security track at the undergraduate level. As there were many unanswered questions and concerns regarding the Security curriculum, focus areas, the benefit of…
Health care information systems must reflect at least two basic characteristics of the health care community: the increasing mobility of patients and the personal liability of everyone giving medical treatment. Open distributed information systems bear the potential to reflect these requirements. But the market for open information systems and operating systems hardly provides secure products today. This 'missing link' is approached by the prototype SECURE Talk that provides secure transmission and archiving of files on top of an existing operating system. Its services may be utilized by existing medical applications. SECURE Talk demonstrates secure communication utilizing only standard hardware. Its message is that cryptography (and in particular asymmetric cryptography) is practical for many medical applications even if implemented in software. All mechanisms are software implemented in order to be executable on standard-hardware. One can investigate more or less decentralized forms of public key management and the performance of many different cryptographic mechanisms. That of, e.g. hybrid encryption and decryption (RSA+DES-PCBC) is about 300 kbit/s. That of signing and verifying is approximately the same using RSA with a DES hash function. The internal speed, without disk accesses etc., is about 1.1 Mbit/s. (Apple Quadra 950 (MC 68040, 33 MHz, RAM: 20 MB, 80 ns. Length of RSA modulus is 512 bit).
Although security is an important, nearly billion-dollar-a-year function in the Department of Energy (DOE), key information systems that hold important data about security weaknesses and incidents have limited analytical capabilities and contain unreliable information. The resultant difficulty in identifying patterns and trends reduces managers' ability to ensure the effectiveness of the security program. Resources are also wasted because DOE has deployed incompatible systems that are unable to electronically share or transfer data, often forcing employees to manually re-enter data that are already stored in computers elsewhere. Finally, continuing data problems with other important security information systems, such as those used to track security clearances and classified documents, indicate that information system deficiencies are extensive. A major reason for these problems is that DOE has not done a comprehensive, strategic assessment of its information and information technology needs of the security program. DOE's efforts are fragmented because it has not assigned to any organization the leadership responsibility to determine security information needs and to plan and manage security information resources Department-wide. This paper reports that a number of changes are needed to correct these problems and take advantage of information technology to help strengthen the security program
This research proposes a framework for adaptive information security systems that considers both the technical and social aspects of information systems security. Initial development of information systems security focused on computer technology and communication protocols. Researchers and designers did not consider culture, traditions, ethics, and other social issues of the people using the systems when designing and developing information security systems. They also seemed to ignore environ...
Alsalamah, Shada; Gray, W Alex; Hilton, Jeremy; Alsalamah, Hessah
Enabling Patient-Centred (PC) care in modern healthcare requires the flow of medical information with the patient between different healthcare providers as they follow the patient's treatment plan. However, PC care threatens the stability of the balance of information security in the support systems since legacy systems fall short of attaining a security balance when sharing their information due to compromises made between its availability, integrity, and confidentiality. Results show that the main reason for this is that information security implementation in discrete legacy systems focused mainly on information confidentiality and integrity leaving availability a challenge in collaboration. Through an empirical study using domain analysis, observations, and interviews, this paper identifies a need for six information security requirements in legacy systems to cope with this situation in order to attain the security balance in systems supporting PC care implementation in modern healthcare.
Sur-Kolay, Susmita; Nandy, Subhas C; Bagchi, Aditya
This volume contains articles written by leading researchers in the fields of algorithms, architectures, and information systems security. The first five chapters address several challenging geometric problems and related algorithms. These topics have major applications in pattern recognition, image analysis, digital geometry, surface reconstruction, computer vision and in robotics. The next five chapters focus on various optimization issues in VLSI design and test architectures, and in wireless networks. The last six chapters comprise scholarly articles on information systems security coverin
... 5 Administrative Personnel 2 2010-01-01 2010-01-01 false Information systems security awareness... (MISCELLANEOUS) Information Security Responsibilities for Employees who Manage or Use Federal Information Systems § 930.301 Information systems security awareness training program. Each Executive Agency must develop a...
Trapeznikov, E. V.
The technology development has shown the automated system information security comprehensive analysis necessity. The subject area analysis indicates the study relevance. The research objective is to develop the information security system quality assessment methodology based on the intelligent tools. The basis of the methodology is the information security assessment model in the information system through the neural network. The paper presents the security assessment model, its algorithm. The methodology practical implementation results in the form of the software flow diagram are represented. The practical significance of the model being developed is noted in conclusions.
Kovacich, Gerald L
Information systems security continues to grow and change based on new technology and Internet usage trends. In order to protect your organization's confidential information, you need information on the latest trends and practical advice from an authority you can trust. The new ISSO Guide is just what you need. Information Systems Security Officer's Guide, Second Edition, from Gerald Kovacich has been updated with the latest information and guidance for information security officers. It includes more information on global changes and threats, managing an international information secur
Lenaeu, Joseph D. [Pacific Northwest National Lab. (PNNL), Richland, WA (United States); O' Neil, Lori Ross [Pacific Northwest National Lab. (PNNL), Richland, WA (United States); Leitch, Rosalyn M. [Pacific Northwest National Lab. (PNNL), Richland, WA (United States); Glantz, Clifford S. [Pacific Northwest National Lab. (PNNL), Richland, WA (United States); Landine, Guy P. [Pacific Northwest National Lab. (PNNL), Richland, WA (United States); Bryant, Janet L. [Pacific Northwest National Lab. (PNNL), Richland, WA (United States); Lewis, John [National Nuclear Lab., Workington (United Kingdom); Mathers, Gemma [National Nuclear Lab., Workington (United Kingdom); Rodger, Robert [National Nuclear Lab., Workington (United Kingdom); Johnson, Christopher [National Nuclear Lab., Workington (United Kingdom)
The focus of this document is to provide guidance for the development of information security management system planning documents at chemical, biological, radiological, or nuclear (CBRN) facilities. It describes a risk-based approach for planning information security programs based on the sensitivity of the data developed, processed, communicated, and stored on facility information systems.
Lenaeu, Joseph D.; O'Neil, Lori Ross; Leitch, Rosalyn M.; Glantz, Clifford S.; Landine, Guy P.; Bryant, Janet L.; Lewis, John; Mathers, Gemma; Rodger, Robert; Johnson, Christopher
The focus of this document is to provide guidance for the development of information security management system planning documents at chemical, biological, radiological, or nuclear (CBRN) facilities. It describes a risk-based approach for planning information security programs based on the sensitivity of the data developed, processed, communicated, and stored on facility information systems.
Full Text Available Business Information Exchange is an Internet Secure Portal for secure management, distribution, sharing, and use of business e-mails, documents, and messages. It has three applications supporting three major types of information exchange systems: secure e-mail, secure instant messaging, and secure sharing of business documents. In addition to standard security services for e-mail letters, which are also applied to instant messages and documents, the system provides innovative features of privacy and full anonymity of users and their locations, actions, transactions, and exchanged resources. In this paper we describe design, implementation, and use of the system.
Manea, Constantin Adrian
The international management standards allow their integrated approach, thereby combining aspects of particular importance to the activity of any organization, from the quality management systems or the environmental management of the information security systems or the business continuity management systems. Although there is no national or international regulation, nor a defined standard for the Integrated Management System, the need to implement an integrated system occurs within the organization, which feels the opportunity to integrate the management components into a cohesive system, in agreement with the purpose and mission publicly stated. The issues relating to information security in the organization, from the perspective of the management system, raise serious questions to any organization in the current context of electronic information, reason for which we consider not only appropriate but necessary to promote and implement an Integrated Management System Quality - Environment - Health and Operational Security - Information Security
Yow, J Art
The ever-changing world of security electronics is reviewed in this article. The author focuses on its usage in a hospital setting and the need for safety/security and information systems departments to work together to protect and get full value from IP systems.
Liu, Chia-Hui; Chung, Yu-Fang; Chen, Tzer-Shyong; Wang, Sheng-De
With the progress and the development of information technology, the internal data in medical organizations have become computerized and are further established the medical information system. Moreover, the use of the Internet enhances the information communication as well as affects the development of the medical information system that a lot of medical information is transmitted with the Internet. Since there is a network within another network, when all networks are connected together, they will form the "Internet". For this reason, the Internet is considered as a high-risk and public environment which is easily destroyed and invaded so that a relevant protection is acquired. Besides, the data in the medical network system are confidential that it is necessary to protect the personal privacy, such as electronic patient records, medical confidential information, and authorization-controlled data in the hospital. As a consequence, a medical network system is considered as a network requiring high security that excellent protections and managerial strategies are inevitable to prevent illegal events and external attacks from happening. This study proposes secure medical managerial strategies being applied to the network environment of the medical organization information system so as to avoid the external or internal information security events, allow the medical system to work smoothly and safely that not only benefits the patients, but also allows the doctors to use it more conveniently, and further promote the overall medical quality. The objectives could be achieved by preventing from illegal invasion or medical information being stolen, protecting the completeness and security of medical information, avoiding the managerial mistakes of the internal information system in medical organizations, and providing the highly-reliable medical information system.
Lopes, Isabel Maria; Sá-Soares, Filipe de
Information Systems Security is a relevant factor for present organizations. Among the security measures, policies assume a central role in literature. However, there is a reduced number of empirical studies about the adoption of information systems security policies. This paper contributes to mitigate this flaw by presenting the results of a survey in the adoption of Information System Security Policies in Local Public Administration in Portugal. The results are discussed in light of literat...
... NATIONAL SECURITY INFORMATION Safeguarding § 2001.50 Telecommunications automated information systems and... identified in the Committee on National Security Systems (CNSS) issuances and the Intelligence Community Directive (ICD) 503, Intelligence Community Information Technology Systems Security Risk Management...
Full Text Available In this 21st century, the world is moving more and more into the information economy; and information held by organization's information systems is among the most valuable assets in the organization's care and is considered a critical resource, enabling the organizations to achieve their strategic objectives. In-house developed information systems meant to enable organizations to achieve their strategic objectives, are on the increase and security has become a major concern in recent years. Hackers are using new techniques to gain access to sensitive data, disable information systems and administer other malicious activities aimed at the information systems. The need to secure an information system is imperative for use in today's world. Until recently, information systems security was an afterthought; developers were typically focused on functionality and features, waiting to implement security at the end of development. This approach to information systems security has proven to be disastrous because vulnerabilities have gone undetected allowing information systems to be attacked and damaged. A survey done in three (3 organizations in Tanzania has proved that most of the information systems developers have drawn their background from traditional systems development without the sense of implementing security in the early stage of information system development. This paper attempts to identify in-house developed information system's security deficiencies and related risks to organizations, the paper also attempt to establish technique that can be used to detect those deficiencies. Lastly the paper provide guidance that can be used by organizations to mitigate the risks.
V. S. Oladko
Full Text Available The article deals with the problem assessment of information security risks in the ERP-system. ERP-system functions and architecture are studied. The model malicious impacts on levels of ERP-system architecture are composed. Model-based risk assessment, which is the quantitative and qualitative approach to risk assessment, built on the partial unification 3 methods for studying the risks of information security - security models with full overlapping technique CRAMM and FRAP techniques developed.
Hao, Shuxin; Lü, Yiran; Liu, Jie; Liu, Yue; Xu, Dongqun
To study the application of classified protection of information security in the information system of air pollution and health impact monitoring, so as to solve the possible safety risk of the information system. According to the relevant national standards and requirements for the information system security classified protection, and the professional characteristics of the information system, to design and implement the security architecture of information system, also to determine the protection level of information system. Basic security measures for the information system were developed in the technical safety and management safety aspects according to the protection levels, which effectively prevented the security risk of the information system. The information system established relatively complete information security protection measures, to enhanced the security of professional information and system service, and to ensure the safety of air pollution and health impact monitoring project carried out smoothly.
Κάτσαρης, Δημήτριος Σ.
In this Master’s thesis, the new trend in computer and information security industry called Security Information and Event Management systems will be covered. The evolution, advantages and weaknesses of these systems will be described, as well as a home-based implementation with open source tools will be proposed and implemented.
Jang, Sung Soon; Yoo, Ho Sik
A physical protection system (PPS) integrates people, procedures and equipment for the protection of assets or facilities against theft, sabotage or other malevolent attacks. In the physical protection field, it is important the maintain confidentiality of PPS related information, such as the alarm system layout, detailed maps of buildings, and guard schedules. In this abstract, we suggest establishing a methodology for an information security system. The first step in this methodology is to determine the information to protect and possible adversaries. Next, system designers should draw all possible paths to the information and arrange appropriate protection elements. Finally he/she should analyze and upgrade their information security system
E. V. Belokurova
Full Text Available The article discusses the different approaches to assessing the safety of confidential information-term for information and telecommunication systems of various pre-appreciable destination in the presence of internal and external threats to its integrity and availability. The difficulty of ensuring the security of confidential information from exposure to information and telecommunication systems of external and internal threats at the present time, is of particular relevance. This problem is confirmed by the analysis of available statistical information on the impact of threats on the security circulating in the information and telecommunications system. Leak confidential information, intellectual property, information, know-how is the result of significant material and moral damage caused to the owner of the restricted information. The paper presents the structure of the indicators and criteria shows that the most promising are analytical criteria. However, their use to assess the level of security of confidential information is difficult due to the lack of appropriate mathematical models. The complexity of the problem is that existing traditional mathematical models are not always appropriate for the stated objectives. Therefore, it is necessary to develop mathematical models designed to assess the security of confidential information and its impact on information and telecommunication system threats.
Full Text Available Human health information from healthcare system can provide important diagnosis data and reference to doctors. However, continuous monitoring and security storage of human health data are challenging personal privacy and big data storage. To build secure and efficient healthcare application, Hadoop-based healthcare security communication system is proposed. In wireless biosensor network, authentication and key transfer should be lightweight. An ECC (Elliptic Curve Cryptography based lightweight digital signature and key transmission method are proposed to provide wireless secure communication in healthcare information system. Sunspot wireless sensor nodes are used to build healthcare secure communication network; wireless nodes and base station are assigned different tasks to achieve secure communication goal in healthcare information system. Mysql database is used to store Sunspot security entity table and measure entity table. Hadoop is used to backup and audit the Sunspot security entity table. Sqoop tool is used to import/export data between Mysql database and HDFS (Hadoop distributed file system. Ganglia is used to monitor and measure the performance of Hadoop cluster. Simulation results show that the Hadoop-based healthcare architecture and wireless security communication method are highly effective to build a wireless healthcare information system.
Ibrahim Al Kattan; Ahmed Al Nunu; Kassem Saleh
This article presents a probabilistic security model for supply chain management systems (SCM) in which the basic goals of security (including confidentiality, integrity, availability and accountability, CIAA) are modeled and analyzed. Consequently, the weak points in system security are identified. A stochastic model using measurable values to describe the information system security of a SCM is introduced. Information security is a crucial and integral part of the network of supply chains. ...
The focus of this dissertation was to examine the crucial relationship between organization systems within the framework of the organizational behavior theory and information security awareness (ISA) of users within the framework of the information security theory. Despite advanced security technologies designed to protect information assets,…
Full Text Available Critical Information Infrastructure security will always be difficult to ensure, just because of the features that make it irreplaceable tor other critical infrastructures normal operation. It is decentralized, interconnected interdependent, controlled by multiple actors (mainly private and incorporating diverse types of technologies. It is almost axiomatic that the disruption of the Critical Information Infrastructure affects systems located much farther away, and the cyber problems have direct consequences on the real world. Indeed the Internet can be used as a multiplier in order to amplify the effects of an attack on some critical infrastructures. Security challenges increase with the technological progress. One of the last lines of defense which comes to complete the overall security scheme of the Critical Information Infrastructure is represented by the Network Intrusion Detection Systems.
Mwakalinga, G Jeffy; Kowalski, Stewart; Yngström, Louise
In this paper, we describe a methodology for considering culture of users and environments when developing information security systems. We discuss the problem of how researchers and developers of security for information systems have had difficulties in considering culture of users and environments when they develop information security systems. This has created environments where people serve technology instead of technology serving people. Users have been considered just as any other compo...
Information communication technology has increased globalisation in higher learning institution all over the world. This has been achieved through introduction of systems that ease operations related to information handling in the institutions. The paper assessed and analysed the information systems security performance status in higher learning institutions of Uganda. The existing policies that govern the information security have also been analysed together with the current status of inform...
Pereira, Samáris Ramiro; Fernandes, João Carlos Lopes; Labrada, Luis; Bandiera-Paiva, Paulo
In health, Information Systems are patient records, hospital administration or other, have advantages such as cost, availability and integration. However, for these benefits to be fully met, it is necessary to guarantee the security of information maintained and provided by the systems. The lack of security can lead to serious consequences such as lawsuits and induction to medical errors. The management of information security is complex and is used in various fields of knowledge. Often, it is left in the background for not being the ultimate goal of a computer system, causing huge financial losses to corporations. This paper by systematic review methodologies, presented a mapping in the literature, in order to identify the most relevant aspects that are addressed by security researchers of health information, as to the development of computerized systems. They conclude through the results, some important aspects, for which the managers of computerized health systems should remain alert.
Williams, Patricia A H
It is no small task to manage the protection of healthcare data and healthcare information systems. In an environment that is demanding adaptation to change for all information collection, storage and retrieval systems, including those for of e-health and information systems, it is imperative that good information security governance is in place. This includes understanding and meeting legislative and regulatory requirements. This chapter provides three models to educate and guide organisations in this complex area, and to simplify the process of information security governance and ensure appropriate and effective measures are put in place. The approach is risk based, adapted and contextualized for healthcare. In addition, specific considerations of the impact of cloud services, secondary use of data, big data and mobile health are discussed.
Zhou, Chao; Feng, Renjun; Jiang, Haitao; Huang, Wei; Zhu, Daohua
With the rapid development of social informatization process, the demands of government, enterprise, and individuals for spatial information becomes larger. In addition, the combination of wireless network technology and spatial information technology promotes the generation and development of mobile technologies. In today’s rapidly developed information technology field, network technology and mobile communication have become the two pillar industries by leaps and bounds. They almost absorbed and adopted all the latest information, communication, computer, electronics and so on new technologies. Concomitantly, the network coverage is more and more big, the transmission rate is faster and faster, the volume of user’s terminal is smaller and smaller. What’s more, from LAN to WAN, from wired network to wireless network, from wired access to mobile wireless access, people’s demand for communication technology is increasingly higher. As a result, mobile communication technology is facing unprecedented challenges as well as unprecedented opportunities. When combined with the existing mobile communication network, it led to the development of leaps and bounds. However, due to the inherent dependence of the system on the existing computer communication network, information security problems cannot be ignored. Today’s information security has penetrated into all aspects of life. Information system is a complex computer system, and it’s physical, operational and management vulnerabilities constitute the security vulnerability of the system. Firstly, this paper analyzes the composition of mobile enterprise network and information security threat. Secondly, this paper puts forward the security planning and measures, and constructs the information security structure.
Few decades back most of the I and C systems are Hardwired based. With the developments in digital electronics, micro processors and micro controllers, the I and C systems are becoming more and more Computer based. Though it brought convenience to the designer, comfort to the operator in the form of better GUI, it also brought many challenges in the form of information security. The talk covers the typical I and C design using SCADA systems, the challenges, typical problems faced and the need for information security. The talk illustrates various security measures to be implemented in the design, development and testing stages. These security measures have to be taken both in the development environment and deployment environment. Verification and validation of computer based system is very important. Configuration change management is very essential for smooth running of the plant. The talk illustrates the various measures need to be taken. (author)
José María Díaz Nafría
Full Text Available Different senses of security and its related assumptions, methodologies and contexts are analyzed by first reviewing the liberalistic notions of security and trust, unveiling, on the one hand, the contradictions exhibited between discourse and practice; on the other hand, the historical strategy of concentration of power behind the liberalistic doctrines. The weakness, limits and implications of the liberalistic notions and methods on security and trust are inquired, and subsequently a genuine horizon of security as sustainable and general procurement of positive freedom is advocated. The CyberSyn project successfully implemented in Chile, but tragically and prematurely ending under the hard power in the 9/11 of 1973, serves as model of the posed system approach to security. However, the system model is actualized and completed with elements of the general theory of information in virtue of: the increased complexity of societal systems, its ultimate global dimension, its biospherical closure, the increase of information assets and processes, and some epistemological boundaries. These reasons also set the need of keeping – beside the system approach – a critical and ethical stance.
Ying Li; Li Ping Du; JianWei Guo; Xin Zhao
In order to improve the security of information transmitted in the internet of things, this study designs an information security system architecture of internet of things based on a lightweight cryptography. In this security system, an authentication protocol, encryption/decryption protocol and signature verification protocol are proposed and implemented. All these security protocol are used to verify the legality of access device and to protect the confidentiality and integrity of transform...
Brooks, Nita G.; Greer, Timothy H.; Morris, Steven A.
The authors' focus was the assessment of skill requirements for information systems security positions to understand expectations for security jobs and to highlight issues relevant to curriculum management. The analysis of 798 job advertisements involved the exploration of domain-related and soft skills as well as degree and certification…
Marius Petrescu; Delia Mioara Popescu; Nicoleta Sirbu
Information security has come to be recognized as increasingly important because global communication and information systems allow a potentially large number of unauthorized users to access and possibly alter information from around the world. As the dependence on information systems grows, so the security of information networks becomes ever more critical to any entity, no matter if it is a company or a public institution. Information security involves both technology and people. Any securi...
Kanai, Yoichi; Yachida, Masuyoshi; Yoshikawa, Hiroharu; Yamaguchi, Masahiro; Ohyama, Nagaaki
A new network security protocol that uses smart IC cards has been designed to assure the integrity and privacy of medical information in communication over a non-secure network. Secure communication software has been implemented as a library based on this protocol, which is called the Integrated Secure Communication Layer (ISCL), and has been incorporated into information systems of the National Cancer Center Hospitals and the Health Service Center of the Tokyo Institute of Technology. Both systems have succeeded in communicating digital medical information securely.
Information security management systems are increasingly applied in a number of sectors of the new, global, interconnected economy. They are used by production and service companies, businesses that provide information technology and telecom services, state administration authorities and local governments. Specifically, they are used in case of crime groups or as a means of securing illegal transactions.
V. R. Petrov
Full Text Available The purpose of this paper is the general problems of information security in access control system. The field of using is the in project of reconstruction Physical protection system.
Tettero, Olaf; Tettero, O.
This book presents a systematic approach to embed information security issues in the design process of telematics systems. The approach supports both designers and user organisations. We elaborate on the activities that designers should perform to design telematics systems in which information
Full Text Available Organizations make use of important information in day-to-day business. Protecting sensitive information is imperative and must be managed. Companies in many parts of the world protect sensitive information using the international standard known as the information security management system (ISMS. ISO 27000 series is the international standard ISMS used to protect confidentiality, integrity, and availability of sensitive information. While an ISMS based on ISO 27000 series has no particular flaws for general information systems, it is unfit to manage sensitive information for industrial control systems (ICSs because the first priority of industrial control is safety of the system. Therefore, a new information security management system based on confidentiality, integrity, and availability as well as safety is required for ICSs. This new ISMS must be mutually exclusive of an ICS. This paper provides a new paradigm of ISMS for ICSs, which will be shown to be more suitable than the existing ISMS.
Park, Sanghyun; Lee, Kyungho
Organizations make use of important information in day-to-day business. Protecting sensitive information is imperative and must be managed. Companies in many parts of the world protect sensitive information using the international standard known as the information security management system (ISMS). ISO 27000 series is the international standard ISMS used to protect confidentiality, integrity, and availability of sensitive information. While an ISMS based on ISO 27000 series has no particular flaws for general information systems, it is unfit to manage sensitive information for industrial control systems (ICSs) because the first priority of industrial control is safety of the system. Therefore, a new information security management system based on confidentiality, integrity, and availability as well as safety is required for ICSs. This new ISMS must be mutually exclusive of an ICS. This paper provides a new paradigm of ISMS for ICSs, which will be shown to be more suitable than the existing ISMS.
Organizations make use of important information in day-to-day business. Protecting sensitive information is imperative and must be managed. Companies in many parts of the world protect sensitive information using the international standard known as the information security management system (ISMS). ISO 27000 series is the international standard ISMS used to protect confidentiality, integrity, and availability of sensitive information. While an ISMS based on ISO 27000 series has no particular flaws for general information systems, it is unfit to manage sensitive information for industrial control systems (ICSs) because the first priority of industrial control is safety of the system. Therefore, a new information security management system based on confidentiality, integrity, and availability as well as safety is required for ICSs. This new ISMS must be mutually exclusive of an ICS. This paper provides a new paradigm of ISMS for ICSs, which will be shown to be more suitable than the existing ISMS. PMID:25136659
V. K. Dzhogan
Full Text Available Synthesis of a scorecard is a gradual process of composition, since the set of elements that reflect the original, systematized their condition, and, through a series of intermediates, linking them in a single bound to the structure ends with one element that reflects the purpose of the system. The hierarchical structure of the system performance of information security in computer systems is a structure with regard to “one to many”. The article reflects the extent of information security tools capabilities influence at the security of information resources of computer systems (from indirect — Class 1, to direct — Class 4.
Full Text Available Universities are the leading institutions that are the sources of educated human population who both produce information and ensure to develop new products and new services by using information effectively, and who are needed in every area. Therefore, universities are expected to be institutions where information and information management are used efficiently. In the present study, the topics such as infrastructure, operation, application, information, policy and human-based information security at universities were examined within the scope of the information security standards which are highly required and intended to be available at each university today, and then a comparative analysis was conducted specific to Turkey. Within the present study, the Microsoft Security Assessment Tool developed by Microsoft was used as the risk analysis tool. The analyses aim to enable the universities to compare their information systems with the information systems of other universities within the scope of the information security awareness, and to make suggestions in this regard.
Full Text Available The safety provided by a well configured firewall is no excuse for neglecting the standard security procedures;setting up and installing a firewall is the first line of defense and not a full proof solution, auditing being only onecomponent of the system, whilst the other is protecting the resources and when we consider auditing as being theprocess of recording certain events that take place on a computer or within a network, we must come to the conclusionthat this is the only technique that allows us to identify the source of a possible issue within the network.Information security is used as a means to protect the intellectual property rights, whilst the main objective insetting up an information security system is to enlist the confidence of prospective business partners. In accordancewith the legal requisites and the principle of maximizing one’s investment, regardless of the many forms it could take,or the means through which it is stored, transmitted or distributed, information must be protected.Information security is not only a technical problem, but mainly a managerial issue, as the security standard,ISO/IEC 17799 meets the needs of any type of organization, be it public or private, through a series of practices relatedto the management of information security.This paper aims to present the process of taking entry data from a plethora of programs and storing it in acentral location. Due to its flexibility, this process can be a useful auditing instrument, as long as we are familiar withthe way it works and how the events are recorded.
Glantz, Clifford S.; Lenaeus, Joseph D.; Landine, Guy P.; O' Neil, Lori Ross; Leitch, Rosalyn; Johnson, Christopher; Lewis, John G.; Rodger, Robert M.
The threats to information security have dramatically increased with the proliferation of information systems and the internet. Chemical, biological, radiological, nuclear, and explosives (CBRNe) facilities need to address these threats in order to protect themselves from the loss of intellectual property, theft of valuable or hazardous materials, and sabotage. Project 19 of the European Union CBRN Risk Mitigation Centres of Excellence Initiative is designed to help CBRN security managers, information technology/cybersecurity managers, and other decision-makers deal with these threats through the application of cost-effective information security programs. Project 19 has developed three guidance documents that are publically available to cover information security best practices, planning for an information security management system, and implementing security controls for information security.
Kim, Hyun Tae; Park, Jee Won; Ko Han Suk
A Geographical Information System (GIS) is usually defined as an information system for capturing, checking, storing, retrieving, manipulating, analyzing, and displaying spatial and relevant non-spatial data. Here 'spatial' means 'geo-referenced to the earth'. It is estimated that about 80% of the data used in business and government are of spatial type. The georeferenced information on sensitive location is usually protected as the highest level of confidentiality by the most information system. This paper discusses a commercial satellite imagery based secure Intranet GIS which runs the Microsoft .NET technology
Full Text Available to set up in time for scenarios which require real time information. This may force communications to utilise public infrastructure. Securing communications for military mobile and Web based systems over public networks poses a greater challenge compared...
Aydın, Özlem Müge; Chouseinoglou, Oumout
Health information systems (HIS) are a specific area of information systems (IS), where critical patient data is stored and quality health service is only realized with the correct use and efficient dissemination of this data to health workers. Therefore, a balance needs to be established between the levels of security and flow of information on HIS. Instead of implementing higher levels and further mechanisms of control to increase the security of HIS, it is preferable to deal with the arguably weakest link on HIS chain with respect to security: HIS users. In order to provide solutions and approaches for transforming users to the first line of defense in HIS but also to employ capable and appropriate candidates from the pool of newly graduated students, it is important to assess and evaluate the security awareness levels and characteristics of these existing and future users. This study aims to provide a new perspective to understand the phenomenon of security awareness of HIS users with the use of fuzzy analysis, and to assess the present situation of current and future HIS users of a leading medical and educational institution of Turkey, with respect to their security characteristics based on four different security scales. The results of the fuzzy analysis, the guide on how to implement this fuzzy analysis to any health institution and how to read and interpret these results, together with the possible implications of these results to the organization are provided.
Gritzalis, Dimitris; Lambrinoudakis, Costas
Several hereditary and other chronic diseases necessitate continuous and complicated health care procedures, typically offered in different, often distant, health care units. Inevitably, the medical records of patients suffering from such diseases become complex, grow in size very fast and are scattered all over the units involved in the care process, hindering communication of information between health care professionals. Web-based electronic medical records have been recently proposed as the solution to the above problem, facilitating the interconnection of the health care units in the sense that health care professionals can now access the complete medical record of the patient, even if it is distributed in several remote units. However, by allowing users to access information from virtually anywhere, the universe of ineligible people who may attempt to harm the system is dramatically expanded, thus severely complicating the design and implementation of a secure environment. This paper presents a security architecture that has been mainly designed for providing authentication and authorization services in web-based distributed systems. The architecture has been based on a role-based access scheme and on the implementation of an intelligent security agent per site (i.e. health care unit). This intelligent security agent: (a). authenticates the users, local or remote, that can access the local resources; (b). assigns, through temporary certificates, access privileges to the authenticated users in accordance to their role; and (c). communicates to other sites (through the respective security agents) information about the local users that may need to access information stored in other sites, as well as about local resources that can be accessed remotely.
Yashiro, Shigeo; Aoki, Kazuhisa; Sato, Tomohiko; Tanji, Kazuhiro
With the rapid progress of the utilization of Information Technology (IT), IT infrastructure (network environment and information system) became crucial as a lifeline for promoting business. At the same time, changes in the circumstances surrounding the IT infrastructure globalize the threat of cyber attacks and increase the risk of the information security such as unlawful access to an information system, viral infection, an alteration of a website, disclosure of subtlety information, destruction of an information system and so on. Information security measure is an important issue in Japan Atomic Energy Agency (JAEA). In order to protect the information property of JAEA from the threat, Center for Computational Science and e-Systems (CCSE) has been taking triadic measures for information security: (1) to lay down a set of information security rules, (2) to introduce security equipments to backbone network and (3) to provide information security education. This report is a summary of the contents of the information security education by e-learning. (author)
Dube, Kudakwashe; Shoniregun, Charles A
The ever-increasing healthcare expenditure and pressing demand for improved quality and efficiency of patient care services are driving innovation in healthcare information management. The domain of healthcare has become a challenging testing ground for information security due to the complex nature of healthcare information and individual privacy. ""Electronic Healthcare Information Security"" explores the challenges of e-healthcare information and security policy technologies. It evaluates the effectiveness of security and privacy implementation systems for anonymization methods and techniqu
Intended for IT managers and assets protection professionals, this work aims to bridge the gap between information security, information systems security and information warfare. It covers topics such as the role of the corporate security officer; Corporate cybercrime; Electronic commerce and the global marketplace; Cryptography; and, more.
Brotby, W Krag
Other books on information security metrics discuss number theory and statistics in academic terms. Light on mathematics and heavy on utility, PRAGMATIC Security Metrics: Applying Metametrics to Information Security breaks the mold. This is the ultimate how-to-do-it guide for security metrics.Packed with time-saving tips, the book offers easy-to-follow guidance for those struggling with security metrics. Step by step, it clearly explains how to specify, develop, use, and maintain an information security measurement system (a comprehensive suite of metrics) to
Andany, J; Bjorkendal, C; Ferrara, F M; Scherrer, J R; Spahni, S
The integration and evolution of existing systems represents one of the most urgent priorities of health care information systems in order to allow the whole organisation to meet the increasing clinical organisational and managerial needs. The CEN ENV 12967-1 'Healthcare Information Systems Architecture'(HISA) standard defines an architectural approach based on a middleware of business-specific common services, enabling all parts of the local and geographical system to operate on the common information heritage of the organisation and on exploiting a set of common business-oriented functionality. After an overview on the key aspects of HISA, this paper discusses the positioning of the authorization and security aspects in the overall architecture. A global security framework is finally proposed.
Takamura, Eduardo; Mangum, Kevin
The National Aeronautics and Space Administration (NASA) invests millions of dollars in spacecraft and ground system development, and in mission operations in the pursuit of scientific knowledge of the universe. In recent years, NASA sent a probe to Mars to study the Red Planet's upper atmosphere, obtained high resolution images of Pluto, and it is currently preparing to find new exoplanets, rendezvous with an asteroid, and bring a sample of the asteroid back to Earth for analysis. The success of these missions is enabled by mission assurance. In turn, mission assurance is backed by information assurance. The information systems supporting NASA missions must be reliable as well as secure. NASA - like every other U.S. Federal Government agency - is required to manage the security of its information systems according to federal mandates, the most prominent being the Federal Information Security Management Act (FISMA) of 2002 and the legislative updates that followed it. Like the management of enterprise information technology (IT), federal information security management takes a "one-size fits all" approach for protecting IT systems. While this approach works for most organizations, it does not effectively translate into security of highly specialized systems such as those supporting NASA missions. These systems include command and control (C&C) systems, spacecraft and instrument simulators, and other elements comprising the ground segment. They must be carefully configured, monitored and maintained, sometimes for several years past the missions' initially planned life expectancy, to ensure the ground system is protected and remains operational without any compromise of its confidentiality, integrity and availability. Enterprise policies, processes, procedures and products, if not effectively tailored to meet mission requirements, may not offer the needed security for protecting the information system, and they may even become disruptive to mission operations
Zhou, Chao; Wang, Ziying; Guo, Jing; Guo, Yajuan; Huang, Wei
Informatization has penetrated the whole process of production and operation of electric power enterprises. It not only improves the level of lean management and quality service, but also faces severe security risks. The internal network terminal is the outermost layer and the most vulnerable node of the inner network boundary. It has the characteristics of wide distribution, long depth and large quantity. The user and operation and maintenance personnel technical level and security awareness is uneven, which led to the internal network terminal is the weakest link in information security. Through the implementation of security of management, technology and physics, we should establish an internal network terminal security protection system, so as to fully protect the internal network terminal information security.
Matsui, S [Central Research Institute of Electric Power Industry, Tokyo (Japan)
The latest situation of the security management for a distributed information system was examined and systematically summarized to indicate the management design in future. This paper describes the threat of the distributed information system to security, the risk for confidentiality, integrity, and availability due to the threat, and the measures to be taken. The basic technology of security management is classified into the `user certification to prevent an incorrect access` and the `encipherment to prevent data from being used incorrectly.` The technology for certification has been almost completed. It can be securely done using an expendable password or IC card system. In Internet, multiple enciphering technologies for constructing a virtual private network that can secure the almost the same security as for a private network can be used. In an electronic mail, the enciphering technology can also be used easily. The tool that manages the security of very many servers, clients, and networks is in the initial stage. 16 refs., 1 fig., 5 tabs.
A. M. Chernih
Full Text Available The main approaches to ensuring security of information in the automated training systems are considered, need of application of situational management of security of information for the automated training systems is proved, the mathematical model and a problem definition of situational control is offered, the technique of situational control of security of information is developed.The purpose of the study. The aim of the study is to base the application of situational control of information security by subsystem of the control and protection of information in automated learning systems and to develop implementation methods of the situational control concept.Materials and methods. It is assumed that the automated learning system is a fragment of a larger information system that contains several information paths, each of them treats different information in the protection degree from information, containing constituting state secrets, to open access information.It is considered that the technical methods, measures and means of information protection in automated learning systems implement less than half (30% functions of subsystems of control and protection information. The main part of the functions of this subsystem are organizational measures to protect information. It is obvious that the task of ensuring the security of information in automated learning systems associated with the adoption of decisions on rational selection and proper combination of technical methods and institutional arrangements. Conditions of practical application of automated learning systems change over time and transform the situation of such a decision, and this leads to the use of situational control methods.When situational control is implementing, task of the protection of information in automated learning system is solved by the subsystem control and protection of information by distributing the processes ensuring the security of information and resources of
Hendrawaty, Manise; Harisno, Harisno
Food is the main basic need of human, because of that fulfillment of human need of food has to be fulfilled. So it can fulfill that need, then government institution, Food Security Agency (BKP) is formed so it can monitor fulfillment of food need of society. The goals of this writing are to develop food security information system that provides dashboard facility based on business intelligence, to develop food security information system that can give fast, precise and real time information a...
... INFORMATION CONTACT: Joanna Johnson, Office of Information Technology, TSA-11, Transportation Security... Collection Activity Under OMB Review: Pipeline System Operator Security Information AGENCY: Transportation... System Operator Security Information. Type of Request: New collection. OMB Control Number: Not yet...
Tsohou, Aggeliki; Kokolakis, Spyros; Lambrinoudakis, Costas; Gritzalis, Stefanos
The need for common understanding and agreement of functional and non-functional requirements is well known and understood by information system designers. This is necessary for both: designing the "correct" system and achieving interoperability with other systems. Security is maybe the best example of this need. If the understanding of the security requirements is not the same for all involved parties and the security mechanisms that will be implemented do not comply with some globally accepted rules and practices, then the system that will be designed will not necessarily achieve the desired security level and it will be very difficult to securely interoperate with other systems. It is therefore clear that the role and contribution of international standards to the design and implementation of security mechanisms is dominant. In this paper we provide a state of the art review on information security management standards published by the International Organization for Standardization and the International Electrotechnical Commission. Such an analysis is meaningful to security practitioners for an efficient management of information security. Moreover, the classification of the standards in the clauses of ISO/IEC 27001:2005 that results from our analysis is expected to provide assistance in dealing with the plethora of security standards.
Tipton, Harold F
Since 1993, the Information Security Management Handbook has served not only as an everyday reference for information security practitioners but also as an important document for conducting the intense review necessary to prepare for the Certified Information System Security Professional (CISSP) examination. Now completely revised and updated and in its fifth edition, the handbook maps the ten domains of the Information Security Common Body of Knowledge and provides a complete understanding of all the items in it. This is a ...must have... book, both for preparing for the CISSP exam and as a c
Now updated-your expert guide to twenty-first century information security Information security is a rapidly evolving field. As businesses and consumers become increasingly dependent on complex multinational information systems, it is more imperative than ever to protect the confidentiality and integrity of data. Featuring a wide array of new information on the most current security issues, this fully updated and revised edition of Information Security: Principles and Practice provides the skills and knowledge readers need to tackle any information security challenge. Taking a pract
The growing demand for healthcare services is motivating hospitals to strengthen outpatient case management using information systems in order to serve more patients using the available resources. Though the use of information systems in outpatient case management raises patient data security
Dorodny, V S
Adopting and developing the new generation of information systems will be essential to remain competitive in a quality conscious health care environment. These systems enable physicians to document patient encounters and aggregate the information from the population they treat, while capturing detailed data on chronic medical conditions, medications, treatment plans, risk factors, severity of conditions, and health care resource utilization and management. Today, the knowledge-based information systems should offer instant, around-the-clock access for the provider, support simple order entry, facilitate data capture and retrieval, and provide eligibility verification, electronic authentication, prescription writing, security, and reporting that benchmarks outcomes management based upon clinical/financial decisions and treatment plans. It is an integral part of any information system to incorporate and integrate transactional (financial/administrative) information, as well as analytical (clinical/medical) data in a user-friendly, readily accessible, and secure form. This article explores the technical, financial, logistical, and behavioral obstacles on the way to the Promised Land.
Olga V. Lukinova
Full Text Available Examines the specific issues of building functional and technological profiles of the security systems to ensure the safety of information systems in the paradigm of functional standardization; shows a view of the system of protection based on the model of OSE/RM; studied the composition and structure of the concept of "defense mechanism" for the purpose of profiling third instalment correction representation of the system of protection.
Anatoly A. Malyuk
Full Text Available The formation of a global information society poses a particular challenge to the development of an information security culture. In the Doctrine of Information Security of the Russian Federation, adopted in December 2016, one of the main threats is the low awareness of citizens in matters of ensuring personal information security. One of the most important mechanisms for increasing competence and forming an in-formation security culture, in addition to mass training of people, are methods of propaganda and creation of "hot lines". They allow the general public to take the initiative in monitoring and reporting computer incidents. The development of such approaches should be carried out taking into account the international experience accumulated today. To this end, the article examines the European experience of creating a system of information and advisory assistance in the field of preventing threats to the security of public and corporate information systems, primarily information and telecommunications networks, as well as eliminating the consequences of threats in the information sphere. The analysis of the experience of implementing the pilot project of the European Information Sharing and Alert System has revealed the advisability of designing such systems on the basis of a management model with four players that unites network operators, information producers (who are IT product suppliers or IT security specialists; local information intermediaries and consumers of information. As a model of the information flow, a node can be selected that runs a local web portal that provides information to end users, generates new information, adapts information to the constraints of various distribution channels, and to the characteristics of end-user target groups. The methodology of the pilot project can be used in the design and deployment of a notification and information exchange system aimed at end-users of several regions or countries
Harris, Mark A.
Information security research states that corporate security policy and information security training should be socio-technical in nature and that corporations should consider training as a primary method of protecting their information systems. However, information security policies and training are predominately technical in nature. In addition,…
Radut Carmen; Albici Mihaela; Tenovici Cristina Otilia
Information security is a broader concept which refers to ensuring the integrity, confidentiality and availability of information. The dynamics of information technology to induce new risks to which organizations must implement new measures of control. Technological development has been accompanied by security solutions, equipment manufacturers and applications including technical methods of protection performance. However, while in information technology change is exponential, the human comp...
MARIUS PETRESCU; NICOLETA SÎRBU; ANCA-GABRIELA PETRESCU; MIOARA BRABOVEANU
Information security has come to be recognized as increasingly important because global communication and information systems allow a potentially large number of unauthorized users to access and possibly alter information from around the world. As the dependence on information systems grows, so the security of information networks becomes ever more critical to any entity, no matter if it is a company or a public institution. Information security involves both technology and people. Any securi...
The Army Secure Operating System (ASOS) project, under the management of the U.S. Army CECOM organization, will provide real time systems software necessary for fielding modern Battlefield Automation Systems...
Introduction to Strategic Information SecurityWhat Does It Mean to Be Strategic? Information Security Defined The Security Professional's View of Information Security The Business View of Information SecurityChanges Affecting Business and Risk Management Strategic Security Strategic Security or Security Strategy?Monitoring and MeasurementMoving Forward ORGANIZATIONAL ISSUESThe Life Cycles of Security ManagersIntroductionThe Information Security Manager's Responsibilities The Evolution of Data Security to Information SecurityThe Repository Concept Changing Job Requirements Business Life Cycles
Foltz, C. Bryan; Renwick, Janet S.
The authors examined the extent to which information systems (IS) security and computer crime are covered in information systems programs. Results suggest that IS faculty believe security coverage should be increased in required, elective, and non-IS courses. However, respondent faculty members are concerned that existing curricula leave little…
Chen Ligang; Liu Hongye; Zhang Wei; Sun Jianying; Lan Peng; Dai Sidan
With the rapid development of information technology in enterprise application, industrial control network and management network is becoming more and more closely linked. Development and application of special equipment control system from the traditional industrial control system, not considered when designing communication security problem mainly, therefore, the industrial control system opened at the same time, isolation control system and the outside was weakened, the safety problems of industrial control system had become more and more serious. The practical application combined with the special equipment control system, analysis and elaboration in view of security problems for the control network, also, provide appropriate security solutions for professional characteristics of industrial control network, design on process control system specially, provide security partition protection scheme, in order to improve security ability of industrial control system information. (authors)
Report #2006-P-00021, March 30, 2006. We found that the Office of Water (OW) substantially complied with many of the information security controls reviewed and had implemented practices to ensure production servers are monitored.
Darya Sergeevna Simonenkova
Full Text Available The subject of the research is modeling and security threat assessments of data processed in cloud based information systems (CBIS. This method allow to determine the current security threats of CBIS, state of the system in which vulnerabilities exists, level of possible violators, security properties and to generate recommendations for neutralizing security threats of CBIS.
Jašek, Roman; Králík, Lukáš; Popelka, Miroslav
This paper discusses the context of ITIL framework and management of information security. It is therefore a summary study, where the first part is focused on the safety objectives in connection with the ITIL framework. First of all, there is a focus on ITIL process ISM (Information Security Management), its principle and system management. The conclusion is about link between standards, which are related to security, and ITIL framework
Zarei, Javad; Sadoughi, Farahnaz
In recent years, hospitals in Iran - similar to those in other countries - have experienced growing use of computerized health information systems (CHISs), which play a significant role in the operations of hospitals. But, the major challenge of CHIS use is information security. This study attempts to evaluate CHIS information security risk management at hospitals of Iran. This applied study is a descriptive and cross-sectional research that has been conducted in 2015. The data were collected from 551 hospitals of Iran. Based on literature review, experts' opinion, and observations at five hospitals, our intensive questionnaire was designed to assess security risk management for CHISs at the concerned hospitals, which was then sent to all hospitals in Iran by the Ministry of Health. Sixty-nine percent of the studied hospitals pursue information security policies and procedures in conformity with Iran Hospitals Accreditation Standards. At some hospitals, risk identification, risk evaluation, and risk estimation, as well as risk treatment, are unstructured without any specified approach or methodology. There is no significant structured approach to risk management at the studied hospitals. Information security risk management is not followed by Iran's hospitals and their information security policies. This problem can cause a large number of challenges for their CHIS security in future. Therefore, Iran's Ministry of Health should develop practical policies to improve information security risk management in the hospitals of Iran.
Optical and Digital Techniques for Information Security is the first book in a series focusing on Advanced Sciences and Technologies for Security Applications. This book encompases the results of research investigation and technologies used to secure, verify, recognize, track, and authenticate objects and information from theft, counterfeiting, and manipulation by unauthorized persons and agencies. This Information Security book will draw on the diverse expertise in optical sciences and engineering, digital image processing, imaging systems, information processing, computer based information systems, sensors, detectors, and biometrics to report innovative technologies that can be applied to information security issues. The Advanced Sciences and Technologies for Security Applications series focuses on research monographs in the areas of: -Recognition and identification (including optical imaging, biometrics, authentication, verification, and smart surveillance systems) -Biological and chemical threat detection...
Li, Xuelei; Wen, Qiaoyan; Li, Wenmin; Zhang, Hua; Jin, Zhengping
Healthcare delivery services via telecare medicine information systems (TMIS) can help patients to obtain their desired telemedicine services conveniently. However, information security and privacy protection are important issues and crucial challenges in healthcare information systems, where only authorized patients and doctors can employ telecare medicine facilities and access electronic medical records. Therefore, a secure authentication scheme is urgently required to achieve the goals of entity authentication, data confidentiality and privacy protection. This paper investigates a new biometric authentication with key agreement scheme, which focuses on patient privacy and medical data confidentiality in TMIS. The new scheme employs hash function, fuzzy extractor, nonce and authenticated Diffie-Hellman key agreement as primitives. It provides patient privacy protection, e.g., hiding identity from being theft and tracked by unauthorized participant, and preserving password and biometric template from being compromised by trustless servers. Moreover, key agreement supports secure transmission by symmetric encryption to protect patient's medical data from being leaked. Finally, the analysis shows that our proposal provides more security and privacy protection for TMIS.
Blobel, B; Roger-France, F
A toolset using object-oriented techniques including the nowadays popular unified modelling language (UML) approach has been developed to facilitate the different users' views for security analysis and design of health care information systems. Paradigm and concepts used are based on the component architecture of information systems and on a general layered security model. The toolset was developed in 1996/1997 within the ISHTAR project funded by the European Commission as well as through international standardisation activities. Analysing and systematising real health care scenarios, only six and nine use case types could be found in the health and the security-related view, respectively. By combining these use case types, the analysis and design of any thinkable system architecture can be simplified significantly. Based on generic schemes, the environment needed for both communication and application security can be established by appropriate sets of security services and mechanisms. Because of the importance and the basic character of electronic health care record (EHCR) systems, the understanding of the approach is facilitated by (incomplete) examples for this application.
It briefly describes the impact of large data era on China’s network policy, but also brings more opportunities and challenges to the network information security. This paper reviews for the internationally accepted basic model and characteristics of network information security, and analyses the characteristics of network information security and their relationship. On the basis of the NIST security model, this paper describes three security control schemes in safety management model and the...
Pipkin, Donald L
In this book, IT security expert Donald Pipkin addresses every aspect of information security: the business issues, the technical process issues, and the legal issues. Pipkin starts by reviewing the key business issues: estimating the value of information assets, evaluating the cost to the organization if they are lost or disclosed, and determining the appropriate levels of protection and response to security incidents. Next, he walks through the technical processes required to build a consistent, reasonable information security system, with appropriate intrusion detection and reporting features. Finally, Pipkin reviews the legal issues associated with information security, including corporate officers' personal liability for taking care that information is protected. The book's coverage is applicable to businesses of any size, from 50 employees to 50,000 or more, and ideal for everyone who needs at least a basic understanding of information security: network/system administrators, managers, planners, archite...
Zarei, Javad; Sadoughi, Farahnaz
Background In recent years, hospitals in Iran – similar to those in other countries – have experienced growing use of computerized health information systems (CHISs), which play a significant role in the operations of hospitals. But, the major challenge of CHIS use is information security. This study attempts to evaluate CHIS information security risk management at hospitals of Iran. Materials and methods This applied study is a descriptive and cross-sectional research that has been conducted in 2015. The data were collected from 551 hospitals of Iran. Based on literature review, experts’ opinion, and observations at five hospitals, our intensive questionnaire was designed to assess security risk management for CHISs at the concerned hospitals, which was then sent to all hospitals in Iran by the Ministry of Health. Results Sixty-nine percent of the studied hospitals pursue information security policies and procedures in conformity with Iran Hospitals Accreditation Standards. At some hospitals, risk identification, risk evaluation, and risk estimation, as well as risk treatment, are unstructured without any specified approach or methodology. There is no significant structured approach to risk management at the studied hospitals. Conclusion Information security risk management is not followed by Iran’s hospitals and their information security policies. This problem can cause a large number of challenges for their CHIS security in future. Therefore, Iran’s Ministry of Health should develop practical policies to improve information security risk management in the hospitals of Iran. PMID:27313481
The purpose of the Engineering Principles for Information Technology (IT) Security (HP-ITS) is to present a list of system-level security principles to he considered in the design, development, and operation of an information system...
F. N. Shago
Full Text Available Complication of information security management systems leads to the necessity of improving the scientific and methodological apparatus for these systems auditing. Planning is an important and determining part of information security management systems auditing. Efficiency of audit will be defined by the relation of the reached quality indicators to the spent resources. Thus, there is an important and urgent task of developing methods and techniques for optimization of the audit planning, making it possible to increase its effectiveness. The proposed technique gives the possibility to implement optimal distribution for planning time and material resources on audit stages on the basis of dynamics model for the ISMS quality. Special feature of the proposed approach is the usage of a priori data as well as a posteriori data for the initial audit planning, and also the plan adjustment after each audit event. This gives the possibility to optimize the usage of audit resources in accordance with the selected criteria. Application examples of the technique are given while planning audit information security management system of the organization. The result of computational experiment based on the proposed technique showed that the time (cost audit costs can be reduced by 10-15% and, consequently, quality assessments obtained through audit resources allocation can be improved with respect to well-known methods of audit planning.
Francois, Michael T.
Today's organizations rely heavily on information technology to conduct their daily activities. Therefore, their information security systems are an area of heightened security concern. As a result, organizations implement information security programs to address and mitigate that concern. However, even with the emphasis on information security,…
Security incidents resulting from human error or subversive actions have caused major financial losses, reduced business productivity or efficiency, and threatened national security. Some research suggests that information system security frameworks lack emphasis on human involvement as a significant cause for security problems in a rapidly…
Full Text Available End-users play a critical role in the effective implementation and running of an information security program in any organization. The success of such a program depends primarily on the effective implementation and execution of associated information security policies and controls and the resultant behavior and actions of end-users. However, end-users often have negative perception of information security in the organization and exhibit non-compliance. In order to improve compliance levels, it is vital to improve the image of information security in the minds of end-users. This paper borrows the concepts of brands and branding from the domain of marketing to achieve this objective and applies these concepts to information security. The paper also describes a process for creating the information security service brand in the organization.
Корнієнко, Б.; Національний авіаційний університет
In this article the OSI model in terms of information security classification of vulnerabilities and security measures at the level of model OSI. In order to build a comprehensive information security systems for information and communication systems and networks offer a model to extend the seven- nine levels — through eight levels — level politician and ninth — level users. Рассмотрены модель OSI с точки зрения информационной безопасности, классификация уязвимостей и мероприятий обеспечен...
Dmitry Sergeevich Chernyavskiy
Full Text Available Policy management for network security systems (NSSs is one of the most topical issues of network security management. Incorrect configurations of NSSs lead to system outages and appearance of vulnerabilities. Moreover, policy management process is a time-consuming task, which includes significant amount of manual work. These factors reduce efficiency of NSSs’ utilization. The paper discusses peculiarities of policy management process and existing approaches to policy modeling, presents a model aimed to formalize policies for NSSs independently on NSSs’ platforms and select the most effective NSSs for implementation of the policies.
Kurcheeva, G. I.; Denisov, V. V.; Khvorostov, V. A.
The article discusses issues related to comprehensive development and introduction of technologies such as “Smart city”. The urgency of accelerating the development of such highly organized systems, primarily in terms of reducing threats to information security, is emphasized in the paper. In accordance with authors’ analysis of the composition and structure of the threats to information security, “Accessibility”, “Integrity” and “Confidentiality” are highlighted. Violation of any of them leads to harmful effects on the information and other system resources. The protection of “Accessibility” mobilizes one third of all efforts to ensure information security that must be taken into account when allocating protective actions. The threats associated with failure of the supporting infrastructure are also significantly reduced. But the threats associated with failures of the system itself and failures of users are clearly increasing. There is a high level of society and production informatization, and the threats to information security are changing accordingly.
Quanyan Zhu; Miles McQueen; Craig Rieger; Tamer Basar
The use of information technologies in control systems poses additional potential threats due to the frequent disclosure of software vulnerabilities. The management of information security involves a series of policy-making on the vulnerability discovery, disclosure, patch development and patching. In this paper, we use a system approach to devise a model to understand the interdependencies of these decision processes. In more details, we establish a theoretical framework for making patching decision for control systems, taking into account the requirement of functionability of control systems. We illustrate our results with numerical simulations and show that the optimal operation period of control systems given the currently estimated attack rate is roughly around a half a month.
Prof. Ph.D . Gheorghe Popescu
Full Text Available The rapid and dramatic advances in information technology (IT in recent years have withoutquestion generated tremendous benefits. At the same time, information technology has created significant,nunprecedented risks to government and to entities operations. So, computer security has become muchmore important as all levels of government and entities utilize information systems security measures toavoid data tampering, fraud, disruptions in critical operations, and inappropriate disclosure of sensitiveinformation. Obviously, uses of computer security become essential in minimizing the risk of malicious attacksfrom individuals and groups, considering that there are many current computer systems with onlylimited security precautions in place.As we already know financial audits are the most common examinations that a business manager en-counters.This is a familiar area for most executives: they know that financial auditors are going to examine the financial records and how those records are used. They may even be familiar with physical securityaudits. However, they are unlikely to be acquainted with information security audits; that is an audit ofhow the confidentiality, availability and integrity of an organizations information are assured. Any way,if not, they should be, especially that an information security audit is one of the best ways to determine thesecurity of an organizations information without incurring the cost and other associated damages of a securityincident.
Pavel Valerievich Ivonin
The object of research in this article is technology of public clouds, structure and security system of clouds. Problems of information security in clouds are considered, elements of security system in public clouds are described.
Natalia Georgievna Miloslavskaya; Aleksandr Ivanovich Tolstoy
There is a transfer from the simple Log Management Systems and SIEM systems to those supporting Information Security Intelligence (ISI). ISIe as Business Intelligence enables companies to make more informed business decisions through more effective processing of great volumes of available information concerning their IT infrastructure. The relevance of such a transition is defined. The main goal and advantage of ISI are highlighted. The basic functionality of computer-based systems for ISI ar...
Zhang, Jianguo; Chen, Xiaomeng; Zhuang, Jun; Jiang, Jianrong; Zhang, Xiaoyan; Wu, Dongqing; Huang, H. K.
In this paper, we presented a new security approach to provide security measures and features in both healthcare information systems (PACS, RIS/HIS), and electronic patient record (EPR). We introduced two security components, certificate authoring (CA) system and patient record digital signature management (DSPR) system, as well as electronic envelope technology, into the current hospital healthcare information infrastructure to provide security measures and functions such as confidential or privacy, authenticity, integrity, reliability, non-repudiation, and authentication for in-house healthcare information systems daily operating, and EPR exchanging among the hospitals or healthcare administration levels, and the DSPR component manages the all the digital signatures of patient medical records signed through using an-symmetry key encryption technologies. The electronic envelopes used for EPR exchanging are created based on the information of signers, digital signatures, and identifications of patient records stored in CAS and DSMS, as well as the destinations and the remote users. The CAS and DSMS were developed and integrated into a RIS-integrated PACS, and the integration of these new security components is seamless and painless. The electronic envelopes designed for EPR were used successfully in multimedia data transmission.
... 48 Federal Acquisition Regulations System 5 2010-10-01 2010-10-01 false Information security. 1339... CATEGORIES OF CONTRACTING ACQUISITION OF INFORMATION TECHNOLOGY General 1339.107-70 Information security. (a... coordinate with the designated Contracting Officer Representative (COR) to complete the Information Security...
Report #10-P-0146, June 15, 2010. Williams Adley found that EPA program offices lacked evidence that they planned and executed tests of information system security controls as required by federal requirements.
Full Text Available As in any domain that involves the use of software, the library information systems take advantages of cloud computing. The paper highlights the main aspect of cloud based systems, describing some public solutions provided by the most important players on the market. Topics related to content security in cloud based services are tackled in order to emphasize the requirements that must be met by these types of systems. A cloud based implementation of an Information Library System is presented and some adjacent tools that are used together with it to provide digital content and metadata links are described. In a cloud based Information Library System security is approached by means of ontologies. Aspects such as content security in terms of digital rights are presented and a methodology for security optimization is proposed.
Kim, Yeojin; Ahn, Jung-Ho; Byun, Hyeran
As biometric recognition techniques are gradually improved, the stability of biometric authentication systems are enhanced. Although bioinformation has properties that make it resistant to fraud, biometric authentication systems are not immune to hacking. We show a secure biometric authentication system (1) to guarantee the integrity of biometric information by mixing data by use of a biometric key and (2) to raise recognition rates by use of bimodal biometrics.
Natalia Georgievna Miloslavskaya
Full Text Available There is a transfer from the simple Log Management Systems and SIEM systems to those supporting Information Security Intelligence (ISI. ISIe as Business Intelligence enables companies to make more informed business decisions through more effective processing of great volumes of available information concerning their IT infrastructure. The relevance of such a transition is defined. The main goal and advantage of ISI are highlighted. The basic functionality of computer-based systems for ISI are determined.
Awad, Ali Ismail; Fairhurst, Michael
This book outlines key emerging trends in information security from the foundations and technologies in biometrics, cybersecurity, and big data security to applications in hardware and embedded systems security, computer forensics, the Internet of Things security, and network security.
Park, Woo-Sung; Seo, Sun-Won; Son, Seung-Sik; Lee, Mee-Jeong; Kim, Shin-Hyo; Choi, Eun-Mi; Bang, Ji-Eon; Kim, Yea-Eun; Kim, Ok-Nam
Objectives The information security management systems (ISMS) of 5 hospitals with more than 500 beds were evaluated with regards to the level of information security, management, and physical and technical aspects so that we might make recommendations on information security and security countermeasures which meet both international standards and the needs of individual hospitals. Methods The ISMS check-list derived from international/domestic standards was distributed to each hospital to com...
Modern information technologies are the engine of globalization. At the same time, the global market influences the way of looking at information security. Information security thus becomes an increasingly important field. The article discuses the results of research on information security management systems in public administration in Poland.
Ishikawa, Hiroyuki; Tate, Akihiro; Murakami, Tadashi
In J-PARC (Japan Proton Accelerator Research Complex) we have set up intra-network (internal network, we will abbreviate it as JLAN, below) to support research activity and communication among users. In JLAN, we set up various kinds of security devices to keep JLAN secure. However, the servers which provide information or service to public are still in danger of being accessed illegally. If there is an illegal access, that may cause defacement of data or information leak. Furthermore, the victim servers are manipulated by the malicious attackers, and they themselves attack the external information equipments. Vulnerability of servers enables unauthorized access. So, vulnerability test with use of a vulnerability tool is one of the most effective ways to take measures for vulnerability of the equipments. However, it is not enough to just conduct a vulnerability test. It is also essential for information security to take measures to cover constantly for the vulnerability of servers. We focused on the points above, and developed the vulnerability testing system for security. It is not only a testing tool for the vulnerability of servers, but also management system which enables the server administrators in charge of taking measures for vulnerabilities to manage risks and handles PDCA (Plan-Do-Check-Action) cycles as countermeasure for vulnerability. In this paper, we report the technologies and ingenuities for the development of the above system. (author)
Information security is the act of protecting information from unauthorized access, use, disclosure, disruption, modification, or destruction. This book discusses why information security is needed and how security problems can have widespread impacts. It covers the complete security lifecycle of products and services, starting with requirements and policy development and progressing through development, deployment, and operations, and concluding with decommissioning. Professionals in the sciences, engineering, and communications fields will turn to this resource to understand the many legal,
Voeller, John G
Communication and Information Systems Security features articles from the Wiley Handbook of Science and Technology for Homeland Security covering strategies for protecting the telecommunications sector, wireless security, advanced web based technology for emergency situations. Science and technology for critical infrastructure consequence mitigation are also discussed.
Park, Woo-Sung; Seo, Sun-Won; Son, Seung-Sik; Lee, Mee-Jeong; Kim, Shin-Hyo; Choi, Eun-Mi; Bang, Ji-Eon; Kim, Yea-Eun; Kim, Ok-Nam
The information security management systems (ISMS) of 5 hospitals with more than 500 beds were evaluated with regards to the level of information security, management, and physical and technical aspects so that we might make recommendations on information security and security countermeasures which meet both international standards and the needs of individual hospitals. The ISMS check-list derived from international/domestic standards was distributed to each hospital to complete and the staff of each hospital was interviewed. Information Security Indicator and Information Security Values were used to estimate the present security levels and evaluate the application of each hospital's current system. With regard to the moderate clause of the ISMS, the hospitals were determined to be in compliance. The most vulnerable clause was asset management, in particular, information asset classification guidelines. The clauses of information security incident management and business continuity management were deemed necessary for the establishment of successful ISMS. The level of current ISMS in the hospitals evaluated was determined to be insufficient. Establishment of adequate ISMS is necessary to ensure patient privacy and the safe use of medical records for various purposes. Implementation of ISMS which meet international standards with a long-term and comprehensive perspective is of prime importance. To reflect the requirements of the varied interests of medical staff, consumers, and institutions, the establishment of political support is essential to create suitable hospital ISMS.
Lins, Isis Didier; Rêgo, Leandro Chaves; Moura, Márcio das Chagas
This work analyzes the strategic interaction between a defender and an intelligent attacker by means of a game and reliability framework involving a multi-objective approach and imperfect information so as to support decision-makers in choosing efficiently designed security systems. A multi-objective genetic algorithm is used to determine the optimal security system's configurations representing the tradeoff between the probability of a successful defense and the acquisition and operational costs. Games with imperfect information are considered, in which the attacker has limited knowledge about the actual security system. The types of security alternatives are readily observable, but the number of redundancies actually implemented in each security subsystem is not known. The proposed methodology is applied to an illustrative example considering power transmission lines in the Northeast of Brazil, which are often targets for attackers who aims at selling the aluminum conductors. The empirical results show that the framework succeeds in handling this sort of strategic interaction. -- Highlights: ► Security components must have feasible costs and must be reliable. ► The optimal design of security systems considers a multi-objective approach. ► Games of imperfect information enable the choice of non-dominated configurations. ► MOGA, reliability and games support the entire defender's decision process. ► The selection of effective security systems may discourage attacker's actions
Ignatiy A. Grachkov
obtaining unauthorized access to industrial control systems using the Shodan search engine is described and recommendations how to ensure information security of the industrial control system are given.
Peltier, Thomas R
Developing an information security program that adheres to the principle of security as a business enabler must be the first step in an enterprise's effort to build an effective security program. Following in the footsteps of its bestselling predecessor, Information Security Fundamentals, Second Edition provides information security professionals with a clear understanding of the fundamentals of security required to address the range of issues they will experience in the field.The book examines the elements of computer security, employee roles and r
Vasilikos, Panagiotis; Nielson, Flemming; Nielson, Hanne Riis
. In this paper, we develop a formal approach of information flow for timed automata that allows intentional information leaks. The security of a timed automaton is then defined using a bisimulation relation that takes account of the non-determinism and the clocks of timed automata. Finally, we define...... of security goals for confidentiality and integrity. Notions of security based on Information flow control, such as non-interference, provide strong guarantees that no information is leaked; however, many cyberphysical systems leak intentionally some information in order to achieve their purposes...... an algorithm that traverses a timed automaton and imposes information flow constraints on it and we prove that our algorithm is sound with respect to our security notion....
Lundgren, Björn; Möller, Niklas
This article proposes a new definition of information security, the 'Appropriate Access' definition. Apart from providing the basic criteria for a definition-correct demarcation and meaning concerning the state of security-it also aims at being a definition suitable for any information security perspective. As such, it bridges the conceptual divide between so-called 'soft issues' of information security (those including, e.g., humans, organizations, culture, ethics, policies, and law) and more technical issues. Because of this it is also suitable for various analytical purposes, such as analysing possible security breaches, or for studying conflicting attitudes on security in an organization. The need for a new definition is demonstrated by pointing to a number of problems for the standard definition type of information security-the so-called CIA definition. Besides being too broad as well as too narrow, it cannot properly handle the soft issues of information security, nor recognize the contextual and normative nature of security.
A. O. Vybornov
Full Text Available Categories roles of information security employees of the banking organization are defined. Functional roles are described. The relationship between functional roles, employees, functions and authority are defined. The role of information security employees of the banking organization for information security system and information security management system are described. Recommendations for the implementation phases of the selection and appointment of the functional roles and to control the selection and role assignment information security employees of the banking organization are stated.
suggestions for reducing the burden, to the Department of Defense, Executive Service Directorate (0704-0188). Respondents should be aware that...improve the precision of security enforcement, and to provide greater assurance of information security. This grant focuses on two key projects: language...based control of authority; and formal guarantees for the correctness of audit information. 15. SUBJECT TERMS 16. SECURITY CLASSIFICATION OF: 17
.... To determine the status of computer security within VHA, we (1) evaluated information system general controls at the VA Maryland Health Cafe System, the New Mexico VA Health Care System, and the VA North Texas Health Care System and (2...
Alexandr Diomidovich Afanasyev
Full Text Available An issue of topological analysis has been claimed as a key one while creating robust and secure network systems. Some examples of complex network applications in information security domain have been cited.
Full Text Available The paper presents a mathematical model for the optimal security-technology investment evaluation and decision-making processes based on the quantitative analysis of security risks and digital asset assessments in an enterprise. The model makes use of the quantitative analysis of different security measures that counteract individual risks by identifying the information system processes in an enterprise and the potential threats. The model comprises the target security levels for all identified business processes and the probability of a security accident together with the possible loss the enterprise may suffer. The selection of security technology is based on the efficiency of selected security measures. Economic metrics are applied for the efficiency assessment and comparative analysis of different protection technologies. Unlike the existing models for evaluation of the security investment, the proposed model allows direct comparison and quantitative assessment of different security measures. The model allows deep analyses and computations providing quantitative assessments of different options for investments, which translate into recommendations facilitating the selection of the best solution and the decision-making thereof. The model was tested using empirical examples with data from real business environment.
Martins, José; Dos Santos, Henrique
The principle objective of this article is to present a literature review for the methods used in the security of information at the level of organizations. Some of the principle problems are identified and a first group of relevant dimensions is presented for an efficient management of information security. The study is based on the literature review made, using some of the more relevant certified articles of this theme, in international reports and in the principle norms of management of information security. From the readings that were done, we identified some of the methods oriented for risk management, norms of certification and good practice of security of information. Some of the norms are oriented for the certification of the product or system and others oriented to the processes of the business. There are also studies with the proposal of Frameworks that suggest the integration of different approaches with the foundation of norms focused on technologies, in processes and taking into consideration the organizational and human environment of the organizations. In our perspective, the biggest contribute to the security of information is the development of a method of security of information for an organization in a conflicting environment. This should make available the security of information, against the possible dimensions of attack that the threats could exploit, through the vulnerability of the organizational actives. This method should support the new concepts of "Network centric warfare", "Information superiority" and "Information warfare" especially developed in this last decade, where information is seen simultaneously as a weapon and as a target.
Trabelsi, Zouheir; McCoey, Margaret
Teaching offensive security (ethical hacking) is becoming a necessary component of information security curricula with a goal of developing better security professionals. The offensive security components extend curricula beyond system defense strategies. This paper identifies and discusses the learning outcomes achieved as a result of hands-on…
Satoh, Hitoshi; Niki, Noboru; Eguchi, Kenji; Ohmatsu, Hironobu; Kusumoto, Masahiro; Kaneko, Masahiro; Kakinuma, Ryutaru; Moriyama, Noriyuki
We have developed the teleradiology network system with a new information security solution that provided with web medical image conference system. In the teleradiology network system, the security of information network is very important subjects. We are studying the secret sharing scheme and the tokenization as a method safely to store or to transmit the confidential medical information used with the teleradiology network system. The confidential medical information is exposed to the risk of the damage and intercept. Secret sharing scheme is a method of dividing the confidential medical information into two or more tallies. Individual medical information cannot be decoded by using one tally at all. Our method has the function of automatic backup. With automatic backup technology, if there is a failure in a single tally, there is redundant data already copied to other tally. Confidential information is preserved at an individual Data Center connected through internet because individual medical information cannot be decoded by using one tally at all. Therefore, even if one of the Data Centers is struck and information is damaged due to the large area disaster like the great earthquake of Japan, the confidential medical information can be decoded by using the tallies preserved at the data center to which it escapes damage. Moreover, by using tokenization, the history information of dividing the confidential medical information into two or more tallies is prevented from lying scattered by replacing the history information with another character string (Make it to powerlessness). As a result, information is available only to those who have rightful access it and the sender of a message and the message itself are verified at the receiving point. We propose a new information transmission method and a new information storage method with a new information security solution.
Alexander A. Galushkin
In the present article author analyzes value of the concepts "national security", "information security", "national information security". Author gives opinions of scientists-jurists, definitions given by legislators and normotvorets in various regulations.
Karabatis, George; Aleroud, Ahmed
This book highlights several gaps that have not been addressed in existing cyber security research. It first discusses the recent attack prediction techniques that utilize one or more aspects of information to create attack prediction models. The second part is dedicated to new trends on information fusion and their applicability to cyber security; in particular, graph data analytics for cyber security, unwanted traffic detection and control based on trust management software defined networks, security in wireless sensor networks & their applications, and emerging trends in security system design using the concept of social behavioral biometric. The book guides the design of new commercialized tools that can be introduced to improve the accuracy of existing attack prediction models. Furthermore, the book advances the use of Knowledge-based Intrusion Detection Systems (IDS) to complement existing IDS technologies. It is aimed towards cyber security researchers. .
Full Text Available Cloud computing has made it possible for private companies to make rapid changes in their computing environments. However, in the public sector, security issues hinder institutions from adopting cloud computing. To solve these security challenges, in this paper, we propose a methodology for information security management, which quantitatively classifies the importance of information in cloud systems in the public sector. In this study, we adopt a Delphi approach to establish the classification criteria of the proposed methodology in an objective and systematic manner. Further, through a case study of a public corporation, we try to validate the usefulness of the proposed methodology. The results of this study will help public institutions to consider introducing cloud computing and to manage cloud systems effectively and securely.
Alexandria, Joao Carlos Soares de
The increase of the connectivity in the business environment, combined with the growing dependency of information systems, has become the information security management an important governance tool. Information security has as main goal to protect the business transactions in order to work normally. In this way, It will be safeguarding the business continuity. The threats of information come from hackers' attacks, electronic frauds and spying, as well as fire, electrical energy interruption and humans fault. Information security is made by implementation of a set of controls, including of the others politics, processes, procedures, organizational structures, software and hardware, which require a continuous management and a well established structure to be able to face such challenges. This work tried to search the reasons why the organizations have difficulties to make a practice of information security management. Many of them just limit to adopt points measures, sometimes they are not consistent with their realities. The market counts on enough quantity of standards and regulations related to information security issues, for example, ISO/IEC 27002, American Sarbanes-Oxley act, Basel capital accord, regulations from regulatory agency (such as the Brazilians ones ANATEL, ANVISA and CVM). The market researches have showed that the information security implementation is concentrated on a well-defined group of organization mainly formed by large companies and from specifics sectors of economy, for example, financial and telecommunication. However, information security must be done by all organizations that use information systems to carry out their activities, independently of its size or economic area that it belongs. The situation of information security in the governmental sector of Brazil, and inside its research institutions, is considered worrying by the Brazilian Court of Accounts (TCU). This research work presents an assessment and diagnostic proposal of
Nicolaides, S. [Numerex, Atlanta, GA (United States)
As part of North America's national critical infrastructure, utilities are finding themselves at the forefront of a security issue. In October 2007, a leading security service provider reported a 90 per cent increase in the number of hackers attempting to attack its utility clients in just one year. Utilities are vulnerable to cyber attacks that could disrupt power production and the transmission system. This article discussed the need for intelligent technologies in securely enabling resource management and operational efficiency of the utilities market. It discussed the unique security challenges that utilities face at a time of greater regulatory activity, heightened environmental concerns, tighter data security requirements and an increasing need for remote monitoring and control. A new tool has emerged for cyber security in the form of an international standard that may offer a strong guideline to work toward 11 security domains. These include security policy; organization of information security; asset management; human resources security; physical and environmental security; communications and operations management; access control; information systems acquisition; development and maintenance; information security incident management; business continuity management; and compliance. 2 figs.
Mehraeen, Esmaeil; Ayatollahi, Haleh; Ahmadi, Maryam
A hospital information system has potentials to improve the accessibility of clinical information and the quality of health care. However, the use of this system has resulted in new challenges, such as concerns over health information security. This paper aims to assess the status of information security in terms of administrative, technical and physical safeguards in the university hospitals. This was a survey study in which the participants were information technology (IT) managers (n=36) who worked in the hospitals affiliated to the top ranked medical universities (university A and university B). Data were collected using a questionnaire. The content validity of the questionnaire was examined by the experts and the reliability of the questionnaire was determined using Cronbach's coefficient alpha (α=0.75). The results showed that the administrative safeguards were arranged at a medium level. In terms of the technical safeguards and the physical safeguards, the IT managers rated them at a strong level. According to the results, among three types of security safeguards, the administrative safeguards were assessed at the medium level. To improve it, developing security policies, implementing access control models and training users are recommended.
Anton Sergeevich Zaytsev
Full Text Available In this article the author considers documents and scientific articles that should be used to configure monitoring and information security incident management process in an organization of banking system of Russia. Also key principles of monitoring configuration were marked up and a technique of monitoring configuration was proposed. Principles of monitoring system configuration were defined and a set of documents used to legitimate monitoring and information incident management process was considered.
Jašek, Roman; Králík, Lukáš; Popelka, Miroslav [Tomas Bata University in Zlin, Faculty of Applied Informatics NadStranemi 4511, 760 05 Zlin (Czech Republic)
This paper discusses the context of ITIL framework and management of information security. It is therefore a summary study, where the first part is focused on the safety objectives in connection with the ITIL framework. First of all, there is a focus on ITIL process ISM (Information Security Management), its principle and system management. The conclusion is about link between standards, which are related to security, and ITIL framework.
Fernandez de Miguel, C.
Information security is a key issue for companies that manage and process nuclear business related data. Availability of information systems as well as new data exchange facilities through simple and broad communication networks are the pillars of cooperation between different organizations, generating significant savings in costs and expanding the capacity to minimeze them. In this regard, information security is one of the major challenges for IT departments. This articles presents Tecnatoms experience in the Information Security Management Implementation project. Over several years, since 2004, the information security management has been developed and consolidated as an ongoing and horizontal process. (Author)
William C. Figg, Ph.D.; Hwee Joo Kam, M.S.
Modern medicine is facing a complex environment, not from medical technology but rather government regulations and information vulnerability. HIPPA is the government’s attempt to protect patient’s information yet this only addresses traditional record handling. The main threat is from the evolving security issues. Many medical offices and facilities have multiple areas of information security concerns. Physical security is often weak, office personnel are not always aware of security needs an...
Li, Chun-Ta; Weng, Chi-Yao; Lee, Cheng-Chi
Radio Frequency Identification (RFID) based solutions are widely used for providing many healthcare applications include patient monitoring, object traceability, drug administration system and telecare medicine information system (TMIS) etc. In order to reduce malpractices and ensure patient privacy, in 2015, Srivastava et al. proposed a hash based RFID tag authentication protocol in TMIS. Their protocol uses lightweight hash operation and synchronized secret value shared between back-end server and tag, which is more secure and efficient than other related RFID authentication protocols. Unfortunately, in this paper, we demonstrate that Srivastava et al.'s tag authentication protocol has a serious security problem in that an adversary may use the stolen/lost reader to connect to the medical back-end server that store information associated with tagged objects and this privacy damage causing the adversary could reveal medical data obtained from stolen/lost readers in a malicious way. Therefore, we propose a secure and efficient RFID tag authentication protocol to overcome security flaws and improve the system efficiency. Compared with Srivastava et al.'s protocol, the proposed protocol not only inherits the advantages of Srivastava et al.'s authentication protocol for TMIS but also provides better security with high system efficiency.
A good security system enables access and protects information from damage or tampering, but the most important aspects of a security system aren't technical. A security procedures manual addresses the human element of computer security. (MLW)
Mense, Alexander; Hoheiser-Pförtner, Franz; Schmid, Martin; Wahl, Harald
Working with health related data necessitates appropriate levels of security and privacy. Information security, meaning ensuring confidentiality, integrity, and availability, is more organizational, than technical in nature. It includes many organizational and management measures, is based on well-defined security roles, processes, and documents, and needs permanent adaption of security policies, continuously monitoring, and measures assessment. This big challenge for any organization leads to implementation of an information security management system (ISMS). In the context of establishing a regional or national electronic health record for integrated care (ICEHR), the situation is worse. Changing the medical information exchange from on-demand peer-to-peer connections to health information networks requires all organizations participating in the EHR system to have consistent security levels and to follow the same security guidelines and rules. Also, the implementation must be monitored and audited, establishing cross-organizational information security management systems (ISMS) based on international standards. This paper evaluates requirements and defines basic concepts for an ISO 27000 series-based cross-organizational ISMS in the healthcare domain and especially for the implementation of the nationwide electronic health record in Austria (ELGA).
Sushko, O. P.
The role of information technologies in providing technological security for energy enterprises is a component of the economic security for the northern Arctic region in general. Applying instruments and methods of information protection modelling of the energy enterprises' business process in the northern Arctic region (such as Arkhenergo and Komienergo), the authors analysed and identified most frequent risks of information security. With the analytic hierarchy process based on weighting factor estimations, information risks of energy enterprises' technological processes were ranked. The economic estimation of the information security within an energy enterprise considers weighting factor-adjusted variables (risks). Investments in information security systems of energy enterprises in the northern Arctic region are related to necessary security elements installation; current operating expenses on business process protection systems become materialized economic damage.
Correia, Anacleto; Gonçalves, António; Teodoro, M. Filomena
The availability, integrity and confidentiality of information are fundamental to the long-term survival of any organization. Information security is a complex issue that must be holistically approached, combining assets that support corporate systems, in an extended network of business partners, vendors, customers and other stakeholders. This paper addresses the conception and implementation of information security systems, conform the ISO/IEC 27000 set of standards, using the model-driven approach. The process begins with the conception of a domain level model (computation independent model) based on information security vocabulary present in the ISO/IEC 27001 standard. Based on this model, after embedding in the model mandatory rules for attaining ISO/IEC 27001 conformance, a platform independent model is derived. Finally, a platform specific model serves the base for testing the compliance of information security systems with the ISO/IEC 27000 set of standards.
Lykov, V.A.; Shein, A.V.; Piskarev, A.S.; Devaney, D.M.; Melton, R.B.; Hunteman, W.J.; Prommel, J.M.; Rothfuss, J.S.
The purpose of this paper is to discuss the information security assessment criteria used in Russia and compare it with that used in the United States. The computer system security assessment criteria utilized by the State Technical Commission of Russia and similar criteria utilized by the US Department of Defense (TCSEC) are intended for the development and implementation of proven methods for achieving a required level of information security. These criteria are utilized, first and foremost, when conducting certification assessments of general purpose systems. The Russian Federation is creating specialized systems for nuclear material control and accountancy (MC and A) within the framework of the international laboratory-to-laboratory collaboration. Depending on the conditions in which the MC and A system is intended to operate, some of the criteria and the attendant certification requirements may exceed those established or may overlap the requirements established for attestation of such systems. In this regard it is possible to modify the certification and attestation requirements depending on the conditions in which a system will operate in order to achieve the ultimate goal--implementation of the systems in the industry
Alaíde Barbosa Martins
Full Text Available Information security has actually been a major challenge to most organizations. Indeed, information security is an ongoing risk management process that covers all of the information that needs to be protected. ISO 17799 offers what companies need in order to better manage information security. The best way to implement this standard is to ease the security management process using a methodology that will define will define guidelines, procedures and tools that will be needed along the way. Hence, this paper proposes a methodology to assist companies in assessing their compliance with BS 7799/ ISO 17799 as well as planning and implementing the actions necessary to become compliant or certified to the standard. The concepts and ideas presented here had been applied in a case study involving the Cetrel S/A - Company of Environmental Protection. For this company, responsible for treatment of industrial residues generated by the Camaçari Petrochemical Complex and adjacent areas, to assure confidentiality and integrity of customers' data is a basic requirement.
Ademola P. Abidoye
Full Text Available The sensitivity of health-care information and its accessibility via the Internet and mobile technology systems is a cause for concern in these modern times. The privacy, integrity and confidentiality of a patient’s data are key factors to be considered in the transmission of medical information for use by authorised health-care personnel. Mobile communication has enabled medical consultancy, treatment, drug administration and the provision of laboratory results to take place outside the hospital. With the implementation of electronic patient records and the Internet and Intranets, medical information sharing amongst relevant health-care providers was made possible. But the vital issue in this method of information sharing is security: the patient’s privacy, as well as the confidentiality and integrity of the health-care information system, should not be compromised. We examine various ways of ensuring the security and privacy of a patient’s electronic medical information in order to ensure the integrity and confidentiality of the information.
... SOCIAL SECURITY ADMINISTRATION [Docket No. SSA-2010-0066] Proposed Recommendation to the Social Security Administration for Occupational Information System (OIS) Development Planning; Request for Comment...) to provide independent advice and recommendations on plans and activities to create an occupational...
Norman, Thomas L
Integrated Security Systems Design, 2nd Edition, is recognized as the industry-leading book on the subject of security systems design. It explains how to design a fully integrated security system that ties together numerous subsystems into one complete, highly coordinated, and highly functional system. With a flexible and scalable enterprise-level system, security decision makers can make better informed decisions when incidents occur and improve their operational efficiencies in ways never before possible. The revised edition covers why designing an integrated security system is essential a
A. V. Skrypnikov
Full Text Available The article is devoted to the method of experimental estimation of parameters of functioning of standard information protection systems from unauthorized access, certified, widely used in organizations operating automated information systems. In the course of the experiment, statistical data were evaluated in the dynamics of the functioning of information security systems against unauthorized access in automated information systems. Registration of the parameters for the execution time of protective protection functions was carried out using a special utility called ProcessMonitor from the Sysinternals suite of utilities used to filter processes and threads. The loading of the processor and main memory of the computer with the use of special software, specially designed for performing experimental research, simulates the operation of GIS in real-world work for its intended purpose. A special software for simulating the work of a system with high load is developed in "VisualStudio 2015" within the framework of "ConsoleApplication". At the same time, the processor is loaded at a level of 50-70% and 60-80% of the operative memory. The obtained values of the time of implementation of protective functions in conditions of high utilization of resources of computer facilities for their intended purpose will allow us to assess the conflict and dynamic properties of the GIS. In the future, the obtained experimental estimates can be used to develop a model of information security in automated information systems, as well as in the formation of quality requirements (resource intensity, response time to the user's request, availability, etc.. Also, the results of the computational experiment in the future can be used to develop a software package for assessing the dynamic performance of information security systems against unauthorized access in automated information systems
Doddrell, Gregory R.
As business relies less on "fortress" style central computers and more on distributed systems, the risk of disruption increases because of inadequate physical security, support services, and site monitoring. This article discusses information security and why protection is required on the Internet, presents a best practice firewall, and…
Ayyagari, Ramakrishna; Tyks, Jonathan
Security and disaster training is identified as a top Information Technology (IT) required skill that needs to be taught in Information Systems (IS) curriculums. Accordingly, information security and privacy have become core concepts in information system education. Providing IT security on a shoestring budget is always difficult and many small…
Peng, Xiang; Zhang, Peng; Cai, Lilong
In this paper, we present a virtual-optical based information security system model with the aid of public-key-infrastructure (PKI) techniques. The proposed model employs a hybrid architecture in which our previously published encryption algorithm based on virtual-optics imaging methodology (VOIM) can be used to encipher and decipher data while an asymmetric algorithm, for example RSA, is applied for enciphering and deciphering the session key(s). For an asymmetric system, given an encryption key, it is computationally infeasible to determine the decryption key and vice versa. The whole information security model is run under the framework of PKI, which is on basis of public-key cryptography and digital signatures. This PKI-based VOIM security approach has additional features like confidentiality, authentication, and integrity for the purpose of data encryption under the environment of network.
Full Text Available With the rapid growth of the Internet, a lot of electronic patient records (EPRs have been developed for e-medicine systems. The security and privacy issues of EPRs are important for the patients in order to understand how the hospitals control the use of their personal information, such as name, address, e-mail, medical records, etc. of a particular patient. Recently, Lee et al. proposed a simple group password-based authenticated key agreement protocol for the integrated EPR information system (SGPAKE. However, in this paper, we show that Lee et al.’s protocol is vulnerable to the off-line weak password guessing attack and as a result, their scheme does not provide users’ privacy. To withstand this security weakness found in Lee et al.’s scheme, we aim to propose an effective dynamic group password-based authenticated key exchange scheme for the integrated EPR information system, which retains the original merits of Lee et al.’s scheme. Through the informal and formal security analysis, we show that our scheme provides users’ privacy, perfect forward security and known-key security, and also protects online and offline password guessing attacks. Furthermore, our scheme efficiently supports the dynamic group password-based authenticated key agreement for the integrated EPR information system. In addition, we simulate our scheme for the formal security verification using the widely-accepted AVISPA (Automated Validation of Internet Security Protocols and Applications tool and show that our scheme is secure against passive and active attacks.
Ekaterina Gennadievna Kondratova
Full Text Available It is defined in the article social networks as a tool in the hands of cyber-criminals to compromise the organization’s data. The author focuses on a list of threats to information security caused by social networks usage, which should be considered in the set up of information security management system of the company.
C Language Integration Production System (CLIPS), a NASA-developed expert systems program, has enabled a security systems manufacturer to design a new generation of hardware. C.CURESystem 1 Plus, manufactured by Software House, is a software based system that is used with a variety of access control hardware at installations around the world. Users can manage large amounts of information, solve unique security problems and control entry and time scheduling. CLIPS acts as an information management tool when accessed by C.CURESystem 1 Plus. It asks questions about the hardware and when given the answer, recommends possible quick solutions by non-expert persons.
Yulia G. Krasnozhon
Full Text Available Modern information technologies have an increasing importance for development dynamics and management structure of an enterprise. The management efficiency of implementation of modern information technologies directly related to the quality of information security incident management. However, issues of assessment of the impact of information security incidents management on quality and efficiency of the enterprise management system are not sufficiently highlighted neither in Russian nor in foreign literature. The main direction to approach these problems is the optimization of the process automation system of the information security incident management. Today a special attention is paid to IT-technologies while dealing with information security incidents at mission-critical facilities in Russian Federation such as the Federal Tax Service of Russia (FTS. It is proposed to use the mathematical apparatus of queueing theory in order to build a mathematical model of the system optimization. The developed model allows to estimate quality of the management taking into account the rules and restrictions imposed on the system by the effects of information security incidents. Here an example is given in order to demonstrate the system in work. The obtained statistical data are shown. An implementation of the system discussed here will improve the quality of the Russian FTS services and make responses to information security incidents faster.
Mohammad Reza Taghva
Full Text Available In recent years, the researchers have emphasized on positive effect of information system on supply chain performance such as organizational processes integration, information sharing, information technology, etc. In other hand, information security management system is one of the subjects that researches considered its effects on increase accuracy and effective information exchange, access to accurate and timely information and reduce errors of information system. Since, any research has not been done on this ground (the importance of ISMS on supply chain performance. Therefore, it was felt that a research should have done on these approaches on supply chain. In this respect, current research was seeking that how ISMS had impact on supply chain performance in automotive industry and this was the innovative aspect of this paper. So first of all, after the review of the information security management system literature, supply chain performance was considered by the balanced scorecard approach then the most important factors of these two subjects was extracted by correlation analysis. In this way, it was considered that how ISMS had impact on supply chain performance by correlation analysis. The results showed that different dimensions of ISMS (information uniformity, prevent the human and machine mistake, information be accuracy, and rectitude and instruction for users had impact on four dimensions of supply chain performance (customers, financial, internal processes and learning and growth in three levels (strategic, technical, and operational in supply chain. At the end, it was showed that ISMS lays the ground for increase supply chain performance.
Orel, Andrej; Bernik, Igor
Using widely spread common approaches to systems security in health dedicated controlled environments, a level of awareness, confidence and acceptance of relevant standardisation is evaluated. Patients' information is sensitive, so putting appropriate organisational techniques as well as modern technology in place to secure health information is of paramount importance. Mobile devices are becoming the top priorities in advanced information security planning with healthcare environments being no exception. There are less and less application areas in healthcare without having a need for a mobile functionality which represents an even greater information security challenge. This is also true in emergency treatments, rehabilitation and homecare just to mention a few areas outside hospital controlled environments. Unfortunately quite often traditional unsecured communications principles are still in routine use for communicating sensitive health related information. The security awareness level with users, patients and care professionals is not high enough so potential threats and risks may not be addressed and the respective information security management is therefore weak. Standards like ISO/IEC 27000 ISMS family, the ISO/IEC 27799 information security guidelines in health are often not well known, but together with legislation principles such as HIPAA, they can help.
D.Phil. Computer-based information systems will probably always have to contend with security issues. Much research have already gone into the field of information security. These research results have yielded some very sophisticated and effective security mechanisms and procedures. However, due to the ever increasing sophistication of criminals, combined with the ever changing and evolving information technology environment, some limitations still exist within the field of information sec...
This document is the second of a planned four-volume work that comprehensively discusses the security classification of information. The main focus of Volume 2 is on the principles for classification of information. Included herein are descriptions of the two major types of information that governments classify for national security reasons (subjective and objective information), guidance to use when determining whether information under consideration for classification is controlled by the government (a necessary requirement for classification to be effective), information disclosure risks and benefits (the benefits and costs of classification), standards to use when balancing information disclosure risks and benefits, guidance for assigning classification levels (Top Secret, Secret, or Confidential) to classified information, guidance for determining how long information should be classified (classification duration), classification of associations of information, classification of compilations of information, and principles for declassifying and downgrading information. Rules or principles of certain areas of our legal system (e.g., trade secret law) are sometimes mentioned to .provide added support to some of those classification principles.
Mayo, Jackson R. (Sandia National Laboratories, Livermore, CA); Torgerson, Mark Dolan; Walker, Andrea Mae; Armstrong, Robert C. (Sandia National Laboratories, Livermore, CA); Allan, Benjamin A. (Sandia National Laboratories, Livermore, CA); Pierson, Lyndon George
The goal of this research was to explore first principles associated with mixing of diverse implementations in a redundant fashion to increase the security and/or reliability of information systems. Inspired by basic results in computer science on the undecidable behavior of programs and by previous work on fault tolerance in hardware and software, we have investigated the problem and solution space for addressing potentially unknown and unknowable vulnerabilities via ensembles of implementations. We have obtained theoretical results on the degree of security and reliability benefits from particular diverse system designs, and mapped promising approaches for generating and measuring diversity. We have also empirically studied some vulnerabilities in common implementations of the Linux operating system and demonstrated the potential for diversity to mitigate these vulnerabilities. Our results provide foundational insights for further research on diversity and redundancy approaches for information systems.
USDA has taken positive steps to begin improving its information security by developing its August 1999 Action Plan with recommendations to strengthen department-wide information security and hiring...
Farhadi, Akram; Ahmadi, Maryam
Picture Archiving and Communications System (PACS) was originally developed for radiology services over 20 years ago to capture medical images electronically. Medical diagnosis methods are based on images such as clinical radiographs, ultrasounds, CT scans, MRIs, or other imaging modalities. Information obtained from these images is correlated with patient information. So with regards to the important role of PACS in hospitals, we aimed to evaluate the PACS and survey the information security needed in the Radiological Information system. First, we surveyed the different aspects of PACS that should be in any health organizations based on Department of Health standards and prepared checklists for assessing the PACS in different hospitals. Second, we surveyed the security controls that should be implemented in PACS. Checklists reliability is affirmed by professors of Tehran Science University. Then, the final data are inputted in SPSS software and analyzed. The results indicate that PACS in hospitals can transfer patient demographic information but they do not show route of information. These systems are not open source. They don't use XML-based standard and HL7 standard for exchanging the data. They do not use DS digital signature. They use passwords and the user can correct or change the medical information. PACS can detect alternation rendered. The survey of results demonstrates that PACS in all hospitals has the same features. These systems have the patient demographic data but they do not have suitable flexibility to interface network or taking reports. For the privacy of PACS in all hospitals, there were passwords for users and the system could show the changes that have been made; but there was no water making or digital signature for the users.
Mwakalinga, G. Jeffy; Yngström, Louise; Kowalski, Stewart
This paper presents a Framework for adaptive information security systems for securing information systems. Information systems today are vulnerable and not adaptive to the dynamic environments because initial development of these systems focused on computer technology and communications protocol only. Most research in information security does not consider culture of users, system environments and does not pay enough attention to the enemies of information systems. As a result, users serve t...
Otero, Angel R.
In an era where use and dependence of information systems is significantly high, the threat of incidents related to information security that could jeopardize the information held by organizations is more and more serious. Alarming facts within the literature point to inadequacies in information security practices, particularly the evaluation of…
Information Technology (IT) Security Risk Management is a critical task for the organization to protect against the loss of confidentiality, integrity and availability of IT resources. As systems bgecome more complex and diverse and and attacks from intrusions and malicious content increase, it is becoming increasingly difficult to manage IT security risk. This paper describes a two-pronged approach in addressing IT security risk and risk management in the organization: 1) an institutional enterprise appraoch, and 2) a project life cycle approach.
I. A. Zikratov
Full Text Available The paper deals with the issues on protection of multi-agent robotic systems against attacks by robots-saboteurs. The operation analysis of such systems with decentralized control is carried out. Concept of harmful information impact (attack from a robot-saboteur to the multi-agent robotic system is given. The class of attacks is considered using interception of messages, formation and transfer of misinformation to group of robots, and also carrying out other actions with vulnerabilities of multiagent algorithms without obviously identified signs of invasion of robots-saboteurs. The model of information security is developed, in which robots-agents work out trust levels to each other analyzing the events occurring in the system. The idea of trust model consists in the analysis of transferred information by each robot and the executed actions of other members in a group, comparison of chosen decision on iteration step k with objective function of the group. Distinctive feature of the trust model in comparison with the closest analogue - Buddy Security Model in which the exchange between the agents security tokens is done — is involvement of the time factor during which agents have to "prove" by their actions the usefulness in achievement of a common goal to members of the group. Variants of this model realization and ways of an assessment of trust levels for agents in view of the security policy accepted in the group are proposed.
Yau, Wei-Chuen; Phan, Raphael C-W
Many authentication schemes have been proposed for telecare medicine information systems (TMIS) to ensure the privacy, integrity, and availability of patient records. These schemes are crucial for TMIS systems because otherwise patients' medical records become susceptible to tampering thus hampering diagnosis or private medical conditions of patients could be disclosed to parties who do not have a right to access such information. Very recently, Hao et al. proposed a chaotic map-based authentication scheme for telecare medicine information systems in a recent issue of Journal of Medical Systems. They claimed that the authentication scheme can withstand various attacks and it is secure to be used in TMIS. In this paper, we show that this authentication scheme is vulnerable to key-compromise impersonation attacks, off-line password guessing attacks upon compromising of a smart card, and parallel session attacks. We also exploit weaknesses in the password change phase of the scheme to mount a denial-of-service attack. Our results show that this scheme cannot be used to provide security in a telecare medicine information system.
A. V. Masloboev
Full Text Available The paper deals with engineering problems and application perspectives of virtual cognitive centers as intelligent systems for information support of interagency activities in the field of complex security management of regional development. A research prototype of virtual cognitive center for regional security management in crisis situations, implemented as hybrid cloud service based on IaaS architectural framework with the usage of multi-agent and web-service technologies has been developed. Virtual cognitive center is a training simulator software system and is intended for solving on the basis of distributed simulation such problems as: strategic planning and forecasting of risk-sustainable development of regional socioeconomic systems, agents of management interaction specification synthesis for regional components security in different crisis situations within the planning stage of joint anti-crisis actions.
Full Text Available Rapidly increasing numbers of sophisticated mobile devices (smart phones, tab computers, etc. all over the world mean that ensuring information security will only become a more pronounced problem for individuals and organizations. It’s important to effectively protect data stored on or accessed by mobile devices, and also during transmission of data between devices and between device and information system. Technological and other trends show, that the cyber threats are also rapidly developing and spreading. It's crucial to educate users about safe usage and to increase their awareness of security issues. Ideally, users should keep-up with technological trends and be well equipped with knowledge otherwise mobile technology will significantly increase security risks. Most important is that we start educating youth so that our next generations of employees will be part of a culture of data and information security awareness.
The Information Security Management Handbook continues its tradition of consistently communicating the fundamental concepts of security needed to be a true CISSP. In response to new developments, Volume 4 supplements the previous volumes with new information covering topics such as wireless, HIPAA, the latest hacker attacks and defenses, intrusion detection, and provides expanded coverage on security management issues and applications security. Even those that don't plan on sitting for the CISSP exam will find that this handbook is a great information security reference.The changes in the tech
Bazavan, Ioana V
While information security is an ever-present challenge for all types of organizations today, most focus on providing security without addressing the necessities of staff, time, or budget in a practical manner.Information Security Cost Management offers a pragmatic approach to implementing information security, taking budgetary and real-world constraints into consideration. By providing frameworks, step-by-step processes, and project management breakdowns, this book demonstrates how to design the best security strategy with the resources you have available. Organized into five sections, the book-Focuses on setting the right road map so that you can be most effective in your information security implementationsDiscusses cost-effective staffing, the single biggest expense to the security organizationPresents practical ways to build and manage the documentation that details strategy, provides resources for operating annual audits, and illustrates how to advertise accomplishments to senior management effectivelyI...
Irina Yurievna Alekseeva
Full Text Available Building a culture of information security involves consideration of problems of management in society. Ideas and approaches developed in philosophy of management are relevant to studies in problems of information security in broader methodological and social context. The article focuses on problems of information and psychological security in social systems. The author considers disorienting signs and signals as information threat to security of persons and societies. The author argues that management ideology of pseudo-economical reductionism makes distortion at the level of values and priorities of the system. This ideology exalts competitiveness to the detriment of the systems’ viability. Philosophy of complexity (better known as “philosophy of complex systems” embraces new visions for methodology of management in XXI century. “Observer of complexity” and “complexity of observer of complexity” phenomena are central in this context. The problem of appropriate language for system self-description is of critical importance. This language is necessary for substantive production of intellectual tools for problems solving and decision making; refusal to produce such tools is fraught with decrease of information security level.
This paper describes some experiences with using the Common Criteria for Information Security Evaluation as the basis for a design methodology for secure application systems. The examples considered include a Point-of-Sale (POS) system, a wind turbine park monitoring and control system and a secu...... an effective and secure design, starting with the formulation of a Protection Profile and ending with a concrete design, within the project timeframe.......This paper describes some experiences with using the Common Criteria for Information Security Evaluation as the basis for a design methodology for secure application systems. The examples considered include a Point-of-Sale (POS) system, a wind turbine park monitoring and control system and a secure...
Reviewed by Yavuz AKBULUT
andcommunication technologies provided in the source can help educationaladministrators and policy-makers. Table of contents along with the names ofcontributors are provided below: 3D Avatars and Collaborative Virtual Environments/Koon-Ying Raymond Li,James Sofra, and Mark Power Access Control for Healthcare/Yifeng Shen Advertising in the Networked Environment/Savvas Papagiannidis and MichaelBourlakis Anonymous Peer-to-Peer Systems/Wenbing Zhao Argumentation and Computing/Ephraim Nissan Argumentation with Wigmore Charts and Computing/Ephraim Nissan Artificial Intelligence Tools for Handling Legal Evidence/Ephraim Nissan Barriers Facing African American Women in Technology/Jianxia Du, George H.Pate, Deneen Sherrod, and Wei-Chieh Yu B-POS Secure Mobile Payment System/Antonio Grillo, Alessandro Lentini, andGianluigi Me Building Secure and Dependable Information Systems/Wenbing Zhao Classifying Articles in Information Ethics and Security/Zack Jourdan, R. KellyRainer Jr., and Thomas E. Marshall Computational Ethics/Alicia I. Ruvinsky Computer Ethics and Intelligent Technologies/Yefim Kats Computer Worms, Detection, and Defense/Robert J. Cole and Chao-Hsien Chu Conflicting Value of Digital Music Piracy/Matthew Butler Content Filtering Methods for Internet Pornography/Jengchung V. Chen andShaoYu F. Huang Cyber-Terrorism in Australia/Christopher Beggs Data Security and Chase/Zbigniew W. Ras and Seunghyun Im Defending against Distributed Denial of Service/Yang Xiang and Wanlei Zhou Digital Divide Implications and Trends/Irene Chen and Terry T. Kidd Digital Rights Management Metadata and Standards/Jo Anne Cote and Eun G.Park235 Dilemmas of Online Identity Theft/Omer Mahmood Document Security in the Ancient World/Christopher H. Walker DRM Practices in the E-Publication Industry/Bong Wee Kiau and NorshuhadaShiratuddin Educational Technology Practitioner-Research Ethics/Kathleen Gray E-Health and Ensuring Quality
Information security is all about the protection of digital assets, such as digital content, personal health records, state secrets etc. These assets can be handled by a party who is authorised to access and control the asset or a party who is not authorised to do so. Authorisation determines who is trusted to actually handle an asset. Two concepts complement authorisation. Authentication deter-mines who makes a request to handle an asset. To decide who is authorised, a system needs to au-the...
Tomlinson, J. J.; Elliott-Smith, W.; Radosta, T.
A chain of custody (COC) is required in many laboratories that handle forensics, drugs of abuse, environmental, clinical, and DNA testing, as well as other laboratories that want to assure reliability of reported results. Maintaining a dependable COC can be laborious, but with the recent establishment of the criteria for electronic records and signatures by US regulatory agencies, laboratory information management systems (LIMSs) are now being developed to fully automate COCs. The extent of automation and of data reliability can vary, and FDA- and EPA-compliant electronic signatures and system security are rare. PMID:17671623
Tajuddin, Sharul; Olphert, Wendy; Doherty, Neil
The study, reported in this paper, aims to explore the relationship between the stakeholders' perceptions about the value of information and their resultant information security behaviours. Moreover, this study seeks to explore the role of national and organisational culture in facilitating information value assignment. Information Security is a concept that formed from the recognition that information is valuable and that there is a need to protect it. The ISO 27002 defines information as an asset, which, like other important business assets, is essential to an organisation's business and consequently needs to be appropriately protected. By definition, an asset has a value to the organisation hence it requires protection. Information protection is typically accomplished through the implementation of countermeasures against the threats and vulnerabilities of information security, for example, implementation of technological processes and mechanisms such as firewall and authorization and authentication systems, set-up of deterrence procedures such as password control and enforcement of organisational policy on information handling procedures. However, evidence routinely shows that despite such measures, information security breaches and incidents are on the rise. These breaches lead to loss of information, personal records, or other data, with consequent implications for the value of the information asset. A number of studies have suggested that such problems are not related primarily to technology problems or procedural deficiencies, but rather to stakeholders' poor compliance with the security measures that are in place. Research indicates that compliance behaviour is affected by many variables including perceived costs and benefits, national and organisational culture and norms. However, there has been little research to understand the concept of information value from the perspective of those who interact with the data, and the consequences for information
S K Hafizul Islam
Full Text Available Over the past few years, secure and privacy-preserving user authentication scheme has become an integral part of the applications of the healthcare systems. Recently, Wen has designed an improved user authentication system over the Lee et al.'s scheme for integrated electronic patient record (EPR information system, which has been analyzed in this study. We have found that Wen's scheme still has the following inefficiencies: (1 the correctness of identity and password are not verified during the login and password change phases; (2 it is vulnerable to impersonation attack and privileged-insider attack; (3 it is designed without the revocation of lost/stolen smart card; (4 the explicit key confirmation and the no key control properties are absent, and (5 user cannot update his/her password without the help of server and secure channel. Then we aimed to propose an enhanced two-factor user authentication system based on the intractable assumption of the quadratic residue problem (QRP in the multiplicative group. Our scheme bears more securities and functionalities than other schemes found in the literature.
Pierre, Joseph D.
Information security systems (ISS) have been designed to protect assets from damages and from unauthorized access internally as well as externally. This research is promising similar protection from ISS methods that could prevent intoxicated individuals under the influence of alcohol from driving. However, previous research has shown significant…
Okolo, Nkiru Benjamin
Information systems of today face more potential security infringement than ever before. The regular susceptibility of data to breaches is a function of systems users' disinclination to follow appropriate security measures. A well-secured system maintains integrity, confidentiality, and availability, while providing appropriate and consistent…
Ayatollahi, Haleh; Shagerdi, Ghazal
To date, many efforts have been made to classify information security threats, especially in the healthcare area. However, there are still many unknown risks which may threat the security of health information and their resources especially in the hospitals. The aim of this study was to assess the risks threatening information security in the hospitals located in one of the northwest cities of Iran. This study was completed in 2014. The participants were information technology managers who worked in the hospitals (n=27). The research instrument was a questionnaire composed of a number of open and closed questions. The content validity of the questionnaire was confirmed, and the reliability of the closed questions was measured by using the test-retest method (r =0.78). The results showed that among the information security risks, fire found to be a high probability/high impact risk factor. Human and physical/environmental threats were among the low probability risk factors. Regarding the information security safeguards used in the hospitals, the results showed that the use of the technical safeguards was the most frequent one (n =22, 91.7%) compared to the administrative (n =21, 87.5%) and the physical safeguards (n =16, 66.7%). The high probability risk factors require quick corrective actions to be taken. Therefore, the underlying causes of such threats should be identified and controlled before experiencing adverse effects. It is also important to note that information security in health care systems needs to be considered at a macro level with respect to the national interests and policies.
Bompard, E.; Napoli, R.; Xue, F.
In the analysis of power systems security, recently a new concern related to possible malicious attacks caught much attention. Coordination among different transmission system operators (TSO) in an interconnected power system to counteract such attacks has become an important problem. This paper presents a general framework for describing the physical, cyber and decision-making aspects of the problem and their interrelations; within this framework, an analytic tool for the assessment of information impacts in handling on-line security after a malicious attack is proposed and discussed. The model is based on the socially rational multi-agent systems and the equilibrium of a fictitious play is considered to analyze the impacts of various levels of information available to the interconnected system operators on the outcomes of the decision-making process under attack. A 34-buses test system, with 3 systems interconnected by tie-lines, is presented to illustrate the model and compare the impacts of different information scenarios
Bompard, E. [Dipartimento di Ingegneria Elettrica, Politecnico di Torino, I-10129 Torino (Italy)], E-mail: firstname.lastname@example.org; Napoli, R.; Xue, F. [Dipartimento di Ingegneria Elettrica, Politecnico di Torino, I-10129 Torino (Italy)
In the analysis of power systems security, recently a new concern related to possible malicious attacks caught much attention. Coordination among different transmission system operators (TSO) in an interconnected power system to counteract such attacks has become an important problem. This paper presents a general framework for describing the physical, cyber and decision-making aspects of the problem and their interrelations; within this framework, an analytic tool for the assessment of information impacts in handling on-line security after a malicious attack is proposed and discussed. The model is based on the socially rational multi-agent systems and the equilibrium of a fictitious play is considered to analyze the impacts of various levels of information available to the interconnected system operators on the outcomes of the decision-making process under attack. A 34-buses test system, with 3 systems interconnected by tie-lines, is presented to illustrate the model and compare the impacts of different information scenarios.
Sharp, Robin; Pedersen, Allan; Hedegaard, Anders
This paper describes some experiences with using the ''Common Criteria for Information Security Evaluation'' as the basis for a design methodology when designing secure systems. As an example, the design process for a Point-of-Sale (POS) system is described.......This paper describes some experiences with using the ''Common Criteria for Information Security Evaluation'' as the basis for a design methodology when designing secure systems. As an example, the design process for a Point-of-Sale (POS) system is described....
P. Deivendran; Dr. R. Dhanapal Ph.D
We present a framework for managing system security, based on a SNMP Management Information Base (MIB), namely the System Security MIB (SSEC MIB), We have defined managed objects and completed the ASN.1 description of the MIB that embeds them. The related security management functions are mainly focused on monitoring external script execution for system security scanning and access control. The main goal of this work is to introduce the semantics and a standard interface that will allow the r...
Sousa, Kenneth J.; MacDonald, Laurie E.; Fougere, Kenneth T.
The authors conducted an evaluation of Management Information Systems (MIS) textbooks and found that computer security receives very little in-depth coverage. The textbooks provide, at best, superficial treatment of security issues. The research results suggest that MIS faculty need to provide material to supplement the textbook to provide…
Sang Hoon Kim
Full Text Available The authors found the behavioral factors that influence the organization members’ compliance with the information security policy in organizations on the basis of neutralization theory, Theory of planned behavior, and protection motivation theory. Depending on the theory of planned behavior, members’ attitudes towards compliance, as well as normative belief and self-efficacy, were believed to determine the intention to comply with the information security policy. Neutralization theory, a prominent theory in criminology, could be expected to provide the explanation for information system security policy violations. Based on the protection motivation theory, it was inferred that the expected efficacy could have an impact on intentions of compliance. By the above logical reasoning, the integrative behavioral model and eight hypotheses could be derived. Data were collected by conducting a survey; 194 out of 207 questionnaires were available. The test of the causal model was conducted by PLS. The reliability, validity, and model fit were found to be statistically significant. The results of the hypotheses tests showed that seven of the eight hypotheses were acceptable. The theoretical implications of this study are as follows: (1 the study is expected to play a role of the baseline for future research about organization members’ compliance with the information security policy, (2 the study attempted an interdisciplinary approach by combining psychology and information system security research, and (3 the study suggested concrete operational definitions of influencing factors for information security policy compliance through a comprehensive theoretical review. Also, the study has some practical implications. First, it can provide the guideline to support the successful execution of the strategic establishment for the implement of information system security policies in organizations. Second, it proves that the need of education and training
Kim, Sang Hoon; Yang, Kyung Hoon; Park, Sunyoung
The authors found the behavioral factors that influence the organization members' compliance with the information security policy in organizations on the basis of neutralization theory, Theory of planned behavior, and protection motivation theory. Depending on the theory of planned behavior, members' attitudes towards compliance, as well as normative belief and self-efficacy, were believed to determine the intention to comply with the information security policy. Neutralization theory, a prominent theory in criminology, could be expected to provide the explanation for information system security policy violations. Based on the protection motivation theory, it was inferred that the expected efficacy could have an impact on intentions of compliance. By the above logical reasoning, the integrative behavioral model and eight hypotheses could be derived. Data were collected by conducting a survey; 194 out of 207 questionnaires were available. The test of the causal model was conducted by PLS. The reliability, validity, and model fit were found to be statistically significant. The results of the hypotheses tests showed that seven of the eight hypotheses were acceptable. The theoretical implications of this study are as follows: (1) the study is expected to play a role of the baseline for future research about organization members' compliance with the information security policy, (2) the study attempted an interdisciplinary approach by combining psychology and information system security research, and (3) the study suggested concrete operational definitions of influencing factors for information security policy compliance through a comprehensive theoretical review. Also, the study has some practical implications. First, it can provide the guideline to support the successful execution of the strategic establishment for the implement of information system security policies in organizations. Second, it proves that the need of education and training programs suppressing
Konstantin Vyacheslavovich Ivanov
Full Text Available The paper is devoted to specific methods of information security for nuclear materials control and accounting automate systems which is not required of OS and DBMS certifications and allowed to programs modification for clients specific without defenses modification. System ACCORD-2005 demonstrates the realization of this method.
The development of information security is addressed in relation to the development of information technology. The leading question is: how has information security developed itself so far, and how should it progress to address tomorrow's security needs. An overwiew is given of the use of
Das, Ashok Kumar
An integrated EPR (Electronic Patient Record) information system of all the patients provides the medical institutions and the academia with most of the patients' information in details for them to make corrective decisions and clinical decisions in order to maintain and analyze patients' health. In such system, the illegal access must be restricted and the information from theft during transmission over the insecure Internet must be prevented. Lee et al. proposed an efficient password-based remote user authentication scheme using smart card for the integrated EPR information system. Their scheme is very efficient due to usage of one-way hash function and bitwise exclusive-or (XOR) operations. However, in this paper, we show that though their scheme is very efficient, their scheme has three security weaknesses such as (1) it has design flaws in password change phase, (2) it fails to protect privileged insider attack and (3) it lacks the formal security verification. We also find that another recently proposed Wen's scheme has the same security drawbacks as in Lee at al.'s scheme. In order to remedy these security weaknesses found in Lee et al.'s scheme and Wen's scheme, we propose a secure and efficient password-based remote user authentication scheme using smart cards for the integrated EPR information system. We show that our scheme is also efficient as compared to Lee et al.'s scheme and Wen's scheme as our scheme only uses one-way hash function and bitwise exclusive-or (XOR) operations. Through the security analysis, we show that our scheme is secure against possible known attacks. Furthermore, we simulate our scheme for the formal security verification using the widely-accepted AVISPA (Automated Validation of Internet Security Protocols and Applications) tool and show that our scheme is secure against passive and active attacks.
Cazier, Joseph A; Medlin, B Dawn
For most healthcare information systems, passwords are the first line of defense in keeping patient and administrative records private and secure. However, this defense is only as strong as the passwords employees chose to use. A weak or easily guessed password is like an open door to the medical records room, allowing unauthorized access to sensitive information. In this paper, we present the results of a study of actual healthcare workers' password practices. In general, the vast majority of these passwords have significant security problems on several dimensions. Implications for healthcare professionals are discussed.
... 48 Federal Acquisition Regulations System 6 2010-10-01 2010-10-01 true Information Technology... Provisions and Clauses 2452.239-71 Information Technology Virus Security. As prescribed in 2439.107(b), insert the following clause: Information Technology Virus Security (FEB 2006) (a) The contractor hereby...
Lee, Tian-Fu; Chang, I-Pin; Lin, Tsung-Hung; Wang, Ching-Cheng
The integrated EPR information system supports convenient and rapid e-medicine services. A secure and efficient authentication scheme for the integrated EPR information system provides safeguarding patients' electronic patient records (EPRs) and helps health care workers and medical personnel to rapidly making correct clinical decisions. Recently, Wu et al. proposed an efficient password-based user authentication scheme using smart cards for the integrated EPR information system, and claimed that the proposed scheme could resist various malicious attacks. However, their scheme is still vulnerable to lost smart card and stolen verifier attacks. This investigation discusses these weaknesses and proposes a secure and efficient authentication scheme for the integrated EPR information system as alternative. Compared with related approaches, the proposed scheme not only retains a lower computational cost and does not require verifier tables for storing users' secrets, but also solves the security problems in previous schemes and withstands possible attacks.
Hallberg, J; Hallberg, N; Timpka, T
Conventional smart card-based authentication systems used in health care alleviate some of the security issues in user and system authentication. Existing models still do not cover all security aspects. To enable new protective measures to be developed, an extended model of the authentication process is presented. This model includes a new entity referred to as secure server. Assuming a secure server, a method where the smart card is aware of the status of the terminal integrity verification becomes feasible. The card can then act upon this knowledge and restrict the exposure of sensitive information to the terminal as required in order to minimize the risks. The secure server model can be used to illuminate the weaknesses of current approaches and the need for extensions which alleviate the resulting risks.
Smart card based authentication and key agreement schemes for telecare medicine information systems (TMIS) enable doctors, nurses, patients and health visitors to use smart cards for secure login to medical information systems. In recent years, several authentication and key agreement schemes have been proposed to present secure and efficient solution for TMIS. Most of the existing authentication schemes for TMIS have either higher computation overhead or are vulnerable to attacks. To reduce the computational overhead and enhance the security, Lee recently proposed an authentication and key agreement scheme using chaotic maps for TMIS. Xu et al. also proposed a password based authentication and key agreement scheme for TMIS using elliptic curve cryptography. Both the schemes provide better efficiency from the conventional public key cryptography based schemes. These schemes are important as they present an efficient solution for TMIS. We analyze the security of both Lee's scheme and Xu et al.'s schemes. Unfortunately, we identify that both the schemes are vulnerable to denial of service attack. To understand the security failures of these cryptographic schemes which are the key of patching existing schemes and designing future schemes, we demonstrate the security loopholes of Lee's scheme and Xu et al.'s scheme in this paper.
Saigushev, N. Y.; Mikhailova, U. V.; Vedeneeva, O. A.; Tsaran, A. A.
No enterprise and company can do without designing its own corporate network in today's information society. It accelerates and facilitates the work of employees at any level, but contains a big threat to confidential information of the company. In addition to the data theft attackers, there are plenty of information threats posed by modern malware effects. In this regard, the computational security of corporate networks is an important component of modern information technologies of computer security for any enterprise. This article says about the design of the protected corporate network of the enterprise that provides the computers on the network access to the Internet, as well interoperability with the branch. The access speed to the Internet at a high level is provided through the use of high-speed access channels and load balancing between devices. The security of the designed network is performed through the use of VLAN technology as well as access lists and AAA server.
Telecare medical information systems (TMIS) enable healthcare delivery services. However, access of these services via public channel raises security and privacy issues. In recent years, several smart card based authentication schemes have been introduced to ensure secure and authorized communication between remote entities over the public channel for the (TMIS). We analyze the security of some of the recently proposed authentication schemes of Lin, Xie et al., Cao and Zhai, and Wu and Xu's for TMIS. Unfortunately, we identify that these schemes failed to satisfy desirable security attributes. In this article we briefly discuss four dynamic ID-based authentication schemes and demonstrate their failure to satisfy desirable security attributes. The study is aimed to demonstrate how inefficient password change phase can lead to denial of server scenario for an authorized user, and how an inefficient login phase causes the communication and computational overhead and decrease the performance of the system. Moreover, we show the vulnerability of Cao and Zhai's scheme to known session specific temporary information attack, vulnerability of Wu and Xu's scheme to off-line password guessing attack, and vulnerability of Xie et al.'s scheme to untraceable on-line password guessing attack.
This article presents a concise reliability analysis of network security abstracted from stochastic modeling, reliability, and queuing theories. Network security analysis is composed of threats, their impacts, and recovery of the failed systems. A unique framework with a collection of the key reliability models is presented here to guide the determination of the system reliability based on the strength of malicious acts and performance of the recovery processes. A unique model, called Attack-obstacle model, is also proposed here for analyzing systems with immunity growth features. Most computer science curricula do not contain courses in reliability modeling applicable to different areas of computer engineering. Hence, the topic of reliability analysis is often too diffuse to most computer engineers and researchers dealing with network security. This work is thus aimed at shedding some light on this issue, which can be useful in identifying models, their assumptions and practical parameters for estimating the reliability of threatened systems and for assessing the performance of recovery facilities. It can also be useful for the classification of processes and states regarding the reliability of information systems. Systems with stochastic behaviors undergoing queue operations and random state transitions can also benefit from the approaches presented here. - Highlights: • A concise survey and tutorial in model-based reliability analysis applicable to information security. • A framework of key modeling approaches for assessing reliability of networked systems. • The framework facilitates quantitative risk assessment tasks guided by stochastic modeling and queuing theory. • Evaluation of approaches and models for modeling threats, failures, impacts, and recovery analysis of information systems
LOPES, S. F.
Full Text Available Hyperconnectivity due to online social networks exposed security issues on data stored in these systems. This article presents an analysis on how online social networks designers have been communicating information security aspects through these systems’ interfaces. This analysis was made using the Semiotic Inspection Method on Facebook since it is largely used in Brazil and all over the world. Results showed that there is major concern with security information properties. Nevertheless it was possible to identify interface problems that could compromise use and understanding of such security properties
... RULEMAKING PROCEDURES Rulemaking Procedures General § 11.35 Does FAA include sensitive security information and proprietary information in the Federal Docket Management System (FDMS)? (a) Sensitive security information. You should not submit sensitive security information to the rulemaking docket, unless you are...
de Oliveira Albuquerque, Robson; García Villalba, Luis Javier; Sandoval Orozco, Ana Lucila; Buiati, Fábio; Kim, Tai-Hoon
Information can be considered the most important asset of any modern organization. Securing this information involves preserving confidentially, integrity and availability, the well-known CIA triad. In addition, information security is a risk management job; the task is to manage the inherent risks of information disclosure. Current information security platforms do not deal with the different facets of information technology. This paper presents a layered trust information security architecture (TISA) and its creation was motivated by the need to consider information and security from different points of view in order to protect it. This paper also extends and discusses security information extensions as a way of helping the CIA triad. Furthermore, this paper suggests information representation and treatment elements, operations and support components that can be integrated to show the various risk sources when dealing with both information and security. An overview of how information is represented and treated nowadays in the technological environment is shown, and the reason why it is so difficult to guarantee security in all aspects of the information pathway is discussed. PMID:25470490
de Oliveira Albuquerque, Robson; Villalba, Luis Javier García; Orozco, Ana Lucila Sandoval; Buiati, Fábio; Kim, Tai-Hoon
Information can be considered the most important asset of any modern organization. Securing this information involves preserving confidentially, integrity and availability, the well-known CIA triad. In addition, information security is a risk management job; the task is to manage the inherent risks of information disclosure. Current information security platforms do not deal with the different facets of information technology. This paper presents a layered trust information security architecture (TISA) and its creation was motivated by the need to consider information and security from different points of view in order to protect it. This paper also extends and discusses security information extensions as a way of helping the CIA triad. Furthermore, this paper suggests information representation and treatment elements, operations and support components that can be integrated to show the various risk sources when dealing with both information and security. An overview of how information is represented and treated nowadays in the technological environment is shown, and the reason why it is so difficult to guarantee security in all aspects of the information pathway is discussed.
Robson de Oliveira Albuquerque
Full Text Available Information can be considered the most important asset of any modern organization. Securing this information involves preserving confidentially, integrity and availability, the well-known CIA triad. In addition, information security is a risk management job; the task is to manage the inherent risks of information disclosure. Current information security platforms do not deal with the different facets of information technology. This paper presents a layered trust information security architecture (TISA and its creation was motivated by the need to consider information and security from different points of view in order to protect it. This paper also extends and discusses security information extensions as a way of helping the CIA triad. Furthermore, this paper suggests information representation and treatment elements, operations and support components that can be integrated to show the various risk sources when dealing with both information and security. An overview of how information is represented and treated nowadays in the technological environment is shown, and the reason why it is so difficult to guarantee security in all aspects of the information pathway is discussed.
Tipton, Harold F
Access Control Systems and Methodology. Telecommunications and Network Security. Security Management Practices. Application Program Security. Cryptography. Computer, System, and Security Architecture. Operations Security. Business Continuity Planning and Disaster Recovery Planning. Law, Investigation and Ethics. Physical Security.
Network Systems Security Analysis has utmost importance in today's world. Many companies, like banks which give priority to data management, test their own data security systems with "Penetration Tests" by time to time. In this context, companies must also test their own network/server systems and take precautions, as the data security draws attention. Based on this idea, the study cyber-attacks are researched throughoutly and Penetration Test technics are examined. With these information on, classification is made for the cyber-attacks and later network systems' security is tested systematically. After the testing period, all data is reported and filed for future reference. Consequently, it is found out that human beings are the weakest circle of the chain and simple mistakes may unintentionally cause huge problems. Thus, it is clear that some precautions must be taken to avoid such threats like updating the security software.
Full Text Available Securing sensitive organizational data has become increasingly vital to organizations. An Information Security Management System (ISMS is a systematic approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organization's information security. Key elements of the operation of an ISMS are ISMS processes. However, and in spite of its importance, an ISMS process framework with a description of ISMS processes and their interaction as well as the interaction with other management processes is not available in the literature. Cost benefit analysis of information security investments regarding single measures protecting information and ISMS processes are not in the focus of current research, mostly focused on economics. This article aims to fill this research gap by proposing such an ISMS process framework as the main contribution. Based on a set of agreed upon ISMS processes in existing standards like ISO 27000 series, COBIT and ITIL. Within the framework, identified processes are described and their interaction and interfaces are specified. This framework helps to focus on the operation of the ISMS, instead of focusing on measures and controls. By this, as a main finding, the systemic character of the ISMS consisting of processes and the perception of relevant roles of the ISMS is strengthened.
Satoh, Hitoshi; Niki, Noboru; Eguchi, Kenji; Ohmatsu, Hironobu; Kaneko, Masahiro; Kakinuma, Ryutaro; Moriyama, Noriyuki
Diagnostic MDCT imaging requires a considerable number of images to be read. Moreover, the doctor who diagnoses a medical image is insufficient in Japan. Because of such a background, we have provided diagnostic assistance methods to medical screening specialists by developing a lung cancer screening algorithm that automatically detects suspected lung cancers in helical CT images, a coronary artery calcification screening algorithm that automatically detects suspected coronary artery calcification and a vertebra body analysis algorithm for quantitative evaluation of osteoporosis. We also have developed the teleradiology network system by using web medical image conference system. In the teleradiology network system, the security of information network is very important subjects. Our teleradiology network system can perform Web medical image conference in the medical institutions of a remote place using the web medical image conference system. We completed the basic proof experiment of the web medical image conference system with information security solution. We can share the screen of web medical image conference system from two or more web conference terminals at the same time. An opinion can be exchanged mutually by using a camera and a microphone that are connected with the workstation that builds in some diagnostic assistance methods. Biometric face authentication used on site of teleradiology makes "Encryption of file" and "Success in login" effective. Our Privacy and information security technology of information security solution ensures compliance with Japanese regulations. As a result, patients' private information is protected. Based on these diagnostic assistance methods, we have developed a new computer-aided workstation and a new teleradiology network that can display suspected lesions three-dimensionally in a short time. The results of this study indicate that our radiological information system without film by using computer-aided diagnosis
Satoh, Hitoshi; Niki, Noboru; Eguchi, Kenji; Ohmatsu, Hironobu; Kaneko, Masahiro; Kakinuma, Ryutaru; Moriyama, Noriyuki
We have developed the teleradiology network system with a new information security solution that provided with web medical image conference system. In the teleradiology network system, the security of information network is very important subjects. We are studying the secret sharing scheme as a method safely to store or to transmit the confidential medical information used with the teleradiology network system. The confidential medical information is exposed to the risk of the damage and intercept. Secret sharing scheme is a method of dividing the confidential medical information into two or more tallies. Individual medical information cannot be decoded by using one tally at all. Our method has the function of RAID. With RAID technology, if there is a failure in a single tally, there is redundant data already copied to other tally. Confidential information is preserved at an individual Data Center connected through internet because individual medical information cannot be decoded by using one tally at all. Therefore, even if one of the Data Centers is struck and information is damaged, the confidential medical information can be decoded by using the tallies preserved at the data center to which it escapes damage. We can safely share the screen of workstation to which the medical image of Data Center is displayed from two or more web conference terminals at the same time. Moreover, Real time biometric face authentication system is connected with Data Center. Real time biometric face authentication system analyzes the feature of the face image of which it takes a picture in 20 seconds with the camera and defends the safety of the medical information. We propose a new information transmission method and a new information storage method with a new information security solution.
Ayyagari, Ramakrishna; Figueroa, Norilyz
Information Security issues are one of the top concerns of CEOs. Accordingly, information systems education and research have addressed security issues. One of the main areas of research is the behavioral issues in Information Security, primarily focusing on users' compliance to information security policies. We contribute to this literature by…
Kegel, Roeland Hendrik,Pieter
The human element is often found to be the weakest link in the information security chain. The Personal Information Security Assistant project aims to address this by improving the privacy and security awareness of end-users and by aligning the user's personal IT environment to the user's security
M. M. Koptenkov
Full Text Available This article reveals the necessity and importance of information categorizing in the area of information security systems development. This paper describes an information categorizing method based on the assessment of damages in a breach of confidentiality, integrity and availability of processed information. This method allows us to classify information on the degree of its value to the organization and most effectively implement an access control system.
Full Text Available Today's, Organizations are exposed with huge and diversity of information and information assets that are produced in different systems shuch as KMS, financial and accounting systems, official and industrial automation sysytems and so on and protection of these information is necessary. Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released.several benefits of this model cuses that organization has a great trend to implementing Cloud computing. Maintaining and management of information security is the main challenges in developing and accepting of this model. In this paper, at first, according to "design science research methodology" and compatible with "design process at information systems research", a complete categorization of organizational assets, including 355 different types of information assets in 7 groups and 3 level, is presented to managers be able to plan corresponding security controls according to importance of each groups. Then, for directing of organization to architect it’s information security in cloud computing environment, appropriate methodology is presented. Presented cloud computing security architecture , resulted proposed methodology, and presented classification model according to Delphi method and expers comments discussed and verified.
An information security architecture is made up of several components. Each component in the architecture focuses on establishing acceptable levels of control. These controls are then applied to the operating environment of an organization. Functionally, information security architecture combines technical, practical, and cost-effective solutions to provide an adequate and appropriate level of security.Information Security Architecture: An Integrated Approach to Security in the Organization details the five key components of an information security architecture. It provides C-level executives
Hernandez, Alejandro Mario
properties. This is also restricted to distributed systems in which the set of locations is known a priori. All this follows techniques borrowed from both the model checking and the static analysis communities. In the end, we reach a step towards solving the problem of enforcing security in distributed...... systems. We achieve the goal of showing how this can be done, though we restrict ourselves to closed systems and with a limited set of enforceable security policies. In this setting, our approach proves to be efficient. Finally, we achieve all this by bringing together several fields of Computer Science......The goal of the present thesis is to discuss, argue and conclude about ways to provide security to the information travelling around computer systems consisting of several known locations. When developing software systems, security of the information managed by these plays an important role...
V, Stepanov L.; V, Parinov A.; P, Korotkikh L.; S, Koltsov A.
In the article, the way of formalization of different types of threats of information security and vulnerabilities of an information system of the enterprise and establishment is considered. In a type of complexity of ensuring information security of application of any new organized system, the concept and decisions in the sphere of information security are expedient. One of such approaches is the method of a genetic algorithm. For the enterprises of any fields of activity, the question of complex estimation of the level of security of information systems taking into account the quantitative and qualitative factors characterizing components of information security is relevant.
Witzke, Edward L. [Sandia National Lab. (SNL-NM), Albuquerque, NM (United States)
In 2014, the United States Department of Defense started tra nsitioning the way it performs risk management and accreditation of informatio n systems to a process entitled Risk Management Framework for DoD Information Technology or RMF for DoD IT. There are many more security and privacy contro ls (and control enhancements) from which to select in RMF, than there w ere in the previous Information Assurance process. This report is an attempt t o clarify the way security controls and enhancements are selected. After a brief overview and comparison of RMF for DoD I T with the previously used process, this report looks at the determination of systems as National Security Systems (NSS). Once deemed to be an NSS, this report addr esses the categorization of the information system with respect to impact level s of the various security objectives and the selection of an initial baseline o f controls. Next, the report describes tailoring the controls through the use of overl ays and scoping considerations. Finally, the report discusses organizatio n-defined values for tuning the security controls to the needs of the information system.
Hurlburt, George; Hildreth, Bradley; Acevedo, Teresa
The Test and Evaluation Community Network (TECNET) is building a Multilevel Secure (MLS) system. This system features simultaneous access to classified and unclassified information and easy access through widely available communications channels. It provides the necessary separation of classification levels, assured through the use of trusted system design techniques, security assessments and evaluations. This system enables cleared T&E users to view and manipulate classified and unclassified information resources either using a single terminal interface or multiple windows in a graphical user interface. TECNET is in direct partnership with the National Security Agency (NSA) to develop and field the MLS TECNET capability in the near term. The centerpiece of this partnership is a state-of-the-art Concurrent Systems Security Engineering (CSSE) process. In developing the MLS TECNET capability, TECNET and NSA are providing members, with various expertise and diverse backgrounds, to participate in the CSSE process. The CSSE process is founded on the concepts of both Systems Engineering and Concurrent Engineering. Systems Engineering is an interdisciplinary approach to evolve and verify an integrated and life cycle balanced set of system product and process solutions that satisfy customer needs (ASD/ENS-MIL STD 499B 1992). Concurrent Engineering is design and development using the simultaneous, applied talents of a diverse group of people with the appropriate skills. Harnessing diverse talents to support CSSE requires active participation by team members in an environment that both respects and encourages diversity.
Aurel Serb; Constantin Baron; Nicoleta Magdalena Iacob; Costinela-Luminita Defta
Security issues in financial accounting are complex, and the risks are often difficult to stipulate, even for experts. The issues presented in this article try to be formed in a contribution to the consolidation of problems in the field of risk, and former vulnerabilities in cyber security in financial accounting. The use of an information security management system became a requirement for organizations because on the states began adopting mandatory data protection legislation and informatio...
Dmitriy Nikolaevich Bespalov
Full Text Available The article presents the opposite, but dependent on each other's reality - Revolutionary War information,information security goals and objectives of their study within the scheme "challenge-response", methodological and analytical support, the role of elites and the information society in promoting information security. One of the features of contemporaneityis the global spread of ICT, combined with poor governance and other difficulties in the construction of innovation infrastructures that are based on them in some countries. This leads to the reproduction of threats, primarily related to the ability to use ICT for purposes that are inconsistent with the objectives of maintaining international peace and security, compliance with the principles of non-use of force, non-interference in the internal affairs of states, etc. In this regard, include such terms as "a threat of information warfare", "information terrorism" and so forth. Information warfare, which stay in the policy declared the struggle for existence, and relationships are defined in terms of "friend-enemy", "ours-foreign". Superiority over the opponent or "capture of its territory" is the aim of political activity. And information security, serving activities similar process of political control, including a set of components, is a technology until their humanitarian. From the context and the decision itself is the ratio of the achieved results of information and political influence to the target - a positive image of Russia. Bringing its policy in line with the demands of a healthy public opinion provides conductivity of theauthorities initiatives in the country and increases the legitimacy of the Russian Federation actions in the world.
Alkhateeb, A; Singer, H; Yakami, M; Takahashi, T
The rapid development of the Internet and the increasing interest in Internet-based solutions has promoted the idea of creating Internet-based health information applications. This will force a change in the role of IC cards in healthcare card systems from a data carrier to an access key medium. At the Medical Informatics Department of Kyoto University Hospital we are developing a smart card patient information project where patient databases are accessed via the Internet. Strong end-to-end data encryption is performed via Secure Socket Layers, transparent to transmit patient information. The smart card is playing the crucial role of access key to the database: user authentication is performed internally without ever revealing the actual key. For easy acceptance by healthcare professionals, the user interface is integrated as a plug-in for two familiar Web browsers, Netscape Navigator and MS Internet Explorer.
... Collection; Financial Information Security Request Form AGENCY: Forest Service, USDA. ACTION: Notice; Request... currently approved information collection; Financial Information Security Request Form. DATES: Comments must... Standard Time, Monday through Friday. SUPPLEMENTARY INFORMATION: Title: Financial Information Security...
Report #14-P-0142, March 21, 2014. The EPA places its information systems and data at risk due to an organizational structure that has not specified required duties and responsibilities to ensure personnel are trained on key information security roles.
Satoh, Hitoshi; Niki, Noboru; Eguchi, Kenji; Ohmatsu, Hironobu; Kusumoto, Masahiko; Kaneko, Masahiro; Moriyama, Noriyuki
We have developed an external storage system by using secret sharing scheme and tokenization for regional medical cooperation, PHR service and information preservation. The use of mobile devices such as smart phones and tablets will be accelerated for a PHR service, and the confidential medical information is exposed to the risk of damage and intercept. We verified the transfer rate of the sending and receiving of data to and from the external storage system that connected it with PACS by the Internet this time. External storage systems are the data centers that exist in Okinawa, in Osaka, in Sapporo and in Tokyo by using secret sharing scheme. PACS continuously transmitted 382 CT images to the external data centers. Total capacity of the CT images is about 200MB. The total time that had been required to transmit was about 250 seconds. Because the preservation method to use secret sharing scheme is applied, security is strong. But, it also takes the information transfer time of this system too much. Therefore, DICOM data is masked to the header information part because it is made to anonymity in our method. The DICOM data made anonymous is preserved in the data base in the hospital. Header information including individual information is divided into two or more tallies by secret sharing scheme, and preserved at two or more external data centers. The token to relate the DICOM data anonymity made to header information preserved outside is strictly preserved in the token server. The capacity of header information that contains patient's individual information is only about 2% of the entire DICOM data. This total time that had been required to transmit was about 5 seconds. Other, common solutions that can protect computer communication networks from attacks are classified as cryptographic techniques or authentication techniques. Individual number IC card is connected with electronic certification authority of web medical image conference system. Individual number IC
Report #16-P-0086, January 27, 2016. The effectiveness of the CSB’s information security program is challenged by its lack of personal identity verification cards for logical access, complete system inventory.
Flentge, Felix; Eggleston, James; Garcia Mateos, Marc
A common approach to address information security has been implemented in ESA's Mission Operations (MOI) Infrastructure during the last years. This paper reports on the specific challenges to the Data Systems domain within the MOI and how security can be properly managed with an Information Security Management System (ISMS) according to ISO 27001. Results of an initial security risk assessment are reported and the different types of security controls that are being implemented in order to reduce the risks are briefly described.
Wolfgang. "Appraisal of the effectivness and efficiency of an Information Security Management System based on ISO 27001 ." International Conference on...of corporate information resources (Doherty and 29 Fulford, 2006) ( ISO /IEC 17799, 2005). Both public and private sectors of business have...Science Ltd, 2002. Iacovou, Charalambos L. "The IPACS project: when IT hits the fan." Journal of Information Technology, 1999: 267-275. ISO /IEC 17799
Maria Cristina RĂDULESCU
Full Text Available This paper provides a set of guidelines that can be used for prescribing a methodology or a detailed process for selecting and prioritizing security projects or solutions. It is based on the idea that costs of security solutions should be justified by their contribution to ensuring adequate protection of information resources in the organization which implements them. The article reviews general issues of security risks and costs, arguing the need for explicit consideration of information resources security requirements in order to validate decisions concerning security projects implementation. In such an approach, security requirements of information resources are used as a reference system to quantify the benefits and limitations of security solutions defined as alternative or complementary responses to certain security risks as their implementation faces budget constraints.
SABAU-POPA CLAUDIA DIANA
Full Text Available The information confidentiality and cyber security risk affects the right to confidentiality and privacy of the patient, as regulated in Romania by the Law 46/2002. The manifestation of the cyber security risk event affects the reputation of the healthcare institution and is becoming more and more complex and often due to the: development of network technology, the medical equipment connected to wifi and the electronic databases. The databases containing medical records were implemented due to automation. Thus, transforming data into medical knowledge contribute to a better understanding of the disease. Due to these factors, the measures taken by the hospital management for this type of risk are adapted to the cyber changes. The hospital objectives aim: the implementation of a robust information system, the early threats identifications and the incident reporting. Neglecting this type of risk can generate financial loss, inability to continue providing health care services for a certain period of time, providing an erroneous diagnosis, medical equipment errors etc. Thus, in a digital age the appropriate risk management for the information security and cyber risk represent a necessity. The main concern of hospitals worldwide is to align with international requirements and obtain credentials in terms of data security from the International Organisation for Standardization, which regulates the management of this type of risk. Romania is at the beginning in terms of concerns regarding the management, avoidance and mitigation of information security, the health system being most highly exposed to its manifestation. The present paper examines the concerns of the health system to the confidentiality of information and cyber security risk and its management arrangements. Thus, a set of key risk indicators is implemented and monitored for 2011-2013, using a user interface, a Dashboard, which acts as an early warning system of the manifestation of the
Li, Bo; Zhang, Lichen
In recent years, Cyber-Physical System (CPS) has become an important research direction of academic circles and scientific and technological circles at home and abroad, is considered to be following the third wave of world information technology after the computer, the Internet. PS is a multi-dimensional, heterogeneous, deep integration of open systems, Involving the computer, communication, control and other disciplines of knowledge. As the various disciplines in the research theory and methods are significantly different, so the application of CPS has brought great challenges. This paper introduces the definition and characteristics of CPS, analyzes the current situation of CPS, analyzes the security threats faced by CPS, and gives the security solution for security threats. It also discusses CPS-specific security technology, to promote the healthy development of CPS in information security.
Sutrala, Anil Kumar; Das, Ashok Kumar; Odelu, Vanga; Wazid, Mohammad; Kumari, Saru
Information and communication and technology (ICT) has changed the entire paradigm of society. ICT facilitates people to use medical services over the Internet, thereby reducing the travel cost, hospitalization cost and time to a greater extent. Recent advancements in Telecare Medicine Information System (TMIS) facilitate users/patients to access medical services over the Internet by gaining health monitoring facilities at home. Amin and Biswas recently proposed a RSA-based user authentication and session key agreement protocol usable for TMIS, which is an improvement over Giri et al.'s RSA-based user authentication scheme for TMIS. In this paper, we show that though Amin-Biswas's scheme considerably improves the security drawbacks of Giri et al.'s scheme, their scheme has security weaknesses as it suffers from attacks such as privileged insider attack, user impersonation attack, replay attack and also offline password guessing attack. A new RSA-based user authentication scheme for TMIS is proposed, which overcomes the security pitfalls of Amin-Biswas's scheme and also preserves user anonymity property. The careful formal security analysis using the two widely accepted Burrows-Abadi-Needham (BAN) logic and the random oracle models is done. Moreover, the informal security analysis of the scheme is also done. These security analyses show the robustness of our new scheme against the various known attacks as well as attacks found in Amin-Biswas's scheme. The simulation of the proposed scheme using the widely accepted Automated Validation of Internet Security Protocols and Applications (AVISPA) tool is also done. We present a new user authentication and session key agreement scheme for TMIS, which fixes the mentioned security pitfalls found in Amin-Biswas's scheme, and we also show that the proposed scheme provides better security than other existing schemes through the rigorous security analysis and verification tool. Furthermore, we present the formal security
Sazonets Olga M.
Full Text Available The aim of the article is to study the peculiarities of the innovative activity in the context of providing the enterprise information security. By analyzing, systematizing and summarizing the scientific works of many scientists the essence of the concept of «information security» has been considered and components of the innovation development process from the standpoint of providing information security have been identified. The article discusses issues of providing information security on the basis of introducing innovations, which will allow achieving a state in which there would be realized a sustainable, protected from threats, development of the enterprise. It has been proved that the formation of the innovative enterprise policy should include measures to ensure information security. As a result of the study the types of threats to the enterprise information security have been identified. It has been determined that the innovation process in the field of information security is provided by means of research, administrative, industrial, technological and commercial activities leading to the emergence and commercialization of innovations. The prospect for further research in this area is determining a system of indicators for forecasting the integral innovation indicator of economic information security. The system of indicators for diagnostics of the enterprise information security level enables monitoring the indicators of the state of the enterprise innovation and information activity in order to prevent the emergence of threats.
Anderson, Ross; Moore, Tyler
Until ca. 2000, information security was seen as a technological discipline, based on computer science but with mathematics helping in the design of ciphers and protocols. That perspective started to change as researchers and practitioners realized the importance of economics. As distributed systems are increasingly composed of machines that belong to principals with divergent interests, incentives are becoming as important to dependability as technical design. A thriving new field of information security economics provides valuable insights not just into 'security' topics such as privacy, bugs, spam and phishing, but into more general areas of system dependability and policy. This research programme has recently started to interact with psychology. One thread is in response to phishing, the most rapidly growing form of online crime, in which fraudsters trick people into giving their credentials to bogus websites; a second is through the increasing importance of security usability; and a third comes through the psychology-and-economics tradition. The promise of this multidisciplinary research programme is a novel framework for analysing information security problems-one that is both principled and effective.
Taylor, Andy; Finch, Amanda; Sutton, David; Taylor, Andy
In today's technology-driven environment, there is an ever-increasing demand for information delivery. A compromise has to be struck between security and availability. This book is a pragmatic guide to information assurance for both business professionals and technical experts. This second edition includes the security of cloud-based resources.
Koskosas, loannis Vasileios
This thesis was submitted for the degree of Doctor of Philosophy and awarded by Brunel University. This thesis takes a social and organizational point of view for studying information systems security in the context of internet banking. While the internet provides opportunities for businesses to extend their public network infrastructure, reduce transaction costs, and sell a wide range of products and services worldwide, security threats impede the business. Although, a number ...
Durowoju, Olatunde; Chan, Hing; Wang, Xiaojun
This study draws on information theory and aims to provide simulated evidence using real historical and statistical data to demonstrate how various levels of integration moderate the impact and uncertainties of information security breach on supply chain performance. We find that the supply chain behaves differently under various levels of integration when a security breach occurs. The entropy analysis revealed that the wholesaler experience the most uncertainty under system failure and data ...
The aim of this thesis is to provide a comprehensive overview of database systems security. Reader is introduced into the basis of information security and its development. Following chapter defines a concept of database system security using ISO/IEC 27000 Standard. The findings from this chapter form a complex list of requirements on database security. One chapter also deals with legal aspects of this domain. Second part of this thesis offers a comparison of four object-relational database s...
Iryna V. Zolotarenko
Full Text Available Relevance of the material contained in the article is conditioned by pressing needs of society in creating secure information systems, facilitating the introduction of advanced information technologies in the education department. Security is important for the reliability and efficiency of such systems. One way of solving the security problem is the distribution of categories of users and granting their rights at different levels. The paper analyzes general approaches to organize groups and permission levels of users in information systems developed based on MS SharePoint. The main design decisions on security in information system planning research at the National Academy of Pedagogical Sciences of Ukraine based on the Internet use the conceptual results of this article.
... CENTRAL INTELLIGENCE AGENCY 32 CFR Part 1902 Information Security Regulations AGENCY: Central... information security regulations which have become outdated. The Executive Order upon which the regulations... CFR Part 1902 Information security regulations. PART 1902 [REMOVED AND RESERVED] Sec. 1902.13 [Removed...
... DEPARTMENT OF AGRICULTURE Forest Service Information Collection; Financial Information Security..., Financial Information Security Request Form. DATES: Comments must be received in writing on or before... Information Security Request Form. OMB Number: 0596-0204. Expiration Date of Approval: 02/28/2014. Type of...
Levitin, Gregory; Hausken, Kjell; Taboada, Heidi A.; Coit, David W.
A multiple objective problem formulation and solution methodology is presented to select optimal information and data storage configurations considering both data survivability and data security, as well as cost. This paper considers a situation where the information is divided into several separately stored blocks in order to mitigate the risk of unauthorized access or theft. The information can be used only if all of the blocks are accessed. To impede the information theft, the defender prefers to maximize the number of blocks. On the other hand the destruction of any block destroys the integrity of information and makes it impossible to use. To impede the information destruction, the defender prefers to maximize the number of parallel (reserve) copies of each block, regardless how many blocks in series there are. Given the set of available information storage resources, the defender must consider a multi-objective optimization problem to determine how many blocks and their copies to create, and how to distribute them among available resources in order to minimize information vulnerability, insecurity, and storage cost. Non-dominated solutions to this problem are determined using a multiple objective genetic algorithm (MOGA). This methodology is demonstrated with two general examples.
Arshad, Hamed; Teymoori, Vahid; Nikooghadam, Morteza; Abbassi, Hassan
Telecare medicine information systems (TMISs) aim to deliver appropriate healthcare services in an efficient and secure manner to patients. A secure mechanism for authentication and key agreement is required to provide proper security in these systems. Recently, Bin Muhaya demonstrated some security weaknesses of Zhu's authentication and key agreement scheme and proposed a security enhanced authentication and key agreement scheme for TMISs. However, we show that Bin Muhaya's scheme is vulnerable to off-line password guessing attacks and does not provide perfect forward secrecy. Furthermore, in order to overcome the mentioned weaknesses, we propose a new two-factor anonymous authentication and key agreement scheme using the elliptic curve cryptosystem. Security and performance analyses demonstrate that the proposed scheme not only overcomes the weaknesses of Bin Muhaya's scheme, but also is about 2.73 times faster than Bin Muhaya's scheme.
Information security management is an area with a lot of theoretical models. The models are designed to guide practitioners in prioritizing management resources in companies. Information security management education should address the gap between the academic ideals and practice. This paper introduces a teaching method that has been in use as…
Lee, Tian-Fu; Liu, Chuan-Ming
A smart-card based authentication scheme for telecare medicine information systems enables patients, doctors, nurses, health visitors and the medicine information systems to establish a secure communication platform through public networks. Zhu recently presented an improved authentication scheme in order to solve the weakness of the authentication scheme of Wei et al., where the off-line password guessing attacks cannot be resisted. This investigation indicates that the improved scheme of Zhu has some faults such that the authentication scheme cannot execute correctly and is vulnerable to the attack of parallel sessions. Additionally, an enhanced authentication scheme based on the scheme of Zhu is proposed. The enhanced scheme not only avoids the weakness in the original scheme, but also provides users' anonymity and authenticated key agreements for secure data communications.
Detecting, investigating and prosecuting cybercrime? Extremely important, but not really the solution for the problem. Prevention is better! The sectors that have joined the Cybercrime Information Exchange have accepted the challenge of ensuring the effectiveness of the (information) security of process control systems (PCS), including SCADA. This publication makes it clear why it is vital that organizations establish and maintain control over the security of the information and communication...
SECURITY CONCEPTSUsing ModelsIntroduction: Understanding, Selecting, and Applying Models Understanding AssetsLayered Security Using Models in Security Security Models for Information Systems Shortcomings of Models in SecuritySecurity in Context Reference Defining Information SecurityConfidentiality, Integrity, and Availability Information AttributesIntrinsic versus Imputed Value Information as an Asset The Elements of Security Security Is Security Only in Context Information as an Asset Introduction Determining Value Managing Information Resources ReferencesUnderstanding Threat and Its Relatio
... FEDERAL MARITIME COMMISSION 46 CFR Part 503 [Docket No. 11-01] RIN 3072-AC40 Information Security... (FMC or Commission) amends its regulations relating to its Information Security Program to reflect the changes implemented by Executive Order 13526--Classified National Security Information--that took effect...
... 14 Aeronautics and Space 5 2010-01-01 2010-01-01 false Information security objectives. 1203.201 Section 1203.201 Aeronautics and Space NATIONAL AERONAUTICS AND SPACE ADMINISTRATION INFORMATION SECURITY PROGRAM NASA Information Security Program § 1203.201 Information security objectives. The objectives of...
Management information system can be compared to the nervous system of a company. Its malfunction may cause adverse effects in many different areas of the company. Information Security Management is understood as tool of the information confidentiality, availability and integrity assurance. An effective information security management system reduces the risk of crisis in the company. It also allows to reduce the effects of the crisis occurring outside the company.
Cazemier, Jacques A; Peters, Louk
This groundbreaking new title looks at Information Security from defining what security measures positively support the business, to implementation to maintaining the required level and anticipating required changes. It covers:Fundamentals of information security ? providing readers insight and give background about what is going to be managed. Topics covered include: types of security controls, business benefits and the perspectives of business, customers, partners, service providers, and auditors.Fundamentals of management of information security - explains what information security manageme
Lenaeus, Joseph D.; O'Neil, Lori Ross; Leitch, Rosalyn M.; Glantz, Clifford S.; Landine, Guy P.; Bryant, Janet L.; Lewis, John; Mathers, Gemma; Rodger, Robert; Johnson, Christopher
This document was prepared by PNNL within the framework of Project 19 of the European Union Chemical Biological Radiological and Nuclear Risk Mitigation Centres of Excellence Initiative entitled, ''Development of procedures and guidelines to create and improve secure information management systems and data exchange mechanisms for CBRN materials under regulatory control.'' It provides management and workers at CBRN facilities, parent organization managers responsible for those facilities, and regulatory agencies (governmental and nongovernmental) with guidance on the best practices for protecting information security. The security mitigation approaches presented in this document were chosen because they present generally accepted guidance in an easy-to-understand manner, making it easier for facility personnel to grasp key concepts and envision how security controls could be implemented by the facility. This guidance is presented from a risk management perspective.
Lenaeus, Joseph D. [Pacific Northwest National Lab. (PNNL), Richland, WA (United States); O' Neil, Lori Ross [Pacific Northwest National Lab. (PNNL), Richland, WA (United States); Leitch, Rosalyn M. [Pacific Northwest National Lab. (PNNL), Richland, WA (United States); Glantz, Clifford S. [Pacific Northwest National Lab. (PNNL), Richland, WA (United States); Landine, Guy P. [Pacific Northwest National Lab. (PNNL), Richland, WA (United States); Bryant, Janet L. [Pacific Northwest National Lab. (PNNL), Richland, WA (United States); Lewis, John [National Nuclear Lab., Workington (United Kingdom); Mathers, Gemma [National Nuclear Lab., Workington (United Kingdom); Rodger, Robert [National Nuclear Lab., Workington (United Kingdom); Johnson, Christopher [National Nuclear Lab., Workington (United Kingdom)
This document was prepared by PNNL within the framework of Project 19 of the European Union Chemical Biological Radiological and Nuclear Risk Mitigation Centres of Excellence Initiative entitled, ''Development of procedures and guidelines to create and improve secure information management systems and data exchange mechanisms for CBRN materials under regulatory control.'' It provides management and workers at CBRN facilities, parent organization managers responsible for those facilities, and regulatory agencies (governmental and nongovernmental) with guidance on the best practices for protecting information security. The security mitigation approaches presented in this document were chosen because they present generally accepted guidance in an easy-to-understand manner, making it easier for facility personnel to grasp key concepts and envision how security controls could be implemented by the facility. This guidance is presented from a risk management perspective.
... 48 Federal Acquisition Regulations System 4 2010-10-01 2010-10-01 false Information Technology... Clauses 652.239-70 Information Technology Security Plan and Accreditation. As prescribed in 639.107-70(a), insert the following provision: Information Technology Security Plan and Accreditation (SEP 2007) All...
... 48 Federal Acquisition Regulations System 5 2010-10-01 2010-10-01 false Information technology... Provisions and Clauses 1252.239-71 Information technology security plan and accreditation. As prescribed in (TAR) 48 CFR 1239.70, insert the following provision: Information Technology Security Plan and...
... 12 Banks and Banking 6 2010-01-01 2010-01-01 false Information Security Officer. 605.501 Section... Information Security Officer. (a) The Information Security Officer of the Farm Credit Administration shall be responsible for implementation and oversight of the information security program and procedures adopted by the...
Haneda, Kiyofumi; Umeda, Tokuo; Koyama, Tadashi; Harauchi, Hajime; Inamura, Kiyonari
The target of our study is to establish the methodology for analyzing level of security requirements, for searching suitable security measures and for optimizing security distribution to every portion of medical practice. Quantitative expression must be introduced to our study as possible for the purpose of easy follow up of security procedures and easy evaluation of security outcomes or results. Results of system analysis by fault tree analysis (FTA) clarified that subdivided system elements in detail contribute to much more accurate analysis. Such subdivided composition factors very much depended on behavior of staff, interactive terminal devices, kinds of service, and routes of network. As conclusion, we found the methods to analyze levels of security requirements for each medical information systems employing FTA, basic events for each composition factor and combination of basic events. Methods for searching suitable security measures were found. Namely risk factors for each basic event, number of elements for each composition factor and candidates of security measure elements were found. Method to optimize the security measures for each medical information system was proposed. Namely optimum distribution of risk factors in terms of basic events were figured out, and comparison of them between each medical information systems became possible.
...] Information Collection; Implementation of Information Technology Security Provision AGENCY: General Services... collection requirement regarding Implementation of Information Technology Security Provision. Public comments... Information Collection 3090- 0294, Implementation of Information Technology Security Provision, by any of the...
Gary Gorton; Ping He; Lixin Huang
Trade in securities markets is conducted by agents acting for principals, using "mark-to-market" contracts whereby performance is assessed using security market prices. We endogenize contract choices, information production, informed trading, and security price informativeness. But there is a contract externality. Prices are informative only because other principals induce their agents to trade based on privately produced information. The agent-traders then have an incentive to coordinate and...
This publication provides guidance on implementing the principle of confidentiality and on the broader aspects of information security (i.e. integrity and availability). It assists States in bridging the gap between existing government and industry standards on information security, the particular concepts and considerations that apply to nuclear security and the special provisions and conditions that exist when dealing with nuclear material and other radioactive material. Specifically it seeks to assist states in the identification, classification, and assignment of appropriate security controls to information that could adversely impact nuclear security if compromised
... NIST on information security and privacy issues pertaining to federal computer systems. Details... Information Security and Privacy Advisory Board AGENCY: National Institute of Standards and Technology, Commerce. ACTION: Notice. SUMMARY: The Information Security and Privacy Advisory Board (ISPAB) will meet...
Gabriela GHEORGHE; Ioana LUPASC
In present, the cyber attack move to a global scale, also the online business cyber threats have the effect of impeding and even huge losses. Security issues currently facing online commerce, online payment systems require finding solutions to improve the security solutions offered by the providers of Business Information solution.
Takamura, Eduardo; Gomez-Rosa, Carlos A.; Mangum, Kevin; Wasiak, Fran
As the first interplanetary mission managed by the NASA Goddard Space Flight Center, the Mars Atmosphere and Volatile EvolutioN (MAVEN) had three IT security goals for its ground system: COMPLIANCE, (IT) RISK REDUCTION, and COST REDUCTION. In a multiorganizational environment in which government, industry and academia work together in support of the ground system and mission operations, information security governance, risk management, and compliance (GRC) becomes a challenge as each component of the ground system has and follows its own set of IT security requirements. These requirements are not necessarily the same or even similar to each other's, making the auditing of the ground system security a challenging feat. A combination of standards-based information security management based on the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF), due diligence by the Mission's leadership, and effective collaboration among all elements of the ground system enabled MAVEN to successfully meet NASA's requirements for IT security, and therefore meet Federal Information Security Management Act (FISMA) mandate on the Agency. Throughout the implementation of GRC on MAVEN during the early stages of the mission development, the Project faced many challenges some of which have been identified in this paper. The purpose of this paper is to document these challenges, and provide a brief analysis of the lessons MAVEN learned. The historical information documented herein, derived from an internal pre-launch lessons learned analysis, can be used by current and future missions and organizations implementing and auditing GRC.
Sebastian Lopienski is CERN's Deputy Computer Security Officer. He works on security strategy and policies; offers internal consultancy and audit services; develops and maintains security tools for vulnerability assessment and intrusion detection; provides training and awareness raising; and does incident investigation and response. During his work at CERN since 2001, Sebastian has had various assignments, including designing and developing software to manage and support services hosted in the CERN Computer Centre; providing Central CVS Service for software projects at CERN; and development of applications for accelerator controls in Java. He graduated from the University of Warsaw (MSc in Computer Science) in 2002, and earned an MBA degree at the Enterprise Administration Institute in Aix-en-Provence and Haute Ecole de Gestion in Geneva in 2010. His professional interests include software and network security, distributed systems, and Web and mobile technologies. With the prevalence of modern information te...
Full Text Available The contribution deals with the actual methods and technologies of information and communication systems security. It introduces the overview of electronic identification elements such as static password, dynamic password and single sign-on. Into this category belong also biometric and dynamic characteristics of verified person. Widespread is authentication based on identification elements ownership, such as various cards and authentication calculators. In the next part is specified a definition and characterization of electronic signature, its basic functions and certificate categories. Practical utilization of electronic signature consists of electronic signature acquirement, signature of outgoing email message, receiving of electronic signature and verification of electronic signature. The use of electronic signature is continuously growing and in connection with legislation development it exercises in all resorts.
Hajrahimi, Nafiseh; Dehaghani, Sayed Mehdi Hejazi; Sheikhtaheri, Abbas
Health Information System (HIS) is considered a unique factor in improving the quality of health care activities and cost reduction, but today with the development of information technology and use of internet and computer networks, patients' electronic records and health information systems have become a source for hackers. This study aims at checking health information security of three selected medical centers in Iran using AHP fuzzy and TOPSIS compound model. To achieve that security measures were identified, based on the research literature and decision making matrix using experts' points of view. Among the 27 indicators, seven indicators were selected as effective indicators and Fuzzy AHP technique was used to determine the importance of security indicators. Based on the comparisons made between the three selected medical centers to assess the security of health information, it is concluded that Chamran hospital has the most acceptable level of security and attention in three indicators of "verification and system design, user access management, access control system", Al Zahra Hospital in two indicators of "access management and network access control" and Amin Hospital in "equipment safety and system design". In terms of information security, Chamran Hospital ranked first, Al-Zahra Hospital ranked second and Al- Zahra hospital has the third place.
de Carvalho Junior, Marcelo Antonio; Bandiera-Paiva, Paulo
This article objective is to highlight implementation characteristics, concerns, or limitations over role-based access control (RBAC) use on health information system (HIS) using industry-focused literature review of current publishing for that purpose. Based on the findings, assessment for indication of RBAC is obsolete considering HIS authorization control needs. We have selected articles related to our investigation theme "RBAC trends and limitations" in 4 different sources related to health informatics or to the engineering technical field. To do so, we have applied the following search query string: "Role-Based Access Control" OR "RBAC" AND "Health information System" OR "EHR" AND "Trends" OR "Challenges" OR "Security" OR "Authorization" OR "Attacks" OR "Permission Assignment" OR "Permission Relation" OR "Permission Mapping" OR "Constraint". We followed PRISMA applicable flow and general methodology used on software engineering for systematic review. 20 articles were selected after applying inclusion and exclusion criteria resulting contributions from 10 different countries. 17 articles advocate RBAC adaptations. The main security trends and limitations mapped were related to emergency access, grant delegation, and interdomain access control. Several publishing proposed RBAC adaptations and enhancements in order to cope current HIS use characteristics. Most of the existent RBAC studies are not related to health informatics industry though. There is no clear indication of RBAC obsolescence for HIS use.
Ackoski, Jugoslav; Trajkovik, Vladimir; Davcev, Danco
Security is important requirement for service-oriented architecture (SOA), because SOA considers widespread services on different location and diverse operational platforms. Main challenge for SOA Security still drifts around “clouds” and that is insufficient frameworks for security models based on consistent and convenient methods. Contemporary security architectures and security protocols are in the phase of developing. SOA based systems are characterized with differences ...
A. P. Durakovskiy
Full Text Available None of the critically important facilities can operate without the engineered safety system. Functionally varied security networks or a fire alarm system can refer to this system as well as safety and reliability which are provided by secured energy, water and heating supply. In the process of attestation according to the requirements of information security of information objects with such technical means, it is necessary to conduct special investigations of protection against leakage of acoustic speech information through the channels of the acousto-electrical transformations (AET. There are major aspects in the data leak via AET, which currently include the following: lack of and /or obtaining legal and safety norms to regulate specified parameters; lack of the automated hardware and software system for some AET variations to carry out measurements; lack of specified safety equipment for some AET variations; lack of shelter security units; high costs of AET measurement and control units; and low measurement repeatability.
Mohsen Shafiei Nikabadi; Ahmad Jafarian; Azam Jalili Bolhasani
: The major purpose of this article was that how information security management has effect on supply chain integration and the effect of implementing "information security management system" on enhancing supplies chain integration. In this respect, current research was seeking a combination overview to these tow approaches (Information Security Management and Organizational Processes Integration by Enterprise Resources Planning System) and after that determined factors of these two import...
Rocha Flores, Waldo; Antonsen, Egil; Ekstedt, Mathias
This paper presents an empirical investigation on what behavioral information security governance factors drives the establishment of information security knowledge sharing in organizations. Data was collected from organizations located in different geographic regions of the world, and the amount of data collected from two countries – namely, USA and Sweden – allowed us to investigate if the effect of behavioral information security governance factors on the establishment of security knowledg...
Taylor, Richard G.
With the increasing amount and severity of information security incidents, organizations are constantly looking for better ways to protect their information. The implementation of physical safeguards such as firewalls and intrusion detection systems is an integral part on an organization's overall information security; however these safeguards…
Security threat assessment of the Internet security system has become a greater concern in recent years because of the progress and diversification of information technology. Traditionally, the failure probabilities of bottom events of an Internet security system are treated as exact values when the failure probability of the entire system is estimated. However, security threat assessment when the malfunction data of the system’s elementary event are incomplete—the traditional approach for ca...
Iannarelli, John G
Information Governance and Security shows managers in any size organization how to create and implement the policies, procedures and training necessary to keep their organization's most important asset-its proprietary information-safe from cyber and physical compromise. Many intrusions can be prevented if appropriate precautions are taken, and this book establishes the enterprise-level systems and disciplines necessary for managing all the information generated by an organization. In addition, the book encompasses the human element by considering proprietary information lost, damaged, or destroyed through negligence. By implementing the policies and procedures outlined in Information Governance and Security, organizations can proactively protect their reputation against the threats that most managers have never even thought of. Provides a step-by-step outline for developing an information governance policy that is appropriate for your organization Includes real-world examples and cases to help illustrate key ...
Bauereiss , Thomas; Hutter , Dieter
Part 6: Information Flow Control; International audience; Motivated by typical security requirements of workflow management systems, we consider the integrated verification of both safety properties (e.g. separation of duty) and information flow security predicates of the MAKS framework (e.g. modeling confidentiality requirements). Due to the refinement paradox, enforcement of safety properties might violate possibilistic information flow properties of a system. We present an approach where s...
Full Text Available In present, the cyber attack move to a global scale, also the online business cyber threats have the effect of impeding and even huge losses. Security issues currently facing online commerce, online payment systems require finding solutions to improve the security solutions offered by the providers of Business Information solution.
Waddell, Stanie Adolphus
Many articles within the literature point to the information security policy as one of the most important elements of an effective information security program. Even though this belief is continually referred to in many information security scholarly articles, very few research studies have been performed to corroborate this sentiment. Doherty and…
Alwi, Najwa Hayaati Mohd; Fan, Ip-Shing
ELearning systems are increasingly used by educational institutions to support their academic activities. A simple use of an eLearning system is to make materials and notes available to students at anytime and anywhere; more sophisticated uses of eLearning support the interaction and assessment processes. Depending on how eLearning systems are used, information security issues such as intellectual property protection, personal data protection and continuity of service can become significant f...
... MARINE MAMMAL COMMISSION Classified National Security Information [Directive 11-01] AGENCY: Marine... Commission's (MMC) policy on classified information, as directed by Information Security Oversight Office... of Executive Order 13526, ``Classified National Security Information,'' and 32 CFR part 2001...
Shaffer, Alan B
Within a multilevel secure (MLS) system, flaws in design and implementation can result in overt and covert channels, both of which may be exploited by malicious software to cause unauthorized information flows...
Varlataya, S. K.; Evdokimov, V. E.; Urzov, A. Y.
This article describes a process of calculating a certain complex information security system (CISS) reliability using the example of the technospheric security management model as well as ability to determine the frequency of its maintenance using the system reliability parameter which allows one to assess man-made risks and to forecast natural and man-made emergencies. The relevance of this article is explained by the fact the CISS reliability is closely related to information security (IS) risks. Since reliability (or resiliency) is a probabilistic characteristic of the system showing the possibility of its failure (and as a consequence - threats to the protected information assets emergence), it is seen as a component of the overall IS risk in the system. As it is known, there is a certain acceptable level of IS risk assigned by experts for a particular information system; in case of reliability being a risk-forming factor maintaining an acceptable risk level should be carried out by the routine analysis of the condition of CISS and its elements and their timely service. The article presents a reliability parameter calculation for the CISS with a mixed type of element connection, a formula of the dynamics of such system reliability is written. The chart of CISS reliability change is a S-shaped curve which can be divided into 3 periods: almost invariable high level of reliability, uniform reliability reduction, almost invariable low level of reliability. Setting the minimum acceptable level of reliability, the graph (or formula) can be used to determine the period of time during which the system would meet requirements. Ideally, this period should not be longer than the first period of the graph. Thus, the proposed method of calculating the CISS maintenance frequency helps to solve a voluminous and critical task of the information assets risk management.
Companies and organizations world-wide depend more and more on IT infrastructure and operations. Computer systems store vital information and sensitive data; computing services are essential for main business processes. This high dependency comes with a number of security risks, which have to be managed correctly on technological, organizational and human levels. Addressing the human aspects of information security often boils down just to procedures, training and awareness raising. On the other hand, employees and collaborators do not adopt security attitude and habits simply when told to do so – a real change in behaviour requires an established security culture. But how to introduce a security culture? This thesis outlines the need of developing or improving security culture, and discusses how this can be done. The proposed approach is to gradually build security knowledge and awareness, and influence behaviours. The way to achieve this is to make security communication pervasive by embedding security me...
Ndungu , Maryanne; Kandel, Sushila
In today's globally interconnected economy, information security has become one of the most complex issues of concern at the world's leading organizations. The capital value of information is significantly increasing and forming a large part of the shareholder value due to increased dependence on information. Organizations that want to achieve competitive advantage amongst other goals have information security at the centre of their concerns. It is now evident that information is a busin...
One topic that is beginning to influence the systems that support these goals is that of Information Technology (IT) Security. Unsecure systems are vulnerable to increasing attacks and other negative consequences; sponsoring agencies are correspondingly responding with more refined policies and more stringent security requirements. These affect how EO systems can meet the goals of data and service interoperability and harmonization through open access, transformation and visualization services. Contemporary systems, including the vision of a system-of-systems (such as GEOSS, the Global Earth Observation System of Systems), utilize technologies that support a distributed, global, net-centric environment. These types of systems have a high reliance on the open systems, web services, shared infrastructure and data standards. The broader IT industry has developed and used these technologies in their business and mission critical systems for many years. Unfortunately, the IT industry, and their customers have learned the importance of protecting their assets and resources (computing and information) as they have been forced to respond to an ever increasing number and more complex illegitimate “attackers”. This presentation will offer an overview of work done by the CEOS WGISS organization in summarizing security threats, the challenges to responding to them and capturing the current state of the practice within the EO community.
Iureva, R. A.; Andreev, Y. S.; Iuvshin, A. M.; Timko, A. S.
In several years, technologies and systems based on the Internet of things (IoT) will be widely used in all smart factories. When processing a huge array of unstructured data, their filtration and adequate interpretation are a priority for enterprises. In this context, the correct representation of information in a user-friendly form acquires special importance, for which the market today presents advanced analytical platforms designed to collect, store and analyze data on technological processes and events in real time. The main idea of the paper is the statement of the information security problem in IoT and integrity of processed information.
Mohsen Shafiei Nikabadi
Full Text Available : The major purpose of this article was that how information security management has effect on supply chain integration and the effect of implementing "information security management system" on enhancing supplies chain integration. In this respect, current research was seeking a combination overview to these tow approaches (Information Security Management and Organizational Processes Integration by Enterprise Resources Planning System and after that determined factors of these two important issue by factor analysis. Researchers using a series of comments in the automotive experts (production planning and management and supply chain experts and caregivers car makers and suppliers in the first level and second level supply chain industry. In this way, it has been done that impact on how information security management processes enterprise supply chain integration with the help of statistical correlation analysis. The results of this investigation indicated effect of "information security management system" various dimensions that were coordination of information, prevent human errors and hardware, the accuracy of information and education for users on two dimensions of internal and external integration of business processes, supply chain and finally, it can increased integration of business processes in supply chain. At the end owing to quite these results, deployment of "information security management system" increased the integration of organizational processes in supply chain. It could be demonstrate with the consideration of relation of organizational integration processes whit the level of coordination of information, prevent errors and accuracy of information throughout the supply chain.
Business process management systems play a central role in supporting the business operations of medium and large organizations. Because of this the security characteristics of these systems are becoming very important. The present paper describes the BWS architecture used to implement the open process aware information system DocuMentor. Using the proposed platform, the article identifies the security characteristics of such systems, shows the correlation between these characteristics and th...
... 6 Domestic Security 1 2010-01-01 2010-01-01 false Security of systems of records. 5.31 Section 5.31 Domestic Security DEPARTMENT OF HOMELAND SECURITY, OFFICE OF THE SECRETARY DISCLOSURE OF RECORDS AND INFORMATION Privacy Act § 5.31 Security of systems of records. (a) In general. Each component...
... 39 Postal Service 1 2010-07-01 2010-07-01 false Information security standards. 267.4 Section 267... INFORMATION § 267.4 Information security standards. (a) The Postal Service will operate under a uniform set of information security standards which address the following functional aspects of information flow and...
Zhuang Yongzhi; Zhao Jinzao
Objective: To design a security scheme of radiotherapy planning administration system. Methods: Power Builder 9i language was used to program the system through the model of client-server machine. Oracle 9i was used as the database server. Results In this system, user registration management, user login management, application-level functions of control, database access control, and audit trail were designed to provide system security. Conclusions: As a prototype for the security analysis and protection of this scheme provides security of the system, application system, important data and message, which ensures the system work normally. (authors)
Grigory Grigorievich Novikov
Full Text Available The main reason of the article is how to use one of new fuzzy search method for information security of business or some other purposes. So many sensitive information leaks are through non-classified documents legal publishing. That’s why many intelligence services like to use the “mosaic” information collection method so much: This article is about how to prevent it.
... 48 Federal Acquisition Regulations System 6 2010-10-01 2010-10-01 true Security requirements for unclassified information technology (IT) resources. 1804.470 Section 1804.470 Federal Acquisition Regulations... Classified Information Within Industry 1804.470 Security requirements for unclassified information technology...
...) Systems, and 33-2, Information Protection. This instruction prescribes the requirements, responsibilities and procedures for the security program for the Strategic Automated Command Control System-Data Transmission Subsystem (SACCS-DTS...
This system design description (SDD) addresses the Cold Vacuum Drying (CVD) Facility security system. The system's primary purpose is to provide reasonable assurance that breaches of security boundaries are detected and assessment information is provided to protective force personnel. In addition, the system is utilized by Operations to support reduced personnel radiation goals and to provide reasonable assurance that only authorized personnel are allowed to enter designated security areas
Full Text Available The need for building the national statistical system (NSS as the framework for coordination of statistical works is substantiated. NSS is defined on the basis of system approach. It is emphasized that the essential conditions underlying NSS are strategic planning, reliance on internationally adopted methods and due consideration to country-specific environment. The role of the state coordination policy in organizing statistical activities in the NSS framework is highlighted, key objectives of the integrated national policy on coordination of statistical activities are given. Threats arising from non-existence of NSS in a country are shown: “irregular” pattern of statistical activities, resulting from absence of common legal, methodological and organizational grounds; high costs involved in the finished information product in parallel with its low quality; impossibility of administering the statistical information security in a coherent manner, i. e. keeping with the rules on confidentiality of data, preventing intentional distortion of information and keeping with the rules of treatment with data making the state secret. An extensive review of NSS functional objectives is made: to ensure the system development of the official statistics; to ensure confidentiality and protection of individual data; to establish interdepartmental mechanisms for control and protection of secret statistical information; to broaden and regulate the access to statistical data and their effective use. The need for creating the National Statistical Commission is grounded.
Updated annually, the Information Security Management Handbook, Sixth Edition, Volume 7 is the most comprehensive and up-to-date reference available on information security and assurance. Bringing together the knowledge, skills, techniques, and tools required of IT security professionals, it facilitates the up-to-date understanding required to stay one step ahead of evolving threats, standards, and regulations. Reporting on the latest developments in information security and recent changes to the (ISC)2(R) CISSP Common Body of Knowledge (CBK(R)), this volume features 27 new chapters on topics
Full Text Available The purpose of the article is to determine the place, the role and features of cybernetic security and improve the business intelligence scheme in the system of diagnosing economic security of the enterprise. It had been found out that: 1 the term “cybernetic security of an enterprise” should be understood as the state of the protection of the cybernetic space of the whole enterprise or individual objects of its information infrastructure (computer system, computer data, etc. from the risk of external cybernetic influence, which ensures their sustainable development and the formation of prospects, as well as timely detection, prevention and neutralization of real and potential cybernetic interruptions and threats to the interests of the enterprise; 2 the main components of cybernetic security in the system of diagnostics of economic security of the enterprise are: investigation of information and telecommunication systems and cryptosystems of the opposing sides; cybernetic effects; protection of information sphere. It was established that the main task of business intelligence in the system of diagnosing economic security of the enterprise is the verification of the reliability of business information, the provision of cybernetic protection of information resources, information and communication technologies and systems and the elimination of the possibility of misinformation of senior management by the managers of the middle level, suppliers, marketing intermediaries, clientele, competitors or contact audiences of the enterprise. The prospect of further research in this direction is the development of a system of goals of the polycriterial diagnostics of the activity (economic diagnostics of the enterprise (on the basis of the isolation and systematization of its diagnostic purposes, taking into account the presented results of the study.
The availability and security of many services we rely upon-including water treatment, electricity, healthcare, transportation, and financial transactions-are routinely put at risk by cyber threats. The Handbook of SCADA/Control Systems Security is a fundamental outline of security concepts, methodologies, and relevant information pertaining to the supervisory control and data acquisition (SCADA) systems and technology that quietly operate in the background of critical utility and industrial facilities worldwide. Divided into five sections, the book examines topics comprising functions within
Mishra, Raghavendra; Barnwal, Amit Kumar
The Telecare medical information system (TMIS) presents effective healthcare delivery services by employing information and communication technologies. The emerging privacy and security are always a matter of great concern in TMIS. Recently, Chen at al. presented a password based authentication schemes to address the privacy and security. Later on, it is proved insecure against various active and passive attacks. To erase the drawbacks of Chen et al.'s anonymous authentication scheme, several password based authentication schemes have been proposed using public key cryptosystem. However, most of them do not present pre-smart card authentication which leads to inefficient login and password change phases. To present an authentication scheme with pre-smart card authentication, we present an improved anonymous smart card based authentication scheme for TMIS. The proposed scheme protects user anonymity and satisfies all the desirable security attributes. Moreover, the proposed scheme presents efficient login and password change phases where incorrect input can be quickly detected and a user can freely change his password without server assistance. Moreover, we demonstrate the validity of the proposed scheme by utilizing the widely-accepted BAN (Burrows, Abadi, and Needham) logic. The proposed scheme is also comparable in terms of computational overheads with relevant schemes.
Vitaly Eduardovich Dorokhov
Full Text Available The article deals with accounting reputational risks arising through information security breaches in the management of a business entity. Security breach incidents which results to the loss of reputation are identified. Based on this analysis the definition of reputational risk in information security is given.
... security and privacy issues pertaining to federal computer systems. Details regarding the ISPAB's... Information Security and Privacy Advisory Board AGENCY: National Institute of Standards and Technology, Commerce. ACTION: Notice. SUMMARY: The Information Security and Privacy Advisory Board (ISPAB) will meet...
Szmoski, R.M.; Ferrari, F.A.S. [Department of Physics, Universidade Estadual de Ponta Grossa, 84030-900, Ponta Grossa (Brazil); Pinto, S.E. de S, E-mail: email@example.com [Department of Physics, Universidade Estadual de Ponta Grossa, 84030-900, Ponta Grossa (Brazil); Baptista, M.S. [Institute for Complex Systems and Mathematical Biology, SUPA, University of Aberdeen, Aberdeen (United Kingdom); Viana, R.L. [Department of Physics, Universidade Federal do Parana, 81531-990, Curitiba, Parana (Brazil)
There is a broad area of research to ensure that information is transmitted securely. Within this scope, chaos-based cryptography takes a prominent role due to its nonlinear properties. Using these properties, we propose a secure mechanism for transmitting data that relies on chaotic networks. We use a nonlinear on–off device to cipher the message, and the transfer entropy to retrieve it. We analyze the system capability for sending messages, and we obtain expressions for the operating time. We demonstrate the system efficiency for a wide range of parameters. We find similarities between our method and the reservoir computing.
... 32 National Defense 6 2010-07-01 2010-07-01 false Information Security Oversight Committee. 2700... MICRONESIAN STATUS NEGOTIATIONS SECURITY INFORMATION REGULATIONS Implementation and Review § 2700.51 Information Security Oversight Committee. The OMSN Information Security Oversight Committee shall be chaired...
The Idea and background to the study subject lies in the interest in security, leadership and organizational development. The research question was how to provide best practices to fit these all together in harmony. The objective was to help small and medium sized organizations to understand the multifaceted nature of cybersecurity and requirements for successful implementation of information security management system (ISMS). ISMS help companies to form the needed security structures in pra...
Information Security Architecture, Second Edition incorporates the knowledge developed during the past decade that has pushed the information security life cycle from infancy to a more mature, understandable, and manageable state. It simplifies security by providing clear and organized methods and by guiding you to the most effective resources available.
Miloslavskaya , Natalia; Senatorov , Mikhail; Tolstoy , Alexandr; Zapechnikov , Sergei
Part 1: WISE 8; International audience; The experience of preparing for the "Business Continuity and Information Security Maintenance" (BC&ISM) Masters’ program implementation and realization at the "Information Security of Banking Systems" Department of the National Research Nuclear University MEPhI (NRNU MEPhI, Moscow, Russia) is presented. Justification of the educational direction choice for BC&ISM professionals is given. The model of IS Master being trained on this program is described. ...
Information Security Maturity Model
To ensure security, it is important to build-in security in both the planning and the design phases andadapt a security architecture which makes sure that regular and security related tasks, are deployedcorrectly. Security requirements must be linked to the business goals. We identified four domains thataffect security at an organization namely, organization governance, organizational culture, thearchitecture of the systems, and service management. In order to identify and explore the strengt...
Growing information security cases and scope illustrate that the relevance of information security issues becomes critical and present information security means are not sufficient enough to manage information security. Narrow comprehension of information security merely as technological problem is broadened by the research results of economic, managerial, psychological, legal and other related aspects’ influence to information security. Information is named as the object of information s...
The contractor will research and further develop the technology supporting an agent-based architecture for an information security system and a formal framework to specify a model of distributed knowledge...
Security threat assessment of the Internet security system has become a greater concern in recent years because of the progress and diversification of information technology. Traditionally, the failure probabilities of bottom events of an Internet security system are treated as exact values when the failure probability of the entire system is estimated. However, security threat assessment when the malfunction data of the system's elementary event are incomplete--the traditional approach for calculating reliability--is no longer applicable. Moreover, it does not consider the failure probability of the bottom events suffered in the attack, which may bias conclusions. In order to effectively solve the problem above, this paper proposes a novel technique, integrating attack tree and vague sets for security threat assessment. For verification of the proposed approach, a numerical example of an Internet security system security threat assessment is adopted in this paper. The result of the proposed method is compared with the listing approaches of security threat assessment methods.
Damiani, Ernesto; El Ioini, Nabil
Open Source Advances in Computer Applications book series provides timely technological and business information for: Enabling Open Source Systems (OSS) to become an integral part of systems and devices produced by technology companies; Inserting OSS in the critical path of complex network development and embedded products, including methodologies and tools for domain-specific OSS testing (lab code available), plus certification of security, dependability and safety properties for complex systems; Ensuring integrated systems, including OSS, meet performance and security requirements as well as achieving the necessary certifications, according to the overall strategy of OSS usage on the part of the adopter
Muhammad Qaiser Saleem; Jafreezal Jaafar; Mohd Fadzil Hassan
Currently most of the enterprises are using SOA and web services technologies to build their web information system. They are using MDA principles for design and development of WIS and using UML as a modelling language for business process modelling. Along with the increased connectivity in SOA environment, security risks rise exponentially. Security is not defined during the early phases of development and left onto developer. Properly configuring security requirements in SOA applications is...
Douglas P. Twitchell
Full Text Available A major portion of government and business organizationsâ€™ attempts to counteract information security threats is teams of security personnel.Â These teams often consist of personnel of diverse backgrounds in specific specialties such as network administration, application development, and business administration, resulting in possible conflicts between security, functionality, and availability.Â This paper discusses the use of games to teach and research information security teams and outlines research to design and build a simple, team-oriented, configurable, information security game. It will be used to study how information security teams work together to defend against attacks using a multi-player game, and to study the use of games in training security teams.Â Studying how information security teams work, especially considering the topic of shared-situational awareness, could lead to better ways of forming, managing, and training teams.Â Studying the effectiveness of the game as a training tool could lead to better training for security teams.Â
Kim, Yong-Woon; Cho, Namin; Jang, Hye-Jung
Information technology involves a risk of privacy violation in providing easy access to confidential information,such as personal information and medical information through the Internet. In this study, we investigated medical information security to gain a better understanding of trends in research related to medical information security. We researched papers published on '의료정보' and 'medical information' in various Korean journals during a 10-year period from 2005 to 2015. We also analyzed these journal papers for each fiscal year; these papers were categorized into the areas of literature research and empirical research, and were further subdivided according to themes and subjects. It was confirmed that 48 papers were submitted to 35 academic journals. There were 33 (68.8%) literature review articles, and analysis of secondary data was not carried out at all. In terms of empirical research, 8 (16.7%) surveys and 7 (14.6%) program developments were studied. As a result of analyzing these papers according to the research theme by research method, 17 (35.4%) papers on laws, systems, and policies were the most numerous. It was found that among the literature research papers on medical personnel were the most common, and among the empirical research papers, research on experts in information protection and medical personnel were the most common. We suggest that further research should be done in terms of social perception, human resource development, and technology development to improve risk management in medical information systems.
Bagheri, Nasoor; Knudsen, Lars Ramkilde; Naderi, Majid
Information theoretic security is an important security notion in cryptography as it provides a true lower bound for attack complexities. However, in practice attacks often have a higher cost than the information theoretic bound. In this paper we study the relationship between information theoretic...
This handbook is a quick reference guide to some of the most important points of the London 2012 information security policy. This information security handbook outlines the policies that all staff, secondees, volunteers and certain third parties who process LOCOG information must comply with.
Kim, Kee-Won; Lee, Jae-Dong
The telecare medical information systems (TMISs) support convenient and rapid health-care services. A secure and efficient authentication scheme for TMIS provides safeguarding patients' electronic patient records (EPRs) and helps health care workers and medical personnel to rapidly making correct clinical decisions. Recently, Kumari et al. proposed a password based user authentication scheme using smart cards for TMIS, and claimed that the proposed scheme could resist various malicious attacks. However, we point out that their scheme is still vulnerable to lost smart card and cannot provide forward secrecy. Subsequently, Das and Goswami proposed a secure and efficient uniqueness-and-anonymity-preserving remote user authentication scheme for connected health care. They simulated their scheme for the formal security verification using the widely-accepted automated validation of Internet security protocols and applications (AVISPA) tool to ensure that their scheme is secure against passive and active attacks. However, we show that their scheme is still vulnerable to smart card loss attacks and cannot provide forward secrecy property. The proposed cryptanalysis discourages any use of the two schemes under investigation in practice and reveals some subtleties and challenges in designing this type of schemes.
I. A. Zikratov
Full Text Available This paper focuses on aspects of information security for group of mobile robotic systems with swarm intellect. The ways for hidden attacks realization by the opposing party on swarm algorithm are discussed. We have fulfilled numerical modeling of potentially destructive information influence on the ant shortest path algorithm. We have demonstrated the consequences of attacks on the ant algorithm with different concentration in a swarm of subversive robots. Approaches are suggested for information security mechanisms in swarm robotic systems, based on the principles of centralized security management for mobile agents. We have developed the method of forming a self-organizing information security management system for robotic agents in swarm groups implementing POM (Police Office Model – a security model based on police offices, to provide information security in multi-agent systems. The method is based on the usage of police station network in the graph nodes, which have functions of identification and authentication of agents, identifying subversive robots by both their formal characteristics and their behavior in the swarm. We have suggested a list of software and hardware components for police stations, consisting of: communication channels between the robots in police office, nodes register, a database of robotic agents, a database of encryption and decryption module. We have suggested the variants of logic for the mechanism of information security in swarm systems with different temporary diagrams of data communication between police stations. We present comparative analysis of implementation of protected swarm systems depending on the functioning logic of police offices, integrated in swarm system. It is shown that the security model saves the ability to operate in noisy environments, when the duration of the interference is comparable to the time necessary for the agent to overcome the path between police stations.
This is the first book to provide an in-depth coverage of all the developments, issues and challenges in secure databases and applications. It provides directions for data and application security, including securing emerging applications such as bioinformatics, stream information processing and peer-to-peer computing. Divided into eight sections, each of which focuses on a key concept of secure databases and applications, this book deals with all aspects of technology, including secure relational databases, inference problems, secure object databases, secure distributed databases and emerging
... 39 Postal Service 1 2010-07-01 2010-07-01 false National Security Information. 267.5 Section 267.5... § 267.5 National Security Information. (a) Purpose and scope. The purpose of this section is to provide regulations implementing Executive Order 12356 National Security Information (hereinafter referred to as the...
Mohd Alwi, Najwa Hayaati
The motivation to conduct this research has come from awareness that the Internet exposes the e-learning environment to information security threats and vulnerabilities. Information security management as practised as a top down approach in many organisations tend to detach of people’s responsibility in ensuring the security of e-learning. Literature has pointed out that people’s behaviour required to be addressed to control the information security threats. This research proposes an ISM huma...
Hartel, Pieter H.; Suryana Herman, Nanna; Leukfeldt, E.R.; Stol, W.Ph.
Information security is all about the protection of digital assets, such as digital content, personal health records, state secrets etc. These assets can be handled by a party who is authorised to access and control the asset or a party who is not authorised to do so. Authorisation determines who is
This research paper presentation will feature current frameworks to addressing risk and security modeling and metrics. The paper will analyze technical level risk and security metrics of Common Criteria/ISO15408, Centre for Internet Security guidelines, NSA configuration guidelines and metrics used at this level. Information IT operational standards view on security metrics such as GMITS/ISO13335, ITIL/ITMS and architectural guidelines such as ISO7498-2 will be explained. Business process level standards such as ISO17799, COSO and CobiT will be presented with their control approach to security metrics. Top level, the maturity standards such as SSE-CMM/ISO21827, NSA Infosec Assessment and CobiT will be explored and reviewed. For each defined level of security metrics the research presentation will explore the appropriate usage of these standards. The paper will discuss standards approaches to conducting the risk and security metrics. The research findings will demonstrate the need for common baseline for both risk and security metrics. This paper will show the relation between the attribute based common baseline and corporate assets and controls for risk and security metrics. IT will be shown that such approach spans over all mentioned standards. The proposed approach 3D visual presentation and development of the Information Security Model will be analyzed and postulated. Presentation will clearly demonstrate the benefits of proposed attributes based approach and defined risk and security space for modeling and measuring.
The purpose of the Optimal AIDE Security Information Search (OASIS) effort was to investigate and prototype a tool that can assist the network security analyst in collecting useful information to defend the networks they manage...
... 32 National Defense 6 2010-07-01 2010-07-01 false Information Security Oversight Committee. 2103... BE DECLASSIFIED Implementation and Review § 2103.51 Information Security Oversight Committee. The NCS Information Security Oversight Committee shall be chaired by the Staff Counsel of the National Security...
... 12 Banks and Banking 6 2010-01-01 2010-01-01 false Security of systems of records. 792.67 Section... AND PRIVACY ACT, AND BY SUBPOENA; SECURITY PROCEDURES FOR CLASSIFIED INFORMATION The Privacy Act § 792.67 Security of systems of records. (a) Each system manager, with the approval of the head of that...
Thunem, Atoosa P-J.
Rapid application growth of complex Information and Communication Technologies (ICT) in every society and state infrastructure as well as industry has revealed vulnerabilities that eventually have given rise to serious security breaches. These vulnerabilities together with the course of the breaches from cause to consequence are gradually about to convince the field experts that ensuring the security of ICT-driven systems is no longer possible by only relying on the fundaments of computer science, IT, or telecommunications. Appropriating knowledge from other disciplines is not only beneficial, but indeed very necessary. At the same time, it is a common observation today that ICT-driven systems are used everywhere, from the nuclear, aviation, commerce and healthcare domains to camera-equipped web-enabled cellular phones. The increasing interdisciplinary and inter-sectoral aspects of ICT security worldwide have been providing updated and useful information to the nuclear domain, as one of the emerging users of ICT-driven systems. Nevertheless, such aspects have also contributed to new and complicated challenges, as ICT security for the nuclear domain is in a much more delicate manner than for any other domains related to the concept of safety, at least from the public standpoint. This report addresses some important aspects of ICT security that need to be considered at nuclear facilities. It deals with ICT security and the relationship between security and safety from a rather different perspective than usually observed and applied. The report especially highlights the influence on the security of ICT-driven systems by all other dependability factors, and on that basis suggests a framework for ICT security profiling, where several security profiles are assumed to be valid and used in parallel for each ICT-driven system, sub-system or unit at nuclear facilities. The report also covers a related research topic of the Halden Project with focus on cyber threats and
Arakelyan, E. K.; Andryushin, A. V.; Mezin, S. V.; Kosoy, A. A.; Kalinina, Ya V.; Khokhlov, I. S.
The principle of interaction of the specified systems of technological protections by the Automated process control system (APCS) and information safety in case of incorrect execution of the algorithm of technological protection is offered. - checking the correctness of the operation of technological protection in each specific situation using the functional relationship between the monitored parameters. The methodology for assessing the economic feasibility of developing and implementing an information security system.
... information security and privacy issues pertaining to federal computer systems. Details regarding the ISPAB's... of the Information Security and Privacy Advisory Board AGENCY: National Institute of Standards and Technology, Commerce. ACTION: Notice. SUMMARY: The Information Security and Privacy Advisory Board (ISPAB...
Embedded real-time systems have been adopted in a wide range of safety-critical applications—including automotive, avionics, and train control systems—where the focus has long been on safety (i.e., protecting the external world from the potential damage caused by the system) rather than security (i.......e., protecting the system from the external world). With increased connectivity of these systems to external networks the attack surface has grown, and consequently there is a need for securing the system from external attacks. Introducing security protocols in safety critical systems requires careful...... in this direction is to extend saturation-based techniques so that enough state information can be modelled and analysed. Finally, we present a methodology for proving the same security properties in the computational model, by means of typing protocol implementations....
... 32 National Defense 6 2010-07-01 2010-07-01 false Information Security Program Review. 2400.45... SECURITY PROGRAM Office of Science and Technology Policy Information Security Program Management § 2400.45 Information Security Program Review. (a) The Director, OSTP, shall require an annual formal review of the OSTP...
Fukaya, Kiyoyuki; Komoda, Norihisa
Accompanying the spread of Internet and the change of business models, electronic commerce expands buisness areas. Electronic finance commerce becomes popular and especially online security tradings becoome very popular in this area. This online securitiy tradings have some good points such as less mistakes than telephone calls. In order to expand this online security tradings, the transfer of the security paper is one the largest problems to be solved. Because it takes a few days to transfer the security paper from a seller to a buyer. So the dematerialization of security papers is one of the solutions. The demterilization needs the information systems for setteling security. Some countries such as France, German, United Kingdom and U.S.A. have been strating the dematerialization projects. The legacy assesments on these projects focus from the viewpoint of the legal schemes only and there is no assessment from system architectures. This paper focuses on the information system scheme and valuates these dematerlization projects by AHP methods from the viewpoints of “dematerializaion of security papers", “speed of transfer", “usefulness on the system" and “accumulation of risks". This is the first case of valuations on security settlements systems by AHP methods, especially four counties’ systems.
Hartel, Pieter H.; Junger, Marianne; Wieringa, Roelf J.
Cyber-crime Science is an emerging area of study aiming to prevent cyber-crime by combining security protection techniques from Information Security with empirical research methods used in Crime Science. Information security research has developed techniques for protecting the confidentiality,
... 2700-AD61 NASA Information Security Protection AGENCY: National Aeronautics and Space Administration..., projects, plans, or protection services relating to the national security; or (h) The development... implement the provisions of Executive Order (E.O.) 13526, Classified National Security Information, and...
Full Text Available Cooperation of suppliers of raw materials, semi-finished products, finished products, wholesalers, retailers in the form of the supply chain, as well as outsourcing of specialized logistics service require ensuring adequate support of information. It concerns the use of appropriate computer tools. The security of information in such conditions of collaboration becomes the important problem for parties of contract. The objective of the paper is to characterize main issues relating to security of information in logistics cooperation.
... 49 Transportation 1 2010-10-01 2010-10-01 false Information Security Review Committee. 8.9 Section.../DECLASSIFICATION/ACCESS Classification/Declassification of Information § 8.9 Information Security Review Committee. (a) There is hereby established a Department of Transportation Information Security Review Committee...
How do you, as a busy security executive or manager, stay current with evolving issues, familiarize yourself with the successful practices of your peers, and transfer this information to build a knowledgeable, skilled workforce the times now demand? With Security Leader Insights for Information Protection, a collection of timeless leadership best practices featuring insights from some of the nation's most successful security practitioners, you can. This book can be used as a quick and effective resource to bring your security staff up to speed on security's role in information protection. I
Full Text Available A new type of student information management system is designed to implement student information identification and management based on fingerprint identification. In order to ensure the security of data transmission, this paper proposes a data encryption method based on an improved AES algorithm. A new S-box is cleverly designed, which can significantly reduce the encryption time by improving ByteSub, ShiftRow, and MixColumn in the round transformation of the traditional AES algorithm with the process of look-up table. Experimental results show that the proposed algorithm can significantly improve the encryption time compared with the traditional AES algorithm.
Report #2006-P-00019, March 28, 2006. OSWER’s implemented practices to ensure production servers were being monitored for known vulnerabilities and personnel with significant security responsibility completed the Agency’s recommended security training.
Brey, Philip A.E.; Petkovic, Milan; Jonker, Willem
This chapter reviews ethical aspects of computer and information security and privacy. After an introduction to ethical approaches to information technology, the focus is first on ethical aspects of computer security. These include the moral importance of computer security, the relation between
... Commerce and the Director of NIST on security and privacy issues pertaining to federal computer systems... Information Security and Privacy Advisory Board AGENCY: National Institute of Standards and Technology, Department of Commerce. ACTION: Notice. SUMMARY: The Information Security and Privacy Advisory Board (ISPAB...
Wayne F. Boyer; Scott A. McBride
This document provides information for a report to congress on Smart Grid security as required by Section 1309 of Title XIII of the Energy Independence and Security Act of 2007. The security of any future Smart Grid is dependent on successfully addressing the cyber security issues associated with the nation’s current power grid. Smart Grid will utilize numerous legacy systems and technologies that are currently installed. Therefore, known vulnerabilities in these legacy systems must be remediated and associated risks mitigated in order to increase the security and success of the Smart Grid. The implementation of Smart Grid will include the deployment of many new technologies and multiple communication infrastructures. This report describes the main technologies that support Smart Grid and summarizes the status of implementation into the existing U.S. electrical infrastructure.
Sandia National Laboratories developed an Authenticated Secure Container System (ASCS) for the International Atomic Energy Agency (IAEA). Agency standard weights and safeguards samples can be stored in the ASCS to provide continuity of knowledge. The ASCS consists of an optically clear cover, a base containing the Authenticated Item Monitoring System (AIMS) transmitter, and the AIMS receiver unit for data collection. The ASCS will provide the Inspector with information concerning the status of the system, during a surveillance period, such as state of health, tampering attempts, and movement of the container system. The secure container is located inside a Glove Box with the receiver located remotely from the Glove Box. AIMS technology uses rf transmission from the secure container to the receiver to provide a record of state of health and tampering. The data is stored in the receiver for analysis by the Inspector during a future inspection visit. 2 refs
Full Text Available Diversity of command languages on network security solutions’ (NSS interfaces causes problems in a process of information security policy (ISP deployment. Unified model for security policy representation and implementation in NSS could aid to avoid such problems and consequently enhance efficiency of the process. The proposed solution is Unified language for network security policy (ULNSP. The language is based on formal languages theory, and being coupled with its translator, ULNSP makes it possible to formalize and implement ISP independently of particular NSS.
The Department of Homeland Security’s Control Systems Security Program (CSSP) is working with industry to secure critical infrastructure sectors from cyber intrusions that could compromise control systems. This document describes CSSP’s current activities with industry organizations in developing cyber security standards for control systems. In addition, it summarizes the standards work being conducted by organizations within the sector and provides a brief listing of sector meetings and conferences that might be of interest for each sector. Control systems cyber security standards are part of a rapidly changing environment. The participation of CSSP in the development effort for these standards has provided consistency in the technical content of the standards while ensuring that information developed by CSSP is included.
The need for data security in Information and Communications Technology (ICT) can not be overemphasized. In this paper, the use of symmetric and asymmetric key cryptographies to clearly achieve the required protection by means of prime number system and modular multiplicative inverse has been highlighted and ...
Grossklags, Jens; Johnson, Benjamin; Christin, Nicolas
This paper presents a formal, quantitative evaluation of the impact of bounded-rational security decision-making subject to limited information and externalities. We investigate a mixed economy of an individual rational expert and several naïve near-sighted agents. We further model three canonical types of negative externalities (weakest-link, best shot and total effort), and study the impact of two information regimes on the threat level agents are facing.
Михаил Иванович Бочаров
Full Text Available In the article the questions of the optimization of the contents of education and the processes of its formation and renewal in dynamically developed subject areas are considered. As an example training process of information security according to suggested by the models of the vital cycle of knowledges system of continuing education is investigated.
... Security, consistent with Federal policies for the security of unclassified information and information... Certification Program, and provide a Web site link within a contract clause to a library where contractors can... Security should be addressed through government-wide policies, standards, and requirements. NASA response...
Chick, Morey J.
The first of two articles on the nature of the growing problem of automated information systems security, especially in the federal government, this article presents a brief history of the problem and describes the need for integrating security activities into overall policies and programs to help reduce system vulnerabilities and risks. (23…
Andriole, Katherine P
The responsibility that physicians have to protect their patients from harm extends to protecting the privacy and confidentiality of patient health information including that contained within radiological images. The intent of HIPAA and subsequent HIPAA Privacy and Security Rules is to keep patients' private information confidential while allowing providers access to and maintaining the integrity of relevant information needed to provide care. Failure to comply with electronic protected health information (ePHI) regulations could result in financial or criminal penalties or both. Protected health information refers to anything that can reasonably be used to identify a patient (eg, name, age, date of birth, social security number, radiology examination accession number). The basic tools and techniques used to maintain medical information security and patient privacy described in this article include physical safeguards such as computer device isolation and data backup, technical safeguards such as firewalls and secure transmission modes, and administrative safeguards including documentation of security policies, training of staff, and audit tracking through system logs. Other important concepts related to privacy and security are explained, including user authentication, authorization, availability, confidentiality, data integrity, and nonrepudiation. Patient privacy and security of medical information are critical elements in today's electronic health care environment. Radiology has led the way in adopting digital systems to make possible the availability of medical information anywhere anytime, and in identifying and working to eliminate any risks to patients. Copyright © 2014 American College of Radiology. Published by Elsevier Inc. All rights reserved.
While the philosophical foundations of information security have been unexamined, there is an implicit philosophy of what protection of information is. This philosophy is based on the notion of containment, taken from analogies with things that offer physical security (e.g., buildings, safes,
Most work concerning secure computer systems has dealt with the design, verification, and implementation of provably secure computer systems, or has explored ways of making existing computer systems more secure. The problem of locating security holes in existing systems has received considerably less attention; methods generally rely on thought experiments as a critical step in the procedure. The difficulty is that such experiments require that a large amount of information be available in a format that makes correlating the details of various programs straightforward. This paper describes a method of providing such a basis for the thought experiment by writing a special manual for parts of the operating system, system programs, and library subroutines.
Operating systems provide the fundamental mechanisms for securing computer processing. Since the 1960s, operating systems designers have explored how to build "secure" operating systems - operating systems whose mechanisms protect the system against a motivated adversary. Recently, the importance of ensuring such security has become a mainstream issue for all operating systems. In this book, we examine past research that outlines the requirements for a secure operating system and research that implements example systems that aim for such requirements. For system designs that aimed to
Full Text Available Payment systems play a significant role in our daily lives. They are an important driver of economic activities and a vital part of the banking infrastructure of any country. Several current payment systems focus on security and reliability but pay less attention to users’ needs and behaviors. For example, people may share their bankcards with friends or relatives to withdraw money for various reasons. This behavior can lead to a variety of privacy and security issues since the cardholder has to share a bankcard and other sensitive information such as a personal identification number (PIN. In addition, it is commonplace that cardholders may lose their cards, and may not be able to access their accounts due to various reasons. Furthermore, transferring money to an individual who has lost their bankcard and identification information is not a straightforward task. A user-friendly person-to-person payment system is urgently needed to perform secure and reliable transactions that benefit from current technological advancements. In this paper, we propose two secure fund transfer methods termed QuickCash Online and QuickCash Offline to transfer money from peer to peer using the existing banking infrastructure. Our methods provide a convenient way to transfer money quickly, and they do not require using bank cards or any identification card. Unlike other person-to-person payment systems, the proposed methods do not require the receiving entity to have a bank account, or to perform any registration procedure. We implement our QuickCash payment systems and analyze their security strengths and properties.
Alhothaily, Abdulrahman; Alrawais, Arwa; Song, Tianyi; Lin, Bin; Cheng, Xiuzhen
Payment systems play a significant role in our daily lives. They are an important driver of economic activities and a vital part of the banking infrastructure of any country. Several current payment systems focus on security and reliability but pay less attention to users’ needs and behaviors. For example, people may share their bankcards with friends or relatives to withdraw money for various reasons. This behavior can lead to a variety of privacy and security issues since the cardholder has to share a bankcard and other sensitive information such as a personal identification number (PIN). In addition, it is commonplace that cardholders may lose their cards, and may not be able to access their accounts due to various reasons. Furthermore, transferring money to an individual who has lost their bankcard and identification information is not a straightforward task. A user-friendly person-to-person payment system is urgently needed to perform secure and reliable transactions that benefit from current technological advancements. In this paper, we propose two secure fund transfer methods termed QuickCash Online and QuickCash Offline to transfer money from peer to peer using the existing banking infrastructure. Our methods provide a convenient way to transfer money quickly, and they do not require using bank cards or any identification card. Unlike other person-to-person payment systems, the proposed methods do not require the receiving entity to have a bank account, or to perform any registration procedure. We implement our QuickCash payment systems and analyze their security strengths and properties. PMID:28608846
Alhothaily, Abdulrahman; Alrawais, Arwa; Song, Tianyi; Lin, Bin; Cheng, Xiuzhen
Payment systems play a significant role in our daily lives. They are an important driver of economic activities and a vital part of the banking infrastructure of any country. Several current payment systems focus on security and reliability but pay less attention to users' needs and behaviors. For example, people may share their bankcards with friends or relatives to withdraw money for various reasons. This behavior can lead to a variety of privacy and security issues since the cardholder has to share a bankcard and other sensitive information such as a personal identification number (PIN). In addition, it is commonplace that cardholders may lose their cards, and may not be able to access their accounts due to various reasons. Furthermore, transferring money to an individual who has lost their bankcard and identification information is not a straightforward task. A user-friendly person-to-person payment system is urgently needed to perform secure and reliable transactions that benefit from current technological advancements. In this paper, we propose two secure fund transfer methods termed QuickCash Online and QuickCash Offline to transfer money from peer to peer using the existing banking infrastructure. Our methods provide a convenient way to transfer money quickly, and they do not require using bank cards or any identification card. Unlike other person-to-person payment systems, the proposed methods do not require the receiving entity to have a bank account, or to perform any registration procedure. We implement our QuickCash payment systems and analyze their security strengths and properties.
Lee, Chul Ho
This dissertation studies three incentive issues in information security management. The first essay studies contract issues between a firm that outsources security functions and a managed security service provider (MSSP) that provides security functions to the firm. Since MSSP and firms cannot observe each other's actions, both can suffer…
... Declassification of National Security Information AGENCY: National Archives and Records Administration. ACTION... classified national security information in records transferred to NARA's legal custody. The rule incorporates changes resulting from issuance of Executive Order 13526, Classified National Security Information...
A. P. Kurilo
Full Text Available The theorem of system of indicators for an estimation of the security of information processes in the computer systems is formulated and proved. A number of the signs is proved, allowing to consider set of the indicators of efficiency of counteraction to the threats of information safety of the computer systems as the system.
... NATIONAL ARCHIVES AND RECORDS ADMINISTRATION Information Security Oversight Office; National Industrial Security Program Policy Advisory Committee (NISPPAC) AGENCY: National Archives and Records... individuals planning to attend must be submitted to the Information Security Oversight Office (ISOO) no later...
Peng, Xiang; Zhang, Peng; Cai, Lilong; Niu, Hanben
A virtual-optical based encryption model with the aid of public key infrastructure (PKI) is presented in this paper. The proposed model employs a hybrid architecture in which our previously published encryption method based on virtual-optics scheme (VOS) can be used to encipher and decipher data while an asymmetric algorithm, for example RSA, is applied for enciphering and deciphering the session key(s). The whole information security model is run under the framework of international standard ITU-T X.509 PKI, which is on basis of public-key cryptography and digital signatures. This PKI-based VOS security approach has additional features like confidentiality, authentication, and integrity for the purpose of data encryption under the environment of network. Numerical experiments prove the effectiveness of the method. The security of proposed model is briefly analyzed by examining some possible attacks from the viewpoint of a cryptanalysis.
Full Text Available Internet information traffic becomes greater and moreimportant. With increasing growth of information importancerequirement for its security becomes indispensable. Theinformation security problem especially affect large and smallcompanies whose prosperity is depending on Internet presence.This affecting the three areas of Internet commerce: credit cardtransactions, virtual private networks and digital certification.To ensure information traffic it is necessary to find a solution,in a proper way, for three major problems: frontier problem,market problem and government problem. While the eventualemergence of security standards for Internet transactions isexpected, it will not automatically result in secure Internettransactions. In future, there is a wealth of security issues thatwill continue to require attention: internal security, continuedhacking, social engineering, malicious code, reliability andperformance, skills shortages and denial of se1vice attacks.
A. Yu. Bykov
Full Text Available Modern practical task-solving techniques for designing information security systems in different purpose automated systems assume the solution of optimization tasks when choosing different elements of a security system. Formulations of mathematical programming tasks are rather often used, but in practical tasks it is not always analytically possible to set target function and (or restrictions in an explicit form. Sometimes, calculation of the target function value or checking of restrictions for the possible decision can be reduced to carrying out experiments on a simulation model of system. Similar tasks are considered within optimization-simulation approach and require the ad hoc methods of optimization considering the possible high computational effort of simulation.The article offers a modified recession vector method, which is used in tasks of discrete optimization to solve the similar problems. The method is applied when the task to be solved is to minimize the cost of selected information security tools in case of restriction on the maximum possible damage. The cost index is the linear function of the Boolean variables, which specify the selected security tools, with the restriction set as an "example simulator". Restrictions can be actually set implicitly. A validity of the possible solution is checked using a simulation model of the system.The offered algorithm of a method considers features of an objective. The main advantage of algorithm is that it requires a maximum of m+1 of steps where m is a dimensionality of the required vector of Boolean variables. The algorithm provides finding a local minimum by using the Hamming metrics in the discrete space; the radius of neighborhood is equal to 1. These statements are proved.The paper presents solution results of choosing security tools with the specified basic data.
Kenneth J. Knapp
Full Text Available This study proposes using an established common body of knowledge (CBK as one means of organizing information security literature.Â Consistent with calls for more relevant information systems (IS research, this industry-developed framework can motivate future research towards topics that are important to the security practitioner.Â In this review, forty-eight articles from ten IS journals from 1995 to 2004 are selected and cross-referenced to the ten domains of the information security CBK.Â Further, we distinguish articles as empirical research, frameworks, or tutorials.Â Generally, this study identified a need for additional empirical research in every CBK domain including topics related to legal aspects of information security.Â Specifically, this study identified a need for additional IS security research relating to applications development, physical security, operations security, and business continuity.Â The CBK framework is inherently practitioner oriented and using it will promote relevancy by steering IS research towards topics important to practitioners.Â This is important considering the frequent calls by prominent information systems scholars for more relevant research.Â Few research frameworks have emerged from the literature that specifically classify the diversity of security threats and range of problems that businesses today face.Â With the recent surge of interest in security, the need for a comprehensive framework that also promotes relevant research can be of great value.
... 10 Energy 2 2010-01-01 2010-01-01 false Security of automatic data processing (ADP) systems. 95.49 Section 95.49 Energy NUCLEAR REGULATORY COMMISSION (CONTINUED) FACILITY SECURITY CLEARANCE AND SAFEGUARDING OF NATIONAL SECURITY INFORMATION AND RESTRICTED DATA Control of Information § 95.49 Security of...
Smart Cards, integrated circuits embedded into credit cards, have been proposed for many computer and physical security applications. The cards have shown promise in improving both the security and monitoring of systems ranging from computer network identification through physical protection and access control. With the increasing computational power embedded within these cards, advanced encryption techniques such as public key cryptography can now be realized, enabling more sophisticated uses
Kurnianto, Ari; Isnanto, Rizal; Widodo, Aris Puji
Information security is a problem effected business process of an organization, so it needs special concern. Information security assessment which is good and has international standard is done using Information Security Management System (ISMS) ISO/IEC 27001:2013. In this research, the high level assessment has been done using ISO/IEC 27001:2013 to observe the strength of information secuity in Ministry of Internal Affairs. The research explains about the assessment of information security management which is built using PHP. The input data use primary and secondary data which passed observation. The process gets maturity using the assessment of ISO/IEC 27001:2013. GAP Analysis observes the condition now a days and then to get recommendation and road map. The result of this research gets all of the information security process which has not been already good enough in Ministry of Internal Affairs, gives recommendation and road map to improve part of all information system being running. It indicates that ISO/IEC 27001:2013 is good used to rate maturity of information security management. As the next analyzation, this research use Clause and Annex in ISO/IEC 27001:2013 which is suitable with condition of Data Center and Data Recovery Center, so it gets optimum result and solving problem of the weakness information security.
Syed; Rahman, M.; Donahue, Shannon E.
As physical and information security boundaries have become increasingly blurry many organizations are experiencing challenges with how to effectively and efficiently manage security within the corporate. There is no current standard or best practice offered by the security community regarding convergence; however many organizations such as the Alliance for Enterprise Security Risk Management (AESRM) offer some excellent suggestions for integrating a converged security program. This paper rep...
Full Text Available With the development of information and communication technologies, issues of providing information security are becoming more and more aggravated. These are crimes related to the use of electronic computers, systems and computer networks and telecommunication networks, the propaganda of separatism and extremism, etc. While providing information security in the digital environment, the role of technical and legal human rights guarantees, due to technical means of protection, is increasing. Relying on the developers of technical means of protection determines the difference between the aforesaid concepts and the traditional approach to ensuring the protection of human and citizen rights, in which responsibilities are put on information intermediaries, owners of confidential information. Technical guarantees of human rights are a necessary component of ensuring information security, but the effectiveness of the application is provided in conjunction with the legal guarantees of human rights, as evidenced by the tendency to recognize the principles of inviolability of privacy on the basis of design decisions in the law of the European Union as legal acts. Providing information security is a legitimate goal of establishing constraints of human rights, since it can be correlated with the norms of international law. The establishment of constraints of human rights is permissible in order to attain other objectives–ensuring state security, public order, health, rights and freedoms of the person in the information sphere. The legitimacy of this goal is determined by its compliance with the objectives envisaged by international agreements ratified in an established order. The article examines the impact of the use of technical means in the field of providing information security in the aspect of following the fundamental human and civil rights in Ukraine, taking into account the legislation of the European Union and the decision of the European Court
Sushko, O. P.; Kaznin, A. A.; Babkin, A. V.; Bogdanov, D. A.
The study we are conducting involves the analysis of information security levels achieved by energy providers operating in the North Arctic Region. We look into whether the energy providers’ current information security levels meet reliability standards and determine what further actions may be needed for upgrading information security in the context of the digital transformation that the world community is undergoing. When developing the information security systems for electric energy providers or selecting the protection means for them, we are governed by the fact that the assets to be protected are process technologies. While information security risk can be assessed using different methods, the evaluation of the economic damage from these risks appears to be a difficult task. The most probable and harmful risks we have identified when evaluating the electric energy providers’ information security will be used by us as variables. To provide the evaluation, it is necessary to calculate the costs relating to elimination of the risks identified. The final stage of the study will involve the development of an operation algorithm for the North Arctic Region’s energy provider’s business information protection security system - a set of information security services, and security software and hardware.
...-2011-0268] RIN 3150-AJ07 Facility Security Clearance and Safeguarding of National Security Information..., Classified National Security Information. The rule would allow licensees flexibility in determining the means... licensee security education and training programs and enhances the protection of classified information...
Liu Baoxu; Wang Xiaozhen
With the rapidly development of the computer network technology and informationize working of our Country, Network and Information Security issues becomes the focal point problem that people shows solicitude for. On the basis analysing security threat and challenge of network information and their developing trend. This paper briefly analyses and discusses the main relatively study direction and content about the theory, technology and practice of Network and Information Security. (authors)
Trent D. Nelson
Industry is aware of the need for Control System (CS) security, but in on-site assessments, Idaho National Laboratory (INL) has observed that security procedures and devices are not consistently and effectively implemented. The Department of Homeland Security (DHS), National Cyber Security Division (NCSD), established the Control Systems Security Center (CSSC) at INL to help industry and government improve the security of the CSs used in the nation's critical infrastructures. One of the main CSSC objectives is to identify control system vulnerabilities and develop effective mitigations for them. This paper discusses common problems and vulnerabilities seen in on-site CS assessments and suggests mitigation strategies to provide asset owners with the information they need to better protect their systems from common security flows.
Lewis, Nick; Campbell, Mark J.
The past decade has seen a significant rise in research on high-consequence human and animal pathogens, many now known as “select agents.” While physical security around these agents is tightly regulated, information security standards are still lagging. The understanding of the threats unique to the academic and research environment is still evolving, in part due to poor communication between the various stakeholders. Perhaps as a result, information security guidelines published by select agent regulators lack the critical details and directives needed to achieve even the lowest security level of the Federal Information Security Management Act (FISMA). While only government agencies are currently required to abide by the provisions of FISMA (unless specified as preconditions for obtaining government grants or contracts—still a relatively rare or narrowly scoped occurrence), the same strategies were recently recommended by executive order for others. We propose that information security guidelines for select agent research be updated to promulgate and detail FISMA standards and processes and that the latter be ultimately incorporated into select agent regulations. We also suggest that information security in academic and research institutions would greatly benefit from active efforts to improve communication among the biosecurity, security, and information technology communities, and from a secure venue for exchange of timely information on emerging threats and solutions in the research environment. PMID:26042864
Lewis, Nick; Campbell, Mark J; Baskin, Carole R
The past decade has seen a significant rise in research on high-consequence human and animal pathogens, many now known as "select agents." While physical security around these agents is tightly regulated, information security standards are still lagging. The understanding of the threats unique to the academic and research environment is still evolving, in part due to poor communication between the various stakeholders. Perhaps as a result, information security guidelines published by select agent regulators lack the critical details and directives needed to achieve even the lowest security level of the Federal Information Security Management Act (FISMA). While only government agencies are currently required to abide by the provisions of FISMA (unless specified as preconditions for obtaining government grants or contracts--still a relatively rare or narrowly scoped occurrence), the same strategies were recently recommended by executive order for others. We propose that information security guidelines for select agent research be updated to promulgate and detail FISMA standards and processes and that the latter be ultimately incorporated into select agent regulations. We also suggest that information security in academic and research institutions would greatly benefit from active efforts to improve communication among the biosecurity, security, and information technology communities, and from a secure venue for exchange of timely information on emerging threats and solutions in the research environment.
Mathew, Gloriya; Thomas, Shiney
User authentication is one of the most important part of information security. Computer security most commonly depends on passwords to authenticate human users. Password authentication systems will be either been usable but not secure, or secure but not usable. While there are different types of authentication systems available alphanumeric password is the most commonly used authentication mechanism. But this method has significant drawbacks. An alternative solution to the text based authenti...
Elena Vladimirovna Doynikova
Full Text Available The paper suggests an approach to the security assessment of computer networks. The approach is based on attack graphs and intended for Security Information and Events Management systems (SIEM-systems. Key feature of the approach consists in the application of the multilevel security metrics taxonomy. The taxonomy allows definition of the system profile according to the input data used for the metrics calculation and techniques of security metrics calculation. This allows specification of the security assessment in near real time, identification of previous and future attacker steps, identification of attackers goals and characteristics. A security assessment system prototype is implemented for the suggested approach. Analysis of its operation is conducted for several attack scenarios.
At present, control system security efforts are primarily technical and reactive in nature. What has been overlooked is the need for proactive efforts, focused on the IT security research community from which new threats might emerge. Evaluating cutting edge IT security research and how it is evolving can provide defenders with valuable information regarding what new threats and tools they can anticipate in the future. Only known attack methodologies can be blocked, and there is a gap between what is known to the general security community and what is being done by cutting edge researchers --both those trying to protect systems and those trying to compromise them. The best security researchers communicate with others in their field; they know what cutting edge research is being done; what software can be penetrated via this research; and what new attack techniques and methodologies are being circulated in the black hat community. Standardization of control system applications, operating systems, and networking protocols is occurring at a rapid rate, following a path similar to the standardization of modern IT networks. Many attack methodologies used on IT systems can be ported over to the control system environment with little difficulty. It is extremely important to take advantage of the lag time between new research, its use on traditional IT networks, and the time it takes to port the research over for use on a control system network. Analyzing nascent trends in IT security and determining their applicability to control system networks provides significant information regarding defense mechanisms needed to secure critical infrastructure more effectively. This work provides the critical infrastructure community with a better understanding of how new attacks might be launched, what layers of defense will be needed to deter them, how the attacks could be detected, and how their impact could be limited.
Full Text Available Video surveillance system senses and trails out all the threatening issues in the real time environment. It prevents from security threats with the help of visual devices which gather the information related to videos like CCTV’S and IP (Internet Protocol cameras. Video surveillance system has become a key for addressing problems in the public security. They are mostly deployed on the IP based network. So, all the possible security threats exist in the IP based application might also be the threats available for the reliable application which is available for video surveillance. In result, it may increase cybercrime, illegal video access, mishandling videos and so on. Hence, in this paper an intelligent model is used to propose security for video surveillance system which ensures safety and it provides secured access on video.
Gupta, Puneet; Stoller, Scott D.
Many security requirements for enterprise systems can be expressed in a natural way as high-level access control policies. A high-level policy may refer to abstract information resources, independent of where the information is stored; it controls both direct and indirect accesses to the information; it may refer to the context of a request, i.e., the request’s path through the system; and its enforcement point and enforcement mechanism may be unspecified. Enforcement of a high-level policy may depend on the system architecture and the configurations of a variety of security mechanisms, such as firewalls, host login permissions, file permissions, DBMS access control, and application-specific security mechanisms. This paper presents a framework in which all of these can be conveniently and formally expressed, a method to verify that a high-level policy is enforced, and an algorithm to determine a trusted computing base for each resource.
Shaw, R. S.; Chen, Charlie C.; Harris, Albert L.; Huang, Hui-Jou
In recent years, rapid progress in the use of the internet has resulted in huge losses in many organizations due to lax security. As a result, information security awareness is becoming an important issue to anyone using the Internet. To reduce losses, organizations have made information security awareness a top priority. The three main barriers…
O. S. Zozulya
The article analyzed the of dissertations for science «Public Administration» on the problems ensuring information security of Ukraine. According to the data system catalog Vernadsky National Library of Ukraine was found that within the limits of science «Public Administration» problems of ensuring information security were devoted only 4 work. In view of the small number of dissertations, which explored the problems of public-management of ensuring information security Ukraine, we have to ad...
While security is generally perceived to be a complicated and expensive process, Zen and the Art of Information Security makes security understandable to the average person in a completely non-technical, concise, and entertaining format. Through the use of analogies and just plain common sense, readers see through the hype and become comfortable taking very simple actions to secure themselves. Even highly technical people have misperceptions about security concerns and will also benefit from Ira Winkler's experiences making security understandable to the business world. Mr. Winkler is one of the most popular and highly rated speakers in the field of security, and lectures to tens of thousands of people a year. Zen and the Art of Information Security is based on one of his most well received international presentations.
Joshua Onome Imoniana
Full Text Available Validity is concerned with establishing evidence for the use of a method to be used with a particular set of population. Thus, when we address the issue of application of security policy models, we are concerned with the implementation of a certain policy, taking into consideration the standards required, through attribution of scores to every item in the research instrument. En today's globalized economic scenarios, the implementation of information security policy, in an information technology environment, is a condition sine qua non for the strategic management process of any organization. Regarding this topic, various studies present evidences that, the responsibility for maintaining a policy rests primarily with the Chief Security Officer. The Chief Security Officer, in doing so, strives to enhance the updating of technologies, in order to meet all-inclusive business continuity planning policies. Therefore, for such policy to be effective, it has to be entirely embraced by the Chief Executive Officer. This study was developed with the purpose of validating specific theoretical models, whose designs were based on literature review, by sampling 10 of the Automobile Industries located in the ABC region of Metropolitan São Paulo City. This sampling was based on the representativeness of such industries, particularly with regards to each one's implementation of information technology in the region. The current study concludes, presenting evidence of the discriminating validity of four key dimensions of the security policy, being such: the Physical Security, the Logical Access Security, the Administrative Security, and the Legal & Environmental Security. On analyzing the Alpha of Crombach structure of these security items, results not only attest that the capacity of those industries to implement security policies is indisputable, but also, the items involved, homogeneously correlate to each other.
Muller, George; Perkins, Casey J.; Lancaster, Mary J.; MacDonald, Douglas G.; Clements, Samuel L.; Hutton, William J.; Patrick, Scott W.; Key, Bradley Robert
Computer-implemented security evaluation methods, security evaluation systems, and articles of manufacture are described. According to one aspect, a computer-implemented security evaluation method includes accessing information regarding a physical architecture and a cyber architecture of a facility, building a model of the facility comprising a plurality of physical areas of the physical architecture, a plurality of cyber areas of the cyber architecture, and a plurality of pathways between the physical areas and the cyber areas, identifying a target within the facility, executing the model a plurality of times to simulate a plurality of attacks against the target by an adversary traversing at least one of the areas in the physical domain and at least one of the areas in the cyber domain, and using results of the executing, providing information regarding a security risk of the facility with respect to the target.
Vacca, John R
The second edition of this comprehensive handbook of computer and information security provides the most complete view of computer security and privacy available. It offers in-depth coverage of security theory, technology, and practice as they relate to established technologies as well as recent advances. It explores practical solutions to many security issues. Individual chapters are authored by leading experts in the field and address the immediate and long-term challenges in the authors' respective areas of expertise. The book is organized into 10 parts comprised of 70 contributed
V. K. Fisenko
Full Text Available Problem of information security systems certification is analyzed and the tasks of initial data analysis are carried out. The objectives, indices and decision making criteria, as well as the challenges to be addressed are formulated. It is shown that, in order to improve quality, reduce time and cost of preparation for certification, it is reasonable to use software system for automatization of the process of initial data analysis, presented by the owner of the information system.
Amer A. Al-Rawas
Full Text Available This paper is concerned with issues relating to security in the provision of information systems (IS services within a campus environment. It is based on experiences with a specific known environment; namely Sultan Qaboos University. In considering the risks and challenges that face us in the provision of IS services we need to consider a number of interwoven subject areas. These are: the importance of information to campus communities, the types of information utilised, and the risk factors that relate to the provision of IS services. Based on our discussion of the risk factors identified within this paper, we make a number of recommendations for improving security within any environment that wishes to take the matter seriously. These recommendations are classified into three main groups: general, which are applicable to the entire institution; social, aimed at the work attitudes of staff and students; and technical, addressing the skills and technologies required.
... DEPARTMENT OF HOMELAND SECURITY [Docket No. DHS-2011-0107] Homeland Security Information Network... Information Network Advisory Committee. SUMMARY: The Secretary of Homeland Security has determined that the renewal of the Homeland Security Information Network Advisory Committee (HSINAC) is necessary and in the...
Bess, Donald Arlo
Information systems are considered to be a critical and strategic part of most organizations today. Because of this it has become increasingly important to ensure that there is an effective information security program in place protecting those information systems. It has been well established by researchers that the success of an information…
OS level, Flume  has even been shown to be information flow secure through abstractions such as processes, pipes, file systems etc, while seL4 ...Andronick, D. Cock, P. Derrin, D. Elkaduwe, K. Engelhardt, R. Kolanski, M. Norrish, T. Sewell, H. Tuch, and S. Winwood. sel4 : formal verification of an
Full Text Available Information security is a problem effected business process of an organization, so it needs special concern. Information security assessment which is good and has international standard is done using Information Security Management System (ISMS ISO/IEC 27001:2013. In this research, the high level assessment has been done using ISO/IEC 27001:2013 to observe the strength of information secuity in Ministry of Internal Affairs. The research explains about the assessment of information security management which is built using PHP. The input data use primary and secondary data which passed observation. The process gets maturity using the assessment of ISO/IEC 27001:2013. GAP Analysis observes the condition now a days and then to get recommendation and road map. The result of this research gets all of the information security process which has not been already good enough in Ministry of Internal Affairs, gives recommendation and road map to improve part of all information system being running. It indicates that ISO/IEC 27001:2013 is good used to rate maturity of information security management. As the next analyzation, this research use Clause and Annex in ISO/IEC 27001:2013 which is suitable with condition of Data Center and Data Recovery Center, so it gets optimum result and solving problem of the weakness information security.
Isabel Maria Lopes
Full Text Available Information Systems Security (ISS is a relevant fact for current organizations. This paper focuses on Small and Medium Sized Enterprises (SMEs. This article aims to constitute an empirical study on the applicability of the Action Research (AR method in information systems, more specifically by assessing the adoption of an ISS policy in six SMEs, and identifying the critical success factors in adopting an ISS policy. The research question we intend to answer is to what extent this research method is adequate to reach the proposed goal. The results of the study suggest that AR is a promising means for the evaluation of ISS policies adoption. It can both act as a research method that improves the understanding about the reasons why the policy has been abandoned, and as a change method, assisting practitioners to overcome barriers and suggesting measures to be implemented.
Al-Jaljouli, Raja; Abawajy, Jemal
Mobile agents have been implemented in e-Commerce to search and filter information of interest from electronic markets. When the information is very sensitive and critical, it is important to develop a novel security protocol that can efficiently protect the information from malicious tampering as well as unauthorized disclosure or at least detect any malicious act of intruders. In this chapter, we describe robust security techniques that ensure a sound security of information gathered throughout agent’s itinerary against various security attacks, as well as truncation attacks. A sound security protocol is described, which implements the various security techniques that would jointly prevent or at least detect any malicious act of intruders. We reason about the soundness of the protocol usingSymbolic Trace Analyzer (STA), a formal verification tool that is based on symbolic techniques. We analyze the protocol in key configurations and show that it is free of flaws. We also show that the protocol fulfils the various security requirements of exchanged information in MAS, including data-integrity, data-confidentiality, data-authenticity, origin confidentiality and data non-repudiability.
Full Text Available With the rapid development of embedded systems, the systems’ security has become more and more important. Most embedded systems are at the risk of series of software attacks, such as buffer overflow attack, Trojan virus. In addition, with the rapid growth in the number of embedded systems and wide application, followed embedded hardware attacks are also increasing. This paper presents a new hardware assisted security mechanism to protect the program’s code and data, monitoring its normal execution. The mechanism mainly monitors three types of information: the start/end address of the program of basic blocks; the lightweight hash value in basic blocks and address of the next basic block. These parameters are extracted through additional tools running on PC. The information will be stored in the security module. During normal program execution, the security module is designed to compare the real-time state of program with the information in the security module. If abnormal, it will trigger the appropriate security response, suspend the program and jump to the specified location. The module has been tested and validated on the SOPC with OR1200 processor. The experimental analysis shows that the proposed mechanism can defence a wide range of common software and physical attacks with low performance penalties and minimal overheads.
Patricia A.H. Williams
Full Text Available Information governance is becoming an important aspect of organisational accountability. In consideration that information is an integral asset of most organisations, the protection of this asset will increasingly rely on organisational capabilities in security. In the medical arena this information is primarily sensitive patient-based information. Previous research has shown that application of security measures is a low priority for primary care medical practice and that awareness of the risks are seriously underestimated. Consequently, information security governance will be a key issue for medical practice in the future. Information security governance is a relatively new term and there is little existing research into how to meet governance requirements. The limited research that exists describes information security governance frameworks at a strategic level. However, since medical practice is already lagging in the implementation of appropriate security, such definition may not be practical although it is obviously desirable. This paper describes an on-going action research project undertaken in the area of medical information security, and presents a tactical approach model aimed at addressing information security governance and the protection of medical data.
... designed to protect National Security information. The report provides an authoritative compendium for lawyers, security officers and for managers of corporations who must deal with the legal and procedural aspects of security clearances...
Grimes, John G
.... The CNSS performs the vital function of mobilizing the full, interagency National Security Community for the protection of telecommunications and information systems that support U.S. national security...
... 2001.1 Concerned with reports that continuing, pervasive information security weaknesses place federal operations at significant risk of disruption, tampering, fraud, and inappropriate disclosures...
Full Text Available For many individuals and organizations, cyber-insurance is the most practical and only way of handling a major financial impact of an information security event. However, the cyber-insurance market suffers from the problem of information asymmetry, lack of product diversity, illiquidity, high transaction cost, and so on. On the other hand, in theory, capital market-based financial instruments can provide a risk transfer mechanism with the ability to absorb the adverse impact of an information security event. Thus, this article addresses the limitations in the cyber-(reinsurance markets with a set of capital market-based financial instruments. This article presents a set of information security derivatives, namely options, vanilla options, swap, and futures that can be traded at an information security prediction market. Furthermore, this article demonstrates the usefulness of information security derivatives in a given scenario and presents an evaluation of the same in comparison with cyber-insurance. In our analysis, we found that the information security derivatives can at least be a partial solution to the problems in the cyber-insurance markets. The information security derivatives can be used as an effective tool for information elicitation and aggregation, cyber risk pricing, risk hedging, and strategic decision making for information security risk management.
Barletta, William A.
Assuring the security and privacy of institutionalinformation assets is a complex task for the line manager responsible forinternational and multi-national transactions. In the face of an unsureand often conflicting international legal framework, the line managermust employ all available tools in an Integrated Security and PrivacyManagement framework that ranges from legal obligations, to policy, toprocedure, to cutting edge technology to counter the rapidly evolvingcyber threat to information assets and the physical systems thatinformation systems control.
Chen, Hung-Ming; Lo, Jung-Wen; Yeh, Chang-Kuo
The rapidly increased availability of always-on broadband telecommunication environments and lower-cost vital signs monitoring devices bring the advantages of telemedicine directly into the patient's home. Hence, the control of access to remote medical servers' resources has become a crucial challenge. A secure authentication scheme between the medical server and remote users is therefore needed to safeguard data integrity, confidentiality and to ensure availability. Recently, many authentication schemes that use low-cost mobile devices have been proposed to meet these requirements. In contrast to previous schemes, Khan et al. proposed a dynamic ID-based remote user authentication scheme that reduces computational complexity and includes features such as a provision for the revocation of lost or stolen smart cards and a time expiry check for the authentication process. However, Khan et al.'s scheme has some security drawbacks. To remedy theses, this study proposes an enhanced authentication scheme that overcomes the weaknesses inherent in Khan et al.'s scheme and demonstrated this scheme is more secure and robust for use in a telecare medical information system.
... Clearance and Safeguarding of National Security Information and Restricted Data AGENCY: Nuclear Regulatory... the objectives of Executive Order 13526, Classified National Security Information. The rule allows... signed Executive Order 13526, Classified National Security Information, which was published in the...
Das, Ashok Kumar
Recent advanced technology enables the telecare medicine information system (TMIS) for the patients to gain the health monitoring facility at home and also to access medical services over the Internet of mobile networks. Several remote user authentication schemes have been proposed in the literature for TMIS. However, most of them are either insecure against various known attacks or they are inefficient. Recently, Tan proposed an efficient user anonymity preserving three-factor authentication scheme for TMIS. In this paper, we show that though Tan's scheme is efficient, it has several security drawbacks such as (1) it fails to provide proper authentication during the login phase, (2) it fails to provide correct updation of password and biometric of a user during the password and biometric update phase, and (3) it fails to protect against replay attack. In addition, Tan's scheme lacks the formal security analysis and verification. Later, Arshad and Nikooghadam also pointed out some security flaws in Tan's scheme and then presented an improvement on Tan's s scheme. However, we show that Arshad and Nikooghadam's scheme is still insecure against the privileged-insider attack through the stolen smart-card attack, and it also lacks the formal security analysis and verification. In order to withstand those security loopholes found in both Tan's scheme, and Arshad and Nikooghadam's scheme, we aim to propose an effective and more secure three-factor remote user authentication scheme for TMIS. Our scheme provides the user anonymity property. Through the rigorous informal and formal security analysis using random oracle models and the widely-accepted AVISPA (Automated Validation of Internet Security Protocols and Applications) tool, we show that our scheme is secure against various known attacks, including the replay and man-in-the-middle attacks. Furthermore, our scheme is also efficient as compared to other related schemes.
Vladimirov, Andrew; Michajlowski, Andriej
This book deals with the philosophy, strategy and tactics of soliciting, managing and conducting information security audits of all flavours. It will give readers the founding principles around information security assessments and why they are important, whilst providing a fluid framework for developing an astute 'information security mind' capable of rapid adaptation to evolving technologies, markets, regulations, and laws.
... information for parties; security clearances. 2.905 Section 2.905 Energy NUCLEAR REGULATORY COMMISSION RULES... to Adjudicatory Proceedings Involving Restricted Data and/or National Security Information § 2.905 Access to restricted data and national security information for parties; security clearances. (a) Access...
My job title is IT Security support for the Spaceport Command & Control System Development. As a cyber-security analyst it is my job to ensure NASA's information stays safe from cyber threats, such as, viruses, malware and denial-of-service attacks by establishing and enforcing system access controls. Security is very important in the world of technology and it is used everywhere from personal computers to giant networks ran by Government agencies worldwide. Without constant monitoring analysis, businesses, public organizations and government agencies are vulnerable to potential harmful infiltration of their computer information system. It is my responsibility to ensure authorized access by examining improper access, reporting violations, revoke access, monitor information request by new programming and recommend improvements. My department oversees the Launch Control System and networks. An audit will be conducted for the LCS based on compliance with the Federal Information Security Management Act (FISMA) and The National Institute of Standards and Technology (NIST). I recently finished analyzing the SANS top 20 critical controls to give cost effective recommendations on various software and hardware products for compliance. Upon my completion of this internship, I will have successfully completed my duties as well as gain knowledge that will be helpful to my career in the future as a Cyber Security Analyst.
The purpose of this guidance is to provide an alternative manual process for disseminating EPA Information Security Awareness Training (ISAT) materials and collecting results from EPA users who elect to complete the ISAT manually.
Novel approach to information security management of confidential and propriety information ... Journal of Fundamental and Applied Sciences ... valuable information by using steganography it can have a major impact security management.
Collmann, Jeff; Cooper, Ted
This case study describes and analyzes a breach of the confidentiality and integrity of personally identified health information (e.g. appointment details, answers to patients' questions, medical advice) for over 800 Kaiser Permanente (KP) members through KP Online, a web-enabled health care portal. The authors obtained and analyzed multiple types of qualitative data about this incident including interviews with KP staff, incident reports, root cause analyses, and media reports. Reasons at multiple levels account for the breach, including the architecture of the information system, the motivations of individual staff members, and differences among the subcultures of individual groups within as well as technical and social relations across the Kaiser IT program. None of these reasons could be classified, strictly speaking, as "security violations." This case study, thus, suggests that, to protect sensitive patient information, health care organizations should build safe organizational contexts for complex health information systems in addition to complying with good information security practice and regulations such as the Health Insurance Portability and Accountability Act (HIPAA) of 1996.
Information security breaches pose a significant and increasing threat to national security and economic well-being. In the Symantec Internet Security Threat Report (2003), companies surveyed experienced an average of about 30 attacks per week. Anecdotal evidence suggests that losses from cyber-attacks can run into millions of dollars. The CSI-FBI…
... CARRIER SECURITY § 1548.19 Security Directives and Information Circulars. (a) TSA may issue an Information... aviation, TSA issues a Security Directive setting forth mandatory measures. (1) Each indirect air carrier... Security Directive that TSA issues to it, within the time prescribed in the Security Directive for...
Full Text Available A Security Maturity Model (SMM) provides an organisation with a distinct Information Security framework. Organisations that conform to these models are likely to pursue satisfactory Information Security. Additionally, the use of Security Maturity...
Zhou, Linqi; Gu, Weihong; Huang, Cheng; Huang, Aijun; Bai, Yongbin
Big data is becoming another hotspot in the field of information technology after the cloud computing and the Internet of Things. However, the existing information security methods can no longer meet the information security requirements in the era of big data. This paper analyzes the challenges and a cause of data security brought by big data, discusses the development trend of network attacks under the background of big data, and puts forward my own opinions on the development of security defense in technology, strategy and product.
This paper exposes security vulnerabilities of the web based Open Source Information Systems (OSIS) from both system angle and human perspectives.It shows the extent of risk that can likely hinder adopting organization from attaning full intended benefits of using OSIS software. To undertake this study, a case study ...
Su, X.; Bolzoni, D.; van Eck, Pascal
In this paper we present an approach for specifying and prioritizing information security requirements in organizations. We propose to explicitly link security requirements with the organizations' business vision, i.e. to provide business rationale for security requirements. The rationale is then
Perez, Rafael G.
The purpose of this quantitative inferential study is to determine the level of correlation between the organizational factors of information security awareness, balanced security processes, and organizational structure with the size of the estimation gap of information security implementations mediated by the end user intentionality. The study…
Valdevit, Thierry; Mayer, Nicolas; Barafort, Béatrix
While Information Security Management Systems (ISMS) are being adopted by the biggest IT companies, it remains quite difficult for smaller entities to implement and maintain all the requirements of ISO/IEC 27001. In order to increase information security in Luxembourg, the Public Research Centre Henri Tudor has been charged by the Luxembourg Ministry of Economy and Foreign Trade to find solutions to facilitate ISMS deployment for SMEs. After an initial experiment aiming at assisting a SME in getting the first national ISO/IEC 27001 certification for a private company, an implementation guide for deploying an ISMS, validated by local experts and experimented in SMEs, has been released and is presented in this paper.
Lee, Hsien-Hsin S
The overall objective of this research project is to develop novel architectural techniques as well as system software to achieve a highly secure and intrusion-tolerant computing system. Such system will be autonomous, self-adapting, introspective, with self-healing capability under the circumstances of improper operations, abnormal workloads, and malicious attacks. The scope of this research includes: (1) System-wide, unified introspection techniques for autonomic systems, (2) Secure information-flow microarchitecture, (3) Memory-centric security architecture, (4) Authentication control and its implication to security, (5) Digital right management, (5) Microarchitectural denial-of-service attacks on shared resources. During the period of the project, we developed several architectural techniques and system software for achieving a robust, secure, and reliable computing system toward our goal.
Awad, Ahmed; Woungang, Isaac
This book introduces novel research targeting technical aspects of protecting information security and establishing trust in the digital space. New paradigms, and emerging threats and solutions are presented in topics such as application security and threat management; modern authentication paradigms; digital fraud detection; social engineering and insider threats; cyber threat intelligence; intrusion detection; behavioral biometrics recognition; hardware security analysis. The book presents both the important core and the specialized issues in the areas of protection, assurance, and trust in information security practice. It is intended to be a valuable resource and reference for researchers, instructors, students, scientists, engineers, managers, and industry practitioners. .
This paper considers a zero-sum two-player asymmetric information stochastic game where only one player knows the system state, and the transition law is controlled by the informed player only. For the informed player, it has been shown that the security strategy only depends on the belief and the current stage. We provide LP formulations whose size is only linear in the size of the uninformed player\\'s action set to compute both history based and belief based security strategies. For the uninformed player, we focus on the regret, the difference between 0 and the future payoff guaranteed by the uninformed player in every possible state. Regret is a real vector of the same size as the belief, and depends only on the action of the informed player and the strategy of the uninformed player. This paper shows that the uninformed player has a security strategy that only depends on the regret and the current stage. LP formulations are then given to compute the history based security strategy, the regret at every stage, and the regret based security strategy. The size of the LP formulations are again linear in the size of the uninformed player action set. Finally, an intrusion detection problem is studied to demonstrate the main results in this paper.
Full Text Available This article is an extended version of the study presented at the IEEE Ecuador Technical Chapters Meeting (ETCM-2016. At that time, a methodological proposal was designed, implemented, and applied in a group of industrial plants for the management of the information security of the Industrial control systems (ICS. The present study displays an adaptation and improvement of such methodology with the purpose of aligning the proposal for the effective management of information security with the strategic objectives. The development of this study has been divided into three distinctive phases. Firstly, we induced the articulation of PMI-PMBOK v5 and ITIL v3 both for the management of the project and for the verification of risks in the IT services. Second, we applied a set of risk mitigation strategies based on international standards as NIST 800-82 and 800-30. Thirdly, we assembled the two mentioned phases in a Guide for standards-based instructions and security policies, which previously have been encouraged on NIST 800-82, 800-53 and 800-12. Hereby, we observed the reduction of incidents of information security, the correct delimitation of the functions of the direct responsible of the ICS and the improvement of the communication between the operative and technical areas of the involved companies. The results demonstrate the functionality of these improvements, especially in the context of the availability and integrity of information, which generates an added value to the enterprise.
... Development and Research, Occupational Information Development Project, Social Security Administration, 3-E-26... the unit's emerging and ongoing ideas, research, and methods. 5. Need for Basic & Applied Research The... SOCIAL SECURITY ADMINISTRATION [Docket No. SSA-2010-0018] Occupational Information System AGENCY...
Mutchler, Leigh Ann
The purpose of the present study is to make contributions to the area of behavioral information security in the field of Information Systems and to assist in the improved development of Information Security Policy instructional programs to increase the policy compliance of individuals. The role of an individual's experience in the context of…
... SMALL BUSINESS ADMINISTRATION Small Business Information Security Task Force AGENCY: U.S. Small... publish meeting minutes for the Small Business Information Security Task Force Meeting. DATES: 1 p.m... 2009, SBA submits the meeting minutes for the third meeting of the Small Business Information Security...
... SMALL BUSINESS ADMINISTRATION Small Business Information Security Task Force AGENCY: U.S. Small... publish meeting minutes for the Small Business Information Security Task Force Meeting. DATES: 1 p.m... 2009, SBA submits the meeting minutes for the second meeting of the Small Business Information Security...
... SMALL BUSINESS ADMINISTRATION Small Business Information Security Task Force AGENCY: U.S. Small... publish meeting minutes for the Small Business Information Security Task Force Meeting. DATES: 1 p.m... 2009, SBA submits the meeting minutes for the first meeting of the Small Business Information Security...
... SMALL BUSINESS ADMINISTRATION Small Business Information Security Task Force AGENCY: U.S. Small... publish meeting minutes for the Small Business Information Security Task Force Meeting. DATES: 1 p.m... 2009, SBA submits the meeting minutes for the third meeting of the Small Business Information Security...
... 32 National Defense 1 2010-07-01 2010-07-01 false Evaluation of personnel security information... SECURITY DEPARTMENT OF DEFENSE PERSONNEL SECURITY PROGRAM REGULATION Adjudication § 154.42 Evaluation of personnel security information. (a) The criteria and adjudicative policy to be used in applying the...
Mishra, Dheerendra; Mukhopadhyay, Sourav; Kumari, Saru; Khan, Muhammad Khurram; Chaturvedi, Ankita
Telecare medicine information systems (TMIS) present the platform to deliver clinical service door to door. The technological advances in mobile computing are enhancing the quality of healthcare and a user can access these services using its mobile device. However, user and Telecare system communicate via public channels in these online services which increase the security risk. Therefore, it is required to ensure that only authorized user is accessing the system and user is interacting with the correct system. The mutual authentication provides the way to achieve this. Although existing schemes are either vulnerable to attacks or they have higher computational cost while an scalable authentication scheme for mobile devices should be secure and efficient. Recently, Awasthi and Srivastava presented a biometric based authentication scheme for TMIS with nonce. Their scheme only requires the computation of the hash and XOR functions.pagebreak Thus, this scheme fits for TMIS. However, we observe that Awasthi and Srivastava's scheme does not achieve efficient password change phase. Moreover, their scheme does not resist off-line password guessing attack. Further, we propose an improvement of Awasthi and Srivastava's scheme with the aim to remove the drawbacks of their scheme.
This paper researches the information security value in e-entrepreneurship by revising the literature that establishes the entrepreneurial domain and by relating it with the development of technological resources that create value for the customer in an online business. It details multiple paradigms regarding consumer’s values of information security, while relating them with common practices and previous researches in technological entrepreneurship. This research presents and discusses the b...
Faysel, Mohammad A
Most of the cyber security systems use simulated data in evaluating their detection capabilities. The proposed cyber security system utilizes real hospital network connections. It uses a probabilistic data mining algorithm to detect anomalous events and takes appropriate response in real-time. On an evaluation using real-world hospital network data consisting of incoming network connections collected for a 24-hour period, the proposed system detected 15 unusual connections which were undetected by a commercial intrusion prevention system for the same network connections. Evaluation of the proposed system shows a potential to secure protected patient health information on a hospital network.
Full Text Available Organizations should measure their information security performance if they wish to take the right decisions and develop it in line with their security needs. Since the measurement of information security is generally underdeveloped in practice and many organizations find the existing recommendations too complex, the paper presents a solution in the form of a 10 by 10 information security performance measurement model. The model-ISP 10×10M is composed of ten critical success factors, 100 key performance indicators and 6 performance levels. Its content was devised on the basis of findings presented in the current research studies and standards, while its structure results from an empirical research conducted among information security professionals from Slovenia. Results of the study show that a high level of information security performance is mostly dependent on measures aimed at managing information risks, employees and information sources, while formal and environmental factors have a lesser impact. Experts believe that information security should evolve systematically, where it's recommended that beginning steps include technical, logical and physical security controls, while advanced activities should relate predominantly strategic management activities. By applying the proposed model, organizations are able to determine the actual level of information security performance based on the weighted indexing technique. In this manner they identify the measures they ought to develop in order to improve the current situation. The ISP 10×10M is a useful tool for conducting internal system evaluations and decision-making. It may also be applied to a larger sample of organizations in order to determine the general state-of-play for research purposes.
Bernik, Igor; Prislan, Kaja
Organizations should measure their information security performance if they wish to take the right decisions and develop it in line with their security needs. Since the measurement of information security is generally underdeveloped in practice and many organizations find the existing recommendations too complex, the paper presents a solution in the form of a 10 by 10 information security performance measurement model. The model-ISP 10×10M is composed of ten critical success factors, 100 key performance indicators and 6 performance levels. Its content was devised on the basis of findings presented in the current research studies and standards, while its structure results from an empirical research conducted among information security professionals from Slovenia. Results of the study show that a high level of information security performance is mostly dependent on measures aimed at managing information risks, employees and information sources, while formal and environmental factors have a lesser impact. Experts believe that information security should evolve systematically, where it's recommended that beginning steps include technical, logical and physical security controls, while advanced activities should relate predominantly strategic management activities. By applying the proposed model, organizations are able to determine the actual level of information security performance based on the weighted indexing technique. In this manner they identify the measures they ought to develop in order to improve the current situation. The ISP 10×10M is a useful tool for conducting internal system evaluations and decision-making. It may also be applied to a larger sample of organizations in order to determine the general state-of-play for research purposes.
Lenstra, A.K.; Voss, T.; Wang, H.; Pieprzyk, J.; Varadharajan, V.
As part of their compliance process with the Basel 2 operational risk management requirements, banks must define how they deal with information security risk management. In this paper we describe work in progress on a new quantitative model to assess and aggregate information security risks that is
Kegel, Roeland Hendrik,Pieter; Wieringa, Roelf J.; Kulyk, Olga Anatoliyivna; Kelders, S.; van Gemert-Pijnen, L.; Oinas-Kukkonen, H
This article proposes to use Behavior Change Support Systems (BCSSs) to improve the security of IT applications and the privacy of its users. We discuss challenges specific to BCSSs applied to information security, list research questions to be answered in order to meet these challenges, and propose
As part of the Syngress Basics series, The Basics of Information Security provides you with fundamental knowledge of information security in both theoretical and practical aspects. Author Jason Andress gives you the basic knowledge needed to understand the key concepts of confidentiality, integrity, and availability, and then dives into practical applications of these ideas in the areas of operational, physical, network, application, and operating system security. The Basics of Information Security gives you clear-non-technical explanations of how infosec works and how to apply these princi
... DEPARTMENT OF HOMELAND SECURITY [Docket No. DHS-2013-0005] Homeland Security Information Network... Committee Meeting. SUMMARY: The Homeland Security Information Network Advisory Committee (HSIN AC) will meet... received by the (Homeland Security Information Network Advisory Committee), go to http://www.regulations...
Wu, Fan; Xu, Lili
Nowadays, patients can gain many kinds of medical service on line via Telecare Medical Information Systems(TMIS) due to the fast development of computer technology. So security of communication through network between the users and the server is very significant. Authentication plays an important part to protect information from being attacked by malicious attackers. Recently, Jiang et al. proposed a privacy enhanced scheme for TMIS using smart cards and claimed their scheme was better than Chen et al.'s. However, we have showed that Jiang et al.'s scheme has the weakness of ID uselessness and is vulnerable to off-line password guessing attack and user impersonation attack if an attacker compromises the legal user's smart card. Also, it can't resist DoS attack in two cases: after a successful impersonation attack and wrong password input in Password change phase. Then we propose an improved mutual authentication scheme used for a telecare medical information system. Remote monitoring, checking patients' past medical history record and medical consultant can be applied in the system where information transmits via Internet. Finally, our analysis indicates that the suggested scheme overcomes the disadvantages of Jiang et al.'s scheme and is practical for TMIS.
Kraemer, Sara; Carayon, Pascale
This paper describes human errors and violations of end users and network administration in computer and information security. This information is summarized in a conceptual framework for examining the human and organizational factors contributing to computer and information security. This framework includes human error taxonomies to describe the work conditions that contribute adversely to computer and information security, i.e. to security vulnerabilities and breaches. The issue of human error and violation in computer and information security was explored through a series of 16 interviews with network administrators and security specialists. The interviews were audio taped, transcribed, and analyzed by coding specific themes in a node structure. The result is an expanded framework that classifies types of human error and identifies specific human and organizational factors that contribute to computer and information security. Network administrators tended to view errors created by end users as more intentional than unintentional, while errors created by network administrators as more unintentional than intentional. Organizational factors, such as communication, security culture, policy, and organizational structure, were the most frequently cited factors associated with computer and information security.
... 41 Public Contracts and Property Management 3 2010-07-01 2010-07-01 false Information Security... FUNCTIONS Central Offices § 105-53.133 Information Security Oversight Office. (a) Creation and authority. The Information Security Oversight Office (ISOO), headed by the Director of ISOO, who is appointed by...
von Faber, Eberhard
Measuring information security is a genuine interest of security managers. With metrics they can develop their security organization's visibility and standing within the enterprise or public authority as a whole. Organizations using information technology need to use security metrics. Despite the clear demands and advantages, security metrics are often poorly developed or ineffective parameters are collected and analysed. This paper describes best practices for the development of security metrics. First attention is drawn to motivation showing both requirements and benefits. The main body of this paper lists things which need to be observed (characteristic of metrics), things which can be measured (how measurements can be conducted) and steps for the development and implementation of metrics (procedures and planning). Analysis and communication is also key when using security metrics. Examples are also given in order to develop a better understanding. The author wants to resume, continue and develop the discussion about a topic which is or increasingly will be a critical factor of success for any security managers in larger organizations.
Full Text Available Purpose of the research is to ensure the securities of information system asset and to ensure if informa-tion system support the operational and data collected was valid. Research method that used in this research were library studies and field studies. Field studies such an observation, questioner, and inter-view. the expected result are founding the weakness of security management control, operational man-agement control, input control, and output control of risk happened in the company. Conclusion of this research are the system on the company work good and there’s no potential risk happened and make an impact to the delivery process of information system.Index Terms - Auditing Information system, Delivery product process.
To improve SSAs IT management practices, we recommend that the Acting Commissioner of Social Security direct the Chief Information Officer and the Deputy Commissioner for Systems to complete the following actions...
manaOptimizing risk to information to protect the enterprise as well as to satisfy government and industry mandates is a core function of most information security departments. Risk management is the discipline that is focused on assessing, mitigating, monitoring and optimizing risks to information. Risk assessments and analyses are critical…
Voeller, John G
Detection and Intelligent Systems for Homeland Security features articles from the Wiley Handbook of Science and Technology for Homeland Security covering advanced technology for image and video interpretation systems used for surveillance, which help in solving such problems as identifying faces from live streaming or stored videos. Biometrics for human identification, including eye retinas and irises, and facial patterns are also presented. The book then provides information on sensors for detection of explosive and radioactive materials and methods for sensing chemical
Wynn, Cynthia L.
An increase in information technology has caused and increased in threats towards information security. Threats are malware, viruses, sabotage from employees, and hacking into computer systems. Organizations have to find new ways to combat vulnerabilities and threats of internal and external threats to protect their information security and…
Craig A. Horne
Full Text Available Dependence on information, including for some of the world’s largest organisations such as governments and multi-national corporations, has grown rapidly in recent years. However, reports of information security breaches and their associated consequences indicate that attacks are escalating on organisations conducting these information-based activities. Organisations need to formulate strategy to secure their information, however gaps exist in knowledge. Through a thematic review of academic security literature, (1 we analyse the antecedent conditions that motivate the adoption of a comprehensive information security strategy, (2 the conceptual elements of strategy and (3 the benefits that are enjoyed post-adoption. Our contributions include a definition of information security strategy that moves from an internally-focussed protection of information towards a strategic view that considers the organisation, its resources and capabilities, and its external environment. Our findings are then used to suggest future research directions.
Vuppala, V.; Vincent, J.; Kusler, J.; Davidson, K.
Recent incidents of breaches, in control systems in specific and information systems in general, have emphasized the importance of security and operational continuity in achieving the quality objectives of an organization, and the safety of its personnel and infrastructure. However, security and disaster recovery are either completely ignored or given a low priority during the design and development of an accelerator control system, the underlying technologies, and the overlaid applications. This leads to an operational facility that is easy to breach, and difficult to recover. Retrofitting security into a control system becomes much more difficult during operations. In this paper we describe our experiences with implementing ISO/IEC 27001 Standard for information security at the Electronics Department of the National Superconducting Cyclotron Laboratory (NSCL) located on the campus of Michigan State University. We describe our risk assessment methodology, the identified risks, the selected controls, their implementation, and our documentation structure. We also report the current status of the project. We conclude with the challenges faced and the lessons learnt. (authors)
Full Text Available Historically developed for secure communication and military use, CDMA has been identified as a major modulation and multiple-access technique for 3G systems and beyond. In addition to the wide bandwidth and low power-spectrum density which make CDMA signals robust to narrowband jamming and easy to be concealed within the noise floor, the physical layer built-in information privacy of CDMA system is provided by pseudorandom scrambling. In this paper, first, security weakness of the operational and proposed CDMA airlink interfaces is analyzed. Second, based on the advanced encryption standard (AES, we propose to enhance the physical layer built-in security of CDMA systems through secure scrambling. Performance analysis demonstrates that while providing significantly improved information privacy, CDMA systems with secure scrambling have comparable computational complexity and overall system performance with that of conventionally scrambled systems. Moreover, it is shown that by scrambling the training sequence and the message sequence separately with two independent scrambling sequences, both information privacy and system performance can be further improved. The proposed scheme can readily be applied to 3G systems and beyond.
Yoon, Cheolho; Hwang, Jae-Won; Kim, Rosemary
Due to the ever-increasing use of the Internet, information security has become a critical issue in society. This is especially the case for young adults who have different attitudes towards information security practices. In this research, we examine factors that motivate college students' information security behaviors. Based on the concept of…
... privacy issues pertaining to federal computer systems. Details regarding the ISPAB's activities are... of the Information Security and Privacy Advisory Board AGENCY: National Institute of Standards and Technology, Commerce. ACTION: Notice. SUMMARY: The Information Security and Privacy Advisory Board (ISPAB...
Imam, Abbas H.
Complexity of information security has become a major issue for organizations due to incessant threats to information assets. Healthcare organizations are particularly concerned with security owing to the inherent vulnerability of sensitive information assets in health informatics. While the non-technical security management elements have been at…
Full Text Available The field of information security includes diverse contents such as network security and computer forensics which are highly technical-oriented topics. In addition, information forensic requires the background of criminology. The information security also includes non-technical content such as information ethics and security laws. Because the diverse nature of information security, Shing et al. has proposed the use of team teaching and collaborative learning for the information security classes. Although team teaching seems to be efficient in information security, practically it needs a few challenges. The Purdue's case mentioned in Shing's paper has funding support of National Security Agency (NSA. However, a vast amount of resources may not be available for an instructor in a normal university. In addition, many obstacles are related to the administration problems. For example, how are the teaching evaluations computed if there are multiple instructors for a single course? How will instructors in a computer forensics class prepare students (criminal justice majors and information technology majors before taking the same class with diverse background? The paper surveyed approximately 25 students in a university in Virginia concerning the satisfaction of team-teaching. Finally, this paper describes ways to meet those challenges.
Full Text Available Pervasive wireless systems have significantly improved end-users’ quality of life. As manufacturing costs decrease, communications bandwidth increases, and contextual information is made more readily available, the role of next generation wireless systems in facilitating users’ daily activities will grow. Unique security and privacy issues exist in these wireless, context-aware, often decentralized systems. For example, the pervasive nature of such systems allows adversaries to launch stealthy attacks against them. In this review paper, we survey several emergent personal wireless systems and their applications. These systems include mobile social networks, active implantable medical devices, and consumer products. We explore each system’s usage of contextual information and provide insight into its security vulnerabilities. Where possible, we describe existing solutions for defendingagainst these vulnerabilities. Finally, we point out promising future research directions for improving these systems’ robustness and security
Gilliam, David P.; Feather, Martin S.
Information Technology (IT) Security Risk Management is a critical task in the organization, which must protect its resources and data against the loss of confidentiality, integrity, and availability. As systems become more complex and diverse, and more vulnerabilities are discovered while attacks from intrusions and malicious content increase, it is becoming increasingly difficult to manage IT security. This paper describes an approach to address IT security risk through risk management and mitigation in both the institution and in the project life cycle.
Okoye, Stella Ifeyinwa
Business leaders in Nigeria are concerned about the high rates of business failure and economic loss from security incidents and may not understand strategies for reducing the effects of information security threats on business performance. Guided by general systems theory and transformational leadership theory, the focus of this exploratory…
I. E. L'vovich
Full Text Available Summary. Now to increase of indicators of efficiency and operability of difficult systems apply an automation equipment. The increasing role of information which became universal goods for relationship between various structures is noted. The question of its protection becomes the most actual. Special value is allocated for optimum design at creation of systems of the protection, allowing with the greatest probability to choose the best decisions on a set of alternatives. Now it becomes actual for the majority of the industrial enterprises as correctly designed and introduced system of protection will be pledge of successful functioning and competitiveness of all organization. Stages of works on creation of an information security system of the industrial enterprise are presented. The attention is focused on one of the most important approaches to realization of optimum design – multialternative optimization. In article the structure of creation of system of protection from the point of view of various models is considered, each of which gives an idea of features of design of system as a whole. The special attention is paid to a problem of creation of an information security system as it has the most difficult structure. Tasks for processes of automation of each of design stages of system of information security of the industrial enterprises are designated. Idea of each of stages of works is given at design of system of protection that allows to understand in the best way internal structure of creation of system of protection. Therefore, it is given the chance of evident submission of necessary requirements to creation of a reliable complex of information security of the industrial enterprise. Thereby it is given the chance of leveling of risks at early design stages of systems of protection, the organization and definition of necessary types of hardware-software complexes for future system.
Mrowca, B.; Eltawila, F.
Safety-security interface is a term that is used as part of the commercial nuclear power security framework to promote coordination of the many potentially adverse interactions between plant security and plant safety. Its object is to prevent the compromise of either. It is also used to describe the concept of building security into a plant's design similar to the long standing practices used for safety therefore reducing the complexity of the operational security while maintaining or enhancing overall security. With this in mind, the concept of safety-security interface, when fully implemented, can influence a plant's design, operation and maintenance. It brings the approach use for plant security to one that is similar to that used for safety. Also, as with safety, the application of risk-informed techniques to fully implement and integrate safety and security is important. Just as designers and operators have applied these techniques to enhance and focus safety, these same techniques can be applied to security to not only enhance and focus the security but also to aid in the implementation of effective techniques to address the safety-security interfaces. Implementing this safety-security concept early within the design process can prevent or reduce security vulnerabilities through low cost solutions that often become difficult and expensive to retrofit later in the design and/or post construction period. These security considerations address many of the same issues as safety in ensuring that the response of equipment and plant personnel are adequate. That is, both safety and security are focused on reaching safe shutdown and preventing radiological release. However, the initiation of challenges and the progression of actions in response these challenges and even the definitions of safe shutdown can be considerably different. This paper explores the techniques and limitations that are employed to fully implement a risk-informed, safety-security interface
Elena S. Zinovieva
Full Text Available The article discusses the key trends shaping the international regime on information security. International cooperation in this area at the global level encounters contradictions of state interest. The main actors of the information security are the United States, Russia, China and the EU countries (Britain, France and Germany. The main contradiction is developing between the US on one side and Russia and China on the other. EU countries occupy the middle position, gravitating to that of US. The article proves that international cooperation on information security will reflect the overall logic of the development of international cooperation, which is characterized by a new model of cooperation, with the participation of state and non-state actors, known as multi-stakeholder partnerships and multi-level cooperation. The logic of the formation of an international regime on information security is closest to the logic of the formation of the international non-proliferation regime. It is in the interest of Russia to support the trend towards regionalization of information security regime. Russia can form a regional information security regime in the former Soviet Union on the basis of the CSTO and SCO and potentially on a wider Eurasian space. Such regional regime would give Russia an opportunity to shape the international regime and closely monitor emerging information security issues in the former Soviet Union, and remove the potential threat of "color revolutions".
The following report describes information security and data breach notification requirements included in the Privacy Act, the Federal Information...information for unauthorized purposes. Data breach notification laws typically require covered entities to implement a breach notification policy, and...Feinstein), S. 495 (Leahy), and S. 1178 (Inouye)--were reported favorably out of Senate committees. Those bills include information security and data
minimal standards of security may become a precondition for Federal regulatory approval (e.g., phone system or power-generation franchises often...technologies suggests that it fundamentally misunderstood them. Information technology especially rewards innovation and entrepreneurship (the proverbial two... entrepreneurship , science, and openness—qualities that are not about to atrophy if the government fails to take charge. Indeed, state-led competition in
Ula, M.; Ula, M.; Fuadi, W.
As modern banking increasingly relies on the internet and computer technologies to operate their businesses and market interactions, the threats and security breaches have highly increased in recent years. Insider and outsider attacks have caused global businesses lost trillions of Dollars a year. Therefore, that is a need for a proper framework to govern the information security in the banking system. The aim of this research is to propose and design an enhanced method to evaluate information security governance (ISG) implementation in banking environment. This research examines and compares the elements from the commonly used information security governance frameworks, standards and best practices. Their strength and weakness are considered in its approaches. The initial framework for governing the information security in banking system was constructed from document review. The framework was categorized into three levels which are Governance level, Managerial level, and technical level. The study further conducts an online survey for banking security professionals to get their professional judgment about the ISG most critical components and the importance for each ISG component that should be implemented in banking environment. Data from the survey was used to construct a mathematical model for ISG evaluation, component importance data used as weighting coefficient for the related component in the mathematical model. The research further develops a method for evaluating ISG implementation in banking based on the mathematical model. The proposed method was tested through real bank case study in an Indonesian local bank. The study evidently proves that the proposed method has sufficient coverage of ISG in banking environment and effectively evaluates the ISG implementation in banking environment.
Namoğlu, Nihan; Ulgen, Yekta
Healthcare industry has become widely dependent on information technology and internet as it moves from paper to electronic records. Healthcare Information System has to provide a high quality service to patients and a productive knowledge share between healthcare staff by means of patient data. With the internet being commonly used across hospitals, healthcare industry got its own share from cyber threats like other industries in the world. The challenge is allowing knowledge transfer to hospital staff while still ensuring compliance with security mandates. Working in collaboration with a private hospital in Turkey; this study aims to reveal the essential elements of a 21st century business continuity plan for hospitals while presenting the security vulnerabilities in the current hospital information systems and personal privacy auditing standards proposed by regulations and laws. We will survey the accreditation criteria in Turkey and counterparts in US and EU. We will also interview with medical staff in the hospital to understand the needs for personal privacy and the technical staff to perceive the technical requirements in terms of network security configuration and deployment. As hospitals are adopting electronic transactions, it should be considered a must to protect these electronic health records in terms of personal privacy aspects.
Full Text Available by province Various groups in business requires differentiated views and this remains true on a national level. Figure 4 is a graph view representing all internet facing devices grouped by their detected province. While not strictly related to security...Anonymous 2012, .  J. Webb, S. Maynard, A. Ahmad and G. Shanks. Towards an intelligence-driven information security risk management process for organisations. Presented at 24th Australasian Conference on Information Systems Proceedings. 2013, . [14...
Full Text Available The article presents several arguments on the need to study the critical infrastructure in Romania including various systems (networks and special military communications. It emphasizes the role and place of such systems and networks to provide national defense and security and the risks and vulnerabilities faced by these infrastructures, and some necessary measures to be taken for the physical and informational protection in the case of hostile military actions, natural disasters or other negative phenomena. Finally some conclusions and proposals are formulated.
Han, Dongmei; Dai, Yonghui; Han, Tianlin; Dai, Xingyun
With the rapid development of the internet and information technology, the increasingly diversified portable mobile terminals, online shopping, and social media have facilitated information exchange, social communication, and financial payment for people more and more than ever before. In the meantime, information security and privacy protection have been meeting with new severe challenges. Although we have taken a variety of information security measures in both management and technology, the actual effectiveness depends firstly on people's awareness of information security and the cognition of potential risks. In order to explore the new technology for the objective assessment of people's awareness and cognition on information security, this paper takes the online financial payment as example and conducts an experimental study based on the analysis of electrophysiological signals. Results indicate that left hemisphere and beta rhythms of electroencephalogram (EEG) signal are sensitive to the cognitive degree of risks in the awareness of information security, which may be probably considered as the sign to assess people's cognition of potential risks in online financial payment.
Full Text Available With the rapid development of the internet and information technology, the increasingly diversified portable mobile terminals, online shopping, and social media have facilitated information exchange, social communication, and financial payment for people more and more than ever before. In the meantime, information security and privacy protection have been meeting with new severe challenges. Although we have taken a variety of information security measures in both management and technology, the actual effectiveness depends firstly on people’s awareness of information security and the cognition of potential risks. In order to explore the new technology for the objective assessment of people’s awareness and cognition on information security, this paper takes the online financial payment as example and conducts an experimental study based on the analysis of electrophysiological signals. Results indicate that left hemisphere and beta rhythms of electroencephalogram (EEG signal are sensitive to the cognitive degree of risks in the awareness of information security, which may be probably considered as the sign to assess people’s cognition of potential risks in online financial payment.
Sihombing, P.; Siregar, Y. M.; Tarigan, J. T.; Jaya, I.; Turnip, A.
Security system is one of the common problems to protect an environment such as personal house or a warehouse. There are numerous methods and technologies that can be used as part of a security system. In this paper, we present a security system that offers a better efficiency. The purpose of this study is to build a system that can monitor home security at any time in particular fire and theft. Through sensors, the system will be able to provide warning information of hazard conditions via LCD monitor, sound, and alarm. This information will be sent automatically to the home owner’s smartphone as well as to the corresponding to the security agency. Thus the prevention of theft and fire hazards can be immediately anticipated by the police and firefighters. The system will also notify the position of the coordinates of the location of the building (the house) by a link to the Google map in order to make it easier to get the location quickly.
Trinckes, John J
Supplying a complete overview of the concepts executives need to know, this book provides the tools needed to ensure your organization has an effective information security management program in place. It also includes a ready-to use security framework for developing workable programs and supplies proven tips for avoiding common pitfalls.
This book represents a timely overview of advances in systems safety and security, based on selected, revised and extended contributions from the 2nd and 3rd editions of the International Workshop on Systems Safety and Security – IWSSS, held in 2014 and 2015, respectively, in Bucharest, Romania. It includes 14 chapters, co-authored by 34 researchers from 7 countries. The book provides an useful reference from both theoretical and applied perspectives in what concerns recent progress in this area of critical interest. Contributions, broadly grouped by core topic, address challenges related to information theoretic methods for assuring systems safety and security, cloud-based solutions, image processing approaches, distributed sensor networks and legal or risk analysis viewpoints. These are mostly accompanied by associated case studies providing additional practical value and underlying the broad relevance and impact of the field.
Full Text Available Today we are living in 21st century where crime become increasing and everyone wants to secure they asset at their home. In that situation user must have system with advance technology so person do not worry when getting away from his home. It is therefore the purpose of this design to provide home security device, which send fast information to user GSM (Global System for Mobile mobile device using SMS (Short Messaging System and also activate - deactivate system by SMS. The Modular design of this Home Security System make expandable their capability by add more sensors on that system. Hardware of this system has been designed using microcontroller AT Mega 328, PIR (Passive Infra Red motion sensor as the primary sensor for motion detection, camera for capturing images, GSM module for sending and receiving SMS and buzzer for alarm. For software this system using Arduino IDE for Arduino and Putty for testing connection programming in GSM module. This Home Security System can monitor home area that surrounding by PIR sensor and sending SMS, save images capture by camera, and make people panic by turn on the buzzer when trespassing surrounding area that detected by PIR sensor. The Modular Home Security System has been tested and succeed detect human movement.
The objective of my research is to improve and support the process of Information security Risk Assessment by designing a scalable Risk argumentation framework for socio-digital-technical Risk. Due to the various types of IT systems, diversity of architectures and dynamic nature of Risk, there is no
Rednic, Emanuil; Toma, Andrei
In database security, the issue of providing a level of security for multimedia information is getting more and more known. For the moment the security of multimedia information is done through the security of the database itself, in the same way, for all classic and multimedia records. So what is the reason for the creation of a security…
Discusses collecting and collating information on needs integrated in Nuclear Security Support Plans and analyzing data on illicit trafficking and nuclear security incidents. Coordination with donor States and international organizations on Illicit trafficking Database reports and other related information provided by states.
Sun Qiong; Min Liu; Shiming Pang
With the promotion of Internet sales, the security of personal information to network users have become increasingly demanding. The existing network of sales channels has personal information security risks, vulnerable to hacker attacking. Taking full advantage of cloud security management strategy, cloud computing security management model is introduced to the network sale of personal information security applications, which is to solve the problem of information leakage. Then we proposed me...
Information security doesn’t involve only large organizations. Small and medium-sized companies must closely examine this issue too, because they are increasingly threatened by cyber attacks. Many of them mistakenly believe, that security of their valuable data is sufficient, or that the attackers are not interested in them. Existing standards and methodologies for implementation and management of information security are often hard to transfer to the environment of small and medium-sized bus...
Ivanov, Vladimir I; Yu, Paul L; Baras, John S
Medical information is extremely sensitive in nature - a compromise, such as eavesdropping or tampering by a malicious third party, may result in identity theft, incorrect diagnosis and treatment, and even death. Therefore, it is important to secure the transfer of medical information from the patient to the recording system. We consider a portable, wireless device transferring medical information to a remote server. We decompose this problem into two sub-problems and propose security solutions to each of them: (1) to secure the link between the patient and the portable device, and (2) to secure the link between the portable device and the network. Thus we push the limits of the network security to the edge by authenticating the user using their biometric information; authenticating the device to the network at the physical layer; and strengthening the security of the wireless link with a key exchange mechanism. The proposed authentication methods can be used for recording the readings of medical data in a central database and for accessing medical records in various settings.
Full Text Available With the increasing use of computers nowadays, information security is becoming an important issue for private companies and government organizations. Various security technologies have been developed, such as authentication, authorization, and auditing. However, once a user logs on, it is assumed that the system would be controlled by the same person. To address this flaw, we developed a demonstration system that uses facial recognition technology to periodically verify the identity of the user. If the authenticated user's face disappears, the system automatically performs a log-off or screen-lock operation. This paper presents our further efforts in developing image preprocessing algorithms and dealing with angled facial images. The objective is to improve the accuracy of facial recognition under uncontrolled conditions. To compare the results with others, the frontal pose subset of the Face Recognition Technology (FERET database was used for the test. The experiments showed that the proposed algorithms provided promising results.
Xiao, Qinghan; Yang, Xue-Dong
With the increasing use of computers nowadays, information security is becoming an important issue for private companies and government organizations. Various security technologies have been developed, such as authentication, authorization, and auditing. However, once a user logs on, it is assumed that the system would be controlled by the same person. To address this flaw, we developed a demonstration system that uses facial recognition technology to periodically verify the identity of the user. If the authenticated user's face disappears, the system automatically performs a log-off or screen-lock operation. This paper presents our further efforts in developing image preprocessing algorithms and dealing with angled facial images. The objective is to improve the accuracy of facial recognition under uncontrolled conditions. To compare the results with others, the frontal pose subset of the Face Recognition Technology (FERET) database was used for the test. The experiments showed that the proposed algorithms provided promising results.
Rajivan, Prashanth; Cooke, Nancy J
Incident correlation is a vital step in the cybersecurity threat detection process. This article presents research on the effect of group-level information-pooling bias on collaborative incident correlation analysis in a synthetic task environment. Past research has shown that uneven information distribution biases people to share information that is known to most team members and prevents them from sharing any unique information available with them. The effect of such biases on security team collaborations are largely unknown. Thirty 3-person teams performed two threat detection missions involving information sharing and correlating security incidents. Incidents were predistributed to each person in the team based on the hidden profile paradigm. Participant teams, randomly assigned to three experimental groups, used different collaboration aids during Mission 2. Communication analysis revealed that participant teams were 3 times more likely to discuss security incidents commonly known to the majority. Unaided team collaboration was inefficient in finding associations between security incidents uniquely available to each member of the team. Visualizations that augment perceptual processing and recognition memory were found to mitigate the bias. The data suggest that (a) security analyst teams, when conducting collaborative correlation analysis, could be inefficient in pooling unique information from their peers; (b) employing off-the-shelf collaboration tools in cybersecurity defense environments is inadequate; and (c) collaborative security visualization tools developed considering the human cognitive limitations of security analysts is necessary. Potential applications of this research include development of team training procedures and collaboration tool development for security analysts.
IoT refers to the infrastructure of connected physical devices which is growing at a rapid rate as huge number of devices and objects are getting associated to the Internet. Home security is a very useful application of IoT and we are using it to create an inexpensive security system for homes as well as industrial use. The system will inform the owner about any unauthorized entry or whenever the door is opened by sending a notification to the user. After the user gets the notification, he can take the necessary actions. The security system will use a microcontroller known as Arduino Uno to interface between the components, a magnetic Reed sensor to monitor the status, a buzzer for sounding the alarm, and a WiFi module, ESP8266 to connect and communicate using the Internet. The main advantages of such a system includes the ease of setting up, lower costs and low maintenance.
... 10 Energy 2 2010-01-01 2010-01-01 false Security facility approval and safeguarding of National Security Information and Restricted Data. 76.119 Section 76.119 Energy NUCLEAR REGULATORY COMMISSION... approval and safeguarding of National Security Information and Restricted Data. The requirements for...
Full Text Available Methodological problems related to the lack of guidance in the provisions (standards of accounting on the reflection in the accounting and financial reporting of the research object. In this connection, it is proposed to amend the provisions (standards of accounting. This will allow to come to the consistency of accounting methods of operations with elements of investment activity. Based on analysis of the information needs of users suggested indicators identikativnye blocks (block corporate finance unit assess the relationship with financial institutions, block the fulfillment of obligations according to the calculations, the investment unit, a science and innovation, investment security and developed forms of internal accounting controls and improvements to existing forms financial statements for the investment activities of the enterprise. Using enterprise data reporting forms provide timely and reliable information on the identity and structure of investment security and enable the company to effectively plan and develop personnel policies for enterprise management.
... by the Computer Security Act of 1987 (Pub. L. 100-235) and amended by the Federal Information... NIST on security and privacy issues pertaining to federal computer systems. Details regarding the ISPAB... security research, --Presentation from National Protection and Programs Directorate, DHS, on the white...