6 SYSTEMS MAINTENANCE

6.4 SYSTEM SECURITY

As information systems are essential to organisations, it is crucial that they are available when required and that they continue working correctly even when events such as deliberate threats, accidents or disasters occur. Establishing a secure system is a complex business and covers not just the hardware and software but also the way in which people interact with the system.

The CIA triad is a model which shows the three main goals for information systems security.

Information security

Confidentiality

Fig 6.1 CIA triad

Confidentiality is the protection of information from unauthorised access. This is particularly important when personal or sensitive information is to be managed. It can be maintained safely if suitable access controls are put in place to ensure users can only access permitted information.

Integrity is the keeping of accurate information. It is important to ensure that information cannot be changed or lost due to errors or improper access. Access controls can be put in place to avoid this.

Availability is making information available when and where needed. This means ensuring that the system can keep functioning so as to provide the required information. Security mechanisms need to be in place to ensure that the system components are secure and that the system can continue to operate under a range of conditions.

The above goals must be considered as part of the system security policy. In order to produce the policy, it will be necessary to undertake a risk assessment to identify likely threats and how vulnerable the system would be to them. Typical threats may include hardware or software failures, human errors, power failures, physical damage or theft and software attacks such as viruses or ransomware. Once risks have been identified, preventative actions can be taken to address them.

Download free eBooks at bookboon.com

Physical attacks can be addressed by putting in place adequate physical access and security around hardware locations such as server rooms. Where computer centres are used these will normally have user access controls in place to prevent unauthorised persons gaining access to the centre, usually involving electronic door access systems. Where PCs, laptops and smaller IT devices are located in more open environments such as offices, they can be secured with physical locking mechanisms.

In order to ensure that the system hardware can function unimpeded by power cuts, backup generators or uninterruptable power supplies can be utilised. For highly critical systems a disaster recovery plan will be developed to allow an organisation to continue its operations in the event of a major disruption, which may include maintaining a duplicate system at a different geographic location which can be put in to operation promptly.

Networks also need to be secured, which involves ensuring data traffic is encrypted and, in the case of wireless networks, ensuring that security protocols such as Wi-Fi Protected Access 2 (WPA2) are implemented. In order to prevent unauthorised access to the network via the Internet a firewall needs to be in place. In addition to firewalls, host and network intrusion detection systems (HIDS/NIDS) can be used to identify possible threats from hackers or crackers.

Typical software controls include application permissions which restrict user access to only specified parts of the system, usually controlled by means of passwords assigned by the system administrator. Access logs are also used in some situations which log users’ access to the system and can be used to highlight misuse. The integrity of the system data is vital and is aided by validation techniques within the software to ensure that only valid data is entered.

Files or database tables can have permissions placed on them which limit a user’s access rights. Read allows a file to be read, Write allows the file to be written to, Execute allows a program file to be run. These rights may be assigned to user groups or to individual users.

Operational security revolves around having procedures in place that all staff adhere to in order to ensure that security is maintained. This covers the safekeeping of passwords and system outputs such as reports or file copies.

Finally, backup procedures need to be established to ensure that the data and software are kept safely to allow for recovery in the event of a service disruption. Recovery will involve reloading program or data files that may have been lost or corrupted. There are four main approaches to backups:-

Download free eBooks at bookboon.com

Full backups where all system files are copied. This method takes the longest and uses the most storage but does allow for a simpler and quicker recovery.

Incremental backups only back up files that have changed or are new since the last backup was made. This type of backup is quicker than a full backup and uses less storage but will take longer to restore as more than one backup may have to be restored.

Differential backups are similar to incremental ones in that they backup files that are new or have changed since the last full backup. This is faster than a full backup and uses less storage. Restores can be completed using the last full backup and the last differential backup.

The above backup methods are usually performed monthly, weekly or daily as required.

The backup files should be kept in a safe location away from the in-use versions so as to minimise the risk of them being lost in the event of a disaster.

Continuous or mirror backups involve mirroring or copying the system files continuously.

This is the costliest approach as the hardware and network infrastructure must support it, however it does provide for fast restores to a point before a problem was detected.

Download free eBooks at bookboon.com Click on the ad to read moreClick on the ad to read moreClick on the ad to read moreClick on the ad to read moreClick on the ad to read moreClick on the ad to read moreClick on the ad to read moreClick on the ad to read moreClick on the ad to read moreClick on the ad to read moreClick on the ad to read moreClick on the ad to read moreClick on the ad to read moreClick on the ad to read moreClick on the ad to read moreClick on the ad to read moreClick on the ad to read moreClick on the ad to read moreClick on the ad to read moreClick on the ad to read moreClick on the ad to read moreClick on the ad to read moreClick on the ad to read moreClick on the ad to read moreClick on the ad to read moreClick on the ad to read moreClick on the ad to read moreClick on the ad to read moreClick on the ad to read moreClick on the ad to read moreClick on the ad to read moreClick on the ad to read moreClick on the ad to read moreClick on the ad to read moreClick on the ad to read moreClick on the ad to read moreClick on the ad to read moreClick on the ad to read moreClick on the ad to read moreClick on the ad to read moreClick on the ad to read moreClick on the ad to read moreClick on the ad to read more