Information Systems Audit reports are an important product of our office because they identify a range of issues that can seriously affect the operations of University if not addressed in advance. Concerns about security of electronic networks and information systems have been growing along with the rapid increase in the number of network users and the value of their transactions. Security has now reached a critical point where it represents a prerequisite for the growth of electronic businesses and the functioning of the whole system. Considering this is a growing University we would like to perform an audit for the school. We focus on the business needs first of the school rather than the technology needs. One of the most valuable assets is data, without data, the University loses its record of transactions and its ability to deliver value to the students and staff as well as parents and guardians.
$45 Bundle: 3 Expertly Crafted Essays!
Expert Editing Included
All the organizations we audit understand the criticality of their IT systems to their operations and yet, too many underestimate the risks that exist to those systems. I trust that the guidance we will mention on this report will make it easier for Riara University to review its practices and improve the security of information they hold.
The analysis of the network and information security issues
What is network and information security?
Networks are systems on which data are stored, processed and through which they circulate. They are composed of transmission components (cables, wireless links, satellites, routers, gateways, switches) and support services (domain name system including the root servers, caller identification service, authentication services). Attached to networks is an increasingly wide range of applications (e-mail delivery systems, browsers) and terminal equipment (telephone set, host computers, PCs, mobile phones, personal organizers,).
The protection of information and the critical elements, including systems and hardware that use, store, and transmit that information. The value of information varies from various aspects like Availability, Confidentiality and Integrity.
Overview of security threats
Management must be informed of the various kinds of threats facing the University. A threat could an object, staff or students that possess constant danger to an asset, by examining all threat category in turn. The objective of these sections is to specify the type of security risks in order to lay the basis for the establishment of a policy framework to improve security. Below are the various threats that could occur in Riara University:
Interception of communications
Information transmitted through the networks could be copied or modified through various ways: these include the physical access of network lines e.g. wiretapping and monitoring radio transmissions. Malicious interception of information should be curbed especially from the students on things like examination results or personal information of the student faculty in the various school departments. Unlawful interception can cause damage both through invasion of the privacy of school faculty and through the exploitation of data intercepted: such as passwords or examination details, for sabotage.
Unauthorized access into computer and computer networks
Unauthorized access to a computer or network of computers is usually done with malicious intent to copy, modify or destroy data. Technically this is called intrusion and can be done in many ways including exploiting inside information, dictionary attacks, brute force attacks, exploiting people’s tendency to use predictable passwords, social engineering and password interception. It is often performed from within the University. Some students would take advantage of the other students’ ignorance of not changing their passwords occasionally and check on their personal details.
Networks are now largely digitized and controlled by computers. Nowadays, the most disrupting attacks tend to exploit the weaknesses and vulnerabilities of network components ,operating systems, routers, switches, name servers, etc. The internet is a major component of the access and transfer of information in Riara University. The various internet service providers used could have downtime where it could prove potential risk to the Information. The school also allows the students to save information on the cloud. In cases of network disruption the availability of this information will not be there.
Execution of malicious software that modifies or destroys data
Computers in the University run with software. Software can unfortunately also be used to disable a computer, to delete or modify data. As the above descriptions show, if such a computer is part of the network management it’s malfunctioning can have far-reaching effects. A virus is one form of malicious software. It is a program that reproduces its own code by attaching itself to other programs in such a way that the virus code is executed when the infected computer program is executed. The University has Computers in the lab that could be infected with a virus or a worm. Students could plug in infected flash drives unintentionally or intentionally and could affect the whole system. Some of these viruses could be added when students download items from the internet and could be embedded in this files hence corrupt the system which could spread through the networked computers.
Environmental and unintentional events
Many security incidents are due to unforeseen and unintentional events caused by: natural disasters (e.g. storms, floods, fires, earthquakes),third parties without any contractual relation with the operator or the user (e.g. interruption of service because of the service providers constructional workings), third parties with a contractual relation with the operator or the user (e.g. hardware or software failures in delivered components or programs), human error or poor management of the operator (including the service provider) or the user. Hence why students are asked when using the Computer lab not to carry food or drinks inside. As well as not to change the connection of the wires done in the lab. Natural disasters cause disruption in the availability of networks. Unfortunately it is during such events that functioning communication lines are most needed. Hardware failures and poor software design can create vulnerabilities which cause immediate disruption or are exploited by attackers. Poor management of network capacity can lead to congestion that slows down or disrupts the communication channels.
Methodology on how to curb these threats
Networks and information systems carry more and more sensitive data and economic valuable information which will increase the incentive for attacks. However, the disruption can also be on a much more critical scale, up to the level of interference with highly sensitive communications, significant power cuts, or major loss of University through denial of service attacks or confidentiality breaches.
The speed of technology change poses new challenges, problems of yesterday disappear and today's solutions are meaningless. The following are the methodologies that we will use to prevent or curb the threats:
- Having a secure computer can definitely provide peace of mind. These are the various way we will enforce to prevent unauthorized access into computer and the computer network:
- Passwords – make sure that all the various platforms that have confidential information are password protected. We will provide training of helpful password tips to help the University faculty not to make obvious passwords that could be easily guessed. We will explain the importance of changing the passwords to the faculty and the University could make it a routine in the school.
- Firewalls - We highly recommend all computer users have a firewall solution. There are two ways a firewall can protect your computer and network. Hardware firewall - A hardware firewall is a physical device that is connected to your network. Software firewall - A software firewall is a software program that you install on your computer to helps protect it from unauthorized incoming and outgoing data. Keep in mind that a software firewall is only going to protect the computer on which it has been installed. Additionally, many antivirus scanners include their own version of a firewall program. This saves the University some money especially if they buy the premium Anti Viruses software.
- Interruptions have been damaging for certain high-profile websites. Increasingly companies rely on the availability of their websites for their business and those companies that depend on it for ‘just in time’ supply is particularly vulnerable. Attacks on DNS servers are, in principle, easily dealt with by extending the DNS protocols, for example using secure DNS extensions based on public key cryptography.
- Malicious software has become more evolved and sophisticated, so have the software and hardware technologies for helping to prevent malware threats and attacks. Malware threats have been very costly for midsize businesses in both attack defense and response technologies and operations. The Internet has significantly raised the profile of external threats to midsize business environments while some of the greatest threats still continue, such as internal attacks. Although, internal attacks that have the highest potential for damage result from the activities of insiders in the most trusted positions, such as network administrators. Insiders are likely to have specific goals and objectives, such as planting a Trojan horse or unauthorized file system browsing while maintaining legitimate access to the systems.
- The University could also adopt on stronger security measures: like people could be searched when coming in and out of the school to prevent theft. They could also take up insure the equipment’s found in the school area in case of natural disasters.
However, this involves installing new software on client machines and has not been widely deployed. Also, the administrative process required to enhance the trust between DNS domains needs to become more effective. Attacks on the routing system are much harder to defend. The Internet was designed to maximize flexibility in routing as this reduces the probability of service being lost if one part of the network infrastructure breaks down.
The Human Resource department could come up with an oath form where the employees of the university will sign not to disclose any information regarding the school and if found it will cause serious repercussions. The university ICT department could also adopt a routine checkup of the system after a period of time. In this they will be able to assess the extent as to which the malware has caused damage, evaluate control strategies that they would use, implement these control strategies on the system.