Today, information security is one of the highest priorities on the IT agenda. In 2003, Luftman and McLean (2004) conducted a survey of Society for Information Management members to identify the top 20 information technology (IT) issues for executives. Security and privacy issues were ranked third, after IT/ business alignment and IT strategic planning. Concept of information security applies to all the data stored in information systems or being communicated in information networks and encompasses measures applied on all layers of open system interconnect (OSI) model of international standards such as application, networking, and physical. Sophisticated technologies and methods have been developed to: • Control access to computer networks • Secure information systems with advanced cryptography and security models • Establish standards for operating systems with focus on confidentiality • Communication integrity and availability for securing different types of networks • Manage trustworthy networks and support business continuity planning, disaster recovery, and auditing The most widely recognized standards are: • In the United States: Trusted Computer System Evaluation Criteria (TCSEC). • In Canada: Canadian Trusted Computer Product Evaluation Criteria (CTCPEC). • In Europe: Information Technology Security Evaluation Criteria (ITSEC). All of theses standards have recently been aggregated into Common Criteria standards. And yet, the information systems continue to be penetrated internally and externally at a high rate by malicious code, attacks leading to loss of processing capability (like distributed denial-of-service attack), impersonation and session hijacking (like man-in-the-middle attack), sniffing, illegal data mining, spying, and others. The problem points to three areas: technology, law, and IT administration. Even prior to the drama of 9/11, several computer laws were enacted in the USA and yet more may come in the future. Still the fundamental threats to information security, whether they originated outside the network or by the company’s insiders, are based on fundamental vulnerabilities inherent to the most common communication protocols, operating systems, hardware, application systems, and operational procedures. Among all technologies, the Internet, which originally was created for communication where trust was not a characteristic, presents the greatest source of vulnerabilities for public information systems infrastructures. Here, a threat is a probable activity, which, if realized, can cause damage to a system or create a loss of confidentiality, integrity, or availability of data. Consequently, vulnerability is a weakness in a system that can be exploited by a threat. Although, some of these attacks may ultimately lead to an organization’s financial disaster, an all-out defense against these threats may not be economically feasible. The defense actions must be focused and measured to correspond to risk assessment analysis provided by the business and IT management. That puts IT management at the helm of the information security strategy in public organizations.
Secure Information Systems Engineering: Experiences and Lessons Learned from Two Health Care Projects