Information security is important to the development of any organization, and the post concerned with information systems security issues is charged with a number of critical assignments. Among them is evaluating and advising the network administrator on the formation of a "server farm". The server farm is to be configured to allow a proxy firewall in the command centre's DMZ to access an internal web server, as opposed to the web server in the DMZ. Establishing the system requires critical consideration of the Department of Defense (DoD) information security policies and the NSTISS policies regarding appropriate network components, as well as operational and security considerations based on the model and operation of the network.
Information security mainly refers to protecting information from unwanted disclosure and access. Towards this, a policy framework has been set up to be followed, to help keep information from getting into the wrong hands (Simon, 2011). The regulations need to be enforced. Among them is the use of off-the-shelf information security systems that provide security services. Additionally, the devices and software are expected to function as advertised. This helps curb the threat of information landing in the wrong hands. Furthermore, Information Assurance (IA) IT products should be acquired in accordance with the guidelines set by the National Information Assurance Policy. Among the various regulations is the Federal Information Processing Standard (FIPS), which is a validation program. The validation program ensures that national security is not threatened by any party. Additionally, the Department of Defense will feel that the country's security is well protected because proper information security mechanisms are in place. IA-enabled products include systems that offer security services within applications (Simon, 2011). They include web browsers, trusted operating systems and packet-screening routers, in addition to security-enabled messaging systems in the country.
To evaluate IA and IA-enabled products, the organization will be required to pay for the evaluation and put in place all the documentation required to make the evaluation process a success. If the evaluation scheme adopted for the design and development of server components is the Common Criteria (CC) evaluation, a Security Target (ST) document must be prepared that explains the security functionality within the product. The ST is required to contain all information security claims for the product being bought by the organization. The ST may contain more than one Protection Profile (PP), which helps implement a customer's ability to formally state their specific security considerations and requirements. This gives the client the benefit of stating the desired security profile for their specific environment. The robustness of the security system is also evaluated in the process, enabling management to make informed decisions. Other than the ST, the product, that is the Target of Evaluation (TOE), is required to undergo a lab test to ascertain its security performance claims. The lab is required to have been approved under the international CC scheme. After evaluation, a report known as the Evaluation Technical Report is prepared to ensure that the components used in the organization's security system meet the required security level. The report is passed to the higher body in charge of evaluation and review. Upon concurrence with the prepared report, the body issues a Common Criteria certificate. Afterwards, the certificate is entered in the registry for future reference (Simon, 2011). The process is important in the evaluation of an information security system in that future requirements for evaluation in countries that are signatories to the Common Criteria Mutual Recognition Arrangement (CCMRA) are mostly eliminated (Kizza, 2005).
Undertaking the process is important as it indicates how seriously the organization treats computer security related issues. This helps win over more clients, in addition to winning the government's confidence, since the systems set up are information security compliant. This puts the country's security in a proper position to overcome any potential threat.
The application of appropriate security models is key to the success of the proposed information security system. The architecture and the management of source code are among the key issues that require being isolated and addressed. Aspect Oriented Programming has been encouraged to give improved security features. This is due to the separation of security from other non-functional requirements and, as a result, maintaining secure source code. Instead of programmers treating security as the last thing to consider in software development, it is required to be addressed at every stage of development. Modularization through the use of components is encouraged to make the software more manageable (Kizza, 2005). Improved code architecture, in addition to management, is encouraged. To achieve this, information system security is required to be treated as a non-functional component of the information system. There are various security models and concepts, namely the Bell-LaPadula model and Biba. The Bell-LaPadula model is a mathematics-based model that explains computer systems (Weber, 1999). The aspect of information security addressed in the system is inductive. It guides the process of gaining access in any form: reading, executing, appending and writing. Discretionary access to the system is set up to help curb unwanted access. The model is mainly applicable in military-based systems since it provides exceptional confidentiality. Additionally, it is important to note that a subject might not be able to write to objects with a lower classification. The Biba model, on the other hand, which was developed after LaPadula's model, similarly uses mathematical concepts to address data confidentiality models. Data integrity is addressed at length in the model. The model states that a simple integrity rule should be followed: "subjects may not read an object at lower integrity."
Additionally, the other rule, stating a no-read-down policy, had to be instituted to ensure data security in the organization. The model is mainly used in commercial institutions where data integrity is mostly required as opposed to confidentiality.
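The two models discussed above can be expressed as a small reference monitor. The following is an added example, not code from the essay or any cited work; the level names, integrity numbers and sample subject and objects are constructed for illustration. It enforces Bell-LaPadula's no-read-up and no-write-down rules together with Biba's no-read-down and no-write-up rules for the four access modes named in the text (read, execute, append, write) and reports which model denied a request.

```python
from dataclasses import dataclass

# Confidentiality lattice for Bell-LaPadula; a higher index dominates a lower one.
LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP_SECRET"]

@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str   # Bell-LaPadula sensitivity label
    integrity: int   # Biba integrity label (higher = more trustworthy)

@dataclass(frozen=True)
class Obj:
    name: str
    classification: str
    integrity: int

def blp_allows(subj: Subject, obj: Obj, mode: str) -> bool:
    """Bell-LaPadula: no read up (simple security), no write down (*-property)."""
    s, o = LEVELS.index(subj.clearance), LEVELS.index(obj.classification)
    if mode in ("read", "execute"):
        return s >= o          # subject clearance must dominate the object
    if mode == "append":
        return o >= s          # blind write-only upward is permitted
    if mode == "write":
        return s == o          # read+write access needs equal levels
    raise ValueError(f"unknown access mode {mode!r}")

def biba_allows(subj: Subject, obj: Obj, mode: str) -> bool:
    """Biba: no read down (simple integrity), no write up (integrity *-property)."""
    if mode in ("read", "execute"):
        return obj.integrity >= subj.integrity   # consume only data at least as trusted
    if mode in ("write", "append"):
        return subj.integrity >= obj.integrity   # never taint higher-integrity data
    raise ValueError(f"unknown access mode {mode!r}")

def decide(subj: Subject, obj: Obj, mode: str) -> tuple[bool, list[str]]:
    """Enforce both models; return the decision and the names of the models that denied."""
    denied_by = [name for name, check in (("BLP", blp_allows), ("Biba", biba_allows))
                 if not check(subj, obj, mode)]
    return (not denied_by, denied_by)

if __name__ == "__main__":
    # Constructed sample labels, not taken from any real system.
    analyst = Subject("analyst", "SECRET", integrity=2)
    for obj, mode in [(Obj("ts_plan", "TOP_SECRET", 3), "read"),
                      (Obj("web_form", "CONFIDENTIAL", 1), "read"),
                      (Obj("audit_log", "TOP_SECRET", 1), "append"),
                      (Obj("signed_config", "SECRET", 3), "write")]:
        ok, denied = decide(analyst, obj, mode)
        print(f"{analyst.name} {mode} {obj.name}: {'ALLOW' if ok else 'DENY by ' + ','.join(denied)}")
```

Note that a request can pass one model and fail the other: reading a low-integrity form is fine for confidentiality but violates Biba, while reading a higher-classified document is fine for integrity but violates Bell-LaPadula.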
The Information Technology Security Evaluation Criteria (ITSEC) refers to a structured set of criteria used in evaluating computer security within a system or product (Weber, 1999). The program has certification and evaluation programs that are meant to help evaluate the security levels and functionality of various computer systems in an organization within the scope area. The criteria used were developed in the US by the defense establishment. The system requires the evaluation of targets for information security compliance. Its main benefit is that a target of evaluation may be able to provide authentication evidence and integrity features without compromising on integrity. ITSEC awards its highest level, E6, to the most compliant organization. Authentication ensures the information doesn't get into the wrong hands that may use it for malicious purposes or to the detriment of society.
The National Security Telecommunications and Information Systems Security Committee (NSTISSC) (Weber, 1999) provides guidelines that enable the security condition of the country to be improved. The guidelines enable organizations to set up information security systems that are compliant with the highest levels of integrity and confidentiality, to address the interests of individuals and the country as a whole (Merkow, 2005). The body is headed by the Defense head in the country, who is required to ensure compliance in the country with the information system and other security programs. Trainings are conducted to acquaint various professionals with knowledge about proper information security systems. The guidelines of the committee require each firm to employ properly trained information security professionals who are trained based on the provided guidelines (Weber, 1999). Information system security is important not only to the organization but also to national security. Additionally, the information is important to the Department of Defense in that they are able to gather intelligence and also monitor the information flow through various channels in the country. Aspects such as object-oriented programming could be undertaken to ensure that security is enhanced in the information system. Furthermore, role-based access controls and Bell-LaPadula security models should be implemented in object-oriented programming.
In conclusion, it is important to note that the role of an information systems security officer is critical to the success of an organization. Through that role the officer is required to ensure compliance with state regulations. Additionally, they are required to ensure that the firm's information systems are kept in a condition ensuring the integrity and confidentiality of the information stored, received and sent.
Copeland, D. C. (2000). The origins of major war. Ithaca, NY: Cornell University Press.
Kizza, J. M. (2005). Computer network security. New York, NY: Springer.
Merkow, M. S., & Breithaupt, J. (2005). Computer security assurance using the Common Criteria. Clifton Park, NY: Delmar Learning.
Simon, R. J., & Abdel-Moneim, M. A. (2011). A handbook of military conscription and composition the world over. Lanham, MD: Lexington Books.
Weber, R. E. (1999). Spymasters: Ten CIA officers in their own words. Wilmington, DE: SR Books.