Computer Security

The CIA and DAD triads are security models designed to help people think about critical aspects of IT security. The CIA triad represents the core concepts of information security; the initials stand for confidentiality, integrity, and availability. Confidentiality is about data classification and recognizes that not all information is confidential (Solomon & Chapple, 2009). Confidential information or data should be accessible only to authorized people. Integrity ensures that all data is accurate and reliable. For information systems and information security to be effective, the information ought to be available.

The DAD triad consists of disclosure, alteration, and destruction. Disclosure is the revealing of information, and confidentiality aims to prevent disclosure of information to unauthorized users. Data may be altered at rest or while in transit (Solomon & Chapple, 2009). Any information that cannot be trusted can be categorized as data. Data alteration can be avoided when users apply integrity in data handling. Destruction makes information unavailable and inaccessible to the users. Destroyed data is no longer available, while altered data is still available.
A security principle is a statement of value, operation, or belief that drives all the elements of a security framework. A collection of principles provides the security philosophy that guides the development of security policies. A security policy includes the rules and regulations that govern a security system. Security policies should be founded on business principles of corporate philosophy. The policy communicates to users and managers what they need to know in order to make decisions on information security. The security policy protects the confidentiality, availability, and utilization of information by defining what is acceptable or unacceptable in dealing with security. It also protects the authenticity and the integrity of the information presented (Khosrowpour, 2009). A security policy framework aims to manage risk and maintain employee accountability for the protection of information. A security policy may be required to protect an organization legally in case an employee violates it. If an organization does not have a security policy, it may be difficult to hold employees responsible for their actions.
The information security communication policy for the New Jersey University is easy to understand since simple language has been used (NJCU, 2012). The policy has been defined well and the performance indicators have been elaborated. In the introduction, the importance of information security has been mentioned in order to introduce the user to the university’s security policy. In my opinion, none of the security policies is missing.
The policy document shows that the senior management in the university is concerned with information security (NJCU, 2012). It is stated in the security policy document that all Deans, Directors, and Departmental Heads are responsible for the security of information resources in all the offices under their jurisdiction.
The information security policy describes the university’s approach to information security. According to the policy, the person assigned university-owned computing hardware is responsible for the safekeeping of the hardware and the software. To acknowledge this responsibility, a data confidentiality form must be signed. The data ownership remains with the person assigned to the log-in details. It is the responsibility of the data custodian to archive data in accordance with the established data archival procedures.
Although information security is not defined verbatim in the policy, the document has defined hardware security and the responsibilities of a custodian in ensuring information security measures are enhanced (NJCU, 2012). In addition, the data user responsibilities have been defined, where users are informed to comply with security measures that are specified by the owner or custodian. Users are also advised not to disclose any information or data unless authorized in writing by the data owner.
The information security management responsibilities have been outlined in the document, with the emphasis being on the custodian and data user responsibilities. The custodian provides the general security access system and should ensure compliance of data users with the security procedures in the university (NJCU, 2012). The custodian should only use data for the purposes defined by the owner, and no data or information should be disclosed by the custodian without express permission from the owner.
Some of the other documents mentioned to support the information security policy include the data collection policy, data confidentiality policy, information privacy policy, and desktop security guidelines document (NJCU, 2012). The data confidentiality policy states all the regulations to ensure data confidentiality, while the desktop guidelines outline the necessary procedures to be observed by a user to avoid a breach of information security. These include regular updating of computer software and installation of antivirus.

The owner of the security policy has been defined. New Jersey City University is the owner of the security policy, while the management of the policy is done by the Director of Information Technology Services. The owner has the overall responsibility of developing the security policy and is also responsible for ensuring effective management of the security policy.

References

Khosrowpour, M. (2009). Managing Information Technology Resources in Organizations. New York: Idea Group Inc.

NJCU. (2012). Information Security Policy. Retrieved from http://www.njcu.edu/it/policies/ on 20th March 2013.

Solomon, M., & Chapple, M. (2009). Information Security Illuminated. New York: Jones and Bartlett.

 

 
