Information systems is a discipline that encompasses all matters regarding the protection of data and information, the relevant technology used for communication, processing and storage of information, and the computer resources utilized for the same (Gelbstein & Kamal, 2002, p. 13). Some of the fundamental advantages of implementing ICT are speed and minimal delays in completing tasks (Kvassov, 2002, p. 3). The great advancement and sophistication of ICT has also brought in a more complex problem of cyber crime and cyber terrorism. The impact of cyber crime and cyber terrorism cuts deep into the economic and social structure of life globally (Gelbstein & Kamal, 2002, p. 1-2). There is concern over the increased awareness and use of information exploitation devices by criminal elements; the U.S. Army therefore needs to identify, select and deploy proper and reliable information systems that cannot be compromised by its real and perceived enemies. Such an information system needs to factor in strategies for restoration and recovery of data in the event of an attack on the information system or the failure of the same. This brings in the issue of security awareness. It is a proactive process of educating personnel towards mitigation of threats to the information systems. It is an appropriate remedial measure (Sans Institute, 2001, p. 6). The insider threat from disgruntled personnel is an issue that cannot be overlooked. Insider attacks are triggered by stressful occurrences that cause unbecoming behavioral traits in personnel predisposed to acts of malice (Band et al., 2006, p. 30).
Table of Contents
Data Restoration and Recovery Strategy
I.T Mission Impact Analysis
Information technology risk assessment
Information technology mission continuity planning
Evaluation and reassessment
Information Security Technologies-strengths and weaknesses
Information is power, as Francis Bacon stated as early as the mid-1600s. This statement is as relevant today as it was over three centuries ago, although the information age can be said to have started with the invention of the electric telegraph in 1840 (Gelbstein & Kamal, 2002, p. 6). ICT has been aggressively integrated into the management and day-to-day running of organizations. Its impact on managerial productivity has raised several issues (Kvassov, 2002, p. 3). The U.S. Army relies greatly on ICT systems in carrying out its missions. This heavy integration of ICT is not only advantageous but also makes the U.S. Army greatly vulnerable. Consequently, the higher the degree of vulnerability, the more easily the information systems of an organization can be manipulated. It is paramount that the U.S. Army ensures the security of its information system to prevent criminal manipulation of and access to its sensitive data (Dacey & Rhodes, 2004, p. 2). An example of criminal intent regarding information systems in the U.S. Army occurred in 1989, when Peri Michael, an electronic warfare signals specialist, fled to enemy territory with classified computer data. He was later charged with espionage (Band et al., 2006, p. 102).
There exist about 18 different information system security technologies that protect the ICT infrastructure; they are classified into categories according to their operations and usefulness (Dacey & Rhodes, 2004, p. 2).
Data Restoration and Recovery Strategy
The major cause of information security problems can be traced to the absence of successful management programs for the same. For the purpose of this paper, only a brief overview of the available information system security technologies is provided. An in-depth study into the effectiveness of these technologies is beyond the scope of this paper.
A comprehensive strategy for restoration of information system operations and the recovery of data should entail a risk management program. A risk management program is a process that identifies, controls, and manages the resultant impact of detrimental occurrences in relation to the value of the protected interests. This program can be broken down into several steps. The process will shed light on what risks exist in the information technology environment and how best to mitigate those risks (Davis & Payne, 2004).
I.T Mission Impact Analysis
This entails the identification of significant assets such as the information to be protected, the relevant hardware and software, and the army personnel that need to be safeguarded against unavailability of data, illegal access, tampering, leakage or other security violations. To determine which of the U.S. Army's assets are critical, the following questions must be answered: What is the mission of the department or army, and what key role does the army perform in realization of its mission? What I.T hardware infrastructure and assets are key to the performance of the identified functions? Examples of the I.T hardware infrastructure are desktop computers, servers, PDAs and laptops. What I.T software and data assets are key to the performance of the identified functions? What I.T personnel are important to the performance of the major functions? Examples here are server administrators, the Local Support Partner (LSP) or Associate (LSA), and database administrators (Davis & Payne, 2004).
Information technology risk assessment: This is the determination and appraisal of the threats to the assets identified by the mission impact analysis. It entails the need for integrity of data, accessibility, confidentiality, accountability and acceptance (Grance et al., 2003, p. 18). It is carried out in the following manner: appraise the army's security procedure against audit, state and federal principles; map the army's assets mentioned above to the threat situation provided; gauge each threat to the assets based on the probability of its occurrence and the influence of any vulnerability; prioritize the threats; map these threats back to the response policy developed; formulate the security strategy to mitigate or accept the identified risks; take into consideration any formerly employed strategies and accessible plans; lastly, record the important assessments and validations (Davis & Payne, 2004).
The following are proposed requirements in risk assessment to address physical security of information systems: All computers and important mission systems should be located in secure areas. These must be areas that are not easily accessible to unauthorized personnel. Physical security of army premises should be reviewed periodically. Desktop and notebook computers should be equipped with devices that discourage theft. The I.T premises should have smoke detectors, water detectors, fire suppression systems and temperature sensors. All important computer hardware should be connected to uninterruptible power supply (UPS) devices to avoid damage and loss of data in case of power surges. Any hacking attempt should be reported immediately to the relevant authority and necessary action taken. There should be an updated and accurate inventory of all hardware and software.
In addressing account and password management, the following should be observed: There should be clearly documented criteria for accessing data, which must be pegged to job responsibilities. The data used to determine the authenticity of a user must be secured and kept confidential. Passwords should be changed from time to time. Users should only be allowed access to the data required for their official tasks. Shared accounts should be audited from time to time. An account should be locked out after three unsuccessful attempts to log in. Unauthorized use of modems attached to desktops and servers that can receive calls must be discouraged (Davis & Payne, 2004).
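The three-attempt lockout rule above can be expressed as a small state machine. This is an added example, not taken from the cited sources; the names LockoutTracker, replay and EVENTS are hypothetical, the events are constructed, and it assumes that failures are counted consecutively, that a successful log-in resets the count, and that a locked account stays locked until an administrator unlocks it.

```python
from dataclasses import dataclass, field

MAX_FAILED_ATTEMPTS = 3  # threshold stated in the text

# Constructed sample events: (time, account, password_ok). Not real log data.
EVENTS = [
    ("08:00:01", "jdoe", False),
    ("08:00:05", "jdoe", False),
    ("08:00:09", "jdoe", True),     # success resets jdoe's counter
    ("08:01:00", "asmith", False),
    ("08:01:02", "asmith", False),
    ("08:01:04", "asmith", False),  # third consecutive failure
    ("08:01:06", "asmith", True),   # correct password, but account is locked
    ("08:02:00", "jdoe", False),
]

@dataclass
class LockoutTracker:
    """Counts consecutive failed log-ins per account (hypothetical helper)."""
    threshold: int = MAX_FAILED_ATTEMPTS
    failures: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)

    def record(self, account: str, password_ok: bool) -> str:
        if account in self.locked:
            # Assumption: a locked account stays locked until an
            # administrator calls unlock(); credentials are not evaluated.
            return "rejected-locked"
        if password_ok:
            self.failures.pop(account, None)
            return "ok"
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= self.threshold:
            self.locked.add(account)
            return "locked"
        return "failed"

    def unlock(self, account: str) -> None:
        self.locked.discard(account)
        self.failures.pop(account, None)

def replay(events):
    """Return (audit trail, sorted locked accounts) for a list of events."""
    tracker = LockoutTracker()
    trail = [(t, acct, tracker.record(acct, ok)) for t, acct, ok in events]
    return trail, sorted(tracker.locked)

if __name__ == "__main__":
    print(replay(EVENTS))
```

The audit trail returned by replay is the record that would be reviewed when a lockout is reported to the relevant authority.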
Protection from viruses is of paramount importance in the protection of information systems. This should be addressed by installing anti-virus software on all the computers. Periodic updating of the anti-virus software and scanning must be done. In addressing data backup and recovery, U.S. Army personnel must be aware of the recommended computer backup options and cycles available. The backup needs must be periodically reviewed, and instructions for off-site storage of data must be provided.
Only the recommended operating systems should be used. Updating of the operating systems, including security patches, is necessary. Scanning for security vulnerabilities should be done periodically. Personnel should have access to software applications commensurate with their official responsibilities. Access to sensitive data must be restricted (Davis & Payne, 2004). These recommended requirements are not exhaustive, but they provide guidelines on issues to consider in risk assessment regarding preventing and managing system failures in data restoration and recovery.
Information technology mission continuity planning: This is the development of a plan of action for the restoration of assets identified in the mission impact analysis and for the continuity of functions during the restoration process. In mission continuity planning, develop or update a reaction plan in case important I.T assets (particularly data) are lost, inaccessible, corrupted or divulged. Lastly, test the developed plan. This step also involves identifying rolling plans to provide continuity of the mission-critical functions in case the responses highlighted in the previous steps fail or an unforeseen risk occurs in the information systems. In this step, develop a response plan to be implemented in case of failure of the information systems. The cost implication of the data recovery process has to be factored in. The U.S. Army, being a large institution, will benefit from economies of scale. Factors to consider in this process are: How long can the Army function in case of a failure in its information systems? Can the functions run from the failed systems be run from different servers? Identify the recovery team. An emergency procurement procedure must be in place. Staff training on data recovery is necessary. This will not only reduce the cost incurred from outsourcing of experts but will also ensure confidentiality of classified data. A simple disaster recovery plan checklist would entail: assessing the damage encountered, notifying all relevant authorities and personnel, providing the recovery team, providing the necessary infrastructure, securing appropriate hardware, bringing back the information stored off-site, installing appropriate operating systems, restoring all data and, lastly, before commencing operations, testing the process for compliance (Davis & Payne, 2004).
In providing an interim manual process to cater for continuity of operations, a simple procedure checklist would entail: identifying the appropriate procedure to be implemented, identifying competent data recovery personnel (Sans Institute, 2001, p. 6), and establishing the duration the manual process can hold before the process is complete. The manual procedure should be well documented. Lastly, establish how the reintegration of the recovered data is to be done. This will assist in the development of the information technology mission continuity plan.
Evaluation and reassessment: This is the replication of the steps mentioned above. This should be done periodically, preferably every three years. Evaluation and reassessment should also be done every time there are major changes in the information technology department or the perceived risk situation. The success of the former analysis should be subjected to review and testing. Determine whether the responses made are remedial, defensive or post-incident. The responses thus obtained should be incorporated into the superseding changes in operating systems, important applications or data, or government standards. Some important factors to consider in this step are: Has step 1 been adequately addressed, as in protecting what was recommended to be protected? Has the response to compromised data been successful? Have the operating systems been reviewed for compliance? Are there any new changes in the relevant technology in the market?
In all four of the aforementioned steps, deadlines must be applied for the successful completion of each, so that the U.S. Army is able to ensure steady progress.
Information Security Technologies-strengths and weaknesses
There are five general categories: access controls, system integrity controls, cryptography controls, audit and monitoring controls, and configuration management and assurance controls (Dacey & Rhodes, 2004, p. 11).
Access controls help in protecting data from unauthorized access.
Strengths: They simplify security by minimizing vulnerability. They make it more difficult to infiltrate information systems, through the use of boundary protection and authentication technologies. Access to sensitive data is restricted to authenticated personnel only. Boundary technologies are also used to keep track of network connections for in-bound and out-bound data flow. Firewalls are versatile, enabling easy deployment into the information network. They have speed and flexibility (Dacey & Rhodes, 2004, p. 19).
Weaknesses: It is possible for a user to bypass the controls. Viruses already in the internal network may corrupt data. They are vulnerable in that flaws within the information system, such as in the TCP/IP protocol, will undermine their usefulness. Some access control technologies can only provide limited support. Others, like proxy gateway firewalls, are not effective in high-bandwidth or real-time applications.
System integrity controls ensure that data is not manipulated through the use of malevolent code. Such code includes viruses, worms and Trojan horses. System integrity controls have technologies that protect against these. Anti-virus software is installed to identify in-bound or already existing viruses, Trojan horses and worms in the information system (Office of the Manager National Communications System, 2000, p. 20).
Strengths: They are effective against Trojan horses and worms.
Weaknesses: Certain viruses change their code when they infect other computers, thus making the anti-virus software ineffective. Some software is generally ineffective against certain viruses.
Cryptography controls are used to encrypt data to ensure access only by authorized users. The cryptography controls have technologies such as secret keys.
Strengths: They provide assurance of data confidentiality, integrity, and authentication of users. Other technologies such as virtual private networks (VPN) offer access from remote networks away from the office.
Weaknesses: It is necessary to periodically change the keys, and when they are used by many parties, this creates a huge financial and logistical hurdle. Technologies such as digital certificates can be forged, hence unauthorized users can access the information system. Virtual private networks (VPN) can be easily compromised if the networks connected to them are not appropriately secured (Dacey & Rhodes, 2004, p. 40-51).
Audit and monitoring controls are used for investigation purposes in case of an attack on the information systems. Configuration management and assurance controls are used to review, verify and, if necessary, change the security settings of the information systems and ensure safe operations (Dacey & Rhodes, 2004, p. 51).
Strengths: Technologies in this control are able to 'learn' acceptable commands and jam irregular data. The Intrusion Prevention System (IPS) technology maps out the origin of the attack (Dacey & Rhodes, 2004, p. 55).
Weaknesses: Technologies such as intrusion detection systems (IDS) can only work with human input. IDS only respond to known attacks. An attacker can compromise the information system if he attacks while the IDS is disabled (Dacey & Rhodes, 2004, p. 54-55).
References
Band, R. S., Cappelli, M. D., Fischer, F. L., Moore, P. A., Shaw, D. E., & Trzeciak, F. R. (2006). Comparing Insider I.T. Sabotage and Espionage: A Model-Based Analysis. Pittsburgh: CERT Program.
Dacey, R. F., & Rhodes, A. K. (2004). Information Security: Technologies To Secure Federal Systems. Washington, D.C.: United States General Accounting Office.
Davis, B., & Payne, S. (2004). University of Virginia Information Technology Security Risk Management (ITS-RM) Program. OIT's Security and Policy Office. Retrieved February 11, 2009, from
Gelbstein, E., & Kamal, A. (2002). Information Insecurity: A Survival Guide to the Uncharted Territories of Cyber-Threats and Cyber Security. New York: United Nations ICT Task Force and the United Nations Institute for Training and Research.
Grance, T., Hash, J., & Stevens, M. (2003). Security Considerations in the Development Life Cycle: Recommendations of the National Institute of Standards and Technology. Gaithersburg: Computer Security Division, Information Technology Laboratory.
Kvassov, V. (2002). Linking Personalization of Information System To Managerial Productivity. Finland: Turku Centre for Computer Science.
Office of the Manager National Communications System (2000). The Electronic Intrusion Threat to National Security and Emergency Preparedness (NS/EP) Internet Communications: An Awareness Document. Arlington.
Sans Institute (2001). Sans Institute Infosec Reading Room. Retrieved February 11, 2009, from