INFORMATION MANAGEMENT AND SECURITY Professional Training in Information and Communication Technology (ICT) and E-Governance For Class III Officers of the Government of Nepal 2016/05/24

Upload: dinhkhue

Post on 30-Mar-2018


Page 1: INFORMATION MANAGEMENT AND SECURITY - NASCdms.nasc.org.np/sites/default/files/documents/Information... · INFORMATION MANAGEMENT AND SECURITY Professional Training in Information

INFORMATION MANAGEMENT AND SECURITY

Professional Training in Information and Communication Technology (ICT) and E-Governance

For Class III Officers of the Government of Nepal

2016/05/24

Page 2

Need to know

WE are now responsible for managing information in OUR workplace.

Identifying and saving official records is a VERY important part of OUR responsibility.

Managing information effectively ensures that information is available (captured, organized, maintained, preserved), protected and disposed of in accordance with legislation and policy requirements.

“In an era where decisions get made on BlackBerry handhelds and over mobile phones, the paper trail”

Page 3

Outcome

Understanding data and information

Characteristics of data and information

Overview of information management

Understanding records and their types (official and transitory)

Importance of IM

How IM will benefit you

IM and its lifecycle

Types of information system

Understanding policies and procedures

The goals of IM

Strategies to implement IM

Recommendations

Page 4

Introduction to Data, Records and Information

Page 5

Data and Information

Ask yourself: what are data and information?

Page 6

Definition

“It is said that information (or knowledge) is power, but on the other hand, that information by itself is worthless and cannot solve problems. Information has power only when used and applied effectively.”

- (Boon 1992; Martin 1984; Paez-Urdaneta 1989)

Page 7

Sources

Page 8

Characteristics of Data & Information

Information is data that is:

Accurate and timely,

Specific and organized for a purpose,

Presented within a context that gives it meaning and relevance, and

Able to lead to an increase in understanding and a decrease in uncertainty.

Data mining is an emerging concept used to extract hidden and previously unknown information from large amounts of data.

Information is valuable because it can affect:

Behavior,

A decision,

An outcome.

For example, if a manager is told that his/her company's net profit decreased in the past month, he/she may use this information as a reason to cut financial spending for the next month.

A piece of information is considered valueless if, after receiving it, things remain unchanged.

Page 9

Records

A record is essential for the business; it holds evidentiary value of a business decision or is kept for compliance reasons.

A record has strict rules associated with it and is mainly kept in a separate repository from normal working documents.

A common example of records:

Details of appointment, transfer, posting, receipt of medical expenses, availing of study leave, extraordinary leave, maternity leave, maternity care leave and leave without pay by civil employees shall be updated in the seat roll (personal description) of the concerned employees maintained in the Civil Employees Record Office. (Extracted from Civil Service Rules, 2050 (1993))

Page 10

Official Records

In order to ensure that the Government of Nepal and other organizations can provide documentary evidence of all of their activities, all government/public company employees should maintain official records.

All employees should be able to identify an official record.

An official record is a document that provides evidence of an activity.

Save all official records.

This means email too.

Current practices may be manual.

Page 11

Examples of official records

Briefing notes, directives, policies, final reports and recommendations.

Workplans, schedules, assignments and performance results.

Materials that document a decision, a transaction or the position of the department.

Deliverables.

Materials of historical or research importance.

Information and deliverables from outside sources.

Agendas and meeting minutes.

Documents that result in a decision, or that result in the implementation of a policy or activity.

Documents that require a signature (must be printed and filed as hard copy).

Materials that would allow for the reconstruction of the evolution of policy and program decisions.

Materials that would be required to support a financial, administrative, or legal audit.

Page 12

Transitory Records

Transitory records are information sources that are only required for a limited period of time, in order to complete a routine action or to prepare a subsequent record.

All employees regularly delete transitory records.

Dispose of or delete transitory records once they have served their purpose.

BUT -

If you are ever in doubt about a record’s status…

Keep it!

Page 13

Examples of Transitory Records

Any of the following would be considered transitory records:

Duplicate copies used for convenience or reference (originally maintained by somebody else)

Information received as part of a distribution list

Miscellaneous, “FYI” notices or memoranda on meetings, etc.

Casual communication and personal messages

Photocopies of departmental publications

Draft documents where all critical content changes have been incorporated into a subsequent document

Working versions not communicated outside

Page 14

Importance of Information

We must be able to easily produce all of the appropriate information when the public, or other departments, ask for it – transparency.

We must share information (make it accessible) appropriately among our colleagues, between departments/agencies and across government to facilitate, enhance and make more efficient everyone’s work – collaboration.

We must be able to use the information that we have to make effective and informed decisions.

Page 15

Implementation of Information Management

Page 16

Information Management (IM)

Information management (IM) is the collection and management of information from one or more sources, and the distribution of that information to one or more audiences.

IM involves control over the structure, processing and delivery of information.

Information may be electronic or physical.

Information is managed throughout the information lifecycle.

Information is collected regardless of source or format (data, paper documents, electronic documents, audio, video, etc.).

Information may be delivered through multiple channels, which may include cell phones and web interfaces as well.

Page 17

Architecture

Page 18

Benefits of Information Management

Find the right information faster and easier - when we need it.

Reduce ‘level of effort’ by minimizing duplication of work.

We will be able to more easily share information with our colleagues.

We will be able to provide easy access to quality, reliable information to others in the department, inter-departmentally, in private industry and in the public, as appropriate.

We will be able to make informed decisions based on up-to-date information.

We will increase our ability to meet business, legal and accountability requirements, such as access to information requests, litigation and reports to the parliament and the concerned department.

Page 19

Information Management Life Cycle

Source: Association of Information and Image Management

Page 20

Capture Information

Information to capture includes:

Office Document

Forms

Rich Media

Micro Films

ERP

eForms

Finance

XML

Technologies used to capture information are:

OCR/HCR/ICR/OMR/IDR/MICR

Document Imaging

Forms processing

Web forms

Aggregation

COLD/ERM

Page 21

Manage and Preserve Information

Electronic Record Management

Digital Assets Management

Document Management

Email Management

Web Management

Business Process Management

Collaboration

Workflow

Technologies used to store information are: SAN, NAS, Magneto Optical, DVD, CD-ROM, Tape, Magnetic Storage, RAID, Optical Disc.

Necessary archiving, proper retention and proper management must be in place, with appropriate technology.

Page 22

Deliver Information

Print Distribution: Paper, Fax

Web Distribution: Internet, Extranet, Intranet, Portal, Email

Communication Distribution: Mobile Device, eStatement

Transformation Technology: COLD/ERM, Personalization, XML, Format, Compression, Syndication

Security Technologies: PKI, Watermark/Digital Rights Management, XML

“To protect the people's right to information, government gazettes, acts, policies, rules, regulations, directives, budgets, programmes and government forms will be simplified, digitised and published on the government Portal for public use, and all service recipients will be encouraged to use those forms.” (Source: Information Technology Policy, 2067)

Page 23

In Line with Policies

Information management must always be aware of and respect the legislative and policy requirements on:

Privacy;

Security;

Copyright;

Retention;

Access to Information;

Language; etc.

Relevant legislation and policy:

Governmental Documents Disposal Rules, 2027 (1971)

Information Technology Policy (2067)

The Electronic Transactions Act, 2063 (2008)

Electronic Transactions Rules 2064 (2007)

The Copyright Act, 2059 (2002)

Information Technology Guidelines (2012)

Page 24

Information Management Overview

Information Management System

Page 25

Types of Information System

Transaction Processing System (TPS): Information system applications that take in data and process it for business transactions.

Management Information System (MIS): Provides management-oriented reports in a predetermined fixed format. This helps managers with planning, monitoring and controlling the various operations.

Decision Support System (DSS): Helps users make decisions by providing useful information that supports unstructured decisions. A DSS identifies problems, proposes possible solutions, accesses the information needed, analyzes possible decisions and simulates their likely results.

Expert System (ES): Simulates the thinking of experts. Implemented with artificial intelligence technology.

Office Information System (OIS): Supports a wide range of office activities for day-to-day operation. Supports and improves workflow between workers regardless of their physical locations.

Personal and Workgroup Information System (PIS/WIS): A personal information system serves individual productivity and is designed to support a single user’s needs. A workgroup information system meets the needs of a work group and increases the productivity of groups.

Page 26

Goals of Information Management

Quality information is created and provided

Government program and service delivery is efficient

Decisions are documented

Information is available (captured, organized, accessible, maintained, preserved)

Information is protected in accordance with legislation and policy requirements

Information is disposed of in accordance with legislation and policy requirements.

Page 27

Strategy to Implement

“Information is a strategic resource just as important to the business of government as human resources and financial resources!”

In recognition of this fact the government and public sector of Nepal should:

Fund tools and processes for the management of information;

Hire and develop specialists to look after the information and information systems and to support employees in managing information;

Support all employees in their IM responsibilities through training and awareness;

Hold managers responsible for the IM practices of their employees;

Require employees to manage their information.

Page 28

Recommendations

Manage information as a key corporate resource;

Plan information needs;

Collect and create information to support program/activity and information needs;

Identify, file and organize information for quick and easy retrieval;

Provide access to information and respect the information and privacy rights of others;

Retain and dispose of information appropriately;

Protect information and the privacy rights of others;

Comply with information policy and legal requirements; and

Take responsibility for performance in the management of information.

Page 30

Computer and Network Security Requirements

Confidentiality

o Requires that information in a computer system only be accessible for reading by authorized parties

Integrity

o Requires that assets can be modified by authorized parties only

Availability

o Requires that assets be available to authorized parties

Authenticity

o Requires that a computer system be able to verify the identity of a user

Page 31

Types of Threats

Interruption

o An asset of the system is destroyed or becomes unavailable or unusable

o Attack on availability

o Destruction of hardware

o Cutting of a communication line

o Disabling the file management system

Page 32

Types of Threats

Interception

o An unauthorized party gains access to an asset

o Attack on confidentiality

o Wiretapping to capture data in a network

o Illegal copying of files or programs

Page 33

Types of Threats

Modification

o An unauthorized party not only gains access but tampers with an asset

o Attack on integrity

o Changing values in a data file

o Altering a program so that it performs differently

o Modifying the content of messages being transmitted in a network

Page 34

Types of Threats

Fabrication

o An unauthorized party inserts counterfeit objects into the system

o Attack on authenticity

o Insertion of spurious messages in a network

o Addition of records to a file

Page 35

Computer System Assets

Hardware

o Threats include accidental and deliberate damage

Software

o Threats include deletion, alteration, damage

o Backups of the most recent versions can maintain high availability

Page 36

Computer System Assets

Data & Information

o Involves files

o Security concerns for availability, secrecy, and integrity

o Statistical analysis can lead to determination of individual information, which threatens privacy

Page 37

Computer System Assets

Communication Lines and Networks – Passive Attacks

o Release of message contents: a telephone conversation, an electronic mail message, and a transferred file are subject to these threats

Page 38

Computer System Assets

Communication Lines and Networks – Active Attacks

o Masquerade takes place when one entity pretends to be a different entity

o Replay involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect

o Modification of messages means that some portion of a legitimate message is altered, or that messages are delayed or reordered, to produce an unauthorized effect

Page 39

Protection

No protection

Isolation

o Each process operates separately from other processes with no sharing or communication

Page 40

Protection

Share all or share nothing

o Owner of an object declares it public or private

Share via access limitation

o Checks the permissibility of each access by a specific user to a specific object

Page 41

User-Oriented Access Control

Log on

o Requires both a user identifier (ID) and a password

o System only allows users to log on if the ID is known to the system and password associated with the ID is correct

o Users can reveal their password to others either intentionally or accidentally

o Hackers are skillful at guessing passwords

o ID/password file can be obtained

Page 42

Data-Oriented Access Control

Associated with each user, there can be a user profile that specifies permissible operations and file accesses

Operating system enforces these rules

Database management system controls access to specific records or portions of records

Page 43

Access Matrix

Subject

o An entity capable of accessing objects

Object

o Anything to which access is controlled

Access rights

o The way in which an object is accessed by a subject

Page 44

Access Matrix

Page 45

Access Control List

Matrix decomposed by columns

For each object, an access control list gives users and their permitted access rights

Page 46

Access Control List

Page 47

Capability Tickets

Decomposition of access matrix by rows

Specifies authorized objects and operations for a user

Page 48

Capability Tickets
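The two decompositions described on slides 43 to 48, worked through in code. This is an added example, not material from the training slides; the subjects, objects, rights and the OWNERS table are constructed.

```python
"""Access matrix (slides 43-48) decomposed two ways: by columns into access
control lists and by rows into capability tickets.

Constructed example for these slides; the subjects, objects, rights and the
OWNERS table are made up and do not come from the training material."""
from typing import Dict, FrozenSet

Rights = FrozenSet[str]
# Rows are subjects, columns are objects, each cell holds the access rights.
AccessMatrix = Dict[str, Dict[str, Rights]]

R, W, S = "read", "write", "sign"

# Constructed sample matrix for a small records office.
MATRIX: AccessMatrix = {
    "clerk":   {"seat_roll": frozenset({R}),    "leave_file": frozenset({R, W})},
    "officer": {"seat_roll": frozenset({R, W}), "leave_file": frozenset({R, W, S})},
    "auditor": {"seat_roll": frozenset({R}),    "leave_file": frozenset({R})},
    "guest":   {},  # a known ID that currently holds no rights
}

# Slide 40: the owner of an object decides who may share it (constructed).
OWNERS = {"seat_roll": "officer", "leave_file": "officer"}


def acls_by_object(matrix: AccessMatrix) -> Dict[str, Dict[str, Rights]]:
    """Column decomposition: one ACL per object, listing subjects and rights."""
    acls: Dict[str, Dict[str, Rights]] = {}
    for subject, row in matrix.items():
        for obj, rights in row.items():
            if rights:  # empty cells simply do not appear on the ACL
                acls.setdefault(obj, {})[subject] = rights
    return acls


def capabilities_by_subject(matrix: AccessMatrix) -> Dict[str, Dict[str, Rights]]:
    """Row decomposition: one capability ticket per subject, listing objects
    and the operations permitted on each."""
    return {subject: {obj: rights for obj, rights in row.items() if rights}
            for subject, row in matrix.items()}


def acl_check(acls: Dict[str, Dict[str, Rights]], subject: str, obj: str, op: str) -> bool:
    """Object-side check (slide 40, share via access limitation): default deny."""
    return op in acls.get(obj, {}).get(subject, frozenset())


def capability_check(caps: Dict[str, Dict[str, Rights]], subject: str, obj: str, op: str) -> bool:
    """Subject-side check: the subject presents its ticket for the object."""
    return op in caps.get(subject, {}).get(obj, frozenset())


def grant(matrix: AccessMatrix, grantor: str, grantee: str, obj: str, op: str) -> bool:
    """Discretionary access control (slide 52): only the object's owner may
    grant a right to another known ID. Returns False, changing nothing, otherwise."""
    if OWNERS.get(obj) != grantor or grantee not in matrix:
        return False
    row = matrix[grantee]
    row[obj] = row.get(obj, frozenset()) | {op}
    return True


def decompositions_agree(matrix: AccessMatrix) -> bool:
    """Both views must answer every (subject, object, op) question identically;
    drift between an ACL store and issued tickets is a classic authorization bug."""
    acls, caps = acls_by_object(matrix), capabilities_by_subject(matrix)
    objects = {obj for row in matrix.values() for obj in row}
    return all(acl_check(acls, s, o, op) == capability_check(caps, s, o, op)
               for s in matrix for o in objects for op in (R, W, S))


if __name__ == "__main__":
    acls, caps = acls_by_object(MATRIX), capabilities_by_subject(MATRIX)
    print("ACL for leave_file:", acls["leave_file"])
    print("Ticket for clerk:  ", caps["clerk"])
    print("clerk may sign leave_file? ", acl_check(acls, "clerk", "leave_file", S))
    print("clerk grants guest read?   ", grant(MATRIX, "clerk", "guest", "seat_roll", R))
    print("officer grants guest read? ", grant(MATRIX, "officer", "guest", "seat_roll", R))
    print("guest may now read?        ", acl_check(acls_by_object(MATRIX), "guest", "seat_roll", R))
    print("both views still agree:    ", decompositions_agree(MATRIX))
```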

Page 49

Intrusion Techniques

The objective of an intruder is to gain access to the system or to increase the range of privileges accessible on a system

Protected information that an intruder acquires is a password

Page 50

Techniques for Learning Passwords

Try default passwords used with standard accounts shipped with the computer

Exhaustively try all short passwords

Try words in a dictionary or a list of likely passwords

Collect information about users and use these items as passwords

Page 51

Techniques for Learning Passwords

Try user’s phone numbers, social security numbers, and room numbers

Try all legitimate license plate numbers for this state

Use a Trojan horse to bypass restrictions on access

Tap the line between a remote user and the host system

Page 52

ID Provides Security

Determines whether the user is authorized to gain access to a system

Determines the privileges accorded to the user

o Guest or anonymous accounts have more limited privileges than others

ID is used for discretionary access control

o A user may grant permission to files to others by ID

Page 53

Password Selection Strategies

Computer generated passwords

o Users have difficulty remembering them

o Need to write it down

o Have history of poor acceptance

Page 54

Password Selection Strategies

Reactive password checking strategy

o System periodically runs its own password cracker to find guessable passwords

o System cancels passwords that are guessed and notifies user

o Consumes resources to do this

o Hacker can use this on their own machine with a copy of the password file
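Slides 41 and 54 both end on the same risk: a copy of the ID/password file ends up on the intruder's own machine. The defensive counterpart is to store only a salted, deliberately slow hash per entry, as in this added example (not code from the training material; the entry format, user IDs and passwords are constructed):

```python
"""Protecting the ID/password file (slides 41 and 54): store only a salted,
deliberately slow hash of each password, so a copied file gives an offline
password cracker one expensive guess at a time instead of the passwords.

Added example for these slides, not code from the training material. The
entry format, user IDs and passwords below are constructed."""
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # slow on purpose: paid once per log-on, but once per guess by a cracker
SALT_BYTES = 16


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def make_entry(password: str, *, iterations: int = ITERATIONS,
               salt: Optional[bytes] = None) -> str:
    """One password-file entry, algorithm$iterations$salt$hash, so every
    parameter needed to verify is stored next to the hash. A fresh random salt
    per entry means two users with the same password get different entries."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${_b64(salt)}${_b64(digest)}"


def verify_entry(entry: str, password: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algorithm, iterations, salt_b64, digest_b64 = entry.split("$")
    if algorithm != ALGORITHM:
        return False
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(actual, expected)


class PasswordFile:
    """ID -> entry. Unknown IDs are verified against a dummy entry so that the
    response time does not reveal which IDs exist (slide 52: the ID itself
    decides whether a user is known)."""

    def __init__(self, iterations: int = ITERATIONS):
        self.iterations = iterations
        self.entries: Dict[str, str] = {}
        self._dummy = make_entry(os.urandom(16).hex(), iterations=iterations)

    def add_user(self, user_id: str, password: str) -> None:
        self.entries[user_id] = make_entry(password, iterations=self.iterations)

    def log_on(self, user_id: str, password: str) -> bool:
        entry = self.entries.get(user_id)
        ok = verify_entry(entry if entry is not None else self._dummy, password)
        return ok and entry is not None


if __name__ == "__main__":
    pw_file = PasswordFile()
    pw_file.add_user("rsharma", "Tihar-lamps-2x-Patan")   # constructed credentials
    pw_file.add_user("kthapa", "Tihar-lamps-2x-Patan")    # same password, different entry
    print("rsharma entry:", pw_file.entries["rsharma"])
    print("same password, same entry?", pw_file.entries["rsharma"] == pw_file.entries["kthapa"])
    print("correct log-on:", pw_file.log_on("rsharma", "Tihar-lamps-2x-Patan"))
    print("wrong case:    ", pw_file.log_on("rsharma", "tihar-lamps-2x-patan"))
    print("unknown ID:    ", pw_file.log_on("nobody", "Tihar-lamps-2x-Patan"))
```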

Page 55

Password Selection Strategies

Proactive password checker

o The system checks at the time of selection if the password is allowable

o With guidance from the system, users can select memorable passwords that are difficult to guess
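A proactive checker of the kind slide 55 describes, turning the guessing techniques listed on slides 50 and 51 into selection-time rejection rules. Added example, not code from the training material; the dictionary, default-password list and user profile are small constructed samples.

```python
"""Proactive password checker (slide 55): judge a candidate at selection time
against the guessing techniques listed on slides 50-51 (vendor defaults,
short passwords, dictionary words, items of personal information).

Added example for these slides, not code from the training material. The
dictionary, default list and user profile are small constructed samples."""
import re
from dataclasses import dataclass, field
from typing import List

MIN_LENGTH = 12

# Constructed stand-ins for a real word list and a vendor default-password list.
DICTIONARY = {"password", "welcome", "nepal", "kathmandu", "office", "secret", "summer"}
DEFAULT_PASSWORDS = {"admin", "password", "changeme", "123456", "guest", "letmein"}


@dataclass
class UserProfile:
    """Facts about the user that slide 51 says an intruder will try first."""
    user_id: str
    phone: str = ""
    room: str = ""
    birth_year: str = ""
    extra: List[str] = field(default_factory=list)

    def tokens(self) -> List[str]:
        """Lower-cased items plus their digits-only forms, so a phone written
        '98-1234567' still matches a candidate containing '981234567'."""
        raw = [t for t in (self.user_id, self.phone, self.room, self.birth_year, *self.extra) if t]
        digits = [re.sub(r"\D", "", t) for t in raw]
        return [t.lower() for t in raw] + [d for d in digits if d]


def _fold(candidate: str) -> str:
    """Lower-case and undo common substitutions so 'P@ssw0rd' is judged as 'password'."""
    return candidate.lower().translate(str.maketrans("@$01!3", "asolie"))


def check_password(candidate: str, user: UserProfile) -> List[str]:
    """Return the reasons the candidate is not allowable; an empty list means accept."""
    reasons: List[str] = []
    folded, lowered = _fold(candidate), candidate.lower()

    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters (exhaustive search of short passwords)")
    if folded in DEFAULT_PASSWORDS or lowered in DEFAULT_PASSWORDS:
        reasons.append("matches a vendor default password")
    if any(word in folded for word in DICTIONARY):
        reasons.append("contains a dictionary word")
    for token in user.tokens():
        if len(token) >= 3 and (token in folded or token in lowered):
            reasons.append(f"contains personal information: {token!r}")
            break
    if candidate.isdigit():
        reasons.append("digits only (phone, ID or room-number style guess)")
    if len(set(lowered)) < 5:
        reasons.append("too few distinct characters")
    return reasons


def is_allowable(candidate: str, user: UserProfile) -> bool:
    return not check_password(candidate, user)


if __name__ == "__main__":
    # Constructed profile; none of these values refer to a real person.
    profile = UserProfile("rsharma", phone="98-1234567", room="204", birth_year="1985")
    for candidate in ("P@ssw0rd2016", "Rsharma204!", "9812345671985", "Tihar-lamps-2x-Patan"):
        verdict = check_password(candidate, profile)
        print(f"{candidate!r}: {'accepted' if not verdict else '; '.join(verdict)}")
```

The guidance the slide mentions is the returned reason list: shown to the user, it explains which guessing technique the rejected candidate would have fallen to.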

Page 56

Intrusion Detection

Assume the behavior of the intruder differs from the legitimate user

Statistical anomaly detection

o Collect data related to the behavior of legitimate users over a period of time

o Statistical tests are used to determine if the behavior is not legitimate behavior

Page 57

Intrusion Detection

Rule-based detection

o Rules are developed to detect deviation from previous usage patterns

o Expert system searches for suspicious behavior

Page 58

Intrusion Detection

Audit record

o Native audit records: all operating systems include accounting software that collects information on user activity

o Detection-specific audit records: a collection facility can be implemented that generates audit records containing only that information required by the intrusion detection system
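Slides 56 to 58 together describe one pipeline: detection-specific audit records feed a baseline of legitimate behaviour, a statistical test flags volume that departs from it, and rules flag departures from the usage pattern. The following added example (not code from the training material) runs that pipeline over constructed audit lines; the record format, user IDs and addresses are all made up.

```python
"""Intrusion detection over audit records (slides 56-58): a statistical anomaly
test and two usage-pattern rules, both fed from the same detection-specific
audit records.

Added example for these slides, not code from the training material. The
record format and every log line below are constructed samples."""
import math
import re
from collections import defaultdict, namedtuple
from dataclasses import dataclass
from typing import Dict, List, Set

# Detection-specific record (slide 58): only the fields the detector needs.
LINE_RE = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2})T(?P<hour>\d{2}):\d{2}:\d{2} user=(?P<user>\S+) "
                     r"event=(?P<event>\S+) result=(?P<result>\S+) src=(?P<src>\S+)$")

Record = namedtuple("Record", "date hour user event result src")


def parse(lines: List[str]) -> List[Record]:
    """Parse audit lines; anything that does not match the format is dropped."""
    records = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            records.append(Record(d["date"], int(d["hour"]), d["user"], d["event"], d["result"], d["src"]))
    return records


@dataclass
class Profile:
    """Baseline of one legitimate user's behaviour over the training period (slide 56)."""
    daily_ops: List[int]   # operations per day
    hours: Set[int]        # hours of day with any activity
    hosts: Set[str]        # source addresses seen


def build_profiles(baseline: List[Record]) -> Dict[str, Profile]:
    per_day: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    hours, hosts = defaultdict(set), defaultdict(set)
    for r in baseline:
        per_day[r.user][r.date] += 1
        hours[r.user].add(r.hour)
        hosts[r.user].add(r.src)
    return {u: Profile(list(per_day[u].values()), hours[u], hosts[u]) for u in per_day}


def z_score(x: float, samples: List[int]) -> float:
    """Standard score of x against the baseline; the deviation is floored at 1
    so a perfectly regular baseline still lets a large jump stand out."""
    mean = sum(samples) / len(samples)
    variance = sum((s - mean) ** 2 for s in samples) / len(samples)
    return (x - mean) / max(math.sqrt(variance), 1.0)


def detect(profiles: Dict[str, Profile], today: List[Record], threshold: float = 3.0) -> List[str]:
    """One alert per finding, sorted so the output is stable."""
    alerts: Set[str] = set()
    ops_today: Dict[str, int] = defaultdict(int)
    for r in today:
        ops_today[r.user] += 1
        p = profiles.get(r.user)
        if p is None:
            alerts.add(f"{r.user}: no baseline profile (unknown ID)")
            continue
        # Rule-based (slide 57): deviation from the previously observed pattern.
        if r.hour not in p.hours:
            alerts.add(f"{r.user}: activity at hour {r.hour:02d}, never seen in baseline")
        if r.src not in p.hosts:
            alerts.add(f"{r.user}: activity from new host {r.src}")
    # Statistical (slide 56): today's volume against the user's daily baseline.
    for user, count in ops_today.items():
        p = profiles.get(user)
        if p and (z := z_score(count, p.daily_ops)) > threshold:
            alerts.add(f"{user}: {count} operations today, z={z:.1f} above baseline")
    return sorted(alerts)


# Constructed baseline: five quiet working days for two users.
BASELINE = (
    [f"2016-05-{15 + d:02d}T{9 + i:02d}:15:00 user=clerk1 event=read result=ok src=10.0.1.20"
     for d in range(5) for i in range(4)]
    + [f"2016-05-{15 + d:02d}T{h:02d}:30:00 user=auditor event=read result=ok src=10.0.2.5"
       for d in range(5) for h in (10, 14)])

# Constructed day under review: clerk1 is busier than ever and active at 02:00
# from an unseen host; there is also an ID with no profile and one malformed line.
TODAY = (
    [f"2016-05-24T{9 + i // 2:02d}:{7 * i:02d}:00 user=clerk1 event=read result=ok src=10.0.1.20"
     for i in range(8)]
    + ["2016-05-24T02:17:45 user=clerk1 event=login result=ok src=10.0.9.77",
       "2016-05-24T10:30:00 user=auditor event=read result=ok src=10.0.2.5",
       "2016-05-24T14:05:00 user=auditor event=read result=ok src=10.0.2.5",
       "2016-05-24T11:00:00 user=tmpuser event=login result=ok src=10.0.1.20",
       "this line is not an audit record"])


def run_example() -> List[str]:
    return detect(build_profiles(parse(BASELINE)), parse(TODAY))


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```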

Page 59

Malicious Programs

Those that need a host program

o Fragments of programs that cannot exist independently of some application program, utility, or system program

Independent

o Self-contained programs that can be scheduled and run by the operating system

Page 60

Logic Bomb

Code embedded in a legitimate program that is set to “explode” when certain conditions are met

o Presence or absence of certain files

o Particular day of the week

o Particular user running application

Page 61

Trojan Horse

Useful program that contains hidden code that when invoked performs some unwanted or harmful function

Can be used to accomplish functions indirectly that an unauthorized user could not accomplish directly

o User may set file permission so everyone has

Page 62

Viruses

Program that can “infect” other programs by modifying them

o Modification includes a copy of the virus program

o The infected program can infect other programs

Page 63

Worms

Use network connections to spread from system to system

Electronic mail facility

o A worm mails a copy of itself to other systems

Remote execution capability

o A worm executes a copy of itself on another system

Remote log-in capability

o A worm logs on to a remote system as a user and then uses commands to copy itself from one system to the other

Page 64

Zombie

Program that secretly takes over another Internet-attached computer

It uses that computer to launch attacks that are difficult to trace to the zombie’s creator

Page 65

Virus Stages

Dormant phase

o Virus is idle

Propagation phase

o Virus places an identical copy of itself into other programs or into certain system areas on the disk

Page 66: INFORMATION MANAGEMENT AND SECURITY - NASCdms.nasc.org.np/sites/default/files/documents/Information... · INFORMATION MANAGEMENT AND SECURITY Professional Training in Information

Virus Stages

Triggering phase

o Virus is activated to perform the

function for which it was intended

o Caused by a variety of system events

Execution phase

o Function is performed


Types of Viruses

Parasitic
o Attaches itself to executable files and replicates
o When the infected program is executed, it looks for other executables to infect

Memory-resident
o Lodges in main memory as part of a resident system program
o Once in memory, it infects every program that executes

Boot sector
o Infects the boot record of a disk
o Spreads when the system is booted from the disk containing the virus

Stealth
o Designed to hide itself from detection by antivirus software
o May use compression so that the infected program is exactly the same length as the uninfected version, or intercept disk reads so the scanner is shown the clean file

Polymorphic
o Mutates with every infection, so a fixed byte "signature" of the virus no longer matches the copies on disk
o A mutation engine creates a random encryption key and encrypts the remainder of the virus with it
o The key is stored with the virus, so only the short decryption routine is ever in clear text


Macro Viruses

Platform independent: they depend on the application, not the operating system
o Most infect Microsoft Word documents

Infect documents, not the executable portions of code

Easily spread, most commonly as an e-mail attachment

A macro is an executable program embedded in a word processing document or other type of file

Autoexecuting macros in Word
o Autoexecute
  Executes when Word is started
o Automacro
  Executes when a defined event occurs, such as opening or closing a document
o Command macro
  Executes when the user invokes a command (e.g., File Save)


Antivirus Approaches

Detection
o Determine that an infection has occurred and locate the virus

Identification
o Identify the specific virus that has infected the program

Removal
o Remove all traces of the virus and restore the program to its original state


Generic Decryption

CPU emulator
o Instructions in an executable file are interpreted by the emulator rather than executed by the real processor, so the code can do no harm

Virus signature scanner
o Scans the target code, as decrypted in the emulator's memory, looking for known virus signatures

Emulation control module
o Controls the execution of the target code and decides how many instructions to emulate before scanning
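The polymorphic virus described above and the generic-decryption scanner are easiest to understand side by side. The program below is an added example written for this page, not code from the original slides or from any antivirus product. Everything in it is constructed: a toy eight-instruction machine, a five-byte "virus body", and a four-byte "known signature". The mutation engine emits a decryptor stub carrying a fresh random key followed by the XOR-encrypted body; a plain signature scan of the bytes on disk fails, while the generic-decryption scan lets the sample decrypt itself inside a bounded emulator and then finds the signature in the emulator's memory.

```python
# Added example (not from the original slides): a toy polymorphic sample and a
# generic-decryption scanner. The instruction set, the body and the "known
# signature" are all constructed for illustration.
import os

SIGNATURE = bytes.fromhex("DEADBEEF")   # constructed "known" signature
BODY = SIGNATURE + b"\xff"              # constructed body: signature, then HALT
STUB_LEN = 13                           # size of the decryptor stub built below

# Toy instruction set shared by the mutation engine and the emulator:
#   10 kk  MOV R0, kk     11 pp  MOV R1, pp     12 nn  MOV R2, nn
#   20     XOR [R1], R0   21     INC R1         22     DEC R2
#   30 tt  JNZ R2, tt     40 tt  JMP tt         FF     HALT

def build_sample(key: int) -> bytes:
    """Mutation engine: emit a decryptor stub that carries the key, followed by
    the body XOR-encrypted under that key. Each key yields different bytes on
    disk although the decrypted body never changes."""
    if not 1 <= key <= 255:
        raise ValueError("key must be a non-zero byte")
    stub = bytes([
        0x10, key,         # MOV R0, key        (the key is stored with the sample)
        0x11, STUB_LEN,    # MOV R1, body_start
        0x12, len(BODY),   # MOV R2, body_length
        0x20,              # XOR [R1], R0       <- loop head, offset 6
        0x21,              # INC R1
        0x22,              # DEC R2
        0x30, 6,           # JNZ R2, 6
        0x40, STUB_LEN,    # JMP body_start     (run the decrypted body)
    ])
    assert len(stub) == STUB_LEN
    return stub + bytes(b ^ key for b in BODY)

def random_sample() -> bytes:
    """A fresh infection: the same body under a random non-zero key."""
    return build_sample(1 + os.urandom(1)[0] % 255)

def emulate(image: bytes, max_steps: int = 1000) -> bytearray:
    """CPU emulator plus emulation control: run the image in a private memory
    copy for at most max_steps instructions, so hostile or looping code can
    neither touch the real machine nor stall the scanner."""
    mem = bytearray(image)
    pc = r0 = r1 = r2 = 0
    for _ in range(max_steps):
        if pc >= len(mem):
            break
        op = mem[pc]
        imm = mem[pc + 1] if pc + 1 < len(mem) else 0
        if op == 0x10:
            r0, pc = imm, pc + 2
        elif op == 0x11:
            r1, pc = imm, pc + 2
        elif op == 0x12:
            r2, pc = imm, pc + 2
        elif op == 0x20:
            if r1 < len(mem):
                mem[r1] ^= r0
            pc += 1
        elif op == 0x21:
            r1, pc = (r1 + 1) & 0xFF, pc + 1
        elif op == 0x22:
            r2, pc = (r2 - 1) & 0xFF, pc + 1
        elif op == 0x30:
            pc = imm if r2 else pc + 2
        elif op == 0x40:
            pc = imm
        else:
            break   # HALT or unknown opcode: stop emulating
    return mem

def static_scan(image: bytes) -> bool:
    """Plain signature scan of the bytes as they sit on disk."""
    return SIGNATURE in image

def generic_decryption_scan(image: bytes, max_steps: int = 1000) -> bool:
    """Generic decryption: let the sample decrypt itself in the emulator, then
    scan the emulator's memory for the known signature."""
    return SIGNATURE in emulate(image, max_steps)

if __name__ == "__main__":
    sample = random_sample()
    print("static scan:", static_scan(sample))                        # False
    print("generic decryption scan:", generic_decryption_scan(sample))  # True
```

The instruction budget in emulate() is the emulation control module's whole job: too small and a sample that does some real work before decrypting is missed, too large and scanning every file becomes slow. A benign program that loops forever simply exhausts the budget and is reported clean.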


Digital Immune System

Developed by IBM

Motivation has been the rising threat of Internet-based virus propagation
o Integrated mail systems
o Mobile-program systems


E-mail Virus

Activated when the recipient opens the e-mail attachment

Newer variants are activated merely by opening an e-mail that contains the virus

Uses the Visual Basic scripting language

Propagates itself to all of the e-mail addresses known to the infected host
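The macro viruses and e-mail viruses described in the two slides above arrive the same way, as an attachment, so the first line of defence is to triage attachments before a user can open them. The program below is an added example written for this page, not code from the original slides or from any mail product. It parses a constructed message with Python's standard email module, flags attachments whose extension marks them as scripts, and flags Office documents that contain a VBA project by looking inside the zip container for vbaProject.bin rather than trusting the extension. The message, the attachments and the addresses are all constructed.

```python
# Added example (not from the original slides): attachment triage for the two
# carriers the slides describe, script attachments and macro-bearing Office
# documents. The message, its attachments and the addresses are constructed.
import io
import os
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from typing import List, Tuple

SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta",
                     ".exe", ".scr", ".bat", ".cmd", ".ps1"}

def has_vba_project(data: bytes) -> bool:
    """Office Open XML files (.docx/.docm/.xlsm/...) are zip containers; a VBA
    project ships inside them as vbaProject.bin. Decide by content, not by the
    extension the sender chose."""
    if not data.startswith(b"PK"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False

def triage_message(raw: bytes) -> List[Tuple[str, str]]:
    """Return (filename, reason) for every attachment that can carry executable code."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""
        ext = os.path.splitext(name.lower())[1]   # last extension: catches photo.jpg.vbs
        if ext in SCRIPT_EXTENSIONS:
            findings.append((name, "script attachment"))
        elif has_vba_project(data):
            findings.append((name, "Office document containing a VBA project"))
    return findings

def make_ooxml(with_macros: bool) -> bytes:
    """Constructed stand-in for a Word document: a minimal OOXML-shaped zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed placeholder")
    return buf.getvalue()

def build_sample_message() -> bytes:
    """Constructed message: a macro document, a clean document and a script
    hiding behind a double extension."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "officer@example.invalid"
    msg["Subject"] = "Important message"
    msg.set_content("Please see the attached documents.")
    msg.add_attachment(make_ooxml(True), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="report.docm")
    msg.add_attachment(make_ooxml(False), maintype="application",
                       subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
                       filename="notes.docx")
    msg.add_attachment(b'MsgBox "hello"\r\n', maintype="application",
                       subtype="octet-stream", filename="photo.jpg.vbs")
    return msg.as_bytes()

if __name__ == "__main__":
    for name, reason in triage_message(build_sample_message()):
        print(f"{name}: {reason}")
```

Two choices matter in practice: the script check looks at the last extension only, so a name like photo.jpg.vbs is still caught, and the macro check opens the container instead of reading the extension, so a .docx that was renamed from a .docm is still reported.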


Trusted Systems

Multilevel security
o Information is organized into hierarchical security levels (e.g., unclassified, confidential, secret, top secret) and into categories
o No read up (simple security property)
  A subject may only read objects of a lower or equal security level
o No write down (*-property)
  A subject may only write objects of a greater or equal security level
o Both rules are enforced by a reference monitor that mediates every access


Access Token

Security ID (SID)
o Identifies a user uniquely across all the machines on the network; corresponds to the user's logon account

Group SIDs
o List of the groups to which this user belongs

Privileges
o List of security-sensitive system services that this user may call

Default owner
o If this process creates another object, this field specifies who the owner is

Default ACL
o Initial list of protections applied to the objects that the user creates


Security Descriptor

Flags
o Define the type and contents of the security descriptor

Owner
o The owner of the object can generally perform any action on the security descriptor

System Access Control List (SACL)
o Specifies which kinds of operations on the object should generate audit messages

Discretionary Access Control List (DACL)
o Determines which users and groups can access this object, and for which operations
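The access token and the security descriptor described in the slides above meet in the access check. The program below is an added example written for this page, not code from the original slides or from Windows itself: a simplified model of how the token's SIDs are matched against the DACL, in order, and how the SACL turns the outcome into audit records. The user and group SIDs are constructed; S-1-1-0 is the real well-known SID for Everyone, and the access-mask constants carry the values used in the Windows SDK headers. Generic-rights mapping and privileges such as SeTakeOwnership are left out of the model.

```python
# Added example (not from the original slides): a simplified model of checking
# an access token against a security descriptor. User and group SIDs are
# constructed; S-1-1-0 (Everyone) is the real well-known SID.
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Specific access-mask bits (values as in the Windows SDK headers)
FILE_READ_DATA, FILE_WRITE_DATA = 0x0001, 0x0002
DELETE, READ_CONTROL, WRITE_DAC = 0x00010000, 0x00020000, 0x00040000

@dataclass
class Ace:
    kind: str                 # "allow" or "deny" (DACL), "audit" (SACL)
    sid: str
    mask: int
    audit_success: bool = True
    audit_failure: bool = True

@dataclass
class SecurityDescriptor:
    owner: str
    dacl: Optional[List[Ace]]                 # None models a NULL DACL
    sacl: List[Ace] = field(default_factory=list)

@dataclass
class AccessToken:
    user_sid: str
    group_sids: Set[str] = field(default_factory=set)

    def sids(self) -> Set[str]:
        return {self.user_sid, *self.group_sids}

def access_check(token: AccessToken, sd: SecurityDescriptor, desired: int) -> bool:
    """Walk the DACL in order, as the reference monitor does:
    - a NULL DACL means no protection at all (everyone gets everything);
    - an empty DACL grants nothing to anyone;
    - the owner implicitly holds READ_CONTROL and WRITE_DAC;
    - a matching deny ACE covering any still-wanted right denies the request;
      a matching allow ACE removes the rights it grants; the walk stops as soon
      as every requested right has been granted."""
    if sd.dacl is None:
        return True
    sids = token.sids()
    remaining = desired
    if sd.owner in sids:
        remaining &= ~(READ_CONTROL | WRITE_DAC)
    for ace in sd.dacl:
        if remaining == 0:
            break
        if ace.sid not in sids:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
    return remaining == 0

def audit_events(token: AccessToken, sd: SecurityDescriptor, desired: int,
                 granted: bool) -> List[Tuple[str, str, int]]:
    """SACL evaluation: each audit ACE that applies to one of the token's SIDs
    and covers a requested right yields (outcome, user SID, audited rights),
    for success and/or failure as the ACE's flags say."""
    events = []
    for ace in sd.sacl:
        if ace.kind != "audit" or ace.sid not in token.sids() or not (ace.mask & desired):
            continue
        if (granted and ace.audit_success) or (not granted and ace.audit_failure):
            events.append(("success" if granted else "failure", token.user_sid, ace.mask & desired))
    return events

# Constructed sample: Alice owns the file; her group is denied write while
# Everyone is allowed read and write; failed writes and deletes are audited.
EVERYONE = "S-1-1-0"
STAFF = "S-1-5-21-1000-2000-3000-513"                     # constructed group SID
ALICE = AccessToken("S-1-5-21-1000-2000-3000-1001", {EVERYONE, STAFF})
BOB = AccessToken("S-1-5-21-1000-2000-3000-1002", {EVERYONE})
REPORT = SecurityDescriptor(
    owner=ALICE.user_sid,
    dacl=[Ace("deny", STAFF, FILE_WRITE_DATA),             # canonical order: deny ACEs first
          Ace("allow", EVERYONE, FILE_READ_DATA | FILE_WRITE_DATA)],
    sacl=[Ace("audit", EVERYONE, FILE_WRITE_DATA | DELETE, audit_success=False)],
)

if __name__ == "__main__":
    for who, want in ((ALICE, FILE_WRITE_DATA), (ALICE, WRITE_DAC), (BOB, FILE_WRITE_DATA), (BOB, WRITE_DAC)):
        ok = access_check(who, REPORT, want)
        print(who.user_sid, hex(want), "granted" if ok else "denied", audit_events(who, REPORT, want, ok))
```

Because the DACL is evaluated front to back, ACE order is part of the policy: the same two ACEs with the allow listed before the deny grant Alice the write, since the walk finishes before the deny ACE is reached. Tools that build ACLs keep them canonical (deny before allow) for exactly that reason, and a NULL DACL, which is not the same as an empty one, is a common misconfiguration worth checking for.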