Information Management: Software Security Essay

Question:

Discuss information management for software security.

Answer:

Introduction

This report examines how the transfer and exchange of information can be managed effectively within Remarkable University while a student grading system is developed. It also covers ways of assessing risks and handling assets properly so that the right kinds of security strategies can be implemented with ease and effectiveness. With the security of the student grading system managed properly, it becomes easier to maintain databases in which data and information are stored securely, kept fit for purpose and protected from different types of threats (Basole & Bellamy, 2014). The grading system needs to be secure so that proper controls are in place and information flows correctly, ensuring that the database in which the data is kept remains protected from automated attacks and grade hacking.

Scope description

The scope description has helped in identifying the most important components of the grading system, such as the front-end web application server used by students, staff and other university officials. The project scope supports developing ideas for deploying the servers securely and maintaining the security of the grading system by preventing automated and simple manual attacks (Brettel et al., 2014). It also covers authenticating users and managing access control in order to secure the databases and servers.

Risk assessment

User authentication and access control

Authenticating users is essential for ensuring that external threats are kept out and that unregistered or unauthorised users cannot gain access to the grading system. Unauthorised access can lead to loss of data and information and further undermine the security of the databases and the grading system (Ogiela & Ogiela, 2012).

Server security

When malicious traffic reaches the server, network performance may deteriorate and the internet connection through which users enter the system may even be terminated. Weak server security can therefore create risks that cut off the internet connection of computer systems and make it harder to reach the databases and the system (Jain & Paul, 2013). Securing the grading system is essential for keeping the data, information and components related to students' grades confidential and for preventing unauthorised users from reaching the servers.

Software security

There are various risks to confidentiality and integrity, so different software and applications are used to keep information confidential and maintain its integrity. Software risks include damage to the reliability of the software and loss of its ability to function properly (Kahate, 2013).

Network Security

Using USB and other external media can create risks for the organisation's network. The email and internet facilities used by staff must be properly understood; otherwise they can lead to security issues such as loss of information from the system and database, creating security leaks. Wireless hardware components with poor security features can also pose a serious threat to the network (Laudon et al., 2012). There is also the chance that employees wilfully destroy the organisation's confidential information, which could impair the ability to access, modify and distribute information and data from the system. The handheld devices used by staff are often capable of wiping the organisation's entire content and can lead to theft as well (Li, 2014).

Risk register

Risk                                                                        Probability   Tenure of loss   Exposure
Unauthorized access                                                         65 %          10 days          8.5
Lack of confidentiality and integrity                                       75 %          15 days          10
Malicious traffic terminating the internet connection and damaging server   60 %          8 days           6.8
Viruses spread from use of external media components                        50 %          12 days          5

Security strategies and actions

Security strategies are implemented to reduce the likelihood of risks and remain cost-effective throughout by treating the risks properly. The most important components of a security plan are: periodically assessing the risks; documenting an entity-wide security programme plan; developing a security management structure; implementing proper security-related personnel policies; and, finally, monitoring the effectiveness of the security plan and making the necessary changes and improvements (Liu, Xiao & Chen, 2012). The system administrator is responsible for the entire student grading system within Remarkable University: strengthening the security mechanisms, managing security controls and handling incidents properly.

User authentication and control

Identity and access management (IAM) provides an effective framework for the organisation that allows individuals and services to be authenticated, authorised and audited appropriately. To manage authentication, it is important to provide a password, a cryptographic key and a personal identification number (PIN). MAAC is an effective software tool used for user authentication and managing access control (Peppard & Ward, 2016).
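As an added illustration of the least-privilege access control this section calls for (example code, not part of the original essay or of any Remarkable University system; the three roles, the course ownership rule and the audit log format are assumptions), the following shows students reading only their own grades, instructors changing grades only in courses they teach, and every change or refused attempt being recorded so that grade tampering can be detected afterwards:

```python
"""Least-privilege grade access with an audit trail (constructed example).

Roles are an assumption: "student", "instructor" or "registrar".
Every grade change, and every denied attempt, is appended to an
audit log so that unauthorised edits ("grade hacking") leave a record.
"""
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    role: str                                   # student / instructor / registrar
    courses: set = field(default_factory=set)   # courses an instructor teaches


class GradeBook:
    def __init__(self):
        self.grades = {}    # (student, course) -> grade
        self.audit = []     # append-only record of every change or refusal

    def can_view(self, user, student, course):
        if user.role == "registrar":
            return True
        if user.role == "instructor":
            return course in user.courses
        # A student may only see their own grades.
        return user.role == "student" and user.name == student

    def can_change(self, user, course):
        # Students never change grades; instructors only in their own courses.
        if user.role == "registrar":
            return True
        return user.role == "instructor" and course in user.courses

    def view(self, user, student, course):
        if not self.can_view(user, student, course):
            raise PermissionError(f"{user.name} may not view {student}/{course}")
        return self.grades.get((student, course))

    def set_grade(self, user, student, course, grade):
        """Apply a grade change; returns the previous grade (None if new)."""
        if not self.can_change(user, course):
            self.audit.append(("DENIED", user.name, student, course, grade))
            raise PermissionError(f"{user.name} may not grade {course}")
        old = self.grades.get((student, course))
        self.grades[(student, course)] = grade
        self.audit.append(("CHANGE", user.name, student, course, old, grade))
        return old
```

Reviewing the audit log for DENIED entries, or for CHANGE entries made by users who are not the course's instructor, is the detection step that complements the access check.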

Server security

Firewalls can be used to manage network traffic and prevent malicious traffic from reaching the web server used by Remarkable University. A virtual private network (VPN) extends the private network across a public network, enabling users to transfer and exchange data and information across shared networks by connecting their computer systems to the private network (Yang, Shieh & Tzeng, 2013). IP addresses can be changed and the data kept encrypted, which improves the chances of protecting information from hacking. The administrator has access to the system and can manage the administrative processes that keep the information and data stored in the databases and systems secure and confidential (Ruj, Stojmenovic & Nayak, 2012).

Software security

Software security is maintained by using application testing tools, which can identify vulnerabilities in software before deployment and prevent threats from materialising. Code review tools examine the code, check for mistakes and allow them to be fixed during development, which improves the overall quality of the software as well as its security (Stallings & Tahiliani, 2014). Kaspersky anti-virus is also effective at preventing viruses and malware from disrupting the running of software. Penetration testing is another security strategy; it can automate various tasks and improve the effectiveness of testing by identifying potential issues that are difficult to find with manual analysis tools (Willcocks, 2013).

Runtime application self-protection (RASP) is another security mechanism, built into the application itself, for identifying application attacks in real time. Security review software identifies vulnerabilities in program code that might be exploited, which also makes it safer to outsource development and buy third-party software (Basole & Bellamy, 2014). To keep information in the system confidential and secure, it is the duty of the systems security administrator to use software testing tools to analyse the code before the software is deployed and to check its reliability.

Network Security

Wireshark is an effective open-source, multi-platform network protocol analyser that can capture data from a live network and browse it down to the level of packet detail. Metasploit is another network security tool, used for developing, testing and running exploit code in order to test the security of the software that manages the student grading system within Remarkable University (Brettel et al., 2014). Staff must take responsibility for their actions when it comes to the organisation's network security. Devices such as smartphones and tablets that are connected to the university's network should be configured with minimum access to the organisation's information and data and must have proper security controls applied. This minimises the risks and creates a good system in which information is kept secure in an effective way (Ogiela & Ogiela, 2012).

Residual risks

Residual risks are those that remain after all cost-effective risk mitigation procedures have been completed. They include malicious code such as worms and malware, phishing attempts, grade hacking, exploit tools and automated scanning (Jain & Paul, 2013).

Phishing is the process by which important information, such as the usernames, passwords and other personal details of students and staff, is obtained during electronic communication and used for malicious purposes.

A computer worm poses a serious threat: it spreads to other computer systems and causes security failures that can leave users unable to access the system (Kahate, 2013). Grade hacking is another risk, where students' grades are accessed and altered so that wrong results are given.

Resources

Human resources means the staff and employees working within Remarkable University to manage the entire grading system. Staff must be skilful and knowledgeable about network security and make sure that they can properly manage user authentication and create good frameworks and programme plans for securing the entire system with ease and effectiveness (Laudon et al., 2012). Wireshark, Metasploit and Kali Linux are important software components for managing the security of servers and networks. Firewalls, a VPN and Kaspersky are other software components that can help secure the systems and their networks. The hardware components include computer systems with 16 GB RAM, the Microsoft Windows 10 or 7 operating system, a 4 TB hard disk and a powerful processor with a speed of more than 3.5 GHz (Li, 2014).

Maintenance and training

Maintenance should be carried out by providing training and development sessions to staff so that they are well aware of the kinds of things they will be working on. Training and maintenance can also enhance their skills, knowledge and expertise, allowing them to perform to their potential with greater dedication and commitment (Peppard & Ward, 2016). Maintenance means testing the system software within Remarkable University and checking whether the student grading system has stored data and information properly and securely.

Conclusion

This report focused on the various aspects of managing information and maintaining a good student grading system within Remarkable University. The security risks related to servers, the network, software, and user authentication and control were discussed, and probable security measures for preventing them were included as well. The residual risks, the resources required, and the ways in which maintenance and training could benefit the organisation and improve the efficiency of the system were also illustrated.

References

Basole, R. C., & Bellamy, M. A. (2014). Visual analysis of supply network risks: Insights from the electronics industry. Decision Support Systems, 67, 109-120.

Brettel, M., Friederichsen, N., Keller, M., & Rosenberg, M. (2014). How virtualization, decentralization and network building change the manufacturing landscape: An industry 4.0 perspective. International Journal of Mechanical, Industrial Science and Engineering, 8(1), 37-44.

Ogiela, M. R., & Ogiela, U. (2012). Linguistic protocols for secure information management and sharing. Computers & Mathematics with Applications, 63(2), 564-572.

Jain, R., & Paul, S. (2013). Network virtualization and software defined networking for cloud computing: a survey. IEEE Communications Magazine, 51(11), 24-31.

Kahate, A. (2013). Cryptography and network security. Tata McGraw-Hill Education.

Laudon, K. C., Laudon, J. P., Brabston, M. E., Chaney, M., Hawkins, L., & Gaskin, S. (2012). Management Information Systems: Managing the Digital Firm, Seventh Canadian Edition (7th ed.). Pearson.

Li, W. (2014). Risk assessment of power systems: models, methods, and applications. John Wiley & Sons.

Liu, J., Xiao, Y., & Chen, C. P. (2012, June). Authentication and access control in the internet of things. In Distributed Computing Systems Workshops (ICDCSW), 2012 32nd International Conference on (pp. 588-592). IEEE.

Peppard, J., & Ward, J. (2016). The strategic management of information systems: Building a digital strategy. John Wiley & Sons.

Yang, Y. P. O., Shieh, H. M., & Tzeng, G. H. (2013). A VIKOR technique based on DEMATEL and ANP for information security risk control assessment. Information Sciences, 232, 482-500.

Ruj, S., Stojmenovic, M., & Nayak, A. (2012, May). Privacy preserving access control with authentication for securing data in clouds. In Cluster, Cloud and Grid Computing (CCGrid), 2012 12th IEEE/ACM International Symposium on (pp. 556-563). IEEE.

Stallings, W., & Tahiliani, M. P. (2014). Cryptography and network security: principles and practice (Vol. 6). London: Pearson.

Willcocks, L. (2013). Information management: the evaluation of information systems investments. Springer.
