Monday, June 17, 2019
Assessment of Technology-centric Strategies for Information Security Essay
Assessment of Technology-centric Strategies for Information Security - Essay Example

It is a best-practices strategy in that it relies on the intelligent application of techniques and technologies that exist today. The strategy recommends a balance between the security framework's protection capability and cost, performance, and operational considerations (National Security Agency).

Fahey (2004) graduated from the SANS GSEC course and uses its systematic approach to addressing risk through defense in depth. The SANS approach promulgates an efficient and cost-effective methodology for improving security. The organization for which he works already had a number of policies, each designed to address a multi-layered approach to IT security, such as operations security, physical security, and contingency and disaster recovery. Furthermore, external security personnel routinely came to the organization to perform security audits. He was concerned that one area which had not been addressed was a systematic procedure designed to protect against electronic attacks from hackers. This was due in part to the false sense of security which comes from being behind a firewall and partly from a lack of experience in the information security field. (Fahey, 2004, p. 3)

In putting together a Defense in Depth security policy one must consider the characteristics of one's adversary, the motivation behind an attack and the class of attack. An adversary may be anyone from a competitor to a hacker. They may be motivated by theft of intellectual property, denial of service or simply the glory of bringing down a target. Classes of attack include passive or active monitoring of communications, identity theft or close-in attacks.

Besides deliberate attacks there may also be inadvertent attacks on the system, such as fire, flood, power outages and, most frequently, user error. Information Assurance is achieved when information and information systems are protected against such attacks through the application of security services such as Availability, Integrity, Authentication, Confidentiality, and Non-Repudiation. The application of these services should be based on the Protect, Detect, and React paradigm. This means that in addition to incorporating protection mechanisms, organizations need to expect attacks and include attack detection tools and procedures that allow them to react to and recover from these attacks. No system is perfectly secure, and it has been argued that no system needs to be. To achieve Information Assurance, focus must be balanced across three elements: People, Technology and Operations.

Security goals have their own contradictions because confidentiality, integrity, privacy, accountability, and recovery often conflict fundamentally. For example, accountability requires a strong audit trail and end-user authentication, which conflicts with privacy needs for user anonymity. (Sandhu, 2004, p. 3)

Fahey's methodology for evaluating risk used the confidentiality, integrity, and availability (CIA) approach, which emphasizes the importance to the organization of a particular information asset. This approach focuses budget managers on the real threats to reputation and hence the business's ability to survive against its competitors. Fahey focuses on three security risks in his article: passwords, policies and patches. Fahey's risk assessment relies heavily on the SANS assessment of the top 20 risks for networks in 2003/4. This brings to light the
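The CIA-based evaluation described above rates each information asset on how badly the business would be hurt if its confidentiality, integrity or availability were lost, and then uses those ratings to decide where protection budget goes first. The following is an added illustration of that kind of qualitative ranking; it is not Fahey's or SANS's own tool, and the low/medium/high scale, the likelihood factor and the sample assets are assumptions constructed for the example.

```python
"""Rank information assets by CIA impact so that protection budget can be
prioritized. Added example; scale, likelihood factor and sample assets are
constructed, not taken from the essay or from Fahey (2004)."""
from dataclasses import dataclass

# Assumed qualitative scale (constructed for this example).
RATING = {"low": 1, "medium": 2, "high": 3}
CIA_PROPERTIES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class Asset:
    name: str
    confidentiality: str  # impact on the business if the property is lost
    integrity: str
    availability: str
    likelihood: str  # assumed extension: how likely a loss is within a year


def impact_score(asset: Asset) -> int:
    """Overall impact is the worst of the three CIA ratings: losing any one
    property is a breach, so the asset is only as safe as its weakest need."""
    return max(RATING[getattr(asset, prop)] for prop in CIA_PROPERTIES)


def dominant_properties(asset: Asset) -> list[str]:
    """Which CIA properties drive the impact; this tells the reviewer whether
    controls should lean towards secrecy, tamper-resistance or uptime."""
    top = impact_score(asset)
    return [p for p in CIA_PROPERTIES if RATING[getattr(asset, p)] == top]


def risk_score(asset: Asset) -> int:
    """Qualitative risk = impact x likelihood (assumed scoring, 1..9)."""
    return impact_score(asset) * RATING[asset.likelihood]


def rank_assets(assets: list[Asset]) -> list[Asset]:
    """Highest risk first; ties broken alphabetically so output is stable."""
    return sorted(assets, key=lambda a: (-risk_score(a), a.name))


# Constructed sample inventory for a small organization.
SAMPLE_ASSETS = [
    Asset("customer database", "high", "high", "medium", "medium"),
    Asset("public website", "low", "medium", "high", "high"),
    Asset("internal wiki", "medium", "low", "low", "low"),
    Asset("payroll system", "high", "high", "low", "low"),
]


def report(assets: list[Asset]) -> list[tuple[str, int, list[str]]]:
    """Return (name, risk score, dominant properties) in priority order."""
    return [(a.name, risk_score(a), dominant_properties(a))
            for a in rank_assets(assets)]


if __name__ == "__main__":
    for name, score, props in report(SAMPLE_ASSETS):
        print(f"{score:>2}  {name:<18} driven by {', '.join(props)}")
```

Running the block prints the inventory in priority order; the public website outranks the customer database not because its data is more sensitive but because an availability loss is both highly damaging and highly likely, which is exactly the kind of shift in budget attention the CIA approach is meant to produce.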