Information systems are increasingly taking on a strategic place in companies. Thus the notion of the risk related to these becomes a source of concern and important data to take into account, starting from the design phase of an information system until its implementation and monitoring of its operation.
Information systems security practices are becoming increasingly important in the IT ecosystem, which is becoming open and accessible by enterprise users, partners, and service providers. It becomes essential for companies to know their information system resources and to define the sensitive perimeters to be protected in order to guarantee a controlled and reasoned exploitation of these resources.
In addition, the new trends of nomadism and in-the-cloud computing not only allow users to access resources but also to transport part of the information system outside the secure infrastructure of the network. the company. Hence the need to put in place procedures and measures to assess the risks and define the security objectives to be achieved.
Thus computer security is a set of technical, organizational, legal and human means necessary to preserve, restore and guarantee the security of the information system [cf. Wikipedia].
It can be deduced from these observations that the IT security approach is a managerial activity of information systems and that it is also necessary to establish a management dashboard associated with a security policy comprising vital organs constituting a company.
- Computer threats
The computer threat represents the type of actions that could harm an IT system in absolute terms. In terms of IT security threats can be the result of various actions from multiple origins:
These threats are related to a state of the system at a given time. They can be the result of a software bug (Buffer Overflows, format string … etc.), A user input filtering error (typically XSS and SQL injection), a malfunction of the processing logic or a configuration error
They may be of accidental, natural or criminal origin. Examples include natural disasters, equipment breakdowns or breaks, fire or power cuts.
These threats are directly associated with human error, whether in the design of an information system or in the way it is used. Thus they may be the result of a design or configuration error as a lack of awareness of users faces the risk associated with the use of a computer system.
Thus, in the face of this panoply of threats, computer security aims to define a blueprint for dealing with these threats and to ensure the healthy and effective operation of information systems.
IT security is a lifelong process to improve the level of security by instituting a security policy within organizations and overcoming certain organizational and technological weaknesses.
- Challenges of information system security
The information system is an essential asset of companies. Consisting of a set of hardware and software resources, it can process, store and transfer business data. Thus the security of information systems seeks to provide a better control of the risks that really weigh on the company and meet certain issues that can be summarized in 4 letters “DICA” (availability, integrity, confidentiality, and auditability).
Availability: Ensuring access to resources, at the right time, to those who have access to these resources.
Integrity: ensuring that the data exchanged is accurate and complete.
Confidentiality: Ensure that only authorized individuals have access to company data and resources.
Auditability: to guarantee the traceability of the accesses and the attempts of access and the conservation of these traces as exploitable proofs
In general, computer security is about ensuring that the hardware or software resources of an organization are only used for the purposes for which they were originally designed. In addition, it aims to register the evolution of computer systems as part of a process of continuous improvement.
- Establishment of the PSSI
The security of information systems relies on several models to address the issues related to computer systems companies (DAC, RBAC, BIBA, Bell-La Padula, Wall of China … etc.). These models are usually limited to formalizing multi-level security policies to ensure access rights to the data and resources of a given system.
However, despite the diversity of these models, the implementation of an information system security policy will probably involve adapting a model to the real case. This will lead to the creation of a dashboard to carry out the different steps of securing their information systems. Finally, the model will allow for the establishment of authentication and control mechanisms to ensure that resource users have only the rights they have been granted.
In other words, the information systems security policy is a concrete and real implementation of the principle of least privilege.
Computer security mechanisms can be a source of some inconvenience to information system users. In this way, the PSSI seeks to find a middle ground to guarantee, on the one hand, the effectiveness of an information system and, on the other hand, to assess the risk and determine its level of acceptability in order to ensure users’ satisfaction.
Thus, several methods make it possible to formalize the IT security policy and define all the orientations followed by an organization in terms of security, in particular, the BIOS, MEHARI and the ISO 2700x family of methods. It is possible to find common frames for these methods:
Identify the need in terms of computer security, study the context to secure and identify the IT risks related to the latter.
Develop the procedures and rules to be put in place to cover the identified risks.
Monitor and detect possible vulnerabilities in the information system and set up a vulnerability watch system and a policy for updating the software and hardware resources used.
Define the actions to be taken and the people to contact in case of real threat detection on the information system.
Of course, an information systems security policy does not prevent a global approach to IT security. This means that IT security needs to be addressed in a holistic way in order to take into account certain aspects that the PSSI can handle with greater finesse.
Computer security must answer several problems on the reasoned methods of use of an information system. This is happening from user awareness to security issues, since there is no patch for human stupidity to answer purely technical questions that ensure the effectiveness of the security mechanisms to be implemented, including the physical and logical security of a user. information system. In the iconic phrases of the computer security environment, it is also worth mentioning Bruce Schneier “Security is a process, not a product”. The basic idea being that the security process is the cornerstone, not the firewall or the antivirus, too many leaders have believed that sheltering behind a product avoids the worst. A security policy also provides the worst and the means to respond to it, which the products do not do.
- Security process
As we have already mentioned, computer security is a constantly evolving process. This process makes it possible to evolve the information system at the level of the technological choices or at the level of the organization of the resources used to ensure its functioning.
In general, computer security is based on the Deming wheel principle or the Plan-Do-Check-Act (PDCA) method to establish an IT risk management method within an organization. This principle makes it possible to define the approach followed for the implementation of an effective security policy and to include it in a context of continuous improvement in order to guarantee a serene and controlled evolution of a given information system.
The implementation of such a process first involves defining the IT security policy in order to identify the risks and develop the security objectives (Plan).
Then we must implement the security measures defined to achieve the objectives set by the PSSI (Do).
Afterward, it must be verified that these measures cover most of the information system’s security chain, knowing that the security of the latter is compared to that of its weakest link (Check).
Finally, analyze the results, react according to the level of security obtained, identify the resources that require modifications and of course follow the evolution of new threats and translate them into security measures in the PSSI (Act).
In addition, the majority of methods for analyzing the security of information systems aim at setting up a computer security management system (WSIS) within the organizations. Indeed, these methods take the outline of the PDCA to formalize an ISMS and then go into more detail to ensure a rational governance of IT security within companies.
The security of information systems today represents a fundamental task to be taken into account by any company wishing to have a set of tools and methods that allow it and ensure the governance of its information system. Thus several methods of analysis of computer systems propose certification procedures in order to guarantee a lasting image to the companies integrating the security processes in the list of their managerial concerns.
Of course, 100% security remains an ideal to achieve, especially given the wide range of threats that endanger the operation of an information system. Thus, it is important to formalize a security policy by taking into account the real risks that a computer system incurs and by evaluating the costs that the problems resulting from these risks can generate compared to the cost necessary to put in place the solutions. palliative to these problems.