
Concept of Information Security: Its Nature, Elements, and Strategies

Information Security, from an academic perspective, is the science that explores theories and strategies for protecting information against the risks that threaten it and the activities that may violate it. From a technical perspective, it refers to the means, tools, and procedures necessary to protect information from internal and external threats. Legally, information security is the subject of studies and measures aimed at protecting the confidentiality, integrity, and availability of information, as well as combating activities that violate or exploit systems to commit crimes. This is the goal and purpose of legislation designed to protect information from illegal and unauthorized activities targeting information and its systems (computer and internet crimes).

The term “Information Security” was in use long before the advent of information technology tools, but it found its practical and common usage within the realm of data processing and transmission via computing and communication tools. As technological means for processing, storing, and exchanging data have become widespread—particularly through information networks, and specifically the internet—research and studies in information security have grown substantially across the various information technology fields, and have arguably become one of the main concerns of many entities.

What Are We Protecting—Generally Speaking—Regarding Information?

(Elements of Information Security)

The research, strategies, and means of information security, whether technical or procedural, as well as the legislative measures in this field, all aim to ensure the following elements for any information that requires adequate protection:

  1. Confidentiality: This means ensuring that information is not disclosed or accessed by unauthorized individuals.
  2. Integrity: This entails ensuring that the content of information is accurate, has not been altered or tampered with, and specifically that the content will not be destroyed or changed at any stage of processing or exchange, whether during internal handling of the information or through unauthorized interventions.
  3. Availability: This refers to ensuring the continuous operation of the information system and the ability to interact with the information and provide services without users being prevented from accessing or using it.
  4. Non-repudiation: This means ensuring that individuals who performed actions related to information or its sites cannot deny that they executed those actions, allowing for the capability to prove that an action was performed by a specific person at a certain time.

Do All Information Types Require The Same Protection Elements Equally?

(Principles of the Information Protection Plan)

The guarantee of all or some elements of information security depends on the information being protected and its uses as well as the services related to it. Not all information requires confidentiality or assurance of non-disclosure; not all information within a single entity holds the same significance regarding access or safeguarding against tampering. Consequently, information security plans begin by answering a series of sequential questions:

First Question: What do we want to protect? The answer to this question determines the classification of data and information in terms of the necessity for protection, as information is classified based on each specific case, ranging from information requiring no protection to information needing maximum security.

Second Question: What are the risks necessitating such protection? The process of identifying risks begins by envisioning any threat that may impact the information being protected or jeopardize its security, starting from the disconnection of the power supply to a computer, to potential external system breaches through one or more means exploiting vulnerabilities, including misuse of employees’ passwords. These risks are then categorized into lists based on classification criteria, assessing risks by their source, means of execution, purpose of those causing the risks, and their impact on the protection system and the information at stake. This will be elaborated on in detail later. Once this classification is completed, we move to the next question.

Third Question: How will we provide protection for what we wish to safeguard against the identified risks? Here, each entity has its particular methods for securing itself against the specified risks, within the framework of the identified specific information protection requirements and its available financial resources and allocated budget for security measures. Security procedures should not be ineffective, but neither should they be excessive to the point of adversely affecting system performance. For instance, if someone wanted to secure the money in their home, it would be reasonable to place it in a safe and reinforce the windows with metal bars or install an alarm against any intrusion, while these three measures would be an acceptable means of securing against theft. However, it would not be logical or reasonable for this person to protect their money by employing guards at their house, installing electric shocks on fences, reinforcing doors and windows with metal bars, and adding alarms for every point in their home. If we entered and found surveillance cameras at every point, discovering that access to the room containing the safe required overcoming specific identification measures like an ID card or a pin number, and upon entering the room, we observed that it wasn’t just an ordinary safe but a complex storage cabinet requiring multiple keys or combinations, it would be evident that such protection would be excessive and counterproductive.

This kind of security is unacceptable, as it complicates the process for that person in accessing their money, potentially leading them to neglect all these security measures, making them more susceptible to theft than others. This is what we refer to as affecting performance efficiency and effectiveness. In an information environment, it is natural to employ a password for accessing important files or the entire system on a personal computer and not share this password with anyone, alongside having one or more programs to combat harmful malware, while adopting reasonable entry security measures for internet access and verifying the source of emails, for example. If the computer is part of an organization and contains important data classified as confidential, additional security measures may be required; for example, the system should include firewalls that limit external access and prevent organized attacks on the system or information site. If the system exchanges emails with data at risk of exposure, appropriate encryption techniques must be applied. Conversely, it would be unreasonable to install multiple types of firewalls on a standalone computer not connected to a public network, or to require multiple identification methods (like password, biometric scans, and voice recognition) for accessing a website, imposing an excessive number of filters, firewalls, and long-term encryption across all data present and exchanged through it. Similarly, a secured site containing highly confidential data cannot merely rely on a password for system entry. This highlights that security measures must originate from the appropriate security needs; thus, if they exceed their limits, they negatively impact performance, leading to slow and ineffective site or system operations, and if they fall short of requisite levels, vulnerability points increase, making them more susceptible to internal and external breaches.

Final Inquiry: What to do if any identified risks materialize despite the security measures? The response to this question involves disaster response planning when incidents occur, which includes successive stages, starting from the necessary technical, administrative, informational, and legal procedures upon occurrence, proceeding to a phase of analysis to assess the nature of the risks that occurred, their causes, and how to prevent future occurrences. Finally, recovery procedures are implemented to return to the pre-risk state, ensuring the execution of actions highlighted by the analysis to prevent risk recurrence.

Thus, while certain pieces of information, such as those related to national security and military secrets, require utmost attention to the elements of confidentiality and integrity, in banking contexts, there is a necessity to also prioritize the element of availability equally within the system itself. In cases where banks operate in the realm of electronic banking or remote services, the non-repudiation factor holds equal significance alongside other elements. For websites, prioritization of the availability component becomes essential, while e-commerce websites necessitate a balanced focus on all four elements, ensuring confidentiality—especially regarding customer data such as credit card numbers—as well as integrity and safety for data exchanged via emails between the customer and the site, ensuring that purchase orders are not subject to alteration or distortion, while guaranteeing the continuity of the site’s services and enabling customer access at all times during browsing and purchasing, or whenever they wish to enter the site. It is also crucial to ensure the customer does not deny that the action they performed on the site (such as making a purchase) was indeed conducted by them, nor can the site deny its contractual relations with the customer concerning a given matter.

Where are the Risks and Attacks in the Information Environment Heading?

Risks and attacks in the information environment target four essential components that make up information technology in its most modern manifestations:

  1. Devices: These encompass all the physical equipment and tools that form systems, such as monitors, printers, internal components, physical storage media, and others.
  2. Software: This includes commands arranged in a specific order to accomplish tasks, which can be either independent of or stored within the system.
  3. Data: Often referred to as the lifeblood of systems, data will also be the subject of computer crimes, as we will see. It includes all input data and information extracted after processing, and in its broad sense encompasses software stored within systems. Data might be in the process of input, output, storage, or exchange between systems through networks, and it can be stored within systems or on external storage media.
  4. Communications: This covers the communication networks that connect technology devices locally, regionally, and internationally, providing opportunities to breach systems and serving as a genuine risk source in itself.

The focal point of risk is the human element, whether the user or the individual assigned specific technical tasks related to the system. The awareness of this individual regarding the limits of their authority, their understanding of risk management mechanisms, and the integrity of oversight over their activities while respecting their legal rights are crucial matters that a comprehensive security system addresses, particularly in a work environment based on computer systems and databases.


What Are the Main Information Processes Related to Information Security?

The processes related to information handling in the environment of systems, processing technologies, communication, and data exchange are numerous. However, the following main processes can generally be identified:

Information Classification: This is a fundamental process in building any system or in any activity related to information. Classifications may vary depending on the organization in question. For instance, information may be classified as accessible, reliable, confidential, or highly confidential, or it may consist of information that is publicly accessible versus information that is prohibited from access.

Documentation: Information processes fundamentally require a systematic approach to linear documentation of system construction and all means of processing, exchanges, and their components. Generally, documentation is necessary for identification and authorization systems, information classification, and application systems. Within the framework of security, documentation requires that strategies or security policies be recorded in writing, including complete documentation of their procedures and components, as well as plans for managing risks and incidents, responsible parties and their responsibilities, recovery plans, crisis management plans, and emergency plans related to the system during an incident.

Administrative and Personnel Responsibilities: The tasks of those connected to the information security system begin with the careful selection of qualified individuals who possess deep theoretical and practical knowledge. It is critical that practical qualifications involve continuous training and do not merely rely on the existing knowledge and experience at the time of hiring. Broadly speaking, administrative or organizational responsibilities consist of five main elements or groups: risk analysis, establishing policy or strategy, developing security plans, technical security framework – employing devices, and finally, executing plans and policies. Importantly, the success of administrative or collective duties within an organization relies on the understanding of all management personnel (regarding their technical, administrative, and financial tasks) of the strategies, plans, and responsibilities concerning security, making security issues well known and manageable by all relevant actors. At the personal or user level, institutions must provide sufficient guidelines to ensure a comprehensive and accurate awareness of security issues. Additionally, it is essential to cultivate a security culture among employees that balances ethical use of technology with expectations for immediate action upon noticing any discrepancy. Institutions should clearly specify what users are required to do and, crucially, what they are prohibited from doing while using various technological means.

Identification and Authorization: Access to computer systems, databases, and information sites can be restricted through various means of user identity verification and usage scope determination, known as Identification and Authorization systems. Identification or identity involves two steps: the first is the method of identifying the user, and the second is the acceptance of that identification method, referred to as verification of the provided identity’s authenticity. Identification methods vary according to the technology used, and they are also security means for accessing information or services across various sectors of systems, networks, or e-businesses. Generally, these methods fall into three categories:

  1. Something the person possesses, such as a plastic card.
  2. Something the person knows, such as passwords, codes, or PINs.
  3. Something inherent to the individual, such as fingerprints, retina scans, voice recognition, etc.

The strongest means of identification and verification combine all these methods in a way that does not compromise the ease and effectiveness of identification. Whatever identification method the system uses for authentication, it must comply with a security framework and guidelines. For example, passwords, being the most common method, require a well-thought-out policy regarding their length, complexity, the avoidance of easily guessable words, and rules against disclosure and unauthorized access. Once suitable identification methods are in place to enable system access, and once the identity has been verified and matched, the next stage is determining the scope of use, known as Authorization, which concerns the permissions granted for accessing certain segments of information within the system. This matter relates to access control systems (see Item 5).
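The three stages just described (identification, verification of the claimed identity, then authorization of the scope of use) and the password policy points (length, complexity, avoidance of guessable words) can be shown as separate steps in code. The following is an added example, not code from the original text; the minimum length, PBKDF2 work factor, word list and permission table are constructed for illustration.

```python
"""Identification, verification and authorization as three separate steps
(added example; policy thresholds, word list and permission table are
constructed for illustration)."""
from __future__ import annotations

import hashlib
import hmac
import os
import re

MIN_LENGTH = 12                 # assumed policy minimum
PBKDF2_ROUNDS = 200_000         # assumed work factor
# Constructed fragment of a common-password list; a real policy uses a large one.
GUESSABLE = {"password", "123456", "qwerty", "welcome", "admin", "letmein"}
CHARACTER_CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def check_password_policy(password: str) -> list[str]:
    """Return the policy rules the password violates; an empty list means it is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if sum(bool(re.search(p, password)) for p in CHARACTER_CLASSES) < 3:
        problems.append("needs at least three character classes")
    lowered = password.lower()
    if any(word in lowered for word in GUESSABLE):
        problems.append("contains an easily guessable word")
    return problems


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """The system stores (salt, derived key), never the password itself."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, key


def verify_password(password: str, salt: bytes, stored_key: bytes) -> bool:
    """Verification: recompute with the stored salt and compare in constant time."""
    _, key = hash_password(password, salt)
    return hmac.compare_digest(key, stored_key)


# Constructed permission table: user -> set of (information segment, action).
PERMISSIONS = {
    "alice": {("payroll", "read"), ("payroll", "write")},
    "bob": {("payroll", "read")},
}


class AuthError(Exception):
    pass


def access(user: str, password: str, credentials: dict, segment: str, action: str) -> bool:
    """Identification (who claims to be here), verification (prove it), then
    authorization (what that identity may do). Unknown user and wrong password
    give the same message so the response does not reveal which names exist."""
    record = credentials.get(user)
    if record is None or not verify_password(password, *record):
        raise AuthError("identification failed")
    if (segment, action) not in PERMISSIONS.get(user, set()):
        raise AuthError("not authorized for this segment")
    return True


if __name__ == "__main__":
    creds = {"alice": hash_password("Correct-Horse-Battery-7")}
    print(check_password_policy("Password123!"))
    print(access("alice", "Correct-Horse-Battery-7", creds, "payroll", "write"))
```

Note that a correct password for a user with no entry in the permission table still ends in a refusal: verification only establishes who the person is, and the authorization step decides separately what that person may do.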

Logging: Different types of computers maintain logs that reveal how the device and its software have been used, known as performance logs or access logs. These logs are exceptionally important in scenarios with multiple users, particularly in networks where components may be used by more than one person. In such networks, many types of performance and usage logs exist, differing by type, nature, and purpose: historical logs, temporary logs, exchange logs, system logs, security logs, database and application logs, maintenance logs, or logs of other technical matters. Generally, a performance log should record the user’s identity, the time of usage, the location, the nature of the usage (content), and any additional information relevant to the activity.
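The field set named above (identity, time, location, nature of usage) is what makes a log usable as evidence in a multi-user environment. The following added example, not part of the original text, writes access records as JSON lines with exactly those required fields and validates a constructed sample log, rejecting entries that lack a field so that an incomplete record cannot pass as an audit trail; the JSON-lines format and the sample entries are assumptions.

```python
"""Access-log records carrying the fields a usage log should specify, plus a
validator that refuses incomplete entries (added example; format and sample
lines are constructed)."""
import json
from datetime import datetime, timezone

REQUIRED_FIELDS = ("user", "time", "location", "action", "resource")


def make_record(user: str, location: str, action: str, resource: str, **extra) -> str:
    """Serialize one access event as a single JSON line with a UTC timestamp."""
    record = {
        "user": user,
        "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "location": location,
        "action": action,
        "resource": resource,
        **extra,
    }
    return json.dumps(record, sort_keys=True)


def validate_log(lines):
    """Return (accepted_records, problems). A line is rejected when it is not
    valid JSON or lacks any required field; problems are (line_no, reason)."""
    accepted, problems = [], []
    for n, line in enumerate(lines, 1):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            problems.append((n, "not valid JSON"))
            continue
        missing = [f for f in REQUIRED_FIELDS if f not in rec]
        if missing:
            problems.append((n, "missing " + ", ".join(missing)))
        else:
            accepted.append(rec)
    return accepted, problems


def activity_by_user(records) -> dict:
    """Per-user event counts: the kind of summary a shared-network log exists for."""
    counts = {}
    for rec in records:
        counts[rec["user"]] = counts.get(rec["user"], 0) + 1
    return counts


# Constructed sample log: two complete lines, one missing the location, one garbage.
SAMPLE_LOG = [
    '{"action": "read", "location": "10.0.0.5", "resource": "/payroll/2023.xlsx", '
    '"time": "2024-01-01T09:00:00+00:00", "user": "alice"}',
    '{"action": "write", "location": "10.0.0.7", "resource": "/payroll/2023.xlsx", '
    '"time": "2024-01-01T09:05:00+00:00", "user": "alice"}',
    '{"action": "read", "resource": "/hr/contracts", '
    '"time": "2024-01-01T09:06:00+00:00", "user": "bob"}',
    'corrupted line ###',
]

if __name__ == "__main__":
    good, bad = validate_log(SAMPLE_LOG)
    print(activity_by_user(good), bad)
```

Rejecting rather than silently accepting a partial record matters because the value of the log lies in being able to say who did what, when, and from where; a record missing one of those cannot support that statement.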

Back-up Processes: Back-up procedures involve creating additional copies of stored materials on one of the storage media, whether within or outside the system. Back-up processes must adhere to predetermined, documented, and written rules, ensuring consistency in storage standards and protection of back-up copies. Key issues for consideration include back-up timing, safe storage of copies, numbering and indexing systems, retrieval and usage methods, security of storage locations, and encryption of copies containing sensitive or confidential data.
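Two of the issues listed above, a numbering and indexing system for copies and verification before a copy is relied on at retrieval, can be demonstrated concretely. The following added example (not from the original text; the directory layout and manifest format are assumptions) stores each backup in a numbered slot with a manifest of SHA-256 checksums and checks the copy against that manifest before restoring, so a corrupted or missing file is noticed before, not after, a recovery.

```python
"""Numbered backup copies with a checksum manifest, verified at retrieval time
(added example; directory layout and manifest format are assumptions)."""
from __future__ import annotations

import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source: Path, backup_root: Path) -> Path:
    """Copy every file under source into the next numbered slot
    backup_root/NNNN/data/ and record each file's SHA-256 in manifest.json."""
    backup_root.mkdir(parents=True, exist_ok=True)
    numbers = [int(p.name) for p in backup_root.iterdir() if p.is_dir() and p.name.isdigit()]
    dest = backup_root / f"{max(numbers, default=0) + 1:04d}"
    dest.mkdir()
    manifest = {}
    for f in sorted(source.rglob("*")):
        if f.is_file():
            rel = f.relative_to(source).as_posix()
            target = dest / "data" / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(f.read_bytes())
            manifest[rel] = sha256_file(target)
    (dest / "manifest.json").write_text(json.dumps(manifest, sort_keys=True, indent=1))
    return dest


def verify_backup(dest: Path) -> list[str]:
    """Return files whose checksum no longer matches the manifest or which are
    missing; an empty list means the copy is intact and safe to restore from."""
    manifest = json.loads((dest / "manifest.json").read_text())
    return [rel for rel, digest in manifest.items()
            if not (dest / "data" / rel).is_file()
            or sha256_file(dest / "data" / rel) != digest]


def demo() -> dict:
    """Run the cycle on constructed data in a temporary directory and report
    what verification sees before and after copies are damaged."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "src"
        (src / "db").mkdir(parents=True)
        (src / "db" / "accounts.csv").write_text("id,balance\n1,100\n")
        (src / "config.ini").write_text("[main]\nmode=prod\n")
        root = Path(tmp) / "backups"
        first = create_backup(src, root)
        second = create_backup(src, root)
        result = {
            "slots": [first.name, second.name],
            "first_intact": verify_backup(first) == [],
            "second_intact": verify_backup(second) == [],
        }
        # Simulate silent corruption in the first copy and a lost file in the second.
        (first / "data" / "db" / "accounts.csv").write_text("id,balance\n1,999\n")
        (second / "data" / "config.ini").unlink()
        result["first_after_tamper"] = verify_backup(first)
        result["second_after_loss"] = verify_backup(second)
        return result


if __name__ == "__main__":
    print(demo())
```

The manifest lives beside the data here, so it only detects accidental damage; if the concern includes deliberate tampering with the copy, the manifest (or a signature over it) must be kept in a separately protected location, and copies holding confidential data would additionally be encrypted, as the text requires.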

Technical Security Means and Intrusion Prevention Systems: The technical means of security that should be employed in computer and internet environments are numerous, as are their purposes and scopes. Previously, we covered identification and authorization matters, specifically regarding passwords and other identification methods. Firewalls, in addition to cryptography, access control systems, intrusion detection systems (IDS), and antivirus software exhibit increasing importance. However, they do not encompass all the security measures available; rather, they complement the earlier-discussed identification and advanced authentication methods, representing some of the most significant contemporary technical security approaches. We will discuss these means as much as possible, noting their key issues based on internationally acknowledged security guidelines and prevailing standards in Item 1-5 of this chapter.

Incident Handling System: Regardless of the technical security means used and the standards and procedures implemented, there must exist a comprehensive system for managing risks, incidents, and attacks; this is essential for organizations, especially banks and financial institutions. The first point to recognize is that handling incidents is a process, not merely a project or a single step: an integrated, continuous activity governed by predetermined rules that are followed with discipline. Treating incidents as isolated occurrences dealt with as they arise reflects a weakness in the security system. The components, stages, and steps of an incident handling system vary from one organization to another, depending on the nature of the risks identified through risk analysis and on what the established security strategy has revealed. They also depend on the system in question, whether closed or open computer systems, databases, networks, or a combination thereof, on whether a particular service system or public services via the network (local or international) are involved, and on the application function concerned. For instance, the steps and contents of incident handling plans for internet banks differ from those for informational websites. However, incident handling systems generally comprise six steps in a sequential manner: preparation, investigation and monitoring, containment and eradication, recovery and restoration to a normal state, and follow-up.

3. What Are the Risks, Threats, Vulnerabilities, Types of Attacks, and Their Technical Methods?

3-1 Concepts and Terminology:

The boundaries between crime and immoral acts seem unclear in the computer and internet environment. Distinguishing and regulating these boundaries is essential for determining when an act can be considered a crime among computer and internet crimes or merely abuse without criminal intent. This issue sparked widespread debate from the early 1960s to the mid-1970s, coinciding with the rise of computer crimes. This debate has resurfaced due to the proliferation of the internet and the new activities it has introduced, with ongoing disagreements over whether these activities are crimes or merely unethical practices that do not rise to the level of crime.

For example, there is considerable debate today about whether unsolicited bulk email advertisements sent to users can be classified as a wrongful practice or an act warranting accountability. As this phenomenon has grown, it has been exploited in numerous instances to send thousands of messages to a specific system at a given time, intending to disrupt its operations and achieve a denial-of-service attack, then claiming that the act is merely an error in resending previously sent advertisement messages. With many associated issues that threaten privacy and the integrity of system use, legislative bodies in various countries have found themselves compelled to reassess their stance on email and spam. This reevaluation has led to a series of legislative measures being proposed in Western countries, including the U.S. and the European Union, to regulate email-related issues and counter negative manifestations and illicit activities tied to this phenomenon. Nonetheless, there remains debate over whether these activities constitute crimes or whether they are behaviors that, while not ethically or professionally acceptable, do not amount to criminal acts.

The purpose of this introduction is to attempt to provide a precise definition of the terms used in the world of computer and internet crimes, distinguishing between various terms that are often confused. There is a difference between cybercrime, cyber terrorism, information warfare, risks, incidents, vulnerabilities, errors, breaches, and others.

Threats: Refers to a potential danger that a system may face, which can include individuals (such as spies, professional criminals, or hackers), something threatening devices, software, or data, or events such as fires, power outages, or natural disasters.

Vulnerabilities: Refers to an element, point, or location in a system that may be exploited by an attacker, allowing a breach. For instance, the individuals using the system can be a vulnerability if their training in using and protecting it is inadequate. An internet connection can be a vulnerability, particularly if it is not encrypted. The physical location of a system can also be a weakness if it lacks safety and protection measures. Generally, vulnerabilities are what allow threats or risks to take effect. This term is linked to the concept of countermeasures, which refers to the techniques used to protect the system, such as passwords, locks, monitoring tools, firewalls, etc.

Risks: This term is often used interchangeably with “threat,” although it actually pertains to the impact of threats when they occur. A successful information security strategy is based on risk analysis; this process is ongoing and not a limited plan. It begins with inquiries about threats, then vulnerabilities, and finally appropriate countermeasures to address those threats and prevent vulnerabilities.
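The risk-analysis sequence just described (threats, then the vulnerabilities that let them in, then countermeasures), together with the earlier classification of information by required protection level and the categorization of risks by source, means, and impact, can be captured in a small risk register. The following is an added example, not from the original text: each entry pairs a threat with a vulnerability and an asset, scores it as likelihood times impact, and derives impact from the asset's classification; the scales, the classification weights, and the sample entries for an e-commerce site are all constructed assumptions.

```python
"""A small risk register: threat x vulnerability x asset, scored as likelihood
times impact, with impact taken from the asset's classification level
(added example; scales and sample entries are constructed)."""
from __future__ import annotations

from dataclasses import dataclass

# Classification levels named in the text, mapped to an assumed impact weight.
CLASSIFICATION_IMPACT = {
    "accessible": 1,
    "reliable": 2,
    "confidential": 3,
    "highly confidential": 4,
}
ELEMENTS = {"confidentiality", "integrity", "availability", "non-repudiation"}


@dataclass
class Risk:
    asset: str
    classification: str
    threat: str           # what may happen (the source of danger)
    vulnerability: str    # the weakness that lets it happen here
    likelihood: int       # 1 = rare ... 4 = expected (assumed scale)
    element: str          # which security element would be harmed
    countermeasure: str = ""

    def __post_init__(self) -> None:
        if self.classification not in CLASSIFICATION_IMPACT:
            raise ValueError(f"unknown classification: {self.classification}")
        if not 1 <= self.likelihood <= 4:
            raise ValueError("likelihood must be 1..4")
        if self.element not in ELEMENTS:
            raise ValueError(f"unknown element: {self.element}")

    @property
    def impact(self) -> int:
        return CLASSIFICATION_IMPACT[self.classification]

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def ranked(register: list[Risk]) -> list[Risk]:
    """Highest score first; ties keep register order (sorted is stable)."""
    return sorted(register, key=lambda r: r.score, reverse=True)


def untreated(register: list[Risk], threshold: int) -> list[Risk]:
    """Risks at or above the threshold that still have no countermeasure:
    the entries the next security budget should address first."""
    return [r for r in ranked(register) if r.score >= threshold and not r.countermeasure]


def by_element(register: list[Risk]) -> dict[str, int]:
    """Total score per security element, showing which element the plan must weight most."""
    totals: dict[str, int] = {}
    for r in register:
        totals[r.element] = totals.get(r.element, 0) + r.score
    return totals


# Constructed register for an e-commerce site (sample values, not real data).
REGISTER = [
    Risk("customer card numbers", "highly confidential", "disclosure via web server compromise",
         "unpatched web server", 3, "confidentiality"),
    Risk("customer card numbers", "highly confidential", "disclosure by an insider",
         "shared staff passwords", 2, "confidentiality", "individual accounts and access logging"),
    Risk("payroll file", "confidential", "unnoticed alteration of records",
         "backup copies are not checksummed", 2, "integrity"),
    Risk("office workstation", "reliable", "power loss during processing",
         "no UPS", 3, "availability", "UPS installed"),
    Risk("public web site", "accessible", "mail or request flood",
         "no rate limiting", 4, "availability"),
]

if __name__ == "__main__":
    for r in ranked(REGISTER):
        print(r.score, r.asset, "|", r.threat, "|", r.vulnerability, "|", r.countermeasure or "UNTREATED")
    print(by_element(REGISTER))
```

The register makes the proportionality point from the protection-plan discussion visible: the same threat (disclosure of card numbers) scores differently depending on the vulnerability and whether a countermeasure is already in place, and a high-likelihood flood against public data ranks below a moderate-likelihood threat to highly confidential data.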

Incidents: This term encompasses risks and errors, referring to both intentional and unintentional actions as used in technical information security studies. It includes attacks and technical errors. However, the precise definition of this concept within performance-management and legal frameworks must include unintentional incidents, which could stem from natural risks without intentional factors, or unintentional technical errors.

Attacks: This term describes assaults based on their outcomes or targeted locations. For instance, we speak of denial-of-service attacks, terrorist attacks, software attacks, malicious employee attacks, or spoofing attacks. The term “breaches” is often used interchangeably with attacks, describing various forms of technical assaults, thereby making it synonymous with assaults.

Within the legal terminology framework—which we will discuss in detail in Chapter Two—it is important, at this point, to specify the difference between three terms used in legal studies. The first is cybercrime, which refers to various computer and internet crimes today, although its initial use was limited to internet-related crimes. We will address its content in detail later when discussing legal terminology related to computer crimes.

The second term is cyber terrorism, referring to attacks targeting computer systems and data for religious, political, ideological, or ethnic purposes. Essentially, this is a subset of cybercrime, as it involves crimes that damage systems and data or disable websites and operations. However, it is characterized by several features, primarily its practice of acts considered terrorist actions in a computer and internet context, utilizing high skills from the so-called “crackers” (malicious computer criminals) and exhibiting similar traits found in organized crime groups.

The third term is information warfare, which emerged in the internet environment to denote attacks targeting website disruptions, denial of service, and data breaches. As the term suggests, attacks and counterattacks indicate the presence of an actual war—one characterized by conflicting interests and positions among parties involved, often manifesting as politically motivated attacks or hostile competition in business sectors. This makes it synonymous here with cyber terrorism. For example, the attacks by Yugoslav hackers on NATO sites during NATO bombings were termed information warfare, as were American hackers’ attacks on Chinese sites in a government-supported U.S. campaign under the guise of human rights issues, labeled as information warfare. One of the most notable ongoing information wars, as of this guide’s preparation, is the intense battle between Arab and Muslim youth—specifically Lebanese resistance youth supported by Arab and Muslim hacking experts—and technological entities in Israel, aiming to demonstrate capabilities in hacking websites and disrupting or seizing data from these sites. This term is essentially more of a media term than an academic one. It is often used interchangeably in many reports with “electronic terrorist attacks” and is broadly utilized by many to encompass all forms of risks, threats, assaults, and crimes in the electronic environment. However, it is primarily applied to attacks and counterattacks amid ideological and belief wars to distinguish it from other forms of website disruptions that do not stem from such motives.

Determining Risks, Vulnerabilities, and Patterns of Technical Assaults: Therefore, after outlining points of attack in the electronic environment (Section 1-3) and clarifying some concepts related to risks and assaults, the question arises: What are the risks, security vulnerabilities, and patterns of assaults facing information technology? Are these risks uniform, or do they differ based on technology, uses, and purposes?

Before addressing these questions, it’s important to highlight several facts:

Fact 1: We must initially understand that a completely secure computer is merely a computer that has not yet been connected to a power source, remains inside its box, and has not yet been used. Once a computer is put to use, risks emerge, ranging from the traditional dangers faced by any movable property to specific risks associated with the nature and functions of this device, which can also entail risks where the device itself becomes a source of danger to the interests and rights of others.

Fact 2: Discussing risks, security vulnerabilities, and patterns of technical assaults is not a description of computer and internet crime patterns (see Chapter 2). For instance, the crime of data destruction inherently involves multiple types of risks and is linked to different patterns of technical assaults arising from various security vulnerabilities. While viruses are a common means of attacking data, data destruction can also occur through numerous other means and various techniques that achieve the same goal or could even be physically achieved through destructive activities. Hence, discussions of risks often intersect when we talk about crimes and seek to define and identify them. This intersection should not lead us to confusion. For example, an unauthorized access or intrusion crime involves many types of risk and assault, often bearing the same name, such as unauthorized access to a network or unauthorized access to a computer system, and so on. Therefore, in Chapter 2, we will address patterns of computer and internet crimes, their realities, the scale of the phenomenon, and the trends of losses and damages resulting from them. However, here, we will focus on types of attacks, their technical methods, risks, and technical vulnerabilities. By reading about these risks and methods alongside crime patterns, we form a complete picture regarding the identification of information security risks, vulnerabilities, and the nature of assaults.

Fact 3: With each new day, there are new threats in the field of security vulnerabilities. We face new technologies, software, and protocols daily. Each day, a programmer innovates in the realm of computers and the internet, resulting in either positive innovations that benefit humanity under positive applications of intellectual creativity or negative innovations that are exploited to achieve unlawful ends, commit criminal acts, or engage in morally objectionable behavior. Thus, identifying risks, vulnerabilities, and assaults is an ongoing process, evolving day after day, distinguishing various security plans from one another.

Fact 4: There is a definition of risks based on the means, the nature of information, and the use case. Likewise, a definition of security vulnerabilities exists based on the environment and technology under consideration. The primary truth is that no author, researcher, or reference provides a comprehensive list of risks, assaults, and protective vulnerabilities, as that would require thorough knowledge of every technological means and its uses, not to mention imagining what cannot be conceived of in terms of motives and driving forces behind attacks encompassing a wide range of individuals from highly skilled criminals to novices, including amateurs, experts, and those with malintent as well as well-meaning individuals and spies ostracized by society alongside others masquerading as popular heroes like Robin Hood.

Accordingly, based on the aforementioned facts and concepts, theories and mechanisms for identifying lists of risks and assaults vary according to classification theory and its basis. These are different theories and criteria that can cause the list of risks to differ in breadth and scope, sometimes differing only in terminology while covering the same risks.

3-2-1 Classifying Attacks Based on Areas and Points of Protection:

In the technical field, we need to protect—and must protect—the physical environment surrounding devices and systems, known as physical security. This environment is targeted by certain types of assaults and risks. Organizations must protect themselves from risks associated with employees; thus, there are assaults related to employee matters and individuals, assaults concerning the data itself and systems accessing it, and finally, assaults related to the system’s operations. This classification, endorsed by a broad sector of technical experts or researchers in the field of information security, does not represent a precise definition, though it is notably inclusive since a single assault may find its place in one or more of these classifications. Generally, risks and assaults are classified according to this vision as follows:

First: Physical Security Breaches:

  • Dumpster Diving: Refers to attackers scouring an organization’s trash and leftover materials for anything that can assist in breaching the system, such as papers with passwords, computer outputs that may contain useful information, discarded hard drives, or any written materials, disks, notes, or anything that reveals information aiding the breach. To understand the risks associated with technological waste, it’s worth noting that the U.S. Department of Justice once sold technical device waste after deciding to dispose of it, which included a computer system with a hard drive containing all addresses related to a witness protection program. Although this information was not actually exploited, the risk of revealing these addresses necessitated the relocation of all witnesses and changing their places of residence and identities, incurring massive costs simply due to a failure to dispose of the disks properly.
  • Wiretapping: This simply refers to physical access to the network or system connections for eavesdropping or stealing data transmitted via wires, carried out by straightforward or complex methods depending on the type of network and physical connections.
  • Eavesdropping on Emanations: Achieved using technical devices to capture emitted waves from various types of systems, such as capturing optical waves from computer screens or audio waves from communication devices.
  • Denial or Degradation of Service: Refers to physically damaging the system to prevent service provision. For example, in the realm of the internet, this may involve diverse techniques such as flooding the system with electronic mail messages to disable it.

Second: Personnel Security Breaches:

Risks concerning personnel and employees, particularly internal risks, are a major area of interest for information security entities, since insiders can achieve what cannot, in theory, be accomplished from outside. Detecting such individuals remains difficult in the absence of a performance and authorization system that allows for monitoring. In general, there are various names and categories for these risks, which we will review here. It is important to note that these risks encompass both internal and external threats. Before discussing this in detail, it may be beneficial to provide a list of notable websites and effective measures addressing internal risks.

Masquerading: Refers to unauthorized access to the system by using identification credentials belonging to an authorized user, such as exploiting a user’s password and name, or leveraging an authorized user’s privileges. Although this type of breach is common in both internal organization environments and external contexts, its classification under personnel-related breaches stems from its frequent occurrence in internal environments due to employee mistakes in sharing passwords and identification methods. It can also result from observing these credentials through techniques present in the internal workplace that allow for acquiring passwords or identifiers.

Social Engineering: This method is sometimes placed under physical security protections. It involves obtaining information essential to a breach through social interaction, by manipulating a person within the system into providing a password or other information that aids the attack. A simple example is a person contacting an employee and requesting a system password under the pretense of being from the maintenance, development, or another department. Because the information is obtained through personal interaction, this is classified as social engineering.

Harassment: Includes various forms of threats and actions directed towards individuals, often involving sending harassing or threatening messages, potentially leading to blackmail or annoying pranks. This behavior is not limited to emails but also encompasses interactions in chat rooms, online news, and electronic bulletins. It’s not confined to a workplace but is present in various online interactions. Importantly, it is often seen as a more individual problem rather than an organizational one, thereby categorizing it under this classification.

Software Piracy: This involves copying software without permission, using it for material gain without authorization, or imitating it in a way that infringes on the creators’ rights. This activity falls under assaults against software in general and has become a separate sector within computer crimes, discussed in detail in the third volume of this series. Its placement within the personnel classification arises from the copying of software by individuals or employees, generally from independent media or devices, to share with friends and family or to use in other work environments.

Third: Breaches of Communication and Data Security

This category refers to activities that target data and software, encompassing two groups:

Data Attacks

  • Unauthorized Copying of Data: This common process involves unauthorized access to the system, enabling the appropriation of all types of data through copying, including information, commands, software, etc.
  • Traffic Analysis: The idea here is that the attack focuses on studying the system performance during interactions and monitoring communications to identify user behaviors, weaknesses, timing for attacks, and other issues. This falls under the concept of monitoring system movements to facilitate attacks.
  • Covert Channels: Practically a form of storage violations, where the attacker hides appropriated data, software, or information (like credit card numbers) in specific locations within the system. The purposes may vary, including preparation for a future attack, covering a previous breach, or merely storing illicit data.

Software Attacks

  • Trap Doors: A backdoor is a vulnerability or access point in software that allows an attacker to reach the system unobtrusively, much like a back door in a house that a burglar could use to enter.
  • Session Hijacking: This does not imply the use of advanced technical methods to seize data. Instead, it refers to exploiting a legitimate user’s session to observe or manipulate the system when the user is distracted, aiming to seize data or obtain information for future breaches or disruptive activities.
  • Tunneling Attacks: Tunneling originally refers to a legitimate technical method of transferring data over incompatible networks, but it becomes a violation when legitimate data packets are used to transport illicit data.
  • Timing Attacks: These are complex technical methods for unauthorized access to software or data, exploiting the timing of executing an attack in relation to the operation intervals within the system. They encompass various techniques to execute attacks, such as race conditions and asynchronous attacks.
  • Malicious Code (e.g., Viruses, Trojan Horses, Worms, Logic Bombs): These harmful software types exploit systems for destruction, theft, or unlawful tasks. They differ in their structures, methods of causing damage, and attack strategies. Viruses represent a prevalent form of attacks today, escalated by the internet’s role in spreading malware globally and causing massive losses.

Fourth: Breaches of Operations Security:

When describing risks associated with security operations, we may actually confront all types of risks, attacks, and violations. However, from a narrow technical perspective, five categories of methods are referenced here: some targeting system login strategies, some targeting data entry and processing systems, and others classified as preliminary acts aimed at unauthorized access to various network types. A brief mention of these methods and violations is needed, emphasizing other related activities and manners connected especially to network breaches, clarifying critical vulnerabilities as determined by specialized information security studies.

  • Data Diddling: This attack targets altering data or creating fictitious data during input or output phases, carried out through various technical methods that undermine the security of data entry or extraction stages.
  • IP Spoofing: Contrary to its common use, “spoofing” refers more to deception and imitation rather than hiding. It is associated with internet virus attacks, where an attacker pretends to be an authorized user, manipulating the data packet’s address to make it appear legitimate within a network.
  • Password Sniffing: Previously, password violations were often carried out by guessing easy-to-remember passwords, but now software can capture passwords as they traverse network segments.
  • Scanning: This method utilizes software (such as dialers) to randomly generate possible passwords or phone numbers, increasing the chances of unauthorized access.
  • Excess Privileges: This concept relates to a crucial security strategy where system users have defined usage scopes. However, in practice, privileges may be extended without awareness, leading to significant security breaches.

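The “excess privileges” item above describes a gap between what an account is supposed to be able to do and what the system actually lets it do. The following is an added example, not code from the original text, showing how such a gap can be audited: a hypothetical role policy (with role inheritance) is resolved into the set of allowed privileges per account, and anything granted beyond that set is reported. All role names, privilege names, and accounts are constructed for illustration.

```python
"""Least-privilege audit: compare what an account can actually do with what
its assigned roles are supposed to allow. Added example with constructed data."""
from typing import Dict, Optional, Set

# Constructed role policy (hypothetical organization): privileges each role
# is supposed to carry, and the parent roles each role inherits from.
ROLE_PRIVILEGES: Dict[str, Set[str]] = {
    "employee": {"mail:read", "mail:send", "files:read-own"},
    "accountant": {"ledger:read", "ledger:post"},
    "ledger-admin": {"ledger:approve", "ledger:export"},
}
ROLE_PARENTS: Dict[str, Set[str]] = {
    "accountant": {"employee"},
    "ledger-admin": {"accountant"},
}

# Constructed snapshot of what the system actually grants each account.
ACCOUNTS = {
    "alice": {"roles": {"accountant"},
              "granted": {"mail:read", "mail:send", "files:read-own",
                          "ledger:read", "ledger:post", "ledger:approve"}},
    "bob": {"roles": {"ledger-admin"},
            "granted": {"mail:read", "mail:send", "files:read-own",
                        "ledger:read", "ledger:post", "ledger:approve",
                        "ledger:export", "sys:shell"}},
    "carol": {"roles": {"employee"},
              "granted": {"mail:read", "mail:send"}},
}


def effective_privileges(role: str, seen: Optional[Set[str]] = None) -> Set[str]:
    """Privileges a role carries, including those inherited from its parents."""
    seen = set() if seen is None else seen
    if role in seen:          # guard against cyclic role definitions
        return set()
    seen.add(role)
    privs = set(ROLE_PRIVILEGES.get(role, set()))
    for parent in ROLE_PARENTS.get(role, set()):
        privs |= effective_privileges(parent, seen)
    return privs


def allowed_for(roles: Set[str]) -> Set[str]:
    """Union of the effective privileges of all assigned roles."""
    allowed: Set[str] = set()
    for role in roles:
        allowed |= effective_privileges(role)
    return allowed


def excess_privileges(roles: Set[str], granted: Set[str]) -> Set[str]:
    """Privileges actually granted that no assigned role justifies."""
    return set(granted) - allowed_for(roles)


def audit(accounts=ACCOUNTS) -> Dict[str, Set[str]]:
    """Map each account to its excess privileges (empty set when within policy)."""
    return {name: excess_privileges(acc["roles"], acc["granted"])
            for name, acc in accounts.items()}


if __name__ == "__main__":
    for name, excess in audit().items():
        status = "OK" if not excess else "EXCESS: " + ", ".join(sorted(excess))
        print(f"{name}: {status}")
```

In the constructed data, alice holds an approval right her role does not include, and bob holds a shell right that no ledger role justifies; carol is within policy. Running such a comparison on a schedule is the usual way the silent privilege growth the text describes is caught.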
Risk Classification Based on Data Position within the System and the Technical Medium

Information faces various risks during collection, processing, retrieval (reading, printing, or downloading), transmission, and storage stages. Each stage has its associated risks and specific protective measures. Most risk classification lists operate on the basis of data position within the system. For example, INTERPOL’s classification organizes risks into three categories:

  1. Risks during the creation, retrieval, modification, and deletion of information: Referring to information present within the system.
  2. Risks during transportation: Related to data exchanged between computer systems.
  3. Risks during storage: Associated with information saved on external media.

Risks also vary depending on the technical medium considered; for example, the dangers associated with networked computers differ from those of standalone machines. The threats to e-commerce sites diverge from those of simple informational profiles.

This serves as the second criterion, along with the data position criterion, in the lists of threats and methods of technical violations established by various law enforcement bodies, including INTERPOL.

Classification of Risk and Technical Methods of Violation Based on Common Attack Techniques, Purposes, and Data Value

From a third perspective, many risk classification lists are not consistently defined; their classification criteria vary, influencing how violation methods and risks are characterized. Different actors engage in violations based on the prevalence of specific types of attacks. For instance, in the year 2000, denial-of-service attacks on websites rose significantly, alongside global virus strikes, whereas current discussions center around attacks on e-commerce sites for financial gain via various internet fraud schemes.

Violations and risks could also be classified based on the type of information targeted for protection. Military databases attract interest from various professional spies or state-sponsored actors, while other breaches aim simply to demonstrate hacking skill without ill intent.

Cybersecurity risks increasingly focus on the security of the servers that host websites or provide online services. Risk registers often list the threats prevalent at a given time, such as technical errors, fraud, disgruntled employees, physical and infrastructure risks, malicious attacks, industrial espionage, and malware.

One of the most important recent activities in building information projects, particularly in creating websites for marketing, e-commerce, and electronic financial services, is to develop a comprehensive view of the legal risks that the website is likely to face and to identify legal mechanisms to address them. This process is very similar to the technical risk analysis process and is undertaken by qualified legal authorities in the field of information technology law. It is not an exaggeration to say that Arab Internet sites and Arabic information investment projects lack a clear vision and understanding in this field. While the risk of overlooking legal risks affects all sites and institutions, it becomes a multiplied threat in the realms of electronic commerce and electronic business, especially in wireless banking and online banking.

Legal risk analysis is a continuous process that begins the moment a project is initiated and prepared. It identifies all the legal needs of the project, in addition to analyzing the technical, marketing, operational, and performance-related processes associated with the project from the perspective of legal relationships and liabilities, as well as defining legal protection requirements and addressing anticipated liabilities.

4. What are technical security measures?

4-1 Scope of security measures and their foundations

What we are discussing here is not a specification of security products, as a new product emerges daily, and there is constant reevaluation of security measures. These measures and products range from physical protection means to software and protection solutions, as well as theories and protection protocols. It would not be an exaggeration to say that the market for security measures has advanced in terms of the number of products available compared to the market for devices and solutions themselves, because each product and new program requires a certain amount of technical protection measures.

This guide does not assess existing security measures; for example, it does not discuss the effectiveness of firewalls or the ability of virtual private networks to provide security and trust. Rather, it only presents common categories of information security measures, each encompassing thousands of tools that vary according to needs and the specific nature of the protected subject.

Therefore, when discussing any measures, there is a main premise and specific evidence:

  • The premise: Each system has its own needs, and the mistake of replication and disregard for the real need is akin to failing to provide protection.
  • The prevailing error lies in the belief that computer systems and networks share similar security needs. Even within the same category of computer systems that use the same operating software or rely on the same networking measures and solutions, a divergence in protection requirements persists due to the variance in operational nature and the nature of the data itself, the means of usage, and finally, the necessary balance between security measures and the system’s performance and efficiency.

Building effective security measures requires starting from the specific needs of the institution and its security purposes, as previously explained and as will be further elucidated in section 1-5. This is based on understanding internal needs: what we protect differs from what others protect; the sources of risk facing a financial institution, for instance, differ from those facing a military institution or an individual user’s computer system. The requirements for protecting a computer’s software and the data stored within vary widely from the needs for protecting an internal network or ensuring secure links to a global network.

Thus, security technologies are tied to specific needs based on accurate criteria and facts, and also rely on the balance between protection requirements and performance speed, as well as balancing protection needs with the budget allocated for security measures. The rationale behind using technologies from a particular company merely because they are global or distinguished does not align with the security strategy itself. It would not be an exaggeration to say that hundreds of institutions—particularly in finance—have used bundles of technologies, including firewalls and encryption software that were effective in other contexts, but failed to resolve their security issues. Simultaneously, if they did manage to address them, they negatively impacted performance efficiency and system effectiveness.

Technical Evidence – Each type of security measure has its institutions and technical evidence, and there is a growing specialization in each of these areas. The market for technical measures once consisted merely of products and services added to the offerings of various technology companies, often serving as tools for other products and services. While technology companies still dedicate units to security products, the market has moved towards specialization, leading to the emergence of large companies operating in the field of information security, its measures, and solutions. Research and strategic studies, as well as legal studies, have shifted towards dealing with security measures independently. Comprehensive evidence and studies exist in areas such as viruses and their countermeasures, encryption and its solutions, and identification and access control measures, among others.

4-2 Common Security Measures

Information security measures comprise a collection of mechanisms, procedures, tools, and products used to prevent or reduce the risks and threats faced by computers, networks, and systems in general, including databases.

As previously mentioned, security measures are diverse in nature and purpose, but we can primarily classify these measures based on their protective goals into the following categories:

  1. User Identification and Authentication Measures: These measures aim to ensure that the system or network is accessed only by authorized individuals. This category includes various types of passwords, smart cards used for identification, biometric recognition methods based on specific biological traits of users, various products that provide temporary or electronically variable passwords, encrypted keys, and electronic locks that define access areas.
  2. Access Control Measures: These measures help ensure that the network and its resources are used legitimately. They include methods that establish user rights, user lists, usage privileges, and other arrangements that allow for controlling the legitimacy of network access from the outset.
  3. Data and Message Confidentiality Measures: These measures aim to prevent the disclosure of information to unauthorized parties, ensuring the confidentiality of the information through data encryption techniques, protection for backup copies, physical protection of devices and network components, and the use of filters and routers.
  4. Data and Message Integrity Measures: These are measures that ensure that the content of the data is not modified by unauthorized parties, including techniques such as encoding, electronic signatures, and antivirus software.
  5. Non-repudiation Measures: These measures aim to ensure that a user cannot deny the actions they have taken. This is crucial in electronic business environments and online contracts and currently relies on electronic signature technologies and certificates issued by third parties.
  6. Logging and Monitoring Measures: These are technologies used to monitor system users to identify individuals who performed specific actions at specific times, encompassing all types of software and electronic logs that record usage.

A Brief Clarification of the Most Common Security Measures in Information Systems:

  • Antivirus Software: Although antivirus technologies are widespread and among the most recognized security measures, the extent of their application and strategies reveals significant gaps and misunderstandings about their roles. In general, there are five basic mechanisms through which these antivirus products detect viruses that may infect the system, and there are fundamental rules that ensure the effectiveness of these measures, relying fundamentally on balancing the necessities of these technologies to protect the system with the potential impacts of their misuse on performance and effectiveness.
  • Firewalls and Virtual Private Networks (VPNs): Firewalls have evolved significantly since their inception when they merely filtered data traffic based on simple rules. Modern firewall software, while still using filtering methods, does much more, such as establishing virtual private networks, monitoring content, preventing viruses, and managing quality of service. All these services rely fundamentally on firewalls being placed at the network edge. Over the past decade, firewalls have simply been basic tools acting as gateways to the Internet—essentially, guards at the network’s edge—regulating data traffic and maintaining network security. The first firewalls for networks appeared in 1980 as routers employed to segment these networks into small local area networks (LANs). Such firewalls were deployed to limit the spread of issues encountered by one part of the network to other sections. The first firewalls were used for security in the early 1990s and were IP protocol routers with filtering rules that might look like this: “allow this user access to this file” or “block this user (or program) from entering this area (or these areas).” While these firewalls were effective, they were limited—often, it was difficult to master the establishment of filtering rules, and sometimes it was challenging to identify which application components needed to be restricted from network access. In other instances, network elements, such as employees working within them, would change, necessitating rule changes. Hence, the next generation of firewalls became more capable and flexible for modifications.

Firewalls were deployed on what are known as bastion hosts. The first firewall of this kind, using filters and application gateways (proxy servers), came from Digital Equipment Corporation (DEC), whose network labs developed the first firewalls produced by the company. In June 1991, DEC launched its first firewall, and in the months that followed Marcus Ranum at Digital created proxy software and rewrote part of the firewall code, leading to the DEC SEAL product. It initially consisted of an external system known as the Gatekeeper, the only system able to communicate with the Internet, together with a filtering gateway and an internal email proxy.

From these simple beginnings, fierce competition among providers for a market share of firewalls drove more innovation, not only in speeding up firewall performance and enhancing services but also in embedding capabilities that exceeded those available at that time. These capabilities included:

  • User Authentication: The first significant addition that developers made to early firewalls was robust identity verification capabilities. If an organization’s security policies permit access to the network from an external network, such as the Internet, some form of user identity verification must be used. Authentication simply means ensuring the validity of the user’s claim to identity beyond just verifying a username and password, which are not, in themselves, strong means of user identification. Over an unsecured connection, such as an unencrypted link over the Internet, usernames and passwords can be copied and reused in replay attacks. Strong methods of verifying user identity employ encryption techniques like digital certificates or private key calculations. Through digital certificates, replay attacks can be avoided since the username and passwords copied would not enable access to the network.
  • Virtual Private Networks: The second addition to Internet firewalls was inter-firewall encryption, initially represented by the product ANS InterLock, which we now refer to as virtual private networks (VPNs). These networks are considered private because they utilize encryption, and “virtual” because they use the Internet and other public networks to transmit private information. While VPNs were available before firewall software, using modems or routers for encryption, they later became integrated into firewall software. With VPN technology, organizations can replace leased communication facilities with encrypted channels over public networks, such as the Internet.
  • Content Screening: Over the past two years, it has become common for firewalls to be utilized as tools to monitor incoming content to the network. Some additions incorporated into firewall software include virus scanning, monitoring web addresses, restricting Java scripts, and password monitoring and oversight.
  • Firewall Appliances: This is a new generation of firewalls that providers began introducing in the past year. This generation includes several technologies, including turnkey firewall solutions that require no user setup and can be used immediately upon acquisition without the need for specific modifications to the operating system or existing infrastructure.
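
The user-authentication item above makes a specific point: a username and password copied from an unencrypted link can be reused in a replay attack, whereas an authentication method based on cryptographic proof cannot. The following is an added example, not code from the original text, contrasting the two. In place of the digital certificates the text mentions, it uses the simpler keyed-hash challenge-response (HMAC over a server-issued nonce) as a stand-in that exhibits the same property; the password, salt, and shared key are constructed values.

```python
"""Replayable password login versus nonce-based challenge-response.
Added example with constructed keys; not code from the original page."""
import hashlib
import hmac
import secrets
from typing import Dict

# --- Scheme A: static password sent over an unencrypted link -----------------
# The server stores a salted password hash. Anyone who copies the password
# as it crosses the wire can present the same value again and be accepted.
SALT = b"constructed-salt"
PASSWORD_DB = {"alice": hashlib.pbkdf2_hmac("sha256", b"hunter2", SALT, 10_000)}


def password_login(user: str, submitted_password: bytes) -> bool:
    stored = PASSWORD_DB.get(user)
    if stored is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", submitted_password, SALT, 10_000)
    return hmac.compare_digest(stored, candidate)


# --- Scheme B: challenge-response with a per-login nonce ---------------------
# Server and client share a secret key that never crosses the wire. The server
# sends a fresh random nonce; the client proves possession of the key by
# returning HMAC(key, nonce). A captured response is bound to a nonce the
# server consumes on first use, so presenting it again fails.
class ChallengeResponseServer:
    def __init__(self, shared_keys: Dict[str, bytes]):
        self._keys = shared_keys
        self._pending: Dict[str, bytes] = {}   # outstanding nonce per user

    def issue_challenge(self, user: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending[user] = nonce
        return nonce

    def verify(self, user: str, nonce: bytes, response: bytes) -> bool:
        expected_nonce = self._pending.pop(user, None)  # one-time use
        key = self._keys.get(user)
        if expected_nonce is None or key is None:
            return False
        if not hmac.compare_digest(expected_nonce, nonce):
            return False
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_response(key: bytes, nonce: bytes) -> bytes:
    """What the legitimate client sends back for a given challenge."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def demo() -> Dict[str, bool]:
    """Simulate an eavesdropper who copies one login and presents it again."""
    results: Dict[str, bool] = {}

    # Scheme A: the copied password works every time it is replayed.
    captured_password = b"hunter2"
    results["password_first_login"] = password_login("alice", captured_password)
    results["password_replay"] = password_login("alice", captured_password)

    # Scheme B: legitimate login, then replay of the captured (nonce, response).
    key = b"constructed-shared-key-for-alice"
    server = ChallengeResponseServer({"alice": key})
    nonce = server.issue_challenge("alice")
    captured = (nonce, client_response(key, nonce))
    results["cr_first_login"] = server.verify("alice", *captured)
    results["cr_replay_same_nonce"] = server.verify("alice", *captured)
    # Even once a new challenge is outstanding, the old response does not match it.
    server.issue_challenge("alice")
    results["cr_replay_after_new_challenge"] = server.verify("alice", *captured)
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {'accepted' if outcome else 'rejected'}")
```

The replay is rejected for two independent reasons: the nonce is consumed on first verification, and any later challenge is a different random value. That is the property the text attributes to certificate-based authentication; the firewall simply has to refuse to treat a bare password as proof of identity.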

Internet security measures have transitioned from individual or one-way protective levels, relying on placing protection measures—including firewalls—at the boundary separating the private network from the routers connecting to the global network (the Internet), to multi-level security that provides additional layers of defense for specific types of information or information systems within the private network. Multi-directional and multi-purpose security measures use different mechanisms to provide comprehensive system security, comprising three primary areas: 1) Security management steps including strategies and purposes, products, production rules, research, and analysis; 2) Security types covering prevention or protection, investigation, detection, and action; and 3) Protection measures including safeguarding systems, servers, and infrastructure networks.

Encryption

Encryption techniques and policies currently receive exceptional attention in the field of information security because encryption represents the most critical means of achieving the three security functions: confidentiality, integrity, and availability of information. Encryption technologies are integrated into various technical means aimed at safeguarding these elements. Ensuring the confidentiality of information now relies, among other methods, on encrypting files and data and on encrypting authentication mechanisms and passwords. The mechanism for protecting content integrity is based on encrypting exchanged data and ensuring that, upon decryption, the electronic message has not been subjected to any modification. Encryption is generally the almost sole means of ensuring non-repudiation of actions across electronic networks. Therefore, encryption represents a holistic strategy for achieving security goals on one hand and is a critical component of other security technologies and measures on the other, especially in the environment of electronic business, e-commerce, electronic messaging, and generally data exchanged through electronic media.

In terms of its concept, encryption involves two main stages: the first transforms plaintext into unreadable code, and the second decrypts the coded text back into its original, readable form. This process is carried out by encryption software, which varies in type and function. As for encryption methods, there is symmetric encryption, and key-based encryption whose keys may be public, private, or a combination of both. To address the main purposes, elements, and techniques of encryption, we provide selected materials on these issues along with their sources.
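
The two stages just described, together with the earlier requirement that decryption confirm the message was not modified, are shown below in an added example that is not code from the original text. It builds a small symmetric scheme from the Python standard library: the keystream is generated in counter mode from HMAC-SHA256 (an illustrative stand-in for a standard cipher such as AES, chosen so the example runs with no third-party library), and a separate HMAC tag over the ciphertext is checked before any decryption takes place. The keys and message are constructed values.

```python
"""Two-stage encryption (encrypt, then verify-and-decrypt) with an integrity
check, built from the Python standard library. Added example; constructed keys."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

NONCE_LEN = 16
TAG_LEN = 32  # SHA-256 output length


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256. Illustrative stand-in for a
    standard cipher: the same key and nonce always regenerate the same stream."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Stage one: plaintext -> nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(enc_key: bytes, mac_key: bytes, message: bytes) -> Optional[bytes]:
    """Stage two: verify the tag first, and only then decrypt. Returns None when
    the message was modified, so a tampered message never yields plaintext."""
    if len(message) < NONCE_LEN + TAG_LEN:
        return None
    nonce = message[:NONCE_LEN]
    ciphertext = message[NONCE_LEN:-TAG_LEN]
    tag = message[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return _xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))


def demo() -> Dict[str, object]:
    """Round trip, then show what the integrity check catches."""
    enc_key = b"constructed-encryption-key"
    mac_key = b"constructed-integrity-key"
    msg = b"Transfer 100 to account 42"
    sealed = encrypt(enc_key, mac_key, msg)
    results: Dict[str, object] = {"roundtrip": decrypt(enc_key, mac_key, sealed) == msg}

    # Flip one bit of the ciphertext byte that encrypts the "1" of "100".
    idx = NONCE_LEN + msg.index(b"1")
    tampered = bytearray(sealed)
    tampered[idx] ^= 0x01
    results["tampered_rejected"] = decrypt(enc_key, mac_key, bytes(tampered)) is None

    # Without the tag check, the same bit flip would decrypt silently to a
    # different amount: this is why integrity must accompany confidentiality.
    nonce = sealed[:NONCE_LEN]
    ct = bytes(tampered[NONCE_LEN:-TAG_LEN])
    results["unauthenticated_decrypt"] = _xor(ct, _keystream(enc_key, nonce, len(ct)))

    results["wrong_key_rejected"] = decrypt(enc_key, b"other-key", sealed) is None
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")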

5. What is an information security strategy, and how is it constructed?

5-1 Initial Concepts and Determinants

What is an Information Security Strategy? An information security strategy, or security policy, is a set of rules that individuals apply when dealing with technology and information within an organization. It pertains to the management and access of information systems.

What are the Objectives of the Information Security Strategy? The information security strategy aims to:

  1. Define users’ and administrators’ obligations and responsibilities for protecting computer systems and networks as well as safeguarding information in all its forms, throughout its input, processing, storage, transmission, and retrieval stages.
  2. Determine the electronic mechanisms through which the specified duties are realized and implemented by those involved with the information and its systems, including defining responsibilities in case of danger.
  3. Outline the procedures for overcoming threats and risks and dealing with them, including the parties responsible for executing these procedures.

Who Develops Information Security Strategies? When preparing any strategy regarding information security, for it to be effective, productive, and purposeful, it must involve the participation, understanding, acceptance, and implementation of various operational levels within the organization along with a noted need for full cooperation and support from all. Hence, those concerned with preparing the information security policy are distributed across numerous ranks and entities within the organization. However, in general, they include site security officers, network managers, computer unit staff, heads of various organizational units such as business, marketing, research, etc., as well as the incident response team, representatives of user groups, senior management, and the legal department.

When is an Information Security Strategy Described as Successful? In terms of effective use: For an information security strategy to be considered fundamentally successful, it should be comprehensively applied across all management sectors and be practically accepted by those responsible for its implementation alongside the availability of guiding tools and guidelines to ensure the sustainability of execution without slackening. Implementation here refers to the actual use of technical protection tools on one side and the practical application of rules for working with data and its systems on the other side. The strategy does not achieve success if there is any ambiguity; thus, it must be clear, precise in its content, and comprehensible to all stakeholders.

Regarding content: fundamental aspects of information security extend to various facets connected to information systems, their management, and their interaction, along with issues concerning the information itself and how others deal with the organization’s information. Thus, the strategy should encompass a clear policy regarding acquiring and purchasing technical devices and tools, software, operational solutions, and system management solutions. It should also include an information privacy strategy, defining types of information, their values and descriptions regarding confidentiality, and detailing exceptions that the strategy adopts concerning employees’ privacy rights along with justifications for these exceptions, such as monitoring email or supervising access within the organization or controlling access to users’ files within the organization. Access strategies to networks and information must clearly define the rights and privileges of each individual in the organization to access specific files or areas in the system, alongside policies for dealing with external communications, devices and means of communication used, newly introduced programs, and messaging strategies with others.

The information strategy also encompasses subscription strategies which define the organization’s policy regarding external entities’ subscriptions to its network or systems, along with strategies for dealing with risks and errors, delineating the nature of risks and the procedures for reporting and managing them, and the parties responsible for addressing these risks.

5-2 What are the Foundations and Principles of the Information Security Strategy?

The principles of information security must begin with identifying risks, protection purposes, security areas, necessary protection patterns, and precautions against risks. The foundations upon which information security strategies are built, based on the varied needs of each organization, revolve around answering three main questions: What do I want to protect? From what do I want to protect this information? How do I protect this information?

Main Goals of Data Protection:

  1. Confidentiality: Ensuring that information is not disclosed or accessed by unauthorized individuals.
  2. Integrity: Ensuring that the content of information remains accurate and unaltered, specifically confirming that content is not destroyed or altered through unauthorized intervention.
  3. Availability of Information or Service: Ensuring that information users do not experience denial of access to or use of it.

Areas of Information Security:

  1. Communication Security: It refers to protecting information during data exchange from one system to another.
  2. Computer Security: It involves protecting all types and patterns of information within the system, such as protecting operating systems, application software, data management programs, and various types of databases.

Information security cannot be achieved without providing integrated protection across both sectors through security standards that ensure such protection, employing various levels of security corresponding to their nature.

Patterns and Levels of Information Security:

  1. Physical Protection: This includes all means that prevent access to information systems and databases, such as locks, barriers, secure rooms, and other physical security measures.
  2. Personnel Security: This relates to the employees working within the relevant technical system: providing personal identification measures for each of them, and ensuring that those who handle security measures are trained and qualified and are aware of security issues and the risks of information breaches.
  3. Administrative Security: This is about management control over information systems and databases, such as controlling external or foreign software outside the organization, investigating security breaches, and overseeing monitoring activities, including administrative oversight of external subscriptions.
  4. Media and Knowledge Security: This involves controlling the reproduction of information and the destruction of sensitive information sources when deciding not to use them.

Risks

Various risks can threaten information systems, including e-commerce systems. The most notable of these risks are:

  1. System Intrusions: This occurs when an unauthorized person breaks into a computer system and engages in unauthorized activities, such as modifying application software, stealing confidential data, or destroying files, software, or the system itself for illicit use. Traditional breaches can occur through impersonation and disguise, where the intruder poses as someone authorized. Alternatively, vulnerabilities in the system may be exploited by bypassing control and protection measures, or by using information gathered through physical or social means, such as rummaging through an organization’s trash for passwords or system details, or social engineering, where the intruder persuades a person to reveal sensitive information such as passwords, for instance over the telephone.
  2. Authorization Abuse: This occurs when an authorized person uses the system for purposes other than those for which permission was granted. This risk is primarily an internal danger, misuse by the organization’s employees, but it can also be an external risk, such as an intruder using an authorized person’s account, whether by guessing their password or by exploiting a system vulnerability, so that they enter through a legitimate account or a legitimate part of the system before engaging in illicit activities.
  3. Vulnerability Planting: This risk often results from an intrusion by an unauthorized individual or through legitimate users crossing their granted permissions, thus planting an entry point that later enables a breach. One of the most known examples of vulnerability planting is a Trojan horse, a program that ostensibly serves a legitimate purpose but can be used secretly for illicit activities, for example, using a word processing program to edit and format text while its true purpose is to print all system files and save them to a hidden file, allowing the intruder to print this file and obtain the system’s content.
  4. Communication Monitoring: Without breaking into the victim’s computer, the perpetrator can obtain confidential information that often facilitates future system breaches simply by monitoring communications from one of the network points or links.
  5. Communication Interception: Similarly, without breaking the system, in this case, an intruder intercepts the transmitted data during the transmission process and modifies it to suit their malicious purposes. Interception could involve creating a fake intermediary system that users must pass through and willingly provide sensitive information to.
  6. Denial of Service: This occurs through activities that prevent a legitimate user from accessing information or obtaining a service. One of the most prominent denial-of-service types is sending a large volume of emails simultaneously to a certain site, leading to system crashes due to its inability to handle the overload, or redirecting many IP addresses such that packet fragmentation cannot occur, resulting in server congestion.
  7. Denial of Action: This risk manifests when the recipient or the sender denies an action they actually performed, for example denying that they personally issued a purchase request over the internet.

Effective strategies stem from the ability to establish a continuous system for risk analysis and protection needs assessment. Risk analysis is essentially a comprehensive institutional framework for safe behavior and action: it begins with thorough preparation based on understanding and identifying system elements, processes, and risks; continues with identifying threat criteria, the necessary level of protection, and the related security measures; and concludes with specifying an acceptable-loss criterion, envisaged despite the protection level and the preparedness to confront risks.

Preventing Information Breach Risks

In the realm of communication protection and computer security, preventive measures are expressed through security services. This term does not refer to services in the usual sense but emerged due to the rise of specialized companies in information security that provide these services. In general, there are five essential types of security services aimed at protecting five primary elements in the field of information:

  1. Identification and Authentication Services: These services verify an identity at the moment an individual asserts it, protecting against concealment and impersonation. There are thus two types of identification services: verification of personal identity, most commonly by passwords, and verification of the origin of information.
  2. Access Control Services: These services are utilized to protect against unauthorized access to system resources and information, including unauthorized access for security purposes, unauthorized disclosure, unauthorized modification, unauthorized destruction, and unauthorized issuance of information and commands, making access control services vital for realization and verification of authorization.
  3. Data and Message Confidentiality Services: These services protect information from unauthorized disclosure to unauthorized entities. Confidentiality generally implies concealing information, possibly through encryption or other means, such as preventing the identification of its scale, quantity, or destination.
  4. Data and Message Integrity Services: These services aim to protect against risks of data alteration during input, processing, or transmission. The notion of change in security refers to cancellation, alteration, or re-recording of parts, and these services also seek to protect against unauthorized total destruction or deletion of data.
  5. Non-repudiation Services: These services aim to prevent the entity performing an action from denying that data transmission or activity occurred.

These five advanced services represent the core protection areas in the field of information; protection must extend to identification, access activities, confidentiality, content integrity, and non-repudiation.

What about Internet Security Strategy?

The fundamental aspects of information security, as applied to Internet security, focus on three areas: network security, application security, and system security. Each has its own rules and requirements, and the security systems in these three areas must be integrated to provide the necessary preventive measures; they are also interconnected with the general levels of security discussed above (physical, personnel, administrative, and media security). Having already discussed the elements related to systems, software, and data, we now turn to network security:

The protection afforded by network security is that of the communication and exchange between one computer on the network (either a client system or a server) and another computer within the network. If the client system connects directly to the Internet without any security measures in place between this system and the network, any transmitted data packet may be subjected to the following:

  • A. It may be altered during transmission.
  • B. Its source may not appear as the entity that sent it.
  • C. It may be a part of an attack targeting the system.
  • D. It may fail to reach its intended destination.
  • E. It may be read and disclosed by unauthorized parties.

Furthermore, network security aims to protect the network itself while instilling confidence among users of the final system regarding the security measures available during their interaction with the network and additionally showcasing that the network itself contains security measures such that the user’s computer does not need special measures.

Network security measures include:

  1. Identity and Integrity Assurance: This ensures that the receiving system is confident in the protection of information packets and confirms that the information received has not been altered.
  2. Confidentiality: This protects the content of information packets from being disclosed except to specified recipients.
  3. Access Control: This limits communications strictly between the sender and receiver systems.
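As an added illustration that is not part of the original article, the following Python sketch shows how the identity-and-integrity measure above lets a receiving system detect cases A (alteration) and B (forged source) from the earlier list, as well as misdelivery and replay, by covering each constructed packet with an HMAC-SHA256 tag under a key shared only by the two endpoints. The packet layout, field names, keys and status codes are assumptions; confidentiality (measure 2) is deliberately left out.

```python
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional, Tuple

TAG_LEN = 32  # HMAC-SHA256 output size in bytes


def seal_packet(key: bytes, src: str, dst: str, seq: int, payload: bytes) -> bytes:
    """Return header + payload with an HMAC-SHA256 tag over both appended.

    The tag binds the claimed source, destination and sequence number to the
    payload, so a change to any of them is detected by the receiver.
    """
    header = json.dumps({"src": src, "dst": dst, "seq": seq}, sort_keys=True).encode()
    body = header + b"\n" + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


def open_packet(key: bytes, pkt: bytes, local_addr: str, last_seq: int
                ) -> Tuple[str, Optional[dict], bytes]:
    """Verify a sealed packet; returns (status, header, payload).

    status is "ok" or a code naming the check that failed.
    """
    if len(pkt) <= TAG_LEN:
        return "malformed", None, b""
    body, tag = pkt[:-TAG_LEN], pkt[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    # Constant-time comparison: an altered payload, a changed header or a
    # packet sealed by someone without the shared key all fail here.
    if not hmac.compare_digest(tag, expected):
        return "bad_tag", None, b""
    header_raw, _, payload = body.partition(b"\n")
    header = json.loads(header_raw)
    if header["dst"] != local_addr:
        return "wrong_destination", header, payload
    if header["seq"] <= last_seq:  # already seen: a captured packet sent again
        return "replay", header, payload
    return "ok", header, payload


def demo() -> Dict[str, str]:
    """Run the checks against constructed packets; returns the status per scenario."""
    key_ab = secrets.token_bytes(32)  # shared by A and B only (constructed)
    key_x = secrets.token_bytes(32)   # an outsider's key, never shared with B
    good = seal_packet(key_ab, "A", "B", seq=1, payload=b"transfer 100")
    results = {"genuine": open_packet(key_ab, good, "B", last_seq=0)[0]}
    # (A) payload altered in transit, tag left unchanged
    altered = good[:-TAG_LEN].replace(b"transfer 100", b"transfer 900") + good[-TAG_LEN:]
    results["altered_payload"] = open_packet(key_ab, altered, "B", 0)[0]
    # (B) outsider X claims to be A but does not hold key_ab
    forged = seal_packet(key_x, "A", "B", seq=2, payload=b"transfer 100")
    results["forged_source"] = open_packet(key_ab, forged, "B", 0)[0]
    # Correctly sealed, but addressed to C and delivered to B
    results["wrong_destination"] = open_packet(
        key_ab, seal_packet(key_ab, "A", "C", seq=3, payload=b"hello C"), "B", 0)[0]
    # A genuine packet captured and sent again after B has already seen seq 1
    results["replayed"] = open_packet(key_ab, good, "B", last_seq=1)[0]
    return results
```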

5-3 Review and Audit Checklists – Sustainability of Review and Framework for Building Security Plans and Strategies

There are many checklists and audits concerning information security matters and requirements for security policies and strategies for information systems and communications. They mainly serve to supply a type of audit guide that aids organizations or individuals in building their security fundamentals and defining a general framework for the duties of staff members, consultants, and parties involved in the management of information systems and communication applications. Simultaneously, these checklists or audit guides provide organizations and individuals with a general framework for understanding the elements and requirements for building specific computer and network security systems.

Among the matters typically addressed by these checklists are:

  • The duties of management to ensure the existence of a documented security policy and to verify the presence of risk analysis processes, security plans, technical security establishment, and policies for managing external communications. They also assess the extent of employee awareness about the security policy and their understanding of their responsibilities, and whether new employees undergo training and orientation about the plan outlined.
  • Organizational aspects of security management, which relate to the existence of a specialized authority within the institution and whether there is a written guide, plans, and responsibilities to deal with execution processes, identification, incident management, and emergency plans.
  • Employee matters concerning qualifications and competencies, assessing compliance with security standards at personal levels or concerning work duties, including security-related aims upon hiring, during employment, and upon termination for any reason, along with the availability of contractual provisions in employees’ contracts and an accurate description of their duties relating to information management.
  • Matters of service or consulting providers, such as consultants and auditors, focusing on the security provisions in their contracts.
  • Information classification matters regarding availability and standards.
  • Software matters concerning purchasing, usage, download policies, licensing, handling internally developed software, and rights to access and use it, including protection matters associated with technical and legal software.
  • Hardware and equipment matters concerning the adequacy of needs assessment and criteria for using equipment at work, their applications, decommissioning, and maintenance auditing.
  • Documentation matters regarding the availability of a documentation strategy for all elements of the system and all fundamentals and processes of security plans and policies.
  • External system storage media issues concerning identifying used storage media, categorization, preservation, accessibility, and disposal.
  • Identification and user verification issues concerning verifying the identity and authorized limits and delegations, making sure that policies governing these elements and the means applied in identifying and verifying users are present.
  • System security matters concerning the availability of verification methods relating to when and which users are involved.
  • Communication matters concerning controlling internal and external communication means and applications, documenting communication movements, protecting communication processes, technical standards used in this, along with confidentiality strategies, monitoring, tracking, and using email.
  • File management and performance record issues concerning adequate documentation, archiving, and verifying creation and modification sources while handling files, databases, and application software.
  • Backup data matters regarding backup performance times and storage protocols, categorization, documentation, and encryption when applicable.
  • Physical protection matters concerning verifying that equipment and infrastructure are provided with protection measures and corrective procedures in terms of energy and connections, evaluating available precautions against natural disasters or intentional incidents, in addition to securing where the equipment and media are stored and written evidence of security measures.
  • Issues dealing with incidents and breaches, involving the availability of a dedicated team for this purpose and clearly defined objectives for its role, alongside maintaining contact with official investigation entities, law enforcement, and specialized experts for complex matters or those for which the institution lacks the competence.
  • Emergency and recovery plans to mitigate damage and return to normalcy.
  • Information disclosure matters regarding what must be accessible to everyone or specific sectors, checking clarity in the media treatment strategy concerning incidents and breaches.

While these checklists may differ from one organization to another, and from one individual to another, depending on context, needs, and the types of systems and information in practices, many of them constitute a suitable general framework and reference in creating these lists and guides, notably those provided by a group of experts in the field of information security endorsed by Interpol.

Conclusion

Understanding these classifications helps frame a more comprehensive view of cybersecurity threats. It emphasizes the need for strategic defenses tailored to the complexities of organizational data management and the evolving landscape of cyber threats. Recognizing potential weaknesses and establishing robust security practices are essential for mitigating these risks.

Mohamed SAKHRI

I’m Mohamed Sakhri, the founder of World Policy Hub. I hold a Bachelor’s degree in Political Science and International Relations and a Master’s in International Security Studies. My academic journey has given me a strong foundation in political theory, global affairs, and strategic studies, allowing me to analyze the complex challenges that confront nations and political institutions today.
