539 research outputs found

    Information Assurance; Small Business and the Basics

    Business is increasingly dependent on information systems to allow decision makers to gather, process and disseminate information. As the information landscape becomes more interconnected, the threats to computing resources also increase. While the Internet has allowed information to flow, it has also exposed businesses to vulnerabilities. Whereas large businesses have information technology (IT) departments to support their security, small businesses are at risk because they lack personnel dedicated to addressing, controlling and evaluating their information security efforts. Further complicating this situation, most small businesses' IT capabilities have evolved in an ad hoc fashion where few employees understand the scope of the network and fewer, if any, sat down and envisioned a secure architecture as capabilities were added. This paper examines the problem from the perspective that IT professionals struggle to bring adequate Information Assurance (IA) to smaller organizations where the tools are well known, but the organizational intent of the information security stance lacks a cohesive structure for system development and enforcement. This paper focuses on a process that will allow IT professionals to rapidly improve their organizations' security stance with few changes using tools already in place or available at little or no cost. Starting with an initial risk assessment, research provides the groundwork for the introduction of a secure system development life cycle (SSLDC) where continual evaluation improves the security stance and operation of a networked computer system.

    A DEFINITIVE INTEROPERABILITY TEST METHODOLOGY FOR THE MALICIOUS ACTIVITY SIMULATION TOOL (MAST)

    The threat of degradation or disruption from cyber infiltration, espionage, and theft to militarily and nationally critical information and network systems poses a significant challenge to DoD and DON. To mitigate this challenge, network administrators must be trained to properly recognize and defend against malicious activity. The Malicious Activity Simulation Tool (MAST), a software program under development at NPS, mimics the behavior and impact of network-based malware in an effort to train the administrators of operational DoD networks both to respond to the threats such materials present to their networks and to assess their competence in recognizing and responding to such threats. In order for MAST to achieve its potential as an acceptable assessment and training tool, it must first be shown to present no new threat to the environment for which it was designed. This thesis develops a step-by-step testing procedure, the execution of which will demonstrate that MAST can perform at a level commensurate with current criteria for operating securely on DoD networks. Additionally, this thesis discusses the quantitative testing environment and current testing and implementation methods and criteria for new cyber hardware and software programs of record in the DoD.
    http://archive.org/details/adefinitiveinter1094532834
    Lieutenant, United States Navy
    Approved for public release; distribution is unlimited

    Web Engineering Security (WES) Methodology

    The impact of the World Wide Web on basic operational economical components in global information-rich civilizations is significant. The repercussions force organizations to provide justification for security from a business-case perspective and to focus on security from a Web application development environment standpoint. The need for clarity promoted an investigation through the acquisition of empirical evidence from a high-level Web survey and a more detailed industry survey to analyze security in the Web application development environment, ultimately contributing to the proposal of the Essential Elements (EE) and the Security Criteria for Web Application Development (SCWAD). The synthesis of information provided was used to develop the Web Engineering Security (WES) methodology. WES is a proactive, flexible, process-neutral security methodology with customizable components that is based on empirical evidence and used to explicitly integrate security throughout an organization’s chosen application development process.

    Organisations as complex adaptive systems : implications for the design of information systems

    Today a paradigm shift in the field of organisation and management theories is no longer disputed and the need to switch from the Command-and-Control to the Learning Organisation Paradigm (LOP) in the area of organisational theory is well understood. However, it is less well appreciated that learning organisations cannot operate effectively if supported by centralised databases and tailor-made application programs. LOP emphasises adaptability, flexibility, participation and learning. It is important to understand that the changes in organisational and management strategies will not on their own be able to produce the desired effects unless they are supported by appropriate changes in organisational culture, and by effective information systems. This research demonstrates that conventional information system strategies and development methods are no longer adequate. Information system strategies must respond to these needs of the LOP and incorporate new information systems that are capable of evolving, adapting and responding to the constantly changing business environment. The desired adaptability, flexibility and agility in information systems for LOP can be achieved by exploiting the technologies of the Internet, World Wide Web, intelligent agents and intranets. This research establishes that there is a need for synergy between organisational structures and organisational information systems. To obtain this desired synergy it is essential that new information systems be designed as an integral part of the learning organisational structure itself. Complexity theory provides a new set of metaphors and a host of concepts for the understanding of organisations as complex adaptive systems. This research introduces the principles of Complex Adaptive Systems and draws on their significance for designing the information systems needed to support the new generation of learning organisations. The search for new models of information system strategies for today's dynamic world of business points to the 'swarm models' observed in Nature.