Information Security Training for Economists

Serghei Ohrimenco¹, Serghiu Tutunaru¹, Constantin Sclifos¹

¹Academy of Economic Studies of Moldova, Laboratory of Information Security, Banulescu Bodoni str., 59, Chisinau, MD-2005, Republic of Moldova, Tel:(3732) 402888; E-mail: osa@ase.md, Site: http://www.security.ase.md

ABSTRACT

The presented report the analysis the experience which has been accumulated in the Laboratory of Information Security at Academy of Economic Studies from of the Republic of Moldova accumulated in specialists training and preparation in field of information security.

Keywords: Information System, Information System Security, Education in Information Security

Introduction

Information and communication development has radically changed the daily life, has turned to the dominant factor of a sustainable social development of the XXI-st century. New technology ensures collection, processing and storage of huge and diversified information (technology, scientific, hospital, etc.) . All this leads to necessity to construct an informational security system because existing informational systems are unsafe not because of their engineering and technological imperfections, but because of errors at usage of production engineering. It means, that security procedures should be integrated not only into technological operations, but also in activity of informational systems. Thus problems of informational security have got basic significance not only for company and the state, but also for the person. In the majority of the countries informational security is considered as the constituent part of national security, on a level with such components as energetic, food, etc., it require a security control of the technological, social and economic systems formed by society.

In this connection special attention is attracted by a problem of frame support of informational security. Besides, necessity of quantity increasing number of professionals in the produced subject domain on the base of continuous perfecting of educational process as the theory and practice of informational guard resources continuously and intensively developing.

In practice of specialists preparation on informational security two main routes could be notable. First, academic, provides higher education provided in the applicable forms - the bachelor, the master, the doctor, and guesses study of diverse disciplines, familiarizaiton with technological reachings and, eventually, creation of the specialist high-level theoretic knowledge and practical skills.

Second – courses of the leading companies specialising in information technologies field which one assumes acquisition of sufficient knowledge and their perfecting with the purposes of satisfying the requirements of information development level technologies and the applicable standards.

1. Foundational concepts

Unfortunately, in Republic of Moldova in the property identification of trades there is a direction «Informational security» thus the state and commercial information systems need such specialists, capable properly to protect informational resources from unauthorized access and usage.

In the Moldavian Academy of Economic Studies the informational security Laboratory, called to solve a complex of tasks, based on activation of research and development activity of students, post-graduate students and young scientists in the field of informational security, selection of young specialists for informational systems of the state and trade structures.

For students of specialities "Economic cybernetics" the specialisation course «Informational security», providing realisation of lectures and laboratory researches is tendered. For students of economical trades study is stipulated studying special subject in which is included some problems analyzes .

Annually the informational security Laboratory spends international conference and competition of the student's jobs devoted to problems of informational security. Within that actions the following subjects are considered:

• legal platforms of informational security;

• creation of a policy of security of informational systems;

• intellectual property guard;

• organizational measures in the informational security field;

• testing and certification of products and services in the informational security field;

• cryptography means of information protection;

• an appraisal and handle with risks of informational systems;

• the analyzes of informational threats and bucking resources;

• security audit of informational systems;

• economic efficiency of informational security system.

In bridge with conference are organised some competition which ultimate goal is checking informational knowledge level and communication production engineering will be organised. The informational sponsor of competition grants gives a protecting server on which the information is placed and which is necessary for Organizing committee to search and introduce.

The technological base for laboratory researches realisation selects ramp Moodle which allows:

• To identify and authentificate users;

• To work remotely in a user's regime;

• To use the diverse information;

• To create a prototype of electron document circulation system.

Besides, produced ramp ensures possibility of referential substances allocation, architecture of a users forum, and also knowledge monitoring.

Discovery of certification centre of clues for the electron numeral signature which students will use in the practical operation course is in the long term provided.

The main activity objective of informational security laboratory is to study modern legal, organizational, technical, program and other methods and information means of protection. In turn, the primal problems of specialists preparation is the following:

• Creation of the modern approach to informational security as systematic is scientific-practical activities, having application nature;

• Creation of the idealised fundamentals underlying handle by an informational system and resources, and also informational security;

• To produce submission ABT modern methods and information means of protection;

• To learn to usage of wide-spread software products and services in the informational security field.

As a result of specialisation study course the specialist should:

• To know privacy legal platforms, to possess organizational, technical, privacy programmable methods in modern informational systems and nets, standards and security sample pieces, methods of users identifying, methods of resources guard from program abusing, an infrastructure of the systems built with usage public and private keys;

• To know how to put in practice the gained knowledge of known methods and resources of informational security, to carry out their comparative Analysis and sampling of the applicable resources and methods, to evaluate a security clearance of informational resources;

• To know about main routes and prospects for the development of methods and resources of informational security.

The preparation program should include following main sections:

• Legal support of informational security;

• Architecture of informational security system;

• The Analysis of threats and an estimated risk;

• Informational security standards and metrics;

• Development of the organizational-administrative documentation on a privacy.

2. Applications

Legal support advances and regulates the relations arising at collection, transmission, machining, accumulation, storage, actualisation, the purchase and sale the informations arising under formation, implantations and exploitations of informational systems, other systems of machining and a communication of information.

First of all, in-depth examination is come under by the international and national acts regulating the ratios in the field of informational and communication production engineering.

At study of the fundamentals constructing and operation of informational security system the main notice should be routed on following dodges:

• A policy - a kit of the formal regulations regulating operation of the dodge of informational security;

• Identifying - definition of each participant of informational interacting;

• Authentification - support of reliance that the participant of process of information exchange is identified correctly;

• Access control - making and keeping up of a kit of the regulations, defining to each participant of process of informational interchanging the permission to access to resources;

• Authorisation - creation of the profile of the rights for the concrete participant of process of informational interchanging;

• Audit and monitoring - observation of the events which are originating in the course of information exchange (audit guesses the Analysis of events a post factum, and monitoring is realised real time);

• A response on incidents - assemblage of routines or the provisions executable at violation or suspicion on violation of informational security;

• Configuration control - making and keeping up of the environment of informational interchanging in an up state and according to requests of informational security;

• Handle of users - support of working conditions of users in the environment of informational interchanging according to requests of informational security;

• Handle of marks - support of correspondence of possible loss from violation of informational security;

• Stabilisation - keeping up the environment of informational interchanging in is minimum efficient admissible state.

The Analysis of threats is one of the cores and the information defining classifying of threats of informational security, by geting such tags, as: intentional and casual, by compound and aftereffects, by type, by the purposes, by nature and an appearance place, by the effect object, because of appearance and many other things. But we should pay attention, in our opinions on massing on deliberate threats. All spectrum of threats should be viewed through a risk prism (technical and programming) with output on identifying and managing risk, simulation of distresses, preparation and solutions support. The risk analysis should be under construction with allowance for sample pieces of the possible infringer and its operations, and also potential loss.

Study of the substance defining standards and metrics of informational security guesses the following:

• Definition of the support purposes of informational security of the integrated microcircuit;

• Making an effective system of handle by informational security;

• Account of assemblage presented details not only qualitative, but also quantity indicators for an appraisal of informational security correspondence to the stated purposes;

• Application of tooling of support of informational security and an appraisal of its current state;

• Usage of methods of application of handle by security with reasonable system of metrics and measures of informational security support, allowing objectively to evaluate hardening of informational assets and to control informational security.

The succession of consideration of the produced section can base on International standard of security ISO/IEC17799, BSI, COBIT and to include following questions:

• Organizational security measures;

• Classifying and resource management;

• Security of the personnel;

• Physical security;

• Handle of communications and processes;

• Access control;

• Development and technical support of computer systems;

• A security policy;

• Handle of continuum of business;

• Correspondence of system to the main requests.

Development of the organizational-administrative documentation is completing section, and in him idealised knowledge and the practical skills gained at study of prior sections are integrated. First of all, it is a question of security control concept development of the concrete integrated microcircuit information in which the common principles and approaches to a security control of the information and informational resources are presented. The contents of the produced deed constitutes the fundamentals of constructing of integrated system of informational security.

Concludions

Thus, the following should be main principles of training of personnel in the field of informational security:

• Level of idealised knowledge should come nearer to international and conform the requirements of today;

• Preparation should be oriented to mastering by idealised knowledge and the practical skills used for overcoming of crisis situations, informational systems arising in the course of operation.

REFERENCES

1. Council C. Implication for the Future of CobiT Systems in Higher Education: Putting Critical Research and Theory Into Practice.//Information Systems Control. Vol. 1, 2007, p. 33-35.

2. ISO/IEC FDIS 27001. Information technology-Security techniques-Information security management systems-Requirements. 2005-05-14.

3. ISO/IEC TR 13335-1. Information technology - Guidelines for the management of IT Security

4. ISO/IEC 10746-2: 1996. Information Technology – Open Distributed Processing – Reference Model: Foundation.

5. ISO/IEC 7498-1: 1994. Information Technology – Open Systems Interconnection – Basic Reference Model: The Basic Model.

6. Risk Analysis: Concepts and Tools.// Datapro Reports of Information Security. – September 1991.

7. Dymek W. Managing Network Security.// Datapro Reports of Information Security. – February 1996.

8. Anderson R. Cryptography and Competition Policy – Issues with ‘Trusted Computing’ ”, Second Workshop on Economics and Information Security (2003)

9. B Schneier, “The Psychology of Security”, RSA 2007.

10. Gordon, L. A., M. P. Loeb, and W. Lucyshyn, “Information Security Expenditures and Real Options: A Wait and See Approach.” Computer Security Journal, Vol. 19, No. 2, Spring 2003a, pp. 1-7.