Post on 12-Jan-2016
E-Learning: An Information Security Perspective
Dr. Mohd Faiz Hilmi, School of Distance Education, Universiti Sains Malaysia
Yanti Mustapha, Universiti Teknologi MARA
Shahrier Pawanchik, School of Distance Education, Universiti Sains Malaysia
Introduction
Advancement in information technology
◦ changes the education landscape.
◦ various new methods of delivery have emerged (Salleh, 1997; Sakamoto, 1997).
◦ made E-Learning possible and available on a large scale.
E-Learning relies upon the internet, which is open to threats (Kritzinger, 2006).
◦ but the issue of information security has been neglected.
Introduction
A review of information security in the E-Learning environment
◦ explains the importance of information security.
◦ ten domains of information security are explained within the E-Learning context.
Information Security Risks (Kritzinger & Solms, 2006)
1. Alteration of material by unauthorized people.
2. Bogus course material.
3. Submitted assignments copied by unauthorized parties.
4. Submitted assignments changed by unauthorized parties.
5. Marks changed or deleted.
6. Access to test papers; test content changed.
7. People masquerading as students and writing tests on their behalf.
8. Students getting unauthorized help during exams.
9. Denial of service attempts against course websites.
10. Logon information of lecturers and students intercepted and misused.
Literature Review
The three most important pillars are confidentiality, integrity and availability (Stamp, 2006).
Three important services are identification and authentication, authorization and non-repudiation (Eibl, Solms & Schubert, 2006).
Four pillars are governance, policy and procedures, implementation of countermeasures and monitoring of countermeasures (Kritzinger & Solms, 2006).
Alwi & Ip-Shing (2009) discussed the required security elements in an E-Learning environment.
Kritzinger (2006) identified technical and procedural countermeasures to enhance the security of information.
Eibl, Solms & Schubert (2006) proposed an information security rating system for E-Learning environments.
◦ determines the capabilities of an E-Learning system.
Literature Review
Doherty, Anastasakis & Fulford (2009) examined the structure and content of the information security policies of several higher education institutions.
◦ existing policies are not comprehensive enough
◦ did not play an effective role in their respective institutions.
Chang & Uden (2008) look at E-Learning governance practices.
Arkhipov & Ovodkov (2004) suggest collaboration between E-Learning education providers to enhance information security.
E-Learning systems must consider the privacy and security needs of the E-Learning participants (El-Khatib, Korba, Xu & Yee, 2003).
Feedback and control rights of online learning participants are also important and must be given proper attention in an E-Learning system (Tsiantis, Stergiou & Margariti, 2007).
Focus of selected research on information security of E-Learning

Author | Focus
Alwi & Ip-Shing (2009) | Security elements in E-Learning.
Arkhipov & Ovodkov (2004) | Information security collaboration between education providers.
Eibl, Solms & Schubert (2006) | Information security rating of E-Learning systems.
Chang & Uden (2008) | Information security governance.
Doherty, Anastasakis & Fulford (2009) | Information security policy in higher education institutions.
El-Khatib, Korba, Xu & Yee (2003) | Security and privacy issues in E-Learning.
Kritzinger (2006) | Technical and procedural information security countermeasures.
Kritzinger & Solms (2006) | Countermeasures and information security pillars in the E-Learning environment.
Tsiantis, Stergiou & Margariti (2007) | Feedback and control rights of online learning participants.
CIA Framework
Confidentiality, Integrity, Availability

Extended CIA Framework
Confidentiality, Integrity, Availability
Identification & Authentication, Authorization, Non-repudiation
Major Schools of Thought in Information Security
Two main schools of thought:
the International Information Systems Security Certification Consortium ((ISC)2)
the SysAdmin, Audit, Network, Security Institute (SANS Institute).
International Information Systems Security Certification Consortium ((ISC)2)
created the information security industry's common body of knowledge (CBK).
a compendium of industry best practices, a framework and a collection of information
◦ guides the understanding of terms and concepts in the information security knowledge area (Theoharidou and Gritzalis, 2007).
◦ the foundation for the Certified Information Systems Security Professional (CISSP) certification.
CISSP certification is considered the gold standard in the information security industry ((ISC)2, 2010).
SysAdmin, Audit, Network, Security Institute (SANS Institute)
claimed to be the largest source of information security training and security certification in the world (SANS Institute, 2010).
provides hundreds of courses and certifications related to information security.
Ten Domains of the (ISC)2 Information Security Common Body of Knowledge (CBK)
a taxonomy that contains a collection of topics related to information security (Tipton and Henry, 2007, p. xv).
Information security professionals have been using (ISC)2's CBK as a source of reliable information on information security.
Currently there are ten domains that make up the CBK.
The application of the ten domains within an E-Learning system
The application of the ten domains within an E-Learning system is relatively scarce.
E-Learning systems focus more on the content.
Information security is increasingly becoming more important
◦ especially in today's connected and borderless world.
◦ E-Learning systems should incorporate the ten domains of the information security CBK.
The Ten Domains
1. Information Security and Risk Management
2. Access Control
3. Cryptography
4. Physical (Environmental) Security
5. Security Architecture and Design
6. Business Continuity and Disaster Recovery Planning
7. Telecommunication and Network Security
8. Application Security
9. Operations Security
10. Legal, Regulations, Compliance and Investigations
Domain 1: Information Security and Risk Management
Purpose: investigates and analyzes the current state of security of information, finding loopholes in the systems and then applying the proper amount of countermeasures.
E-learning focus:
Policy, procedures, standards & guidelines of E-Learning institutions.
Audit framework for E-Learning institutions.
Awareness and training for staff and students.
Domain 1: Information Security and Risk Management
Focuses on the need for comprehensive policy, procedures, standards & guidelines for E-Learning institutions.
◦ must have a comprehensive information security policy in place (Bakari et al., 2005).
◦ policy, procedures, standards and guidelines must be comprehensive and not just superficial documents (Doherty, Anastasakis & Fulford, 2009).
E-Learning institutions must also have an audit framework, awareness programs and training for staff and students.
Collaborative leadership will improve the practice of e-learning (Jameson et al., 2006).
Domain 2: Access Control
Purpose: protect information and resources from unauthorized logical access to the information.
E-learning focus:
Access control to the E-Learning system.
Intrusion detection and prevention system.
Domain 2: Access Control
Beyond accessibility, quality of service is also a factor that must be considered.
◦ students will only benefit from access from a location conducive to studying (Harris, 1999).
Access control to the E-Learning system must be based on an approved policy of the governing institution.
The E-Learning system must also have a mechanism to handle intrusion detection and prevention.
Also within the purview of domain two, E-Learning systems are the placeholder for copyrighted content.
◦ a proper digital rights management system and processes are necessary (Liu, Safavi-Naini & Sheppard, 2003).
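The following is an added illustration, not code from the presentation, of what "access control based on an approved policy" can look like in practice. It encodes a minimal role-based policy for an E-Learning system so that the risks listed earlier (unauthorized alteration of material, of submitted assignments and of marks) are refused, scopes students to their own records, and records every decision for audit. The roles, actions, resources and user identifiers are constructed examples.

```python
"""Policy-based access control for an E-Learning system (added example).

Roles, actions and users below are constructed for illustration; the
policy itself stands in for the institution's approved policy.
"""
from dataclasses import dataclass, field

# Approved policy: (role, action, resource) triples that are permitted.
# Note that no student role may write course material or marks.
POLICY = {
    ("lecturer", "read", "material"), ("lecturer", "write", "material"),
    ("lecturer", "read", "assignment"), ("lecturer", "read", "mark"),
    ("lecturer", "write", "mark"),
    ("student", "read", "material"), ("student", "read", "assignment"),
    ("student", "write", "assignment"), ("student", "read", "mark"),
}
# Resources a student may only touch when they are the record's owner.
OWNER_SCOPED = {"assignment", "mark"}


@dataclass
class AccessControl:
    audit_log: list = field(default_factory=list)

    def check(self, user, role, action, resource, owner=None):
        """Return True if the approved policy permits the request.

        Every decision, allowed or denied, is appended to the audit log,
        so attempts such as a student writing a mark stay visible to reviewers.
        """
        allowed = (role, action, resource) in POLICY
        if allowed and role == "student" and resource in OWNER_SCOPED:
            allowed = owner == user  # students reach only their own records
        self.audit_log.append((user, role, action, resource, owner, allowed))
        return allowed


def demo():
    """Run a few constructed requests; return decisions and denied count."""
    ac = AccessControl()
    results = {
        "student_reads_material": ac.check("s1", "student", "read", "material"),
        "student_alters_material": ac.check("s1", "student", "write", "material"),
        "student_changes_mark": ac.check("s1", "student", "write", "mark", owner="s1"),
        "student_reads_others_assignment": ac.check("s1", "student", "read", "assignment", owner="s2"),
        "lecturer_writes_mark": ac.check("l1", "lecturer", "write", "mark", owner="s1"),
    }
    denied = [entry for entry in ac.audit_log if not entry[-1]]
    return results, len(denied)
```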
Domain 3: Cryptography
Purpose: protect CIA using mathematical means such as cryptography, hashing etc.
E-learning focus:
Security of data transmission.
Domain 3: Cryptography
The need to ensure that data are only understandable to the intended audiences.
◦ information must be encrypted, especially before being transmitted through the public domain.
Several existing technologies that can be considered are encryption algorithms, smartcard technologies and certification schemes (Furnell et al., 1998; Margi et al., 2000).
Whatever technology is chosen
◦ must remain user friendly and non-intrusive to the students (Furnell et al., 1998).
Domain 4: Physical (Environmental) Security
Purpose: addresses physical, environmental and procedural risk.
E-learning focus:
Physical security of E-Learning institutions.
Building access.
Information protection and management services.
Domain 4: Physical (Environmental) Security
May & Lane (2006) proposed a Security Practitioner's Management Model consisting of five layers.
◦ one of the layers is physical security
◦ actual physical security including infrastructure, devices, hardware and software.
Physical security of E-Learning institutions must provide sufficient protection from intruders.
◦ building access system
◦ control the movement in and out of any building that houses the E-Learning institution.
Provide information protection and management services for its E-Learning system.
Without proper infrastructure supporting the E-Learning system, the flexibility and benefits of such a system will be short lived (Bakari et al., 2005).
Domain 5: Security Architecture and Design
Purpose: protect information models and architectural network methods from unauthorized disclosure, modification, and destruction.
E-learning focus:
Security framework.
Hardware and software design.
Domain 5: Security Architecture and Design
Every E-Learning institution must have a solid security framework that provides the foundation for the E-Learning system.
Proper hardware and software design or selection must also be part of the framework of an E-Learning institution.
Domain 6: Business Continuity and Disaster Recovery Planning
Purpose: a Disaster Recovery Plan (DRP) contains procedures to reduce damage during and after a tragic event. A Business Continuity Plan (BCP) is a long-term plan to keep the business functional following a disaster.
E-learning focus:
Available (uninterrupted) access to the E-Learning system.
Assessment, development, implementation and management of continuity planning.
Domain 6: Business Continuity and Disaster Recovery Planning
Availability is an important aspect of an E-Learning system.
◦ students and staff are dependent on the system for their learning and teaching.
◦ system outages will interrupt students' learning.
Continuously available (uninterrupted) access to the E-Learning system is paramount to the success of an E-Learning system (Crisp, 2002).
◦ must have solid assessment, development, implementation and management of continuity planning.
Domain 7: Telecommunication and Network Security
Purpose: segregate non-trusted networks using devices, architectures, and protocols to protect the trusted network.
E-learning focus:
Secured transmission of voice, data & multimedia.
Perimeter defence (through firewalls etc.) of the E-Learning system.
Domain 7: Telecommunication and Network Security
Ensures secured transmission of voice, data & multimedia between the E-Learning institution and students.
Ease of access to the Internet has been identified as one of the critical success factors for e-learning acceptance (Selim, 2007).
Floor control security
◦ required especially for synchronized communication activities in the online distance learning environment (Lin et al., 2004).
The centre of the E-Learning system must be protected by a perimeter defence (through a firewall).
Domain 8: Application Security
Purpose: apply security throughout the life cycle of software use.
E-learning focus:
Secured E-Learning application.
Any open source code used must be verified to be virus free.
Domain 8: Application Security
The Internet is not a secure medium for transmitting information
◦ especially for the online methods.
◦ web applications must provide security for transmitted data (Jalal & Zeb, 2008).
E-Learning institutions must use a secured E-Learning application.
Any usage of open source code must be verified thoroughly to ensure the code or software is virus free.
Domain 9: Operations Security
Purpose: keeping the organization's systems running securely, ensuring secure day-to-day operation.
E-learning focus:
Privileged entity controls for staff and students accessing the E-Learning system.
Resource protection.
Proper and well documented change control management for any changes, modifications or upgrades to the E-Learning system.
Domain 9: Operations Security
Privileged entity controls
◦ to control staff and students accessing the E-Learning system.
Resources must be protected from unauthorized access.
Proper and well documented change control management
◦ for any changes, modifications or upgrades to the E-Learning system
◦ to ensure uninterrupted access to the E-Learning system.
Secure operations have been identified as one of the critical success factors for an E-Learning system (Jacobfeuerborn & Muraszkiewicz, 2010).
Domain 10: Legal, Regulations, Compliance and Investigations
Purpose: addresses general computer crime legislation and regulations, investigative measures and techniques.
E-learning focus:
Understanding of the laws & regulations governing the E-Learning institution.
Security incident handling for the E-Learning system.
Domain 10: Legal, Regulations, Compliance and Investigations
Various legal issues are being reconsidered from the E-Learning perspective (Levy, 2010).
◦ copyright, fair use, and work for hire
All administrators (Dean, deputy dean etc.) must have a good understanding of the laws & regulations governing the E-Learning institution.
◦ ensure that their institution strictly follows all the rules and regulations.
◦ there must also be proper security incident handling for the E-Learning system.
With a proper security handling system
◦ the E-Learning institution is capable of facing any unexpected issues.
Conclusion
Online distance learning has undergone a major evolution
◦ advancement in information technology.
New threats.
◦ hackers, viruses and spam…
Standards and procedures must be in place
◦ to keep online distance learning safe from these threats.
Conclusion
How?
◦ incorporate the information security common body of knowledge as part of the online distance learning system.
◦ it provides comprehensive baseline knowledge and best practices on information security.
E-Learning institutions should adhere to all ten domains within the information security CBK.
◦ provide an E-Learning system with high confidentiality, integrity and availability.
Thank You