Security Framework for Information Systems
José Martins (1), Henrique dos Santos (2) and Paulo Nunes (3)
(1) Academia Militar - Cinamil, Lisboa, Portugal
(2) University of Minho - Department of Information Systems, Guimarães, Portugal
(3) Academia Militar - Cinamil, Lisboa, Portugal
jose.carloslm@gmail.com
hsantos@dsi.uminho.pt
pfvnunesam@gmail.com
Abstract: Nowadays, information is one of the most important resources in an organization, supporting most of
its business processes. Organizations must therefore try to guarantee at all times the fundamental properties
of information: confidentiality, integrity, and availability. Information Systems are a determining factor in an
organization’s capability: a tool that stimulates its productivity and is indispensable to the decision-making
process at the various levels of management. The current network society, supported primarily by the Internet,
presents new threats to the information networks that support organizational Information Systems, regardless of
their dimension, nature, organization and technological resources. This scenario requires a Security Framework
in order to guarantee information security and to integrate a set of different organizational views: that of the
scientific community (conceptual model), the decision-maker’s perception (behavioural model), and a
technological model as support for business processes. An established security policy and an operational
methodology for risk identification and evaluation must be distinguished in order to protect an organization from
threats to its information systems or to the information resources for which it is responsible. In this paper we
propose a Security Framework for organizational Information Systems, to guarantee the security of the major
information assets and to serve as a possible model for information security management, supporting the
decision-making process on information security and management. We seek to minimize the possible actions
of Information Warfare / Competitive Intelligence, outlining in this framework the various standards of good
information security practice. Our objective is to guarantee the protection of Information Systems from the
various attack methods in use and the types of weapons utilized.
Keywords: Information systems, information warfare, information security management, risk analysis and
evaluation
1. Introduction
Organizations as “complex entities” integrated within a networking society mostly operate based on
formal or ad-hoc processes, supported by information flows which are handled by people and
supported in a technological infrastructure connected to the Internet. Consequently, in view of
Information Warfare / Competitive Intelligence, there is the need for effective information security,
based on a risk analysis of the systems utilized in the organizations, in order to identify the threats
these are subjected to.
The identification and evaluation of risks should be a dynamic process, performed periodically so as to keep
the multiple indicators of any possible Security Framework updated. This should reflect the organization’s
external and internal changes, keeping information security always as a main goal, while taking care not to
interfere drastically with the main objectives of the business.
There exist diverse international standards for good practices in information security, some containing
a strict methodology for identifying and assessing risks, presenting the organization’s decision-makers
with a macroscopic vision of information security. However, the great majority are based on models of
generic threats and on technological questions, and are therefore minimally integrated with the organization’s
reality.
The main question we intend to answer in this article is the following: Is it possible to build an
Information Security Framework for an organization, based on concepts and principles, that ensures the
security of the Information Systems (IS) and their information when faced with the actions of
Information Warfare / Competitive Intelligence? To answer this question we explore the possibility
of approaching Information Security with the four security dimensions shown in Figure 1: Organizational,
Physical, Personal, and Technological.
Figure 1: Information security dimensions
The security of the Organizational, Physical, Personal, and Technological dimensions aims at
blocking the major methods used for attacking the organization. A correct analysis of the
organizational IS structure and dynamics is fundamental to ensure the Security Framework’s efficient
planning and implementation.
The indicated dimensions (organizational, physical, personal and technological) result from the
decision-makers’ perceptions of: the probability of attacks on the computer networks (technological
dimension), which are particularly vulnerable to denial of service and malware; the possibility of physical
destruction (physical dimension), which, as its name indicates, consists in the physical destruction of the
target through electronic or physical means; and perception management (personal dimension), that is,
actions whose objective is to influence specific audiences, in which combinations of other capabilities applied
in an orderly form (psychological operations, propaganda, deception operations) control the adversary’s will.
Among the various international norms, codes of good practice and certifications for information
security, we encounter approaches that are more focused on technology and others more focused on business
and personnel. This dualism is fundamentally found in: NATO security directives, the ISO/IEC 27001:2005
standard, the recommendations of the National Institute of Standards and Technology of the United States of
America (NIST SP 800-26, 800-42), the ISO/IEC 13335-4 and 13335-5 standards, and the OCTAVE methodology
(Alberts and Dorofee, 2001). However, given the specificity of the threats’ actions and of Information
Warfare, we chose to construct an Information Security Framework.
Its construction is developed throughout the article. In the second section we analyse the general
environment and the tasks in which organizations are currently interested. In the third and fourth sections, we
present a possible approach to the threats and attack methods, conceptually framed in the concepts
of Information Warfare and in the possible levels of action. In Section 5 the components and indicators
that, in our opinion, matter for information security are identified. The conclusions and future work are
presented in Section 6.
2. Organizations, surrounding systems and information systems
For an effective information security it is necessary to analyze the systems interacting with the
organization and the multiple agents and their relations (see Figure 2), in order to identify the threats it
is under and put them into perspective.
Figure 2: The organization and the surrounding environment, source: (1998, p.19)
Following the organization’s external analysis, it is necessary to integrate the internal one, which mainly
consists of identifying the principal vulnerabilities of the IS components.
In this context it is fundamental to analyze the organization’s recognized levels (Strategic,
Management and Operational) and activities, identifying the existing information on each
organizational level and the supporting human and technological resources. This activity generates an
initial draft of the information flows running through the organizations, identifying the fundamental
processes where information is essential to achieve the business goals.
An extensive analysis of the IS supporting the management levels above, according to the
components shown in Figure 3, will provide an in-depth description of the vulnerabilities they are
subjected to and the measures implemented or planned to confront them. This vulnerability analysis
forcibly has to include the technological, physical, human (decisions are built in terms of individual
reasoning), and organizational (operating processes) dimensions. This stage essentially consists of
describing the organization’s internal structure and dynamics.
Figure 3: Information system based on computers (Source: Turban et al., 2003, p.19)
The information Security Framework should consider the organizational IS components. These
fundamentally use computers (hardware and software) and communication technologies (networks),
supported by procedures and the people working with the system itself or using its outlet (Turban et
al., 2003).
3. Information warfare
As we can see in Figure 4, based on one of the possible models for Information Operations (IO) which
we will follow in this article, these are the targets likely to be explored in possible attacks to cause
direct or indirect effects on the physical, information and cognitive levels. We should therefore seek to
cancel or minimize its effects by implementing a proper set of controls (e.g. policies, procedures and
technology).
Figure 4: Information operations operating model: (Source) Adapted from Waltz (1998, p.149)
The actions or possible attack methods the IS may be under are framed within the IO, and consist of a
set of activities and capacities used to affect the opponent’s information and IS (FM 100-06, 1996).
Within the context of Information Warfare, these actions are developed to obtain information
superiority, which consists of achieving an operating advantage from the ability to gather, process and
disseminate a steady flow of information while exploring or denying the opponent with that same
ability (FM 3-13, 2003).
The enforcement of an information security model essentially requires the positive
identification of threats and vulnerabilities, and the simulation of the attacks to which the information
resource is subjected, in order to determine the impact of a possible attack.
Actually, an attack consists of a set of actions that, by exploring one or more IS vulnerabilities, violate
its own security properties, causing some sort of impact on the resources. Therefore, with known
attacks, it is possible to act on the explored vulnerabilities by blocking the threats they generate.
The preceding analysis leads us to stress the importance of building a conceptual model for
information security that represents the dimensions, components and indicators to bear in mind when
setting in motion an integrated organizational IS security system, simultaneously providing decision-makers with an Information Security Management Model.
4. Classification of threats, attack methods and weapons
In view of the prior theoretical considerations, only given a comprehensive list of the threats and ways
to materialize them into system attacks is it possible to develop an IS Security Framework. This threat
list is achieved through a set of iterations that supply a global vision of the organization’s possible
external and internal threats.
In the first iteration, and due to the need to separate the threat classification from the type of
organization (Civil & Military), its size, public or private nature and IT resources, we choose to present
a strategic vision that easily contextualizes the evolution of a strategic attack, with all its possible
developments on the operational and tactical level. We consider, however, that a tactical threat may –
through an attack method – explore an infrastructure’s vulnerabilities and cause a strategic impact.
In accordance with the US guidelines (FM 3-13, 2003), which we consider in this article as support
for the Security Framework, the threats operating in the information environment are classified
according to their capacities in the following manner:
First Level – Amateurs, isolated or in small groups, using common hacking tools and techniques,
in an unsophisticated and non significantly supported manner.
Second Level – Individuals or small groups supported by corporate entities, terrorists, or other
transnational groups, using common hacking tools in a somewhat sophisticated manner. Their
activities include espionage, data collection, network tracking and scanning, and data theft.
Third Level – Individuals or small groups supported by state institutions (civilian or military) and
significant resources, using sophisticated tools. Their activities are identical to the third level’s.
Fourth Level – Information Operations enforced by States, especially through Computer Network
Attacks, using the most advanced tools and deception techniques in coordination with military
operations.
In a second iteration for threat analysis, we focus on organizational management, which is supplied
with dozens of models to reduce complexity and uncertainties, and solve organizational problems. We
use two models, considered by managers worldwide as the most useful in daily tasks, which may be
used to run the organization’s strategic analysis from the threat identification and analysis standpoint:
the SWOT analysis method (Strengths, Weaknesses, Opportunities and Threats) and PORTER’s five
forces model.
Porter’s five forces competitive analysis model puts the emphasis on the external competitive forces
associated with our organization. Therefore, the indicators to keep an eye on are: the existing
competitors, new participants, buyers, suppliers, and possible substitutes from the information
conflictuality’s point of view (the competition is guaranteed). The SWOT analysis method allows us to
combine an analysis of the external environment with the internal component.
The third iteration lets us classify some of the internal threats to the IS components themselves by
using the taxonomy presented by Pfleeger and Pfleeger (2006), consisting of:
By discontinuing the service, reaching availability through destruction, damage, or contamination;
refusing or delaying, in accessing and displacing, or obscuring.
By changing, reaching integrity by means of false data input or generation; replacing, removing,
separating, or reordering; representing or encoding and repudiating.
By intercepting, reaching confidentiality by means of illicit copy, observation, monitoring, or
deduction; control transfer or custody, and broadcasting (particularly through legitimate users by
negligence or fraud).
Natural catastrophes are also included in the threats, as they assume a set of natural risks over a
given component or components in organizational IS that may have an impact on their business
processes and physical structure.
As for the attack methods¹ used by the threats to attack the Military Command and Control
infrastructures and systems (i.e. the IS), we use the FM 3-13 (2003) classification, maintaining
conceptual coherence with the types of threats, and classify them in the following manner: forcing
unauthorized access, malicious software engineering, electronic deception, electronic attack,
computer network attacks, physical destruction and perception management.
For the attack methods more focused on technology, such as malicious software engineering and
computer network attacks, we add the classification suggested by Kurose and Ross (2008), which
consists of the following taxonomy: using Malware (e.g. Virus, worms and trojans); Denial of service
(DoS); Packet Sniffer; Masquerade (e.g. IP spoofing) and man-in-the-middle.
In view of the attack methods described above, we may consider the usage of physical destruction
weapons, syntax weapons (e.g. virus), aimed at attacking an information system’s operating logic,
and semantics weapons, which seek to manipulate, modify or destroy decision-making support
models, thus affecting the perception and representation of reality by the users (Nunes, 1999).
5. Information systems security framework
A conceptual model for information security requires the identification, management and control of the
several security dimension’s components and indicators, facilitating the decision-makers perception of
the IS security’s reality.
We consider a top-down approach to reference each dimension’s major components. Actually, we
intend to identify the organization’s critical and vital functions from the IS security’s perspective, the
critical side being to ensure the organization’s business continuity. Simultaneously, we carry out a
bottom-top approach, in which we set out to group the main information security indicators by
administration functionalities and technical similarities.
5.1 Information security organizational dimension
The purpose of this dimension is to run an analysis of the organization, its management, and IS and
information security control. A management structure must be established to initiate and control the
application of the information security within the organization. The organization’s correct overview is
fundamental to ensure the Security Framework’s proper planning and application. Table 1 identifies
what we believe to be its main components and indicators, major concerns being to identify the real
and potential threats to the organization and the critical assets to protect.
Table 1: Information Security Organizational Dimension
COMPONENTS
1. Quality Management System
2. Information Systems
3. Interfaces
4. Laws and Regulations
5. Management Systems
6. Strategic Analysis
7. Security Infrastructure
8. Others
PROBABLE INDICATORS
Mission, policy and vision
Business requirements
Business processes
Process managers
Operating areas and activities
IT service management
Operating managers
Specialists
IS analysis and design failures
Value chain
Subsystems
Information exchanges
National and international
Legal IT requirements
Client requirements
Ethical structure
Capacity planning
Project management
Change management
Knowledge management
Communication management
Project managers
SWOT analysis
Porter’s five forces analysis
Threat identification and analysis
Security committee (plan and approve)
Management committee (coordinate the application)
Process / asset executives (execute)
…
¹ Attack methods materialize (accomplish) the action or set of actions used by a threat (they have the potential) to explore one
or more vulnerabilities in a given asset of the organizational IS.
We view the Strategic Analysis component as the dimension’s main driver due to the importance of a
proper threat identification and analysis to the entire application methodology. This threat
identification will provide strictly detailed scenarios of possible attacks to explore vulnerabilities of the
critical assets identified in organizational IS.
5.2 Information security planning dimension
This dimension integrates planning and managing all information security controls (indicators),
considering every support resource and implemented measure to ensure its security in the different
dimensions presented in the Framework. Table 2 identifies what we believe to be its main security
components and indicators.
Table 2: Information Security Planning Dimension
COMPONENTS
1. Risk Identification and Assessment
2. Security Policy
3. Security Policies, Standards and Procedures
4. Global Security Plan
5. Security Auditing
6. Attack Monitoring, Detection and Response
7. Business Continuity
8. Offences and Forensic Analysis
9. Others
PROBABLE INDICATORS
Reference methodology
Report (classified)
Asset inventory (includes the information)
Document
Published and reported
Signed revisions
Human resource policy
Security standards
Information classification and management
Procedures for using passwords
Procedures for using equipment
Procedures for using storage devices
Procedures for accessing the Web
Procedures for using e-mail
Continuity management policy
Integrated access control policy
Information communication / broadcast policy
Backup policy
Log retention policy
Clear desk / clear screen policy
Mobile computing policy
Software use policy
Acquisitions policy
Goals
Current status
Strategy
Action plan
Benefits
The team’s functional structure
Budget and necessary resources
Technical terminology
Internal and external reports
Intrusion testing (e.g. simulating attacks)
Vulnerability detection and auto correction
Incident reports
Dissuasive measures (hindering attacks)
Detection measures (tracking down attacks)
Diversion measures (eluding attacks)
Entities to monitor and contact (e.g. CERT)
Disaster recovery plan
Identified and analyzed risk scenarios
Disaster recovery architecture
Alternative site
Recovery team
Plan rehearsals
Relation with IT management
Specific training
Plan maintenance and revision
Responsible entity
Procedures for obtaining evidence
Reports
Criminal and disciplinary consequences
…
The planning dimension fundamentally has ISO / IEC 27001 (2005) as a reference for the
international standard for good practices in information security in 10 key areas.
We consider the Security Policies, Standards and Procedures component the dimension’s main
driver, reflecting the information security risk identification and assessment previously conducted by
the organization.
5.3 Information security physical dimension
Its main goal is to ensure the IS physical protection in general, and the protection of all its
components (e.g. hardware, software, documents and magnetic devices) in particular, where we
essentially consider the components and indicators pointed out in Table 3.
Table 3: Information Security Physical Dimension
COMPONENTS
1. Internal Emergency
2. Critical Infrastructure
3. Facilities
4. Equipment
5. Critical Areas
6. Access Physical Control
7. Disposal / Reuse
8. Listening, Observation and Electromagnetic Radiation Protection
9. Service and Maintenance
10. Others
PROBABLE INDICATORS (LEVEL OF EXPOSURE)
Internal emergency plan
Fire detecting and fighting
Flood detecting and fighting
Gas leak detecting
Protecting dangerous sites
Main power supply
Telecommunications
Plans of the organization
Access types (e.g. controlled)
Area typology
Physical structure
Equipment catalogue
Storage device catalogue
Equipment identification
Contact persons
Access type
Physical disposition and protection
Network access sites
Maintenance service record
Location
Classification
Structure
Illumination and visual indicators
Storage and cleaning
Uninterrupted power source (UPS)
Backup generators
Surveillance systems
Cables
Air conditioning systems
Access control
Fire detecting and fighting
Monitoring
Emergency procedures
Local grounding
Flood detection and draining
Physical security perimeter
Video surveillance systems
Alarm systems
Access points
Control and record systems
Equipment and documents
Acoustic insulation
Tempest specifications
Internal and external
Reports
Maintenance contracts
…
We consider the Internal Emergency component this dimension’s main driver because, after
identifying and analyzing the threats, we can see in this component the main physical vulnerabilities
that may be explored in the organization.
5.4 Information security personal dimension
The personal security dimension seeks to reduce the risk of intentional or negligent human error over
the IS components, particularly avoiding Social Engineering attacks that are set to explore one of
security’s weakest links – the human element. We are fundamentally considering the security
components and indicators pointed out in Table 4.
Table 4: Information Security Personal Dimension
COMPONENTS
1. Recruiting and Releasing
2. Task Performance
3. Training
4. Social Engineering
5. Others
PROBABLE INDICATORS (LEVEL OF EXPOSURE)
Security philosophy
Code of ethics
Confidentiality agreement
Background check
Releasing procedures
Quitting procedures
Accreditation
Job and employee profile
Outsourcing
Personnel record
Internal and external
Training seminars
Reference methodology
Good practices
…
In conclusion, we consider the Task Performance component as this dimension’s main driver. This
dimension should essentially prevent Social Engineering attacks, avoiding user manipulation in a way
that persuades them to perform certain actions with the intent of changing information security’s main
properties.
5.5 Information security technological dimension
The purpose of this dimension is to ensure correct data and information processing, transmission
and storage, indispensable to guarantee information security. As a conceptual model for an easier
perception by the decision-maker, we divide this dimension into three: an application (processing)
dimension, a logic (identification and storage) dimension, and finally a network (transmission)
dimension. Each dimension is particularly oriented towards the aforementioned purposes, without
prejudice to isolating dimensions.
5.5.1 Information Security Application Dimension
In this dimension, we essentially explore the security components and indicators pointed out in Table
5, matching the concern with the organization’s installed software acquisition or development,
implementing, maintenance, and correct use, paying particular attention to the separation between
development, testing and production environments so as to prevent security risks.
In this dimension, we consider the Control and Maintenance component as the main driver; it is
crucial to acknowledge that most organizations are absolutely dependent on the Information and
Communication Technology infrastructure, and on the quantity, quality and availability of the
information such infrastructure supplies and supports, hence the possible adoption of ITIL
(MacFarlane and Rudd, 2003).
Table 5: Information Security Application Dimension
COMPONENTS
1. Usage
2. Control and Maintenance
3. Acquisition and Development
4. Others
PROBABLE INDICATORS (LEVEL OF EXPOSURE)
Software catalogue
Distribution by IS levels
Responsible users
Licensing
Settings
Reviews
Versions
Incidents and problems
Application outsourcing
Source code analysis
Software development process
Software quality features
Quality requirements and software testing
…
5.5.2 Information Security Logic Dimension
This dimension holds as indispensable to entrust users with authorized access to information and its
correct storage and security. We consider Identification and Authentication as the main driver, which
validates the entrusted agent and, consequently, one of the main logic access control operations.
Table 6: Information Security Logic Dimension
COMPONENTS / PROBABLE INDICATORS (LEVEL OF EXPOSURE)
1. Identification and Authentication
Validation (e.g. operating system)
2. Access Logic Control
Information access control matrix
3. Storage Systems
Document and workflow management systems
Databases
File Server
Mail Server
Web Server
Application Server
Business applications
Information media and standard format
Entrust data reading devices
Redundancy systems
Encrypted information and data
Clients, servers, assets, and security technologies
4. Log Management
Real time retention and copy
Content analysis
NTP protocol
5. Others
…
5.5.3 Information Security Network Dimension
Regarding the network as a set of autonomous and interconnected computers, the main concerns are
the communication security and the network management supporting the operating systems of the
technologies implemented in the IS.
We view the implemented Security Technologies as this dimension’s main driver, since they perform
their internal security and the Internet’s as well. This is the main technological interface with the
organizational IS but, simultaneously, the main means for Cyber warfare.
Table 7: Information Security Network Dimension
COMPONENTS
1. Servers
2. Clients
3. Internet
4. Security Technologies
5. Network management
6. Assets
7. Telecommunications
8. NAS or SAN
9. Others
PROBABLE INDICATORS (LEVEL OF EXPOSURE)
Administrators
Implementing services
Settings
Network authentication
Operating systems
Administrators
Settings
Mobile clients
Network authentication
Operating systems
System utilities usage
Access and management types
TCP/IP protocol
Intranets and Extranets
Firewalls
Intrusion Detection Systems (or IPS)
Antivirus
VPN
Encrypting and authentication
File integrity checkers
Honey pots
Network type (LAN, MAN, WAN)
Administrators
Network topology (e.g. Ethernet)
Network monitoring and management
Network access control
Network separation
Implementing services
Administrators
Settings
Forwarding protocols
Inter-communicators
Telephones
Cellular phones
Fax
Network attached storage
Storage area network
…
We can gather that IS security has to be seen as a process that allows the integration of all its
dimensions, due to the multiple interdependencies between components and indicators. This leads us
to adopt UML to facilitate communication with the organizations (e.g. those audited), providing a strict
description of the Security Framework’s analysis, design, implementation and management stages. It is
represented by the Class Diagram in Figure 5, the main idea being to identify the most relevant
aspects that take part in the IS under analysis and, therefore, to visualize it as a whole through its
classes and relations.
We use the class diagram to describe the information structure used in the system, seeking to
describe its status (attributes) and behavior (methods). It represents an abstraction over a set of
objects that share the same structure and behavior since, in reality, an object is a particular case
within a class, also known as a class instance.
The featured class diagram intends to provide a static perspective to support the information security
requirements of the IS under analysis. Through the components and indicators shown for the security
dimensions, the Framework implicitly lists the technical or non technical controls – existing or planned
– in the organizational IS to reduce or eliminate the probability of one or more vulnerabilities being
explored by a threat.
Figure 5: Information Security Framework
In this article we present the dimensions, components and indicators that ensure the information
security of an organizational IS facing the featured possible Information Warfare actions. We stress
that the connection between dimensions is established through the centralized planning of the
implemented controls after analyzing the organizational processes.
6. Conclusions and future work
The presented Security Framework has information security facing Information Warfare / Competitive
Intelligence as a main goal. It provides the integration and interconnection of the featured dimensions,
thus ensuring that the presented component indicators are efficiently implemented.
The threat of a Strategic Information Warfare totally eliminates the distinction between military and
civil systems (Nunes, 1999), whereby the article proposes a methodology for identifying and analyzing
threats that would represent the Strategic, Management, and Operational Level.
The advantages we believe to achieve with the featured Framework and its application methodology
against others under review (ISO 27001, 2005; OCTAVE, 2001) to ensure Information Security
Management in the IS are the following:
The threat identification and analysis methodology is global due to the integration of possible
military actions, whereby we consider that attack methods are no more than actions developed by
certain threats (e.g. in a strategic level, the States), using physical, syntax or semantical weapons
in order to explore particular vulnerabilities and thus cause an impact in the organization.
The possibility to integrate several management and security methodologies used by the
organizations, avoiding analytic repetitions and providing a vision more suited to the decision-maker’s perception of the security of the business.
Facilitates the operations of organizational IS security due to the interconnection of the multiple
dimensions, and to the fact that, in its early stage, it is not focused on identifying and assessing
each asset’s individual risk, but on ensuring, on a later stage, a more refined analysis for each of
the organization’s critical process and assets concerning its mission.
As a window for possible studies, we consider the possibility of validating the indicators featured in
the security dimensions components, considering that without measurable indicators to support an
information security management methodology it is not possible to ensure a proper information
security level, and that any investment in security can always be questioned (Santos, 2006).
In conclusion, we see information security as a management process, not a technological process
(ISO 27001, 2005), where there should be a balance between Organizational, Physical, Personal, and
Technological security.
References
Alberts, Christopher J. and Dorofee, Audrey J. (2001). OCTAVE SM – Method Implementation Guide Version 2.0,
Carnegie Mellon, Software Engineering Institute, Pittsburgh, USA.
FM 100-06 (1996). Information Operations, Headquarters, Department of the Army, Washington, USA.
FM 3-13 (2003). Information Operations: Doctrine, Tactics, Techniques, and Procedures, Headquarters,
Department of the Army, Washington, USA.
ISO/IEC 27001 (2005). Information technology – Security techniques – Information Security Management
Systems – Requirements.
JP 3-13 (2006). Information Operations, USA.
Kurose, James F. and Ross, Keith W. (2008). Computer Networking, Pearson Education - Addison Wesley, 4th
Edition, Boston, USA.
Macfarlane, Ivor and Rudd, Colin (2003). Gestão de Serviços de TI, The IT Service Management Forum, UK.
Martins, José Carlos L. (2008). Framework de Segurança para um Sistema de Informação, Tese de Mestrado,
Escola de Engenharia, Universidade do Minho.
Nunes, Paulo Viegas (1999). “Impacto das Novas Tecnologias no Meio Militar: A Guerra de Informação”, in
Vários, Revista Militar, p. 1721-1745, Lisboa.
Pfleeger, C. P. and Pfleeger, S. L. (2007). Security in Computing, 4th Edition, Prentice Hall.
Santos, Henrique D. (2006). ISO / IEC – A norma das normas em Segurança da Informação, Publicação da
Associação Portuguesa para a Qualidade, pp 11-1, Ano XXXV, Nº1, ISSN 0870-6743, Lisboa.
Turban et al. (2003). Administração de Tecnologia de Informação, Editora Campus, Rio de Janeiro.
Varajão, João Eduardo Q. (1998). A Arquitectura da Gestão de Sistemas de Informação, FCA – Editora de
Informática, Lisboa.
Waltz, Edward (1998). Information Warfare: Principles and Operations, Artech House, USA.
Copyright of Proceedings of the European Conference on Information Warfare & Security is the property of
Academic Conferences, Ltd. and its content may not be copied or emailed to multiple sites or posted to a
listserv without the copyright holder's express written permission. However, users may print, download, or
email articles for individual use.