Layered information security framework

Abstract

This project has developed a framework which is layered. The framework can be used by any organization to rate their security "goodness" by being able to know what they have been able to implement and what is lacking. All the layers are equally important, they need to be secure This framework consists of nine layers and all the nine layers are not physical but logical layers. Since information flow through a network from one computer to another can be looked at as layered, flowing from the application layer to the physical layer, security can also be implemented layer wise. The security deals with more than the seven logical layers of information flow and therefore two more layers have been incorporated. These are the User Administrative layer and the security policy layer. The security policy guides the users on what they are supposed to do and what not. The users interact with the application layer. After developing the framework it was tested using several organizations. These organizations are a representation of all the networked organizations. The testing was done using questionnaires and the questionnaires are in three sets. One set for the system administrator, another for members of staff and another for students. The students and staff questionnaire was only used in educational institutions. For the other organizations used only the system administrator questionnaire. It will be easy for an organization to know if their network has a weakness and to know also what to put to overcome the weakness. An organization can also compare its security level in each layer and see what it has emphasized and what has been ignored. This will also increase the awareness of the organizations to improve their security. The framework has been used on several organizations and the analysis of the results done and displayed in a presentation format The results show security implementation varied from one organization to another, with some organizations having keen interest in their network implementations and others not very keen. In general private organizations were noted to be keener to protect their networks. Other organizations kept a good average for each layer and therefore they never performed very poorly in any of the layers neither extremely well in any of the layers. The results give evidence of some organizations, which really emphasized on some layers forgetting others and this could be the source of their network security problems. Generally speaking, layer six and seven were the most insecure with their security fulling below 40%. Layer three and eight were the most secure with their security about 75%