E-Learning: An Information Security Perspective Dr. Mohd Faiz Hilmi School of Distance Education Universiti Sains Malaysia Yanti Mustapha Universiti Teknologi MARA Shahrier Pawanchik School of Distance Education Universiti Sains Malaysia

Jan 12, 2016

Page 1: E-Learning: An Information Security Perspective

Dr. Mohd Faiz Hilmi, School of Distance Education, Universiti Sains Malaysia

Yanti Mustapha, Universiti Teknologi MARA

Shahrier Pawanchik, School of Distance Education, Universiti Sains Malaysia

Page 2: Introduction

Advancement in information technology
◦ changes the education landscape.
◦ Various new methods of delivery have emerged (Salleh, 1997; Sakamoto, 1997).
◦ made E-Learning possible and available on a large scale.

E-Learning relies upon the internet, which is open to threats (Kritzinger, 2006).
◦ but has neglected the issue of information security.

Page 3: Introduction

A review of information security in the E-Learning environment
◦ explains the importance of information security.
◦ ten domains of information security are explained within the E-Learning context.

Page 4: Information Security Risk (Kritzinger & Solms, 2006)

1. Alteration of material by unauthorized people.
2. Bogus course material.
3. Submitted assignments copied by unauthorized parties.
4. Submitted assignments changed by unauthorized parties.
5. Marks changed/deleted.
6. Access to test papers; test content changed.
7. People masquerading as students, writing tests on behalf of such students.
8. Students getting unauthorized help during exams.
9. Denial of service attempts against course websites.
10. Logon information of lecturers and students can be intercepted and misused.

Page 5: Literature Review

The three most important pillars are confidentiality, integrity and availability (Stamp, 2006).

Three important services are identification and authentication, authorization and non-repudiation (Eibl, Solms & Schubert, 2006).

Four pillars are governance, policy and procedures, implementation of countermeasures and monitoring of countermeasures (Kritzinger & Solms, 2006).

Alwi & Ip-Shing (2009) discussed the required security elements in an E-Learning environment.

Kritzinger (2006) identified technical and procedural countermeasures to enhance the security of information.

Eibl, Solms & Schubert (2006) proposed an information security rating system for E-Learning environments.
◦ Determine the capabilities of an E-Learning system.

Page 6: Literature Review

Doherty, Anastasakis & Fulford (2009) examined the structure and content of the information security policies of several higher education institutions.
◦ existing policies are not comprehensive enough
◦ did not play an effective role for their respective institutions.

Chang & Uden (2008) look at E-Learning governance practices.

Arkhipov & Ovodkov (2004) suggest collaboration between E-Learning education providers to enhance information security.

E-Learning systems must consider the privacy and security needs of the E-Learning participants (El-Khatib, Korba, Xu & Yee, 2003).

Feedback and control rights of online learning participants are also important and must be given proper attention in an E-Learning system (Tsiantis, Stergiou & Margariti, 2007).

Page 7: Focus of selected research on information security of E-Learning

Author: Focus

Alwi & Ip-Shing (2009): Security elements in E-Learning.

Arkhipov & Ovodkov (2004): Information security collaboration between education providers.

Eibl, Solms & Schubert (2006): Information security rating of E-Learning systems.

Chang & Uden (2008): Information security governance.

Doherty, Anastasakis & Fulford (2009): Information security policy in higher education institutions.

El-Khatib, Korba, Xu & Yee (2003): Security and privacy issues in E-Learning.

Kritzinger (2006): Technical and procedural information security countermeasures.

Kritzinger & Solms (2006): Countermeasures and information security pillars in the E-Learning environment.

Tsiantis, Stergiou & Margariti (2007): Feedback and control rights of online learning participants.

Page 8: CIA Framework

[Diagram: Confidentiality, Integrity, Availability]

Page 9: Extended CIA Framework

[Diagram: Confidentiality, Integrity, Availability, extended with Non-repudiation, Authorization, Identification & Authentication]

Page 10: Major Schools of Thought in Information Security

Two main schools of thought:

the International Information Systems Security Certification Consortium ((ISC)2)

the SysAdmin, Audit, Network, Security Institute (SANS Institute).

Page 11: International Information Systems Security Certification Consortium ((ISC)2)

created the information security industry's common body of knowledge (CBK).

a compendium of industry best practices, a framework and a collection of information
◦ guides the understanding of terms and concepts in the information security knowledge area (Theoharidou and Gritzalis, 2007).
◦ the foundation for the Certified Information Systems Security Professional (CISSP) certification.

CISSP certification is considered the gold standard in the information security industry ((ISC)2, 2010).

Page 12: SysAdmin, Audit, Network, Security Institute (SANS Institute)

claims to be the largest source of information security training and security certification in the world (SANS Institute, 2010).

provides hundreds of courses and certifications related to information security.

Page 13: Ten Domains of the (ISC)2 Information Security Common Body of Knowledge (CBK)

a taxonomy that contains a collection of topics related to information security (Tipton and Henry, 2007, p. xv).

Information security professionals have been using the (ISC)2's CBK as a source of reliable information on information security.

Currently there are ten domains that make up the CBK.

Page 14: The application of the ten domains within an E-Learning system

The application of the ten domains within an E-Learning system is relatively scarce.

E-Learning systems focus more on the content.

Information security is increasingly becoming more important
◦ especially in today's connected and borderless world.
◦ E-Learning systems should incorporate the ten domains of the information security CBK.

Page 15: the Ten Domains…

1. Information Security and Risk Management
2. Access Control
3. Cryptography
4. Physical (Environmental) Security
5. Security Architecture and Design
6. Business Continuity and Disaster Recovery Planning
7. Telecommunication and Network Security
8. Application Security
9. Operations Security
10. Legal, Regulations, Compliance and Investigations

Page 16: Domain 1: Information Security and Risk Management

Purpose: Investigates and analyzes the current state of the security of information, finding loopholes in the systems, then applying the proper amount of countermeasures.

E-learning focus:
Policy, procedures, standards & guidelines of E-Learning institutions.
Audit framework for E-Learning institutions.
Awareness and training for staff and students.

Page 17: Domain 1: Information Security and Risk Management

Focuses on the need for comprehensive policy, procedures, standards & guidelines for E-Learning institutions.
◦ must have a comprehensive information security policy in place (Bakari et al., 2005).
◦ policy, procedures, standards and guidelines must be comprehensive and not just superficial documents (Doherty, Anastasakis & Fulford, 2009).

E-Learning institutions must also have an audit framework, awareness programs and training for staff and students.

Collaborative leadership will improve the practice of e-learning (Jameson et al., 2006).

Page 18: Domain 2: Access Control

Purpose: Protect information and resources from unauthorized logical access to the information.

E-learning focus:
Access control to the E-Learning system.
Intrusion detection and prevention system.

Page 19: Domain 2: Access Control

Beyond accessibility, quality of service is also a factor that must be considered
◦ students will only benefit from access from a location conducive to studying (Harris, 1999).

Access control to the E-Learning system must be based on an approved policy of the governing institution.

The E-Learning system must also have the mechanism to handle intrusion detection and prevention.

Also within the purview of domain two, E-Learning systems are the placeholder for copyrighted content.
◦ proper digital rights management systems and processes are necessary (Liu, Safavi-Naini & Sheppard, 2003).
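Slides 18 and 19 call for intrusion detection on the E-Learning system, and risk 10 on slide 4 names intercepted logon credentials as a threat. The following added example (written for this edit, not code from the presentation or its authors) shows what such detection can look like at its simplest: two checks run over a constructed sample of LMS authentication log lines. The log format, user IDs, IP addresses, thresholds and time windows are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of LMS login events (not real data). Format is assumed:
# <ISO timestamp> login user=<id> result=OK|FAIL ip=<address>
SAMPLE_LOG = """\
2016-01-12T09:00:01 login user=s1234 result=OK ip=10.0.0.5
2016-01-12T09:00:40 login user=s1234 result=OK ip=203.0.113.9
2016-01-12T09:02:00 login user=l0042 result=FAIL ip=198.51.100.7
2016-01-12T09:02:05 login user=l0042 result=FAIL ip=198.51.100.7
2016-01-12T09:02:09 login user=l0042 result=FAIL ip=198.51.100.7
2016-01-12T09:02:14 login user=l0042 result=FAIL ip=198.51.100.7
2016-01-12T09:02:20 login user=l0042 result=FAIL ip=198.51.100.7
2016-01-12T09:30:00 login user=s9876 result=OK ip=10.0.0.8
2016-01-12T13:30:00 login user=s9876 result=OK ip=10.0.0.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) result=(?P<result>OK|FAIL) ip=(?P<ip>\S+)$"
)


def parse_log(text):
    """Parse log text into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "user": m["user"],
            "result": m["result"],
            "ip": m["ip"],
        })
    return events


def detect_failed_login_bursts(events, threshold=5, window=timedelta(minutes=1)):
    """Users with at least `threshold` FAIL results inside any sliding window
    (password guessing against a single account)."""
    alerts = set()
    per_user = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            per_user[e["user"]].append(e["ts"])
    for user, stamps in per_user.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.add(user)
                break
    return sorted(alerts)


def detect_shared_credential_use(events, window=timedelta(minutes=10)):
    """Users with successful logins from different IP addresses within `window`
    (a hint that a logon was intercepted or shared, as in risk 10)."""
    alerts = set()
    per_user = defaultdict(list)
    for e in events:
        if e["result"] == "OK":
            per_user[e["user"]].append((e["ts"], e["ip"]))
    for user, logins in per_user.items():
        logins.sort()
        for i in range(len(logins)):
            for j in range(i + 1, len(logins)):
                if logins[j][0] - logins[i][0] > window:
                    break
                if logins[j][1] != logins[i][1]:
                    alerts.add(user)
    return sorted(alerts)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("failed-login bursts:", detect_failed_login_bursts(evs))
    print("possible shared credentials:", detect_shared_credential_use(evs))
```

Both checks are deliberately simple so the rule can be read and tuned by the institution: the thresholds and windows are the policy knobs (slide 19 says access control must follow an approved policy), and an alert should feed the incident handling process described under Domain 10 rather than lock accounts automatically, which would itself be a denial-of-service vector (risk 9).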

Page 20: Domain 3: Cryptography

Purpose: Protect CIA using mathematical means such as cryptography, hashing etc.

E-learning focus: Security of data transmission.

Page 21: Domain 3: Cryptography

The need to ensure that data are only understandable to the intended audiences.
◦ Information must be encrypted, especially before being transmitted through the public domain.

Several existing technologies that can be considered are encryption algorithms, smartcard technologies and certification schemes (Furnell et al., 1998; Margi et al., 2000).

Whatever technology is chosen
◦ must remain user friendly and non-intrusive to the students (Furnell et al., 1998).
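Slide 20 lists hashing alongside encryption as a mathematical means of protecting CIA, and risks 4 and 5 on slide 4 (assignments and marks changed by unauthorized parties) are integrity failures. The added example below (written for this edit, not code from the presentation or its authors) shows the integrity half of that: a grade record that embeds a SHA-256 digest of the submitted assignment and is sealed with an HMAC so that any later change to the mark or the file is detected. The record fields, the student and course IDs and the key are constructed for illustration; encryption of the record in transit is a separate step (TLS in practice) that this example does not perform.

```python
import hashlib
import hmac
import json

# Constructed key for the example only. A real deployment loads the key from a
# secrets store on the server side; it is never hard-coded or sent to clients.
SERVER_KEY = b"example-only-key-do-not-use"


def canonical(record: dict) -> bytes:
    """Stable serialisation so the same record always produces the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def file_digest(data: bytes) -> str:
    """SHA-256 of the submitted assignment; stored inside the grade record."""
    return hashlib.sha256(data).hexdigest()


def seal_record(record: dict, key: bytes = SERVER_KEY) -> dict:
    """Attach an HMAC-SHA256 tag computed over the canonical record.
    The tag covers every field, including the embedded file digest, so an
    attacker who edits a field cannot simply recompute a plain hash."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify_record(sealed: dict, key: bytes = SERVER_KEY) -> bool:
    """True only if the record is unchanged since sealing with this key."""
    expected = hmac.new(key, canonical(sealed["record"]), hashlib.sha256).hexdigest()
    # compare_digest avoids leaking the tag through timing differences
    return hmac.compare_digest(expected, sealed["tag"])


def assignment_matches(sealed: dict, data: bytes) -> bool:
    """Check that a stored assignment file still matches the sealed record."""
    return verify_record(sealed) and file_digest(data) == sealed["record"]["assignment_sha256"]


def demo():
    """Seal a constructed grade record, then show tampering being detected.
    Returns (valid before tampering, valid after mark change, file still matches)."""
    assignment = b"Essay text submitted by the student (constructed sample)."
    record = {
        "student": "s1234",          # constructed ID
        "course": "MGT101",          # constructed course code
        "assignment_sha256": file_digest(assignment),
        "mark": 78,
    }
    sealed = seal_record(record)
    ok_before = verify_record(sealed)

    # Risk 5: an unauthorized party edits the mark but cannot forge the tag.
    tampered = {"record": dict(sealed["record"], mark=95), "tag": sealed["tag"]}
    ok_after = verify_record(tampered)

    # Risk 4: the stored assignment file is altered after submission.
    file_ok = assignment_matches(sealed, assignment + b" appended text")
    return ok_before, ok_after, file_ok


if __name__ == "__main__":
    print(demo())
```

A bare hash stored next to the record would not help against risks 4 and 5, because whoever can edit the record can recompute the hash; the HMAC key is what ties verification to the institution's server. For non-repudiation (slide 9), the same pattern is carried out with a digital signature instead of an HMAC, so the verifier does not need the signing key.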

Page 22: Domain 4: Physical (Environmental) Security

Purpose: Addresses physical, environmental and procedural risk.

E-learning focus:
Physical security of E-Learning institutions.
Building access.
Information protection and management services.

Page 23: Domain 4: Physical (Environmental) Security

May & Lane (2006) proposed a Security Practitioner's Management Model which consists of five layers.
◦ One of the layers is physical security
◦ actual physical security including infrastructure, devices, hardware and software.

Physical security of E-Learning institutions must provide sufficient protection from intruders.
◦ building access system
◦ control the movement in and out of any building that houses the E-Learning institution.

Provide information protection and management services for the E-Learning system.

Without proper infrastructure supporting the E-Learning system, the flexibility and benefits of such a system will be short lived (Bakari et al., 2005).

Page 24: Domain 5: Security Architecture and Design

Purpose: Protect information models and architectural network methods from unauthorized disclosure, modification, and destruction.

E-learning focus:
Security framework.
Hardware and software design.

Page 25: Domain 5: Security Architecture and Design

Every E-Learning institution must have a solid security framework that provides the foundation for the E-Learning system.

Proper hardware and software design or selection must also be part of the framework of an E-Learning institution.

Page 26: Domain 6: Business Continuity and Disaster Recovery Planning

Purpose:
A Disaster Recovery Plan (DRP) contains procedures to reduce damage during and after a tragic event.
A Business Continuity Plan (BCP) is a long-term plan to keep the business functional following a disaster.

E-learning focus:
Availability of (uninterrupted) access to the E-Learning system.
Assessment, development, implementation and management of continuity planning.

Page 27: Domain 6: Business Continuity and Disaster Recovery Planning

Availability is an important aspect of an E-Learning system.
◦ Students and staff are dependent on the system for their learning and teaching.
◦ System outages will interrupt students' learning.

Continuous (uninterrupted) access to the E-Learning system is paramount to the success of an E-Learning system (Crisp, 2002).
◦ must have solid assessment, development, implementation and management of continuity planning.

Page 28: Domain 7: Telecommunication and Network Security

Purpose: Segregate non-trusted networks using devices, architectures, and protocols to protect the trusted network.

E-learning focus:
Secured transmission of voice, data & multimedia.
Perimeter defence (through firewall etc.) of the E-Learning system.

Page 29: Domain 7: Telecommunication and Network Security

Ensures secured transmission of voice, data & multimedia between the E-Learning institution and students.

Ease of access to the Internet has been identified as one of the critical success factors for e-learning acceptance (Selim, 2007).

Floor control security
◦ required especially for synchronized communication activities in the online distance learning environment (Lin et al., 2004).

The centre of the E-Learning system must be protected by a perimeter defence (through a firewall).

Page 30: Domain 8: Application Security

Purpose: Apply security throughout the life cycle of software use.

E-learning focus:
Secured E-Learning application.
Any open source code used must be verified to be virus free.

Page 31: Domain 8: Application Security

The Internet is not a secure medium for transmitting information
◦ especially for the online methods.
◦ Web applications must provide security for transmitted data (Jalal & Zeb, 2008).

E-Learning institutions must use a secured E-Learning application.

Any usage of open source code must be verified thoroughly to ensure the code or software is virus free.

Page 32: Domain 9: Operations Security

Purpose: Keeping the organization's systems running securely, ensuring secure day-to-day operation.

E-learning focus:
Privileged entity controls for staff and students accessing the E-Learning system.
Resource protection.
Proper and well documented change control management for any changes, modifications or upgrades to the E-Learning system.

Page 33: Domain 9: Operations Security

Privileged entity
◦ to control staff and students accessing the E-Learning system.

Resources must be protected from unauthorized access.

Proper and well documented change control management
◦ for any changes, modifications or upgrades to the E-Learning system
◦ to ensure uninterrupted access to the E-Learning system.

Secured operations have been identified as one of the critical success factors for an E-Learning system (Jacobfeuerborn & Muraszkiewicz, 2010).

Page 34: Domain 10: Legal, Regulations, Compliance and Investigations

Purpose: Addresses general computer crime legislation and regulations, investigative measures and techniques.

E-learning focus:
Understanding of the laws & regulations governing the E-Learning institution.
Security incident handling for the E-Learning system.

Page 35: Domain 10: Legal, Regulations, Compliance and Investigations

Various legal issues are being reconsidered from the E-Learning perspective (Levy, 2010).
◦ copyright, fair use, and work for hire

All administrators (Dean, deputy dean etc.) must have a good understanding of the laws & regulations governing the E-Learning institution.
◦ ensure that their institution strictly follows all the rules and regulations.
◦ there must also be proper security incident handling for the E-Learning system.

With a proper security handling system
◦ the E-Learning institution is capable of facing any unexpected issues.

Page 36: Conclusion

Online distance learning has undergone a major evolution
◦ advancement in information technology.

New threats.
◦ Hackers, viruses and spam…

Standards and procedures must be in place
◦ to keep online distance learning safe from these threats.

Page 37: Conclusion

How?
◦ incorporate the information security common body of knowledge as part of the online distance learning system.
◦ it provides comprehensive baseline knowledge and best practices on information security.

E-Learning institutions should adhere to all ten domains within the information security CBK.
◦ provide an E-Learning system with high confidentiality, integrity and availability.

Page 38: Thank You