CHAPTER ONE
INTRODUCTION
1.0 Preamble
This chapter gives an overall review of the project; it shows what the project is about and
how it will be implemented. It works on the principle of introducing the topic of research
and setting it into a broad context, gradually narrowing down to a research problem. This
chapter introduces the project, specifically the background of the study, motivation, scope
of the problem, purpose of the study, methodology and definition of terms.
1.1 Background of the Study
An information system occupies a vital and unique position in any organization by virtue
of the data and information it contains. Security of information is of great importance to
any organization; it makes the information reliable, since stored information can be
referenced whenever necessary while access by unauthorized persons is prevented. This
project analyses the activities and importance of securing information in any organization
and of seeing that the information is accurately maintained, to help management in
decision making and in controlling the diverse activities of the organization. Therefore,
for effective administration and management, the provision of computer-based
information security for every source station is certainly inevitable, since it will take care
of the problems and inadequacies of the manual system.
1.2 Motivation
A security information system has always played a vital role in the stability of any
organization, institution and the nation at large. Keeping security information manually
can hinder some defence programmes and delay the passage of security information to
the appropriate body. Manual documentation of security information can lead to exposure
of the information, thereby creating a threat to the nation at large. Hence, there is a need
for an automated security information system to guarantee the safety of information.
1.3 Purpose of the Study
The main purpose of this project is to design and implement an online computerized
security information tracking system for Kaduna Polytechnic. Other objectives include:
i. To develop software for managing security information for the Kaduna Polytechnic
security unit.
ii. To provide a unique tracking ID for easy information tracking.
iii. To provide a system for higher security efficiency of information and quicker access
to individual data.
1.4 Methodology
Methodology is the systematic, theoretical analysis of the methods applied to a field of
study. It comprises the theoretical analysis of the body of methods and principles
associated with a branch of knowledge. The research methods used in this work include
interviews, the internet, textbooks and direct observation of people. These methods
provide reliable information on the knowledge required for this research, and proper
guidance. HTML, CSS and JavaScript will be used as the front-end, PHP will be employed
as the back-end and MySQL as the database for the design of the system.
1.5 The Scope of Project
The scope of this project depends on the available facilities and resources, both human
and material. The project will cover two broad aspects, staff information and security
information, within the limit of the available facilities and the information given by
Kaduna Polytechnic staff.
1.6 Definition of Terms
On-line processing - A method of processing that gives users direct access to information
files and so enables updating.
Operations - The actions carried out on an activity or process.
Crime record sheet - Contains pertinent information on staff and services, entered into
the computer system via the standard input device, the keyboard.
Data entry - The standard input device through which the system gets most of its
instructions and commands.
Processing unit - Where all data are processed and the commands from the user are
carried out.
Password - Employed to restrict unauthorized access to information contained in the
system; in other words, it is a security check technique.
Witness - A person who was actually present at an event and should for that reason be
able to describe it.
Accused - A person who has done wrong by breaking the law.
Informant or informer - A person who detects offenders and informs the authorities of
their offences.
Suspect - A person whom one has reason to believe is guilty.
Database - A systematically arranged collection of computer data, structured so that it
can be automatically retrieved or manipulated. It is also called a databank.
Information security - Protecting information and information systems from
unauthorized access, use, disclosure, disruption, modification, perusal, inspection,
recording or destruction.
CHAPTER TWO
LITERATURE REVIEW
2.0 Preamble
A literature review examines the critical points of past and current knowledge in a
particular field of study. It is an objective, thorough summary and critical analysis of the
relevant research available, including findings and contributions to the topic, Design and
Implementation of an Online Security Information System.
Review of Related Literature
2.1 Security Information System
Security is the degree of protection against danger, damage, loss and crime. Security as a
form of protection consists of the structures and processes that provide or improve
security as a condition. The Institute for Security and Open Methodologies (ISECOM) in
the OSSTMM 3 defines security as a “form of protection where a separation is created
between the assets and the threat”. This includes but is not limited to the elimination of
either the asset or the threat. Security as a national condition was defined in a United
Nations study (2017) so that countries can develop and progress safely.
Security has to be compared with related concepts: safety, continuity and reliability. The
key difference between security and reliability is that security must take into account the
actions of people attempting to cause destruction. Different scenarios also give rise to the
context in which security is maintained. With respect to classified matter, security is the
condition that prevents unauthorized persons from having access to official information
that is safeguarded in the interest of national security. With respect to a police unit,
activity or installation, security is the measures taken to protect itself against all acts
designed to, or which may, impair its effectiveness.
Perception of security may be poorly mapped to measurable objective security. For
example, the fear of earthquakes has been reported to be more common than the fear of
slipping on the bathroom floor, although the latter kills more people than the former.
Similarly, the perceived effectiveness of security measures is sometimes different from
the actual security provided by those measures. The presence of security protection may
even be taken for security itself. For example, two computer security programs could be
interfering with each other and even cancelling each other’s effect while the owner
believes he or she is getting double the protection.
Security theatre is a critical term for the deployment of measures primarily aimed at
raising subjective security in a population without a genuine, commensurate concern for
the effects of those measures on objective security, which they may even decrease.
Perception of security can also increase objective security when it affects or deters
malicious behaviour, as with visible signs of security protections such as video
surveillance, alarm systems in a home, or an anti-theft system in a car such as LoJack,
and the signs advertising them.
For example, a thief may approach a car, break the window and flee in response to an
alarm being triggered. Either way, perhaps the car itself or the objects inside are not
stolen, but with perceived security even the windows of the car have a lower chance of
being damaged, increasing the financial security of the owner(s).
However, the non-profit security research group ISECOM has determined that such
signs may actually increase the violence, daring and desperation of the intruder. This
claim suggests that perceived security works mostly on the provider and not on security
at all. It is important, however, for signs advertising security not to give clues as to how
to subvert that security; for example, a home burglar might be more likely to break into a
certain home if he or she is able to learn beforehand which company makes the security
system.
Private security and public police provide some of the same services and sometimes they
even mirror each other, but there are distinct differences among the similarities. The scope
of their duties differs and each has advantages and disadvantages.
America’s law enforcement roots can be traced back to English police models, from
colonial times up until the 1800s. In the 1800s America experienced economic and social
changes (industrialization, urbanization and immigration) that forced changes in law
enforcement, making it not just a local responsibility but also a county, state and federal
responsibility. This brought about the formation of police departments and jurisdictions,
with New York being the first city to establish a police force in 1844. Other social changes
again forced changes in law enforcement: civil rights in the 1960s and drug trafficking in
the 1980s.
Public police are part of a government entity: local, county, state or federal. All public
police are based on a paramilitary model and have strict requirements, training and
certification. Public police are controlled by politics and government establishments and
restrained by laws and rules, but their role is the safety and welfare of the public.
Private security and public police have their advantages and disadvantages. Private
security companies have fewer restrictions placed upon them, so they can focus on and
effectively carry out their contracted duties. Private security also gets paid by
performance and can negotiate salary. Private security also has more technical equipment
available, depending on the employer. The main disadvantage of private security
personnel is the lack of training or updated training and of job retention. Since police are
salaried employees they have less negotiating power than security and they do not get
extra compensation for exceptional performance as security does. Police are also
hampered by restrictions, legal and political; they are understaffed, outnumbered by
security 10 to 1 and without access to newer technology due to budget restraints and
hiring limits. Police do not have an advantage in training or advanced training or in job
retention. Security, on the other hand, does not work off a budget and can buy whatever
it wants and update its technology any time it wishes. Security can also draw its training
from any source, from government to private agencies.
In the corporate world, various aspects of security were historically addressed separately,
notably by distinct and often non-communicating departments for IT security, physical
security and fraud prevention. Today there is greater recognition of the interconnected
nature of security requirements, an approach variously known as holistic security, all-
hazards management and other terms.
Inciting factors in the convergence of security disciplines include the development of
digital video surveillance technologies and the digitization and networking of physical
control systems. Greater interdisciplinary cooperation is further evidenced by the
February 2017 creation of the Alliance for Enterprise Security Risk Management, a joint
venture including leading associations in security (ASIS), information security (ISSA, the
Information Systems Security Association), and IT audit (ISACA, the Information
Systems Audit and Control Association).
In 2018 the International Organization for Standardization (ISO) released ISO 28000,
Security Management Systems for the Supply Chain.
Although the title includes the term supply chain, this standard specifies the requirements
for a security management system, including those aspects critical to security assurance
for any organization or enterprise wishing to manage the security of the organization and
its activities. ISO 28000 is the foremost risk-based system and is suitable for managing
both public and private regulatory security, customs and industry-based security schemes
and requirements.
2.2 Information Security
Information security means protecting information and information systems from
unauthorized access, use, disclosure, disruption, modification, perusal, inspection,
recording or destruction (Julia, 2018).
The terms information security, computer security and information assurance are
frequently, and incorrectly, used interchangeably. These fields are often interrelated and
share the common goals of protecting the confidentiality, integrity and availability of
information; however, there are some subtle differences between them.
These differences lie primarily in the approach to the subject, the methodologies used
and the areas of concentration. Information security is concerned with the confidentiality,
integrity, availability and correct operation of a computer system, without concern for the
information stored or processed by the computer.
Governments, police, corporations, financial institutions, hospitals and private businesses
amass a great deal of confidential information about their employees, customers,
products, research and financial status. Most of this information is now collected,
processed and stored on electronic computers and transmitted across networks to other
computers.
2.3 Risk Management in Information Security
This section gives a comprehensive treatment of the topic of risk management, together
with some basic terminology and a commonly used process for risk management.
The CISA Review Manual provides the following definition of risk management: “Risk
management is the process of identifying vulnerabilities and threats to the information
resources used by an organization in achieving business objectives and deciding what
countermeasures, if any, to take in reducing risk to an acceptable level, based on the
value of the information resources to the organization” (Vines, 2019). There are two
things in this definition that may need some clarification. First, the process of risk
management is an ongoing, iterative process; it must be repeated indefinitely, because the
business environment is constantly changing and new threats and vulnerabilities emerge
every day. Second, the choice of countermeasures (controls) used to manage risks must
strike a balance between productivity, cost, effectiveness of the countermeasure and the
value of the informational asset being protected.
Risk is the likelihood that something bad will happen that causes harm to an
informational asset (or the loss of the asset). A vulnerability is a weakness that could be
used to endanger or cause harm to an informational asset. A threat is anything (man-made
or an act of nature) that has the potential to cause harm.
When a threat uses a vulnerability to inflict harm, it has an impact. In the context of
information security, the impact is a loss of availability, integrity and confidentiality, and
possibly other losses (lost income, loss of life, loss of real property). It should be pointed
out that it is not possible to identify all risks, nor is it possible to eliminate all risk. The
remaining risk is called residual risk.
A risk assessment is carried out by a team of people who have knowledge of specific
areas of the business. Membership of the team may vary over time as different parts of
the business are assessed. The assessment may use qualitative analysis based on informed
opinion or, where reliable dollar figures and historical information are available,
quantitative analysis. When management chooses to mitigate a risk, they will do so by
implementing one or more of three different types of controls.
Administrative controls (also called procedural controls) consist of approved written
policies, procedures, standards and guidelines. Administrative controls form the
framework for running the business and managing people. They inform people on how
the business is to be run and how day-to-day operations are to be conducted. Laws and
regulations created by government bodies are also a type of administrative control
because they inform the business. Some industry sectors have policies, procedures,
standards and guidelines that must be followed; the Payment Card Industry (PCI) Data
Security Standard required by Visa and MasterCard is one such example. Other examples
of administrative controls include the corporate security policy, password policy, hiring
policies and disciplinary policies. Administrative controls form the basis for the selection
and implementation of logical and physical controls. Logical and physical controls are
manifestations of administrative controls, which are therefore of paramount importance.
Logical controls (also called technical controls) use software and data to monitor and
control access to information and computing systems. For example, passwords, network-
and host-based firewalls, network intrusion detection systems, access control lists and
data encryption are logical controls.
An important aspect of information security and risk management is recognizing the
value of information and defining appropriate procedures and protection requirements for
the information. Not all information is equal, and so not all information requires the same
degree of protection. This requires information to be assigned a security classification.
The first step in information classification is to identify a member of senior management
as the owner of the particular information to be classified. Next, develop a classification
policy; the policy should describe the different classification labels, define the criteria for
information to be assigned a particular label, and list the required security controls for
each classification. Some factors that influence which classification information should
be assigned include how much value the information has to the organization, how old the
information is and whether or not the information has become obsolete. Laws and other
regulatory requirements are also important considerations when classifying information.
There are three different types of information that can be used for authentication:
something you know, something you have, or something you are. Examples of something
you know include a PIN, a password or your mother’s maiden name. Examples of
something you have include a driver’s licence or a magnetic swipe card. Something you
are refers to biometrics; examples of biometrics include palm prints, fingerprints, voice
prints and retina (eye) scans. Strong authentication requires providing information from
two of the three different types of authentication information, for example something you
know and something you have; this is called two-factor authentication. On computer
systems in use today, the username is the most common form of identification and the
password is the most common form of authentication. Username and password have
served their purpose, but in our modern world they are no longer adequate. Username
and password are slowly being replaced with more sophisticated authentication
mechanisms.
To be effective, policies and other security controls must be enforceable and upheld.
Effective policies ensure that people are held accountable for their actions. All failed and
successful authentication attempts must be logged, and all access to information must
leave some type of audit trail.
2.4 The Relevance of Cryptography to Security Information
Information security uses cryptography to transform usable information into a form that
renders it unusable by anyone other than an authorized user; this process is called
encryption. Information that has been encrypted (rendered unusable) can be transformed
back into its original usable form by an authorized user who possesses the cryptographic
key, through the process of decryption. Cryptography is used in information security to
protect information from unauthorized or accidental disclosure while the information is in
transit (either electronically or physically) and while the information is in storage.
Cryptography provides information security with other useful applications as well,
including improved authentication methods, message digests, digital signatures, non-
repudiation and encrypted network communications. Older, less secure applications such
as telnet and ftp are slowly being replaced with more secure applications that use
encrypted network communications. Wireless communications can be encrypted using
protocols such as WPA/WPA2 or the older (and less secure) WEP. Wired
communications (such as ITU-T G.hn) are secured using AES for encryption and X.1035
for authentication and key exchange. Software applications such as GnuPG or PGP can
be used to encrypt data files and email. Cryptographic solutions need to be implemented
using industry-accepted solutions that have undergone rigorous peer review by
independent experts in cryptography. The length and strength of the encryption key is
also an important consideration: a key that is weak or too short will produce weak
encryption. The keys used for encryption and decryption must be protected with the same
degree of rigour as any other confidential information. They must be protected from
unauthorized disclosure and destruction, and they must be available when needed. PKI
solutions address many of the problems that surround key management.
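As an added illustration of the points above (encryption of stored data, a key that must be protected, and a peer-reviewed primitive rather than a home-made one), the following PHP script encrypts a record field with authenticated encryption from PHP's built-in sodium extension. It is not code from the project; the function names and the sample record text are this example's own, and it assumes PHP 7.2 or later with the sodium extension enabled.

```php
<?php
// Added example, not part of the original project: encrypting a stored record
// field with authenticated encryption (XSalsa20-Poly1305 secretbox) from PHP's
// built-in sodium extension. Function names below are this example's own.

declare(strict_types=1);

// Generate a random 256-bit key. In a deployment the key would be kept outside
// the database and the web root (a key file or key management service), never
// hard-coded in the PHP source.
function generateRecordKey(): string
{
    return sodium_crypto_secretbox_keygen();
}

// Encrypt one plaintext field. A fresh nonce is generated per message and stored
// in front of the ciphertext; the nonce need not be secret, but it must never be
// reused with the same key.
function encryptField(string $plaintext, string $key): string
{
    $nonce  = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $cipher = sodium_crypto_secretbox($plaintext, $nonce, $key);
    return base64_encode($nonce . $cipher); // text-safe for a CHAR/TEXT column
}

// Decrypt a stored field. Returns null if the stored value was modified or the
// wrong key is supplied: secretbox authenticates the ciphertext, so tampering is
// detected instead of silently yielding garbage.
function decryptField(string $stored, string $key): ?string
{
    $raw = base64_decode($stored, true);
    $minLen = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $minLen) {
        return null;
    }
    $nonce  = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $cipher = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain  = sodium_crypto_secretbox_open($cipher, $nonce, $key);
    return $plain === false ? null : $plain;
}

// Demonstration with a constructed record value.
$key    = generateRecordKey();
$stored = encryptField('Witness statement: constructed sample text', $key);
echo "stored:    {$stored}\n";
echo "decrypted: ", decryptField($stored, $key), "\n";

// Changing a single character of the stored value is detected (returns null).
$tampered     = $stored;
$tampered[10] = ($tampered[10] === 'A') ? 'B' : 'A';
var_dump(decryptField($tampered, $key));

// Decryption with a different key also fails closed (returns null).
var_dump(decryptField($stored, generateRecordKey()));

// Wipe the key from memory once it is no longer needed.
sodium_memzero($key);
```

The design point is that the primitive bundles confidentiality with integrity: a ciphertext that has been altered in the database is rejected outright, which is what the text means by implementing cryptography through industry-accepted, peer-reviewed solutions rather than hand-rolled ones.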
2.5 The Concept of “Due Care” in Security Information
In the field of information security, Harris S. (2017) offers the following definitions of
due care and due diligence:
“Due care are steps that are taken to show that a company has taken responsibility for the
activities that take place within the corporation and has taken the necessary steps to help
protect the company, its resources and employees.” And [due diligence are the]
“continual activities that make sure the protection mechanisms are continually maintained
and operational.”
Attention should be paid to two important points in these definitions. First, in due care,
steps are taken to show; this means that the steps can be verified, measured, or even
produce tangible artefacts. Second, in due diligence, there are continual activities; this
means that people are actually doing things to monitor and maintain the protection
mechanisms, and these activities are ongoing.
Preparing food with heat or fire is an activity unique to humans. It may have started
around 2 million years ago, though archaeological evidence for it reaches no more than 1
million years ago. The expansion of agriculture, commerce, trade and transportation
between civilizations in different regions offered cooks many new ingredients. New
inventions and technologies, such as the invention of pottery for holding and boiling
water, expanded cooking techniques. Some modern cooks apply advanced scientific
techniques to food preparation to further enhance the flavour of the dish served (Chris,
2018).
CHAPTER THREE
METHODOLOGY AND DESIGN
3.1 Preamble
Research methodology is a careful study or investigation, especially in order to discover
new facts or information; that is, it is the method used by the researcher to collect data or
information. Hence, research methodology should be sound enough to make attainment of
the set objectives possible, with specific components such as phases, tasks, methods,
techniques and tools. It can also be defined as the analysis of the principles of methods,
rules and postulates employed by a discipline. This chapter covers the method of data
collection, system modelling, database design, and input and output specification for the
design and implementation of an online security information system, as well as the
system requirements.
3.2 Method of Data Collection
There are different methods of data collection, but the method used in this project work
is the documentation method.
The documentation method is a secondary method of data collection. It involves the use
of journals, handbooks, newspapers and projects. This method was used because it serves
as a basis of reference to existing research work. The sources include the internet, past
projects and textbooks.
3.3 System Modeling
System modelling can be done using several modelling languages, but in this project
work we are using the Unified Modeling Language (UML).
3.3.1 Use Case Diagram
Use cases are services or functions provided by the system to its users; a use case diagram
identifies the primary elements and processes that form the system. The primary elements
are termed “actors” and the processes are called “use cases”. The use case diagram shows
which actors interact with each use case; its purpose is to provide a graphical view of the
functionality provided by the system in terms of actors, goals of actors (represented as
use cases) and dependencies between use cases.
Fig. 3.1 System Use Case Diagram
3.3.2 Activity Diagram
An activity diagram illustrates the dynamic nature of a system by modeling the flow of control
from activity to activity. An activity represents an operation on some class in the system that
results in a change in the state of the system. Typically, activity diagrams are used to model
workflow or business processes and internal operations. Because an activity diagram is a special
kind of state chart diagram, it uses some of the same modeling conventions.
Figure 3.3: Add Record Activity Diagram
Figure 3.4: Edit Record Activity Diagram (flow: Open Database -> Accept ID -> Invalid?
Display Error Message / Valid -> Display Details -> Accept Entries -> Save Editing or
Cancel Editing -> Save -> Close Database)
Figure 3.5: Delete Record Activity Diagram (flow: Open Database -> Accept ID -> Invalid
/ Valid -> Display Details -> Cancel Deletion or Proceed with Deletion -> Delete Record
-> Close Database)
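The edit and delete flows of Figures 3.4 and 3.5 share the same decision points: open the database, accept an ID, reject it if invalid, otherwise display the record, accept entries, and save or delete before closing. The PHP script below is an added example (not the project's own code) that walks those nodes against a cut-down Personnel table, using PDO with an in-memory SQLite database so it runs offline; the MySQL deployment would differ only in the DSN. The column names, function names and sample rows are assumed for the illustration.

```php
<?php
// Added example, not the project's own code: the Edit Record and Delete Record
// flows of Figures 3.4 and 3.5 implemented with PDO. Uses in-memory SQLite so
// the script runs stand-alone; column and function names are this example's own.

declare(strict_types=1);

// "Open Database": connect and load constructed sample rows.
function openDatabase(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE personnel (
        id INTEGER PRIMARY KEY, name TEXT NOT NULL, address TEXT, status TEXT)');
    $db->exec("INSERT INTO personnel VALUES (1, 'A. Sample', 'Constructed Address 1', 'Active')");
    $db->exec("INSERT INTO personnel VALUES (2, 'B. Sample', 'Constructed Address 2', 'Active')");
    return $db;
}

// "Accept ID" / "Invalid?": what the user types is a string; it is accepted only
// if it is a positive integer, so anything else goes to "Display Error Message"
// and never reaches a query.
function acceptId(string $input): ?int
{
    $id = filter_var($input, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// "Display Details": fetch the record through a bound parameter.
function displayDetails(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT id, name, address, status FROM personnel WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// "Accept Entries" -> "Save Editing": only whitelisted columns may be updated,
// so a submitted field name is never interpolated into SQL unchecked.
function saveEdits(PDO $db, int $id, array $entries): bool
{
    $allowed = ['name', 'address', 'status'];
    $sets    = [];
    $params  = [':id' => $id];
    foreach ($entries as $column => $value) {
        if (!in_array($column, $allowed, true)) {
            continue; // unknown or protected field (e.g. id): ignore it
        }
        $sets[]             = "$column = :$column";
        $params[":$column"] = $value;
    }
    if ($sets === []) {
        return false; // nothing valid to save ("Cancel Editing")
    }
    $stmt = $db->prepare('UPDATE personnel SET ' . implode(', ', $sets) . ' WHERE id = :id');
    $stmt->execute($params);
    return $stmt->rowCount() === 1;
}

// "Proceed with deletion" -> "Delete Record".
function deleteRecord(PDO $db, int $id): bool
{
    $stmt = $db->prepare('DELETE FROM personnel WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->rowCount() === 1;
}

// Walk both flows with constructed user input: one valid ID, two invalid ones.
$db = openDatabase();
foreach (['2', 'abc', '-1'] as $typed) {
    $id = acceptId($typed);
    if ($id === null) {
        echo "Display Error Message: invalid ID '{$typed}'\n";
        continue;
    }
    print_r(displayDetails($db, $id));
    echo saveEdits($db, $id, ['status' => 'Retired', 'id' => 99]) ? "Saved\n" : "Nothing saved\n";
    print_r(displayDetails($db, $id));
    echo deleteRecord($db, $id) ? "Deleted\n" : "Not deleted\n";
}
$db = null; // "Close Database"
```

The validation step is where the "Invalid?" branch of the diagram is enforced in code: the ID is converted to an integer before any query runs, and both the lookup and the update use prepared statements with bound parameters, so the diagram's error path is the only way malformed input leaves the flow.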
3.3.3 Class Diagrams
Class diagrams are visual representations of the static structure and composition of a
particular system using the conventions set by the Unified Modeling Language (UML).
Of all the UML diagram types, it is one of the most used. System designers use class
diagrams as a way of simplifying how objects in a system interact with each other. Using
class diagrams, it is easier to describe all the classes, packages and interfaces that
constitute a system and how these components are interrelated. Each class is drawn as a
box with three partitions:
i. The top partition contains the name of the class.
ii. The middle partition contains the class’s attributes.
iii. The bottom partition shows the possible operations that are associated with the
class.
Figure 3.9: System Class Diagram
3.4 Database Design
A database is a collection of information that is organized so that it can be easily
accessed, managed and updated.
Table 3.1 Name: Login
FIELD NAME        DATA TYPE    LENGTH   DESCRIPTION
Username          Character    10       Username
Password          Character    15       Password
Primary key: Password
Table 3.2 Name: Personnel
FIELD NAME        DATA TYPE    SIZE     DESCRIPTION
ID                Integer      20       ID
NAME              Character    40       NAME
ADDRESS           Character    100      ADDRESS
DATE OF BIRTH     Date/Time    8        DATE OF BIRTH
SEX               Character    10       SEX
AGE               Integer      2        AGE
STATUS            Character    20       STATUS
HEIGHT            Character    10       HEIGHT
DATE RECRUITED    Date/Time    8        DATE RECRUITED
QUALIFICATION     Character    50       QUALIFICATION
Primary key: ID
Table 3.3 Name: Posting
FIELD NAME        DATA TYPE    SIZE     DESCRIPTION
POST_ID           Integer      8        LESSON NO
PERSONNEL_NAME    Character    30       PERSONNEL NAME
DUTY_POST         Character    30       DUTY POST
INSTRUCTIONS      Character    6        INSTRUCTION
TIME              Character    7        TIME
DATE              Date         6        DATE
Primary key: POST_ID
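Table 3.1 stores the password as a 15-character field and uses it as the primary key, which means passwords would be held in clear text and no two users could share one. Section 2.3 also requires that every failed and successful authentication attempt be logged. The PHP script below is an added example, not the project's code, showing a hardened version of that table and a login check that records an audit trail. It uses PDO with an in-memory SQLite database so it runs offline; the table names, column names and credentials are assumed for the illustration.

```php
<?php
// Added example, not the project's own code: a hardened Login table (cf. Table
// 3.1) and a login check that logs every attempt (section 2.3). Uses in-memory
// SQLite through PDO so it runs stand-alone; names below are assumptions.

declare(strict_types=1);

function createLoginSchema(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Username, not password, is the key; the password column holds only a
    // salted hash, which needs far more than the 15 characters of Table 3.1.
    $db->exec('CREATE TABLE login (
        username      VARCHAR(10)  PRIMARY KEY,
        password_hash VARCHAR(255) NOT NULL)');
    // Audit trail of authentication attempts, successful or not.
    $db->exec('CREATE TABLE auth_audit (
        id        INTEGER PRIMARY KEY AUTOINCREMENT,
        username  VARCHAR(10),
        success   INTEGER NOT NULL,
        attempted TEXT NOT NULL)');
    return $db;
}

function registerUser(PDO $db, string $username, string $password): void
{
    $stmt = $db->prepare('INSERT INTO login (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => password_hash($password, PASSWORD_DEFAULT)]);
}

function recordAttempt(PDO $db, string $username, bool $success): void
{
    $stmt = $db->prepare('INSERT INTO auth_audit (username, success, attempted)
                          VALUES (:u, :s, :t)');
    $stmt->execute([':u' => $username, ':s' => $success ? 1 : 0,
                    ':t' => gmdate('Y-m-d\TH:i:s\Z')]);
}

// Returns true only when the user exists and the hash verifies. An unknown user
// and a wrong password give the same result, and both are logged.
function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM login WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $hash = $stmt->fetchColumn();
    $ok   = $hash !== false && password_verify($password, (string) $hash);
    recordAttempt($db, $username, $ok);
    return $ok;
}

function auditTrail(PDO $db): array
{
    return $db->query('SELECT username, success, attempted FROM auth_audit ORDER BY id')
              ->fetchAll(PDO::FETCH_ASSOC);
}

// Demonstration with constructed credentials.
$db = createLoginSchema();
registerUser($db, 'admin', 'constructed-pass-1');
registerUser($db, 'clerk', 'constructed-pass-1'); // same password, no key clash

var_dump(login($db, 'admin', 'constructed-pass-1')); // correct credentials
var_dump(login($db, 'admin', 'wrong-password'));     // wrong password, logged
var_dump(login($db, 'nobody', 'anything'));          // unknown user, logged
print_r(auditTrail($db));
```

Two changes carry the security point: the stored value is a hash produced by password_hash, so a copy of the Login table does not reveal any password, and the audit table gives the "all failed and successful authentication attempts must be logged" requirement of section 2.3 a concrete home that the rest of the system can query.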
3.5 Output Design
This declares and shows the results obtained from the input specified. The output produced
by the automated system depends on the input. Below is the output specification.
Figure 3.5.1: Login (form fields: USERNAME, PASSWORD; buttons: Login, Clear)
Figure 3.5.2: Staff Registration (form fields: FIRSTNAME, LASTNAME, PHOTO with a
Browse button, PHONE NO, MARITAL STATUS, QUALIFICATION, RANK, DATE OF
BIRTH, GENDER, EMAIL ADD)
Figure 3.5.4: Posting (form fields: NAME, DUTY POST, TIME, DATE; button: Post)
3.6 System Requirements
System requirements are the combination of hardware and software components that
make it possible for the work to be carried out. The system requirements for this research
work are subdivided into hardware and software requirements.
3.6.1 Hardware Requirements
Hardware is the computer equipment and devices involved in the functioning of a
computer system together with the software components. Hardware comprises the
physical components of the computer system, assembled together to interact with the
software in order to form a composite system.
The minimum hardware requirements are:
i. CPU: Core i3 processor
ii. 100 MB available disk space
iii. RAM: 1 GB
iv. Keyboard
v. Mouse
vi. 14-inch SVGA colour monitor
vii. UPS 650 VA (uninterruptible power supply)
viii. Hard disk drive (HDD) of 60 GB
3.6.2 Software Requirement
The software requirements are:
i. Minimum of Windows 7 (remote standalone system)
3.7 Choice of programming Language
PHP is a server scripting language and a powerful tool for making dynamic and
interactive web pages; it is a widely used, free and efficient alternative to competitors such
as Microsoft's ASP. Client computers accessing the PHP scripts require only a web browser.