06 IT Security


7/28/2019 06 IT Security
1/26
3 June 2013

IT Security

Overview

Information held in IT systems is increasingly a critical resource in enabling organisations to achieve their goals.
Expectation of privacy and protection from harm.
Expectation that the systems will perform their functions efficiently whilst exercising proper control of the information.

Management's Concern about IT Security

Dependence on IT systems: information systems which can provide accurate services when and where they are required are the key to the survival of most modern businesses.
Exposure of IT systems: IT systems need a stable environment; organisations rely upon the accuracy of information provided by their systems.
Investment in IT systems: information systems are costly both to develop and maintain, and management should protect their investment like any other valuable asset.

Balance of Protecting IT Assets

Appropriate to an organisation's business needs, yet comprehensive in its coverage.
Justified to the extent that it will reduce perceived risks to the level that management are willing to accept.
Effective against actual threats.

Objective of IT Security

Information is accessible only to those authorised to have access (confidentiality).
Safeguarding the accuracy and completeness of information and processing methods (integrity).
Ensuring that authorised users have access to information and associated assets when required (availability).

IT Security Standards & Frameworks

ISO/IEC 17799
COBIT
etc.

ISO/IEC 17799

1. Risk assessment and treatment
2. Security policy
3. Organisation of information security
4. Asset management
5. Human resources security
6. Physical and environmental security
7. Communications and operations management
8. Access control
9. Information systems acquisition, development and maintenance
10. Information security incident management
11. Business continuity management
12. Compliance

COBIT

Control Objectives for Information and Related Technology
Newest: COBIT 5
Widely used: COBIT 4.1

Framework
Control Objectives
Management Guidelines
Maturity Models

IT Risk Analysis

Objective: identify the various ways in which data, the information system, and the network which supports it, are exposed to risk.
Involves assessing the possibility that each of a wide range of threats
End result: a security requirement for each type of threat that could affect the system.

Risk

Risk in IT: the combination of threat, vulnerability, and impact.
Threat: an unwanted event that could remove, disable, damage, or destroy an IT asset.
Vulnerability: a weakness that could be exploited by a threat.
Impact: the consequences of a vulnerability in a system being exploited by a threat.

Risk Analysis & Risk Management

Risk Analysis Principles

Business modelling to determine which information systems support which business functions.
Impact analysis to determine the sensitivity of key business functions to a breach of confidentiality, integrity or availability.
Dependency analysis to determine the points of access to information systems and the assets that must be in place to deliver a service to a business function.
Threat and vulnerability analysis to determine points of weakness in the system configuration and the likelihood of events.

Components of IT Risk

Reviewing IT risks

IT risk analysis involves identifying IT assets that are at risk:
What type of threats do they face?
What are their likely causes and their probable impact(s)?
What is the likelihood of the threat succeeding?
How would we know if the threat did succeed?
What can we do to prevent the impact?
What can we do to recover if the threat does succeed?

Risk Management

Involves the identification, selection, and implementation of countermeasures that are designed to reduce the identified levels of risk to acceptable levels.
It is impossible to reduce all risks to zero (in terms of cost-effective risk management).

Types of Countermeasures

Reduce the threat
Reduce the vulnerability
Reduce the impact
Detect an incident
Recover from the impact

Risk Management Process

Prioritize actions: based on the risk levels presented in the risk assessment report, the implementation actions are prioritized.
Evaluate recommended control actions: the technical feasibility and effectiveness of all identified controls should be evaluated so that the most appropriate control is chosen.
Conduct cost-benefit analysis: to allocate resources and implement cost-effective solutions, organisations should conduct a cost-benefit analysis for each proposed control.
Select controls: on the basis of the results of the cost-benefit analysis, management selects the cost-effective controls for reducing risks.

Risk Management Process

Assign responsibility: responsibility should be assigned to in-house experts or an outside agency which have the appropriate skill set and expertise to implement the selected control.
Develop safeguard implementation plan: the safeguard implementation plan prioritizes the implementation actions and projects the start dates and the target completion dates.
Implement selected controls: the selected controls should be implemented so that the risks are brought down within the acceptable levels.
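The process on the two slides above, as an added worked example that is not part of the deck: a constructed Python risk register scores each risk as threat likelihood x vulnerability x impact (the three components named on the Risk slide), prioritises the register, screens candidate countermeasures of the types listed under Types of Countermeasures for feasibility and cost-benefit, and selects them until the residual risk is within the acceptable level. The 1-5 scales, cost units, sample assets and controls are all assumptions made for the example.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    likelihood: int      # threat likelihood, 1 (rare) .. 5 (frequent)   [constructed scale]
    vulnerability: int   # ease of exploitation, 1 (hard) .. 5 (trivial)
    impact: int          # consequence, 1 (minor) .. 5 (severe)

    def level(self) -> int:
        # Risk as the combination of threat, vulnerability and impact (max 125)
        return self.likelihood * self.vulnerability * self.impact

@dataclass(frozen=True)
class Control:
    name: str
    kind: str            # countermeasure type: reduce_threat / reduce_vulnerability / reduce_impact / detect / recover
    cost: int            # constructed annual cost units
    reduces: dict        # factor -> points removed, e.g. {"vulnerability": 2}
    feasible: bool = True

def apply(risk: Risk, control: Control) -> Risk:
    """Residual risk after one control; every factor floors at 1, so risk never reaches zero."""
    return replace(risk, **{f: max(1, getattr(risk, f) - d) for f, d in control.reduces.items()})

def prioritise(risks: list) -> list:
    """Step 1: order the register by risk level, highest first."""
    return sorted(risks, key=Risk.level, reverse=True)

def select_controls(risk: Risk, candidates: list, acceptable: int, value_per_point: int):
    """Steps 2-4: drop infeasible controls, run cost-benefit (benefit = risk points removed
    x value per point), and greedily pick the best benefit/cost ratio until the risk is
    within the acceptable level. Returns (chosen control names, residual level)."""
    current, chosen = risk, []
    while current.level() > acceptable:
        best = None
        for c in candidates:
            if not c.feasible or c.name in chosen:
                continue
            benefit = (current.level() - apply(current, c).level()) * value_per_point
            if benefit > c.cost and (best is None or benefit / c.cost > best[0]):
                best = (benefit / c.cost, c)
        if best is None:
            break  # no cost-effective control left: the remaining risk must be accepted
        current, chosen = apply(current, best[1]), chosen + [best[1].name]
    return chosen, current.level()

# Constructed sample register and candidate controls (not from the slides)
REGISTER = [Risk("customer database", "unauthorised access", 4, 4, 5),
            Risk("WAN link", "link damage / outage", 3, 3, 3),
            Risk("user manuals", "accidental deletion", 2, 2, 1)]
CANDIDATES = [Control("patch management", "reduce_vulnerability", 10, {"vulnerability": 2}),
              Control("access logging & review", "detect", 6, {"impact": 1}),
              Control("network segmentation", "reduce_vulnerability", 40, {"vulnerability": 1}, feasible=False),
              Control("encrypted backups", "recover", 10, {"impact": 2})]
```

Running select_controls(REGISTER[0], CANDIDATES, acceptable=20, value_per_point=1) picks patch management, then encrypted backups, then logging, bringing the database risk from 80 down to 16; for the user manuals no control pays for itself, so the risk is accepted unchanged.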

Organisation of Information Security

Information security structure
Security of third party access
Outsourcing

1. Information Security Structure

The objective is to deal with the management of information security within the organisation.
A management framework should be established to initiate and control the implementation of information security within the organisation.
Review: IS Management course

2. Security of 3rd Party Access

The objective is to maintain the security of organisational information processing facilities accessed by third parties.
Access to the organisation's information processing facilities by third parties should be controlled.

3. Outsourcing

The objective is to maintain the security of information when responsibility for processing is outsourced.

Types of Information Systems Assets

Information assets: databases and data files, system documentation, user manuals, training material, operational or support procedures, continuity plans, fallback arrangements, archived information.
Software assets: application software, system software, development tools and utilities.
Physical assets: computer equipment (processors, monitors, laptops, modems), communication equipment (routers, PABX, fax machines), magnetic media (tapes and disks).
Services: computing and communication services, general utilities, e.g. heating, lighting, power, air-conditioning.

(Networking & Communication) New Threats and Risks

Data loss: data may be deleted or lost in transmission.
Data corruption: data errors can occur during transmission.
System unavailability: network links may be easily damaged.
A loss of a hub can affect the processing ability of many users.
Communications lines often extend beyond the boundaries of control of the client, e.g. the client may rely on the local telephone company for ISDN lines.


Assignment

Write a paper on information security audit issues.
Group assignment (use the existing groups).
Delivery:
Presentation on 26 March.
Report in hard copy, to be handed in at the mid-term exam (UTS).