A General Overview of Information Security
Senior advisor Mona Naomi Lintvedt
221008
Agenda
• Why information security?
• Legal sources for information security
• OECD guidelines
• International standards
• Computer Emergency Response Team
• Norwegian National Security Authority
• NorCERT
• SERTIT
• International bodies
Why information security? (1)
• Security = Risk management
• Protecting information and information systems from unauthorised access, use, disclosure, disruption, modification or destruction
• Information security is concerned with the confidentiality, integrity and availability of data regardless of the form the data may take: electronic, print or other forms
• Necessary for trust
• Privacy – protection of personal data
Why information security? (2)
• Confidentiality – Preventing disclosure of information to unauthorised individuals or systems
• Integrity – Correct and unaltered information: data cannot be modified without authorisation
• Availability – For any information system to serve its purpose, the information must be available when it is needed: the computing systems used to store and process the information, the security controls used to protect it, and the communication channels used to access it must be functioning correctly
• Authentication – Validating that both parties involved are who they claim to be, and ensuring that the data, transactions, communications or documents (electronic or physical) are genuine
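The integrity and authentication properties above can be made concrete with a message authentication code. The following is an added example, not part of the original slides: a message is tagged with HMAC-SHA256 under a key shared by the two parties (the key and the messages are constructed for illustration). A receiver holding the key recomputes the tag; any modification of the message, or a tag produced without the key, fails verification. Note that the message itself travels in the clear, so this gives integrity and authenticity but no confidentiality.

```python
import hmac
import hashlib


def make_tag(key: bytes, message: bytes) -> str:
    """Return a hex HMAC-SHA256 tag binding `message` to the holder of `key`."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify(key: bytes, message: bytes, tag: str) -> bool:
    """Recompute the tag and compare it in constant time.

    hmac.compare_digest avoids leaking how many leading characters matched,
    which a plain == comparison could reveal through timing.
    """
    expected = make_tag(key, message)
    return hmac.compare_digest(expected, tag)


# Constructed sample data (assumption: the key is pre-shared out of band).
KEY = b"shared-secret-key-for-this-example"
ORIGINAL = b"transfer 100 NOK to account 1234"


def demo() -> dict:
    """Exercise the three cases a receiver must distinguish."""
    tag = make_tag(KEY, ORIGINAL)

    # Integrity: an attacker changes the amount in transit but cannot update the tag.
    tampered = ORIGINAL.replace(b"100", b"900")

    # Authentication: an attacker without the shared key forges a tag with a key of their own.
    forged_tag = make_tag(b"attacker-key", ORIGINAL)

    return {
        "genuine": verify(KEY, ORIGINAL, tag),        # True: unaltered, from a key holder
        "tampered": verify(KEY, tampered, tag),       # False: content was modified
        "forged": verify(KEY, ORIGINAL, forged_tag),  # False: not produced with the shared key
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:>8}: {'accepted' if ok else 'rejected'}")
```

Run stand-alone, the script accepts the genuine message and rejects both the modified message and the tag produced without the shared key; the same check, with a per-party key, is what distinguishes the sender from anyone else on the channel.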
Some legal sources for information security
• OECD Guidelines for the Security of Information Systems and Networks - Towards a Culture of Security:
– a focus on security in the development of information systems and networks, and the adoption of new ways of thinking and behaving when using and interacting within information systems and networks
• OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data
• European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR)
• EU Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data
• EU Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications)
OECD Guidelines – nine principles (1)
• Awareness. Participants should be aware of the need for security of information systems and networks and what they can do to enhance security.
• Responsibility. Participants are responsible for the security of information systems and networks.
• Response. Participants should act in a timely and cooperative manner to prevent, detect, and respond to security incidents.
• Ethics. Participants should respect the legitimate interests of others and recognize that their action or inaction may harm others.
• Democracy. The security of information systems and networks should be compatible with essential values of a democratic society.
OECD Guidelines – nine principles (2)
• Risk Assessment. Participants should conduct risk assessments to identify threats and vulnerabilities to their information systems and networks.
• Security Design and Implementation. Participants should incorporate security as an essential element of information systems and networks.
• Security Management. Participants should adopt a comprehensive approach to security management.
• Reassessment. Participants should review and reassess the security of information systems and networks, and make appropriate modifications to security policies, measures, and practices.
International standards
• ISO/IEC 27002 Information technology - Security techniques - Code of practice for information security management – lists security control objectives and recommends a range of specific security controls
• ISO/IEC 27001 Information technology - Security techniques - Information security management systems - Requirements – covers all types of organisations (e.g. commercial enterprises, government agencies, not-for-profit organisations)
– specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System
– designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties
– adopts the "Plan-Do-Check-Act" (PDCA) model
Computer Emergency Response Team
• Almost everything in both the public and private sectors depends on Internet access today.
• The number of vulnerabilities in these sectors has therefore increased considerably in recent years.
• Well-organised ICT attacks intended to disable, damage or exploit computerised functions in society may harm a country's vital infrastructure.
• CERT (Computer Emergency Response Team)
• 187 CERT-groups from 37 countries
• One Norwegian group: NorCERT (Norwegian CERT), a department of the Norwegian National Security Authority
Norwegian National Security Authority
• Established 1 Jan 2003 as a directorate (NSM)
• Reports to the Minister of Defence (military sector) and the Minister of Justice (civil sector)
– Cross-sectoral professional and supervisory authority within the protective security services in Norway
– Security Act, Defence Secrets Act, Defence Inventions Act, Protective Security Services Act
• The purpose of protective security is to counter threats to the independence and security of the realm and other vital national security interests, primarily espionage, sabotage or acts of terrorism.
• Protective security measures shall not be more intrusive than strictly necessary, and shall serve to promote a robust and safe society.
NorCERT
• Norwegian Computer Emergency Response Team – formally established 1 January 2006
• NorCERT is an operational department in NSM consisting of two integrated sections:
– VDI: The Norwegian Alert and Early Warning System for Digital Infrastructure – identifying, classifying and issuing warnings about IT attacks against Norway.
– Incident Handling: Norway's national centre coordinating the handling of attacks against vital Norwegian ICT security.
• Together both sections operate the Operation Centre, where they maintain an up-to-date view of the ICT threat assessment.
– Available 24/7
– Approximately 20 IT-security specialists
NorCERT’s tasks
• Coordinating responses to serious IT security breaches against vital infrastructure and information
• Gathering information related to serious IT security threatening incidents
• Coordinating early patching of serious vulnerabilities in vital computer systems in our society
• Sharing information with other response teams regarding new threats
• Having an up-to-date view of IT related threats
• Assisting other response teams and aiding national readiness measures
• Being Norway’s point of contact for similar organizations abroad
SERTIT
• The public Certification Authority for IT Security in Norway
• Primary tasks:
– Issuing Certificates and Certification Reports
– Formulating the framework and making sure that the rules are followed by all the parties involved
– Representing Norway as a member of the international Arrangement on the Recognition of Common Criteria Certificates in the field of Information Technology Security (CCRA)
• Companies that want to join the Certification Scheme as an IT Security Evaluation Facility (ITSEF) have to be approved by SERTIT
• The purpose of the Certification Scheme is to meet the need of the authorities and of industry for cost-effective and efficient security evaluation and certification of IT products and systems.
• Responsible for approving IT Security Evaluation Facilities (ITSEF) that carry out evaluations in accordance with more detailed Scheme criteria
• The Norwegian Certification Scheme Sd001E
International Organisations - cooperation
• European Government CERT Group (EGC)
• Forum of Incident Response and Security Teams (FIRST)
• International Watch and Warning Network (IWWN)
• NATO Computer Incident Response Capability (NATO CIRC)
• European Network and Information Security Agency (ENISA)