Information Security
prepared by Mark Chen November 2008
Definition
Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.
CIA
Confidentiality Integrity Availability
Confidentiality
Confidentiality is the property of preventing disclosure of information to unauthorized individuals or systems. Examples of where confidentiality is at stake:
a credit card transaction on the Internet
someone looking over your shoulder at your computer screen
a laptop computer containing sensitive information is stolen or sold
Integrity
Integrity means that data cannot be modified without authorization. Examples of integrity failures:
an employee (accidentally or with malicious intent) deletes important data files
a computer virus infects a computer
Availability
For any information system to serve its purpose, the information must be available when it is needed.
The computing systems, security controls and communication channels must all be functioning correctly.
High availability systems aim to remain available at all times.
Risk Management
Vulnerability: A vulnerability is a weakness that could be used to endanger or cause harm to an informational asset.
Threat: A threat is anything (man made or act of nature) that has the potential to cause harm.
Risk Management process (1-3)
(1) Identification of assets and estimating their value. Include: people, buildings, hardware, software, data (electronic, print, other), supplies.
(2) Conduct a threat assessment. Include: acts of nature, acts of war, accidents, malicious acts originating from inside or outside the organization.
(3) Conduct a vulnerability assessment, and for each vulnerability, calculate the probability that it will be exploited. Evaluate policies, procedures, standards, training, physical security, quality control, technical security.
Risk Management process (4-6)
(4) Calculate the impact that each threat would have on each asset. Use qualitative analysis or quantitative analysis.
(5) Identify, select and implement appropriate controls. Provide a proportional response. Consider productivity, cost effectiveness, and value of the asset.
(6) Evaluate the effectiveness of the control measures. Ensure the controls provide the required cost effective protection without discernible loss of productivity.
Executive Management
For any given risk, executive management can choose:
to accept the risk, because of the relatively low value of the asset, low frequency of occurrence, or low impact on the business
to mitigate the risk, by implementing controls
to deny the risk, which is itself a potential risk
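The six-step process on the preceding slides and the accept-or-mitigate decision above, carried through as a worked example. This is added code, not part of Mark Chen's slides: it uses the standard quantitative-analysis formulas SLE = asset value × exposure factor and ALE = SLE × annual probability, which the slides mention only as "quantitative analysis", and every asset value, probability and control cost below is a constructed sample figure.

```python
"""Worked risk register: value assets, assess threats and vulnerabilities,
compute impact, and choose a proportional control or accept the risk.
Added example; figures are constructed and the SLE/ALE formulas are the
usual quantitative risk-analysis formulas, not something the slides define."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Asset:
    name: str
    value: float            # step 1: estimated value of the asset


@dataclass
class Risk:
    asset: Asset
    threat: str             # step 2: the threat being assessed
    vulnerability: str      # step 3: the weakness the threat could use
    annual_probability: float   # step 3: probability of exploitation per year (ARO)
    exposure_factor: float      # step 4: fraction of the asset value lost per incident

    def single_loss(self) -> float:
        """SLE: loss expected from one occurrence."""
        return self.asset.value * self.exposure_factor

    def annual_loss(self) -> float:
        """ALE: expected loss per year = SLE x ARO."""
        return self.single_loss() * self.annual_probability


@dataclass
class Control:
    name: str
    annual_cost: float
    loss_reduction: float   # fraction of the ALE the control is expected to remove


def net_benefit(risk: Risk, control: Control) -> float:
    """Step 6: expected loss avoided per year minus what the control costs."""
    return risk.annual_loss() * control.loss_reduction - control.annual_cost


def decide(risk: Risk, controls: List[Control], accept_threshold: float) -> Tuple[str, Optional[str]]:
    """Executive decision: accept a small ALE; otherwise mitigate with the control
    that saves the most per year. A control costing more than it saves is not a
    proportional response, so in that case the risk is accepted and documented."""
    if risk.annual_loss() <= accept_threshold:
        return ("accept", None)
    paying = [c for c in controls if net_benefit(risk, c) > 0]
    if not paying:
        return ("accept", None)
    best = max(paying, key=lambda c: net_benefit(risk, c))
    return ("mitigate", best.name)


# Constructed sample register; none of these figures come from the slides.
LAPTOP = Asset("sales laptop with customer records", 200_000)
WEBSITE = Asset("public brochure website", 5_000)
FILESERVER = Asset("departmental file server", 100_000)

REGISTER = [
    Risk(LAPTOP, "laptop theft", "unencrypted disk", annual_probability=0.10, exposure_factor=1.0),
    Risk(WEBSITE, "web defacement", "unpatched CMS", annual_probability=0.20, exposure_factor=0.5),
    Risk(FILESERVER, "accidental deletion by employee", "no backups", annual_probability=0.50, exposure_factor=0.4),
]

CONTROLS: Dict[str, List[Control]] = {
    "laptop theft": [Control("full-disk encryption", 2_000, 0.90), Control("cable locks", 500, 0.30)],
    "web defacement": [Control("monthly patch cycle", 1_500, 0.80)],
    "accidental deletion by employee": [Control("nightly backups", 3_000, 0.95),
                                        Control("offsite vaulting", 25_000, 0.99)],
}


def run_register(accept_threshold: float = 1_000.0) -> Dict[str, Tuple[float, Tuple[str, Optional[str]]]]:
    """Return {threat: (ALE, decision)} for every entry in the register."""
    return {r.threat: (round(r.annual_loss(), 2), decide(r, CONTROLS[r.threat], accept_threshold))
            for r in REGISTER}


if __name__ == "__main__":
    for threat, (ale, decision) in run_register().items():
        print(f"{threat:35s} ALE={ale:>10,.2f} -> {decision}")
```

With the sample figures the website defacement risk (ALE 500) falls under the acceptance threshold, the laptop and file-server risks (ALE 20,000 each) are mitigated with full-disk encryption and nightly backups, and offsite vaulting is rejected because its 25,000 annual cost exceeds the 19,800 of loss it would avoid.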
Controls
Administrative controls (also called procedural controls) consist of approved written policies, procedures, standards and guidelines
Logical and Physical
Logical controls
Logical controls (also called technical controls) use software and data to monitor and control access to information and computing systems. For example:
passwords, firewalls, data encryption,…
principle of least privilege
Physical controls
Physical controls monitor and control the environment of the work place and computing facilities, including access to and from such facilities.
doors, locks, cameras,…
Separating the network and work place into functional areas
separation of duties
Security Classification
Security classification is used to recognize the value of information and to define appropriate procedures and protection requirements for the information.
Security Classification Labels
Common information security classification labels used by the business sector are: Public, Sensitive, Private, Confidential.
Common information security classification labels used by government are: Unclassified, Sensitive But Unclassified, Restricted, Confidential, Secret, Top Secret and their non-English equivalents.
Change Management
Change management is a formal process for directing and controlling alterations to the information processing environment, including alterations to desktop computers, the network, servers and software.
Change Management Process
(1) Requested (2) Approved (3) Planned (4) Tested (5) Scheduled (6) Communicated (7) Implemented (8) Documented (9) Post change review
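The nine-step process above expressed as a state machine that refuses out-of-order steps (for instance implementing a change that was never tested) and records who performed each step, so the change record doubles as its documentation. This is an added example, not code from the slides; the rule that the approver may not be the requester is an assumption added here to illustrate the separation of duties mentioned elsewhere in the deck, and the change identifiers and names are constructed.

```python
"""Change-management workflow as an ordered state machine.
Added example, not from the slides. The self-approval rule and all sample
changes below are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# The nine steps from the slide, in the order they must occur.
STEPS = ["requested", "approved", "planned", "tested", "scheduled",
         "communicated", "implemented", "documented", "reviewed"]


class ChangeError(Exception):
    """Raised when a step is attempted out of order or by the wrong person."""


@dataclass
class ChangeRequest:
    change_id: str
    description: str
    history: List[Tuple[str, str, str]] = field(default_factory=list)  # (step, actor, note)

    def state(self) -> str:
        return self.history[-1][0] if self.history else "new"

    def next_step(self) -> Optional[str]:
        done = len(self.history)
        return STEPS[done] if done < len(STEPS) else None

    def advance(self, step: str, actor: str, note: str = "") -> str:
        """Record `step` if it is the next one required; otherwise refuse."""
        expected = self.next_step()
        if expected is None:
            raise ChangeError(f"{self.change_id}: change is already closed")
        if step != expected:
            raise ChangeError(
                f"{self.change_id}: cannot record '{step}'; next required step is '{expected}'")
        # Separation of duties (assumption added here): the requester may not approve.
        if step == "approved" and actor == self.history[0][1]:
            raise ChangeError(f"{self.change_id}: requester {actor} may not approve their own change")
        self.history.append((step, actor, note))
        return self.state()


def example_happy_path() -> ChangeRequest:
    """A constructed change walked through all nine steps in order."""
    cr = ChangeRequest("CHG-0001", "upgrade file server operating system")
    actors = {"requested": "alice", "approved": "bob", "planned": "alice",
              "tested": "alice", "scheduled": "carol", "communicated": "carol",
              "implemented": "alice", "documented": "alice", "reviewed": "bob"}
    for step in STEPS:
        cr.advance(step, actors[step])
    return cr


def example_rejections() -> Dict[str, str]:
    """Two refused attempts on a constructed change; returns the reason for each."""
    reasons: Dict[str, str] = {}
    cr = ChangeRequest("CHG-0002", "open firewall port for new application")
    cr.advance("requested", "alice")
    try:
        cr.advance("approved", "alice")            # requester approving herself
    except ChangeError as e:
        reasons["self_approval"] = str(e)
    cr.advance("approved", "bob")
    cr.advance("planned", "alice")
    try:
        cr.advance("implemented", "alice")         # skips tested, scheduled, communicated
    except ChangeError as e:
        reasons["skipped_testing"] = str(e)
    return reasons


if __name__ == "__main__":
    done = example_happy_path()
    print(done.change_id, "final state:", done.state())
    for step, actor, _ in done.history:
        print(f"  {step:13s} by {actor}")
    for kind, reason in example_rejections().items():
        print(kind, "->", reason)
```

Because the record only ever grows by the next required step, the history alone shows whether a change was tested before it was implemented and who signed off at each stage, which is the evidence a post-change review or an audit needs.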
Security Governance
(1) An Enterprise-wide Issue. (2) Leaders are Accountable. (3) Viewed as a Business Requirement. (4) Risk-based. (5) Roles, Responsibilities, and Segregation of Duties Defined. (6) Addressed and Enforced in Policy.
(7) Adequate Resources Committed. (8) Staff Aware and Trained. (9) A Development Life Cycle Requirement. (10) Planned, Managed, Measurable, and Measured. (11) Reviewed and Audited.
Incident Response Plans
(1) Selecting team members (2) Define roles, responsibilities and lines of authority (3) Define a security incident (4) Define a reportable incident (5) Training (6) Detection (7) Classification (8) Escalation (9) Containment (10) Eradication (11) Documentation
Laws and regulations
Sarbanes-Oxley Act of 2002 (SOX). Section 404 of the act requires publicly traded companies to assess the effectiveness of their internal controls for financial reporting in annual reports they submit at the end of each fiscal year. Chief information officers are responsible for the security, accuracy and the reliability of the systems that manage and report the financial data. The act also requires publicly traded companies to engage independent auditors who must attest to, and report on, the validity of their assessments.
Conclusion
Information security is the ongoing process of exercising due care and due diligence to protect information, and information systems, from unauthorized access, use, disclosure, destruction, modification, or disruption or distribution.
The never ending process of information security involves ongoing training, assessment, protection, monitoring & detection, incident response & repair, documentation, and review.