INTRODUCTION TO INFORMATION SECURITY MANAGEMENT
Information Security Management (INFS 5055) &
Information Security Management (INFS 3070)
Study Period 2, 2010
Today’s Reference:
Whitman & Mattord, 2008, Management of Information Security, 2nd edition, Chapter 1 (alternatively, the 3rd edition is fine)
What is Security?
• “a well-informed sense of assurance that the information risks and controls are in balance.” —Jim Anderson, Inovant (2002)
• “The quality or state of being secure—to be free from danger”
• A successful organization should have multiple layers of security in place:
– Physical security
– Personal security
– Operations security
– Communications security
– Network security
– Information security
Physical Security
• commonly thought of as “building” security
• guns, dogs, guards, locks, infrared sensors, cameras, access card systems
• physical access systems
Personnel Security
• the most important asset (?)
• core of many security problems
• examples are:
– pre-employment screening
– security awareness training
– exit interviews
– employee contract
– anti-fraud initiatives
What is Information Security?
• An Information System consists of:
– hardware
– software
– IS people
– data & information (in various forms)
– procedures, processes, policies
• IS Security relates to all of these components
• Previously referred to as ‘Computer Security’
• Commonly referred to as ‘Information Security’
Diagram: Information Security
Components of the information system: hardware, software, people, data, documentation, procedures, telecommunications
Threats shown: viruses, theft, fire, software bugs, physical sabotage, loss of people, fraud, hackers, input error, hardware malfunction, unauthorised access, loss of electricity
Controls shown: user IDs & passwords, pre-employment screening, encryption, power supply, segregation of duties, fire doors, backup, guns, dogs & guards, policy manual, software validation, maintenance contract, locks
Why is it important?
• Business survival could be at stake
• Management attitude is (still) “It won’t happen to me” – this needs to change
• Vulnerabilities are greater with the advent of complex networks
• New threats are emerging as technology is embraced
• Attacks on systems are more prevalent
Security Breaches & Impacts
Critical Characteristics of Information
• The value of information comes from the characteristics it possesses:
– Confidentiality
– Integrity
– Availability
– Privacy
– Identification
– Authentication
– Authorisation
– Accountability
Scope of Information Security
• IS Security relates to minimising the threats to the Availability, Integrity and Confidentiality of information (and the Authenticity)
• Availability
– disruptions
• environmental (e.g. air-conditioning or power failure)
• hardware breakdowns
– disasters
• natural disasters (flood, fire, earthquake)
• other disasters (war, terrorism)
• software bugs
– catastrophic failure
• human safety compromised
– logical or physical
– accidental or deliberate
• Integrity
– errors & omissions
– computer crime
– hackers
• Confidentiality
– loss of print-out report (physical/accidental)
– loss of message, misdirected message (logical/accidental)
– theft of PC, screen snooping (physical/deliberate)
– wiretapping, hacking, electromagnetic radiation (logical/deliberate)
Principles Of Information Security Management
• The extended characteristics of information security are known as the six Ps:
– Planning
– Policy
– Programs
– Protection
– People
– Project Management
Planning
• Several types of InfoSec plans exist:
– Incident response
– Business continuity
– Disaster recovery
– Policy
– Personnel
– Technology rollout
– Risk management
– Security program, including education, training, and awareness
Policy
• The set of organizational guidelines that dictates certain behavior within the organization is called policy
• In InfoSec, there are three general categories of policy:
– General program policy (Enterprise Security Policy)
– An issue-specific security policy (ISSP)
– System-specific policies (SSSPs)
Programs
• Specific entities managed in the information security domain
• A security education training and awareness (SETA) program is one such entity
• Other programs that may emerge include a physical security program, complete with fire, physical access, gates, guards, and so on
Protection
• Risk management activities, including risk assessment and control, as well as protection mechanisms, technologies, and tools
• Each of these mechanisms represents some aspect of the management of specific controls in the overall information security plan
People
• People are the most critical link in the information security program
• It is imperative that managers continuously recognize the crucial role that people play
• Including information security personnel and the security of personnel
Project Management
• Project management discipline should be present throughout all elements of the information security program
• This effort involves identifying and controlling the resources applied to the project, as well as measuring progress and adjusting the process as progress is made toward the goal
The Sequence (diagram): THREATS threaten ASSETS, which create RISKS, which require CONTROLS
Vulnerability? Risk Exposure? Countermeasures?
“Health & Safety” of a person
• Threats
– Heart attack, stroke, car accident
– Work accident, sporting injury, assault
– Disease
• Assets
– Tissue, brain, heart, mind, limbs
– Organs, eyes, skin, self-esteem
• Risks
– Death, injury, loss of limb, sickness
– Brain damage, loss of eyesight
• Controls
– Regular exercise, proper food
– OH & S procedures at work
– Safe sports, safe driving
– Regular doctor check-ups
– Minimal stress, adequate sleep
Threats
• Something that has the potential to cause harm or loss
• 4 classes
– interruption
• hardware breakdown, software bug, operators on strike
– interception
• wiretapping, hacking
– modification and fabrication
• hackers tampering with & changing data
• adding records or transactions
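The modification and fabrication classes above are the ones an integrity control can detect directly. The following is an added example, not from the lecture slides: each stored transaction carries a keyed HMAC-SHA256 tag, so a record that has been altered (modification) or inserted by someone without the key (fabrication) fails verification. The key, record fields and transaction values are constructed for the demonstration.

```python
import hashlib
import hmac
import json

# Constructed demonstration key. In practice generate it with
# secrets.token_bytes(32) and keep it outside the code base.
KEY = b"example-shared-secret-not-for-production"


def canonical_bytes(record: dict) -> bytes:
    """Encode a record so the same fields always give the same bytes.

    sort_keys and fixed separators remove dict-ordering and whitespace
    differences that would otherwise change the tag for an identical record.
    """
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def tag_record(record: dict, key: bytes = KEY) -> str:
    """Return a hex HMAC-SHA256 tag over the canonical record."""
    return hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()


def verify_record(record: dict, tag: str, key: bytes = KEY) -> bool:
    """Recompute the tag and compare it in constant time."""
    return hmac.compare_digest(tag_record(record, key), tag)


# Constructed sample transaction, tagged when it was first recorded.
ORIGINAL = {"txn": 1001, "account": "AC-778", "amount": 250.00, "payee": "Acme Ltd"}
ORIGINAL_TAG = tag_record(ORIGINAL)


def untouched_record_verifies() -> bool:
    return verify_record(ORIGINAL, ORIGINAL_TAG)


def modification_detected() -> bool:
    """Modification: the amount is changed after the tag was computed."""
    tampered = dict(ORIGINAL, amount=25000.00)
    return not verify_record(tampered, ORIGINAL_TAG)


def fabrication_detected() -> bool:
    """Fabrication: a new transaction is inserted by someone without the key.

    The attacker can compute a plain SHA-256 over the record but cannot
    produce the keyed tag, so the forged record is rejected.
    """
    forged = {"txn": 1002, "account": "AC-778", "amount": 9000.00, "payee": "Mallory"}
    forged_tag = hashlib.sha256(canonical_bytes(forged)).hexdigest()
    return not verify_record(forged, forged_tag)


if __name__ == "__main__":
    print("untouched verifies:", untouched_record_verifies())
    print("modification detected:", modification_detected())
    print("fabrication detected:", fabrication_detected())
```

Two caveats worth keeping in mind: a MAC addresses only the modification and fabrication classes. Interception still succeeds because the record is stored in the clear (that needs encryption), and interruption is untouched (that needs backups and redundancy). And anyone who holds the key can forge valid tags, which is why the key must be held by the system rather than by the staff who enter transactions; that is the segregation of duties listed later under management controls.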
Top 10 Threats in IS
1. Errors & omissions
2. Data network breakdowns
3. Software errors & omissions
4. Computer-based fraud
5. Accidental & natural disasters
6. Equipment failure
7. Unauthorised access
8. Deliberate destruction of equipment
9. Misuse of computing equipment
10. Theft of computers
Risks
• Risk of going out of business
• Risk of losing competitive advantage
• Risk of unauthorised access
• Risk of being sued
• Risk of embarrassment
• Risk of losing money
• Risk of losing customers
Vulnerabilities
• A weakness in the security of the system which might be exploited to cause loss or harm
Controls/ Countermeasures
• 4 categories
– Management
– Hardware
– Software
– Authentication
Management Controls
• Security policies
• Segregation of duties
• Awareness training
• Physical security procedures
• Operational controls and procedures
• Exit Interviews
• New employee screening
• Personnel security
Hardware Controls
• Environmental conditions
• O/S controls
• Silicon, plastic, tin
Software Controls
• Access control software (RACF, ACF2, etc)
• Programming standards
– range checks
– check digits
– modular programs
• Change control procedures
• Authorisation controls
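The range checks and check digits listed under programming standards are the oldest software controls against the "errors & omissions" and "input error" threats. As an added example that is not part of the slides, the block below validates a payment record with a Luhn (mod-10) check digit, which is one widely used check-digit scheme, and with range checks on the amount and expiry fields. The record layout, limits and sample values are assumptions made for the demonstration.

```python
from dataclasses import dataclass, field
from datetime import date


@dataclass
class ValidationResult:
    ok: bool
    errors: list = field(default_factory=list)


def luhn_check_digit_valid(number: str) -> bool:
    """Validate a digit string whose last digit is a Luhn (mod-10) check digit.

    Luhn detects every single-digit error and almost all transpositions of
    adjacent digits, which is what a check digit is for: catching keying
    errors before the record is accepted, not resisting a determined attacker.
    """
    if not number.isdigit() or len(number) < 2:
        return False
    total = 0
    # Walk from the rightmost digit and double every second digit.
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def in_range(value, lo, hi) -> bool:
    return lo <= value <= hi


# Assumed business limits and a fixed "today" so the example is repeatable.
AMOUNT_MIN, AMOUNT_MAX = 0.01, 10000.00
EXAMPLE_TODAY = date(2024, 1, 15)


def validate_payment(rec: dict, today: date = EXAMPLE_TODAY) -> ValidationResult:
    """Apply a check digit and range checks to one payment record."""
    errors = []

    # Check digit on the card number catches mistyped or transposed digits.
    if not luhn_check_digit_valid(str(rec.get("card", ""))):
        errors.append("card: check digit failed")

    # Range check on the amount: reject zero, negative and implausible values.
    amount = rec.get("amount")
    if not isinstance(amount, (int, float)) or not in_range(amount, AMOUNT_MIN, AMOUNT_MAX):
        errors.append(f"amount: not within {AMOUNT_MIN}..{AMOUNT_MAX}")

    # Range check on the expiry: month 1..12 and not already in the past.
    try:
        month, year = int(rec["exp_month"]), int(rec["exp_year"])
        if not in_range(month, 1, 12):
            errors.append("exp_month: not 1..12")
        elif (year, month) < (today.year, today.month):
            errors.append("expiry: in the past")
    except (KeyError, ValueError, TypeError):
        errors.append("expiry: missing or not numeric")

    return ValidationResult(ok=not errors, errors=errors)


# Constructed sample records. 4111111111111111 is a well-known Luhn-valid
# test number; the bad record has a wrong check digit, a negative amount
# and an impossible month.
GOOD_RECORD = {"card": "4111111111111111", "amount": 49.99, "exp_month": 12, "exp_year": 2030}
BAD_RECORD = {"card": "4111111111111112", "amount": -5.00, "exp_month": 13, "exp_year": 2030}

if __name__ == "__main__":
    for rec in (GOOD_RECORD, BAD_RECORD):
        print(validate_payment(rec))
```

A check digit is an error-detection control, not an authentication control: a fraudster can compute a valid Luhn digit as easily as the validator can, so it belongs with the range checks as a defence against input error, while the authorisation controls below decide who may submit the record at all.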
Authentication Controls
• passwords
• PINs
• smart cards
• biometric devices
• something user knows
• something user has
• something user is
• something user can do
• someplace user is
Top 10 Controls
1. IS security policy document
2. Allocation of security responsibilities
3. IS security education & training
4. Reporting of security incidents
5. Virus control
6. Business continuity planning
7. Control of proprietary copying
8. Safeguarding of company records
9. Compliance with data protection legislation
10. Compliance with security policy
What you need to know!
• What is InfoSec and why it’s important
• Scope of InfoSec
• Principles of InfoSec Management
• A general idea of Threats, Risks and Controls