Published on

• Introduction to information security.
What is information security, threat, risks, vulnerabilities, basic terms and definition?

• Building blocks of information security strategy, policies and standards.
Identify and establish country wide information security strategy, establish policies standards and procedures, implementation of different types of control objectives: managerial, technologies, business processes. Introduction to main domains of information security management system depending on international information security standard (ISO 2700x).

• Actions, roles and responsibilities.
What kind of actions is needed for information security risk treatment. Roles and responsibilities of information security professionals.

By Vasil Tsvimitidze

Published in: Technology
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide


  1. 1. Georgia NATO FROM STRATEGY TO ACTION Turkey, Ankara 2012 Vasil Tsvimitidze
  2. 2. Introduction 2Introduction to information security.What is information security, threat, risks, vulnerabilities, basic terms and definition? Building blocks of information security strategy, policies and standards.Identify and establish country wide information security strategy, establish policiesstandards and procedures, implementation of different types of control objectives:managerial, technologies, business processes. Introduction to main domains ofinformation security management system depending on international informationsecurity standard (ISO 2700x). Actions, roles and responsibilities.What kind of actions is needed for information security risk treatment. Roles andresponsibilities of information security professionals.
  3. 3. First sections 3 Introduction to information security. What is Information? What is Information Security? What is RISK?
  4. 4. Information 4Information Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected’Information can be  Created  Stolen  Stored  Printed or written on paper  Destroyed  Stored electronically  Processed Transmitted by post or using  Transmitted electronics means  Used – (For proper &  Shown on corporate videos improper purposes)  Corrupted  Displayed / published on web  Lost  Verbal – spoken in conversations‘…Whatever form the information takes, or means by which it isshared or stored, it should always be appropriately protected’
  5. 5. Information Security 5 What Is Information Security  The quality or state of being secure to be free from danger  Security is achieved using several strategies  Security is achieved using several strategies simultaneously or used in combination with one another  Security is recognized as essential to protect vital processes and the systems that provide those processes  Security is not something you buy, it is something you do  The architecture where an integrated combination of appliances, systems and solutions, software, alarms, and vulnerability scans working together  Monitored 24x7  Having People, Processes, Technology, policies, procedures,  Security is for PPT and not only for appliances or devices
  6. 6. Information Security vs IT Security 6 Information Security is preservation of confidentiality, integrity and availability of information; in addition, other properties such as authenticity, accountability, non- repudiation and reliability can also be involved regardless of the form the information may take - electronic, printed, or other forms. IT Security is protection of the information technology assets such as computers and peripheral equipment, communications equipment, computing and communication premises, supplies and data storage media, operating system and application software.
  7. 7. Information Security components 7 PEOPLE PROCESSES TECHNOLOGY
  8. 8. People 8People “Who we are” People who use or interact with the Information include:  Share Holders / Owners  Management  Employees  Business Partners  Service providers  Contractors  Customers / Clients  Regulators etc…
  9. 9. Process 9Process “what we do”The processes refer to "work practices" or workflow. Processes are the repeatablesteps to accomplish business objectives. Typical process in our IT Infrastructure couldinclude:  Helpdesk / Service management  Incident Reporting and Management  Change Requests process  Request fulfillment  Access management  Identity management Sar  Service Level / Third-party Services Management oj  IT procurement process etc...
  10. 10. 10 Technology “what we use to improve what we do” Network Infrastructure:  Application software: Cabling, Data/Voice Networks and equipment  Finance and assets systems, including Telecommunications services (PABX), including Accounting packages, Inventory management, VoIP services , ISDN , Video Conferencing HR systems, Assessment and reporting systems Server computers and associated storage  Software as a service (Sass) - instead of devices software as a packaged or custom-made product. Etc.. Operating software for server computers  Physical Security components: Communications equipment and related hardware.  CCTV Cameras Intranet and Internet connections  Clock in systems / Biometrics VPNs and Virtual environments  Environmental management Systems: Humidity Control, Ventilation , Air Conditioning, Fire Remote access services Control systems Wireless connectivity  Electricity / Power backup Access devices: Desktop computers, Thin client computing. Laptops, ultra-mobile laptops and PDAs Digital cameras, Printers, Scanners, Photocopier etc.
  11. 11. Information Security 11 INFORMATION SECURITY 1. Protects information from a range of threats 2. Ensures business continuity 3. Minimizes financial loss 4. Optimizes return on investments 5. Increases business opportunities Business survival depends on information security.
  12. 12. Information Attributes 12ISO 27002:2005 defines Information Security as the preservation of: Ensuring that information is accessible only to  Confidentiality those authorized to have access Safeguarding the accuracy and completeness of information and processing methods  Integrity Ensuring that authorized users have access to  vailability information and associated assets when required
  13. 13. Information Attributes 13 Security breaches leads to…  Reputation loss  Financial loss  Intellectual property loss  Legislative Breaches leading to legal actions (Cyber Law)  Loss of customer confidence  Business interruption costs LOSS OF GOODWILL
  14. 14. SURVEY 14  Information Security is “Organizational Problem”  rather than “IT Problem”  More than 70% of Threats are Internal  More than 60% culprits are First Time fraudsters  Biggest Risk : People  Biggest Asset : People  Social Engineering is major threat  More than 2/3rd express their inability to determine “Whether my systems are currently compromised?”
  15. 15. Risk 15What is Risk?Risk: A possibility that a threat exploits a vulnerability in an asset and causes damage or loss to the asset.Threat: Something that can potentially cause damage to the organization, IT Systems or network.Vulnerability: A weakness in the organization, IT Systems, or network that can be exploited by a threat.
  16. 16. 16Risk, Threats, and Vulnerabilities Relationship between Risk, Threats, and Vulnerabilities exploit Threats Vulnerabilities reduce Information Controls * Risk assets Protection Asset values Requirements
  17. 17. Threat Identification 17 Threat Identification Elements of threats Agent : The catalyst that performs the threat. Human Machine Nature Motive : Something that causes the agent to act. Accidental Intentional Only motivating factor that can be both accidental and intentional is human Results : The outcome of the applied threat. The results normally lead to the loss of CIA Confidentiality Integrity Availability
  18. 18. Threats 18  Employees  External Parties  Low awareness of security issues  Growth in networking and distributed computing  Growth in complexity and effectiveness of hacking tools and viruses  Natural Disasters  fire,  flood,  Earthquake etc.
  19. 19. Threat Sources 19 Threat Sources Source Motivation Threat Challenge Ego Game System hacking Social engineering External Hackers Playing Dumpster diving Deadline Financial problems Backdoors Fraud Internal Hackers Disenchantment Poor documentation System attack Social engineering Revenge Letter bombs Viruses Denial of Terrorist Political service Corruption of data Unintentional errors Malicious code introduction Programming errors System bugs Poorly trained employees Data entry errors Unauthorized access
  20. 20. Threat Categories and Examples 20 No Categories of Threat Example 1 Human Errors or failures Accidents, Employee mistakes 2 Compromise to Intellectual Property Piracy, Copyright infringements 3 Deliberate Acts or espionage or trespass Unauthorized Access and/or data collection 4 Deliberate Acts of Information extortion Blackmail of information exposure / disclosure 5 Deliberate Acts of sabotage / vandalism Destruction of systems / information 6 Deliberate Acts of theft Illegal confiscation of equipment or information 7 Deliberate software attacks Viruses, worms, macros Denial of service 8 Deviations in quality of service from service Power and WAN issues provider 9 Forces of nature Fire, flood, earthquake, lightening 10 Technical hardware failures or errors Equipment failures / errors 11 Technical software failures or errors Bugs, code problems, unknown loopholes 12 Technological Obsolence Antiquated or outdated technologies
  21. 21. Information Attributes 21 High User Virus Knowledge of IT Theft, Attacks Systems Sabotage, Misuse Systems & Lapse in Natural Network Lack Of Calamitie Physical Failure Documen s & Fire Security tation
  23. 23. Second section 23Building blocks of information security strategy, policies and standards. Building blocks of information security strategy, policies and standards. Identify and establish country wide information security strategy, establish policies standards and procedures, implementation of different types of control objectives: managerial, technologies, business processes. Introduction to main domains of information security management system depending on international information security standard (ISO 2700x).
  24. 24. PDCA 24 Answer is: (Plan, Do, Check, Act) Learning international best practices Identify metrics and criterias Selecting basic standards Building capacity Management system implemetation core standard for information security is ISO 27001
  25. 25. Standard History 25 History Early 1990 • DTI (UK) established a working group • Information Security Management Code of Practice produced as BSI-DISC publication 1995 • BS 7799 published as UK Standard 1999 • BS 7799 - 1:1999 second revision published 2000 • BS 7799 - 1 accepted by ISO as ISO - 17799 published • BS 7799-2:2002 published ISO 27001:2005 Information technology — Security techniques — Information security management systems — Requirements ISO 27002:2005 Information technology — Security techniques — Code of practice for information security management
  26. 26. ISO 27001 Features 26 ISO 27001ISO 27001: This International Standard covers all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations). ThisInternational Standard specifies the requirements for establishing; implementing, operating, monitoring, reviewing, maintaining and improving documented ISMS within the context of the organization’s overall business risks. It specifies requirements for the implementation of security controls customized to the needs of individual organizations or parts thereof.The ISMS is designed to ensure the selection of adequate and proportionate security controls that protectinformation assets and give confidence to interested parties Features Features of ISO 27001 Plan, Do, Check, Act (PDCA) Process Model Process Based Approach Stress on Continual Process Improvements Scope covers Information Security not only IT Security Covers People, Process and Technology 5600 plus organizations worldwide have been certified 11 Domains, 39 Control objectives, 133 controls
  27. 27. Second section 27 PDCA Process ISMS PROCESS Interested Interested Parties Parties Management Responsibility PLAN Establish ISMS DO ACT Implement & Maintain & Operate the Improve Information ISMS Security Managed Requirements CHECK Monitor & Information & Review ISMS Security Expectations
  28. 28. Main directions 28
  29. 29. Information Attributes 29 Information Security Policy - To provide management direction and support for Information security. Organisation Of Information Security - Management framework for implementation Asset Management - To ensure the security of valuable organisational IT and its related assets Human Resources Security - To reduce the risks of human error, theft, fraud or misuse of facilities. Physical & Environmental Security -To prevent unauthorised access, theft, compromise , damage, information and information processing facilities. Communications & Operations Management - To ensure the correct and secure operation of information processing facilities.
  30. 30. Information Attributes 30 Access Control - To control access to information and information processing facilities on ‘need to know’ and ‘need to do’ basis. Information Systems Acquisition, Development & Maintenance - To ensure security built into information system Information Security Incident Management - To ensure information security events and weaknesses associated with information systems are communicated. Business Continuity Management - To reduce disruption caused by disasters and security failures to an acceptable level. Compliance - To avoid breaches of any criminal and civil law, statutory, regulatory or contractual obligations and of any security requirements.
  31. 31. Implementation Process 31
  32. 32. 32Information Security Governance On State Level Parliament Security council Low draft for Personal Data protection Law of State secret Crime code information Security Cyber security Strategy Regulation for Information Security Government Government agencies ministries and critical Data Exchange agency infrastructure Information security strategy Normative and templates Information Internal Info Information Security implementation plans Info Sec comity Security Officer Sec Audit reviewing and Analyzing •Risk management (standard, procedures, guidelines) Providing Trainings •Information asset management •Incident Management Info Sec incident Handling •End user standards and guidelines Audit reports reviewing and analyzing •Internal audit/ asurance •…. Providing recommendations depending on •…. existing global situation
  33. 33. Roles And Resposibilties Information security strategy(policy) Information security committee Information security officer Information Security audit Information security specialists
  34. 34. Thank YouQuestions…