Why?
• Initially, the majority of businesses operated closed processing environments (the "Glass House").
• Networks and a distributed client/server processing environment.
• Decentralized processing.
• Increased exposure of sensitive information.
• We require:
– Confidentiality
– Integrity
– Availability
Confidentiality
• Confidentiality relates to the protection of information from unauthorized access, regardless of where the information resides or how it is stored.
• Are only the appropriate personnel viewing or using the organization's information assets?
• Authentication and authorization
• A framework for classifying information by its confidentiality level
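The slide lists authentication, authorization and a classification framework as the building blocks of confidentiality. The following Python example, added here and not part of the original slides, shows how those pieces fit together: it authenticates a user against a salted password hash, then decides whether that user's clearance covers a document's classification, and records every decision for later review. The four classification levels, the users, their clearances and the document register are all constructed sample data.

```python
"""Added example (not from the original slides): authentication followed by
authorization against a confidentiality classification.

Everything below is constructed for illustration: the four classification
levels and their ordering, the two users, their clearances and the documents.
The point is the order of the checks the slide lists: first establish who is
asking (authentication), then decide whether that person's clearance covers
the document's classification (authorization), and record the decision so
access can be reviewed later.
"""
import hashlib
import hmac
import secrets

# Assumed classification framework, lowest to highest sensitivity.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

AUDIT_LOG = []  # one entry per access decision, for later review


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the stored credential is not a reversible secret.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(name: str, password: str, clearance: str) -> dict:
    salt = secrets.token_bytes(16)
    return {"name": name, "salt": salt,
            "hash": _hash_password(password, salt), "clearance": clearance}


# Constructed sample directory and document register.
USERS = {
    "alice": make_user("alice", "correct horse", "confidential"),
    "bob": make_user("bob", "battery staple", "internal"),
}
DOCUMENTS = {
    "press-release.txt": "public",
    "org-chart.pdf": "internal",
    "merger-plan.docx": "confidential",
    "payroll.xlsx": "restricted",
}


def authenticate(username: str, password: str):
    """Return the user record on a correct password, else None."""
    user = USERS.get(username)
    if user is None:
        # Do the same work for unknown names so response time does not
        # reveal which accounts exist.
        _hash_password(password, b"\x00" * 16)
        return None
    if hmac.compare_digest(_hash_password(password, user["salt"]), user["hash"]):
        return user
    return None


def authorize_read(user: dict, document: str) -> bool:
    """Clearance must be at or above the document's classification.
    Unknown documents are treated as not readable."""
    level = DOCUMENTS.get(document)
    allowed = level is not None and LEVELS[user["clearance"]] >= LEVELS[level]
    AUDIT_LOG.append({"user": user["name"], "document": document,
                      "classification": level, "allowed": allowed})
    return allowed


def read_document(username: str, password: str, document: str) -> str:
    """Combined check used by the application; returns a decision string."""
    user = authenticate(username, password)
    if user is None:
        AUDIT_LOG.append({"user": username, "document": document,
                          "classification": None, "allowed": False})
        return "denied: authentication failed"
    if not authorize_read(user, document):
        return "denied: insufficient clearance"
    return "granted"
```

Note that a failed login and an insufficient clearance are both logged: the "how often access logs will be reviewed" item on the policies slide only has meaning if denied attempts are recorded as well as granted ones.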
Integrity
• Integrity is the protection of information, applications, systems, and networks from intentional, unauthorized, or accidental changes.
• Is the information correct, and are the applications processing the appropriate files?
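The slide distinguishes accidental changes from intentional, unauthorized ones. The Python example below, added here and not taken from the original slides, shows why that distinction matters for the check you choose: an unkeyed SHA-256 digest stored next to a record notices a storage fault, but a party who can rewrite storage can also rewrite the digest, whereas a keyed HMAC tag stays verifiable only by a holder of the key. The record and the key are constructed sample values.

```python
"""Added example (not from the original slides): detecting accidental and
unauthorized changes to a stored record.

The sample record and the integrity key below are constructed for this
illustration. Two mechanisms are compared: an unkeyed SHA-256 digest stored
beside the record, and a keyed HMAC-SHA256 tag computed with a key that the
application's verifier holds but a party who can merely write to storage
does not.
"""
import hashlib
import hmac

# Constructed sample: a payroll-style record and the verifier's secret key.
RECORD = b"employee=1042;account=XX00-SAMPLE-0000;salary=4200"
INTEGRITY_KEY = b"constructed-example-key-do-not-reuse"


def plain_digest(data: bytes) -> str:
    """Unkeyed hash: detects accidental corruption only."""
    return hashlib.sha256(data).hexdigest()


def keyed_tag(data: bytes, key: bytes) -> str:
    """Keyed tag: a modifier without the key cannot produce a valid tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_keyed(data: bytes, key: bytes, tag: str) -> bool:
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(keyed_tag(data, key), tag)


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Simulate accidental corruption (for example a storage fault)."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def check_accidental_change(record: bytes, key: bytes) -> dict:
    """Store digest and tag, corrupt one bit, and report what each check notices."""
    stored_digest = plain_digest(record)
    stored_tag = keyed_tag(record, key)
    damaged = flip_bit(record, 13)
    return {
        "plain_hash_detects": plain_digest(damaged) != stored_digest,
        "keyed_tag_detects": not verify_keyed(damaged, key, stored_tag),
    }


def check_unauthorized_change(record: bytes, key: bytes) -> dict:
    """A party who can rewrite storage but lacks the key alters the record and
    overwrites the stored unkeyed digest, so the plain-hash check still passes;
    the stored keyed tag cannot be regenerated and the HMAC check fails."""
    stored_tag = keyed_tag(record, key)
    tampered = record.replace(b"salary=4200", b"salary=9900")
    stored_digest = plain_digest(tampered)  # digest rewritten along with the record
    return {
        "plain_hash_detects": plain_digest(tampered) != stored_digest,
        "keyed_tag_detects": not verify_keyed(tampered, key, stored_tag),
    }
```

The practical consequence is that an integrity control for the intentional case must rest on something the potential modifier does not have (a key held by the verifier, or a signature), while a plain checksum is adequate only for the accidental case.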
Availability
• Availability is the assurance that information and resources are accessible by authorized users as needed.
– Denial of service caused by a lack of security controls
– Loss of services from information resources due to natural disasters
• Are the network resources, applications, and data accessible when needed?
Five components of the ISA (Information Security Architecture)
• Security organization / infrastructure
• Security policies, standards, and procedures
• Security baselines / risk assessments
• Security awareness and training programs
• Compliance
Policies, standards, and procedures
• Who is permitted to use the application
• What types of services will be provided by the system
• How users will request access to the system
• Who will grant access to the system
• How often access logs will be reviewed
• What procedures will be taken for inappropriate use of the system
• How security incidents will be reported, recorded, and handled
• Who will be responsible for investigating suspicious activity
Security baselines / risk assessments
• Once the configuration is complete, an attempt to thwart the system should be performed so that both its capabilities and its weaknesses are known, documented, and improved.
• Automated vulnerability testing software
• Testing software must be updated frequently
Security awareness and training programs
• All users of the system must be made aware of what they can and cannot do.
• Proper knowledge of policies.
• Personal business is restricted on the organization's infrastructure.
• It needs to be made clear what the consequences will be if the policies related to the Internet are not followed.
Compliance
• Procedures need to be established to ensure that all parties responsible for Internet access and firewall configuration are in compliance with the security policy, standards, and procedures that have been developed, and that the programs developed to enforce the policies are effective.
• Compliance checks are regular; their frequency depends on the risk level.
Piecemealing
• As an organization grows, the tendency is to add to the existing environment to meet current requirements without planning for future growth.
• This can occur due to lack of knowledge of available technology, lack of communication between departments, or nonexistent technology standards within the organization.
The Threat
• A threat is an act of coercion wherein an act is proposed to elicit a negative response.
• Corporate information can be easily accessed, compromised, or destroyed by intentional, unintentional, or natural threats.
Intentional threats
• Unauthorized users who inappropriately access data and information that they are not granted permission to view or use.
• Can be external or internal.
Unintentional threats
• Caused by untrained or careless employees.
• They also include programmers or data processing personnel.
Natural threats
• Equipment failures, or disasters such as fire, floods, and earthquakes, that can result in the loss of equipment and data.
The Risks
• There are many events that can result if a breach of confidentiality, integrity, or availability occurs.
Overview of Security Controls
• To apply appropriate controls to an operating environment, it is necessary to understand who or what poses a threat to the processing environment, and then to understand what could happen (the risk or danger) from that threat.
The Controls
• Control requirements are not uniform for all systems.
– Administrative controls
  • Security policies and procedures
– Physical controls
  • Direct physical access to equipment
– Technical controls
  • Logical controls
    – Access controls
  • Non-repudiation
Strategic IT Plan should be broken into six parts
• Introduction
• Description of the IT Organization
• Scope, Viability, and Modification of the Plan
• Relationship to the Organization's Strategic Business Plan
• Strategic Goals for Information Technology
• Summary and Conclusion
Introduction
• The Introduction is an overview or executive summary that describes the background, origination, and intent of the document.
Description of the IT Organization
• The Description of the IT Organization should include a definition of the roles and responsibilities of individuals within the IS department, an organization chart and description of supporting staff, and a vision for the use of IT.
Scope, Viability, and Modification of the Plan
• Scope, Viability, and Modification of the Plan defines the scope of the document.
Relationship to the Organization's Strategic Business Plan
• Relationship to the Organization's Strategic Business Plan refers back to the business plan and provides a discussion of how the plan is integrated with and supports the Strategic Business Plan.
Strategic Goals for Information Technology
• Strategic Goals for Information Technology lists the specific objectives from the business plan that relate to IT.
Strategic IT Plan: Sample Table of Contents

Table of Contents
1. Introduction
2. Information Technology at XXXX Organization (Mission Statement)
   2.1 The CIO and Information Systems & Technology Roles
   2.2 The Information Systems & Technology Institutional-Level Organization
   2.3 Local Information Technology Support Staff
   2.4 The Evolving Information Technology Support Role
   2.5 A Vision for Information Technology Effectiveness
3. Scope, Viability, and Modification of This Plan
4. Relationship to the XXXX Corporation's Strategic Plan
5. Strategic Goals for Information Technology
   5.1 A Corporate Goal: Information Accessibility
       5.1.1 Enhance and Extend the Network Infrastructure
       5.1.2 Ensure Appropriate Off-Site Network Access
       5.1.3 Ensure Effective Delivery of Information Technology Support
       5.1.4 Evaluate Services and Customer Satisfaction
       5.1.5 Establish Corporate-wide Standards
       5.1.6 Effectively Manage and Distribute Servers
       5.1.7 Enhance Support of Library Initiatives
       5.1.8 Enhance Internal and External Communications
   5.2 A Corporate Goal: Technology-Enabled Management, Staff, and Business Partners
       5.2.1 Ensure Management and Staff Development in Technology
       5.2.2 Provide Appropriate Workstation Support for Management and Staff
       5.2.3 Promote Effective Research Computing
       5.2.4 Foster Technology Experimentation
       5.2.5 Provide Effective Information Technology Services for Clients
   5.3 A Corporate Goal: Technology-Enhanced Business
       5.3.1 Establish Appropriate Levels of Technology in Business Operations
       5.3.2 Ensure Availability of Information Technology Resources for Employees
       5.3.3 Engage the Corporate Community in the Use of Technology
   5.4 A Corporate Goal: Business Process Effectiveness
       5.4.1 Improve Efficiency of Operations
       5.4.2 Establish an Effective Data Warehouse System
       5.4.3 Replace Business-Process Software Systems
   5.5 A Corporate Goal: Information Security Architecture
       5.5.1 Establish an Organization that Supports the Security Function
       5.5.2 Establish Security Policies and Procedures
       5.5.3 Conduct Baseline Risk Assessments for Each Component of the Operating Environment
       5.5.4 Develop a User Awareness Program and Conduct Training for Employees and Individuals with Security Responsibility
       5.5.5 Develop a Comprehensive Compliance Program
6. Summary and Conclusion