Welingkar’s Distance Learning Division
I.T. for Management
CHAPTER-18
Information Security
Information Security - I.T Project Management

What is information security? Information security focuses on protecting valuable information that will help businesses succeed in their strategies. Confidentiality, integrity and availability are the three basic objectives of information security.

For more such innovative content on management studies, join WeSchool PGDM-DLP Program: http://bit.ly/ZEcPAc

Join us on Facebook: http://www.facebook.com/welearnindia
Follow us on Twitter: https://twitter.com/WeLearnIndia
Read our latest blog at: http://welearnindia.wordpress.com
Subscribe to our Slideshare Channel: http://www.slideshare.net/welingkarDLP

Published in: Business, Technology
Information Security - I.T Project Management

  1. Welingkar’s Distance Learning Division
     I.T. for Management
     CHAPTER-18: Information Security
     We Learn – A Continuous Learning Forum
  2. Information Security
     IT Security, Control, Audit & Governance
     “Information is Power” is a very old adage in the IT sector. In today’s world information is increasingly viewed as an asset which has real value and is to be protected. Accumulating information was once done more for statutory purposes. Today sophisticated data warehouses hold what may be considered a “gold mine” of knowledge, and data mining tools are available to extract the right information at the right time.
  3. Information Security
     Objectives of IT Security Management
     The purpose of IT Security Management is to ensure:
     • Confidentiality: restricting access to the right people for the right purpose
     • Integrity: correctness and validity of information stored or processed
     • Availability: ensuring information is available to authorized persons
  4. Information Security
     In almost every large enterprise, the physical and IT security departments operate independently of each other. They are generally unaware of the strengths and weaknesses of one another's practices, the liabilities of operating independently, and the benefits of integrated security management.
  5. Information Security
     Physical Security and IT Security
     Physical security focuses on the protection of physical assets, personnel and facility structures. This involves managing the flow of individuals and assets into, out of, and within a facility. IT security focuses on the protection of information resources, primarily computer and telephone systems and their data networks. This involves managing the flow of information into, out of, and within a facility’s IT systems, including human access to information systems and their networks. Clearly these two are separate domains. Why should they be integrated?
  6. Information Security
     Physical Security and IT Security: a Management Issue
     The question above accurately reflects the thoughts of most security practitioners as they approach this subject. How is the question misleading? To lean on a common idiom, it focuses on the trees rather than the forest. It is the management of physical and IT security that must be integrated. No one is going to integrate a brick wall and a database. However, the management of who is allowed inside the wall and inside the database must be integrated, or there will be gaps in the organization’s security. Figure 1 below illustrates the concept of integrated security management. Whenever you hear or read the phrase “integration of physical and IT security,” think “integration of physical and IT security management” and you’ll be on the right track.
  7. Information Security
     (image-only slide; no text captured in the transcript)
  8. Information Security
     While it is true that many of the physical and IT security processes and procedures must be integrated at the technology level, it is not the technology that defines the integration. The business processes and procedures define it; the technology implements it. That is why the first step in integrating physical and IT security is an examination of security-related business requirements and the physical and IT security processes that support them. The integration of the business processes will determine where integration of physical security and IT technology is required.
  9. Information Security
     (image-only slide; no text captured in the transcript)
  10. Information Security
      Types of control and examples:
      • Physical control: doors and locks, security gates, raised floors, double doors, UPS system
      • IT related: password, directory services, firewall, antivirus, application server, hot standby server, backup of software
      • Document related: correct labeling, version control, copies of key documents
      • Application specific: data validation so that only correct data is accepted (length, range and code checks), process-related checks, output controls
  11. Information Security Standards
      BS 7799 Standard
      The subject of IT security is therefore not one of merely putting appropriate control measures in place. It calls for a process approach whereby information security has:
      • a defined organizational policy
      • backing by management commitment
      • the necessary resources and defined procedures
      • appropriate control objectives
      • suitable control measures
      • recording and reviewing of incidents
      • continuous improvement of the security process
  12. Information Security Standards
      BS 7799 Standard
      BS7799 is a British standard which addresses precisely this aspect. It provides a comprehensive framework within which an organization can set up an effective Information Security Management System (ISMS). More specifically, some of the control objectives it describes include the following:
      • Management of the ISMS
      • Physical security
      • Information processing
      • Access to information for IT employees and outsourced vendors
      • Access from remote locations
  13. Information Security Standards
      BS 7799 Standard
      To implement the BS7799 standard an organization must take the following steps:
      • Define an information security policy. The organization and its management must demonstrate their commitment to information security.
      • There must be formal reviews related to security incidents.
      • Risk assessment. The organization must conduct a risk assessment. This will help to identify the more important sources of risk. It would then select from the following strategies: risk avoidance, mitigation, insurance or transfer, assumption of risk.
      (continued)
  14. Information Security Standards
      BS 7799 Standard
      • Based on the strategy decided for each risk/asset combination, it will select appropriate controls to manage the risk.
      • For instance, to prevent unauthorized entry it may provide smart card or biometric entry.
      • The organization would also have identified detailed procedures for implementing and monitoring the various controls, defined roles, and dos and don’ts for all employees.
      • Finally, the process needs to be sustained and continuously evaluated.
  15. Information Security Standards
      Business Continuity Planning (BCP)
      Availability is one of the key elements in information security. Failures in IT, e.g. incidents like power failure or virus attack, can be disastrous. Organizations such as a stock exchange or a bank work on a central data center.
      The BCP outlines:
      • the objective of the plan in the event of a disaster
      • the resources
      • priorities assigned for business continuity
      • procedures to follow in the event of a disaster
      • communication to outsiders
  16. Information Security Standards
      Business Continuity Planning (BCP)
      The BCP ensures that certain critical business functions continue despite a disaster. The BCP can also be viewed from the point of view of three stages:
      • Pre-disaster
      • During the disaster
      • Post-disaster
      Thus each procedure should cover these three stages. Disaster Recovery is a set of plans to enable an organization to come back to normalcy.
  17. Information Security Standards
      Business Continuity Planning (BCP)
      Disaster Recovery
      The time frame within which the recovery must happen is a matter of practicality and the organization’s policy.
      Solutions used for BCP:
      • Hard disk crash: RAID arrays, mirror disk, SAN/NAS solution
      • Complete data center crippled: hot remote site, e.g. NSE has a hot site at Pune which takes over if the Mumbai center fails
      • Telecom/ISP crashes: have a leased line from more than one ISP
  18. Information Security Standards
      Business Continuity Planning (BCP)
      The choice of solution depends upon the perceived impact of the disaster on business continuity. Most of the time, BCP/DR plans miss out on mock drills. These can best be done through simulation, by generating disaster conditions, thereby enabling and training people to understand their individual role at the time of a disaster and the specific actions to be taken.
  19. Information Security
      End of Chapter 18
