Overview• What is Information Security ?• Key component• Security controls• Classification of security• Laws and regulations
What is information security ? The protection of information and its criticalelements, including systems and hardware that use, store, and transmit that information Necessary tools: policy, awareness, training, education, technology
Information security: a “well-informed sense of assurance that the information risks and controls are in balance.”— Jim Anderson, Inovant (2002)
Why Information Security ?The purpose of information security management is to ensure business continuity and reduce business damage by preventing and minimizing the impact of security incidents.
According to Organization of Economic Co-operation and development:9 generally accepted principles are1. Awareness2. Responsibility3. Response4. Ethics5. Democracy6. Risk Assessment7. Security Design and Implementation8. Security management9. Reassessment
Confidentiality Confidentiality is the term used to prevent thedisclosure of information to unauthorized individuals or systems.Example: Password hacking in online money transaction systemsPrevention: by encrypting the data and by limiting the placeswhere it might appear.
Integrity In information security, integrity means that data cannot be modified undetectably. Example:Prevention: message authentication & integrity codes(MAC/MIC), and message digests such as MD5 or SHA-1 hashes.
Availability Ability of the infrastructure to function according to business expectations during its specified time of operationPrevention: Backup systems
Utility Utility means usefulnessExample: Encrypted data stored in hard disk and the decryption keyis lost. Prevention: Use a specific computer architecture for a specific purpose ( MS word file can’t be open in Notepad)
Risk management “Risk management is the process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives, and deciding what countermeasures, if any, to take in reducing risk to anacceptable level, based on the value of the information resource to the organization.” Certified Information System Auditor (CSIA)
The Risk management Process consist of:• Identification of assets and estimating their value.• Conduct a threat assessment.• Conduct a vulnerability assessment.• Calculate the impact that each threat would have on each asset.• Identify, select and implement appropriate controls.• Evaluate the effectiveness of the control measures.
Threats to Information System • Human Errors • Environmental ErrorsUnintentional • System Failure Threats • Information Extortion • Theft Intentional • Identify theft Threats • Software Attack
ControlsThree different main types of controls are:1. Administrative2. Logical3. Physical
Administrative Controls• Administrative controls (also called procedural controls) consist of approved written policies, procedures, standards and guidelines.• Administrative controls form the framework for running the business and managing people.• Laws and regulations created by government bodies are also a type of administrative control because they inform the business.• Example: corporate security policy, password policy, hiring policies, and disciplinary policies.
Logical Controls• Logical controls (also called technical controls) use software and data to monitor and control access to information and computing systems. Example: Firewall network instruction detection system• An important logical control that is frequently overlooked is the principle of least privilege. Example where this principle fails: logging windows as administrator
Physical Controls• Physical controls monitor and control the environment of the work place and computing facilities. Example: Fire alarms, fire suppression systems, cameras,security guards, cable locks etc.• An important physical control that is frequently overlooked is the separation of duties. Example: An application programmer should not also be theserver administrator or the database administrator.
Access control Access to protected information must be restricted to people who are authorized to access the information.Main Elements:• Identification• Authentication• Cryptography
Defense in depth Information security must protect information throughout the life span of the information, from the initial creation of the information on through to the final disposal of the information.To fully protect the information during its lifetime, each component ofthe information processing system must have its own protectionmechanisms.
Balancing Information Security and Access• Impossible to obtain perfect security—it is a process, not an absolute• Security should be considered balance between protection and availability• To achieve balance, level of security must allow reasonable access, yet protect against threats
Security classification of Information• In the business sector Public Sensitive Private Confidential• In Government Sector Unclassified Sensitive but unclassified Restricted Confidential Secret Top Secret And Their non English equivalent
Laws and regulationsThe original Information Technology Act (section 43and 66)• Passed in 2000• Deals with computer misuse• Does not have any express provision for data security.The IT (Amendment ) Act 2008 (“Amendment Act”)(section 43A and section 72A)• Under Section 43A, “bodies corporate” can be liable if they are negligent in implementing and maintaining “reasonable security practices and procedures” to protect “sensitive personal data or information”.
New data security regulations , 2011 (“sensitive personal data rules”) The Sensitive Personal Data Rules defines “sensitive personal data or information” of a person to include information about:• Passwords;• Financial information such as bank accounts, credit and debit card details;• Physiological and mental health condition, medical records;• Biometric information;• Information received by body corporate under lawful contract or otherwise;• User details as provided at the time of registration or thereafter; and• Call data records.Information that is freely available in the public domain or accessibleunder the Right to Information Act, 2005 or any other law will not beregarded as sensitive personal data or information.
Summary• Information security is a “well-informed sense of assurance that the information risks and controls are in balance.”• Successful organizations have multiple layers of security in place: physical, personal, operations, communications, network, and information.• Security should be considered a balance between protection and availability
Types of IT Threats1. Computer virus2. Trojan Horses3. DNS poisoning4. Password grabbers5. Network worms6. Logic Bombs7. Hijacked home page8. Password cracker Types of Attacks1. SQL Injection2. Dictionary attack3. Phishing4. Cross site scripting (XSS)5. UI redressing