Transcript of "Information security management"

1. Information Security Management: Threats to Information Security and what we can do about it
2. Before we start our conversation… Ordering a pizza?
3. What are the threats to information security?
• In order to adequately protect information resources, managers must be aware of the sources of threats to those resources, the types of security problems the threats present, and how to safeguard against both. The three most common sources of threats are:
– Human error and mistakes
– Malicious human activity
– Natural events and disasters
4. • Human error and mistakes stem from employees and nonemployees.
– They may misunderstand operating procedures and inadvertently cause data to be deleted.
– Poorly written application programs and poorly designed procedures may allow employees to enter data incorrectly or misuse the system.
– Employees may make physical mistakes, like unplugging a piece of hardware, that cause the system to crash.
5. Human Threats
• Malicious human activity results from employees, former employees, and hackers who intentionally destroy data or system components. These actions include:
• Breaking into systems with the intent of stealing, altering or destroying data.
• Introducing viruses and worms into a system.
• Acts of terrorism.
6. Natural Events and Disasters
• The last source of threats to information security is natural events and disasters. These threats pose problems stemming not just from the initial loss of capability and service but also from the problems a company may experience as it recovers from the initial event. They include:
• Fires
• Floods
• Hurricanes
• Earthquakes
• Other acts of nature
7.  This chart shows some of the security problems a company may experience and the possible sources of the problems.
8. What are unauthorized data disclosure threats?
• For example, a new university department administrator posts student names, numbers, and grades in a public place.
• Or an employee unknowingly posts restricted data on a company website that can be reached by search engines over the Web.
9. Malicious unauthorized data disclosure threats
• Pretexting: when someone deceives by pretending to be someone else, for example a caller who claims to be from IT support and asks for a password.
• Phishing: the phisher pretends to be a legitimate company and sends an email requesting confidential data such as account numbers, social security numbers, passwords, and so forth.
• Spoofing: pretending to be someone else at the protocol level. IP spoofing forges the source address of a packet; email spoofing forges the From: address of a message. Email spoofing is a technique phishers commonly use, not a synonym for phishing: a spoofed message is not necessarily phishing, and phishing mail often comes from a look-alike domain the attacker genuinely controls.
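An added example (not from the slide deck) of the check a receiving mail server makes to catch a spoofed From: address, in the spirit of DMARC identifier alignment: the domain in the visible From: header is compared with the domain of the envelope sender (Return-Path) and with the signing domain (d=) of any DKIM signature. The two messages, the domain names and the two-label organizational-domain rule are constructed for the example; a real check also verifies the SPF record and the DKIM signature themselves, which needs DNS and is not done here.

```javascript
// Added example, not from the slides: DMARC-style identifier alignment.
// Assumption: the "organizational domain" is the last two DNS labels;
// real implementations consult the Public Suffix List instead.

function parseHeaders(raw) {
  // Unfold continuation lines, then collect "Name: value" pairs up to the
  // blank line that ends the header block (body lines are not headers).
  const unfolded = raw.replace(/\r?\n[ \t]+/g, ' ');
  const headers = {};
  for (const line of unfolded.split(/\r?\n/)) {
    if (line === '') break;
    const m = line.match(/^([\w-]+):\s*(.*)$/);
    if (m) headers[m[1].toLowerCase()] = m[2];
  }
  return headers;
}

function domainOfAddress(field) {
  // Accept "Display Name <user@host>" or a bare "user@host".
  const m = field.match(/<([^>]+)>/);
  const addr = (m ? m[1] : field).trim();
  const at = addr.lastIndexOf('@');
  return at === -1 ? null : addr.slice(at + 1).toLowerCase();
}

function orgDomain(domain) {
  return domain.split('.').slice(-2).join('.');
}

// Compares the From: domain with the envelope sender and DKIM signing domain.
// Returns 'pass' when at least one identifier is aligned, otherwise 'fail'.
function checkAlignment(raw) {
  const h = parseHeaders(raw);
  const fromDomain = domainOfAddress(h['from'] || '');
  const envelopeDomain = domainOfAddress(h['return-path'] || '');
  const dkim = (h['dkim-signature'] || '').match(/\bd=([^;\s]+)/);
  const dkimDomain = dkim ? dkim[1].toLowerCase() : null;
  const aligned = (a, b) => !!(a && b && orgDomain(a) === orgDomain(b));
  const spfAligned = aligned(fromDomain, envelopeDomain);
  const dkimAligned = aligned(fromDomain, dkimDomain);
  return { fromDomain, spfAligned, dkimAligned, verdict: spfAligned || dkimAligned ? 'pass' : 'fail' };
}

// Constructed sample messages (the bh= and b= values are placeholders).
const LEGIT = [
  'Return-Path: <bounces@mail.bank.example>',
  'DKIM-Signature: v=1; a=rsa-sha256; d=bank.example; s=sel1;',
  ' h=from:to:subject; bh=xxxx; b=yyyy',
  'From: "Bank Support" <support@bank.example>',
  'To: alice@corp.example',
  'Subject: Statement available',
  '',
  'Your statement is ready.',
].join('\n');

const SPOOFED = [
  'Return-Path: <x7@bulkmail-sender.example>',
  'From: "Bank Support" <support@bank.example>',
  'To: alice@corp.example',
  'Subject: Urgent: verify your account',
  '',
  'Click here and enter your password.',
].join('\n');
```

The spoofed message shows the same From: line a user sees in the legitimate one; only the envelope and signature data reveal that it did not come from the bank's mail system.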
10. • Sniffing: a technique for intercepting computer communications.
• With wireless networks, drive-by sniffers simply take computers with wireless connections through an area and search for unprotected wireless networks (open, or using broken encryption such as WEP).
• On such a network they can monitor and intercept wireless traffic at will; only traffic that is itself encrypted end to end (TLS, SSH, a VPN) stays confidential.
11. • There are three components of a sound organizational security program:
1. Senior management must establish a security policy and manage risks.
2. Safeguards of various kinds must be established for all five components of an IS, as the figure on the next slide demonstrates.
3. The organization must plan its incident response before any problems occur.
12. Security Safeguards as They Relate to the Five Components
13. What is senior management's security role?
 The NIST Handbook (NIST Special Publication 800-12, An Introduction to Computer Security) lists the necessary elements of an effective security program, as this figure shows. *National Institute of Standards and Technology
14. • Senior managers should ensure their organization has an effective security policy that includes these elements:
1. A general statement of the organization's security program
2. Issue-specific policies, like personal use of email and the Internet
3. System-specific policies, which cover individual systems and ensure the company is complying with laws and regulations.
15. • Senior managers must also manage risks associated with information systems security.
1. Risk is the likelihood of an adverse occurrence.
2. You can reduce risk, but always at a cost. The amount of money you spend on security influences the amount of risk you must assume.
3. Uncertainty is the things we do not know that we do not know.
16. Senior Management's Security Role
 When you're assessing risks to an information system you must first determine:
 What the threats are
 How likely they are to occur
 The consequences if they occur
17. Fig 12-4 Risk Assessment Factors
 When you're assessing risks to an information system you must first determine what the threats are, how likely they are to occur, and the consequences if they occur.
 The figure lists the factors you should include in a risk assessment.
 Once you've assessed the risks to your information system, you must make decisions about how much security you want to pay for. Each decision carries consequences.
 Some risk is easy and inexpensive to reduce.
 Some risk is expensive and difficult to reduce.
 Managers have a fiduciary responsibility to the organization to adequately manage risk.
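An added worked example (not from the slide deck) of the risk decision slides 15 to 17 describe, in their own terms: each threat has a likelihood (expected occurrences per year) and a consequence (loss per occurrence), their product is the expected annual loss, and a safeguard is worth paying for only when the loss it prevents exceeds its own annual cost. Every figure, threat name and safeguard below is constructed for the example.

```javascript
// Added example, not from the slides. Expected annual loss = likelihood x consequence.

function annualLoss(threat) {
  return threat.perYear * threat.lossPerEvent;
}

// Rank threats by expected annual loss, highest first, to decide where to spend.
function rankThreats(threats) {
  return [...threats].sort((a, b) => annualLoss(b) - annualLoss(a));
}

// Net annual benefit of a safeguard: loss before, minus residual loss after the
// safeguard cuts the likelihood by `reduction`, minus what the safeguard costs.
// A negative result means the organization should accept the risk instead.
function safeguardBenefit(threat, safeguard) {
  const before = annualLoss(threat);
  const after = annualLoss({ ...threat, perYear: threat.perYear * (1 - safeguard.reduction) });
  return before - after - safeguard.annualCost;
}

function isJustified(threat, safeguard) {
  return safeguardBenefit(threat, safeguard) > 0;
}

// Constructed figures for the example.
const THREATS = [
  { name: 'laptop lost with unencrypted data', perYear: 4, lossPerEvent: 50000 },
  { name: 'phishing leads to account takeover', perYear: 2, lossPerEvent: 120000 },
  { name: 'flood in server room', perYear: 0.02, lossPerEvent: 2000000 },
  { name: 'operator deletes wrong table', perYear: 6, lossPerEvent: 8000 },
];

const DISK_ENCRYPTION = { name: 'full-disk encryption', reduction: 0.95, annualCost: 30000 };
const RELOCATE_SERVERS = { name: 'move servers off the flood plain', reduction: 1.0, annualCost: 75000 };
```

Ranking first stops money going to the most dramatic threat (the flood) instead of the most expensive one (phishing); the benefit calculation then shows disk encryption paying for itself many times over while relocating the servers costs more than the flood risk it removes.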
18. What technical safeguards are available?
 You can establish five technical safeguards for the hardware and software components of an information system, as the figure on the next slide shows.
– Identification and authentication includes
– passwords (what you know),
– smart cards (what you have), and
– biometric authentication (what you are).
 Since users must access many different systems, it's often easier, and can be more secure, to establish a single sign-on for multiple systems: users keep one strong credential instead of many weak ones, and an account can be disabled in one place. The trade-off is that the sign-on service becomes the single point of compromise, so it must itself be protected with more than one factor.
19. Security Layers We'll Discuss!
20. What's Encryption?
• The process of transforming original text (plaintext) into a secret message (ciphertext) using cryptography and a key; only someone holding the right key can reverse it.
• Cryptography is the science of transforming information so that it is secure while it is being transmitted or stored.
• Encryption alone hides content; it does not by itself detect alteration. Modern authenticated-encryption modes (such as AES-GCM) add an integrity tag, so a tampered message is rejected rather than decrypted into garbage.
21. Firewalls
• Firewalls, the third technical safeguard, should be installed and used with every computer that's connected to any network, especially the Internet.
• Firewalls can be hardware or software, used independently of each other or used together.
22. Perimeter & Internal Firewalls
– The diagram shows how perimeter and internal firewalls are special devices that help protect a network: the perimeter firewall sits between the Internet and the organization, and internal firewalls separate internal segments from one another so that a compromise of one does not reach the rest.
– Packet-filtering firewalls are programs on general-purpose computers or on routers that examine each packet entering or leaving the network and act as a gateway to the network, passing or dropping each packet according to an ordered list of rules.
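An added example (not from the slide deck) of the packet filter slide 22 describes: rules are evaluated in order, the first match decides, and a packet that matches nothing is dropped (default deny). A perimeter rule set lets the Internet reach only a DMZ web server on port 443, and a stricter internal rule set lets only that web server reach the database. All addresses, networks and packets are constructed for the example; this filter is stateless and inspects headers only, whereas real firewalls also track connection state.

```javascript
// Added example, not from the slides: a first-match, default-deny packet filter.

function ipToInt(ip) {
  return ip.split('.').reduce((acc, o) => (acc << 8) + Number(o), 0) >>> 0;
}

// True when ip lies inside the CIDR block; 'any' matches everything.
function inBlock(ip, block) {
  if (block === 'any') return true;
  const [net, bitsStr] = block.split('/');
  const bits = bitsStr === undefined ? 32 : Number(bitsStr);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipToInt(ip) & mask) >>> 0) === ((ipToInt(net) & mask) >>> 0);
}

// Rules are tried in order; the first rule matching proto, src, dst and
// destination port decides. No match means deny.
function filter(rules, pkt) {
  for (const r of rules) {
    if (r.proto !== 'any' && r.proto !== pkt.proto) continue;
    if (!inBlock(pkt.src, r.src) || !inBlock(pkt.dst, r.dst)) continue;
    if (r.dport !== 'any' && r.dport !== pkt.dport) continue;
    return r.action;
  }
  return 'deny';
}

// Perimeter firewall (constructed): only HTTPS to the DMZ web server gets in.
const PERIMETER = [
  { proto: 'tcp', src: 'any', dst: '203.0.113.10', dport: 443, action: 'allow' },
  { proto: 'any', src: 'any', dst: '10.0.0.0/8', dport: 'any', action: 'deny' },
];

// Internal firewall (constructed): only the web server may talk to the database.
const INTERNAL = [
  { proto: 'tcp', src: '203.0.113.10', dst: '10.0.2.20', dport: 5432, action: 'allow' },
  { proto: 'any', src: 'any', dst: '10.0.2.0/24', dport: 'any', action: 'deny' },
];

// Constructed packets run through the two rule sets.
function verdicts() {
  const internet = '198.51.100.7';
  return {
    webFromInternet: filter(PERIMETER, { proto: 'tcp', src: internet, dst: '203.0.113.10', dport: 443 }),
    sshFromInternet: filter(PERIMETER, { proto: 'tcp', src: internet, dst: '203.0.113.10', dport: 22 }),
    dbFromInternet: filter(PERIMETER, { proto: 'tcp', src: internet, dst: '10.0.2.20', dport: 5432 }),
    dbFromWeb: filter(INTERNAL, { proto: 'tcp', src: '203.0.113.10', dst: '10.0.2.20', dport: 5432 }),
    dbFromWorkstation: filter(INTERNAL, { proto: 'tcp', src: '10.0.5.33', dst: '10.0.2.20', dport: 5432 }),
  };
}
```

The internal rule set is what the slide's second firewall buys: even if the web server in the DMZ is compromised, a workstation or a laptop on the office network still cannot open a connection to the database.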
23. Malware Protection
• Malware protection is the fourth technical safeguard. We'll concentrate on spyware and adware here.
– Spyware are programs that may be installed on your computer without your knowledge or permission; they observe your actions and keystrokes and report what they see to a third party.
– Adware is a related program that's also installed without your permission. It resides in your computer's background and observes your behavior, usually to produce targeted pop-up ads; it is less harmful than spyware but still unwanted.
24. • If your computer displays any of the symptoms in this figure, you may have one of these types of malware on your computer.
25. Safeguard your computer against malware:
– Install antivirus and antispyware programs.
– Scan your computer frequently for malware.
– Update malware definitions often or use an automatic update process.
– Open email attachments only from known sources, and even then be wary.
– Promptly install software updates from legitimate sources, like Microsoft for your operating system or McAfee for your antimalware software.
– Browse only in reputable Internet neighborhoods. Malware is often associated with rogue Web sites.
26. What data safeguards are available?
 To protect databases and other data sources, an organization should follow the safeguards listed in this figure.
 Remember, data and the information derived from it are among the most important resources an organization has.
27. What human safeguards are available?
• Human safeguards for employees are some of the most important safeguards an organization can deploy.
• They should be coupled with effective procedures to help protect information systems.
28. • An organization needs human safeguards for nonemployees, whether they are temporary employees, vendors, business partners, or the public. Here are a few suggestions:
– Ensure any contracts between the organization and other workers include security policies. Third-party employees should be screened and trained the same as direct employees.
– Web sites used by third-party employees and the public should be hardened against misuse or abuse.
– Protect outside users from internal security problems. If your system gets infected with a virus, you should not pass it on to others.
29. Account Administration
• Account administration is the third type of human safeguard and has three components: account management, password management, and help-desk policies.
– Account management focuses on
• Establishing new accounts
• Modifying existing accounts
• Terminating unnecessary accounts.
30. More Human Safeguards
 Password management requires that users
 Immediately change newly created passwords
 Change passwords periodically
 Sign an account acknowledgment form like the one in this figure. Fig 12-13 Sample Account Acknowledgement Form
31. – Help-desks have been a source of problems for account administration because of the inherent nature of their work.
• It is difficult for the help-desk to determine exactly with whom they're speaking. Users call up for a new password without the help-desk having a method of definitively identifying who is on the other end of the line.
• There must be policies in place to provide ways of authenticating users, like asking questions only the user would know the answers to. Such questions are weak on their own (the answers are often findable online), so a callback to a phone number already on record, or confirmation by the user's manager, should be required before a password is reset, and any password the help-desk issues should be temporary and changed at first login.
• Users have a responsibility to help the help-desk by responsibly controlling their passwords.
32. • Effective system procedures can help increase security and reduce the likelihood of computer crime. As this figure shows, procedures should exist for both system users and operations personnel that cover normal, backup, and recovery procedures. Fig 12-14 Systems Procedures
Security monitoring is the last human safeguard. It includes:
 Activity log analyses
 Security testing
 Investigating and learning from security incidents.
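An added example (not from the slide deck) of the activity log analysis slide 32 lists under security monitoring: sshd-style log lines are parsed into events, and a source address that fails to log in too many times within a short window, the signature of password guessing, is reported. The log lines, host names, addresses, threshold and window are all constructed assumptions for the example, and the timestamps are assumed to fall on one day.

```javascript
// Added example, not from the slides: brute-force detection over auth log lines.

// Constructed log excerpt: five failures from one address in seven seconds,
// then normal activity from an office workstation including one typo.
const LOG = `
Mar  3 09:14:02 web1 sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 51222 ssh2
Mar  3 09:14:04 web1 sshd[2203]: Failed password for root from 198.51.100.7 port 51230 ssh2
Mar  3 09:14:05 web1 sshd[2205]: Failed password for root from 198.51.100.7 port 51231 ssh2
Mar  3 09:14:07 web1 sshd[2207]: Failed password for invalid user oracle from 198.51.100.7 port 51240 ssh2
Mar  3 09:14:09 web1 sshd[2209]: Failed password for root from 198.51.100.7 port 51244 ssh2
Mar  3 09:15:30 web1 sshd[2231]: Accepted publickey for alice from 10.0.5.33 port 40112 ssh2
Mar  3 09:20:11 web1 sshd[2250]: Failed password for alice from 10.0.5.33 port 40200 ssh2
Mar  3 09:20:40 web1 sshd[2252]: Accepted password for alice from 10.0.5.33 port 40201 ssh2
`.trim();

const LINE = /^(\w{3})\s+(\d+) (\d\d):(\d\d):(\d\d) \S+ sshd\[\d+\]: (Failed|Accepted) (?:password|publickey) for (?:invalid user )?(\S+) from (\S+) port/;

// Parse one syslog line into { t (seconds since midnight), outcome, user, ip },
// or null for lines that are not sshd authentication events.
function parseLine(line) {
  const m = line.match(LINE);
  if (!m) return null;
  const [, , , hh, mm, ss, outcome, user, ip] = m;
  return { t: Number(hh) * 3600 + Number(mm) * 60 + Number(ss), outcome, user, ip };
}

// Sliding window per source address: alert when at least `threshold` failures
// fall within `windowSec` seconds. Returns one alert per offending address.
function detectBruteForce(logText, threshold = 5, windowSec = 60) {
  const failuresByIp = new Map();
  for (const line of logText.split('\n')) {
    const ev = parseLine(line);
    if (!ev || ev.outcome !== 'Failed') continue;
    if (!failuresByIp.has(ev.ip)) failuresByIp.set(ev.ip, []);
    failuresByIp.get(ev.ip).push(ev.t);
  }
  const alerts = [];
  for (const [ip, times] of failuresByIp) {
    times.sort((a, b) => a - b);
    let start = 0;
    for (let end = 0; end < times.length; end++) {
      while (times[end] - times[start] > windowSec) start++; // drop events outside the window
      if (end - start + 1 >= threshold) {
        alerts.push({ ip, failures: end - start + 1, firstT: times[start], lastT: times[end] });
        break;
      }
    }
  }
  return alerts;
}
```

The window matters: alice's single mistyped password is counted but never reaches the threshold, while the attacker's burst does, so the rule catches guessing without paging someone every time a user fat-fingers a login.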
33. How should organizations respond to security incidents?
• No system is fail-proof. Every organization must have an effective plan for dealing with a loss of computing systems. This figure describes disaster preparedness tasks for every organization, large and small. The last item, that an organization train and rehearse its disaster preparedness plans, is very important.
34. What is the extent of computer crime?
• The full extent of computer crime is unknown. There is no national census because many organizations are reluctant to report losses for fear of alienating customers, suppliers, and business partners. dollar loss.