Information Security Discussion for GM667 Saint Mary's University of MN
1. Fundamental Principles of Security
   Three Control Objectives
   • Confidentiality
   • Integrity
   • Availability
   These three fundamental control objectives provide the means to identify all business exposures, assess risks and select controls.

2. Three Control Objectives: Confidentiality principle
   Protection of sensitive information from unauthorized disclosure; prevention of inappropriate reading or copying.
   • Examples of confidential information
     – Medical records
     – Payroll lists
     – Client lists
     – Trade secrets

3. Three Control Objectives: Integrity principle
   Detection or prevention of inappropriate and unauthorized data transformations.
   • Threats to integrity may be classified as either accidental or intentional:
     – Errors
     – Omissions
     – Modification
     – Deletion
     – Replay and Insertion
   • Accidental integrity violations are actually data reliability problems.

4. Three Control Objectives: Availability principle
   Ensuring systems resources are available to sustain critical business activities.
   • Preparation for an unforeseen event
   • It has many names: Contingency Planning; Disaster Recovery Planning; Business Continuance Planning
   • Two Primary Objectives
     – Disaster Avoidance or Mitigation Strategies
     – Disaster Recovery Procedures

5. Three Control Objectives ("CIA")
   • Confidentiality
   • Integrity
   • Availability
   These three fundamental control objectives provide the means to identify all business exposures, assess risks and select controls.
   Which one is the most important to your organization?

6. Information Security Definition
   The protection of information assets from unauthorized disclosure, modification, or destruction; or the inability to process that information.
   Embedded within the basic definition of information security are the three fundamental principles of information security:
   • Confidentiality principle
   • Integrity principle
   • Availability principle

7. Risk Management
   The following terms are routinely used during information security projects; they are often used interchangeably and incorrectly.
   • Threat
   • Vulnerability
   • Threat Agent
   • Exposure
   • Control
   • Risk

8. Risk Management Terminology: Threat
   An event or action that can have a negative impact upon an organization,
   or
   a potential danger to an information system.

9. Examples of Threats
   • Unauthorized access
     – Hackers
     – Mishandled password
   • Misuse of authorized access
   • Interception of information
     – Wiretap
     – Document left at a copier
   • Introduction of malicious software
     – Virus
     – Worms
     – Trojan Horses
   • Denial of Service Attacks
   • Accidental alteration or deletion of data
   • Social Engineering
   • Undetected software errors
   • Natural disasters
   • A bomb
   • A fire
   • Disgruntled employee

10. Risk Management Terminology: Vulnerability
   A condition which allows a threat to occur,
   or
   a software, hardware or procedural weakness.
   • Threats considered alone do not provide very meaningful information
   • Threats and vulnerabilities are best considered in pairs
   • Threats describe the environment; external considerations
     – Your organization may have little control or influence over these
   • Vulnerabilities describe the internal environment
     – Vulnerabilities are your responsibility; you can take action to correct these

11. Examples of Threat/Vulnerability Pairing
   Threat (we have little or no control over these) → Vulnerability (things you can change)
   • Bomb → An operations center with signage
   • Water → A data center below ground level
   • Disgruntled employee → No exit or termination procedures
   • Severed network cables → Unlocked telecom cable closets

12. Risk Management Terminology: Threat Agent
   The entity that takes advantage of a vulnerability.
   Examples:
   • Intruder
   • Employee
   • Software

13. Risk Management Terminology: Exposure
   The negative effect or loss that results after a threat occurs.
   • Monetary Loss
     – Direct: Destruction or Theft of Assets
     – Indirect: Replacement Costs, Customer Bad Will
   • Loss of Business
   • Loss of Public Trust or Confidence
   • Negative Publicity
   • Loss of New Business Opportunities

14. Risk Management Terminology: Risk
   The likelihood of a threat agent taking advantage of a vulnerability.
   There are two approaches used to measure risk:
   • Quantitative Methods
   • Qualitative Methods

15. Risk Management Terminology: Control
   Mechanisms or procedures used to prevent, detect or limit exposures,
   or
   a countermeasure or safeguard that mitigates risk.
   There are three basic types of controls:
   • Administrative
   • Physical
   • Technical

16. Risk Management Terminology: Controls Cube
   [Figure: a cube with one axis for the control function (Prevent, Detect, Limit) and one for the control type (Administrative, Physical, Technical).]
   This simple graphic shows the types of controls available. All types must be used to form a complete and effective system of controls.

17. Risk Management Terminology: Examples of Controls
   (Cube axes: P D L = Prevent, Detect, Limit; A P T = Administrative, Physical, Technical)
   Administrative/Prevention Controls:
   • Segregation of duties
   • Security checks on new personnel
   • Authorization process for changes
   Physical/Detection Controls:
   • Cameras
   • Door intrusion alarms
   Technical/Limiting Controls:
   • Transaction limits on ATM cards
   • Access privileges on user accounts
18. Controls: Another Perspective
   [Figure: Information Assets at the center, surrounded by layers of controls: Network Controls, Computer Controls, Audit Programs, Physical Controls, Other controls...]

19. Risk Management Terminology Summary
   • Threat: An event or action that can have a negative impact upon an organization
   • Vulnerability: A condition that allows a threat to occur
   • Threat Agent: The entity that takes advantage of a vulnerability
   • Exposure: The negative effect or loss that results after a threat occurs
   • Control: Mechanisms or procedures used to prevent, detect or limit exposures

20. Risk Management Terminology
   From: CISSP Exam Guide, Shon Harris, McGraw Hill
   Threat Agent → gives rise to a → Threat → which exploits a → Vulnerability → and creates → Risk → can damage → Asset → and cause an → Exposure → may be countered with… → Control

21. Information Security Definition
   The protection of information assets from unauthorized disclosure, modification, or destruction, or the inability to process that information.
   Remember, our basic definition of security is to protect information. This information may be moving (through a network), at rest (in storage), or being manipulated (processed by a computer or human). Keep your eye on the information, no matter where it is.