Information Security Discussion for GM667 Saint Mary's University of MN
Information security basics
Transcript

  • 1. Fundamental Principles of Security
    Three Control Objectives
    – Confidentiality
    – Integrity
    – Availability
    These three fundamental control objectives provide means to identify all business exposures, assess risks and select controls.
  • 2. Three Control Objectives: Confidentiality principle
    Protection of sensitive information from unauthorized disclosure; prevention of inappropriate reading or copying.
    Examples of confidential information:
    – Medical records
    – Payroll lists
    – Client lists
    – Trade secrets
  • 3. Three Control Objectives: Integrity principle
    Detection or prevention of inappropriate and unauthorized data transformations.
    Threats to integrity may be classified as either accidental or intentional:
    – Errors
    – Omissions
    – Modification
    – Deletion
    – Replay and insertion
    Accidental integrity violations are actually data reliability problems.
  • 4. Three Control Objectives: Availability principle
    Ensuring system resources are available to sustain critical business activities.
    – Preparation for an unforeseen event
    – It has many names: Contingency Planning; Disaster Recovery Planning; Business Continuance Planning
    – Two primary objectives: Disaster Avoidance or Mitigation Strategies; Disaster Recovery Procedures
  • 5. Three Control Objectives (“CIA”)
    – Confidentiality
    – Integrity
    – Availability
    These three fundamental control objectives provide means to identify all business exposures, assess risks and select controls. Which one is the most important to your organization?
  • 6. Information Security Definition
    The protection of information assets from unauthorized disclosure, modification, or destruction; or the inability to process that information.
    Embedded within the basic definition of information security are the three fundamental principles of information security:
    – Confidentiality principle
    – Integrity principle
    – Availability principle
  • 7. Risk Management
    The following terms are routinely used during information security projects; they are often used interchangeably and incorrectly.
    – Threat
    – Vulnerability
    – Threat Agent
    – Exposure
    – Control
    – Risk
  • 8. Risk Management Terminology: Threat
    An event or action that can have a negative impact upon an organization, or a potential danger to an information system.
  • 9. Examples of Threats
    – Unauthorized access: hackers; mishandled password
    – Misuse of authorized access
    – Interception of information: wiretap; document left at a copier
    – Introduction of malicious software: virus; worms; Trojan horses
    – Denial of Service attacks
    – Accidental alteration or deletion of data
    – Social engineering
    – Undetected software errors
    – Natural disasters
    – A bomb
    – A fire
    – Disgruntled employee
  • 10. Risk Management Terminology: Vulnerability
    A condition which allows a threat to occur, or a software, hardware or procedural weakness.
    – Threats considered alone do not provide very meaningful information
    – Threats and vulnerabilities are best considered in pairs
    – Threats describe the environment; external considerations. Your organization may have little control or influence over these
    – Vulnerabilities describe the internal environment. Vulnerabilities are your responsibility; you can take action to correct these
  • 11. Examples of Threat/Vulnerability Pairing
    Threats (we have little or no control over these) paired with vulnerabilities (things you can change):
    – Bomb: an operations center with signage
    – Water: a data center below ground level
    – Disgruntled employee: no exit or termination procedures
    – Severed network cables: unlocked telecom cable closets
  • 12. Risk Management Terminology: Threat Agent
    The entity that takes advantage of a vulnerability. Examples:
    – Intruder
    – Employee
    – Software
  • 13. Risk Management Terminology: Exposure
    The negative effect or loss that results after a threat occurs.
    – Monetary loss. Direct: destruction or theft of assets. Indirect: replacement costs, customer bad will
    – Loss of business
    – Loss of public trust or confidence
    – Negative publicity
    – Loss of new business opportunities
  • 14. Risk Management Terminology: Risk
    The likelihood of a threat agent taking advantage of a vulnerability. Two approaches are used to measure risk:
    – Quantitative methods
    – Qualitative methods
  • 15. Risk Management Terminology: Control
    Mechanisms or procedures used to prevent, detect or limit exposures, or a countermeasure or safeguard that mitigates risk. There are three basic types of controls:
    – Administrative
    – Physical
    – Technical
  • 16. Risk Management Terminology: Controls Cube
    This simple graphic shows the types of controls available as a cube, with the objectives (Prevent, Detect, Limit) on one axis and the control types (Administrative, Physical, Technical) on the other. All types must be used to form a complete and effective system of controls.
  • 17. Risk Management Terminology: Examples of Controls
    Administrative/Prevention controls:
    – Segregation of duties
    – Security checks on new personnel
    – Authorization process for changes
    Physical/Detection controls:
    – Cameras
    – Door intrusion alarms
    Technical/Limiting controls:
    – Transaction limits on ATM cards
    – Access privileges on user accounts
  • 18. Controls: Another Perspective
    Information assets and the controls around them:
    – Network controls
    – Computer controls
    – Audit programs
    – Physical controls
    – Other controls...
  • 19. Risk Management Terminology Summary
    – Threat: an event or action that can have a negative impact upon an organization
    – Vulnerability: a condition that allows a threat to occur
    – Threat Agent: the entity that takes advantage of a vulnerability
    – Exposure: the negative effect or loss that results after a threat occurs
    – Control: mechanisms or procedures used to prevent, detect or limit exposures
  • 20. Risk Management Terminology (from the CISSP Exam Guide, Shon Harris, McGraw Hill)
    A Threat Agent gives rise to a Threat, which exploits a Vulnerability and creates Risk; the risk can damage an Asset and cause an Exposure, which may be countered with a Control.
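To make the risk terminology of slides 7 through 20 concrete, the following Python is an added example (not part of the presentation): it scores the slide 11 threat/vulnerability pairings both quantitatively and qualitatively, ranks them, and checks a control inventory against the slide 16 cube. The likelihood and dollar figures, the banding thresholds, and the expected-annual-loss formula (likelihood times exposure) are assumptions of this example, not figures from the slides.

```python
from dataclasses import dataclass
from itertools import product

# The controls cube from the slides: three objectives x three control types.
OBJECTIVES = ("prevent", "detect", "limit")
TYPES = ("administrative", "physical", "technical")
LEVEL = {"low": 0, "medium": 1, "high": 2}

@dataclass(frozen=True)
class Pair:
    """One threat/vulnerability pairing with constructed risk inputs."""
    threat: str
    vulnerability: str
    likelihood_pct: int  # chance per year that a threat agent exploits the vulnerability
    exposure: int        # dollar loss if the threat occurs

def quantitative_risk(p: Pair) -> float:
    """Expected annual loss = likelihood x exposure (assumed quantitative method)."""
    return p.likelihood_pct * p.exposure / 100

def qualitative_risk(p: Pair) -> str:
    """Rate the pair low/medium/high by banding likelihood and exposure instead of pricing them."""
    lik = "high" if p.likelihood_pct >= 50 else "medium" if p.likelihood_pct >= 10 else "low"
    imp = "high" if p.exposure >= 100_000 else "medium" if p.exposure >= 10_000 else "low"
    score = LEVEL[lik] + LEVEL[imp]
    return "high" if score >= 3 else "medium" if score == 2 else "low"

def rank_register(pairs):
    """Order pairings by expected annual loss, highest first, so controls go where they matter most."""
    return sorted(pairs, key=quantitative_risk, reverse=True)

def coverage_gaps(controls):
    """Cube cells (objective, type) with no control assigned; empty means every cell is covered."""
    covered = {(c["objective"], c["type"]) for c in controls}
    return [cell for cell in product(OBJECTIVES, TYPES) if cell not in covered]

# Constructed register from the slide 11 pairings; the figures are illustrative only.
SAMPLE_PAIRS = [
    Pair("Bomb", "Operations center with signage", 1, 2_000_000),
    Pair("Water", "Data center below ground level", 20, 250_000),
    Pair("Disgruntled employee", "No exit or termination procedures", 50, 60_000),
    Pair("Severed network cables", "Unlocked telecom cable closets", 30, 20_000),
]
# Constructed inventory using three of the slide 17 examples, tagged with their cube cell.
SAMPLE_CONTROLS = [
    {"name": "Segregation of duties", "type": "administrative", "objective": "prevent"},
    {"name": "Cameras", "type": "physical", "objective": "detect"},
    {"name": "Transaction limits on ATM cards", "type": "technical", "objective": "limit"},
]
```

`rank_register(SAMPLE_PAIRS)` puts the flooded data center first even though the bomb has the larger single loss, because risk weighs likelihood as well as exposure; `coverage_gaps(SAMPLE_CONTROLS)` reports the six cube cells the sample inventory leaves empty.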
  • 21. Information Security Definition
    The protection of information assets from unauthorized disclosure, modification, or destruction, or the inability to process that information.
    Remember, our basic definition of security is to protect information. This information may be moving (through a network), at rest (in storage), or being manipulated (processed by a computer or human). Keep your eye on the information, no matter where it is.