• Introduction to information security.
What is information security, threat, risks, vulnerabilities, basic terms and definition?
• Building blocks of information security strategy, policies and standards.
Identify and establish country wide information security strategy, establish policies standards and procedures, implementation of different types of control objectives: managerial, technologies, business processes. Introduction to main domains of information security management system depending on international information security standard (ISO 2700x).
• Actions, roles and responsibilities.
What kind of actions is needed for information security risk treatment. Roles and responsibilities of information security professionals.
By Vasil Tsvimitidze
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Information Security Basics
1. Georgia NATO
FROM STRATEGY TO ACTION
Turkey, Ankara 2012
Vasil Tsvimitidze
2. Introduction 2
Introduction to information security.
What is information security, threat, risks, vulnerabilities, basic terms and definition?
Building blocks of information security strategy, policies and standards.
Identify and establish country wide information security strategy, establish policies
standards and procedures, implementation of different types of control objectives:
managerial, technologies, business processes. Introduction to main domains of
information security management system depending on international information
security standard (ISO 2700x).
Actions, roles and responsibilities.
What kind of actions is needed for information security risk treatment. Roles and
responsibilities of information security professionals.
3. First sections 3
Introduction to information security.
What is Information?
What is Information Security?
What is RISK?
4. Information 4
Information
'Information is an asset which, like other important business
assets, has value to an organization and consequently needs to be
suitably protected’
Information can be
Created Stolen
Stored
Printed or written on paper
Destroyed
Stored electronically
Processed
Transmitted by post or using
Transmitted
electronics means
Used – (For proper &
Shown on corporate videos
improper purposes)
Corrupted Displayed / published on web
Lost Verbal – spoken in
conversations
‘…Whatever form the information takes, or means by which it is
shared or stored, it should always be appropriately protected’
5. Information Security 5
What Is Information Security
The quality or state of being secure to be free from danger
Security is achieved using several strategies
Security is achieved using several strategies simultaneously or used in
combination with one another
Security is recognized as essential to protect vital processes and the systems
that provide those processes
Security is not something you buy, it is something you do
The architecture where an integrated combination of appliances, systems
and solutions, software, alarms, and vulnerability scans working together
Monitored 24x7
Having People, Processes, Technology, policies, procedures,
Security is for PPT and not only for appliances or devices
6. Information Security vs IT Security 6
Information Security is preservation of confidentiality, integrity and availability of
information; in addition, other properties such as authenticity, accountability, non-
repudiation and reliability can also be involved regardless of the form the information
may take - electronic, printed, or other forms.
IT Security is protection of the information technology assets such as computers and
peripheral equipment, communications equipment, computing and communication
premises, supplies and data storage media, operating system and application software.
8. People 8
People “Who we are”
People who use or interact with the
Information include:
Share Holders / Owners
Management
Employees
Business Partners
Service providers
Contractors
Customers / Clients
Regulators etc…
9. Process 9
Process “what we do”
The processes refer to "work practices" or workflow. Processes are the repeatable
steps to accomplish business objectives. Typical process in our IT Infrastructure could
include:
Helpdesk / Service management
Incident Reporting and Management
Change Requests process
Request fulfillment
Access management
Identity management
Sar
Service Level / Third-party Services Management
oj
IT procurement process etc...
10. 10
Technology “what we use to improve what we do”
Network Infrastructure: Application software:
Cabling, Data/Voice Networks and equipment Finance and assets systems, including
Telecommunications services (PABX), including Accounting packages, Inventory management,
VoIP services , ISDN , Video Conferencing HR systems, Assessment and reporting systems
Server computers and associated storage Software as a service (Sass) - instead of
devices software as a packaged or custom-made
product. Etc..
Operating software for server computers
Physical Security components:
Communications equipment and related
hardware. CCTV Cameras
Intranet and Internet connections Clock in systems / Biometrics
VPNs and Virtual environments Environmental management Systems: Humidity
Control, Ventilation , Air Conditioning, Fire
Remote access services Control systems
Wireless connectivity Electricity / Power backup
Access devices:
Desktop computers, Thin client computing.
Laptops, ultra-mobile laptops and PDAs
Digital cameras, Printers, Scanners, Photocopier etc.
11. Information Security 11
INFORMATION SECURITY
1. Protects information from a range of threats
2. Ensures business continuity
3. Minimizes financial loss
4. Optimizes return on investments
5. Increases business opportunities
Business survival depends on information security.
12. Information Attributes 12
ISO 27002:2005 defines Information Security as the preservation of:
Ensuring that information is accessible only to
Confidentiality those authorized to have access
Safeguarding the accuracy and completeness of
information and processing methods
Integrity
Ensuring that authorized users have access to
vailability information and associated assets when
required
13. Information Attributes 13
Security breaches leads to…
Reputation loss
Financial loss
Intellectual property loss
Legislative Breaches leading to legal actions
(Cyber Law)
Loss of customer confidence
Business interruption costs
LOSS OF GOODWILL
14. SURVEY 14
Information Security is “Organizational Problem”
rather than “IT Problem”
More than 70% of Threats are Internal
More than 60% culprits are First Time fraudsters
Biggest Risk : People
Biggest Asset : People
Social Engineering is major threat
More than 2/3rd express their inability to determine “Whether my systems
are currently compromised?”
15. Risk 15
What is Risk?
Risk: A possibility that a threat exploits a vulnerability in an asset and
causes damage or loss to the asset.
Threat: Something that can potentially cause damage to the organization,
IT Systems or network.
Vulnerability: A weakness in the organization, IT Systems, or network
that can be exploited by a threat.
16. 16
Risk, Threats, and Vulnerabilities
Relationship between Risk, Threats,
and Vulnerabilities
exploit
Threats Vulnerabilities
reduce Information
Controls * Risk
assets
Protection Asset values
Requirements
17. Threat Identification 17
Threat Identification
Elements of threats
Agent : The catalyst that performs the threat.
Human
Machine
Nature
Motive : Something that causes the agent to act.
Accidental
Intentional
Only motivating factor that can be both accidental and intentional is human
Results : The outcome of the applied threat. The results normally lead to the loss of CIA
Confidentiality
Integrity
Availability
18. Threats 18
Employees
External Parties
Low awareness of security issues
Growth in networking and distributed computing
Growth in complexity and effectiveness of
hacking tools and viruses
Natural Disasters
fire,
flood,
Earthquake etc.
19. Threat Sources 19
Threat Sources
Source Motivation Threat
Challenge Ego Game System hacking Social engineering
External Hackers Playing Dumpster diving
Deadline Financial
problems Backdoors Fraud
Internal Hackers Disenchantment Poor documentation
System attack Social engineering
Revenge Letter bombs Viruses Denial of
Terrorist Political service
Corruption of data
Unintentional errors Malicious code introduction
Programming errors System bugs
Poorly trained employees Data entry errors Unauthorized access
20. Threat Categories and Examples 20
No Categories of Threat Example
1 Human Errors or failures Accidents, Employee mistakes
2 Compromise to Intellectual Property Piracy, Copyright infringements
3 Deliberate Acts or espionage or trespass Unauthorized Access and/or data collection
4 Deliberate Acts of Information extortion Blackmail of information exposure / disclosure
5 Deliberate Acts of sabotage / vandalism Destruction of systems / information
6 Deliberate Acts of theft Illegal confiscation of equipment or information
7 Deliberate software attacks Viruses, worms, macros Denial of service
8 Deviations in quality of service from service Power and WAN issues
provider
9 Forces of nature Fire, flood, earthquake, lightening
10 Technical hardware failures or errors Equipment failures / errors
11 Technical software failures or errors Bugs, code problems, unknown loopholes
12 Technological Obsolence Antiquated or outdated technologies
21. Information Attributes 21
High User Virus
Knowledge of IT Theft, Attacks
Systems Sabotage,
Misuse
Systems & Lapse in Natural
Network Lack Of Calamitie
Physical
Failure Documen s & Fire
Security
tation
22. 22
??????
SO HOW
DO WE
OVERCOME
THESE
PROBLEMS
?
23. Second section 23
Building blocks of information security strategy, policies and standards.
Building blocks of information security strategy, policies and standards.
Identify and establish country wide information security strategy,
establish policies standards and procedures, implementation of different
types of control objectives: managerial, technologies, business processes.
Introduction to main domains of information security management
system depending on international information security standard (ISO
2700x).
24. PDCA 24
Answer is: (Plan, Do, Check, Act)
Learning international best practices
Identify metrics and criteria's
Selecting basic standards
Building capacity
Management system implemetation
core standard for information security is
ISO 27001
25. Standard History 25
History
Early 1990
• DTI (UK) established a working group
• Information Security Management Code of Practice produced as BSI-DISC publication
1995
• BS 7799 published as UK Standard
1999
• BS 7799 - 1:1999 second revision published
2000
• BS 7799 - 1 accepted by ISO as ISO - 17799 published
• BS 7799-2:2002 published
ISO 27001:2005
Information technology — Security techniques — Information security management
systems — Requirements
ISO 27002:2005
Information technology — Security techniques — Code of practice for information
security management
26. ISO 27001 Features 26
ISO 27001
ISO 27001: This International Standard covers all types of organizations (e.g. commercial enterprises,
government agencies, non-profit organizations). This
International Standard specifies the requirements for establishing; implementing, operating, monitoring,
reviewing, maintaining and improving documented ISMS within the context of the organization’s overall
business risks. It specifies requirements for the implementation of security controls customized to the
needs of individual organizations or parts thereof.
The ISMS is designed to ensure the selection of adequate and proportionate security controls that protect
information assets and give confidence to interested parties
Features
Features of ISO 27001
Plan, Do, Check, Act (PDCA) Process Model
Process Based Approach
Stress on Continual Process Improvements
Scope covers Information Security not only IT Security
Covers People, Process and Technology
5600 plus organizations worldwide have been certified
11 Domains, 39 Control objectives, 133 controls
27. Second section 27
PDCA Process
ISMS PROCESS
Interested Interested
Parties Parties
Management Responsibility
PLAN
Establish
ISMS
DO
ACT
Implement &
Maintain &
Operate the
Improve
Information ISMS
Security
Managed
Requirements CHECK
Monitor &
Information
&
Review ISMS Security
Expectations
29. Information Attributes 29
Information Security Policy - To provide management direction and support for Information
security.
Organisation Of Information Security - Management framework for implementation
Asset Management - To ensure the security of valuable organisational IT and its related
assets
Human Resources Security - To reduce the risks of human error, theft, fraud or misuse of
facilities.
Physical & Environmental Security -To prevent unauthorised access, theft, compromise ,
damage, information and information processing facilities.
Communications & Operations Management - To ensure the correct and secure operation of
information processing facilities.
30. Information Attributes 30
Access Control - To control access to information and information processing facilities
on ‘need to know’ and ‘need to do’ basis.
Information Systems Acquisition, Development & Maintenance - To ensure security
built into information system
Information Security Incident Management - To ensure information security events
and weaknesses associated with information systems are communicated.
Business Continuity Management - To reduce disruption caused by disasters and
security failures to an acceptable level.
Compliance - To avoid breaches of any criminal and civil law, statutory, regulatory or
contractual obligations and of any security requirements.
32. 32
Information Security Governance On State Level
Parliament
Security council
Low draft for
Personal Data protection Law of State secret Crime code
information Security
Cyber security Strategy
Regulation for Information Security Government
Government agencies ministries and critical
Data Exchange agency
infrastructure
Information security strategy Normative and templates
Information Internal Info Information Security implementation plans
Info Sec comity
Security Officer Sec Audit reviewing and Analyzing
•Risk management (standard, procedures, guidelines) Providing Trainings
•Information asset management
•Incident Management Info Sec incident Handling
•End user standards and guidelines
Audit reports reviewing and analyzing
•Internal audit/ asurance
•….
Providing recommendations depending on
•….
existing global situation
33. Roles And Resposibilties
Information security strategy(policy)
Information security committee
Information security officer
Information Security audit
Information security specialists