Dr_Kamal_ch01.pptx

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Fundamentals of Information
Systems Security
Lesson 1
Information Systems Security

Learning Objective(s)
Page 2Fundamentals of Information Systems Security www.jblearning.com
www.jblearning.com
Fundamentals of Information Systems Security Page 2
 Explain information systems security and
its effect on people and businesses.

Key Concepts
www.jblearning.com
 Information systems security concepts
 Confidentiality, integrity, and availability (CIA)
 The seven domains of an IT infrastructure
 The weakest link in the security of an IT
infrastructure
 IT security policy framework and data
classification standard

Information Systems Security
Internet
• Is a worldwide network with more than 2 billion users
• Includes governments, businesses, and
organizations
• Links communication networks to one another
World Wide Web
• A system that defines how documents and
resources are related across network machines
www.jblearning.com

Recent Data Breaches: Examples
Adobe Systems Incorporated, 2013
• Hackers published data for 150 million accounts
• Stole encrypted customer credit card data
• Compromised login credentials
U.S. Office of Personnel Management, 2015
• Data breach impacted 22 million people
• Stole SSNs, names, places of birth, addresses
• Millions must be monitored for identity theft for years
www.jblearning.com

Cyberspace: The New Frontier
www.jblearning.com

Internet of Things (IoT)
www.jblearning.com

Risks, Threats, and Vulnerabilities
Likelihood that something bad will
happen to an asset
Risk
Any action that could damage an asset
Threat
A weakness that allows a threat to be
realized or to have an effect on an asset
Vulnerability
www.jblearning.com

What Is Information Systems
Security?
Hardware, operating system, and
application software that work together
to collect, process, and store data for
individuals and organizations
Information
system
The collection of activities that protect
the information system and the data
stored in it.
Information
system
security
www.jblearning.com

U.S. Compliance Laws Drive Need
for Information Systems Security
www.jblearning.com

Tenets of Information Systems
Security
www.jblearning.com

Tenets of Information Systems
Security
www.jblearning.com
Confidentiality: Only authorized
users can view information.
Integrity: Only authorized users can
change information.
Availability: Information is
accessible by authorized users
whenever they request the
information.

Confidentiality
Private data
of
individuals
Intellectual
property of
businesses
National
security for
countries
and
government
www.jblearning.com

Confidentiality (cont.)
Practice of hiding data and keeping
it away from unauthorized users
Cryptography
The process of transforming data
from cleartext into ciphertext
Encryption
The scrambled data that are the
result of encrypting cleartext
Ciphertext
www.jblearning.com

Encryption of Cleartext into
Ciphertext
www.jblearning.com

Integrity
Maintain valid, uncorrupted, and accurate
information
www.jblearning.com

Availability
www.jblearning.com
In the context of information security
• The amount of time users can use a system,
application, and data

Availability Time Measurements
Uptime
Downtime
Availability [A = (Total Uptime)/(Total Uptime + Total Downtime)]
Mean time to failure (MTTF)
Mean time to repair (MTTR)
Mean time between failures (MTBF)
Recovery time objective (RTO)
www.jblearning.com

Seven Domains of a Typical IT
Infrastructure
www.jblearning.com

Seven Domains of a Typical IT
Infrastructure
www.jblearning.com
1. User Domain: Defines the people who access an organization’s
information systems
2. Workstation Domain: Includes desktop computers, laptop computers,
special-purpose terminals, or any other device that connects to the
network
3. LAN Domain: A collection of computers connected to one another or to a
common connection medium
4. LAN-to-WAN Domain: Where the IT infrastructure links to a wide area
network and the Internet
5. WAN Domain: Connects remote locations
6. Remote Access Domain: Connects remote users to an organization’s IT
infrastructure
7. System/Application Domain: Holds all mission-critical systems,
applications, and data

User Domain
Roles and tasks
• Users can access systems, applications, and data
depending upon their defined access rights.
Responsibilities
• Employees are responsible for their use of IT assets.
Accountability
• HR department is accountable for implementing proper
employee background checks.
www.jblearning.com

Common Threats in the User Domain
www.jblearning.com
 Lack of user awareness
 User apathy toward policies
 User violating security policy
 User inserting CD/USB with personal files
 User downloading photos, music, or videos
 User destructing systems, applications, and data
 Disgruntled employee attacking organization or
committing sabotage
 Employee blackmail or extortion

Workstation Domain
Roles and tasks
• Configure hardware, harden systems, and verify
antivirus files.
Responsibilities
• Ensure the integrity of user workstations and data.
Accountability
• Director of IT security is generally in charge of ensuring
that the Workstation Domain conforms to policy.
www.jblearning.com

Common Threats in the Workstation
Domain
www.jblearning.com
 Unauthorized workstation access
 Unauthorized access to systems, applications,
and data
 Desktop or laptop operating system vulnerabilities
 Desktop or laptop application software
vulnerabilities or patches
 Viruses, malicious code, and other malware
 User inserting CD/DVD/USB with personal files
 User downloading photos, music, or videos

LAN Domain
Roles and tasks
• Includes both physical network components and logical
configuration of services for users.
Responsibilities
• LAN support group is in charge of physical components
and logical elements.
Accountability
• LAN manager’s duty is to maximize use and integrity of
data within the LAN Domain.
www.jblearning.com

Common Threats in the LAN Domain
www.jblearning.com
 Unauthorized physical access to LAN
 Unauthorized access to systems, applications,
and data
 LAN server operating system vulnerabilities
 LAN server application software vulnerabilities
and software patch updates
 Rogue users on WLANs
 Confidentiality of data on WLANs
 LAN server configuration guidelines and
standards

Weakest Link in the Security of an IT
Infrastructure
User is weakest link in security
Strategies for reducing risk
• Check background of job candidates carefully.
• Evaluate staff regularly.
• Rotate access to sensitive systems, applications, and
data among staff positions.
• Test applications and software and review for quality
• Regularly review security plans.
• Perform annual security control audits.
www.jblearning.com

Ethics and the Internet
www.jblearning.com
 Human behavior online is often less mature
than in normal social settings
 Demand for systems security professionals is
growing so rapidly
 U.S. government and Internet Architecture
Board (IAB) defined a policy regarding
acceptable use of Internet geared toward U.S.
citizens
• Policy is not a law or mandated

IT Security Policy Framework
Policy
• A short written statement that defines a course of
action that applies to entire organization
Standard
• A detailed written definition of how software and
hardware are to be used
Procedures
• Written instructions for how to use policies and
standards
Guidelines
• Suggested course of action for using policy,
standard, or procedure
www.jblearning.com

Hierarchical IT Security Policy
Framework
www.jblearning.com

Foundational IT Security Policies
www.jblearning.com
Acceptable use policy (AUP)
 Security awareness policy
 Asset classification policy
 Asset protection policy
 Asset management policy
 Vulnerability assessment/management
 Threat assessment and monitoring

Data about people that must be kept
private
Private data
Information or data owned by the
organization
Confidential
Information or data shared internally
by an organization
Information or data shared with the
public
Internal use
only
Public domain
data
www.jblearning.com
Data Classification Standards

Summary
www.jblearning.com
 Information systems security concepts
 Confidentiality, integrity, and availability (CIA)
 The seven domains of an IT infrastructure
 The weakest link in the security of an IT
infrastructure
 IT security policy framework and data
classification standard

Dr_Kamal_ch01.pptx

Recommended

Recommended

More Related Content

Similar to Dr_Kamal_ch01.pptx

Similar to Dr_Kamal_ch01.pptx (20)

Recently uploaded

Recently uploaded (20)

Dr_Kamal_ch01.pptx