Information Security

Information security focuses on protecting valuable information that will help businesses to succeed in their strategies. Confidentiality, integrity and availability are the three basic objectives of Information Security.
For more such innovative content on management studies, join WeSchool PGDM-DLP Program:

Published in: Business
Information Security

  1. I.T. for Management, Section 2, Chapter 18: Information Security
  2. Information Security: IT Security, Control, Audit & Governance. "Information is Power" is a very old adage in the IT sector. In today's world information is increasingly viewed as an asset which has real value and is to be protected. Accumulating information was once done more for statutory purposes. Today sophisticated data warehouses hold what may be considered a "gold mine" of knowledge, and data mining tools are available to extract the right information at the right time.
  3. Information Security: Objectives of IT Security Management. The purpose of IT Security Management is to ensure:
     • Confidentiality: restricting access to the right people for the right purpose
     • Integrity: correctness and validity of information stored or processed
     • Availability: ensuring information is available to authorized persons
  4. Information Security: In almost every large enterprise, the physical and IT security departments operate independently of each other. They are generally unaware of the strengths and weaknesses of one another's practices, the liabilities of operating independently, and the benefits of integrated security management.
  5. Information Security: Physical Security and IT Security. Physical security focuses on the protection of physical assets, personnel and facility structures. This involves managing the flow of individuals and assets into, out of, and within a facility. IT security focuses on the protection of information resources, primarily computer and telephone systems and their data networks. This involves managing the flow of information into, out of, and within a facility's IT systems, including human access to information systems and their networks. Clearly these two are separate domains. Why should they be integrated?
  6. Information Security: Physical Security and IT Security, a Management Issue. The question above accurately reflects the thoughts of most security practitioners as they approach this subject. How is the question misleading? To lean on a common idiom, it focuses on the trees rather than the forest. It is the management of physical and IT security that must be integrated. No one is going to integrate a brick wall and a database. However, the management of who is allowed inside the wall and inside the database must be integrated, or there will be gaps in the organization's security. Figure 1 below illustrates the concept of integrated security management. Whenever you hear or read the phrase "integration of physical and IT security," think "integration of physical and IT security management" and you'll be on the right track.
  7. Information Security
  8. Information Security: While it is true that many of the physical and IT security processes and procedures must be integrated at the technology level, it is not the technology that defines the integration. The business processes and procedures define it; the technology implements it. That's why the first step in integrating physical and IT security is an examination of security-related business requirements and the physical and IT security processes that support them. The integration of the business processes will determine where integration of physical security and IT technology is required.
  9. Information Security: Integrating Security Management
  10. Information Security: Types of control and examples
      • Physical security: doors & locks, gates, raised floors, double doors, UPS system
      • IT related: password, directory services, firewall, antivirus, application server, hot standby server, backup of software
      • Document related: correct labeling, version control, copies of key documents
      • Application specific: data validation so that only correct data is accepted (length, range and code checked); process related checks; output controls
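As an added example (not from the slides), the application-specific controls in the table above applied to a constructed batch of payment records: length, range and code checks on each input record, followed by an output control that reconciles the posted total with the declared batch total. The field names, limits, cost-centre code list and the reconciliation rule are assumptions for illustration.

```python
from dataclasses import dataclass, field

# Assumed limits and code list for the illustration.
VALID_COST_CENTRES = {"HR01", "FIN02", "OPS03"}   # code check reference list
MAX_DESCRIPTION_LEN = 40                           # length check limit
AMOUNT_RANGE = (0.01, 50_000.00)                   # range check limits

@dataclass
class CheckResult:
    accepted: list = field(default_factory=list)
    rejected: list = field(default_factory=list)   # (record, failed check) pairs

def validate_record(rec):
    """Input controls: return None if the record passes the length, range
    and code checks, otherwise the name of the first failing check."""
    if not (1 <= len(rec["description"]) <= MAX_DESCRIPTION_LEN):
        return "length"
    if not (AMOUNT_RANGE[0] <= rec["amount"] <= AMOUNT_RANGE[1]):
        return "range"
    if rec["cost_centre"] not in VALID_COST_CENTRES:
        return "code"
    return None

def process_batch(records, declared_total):
    """Run the input controls per record, then an output control: the sum of
    accepted amounts must reconcile with the batch total the sender declared."""
    result = CheckResult()
    for rec in records:
        reason = validate_record(rec)
        if reason is None:
            result.accepted.append(rec)
        else:
            result.rejected.append((rec, reason))
    posted_total = round(sum(r["amount"] for r in result.accepted), 2)
    reconciled = posted_total == round(declared_total, 2)
    return result, posted_total, reconciled

# Constructed sample batch: one valid record and one failing each check.
SAMPLE_BATCH = [
    {"description": "Office supplies", "amount": 120.50, "cost_centre": "HR01"},
    {"description": "x" * 60, "amount": 10.00, "cost_centre": "FIN02"},
    {"description": "Bonus", "amount": 75_000.00, "cost_centre": "FIN02"},
    {"description": "Consulting", "amount": 900.00, "cost_centre": "MKT99"},
]

if __name__ == "__main__":
    res, total, ok = process_batch(SAMPLE_BATCH, declared_total=1030.50)
    print(len(res.accepted), "accepted,", len(res.rejected), "rejected; posted",
          total, "reconciled" if ok else "NOT reconciled with declared total")
```

The declared total in the sample includes the rejected records, so the output control flags the batch as not reconciled; this is the gap between input checks and output checks that the table lists separately.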
  11. Information Security Standards: BS 7799 Standard. The subject of IT security is therefore not one of merely putting appropriate control measures in place, but a process approach whereby the information security has:
      • Defined organizational policy
      • Backing by management commitment
      • Necessary resources and defined procedures
      • Appropriate control objectives
      • Suitable control measures
      • Recording & reviewing of incidents
      • Continuous improvement of the security process
  12. Information Security Standards: BS 7799 Standard. BS 7799 is a British standard which addresses precisely this aspect. It provides a comprehensive framework within which an organization can set up an effective Information Security Management System (ISMS). More specifically, some of the control objectives which it describes include the following:
      • Management of the ISMS
      • Physical security
      • Information processing
      • Access to information for IT employees and outsourced vendors
      • Access from remote locations
  13. Information Security Standards: BS 7799 Standard. To implement the BS 7799 standard an organization must take the following steps:
      • Define an information security policy
      • The organization and its management must demonstrate their commitment to information security. There must be formal reviews of security incidents.
      • Risk assessment. The organization must conduct a risk assessment. This will help to identify the more important sources of risk. It would then select from the following strategies: risk avoidance, mitigation, insurance or transfer, or assumption of risk.
  14. Information Security Standards: BS 7799 Standard.
      • Based on the strategy decided for each risk/asset combination, it will select appropriate controls to manage the risk.
      • For instance, to prevent unauthorized entry it may provide smart card or biometric entry.
      • The organization would also have identified detailed procedures for implementing and monitoring the various controls, defined roles, and dos & don'ts for all employees.
      • Finally, the process needs to be sustained and continuously evaluated.
  15. Information Security Standards: Business Continuity Planning (BCP). Availability is one of the key elements in information security. Failure in IT, e.g. incidents like power failure or virus attack, can be disastrous. Organizations such as a stock exchange or a bank work on a central data center. The BCP outlines:
      • The objective of the plan in the event of a disaster
      • The resources
      • Priorities assigned for business continuity
      • Procedures to follow in the event of a disaster
      • Communication to outsiders
  16. Information Security Standards: Business Continuity Planning (BCP). The BCP ensures that certain critical business functions continue despite a disaster. The BCP can also be viewed from the point of view of three stages:
      • Pre-disaster
      • During the disaster
      • Post-disaster
      Thus each procedure should cover these three stages. Disaster Recovery is a set of plans to enable an organization to come back to normalcy.
  17. Information Security Standards: Business Continuity Planning (BCP), Disaster Recovery. The time frame within which the recovery must happen is a matter of practicality and the organization's policy. Solutions used for BCP:
      • Hard disk crash: RAID arrays, mirror disk, SAN/NAS solution
      • Complete data center crippled: hot remote site, e.g. NSE has a hot site at Pune which takes over if the Mumbai center fails
      • Telecom/ISP crashes: have a leased line from more than one ISP
  18. Information Security Standards: Business Continuity Planning (BCP). The choice of solution depends upon the perceived impact of the disaster on business continuity. Most of the time the BCP/DR misses out on mock drills. This can best be done through simulation by generating disaster conditions, thereby enabling and training people to understand their individual role at the time of a disaster and the specific actions to be taken.
  19. Information Security: End of Chapter 18