
Information Security


Published on

Published in: Technology

Information Security

  1. 1. Information Security, prepared by Mark Chen, November 2008
  2. 2. definition <ul><li>Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction </li></ul>
  3. 4. CIA <ul><li>Confidentiality </li></ul><ul><li>Integrity </li></ul><ul><li>Availability </li></ul>
  4. 5. Confidentiality <ul><li>Confidentiality is the property of preventing disclosure of information to unauthorized individuals or systems </li></ul><ul><li>Situations in which confidentiality is at stake: </li></ul><ul><li>a credit card transaction on the Internet </li></ul><ul><li>someone looking over your shoulder at your computer screen </li></ul><ul><li>a laptop computer containing sensitive information is stolen or sold </li></ul>
  5. 6. Integrity <ul><li>Integrity means that data cannot be modified without authorization (whether the change is accidental or deliberate) </li></ul><ul><li>Examples of integrity violations: </li></ul><ul><li>an employee (accidentally or with malicious intent) deletes important data files </li></ul><ul><li>a computer virus infects a computer and alters its files </li></ul>
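A logical control that makes the integrity property testable is a keyed message authentication code: any change to the data that was not made by a holder of the key changes the tag, so the unauthorized modification is detected at read time. The following is an added example in Python and is not part of the original slides; the record contents and the key are constructed for illustration (a real key comes from a secret store, never from source code).

```python
"""Detecting unauthorized modification of a record with HMAC-SHA256 (added example)."""
import hashlib
import hmac
import json

# Constructed demo key; in production obtain this from a secret store.
KEY = b"constructed-demo-key-do-not-reuse"


def _canonical(record: dict) -> bytes:
    # Deterministic serialisation: the same record must always hash the same way.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def protect(record: dict, key: bytes) -> dict:
    """Return an envelope {record, tag}; only a holder of `key` can produce a valid tag."""
    tag = hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify(envelope: dict, key: bytes) -> bool:
    """True only if the record is byte-for-byte what a key holder tagged."""
    expected = hmac.new(key, _canonical(envelope["record"]), hashlib.sha256).hexdigest()
    # Constant-time comparison so an attacker cannot learn the tag byte by byte.
    return hmac.compare_digest(expected, envelope["tag"])


def demo() -> tuple:
    """Exercise the three cases: untouched, silently edited, and wrong key."""
    env = protect({"account": "1234", "balance": 100}, KEY)
    untouched_ok = verify(env, KEY)

    # An "employee" edits the stored balance without going through the authorized path.
    tampered = {"record": dict(env["record"], balance=1_000_000), "tag": env["tag"]}
    tampered_ok = verify(tampered, KEY)

    # A party without the key cannot validate (or forge) the tag.
    wrong_key_ok = verify(env, b"some-other-key")
    return untouched_ok, tampered_ok, wrong_key_ok


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The tag protects against modification, not against disclosure; confidentiality needs encryption as well, and availability is untouched by either. Note that an attacker who deletes the whole envelope defeats this check, which is why integrity controls are normally paired with backups and logging.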
  6. 7. Availability <ul><li>For any information system to serve its purpose, the information must be available when it is needed </li></ul><ul><li>computing systems, security controls and the communication channels must be functioning correctly </li></ul><ul><li>High availability systems aim to remain available at all times </li></ul>
  7. 8. Risk Management <ul><li>Vulnerability </li></ul><ul><ul><li>A vulnerability is a weakness that could be used to endanger or cause harm to an informational asset </li></ul></ul><ul><li>Threat </li></ul><ul><ul><li>A threat is anything (man-made or an act of nature) that has the potential to cause harm by exploiting a vulnerability </li></ul></ul>
  8. 9. Risk Management process, steps 1-3 <ul><li>Identify assets and estimate their value. Include: people, buildings, hardware, software, data (electronic, print, other), supplies. </li></ul><ul><li>Conduct a threat assessment. Include: acts of nature, acts of war, accidents, malicious acts originating from inside or outside the organization. </li></ul><ul><li>Conduct a vulnerability assessment and, for each vulnerability, estimate the probability that it will be exploited. Evaluate policies, procedures, standards, training, physical security, quality control, technical security. </li></ul>
  9. 10. Risk Management process, steps 4-6 <ul><li>Calculate the impact that each threat would have on each asset, using qualitative or quantitative analysis. </li></ul><ul><li>Identify, select and implement appropriate controls. Provide a proportional response: consider productivity, cost effectiveness, and the value of the asset. </li></ul><ul><li>Evaluate the effectiveness of the control measures. Ensure the controls provide the required cost-effective protection without discernible loss of productivity. </li></ul>
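The six steps above, carried through as an added worked example in Python; this is not code from the original slides. It uses the standard quantitative formulation (single loss expectancy times annual rate of occurrence), which the slides mention only as "quantitative analysis", and the assets, threats, probabilities and control costs are constructed for illustration rather than taken from any real assessment.

```python
"""Quantitative risk-management walk-through (added example, constructed data)."""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    value: float            # step 1: estimated value of the asset


@dataclass(frozen=True)
class Threat:
    name: str
    annual_rate: float      # step 3: expected exploitations per year (ARO)
    exposure_factor: float  # step 4: fraction of the asset value lost per occurrence


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    residual_factor: float  # fraction of the annual loss that remains once the control is in place


def single_loss_expectancy(asset: Asset, threat: Threat) -> float:
    """Loss from one occurrence: asset value times exposure factor."""
    return asset.value * threat.exposure_factor


def annual_loss_expectancy(asset: Asset, threat: Threat) -> float:
    """Step 4 (quantitative): expected loss per year for one asset/threat pair."""
    return single_loss_expectancy(asset, threat) * threat.annual_rate


def net_benefit(asset: Asset, threat: Threat, control: Control) -> float:
    """Step 5/6: loss avoided per year minus what the control costs per year."""
    ale = annual_loss_expectancy(asset, threat)
    avoided = ale * (1.0 - control.residual_factor)
    return avoided - control.annual_cost


def recommend(asset: Asset, threat: Threat, candidates: Sequence[Control]) -> Optional[Control]:
    """Pick the control with the largest positive net benefit.

    Returns None when no candidate pays for itself: the proportional response
    is then to accept the risk rather than spend more than the exposure.
    """
    scored = [(net_benefit(asset, threat, c), c) for c in candidates]
    worthwhile = [(b, c) for b, c in scored if b > 0]
    if not worthwhile:
        return None
    return max(worthwhile, key=lambda bc: bc[0])[1]


def risk_register(pairs: Sequence[Tuple[Asset, Threat]]) -> List[Tuple[str, str, float]]:
    """Rank asset/threat pairs by annual loss expectancy, highest first."""
    rows = [(a.name, t.name, annual_loss_expectancy(a, t)) for a, t in pairs]
    return sorted(rows, key=lambda r: r[2], reverse=True)


# Constructed sample data (illustrative figures, not from the slides).
CUSTOMER_DB = Asset("customer database", 500_000.0)
LAPTOP = Asset("sales laptop holding the customer list", 20_000.0)
KIOSK = Asset("lobby kiosk", 1_500.0)

SQL_INJECTION = Threat("SQL injection via the web front end", annual_rate=0.5, exposure_factor=0.4)
THEFT = Threat("laptop theft", annual_rate=0.1, exposure_factor=1.0)
VANDALISM = Threat("vandalism", annual_rate=0.05, exposure_factor=0.5)

CODE_REVIEW = Control("input validation and code review", annual_cost=30_000.0, residual_factor=0.2)
ANNUAL_PENTEST = Control("annual penetration test only", annual_cost=15_000.0, residual_factor=0.7)
DISK_ENCRYPTION = Control("full-disk encryption", annual_cost=50.0, residual_factor=0.2)
CABLE_LOCK = Control("cable lock", annual_cost=100.0, residual_factor=0.5)
LOBBY_CAMERA = Control("lobby camera", annual_cost=200.0, residual_factor=0.5)


if __name__ == "__main__":
    for name, threat, ale in risk_register([(CUSTOMER_DB, SQL_INJECTION), (LAPTOP, THEFT), (KIOSK, VANDALISM)]):
        print(f"{name:45s} {threat:40s} ALE = {ale:>10,.2f}")
    for asset, threat, options in [
        (CUSTOMER_DB, SQL_INJECTION, [CODE_REVIEW, ANNUAL_PENTEST]),
        (LAPTOP, THEFT, [DISK_ENCRYPTION, CABLE_LOCK]),
        (KIOSK, VANDALISM, [LOBBY_CAMERA]),
    ]:
        choice = recommend(asset, threat, options)
        print(asset.name, "->", choice.name if choice else "accept the risk")
```

The kiosk case is the "accept" branch from the executive-management slide: the camera would cost more per year than the loss it prevents, so installing it is not a proportional response. In practice the probabilities and exposure factors are the weakest inputs, so the register should be revisited (step 6) once incident data exists.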
  10. 11. Executive Management <ul><li>For any given risk, management may choose </li></ul><ul><ul><li>to accept the risk </li></ul></ul><ul><ul><ul><li>justified by the relatively low value of the asset, low frequency of occurrence, or low impact on the business </li></ul></ul></ul><ul><ul><li>to mitigate the risk </li></ul></ul><ul><ul><ul><li>by implementing controls </li></ul></ul></ul><ul><ul><li>to deny (ignore) the risk </li></ul></ul><ul><ul><ul><li>this is itself a potential risk </li></ul></ul></ul>
  11. 12. Controls <ul><li>Administrative controls (also called procedural controls) consist of approved written policies, procedures, standards and guidelines </li></ul><ul><li>Logical and physical controls are covered on the next two slides </li></ul>
  12. 13. Logical controls <ul><li>Logical controls (also called technical controls) use software and data to monitor and control access to information and computing systems. For example: </li></ul><ul><li>passwords, firewalls, data encryption, … </li></ul><ul><li>the principle of least privilege </li></ul>
  13. 14. Physical controls <ul><li>Physical controls monitor and control the environment of the workplace and computing facilities, including access to and from such facilities. </li></ul><ul><li>doors, locks, cameras, … </li></ul><ul><li>separating the network and workplace into functional areas </li></ul><ul><li>separation of duties </li></ul>
  14. 15. Security Classification <ul><li>to recognize the value of information </li></ul><ul><li>to define appropriate procedures and protection requirements for the information </li></ul>
  15. 16. Security Classification Labels <ul><li>Common information security classification labels used by the business sector are: Public, Sensitive, Private, Confidential </li></ul><ul><li>Common information security classification labels used by government are: Unclassified, Sensitive But Unclassified, Restricted, Confidential, Secret, Top Secret and their non-English equivalents. </li></ul>
  16. 17. Change Management <ul><li>Change management is a formal process for directing and controlling alterations to the information processing environment. </li></ul><ul><li>including alterations to desktop computers, the network, servers and software </li></ul>
  17. 18. Change Management Process <ul><li>(1) Requested </li></ul><ul><li>(2) Approved </li></ul><ul><li>(3) Planned </li></ul><ul><li>(4) Tested </li></ul><ul><li>(5) Scheduled </li></ul><ul><li>(6) Communicated </li></ul><ul><li>(7) Implemented </li></ul><ul><li>(8) Documented </li></ul><ul><li>(9) Post-change review </li></ul>
  18. 19. Security Governance <ul><li>(1) An Enterprise-wide Issue. </li></ul><ul><li>(2) Leaders are Accountable. </li></ul><ul><li>(3) Viewed as a Business Requirement. </li></ul><ul><li>(4) Risk-based. </li></ul><ul><li>(5) Roles, Responsibilities, and Segregation of Duties Defined. </li></ul><ul><li>(6) Addressed and Enforced in Policy. </li></ul>
  19. 20. Security Governance <ul><li>(7) Adequate Resources Committed. </li></ul><ul><li>(8) Staff Aware and Trained. </li></ul><ul><li>(9) A Development Life Cycle Requirement. </li></ul><ul><li>(10) Planned, Managed, Measurable, and Measured. </li></ul><ul><li>(11) Reviewed and Audited. </li></ul>
  20. 21. Incident Response Plans <ul><li>(1) Selecting team members </li></ul><ul><li>(2) Define roles, responsibilities and lines of authority </li></ul><ul><li>(3) Define a security incident </li></ul><ul><li>(4) Define a reportable incident </li></ul><ul><li>(5) Training </li></ul><ul><li>(6) Detection </li></ul><ul><li>(7) Classification </li></ul><ul><li>(8) Escalation </li></ul><ul><li>(9) Containment </li></ul><ul><li>(10) Eradication </li></ul><ul><li>(11) Documentation </li></ul>
  21. 22. Laws and regulations <ul><li>Sarbanes-Oxley Act of 2002 (SOX) . Section 404 of the act requires publicly traded companies to assess the effectiveness of their internal controls for financial reporting in annual reports they submit at the end of each fiscal year. Chief information officers are responsible for the security, accuracy and the reliability of the systems that manage and report the financial data . The act also requires publicly traded companies to engage independent auditors who must attest to, and report on, the validity of their assessments </li></ul>
  22. 23. Conclusion <ul><li>Information security is the ongoing process of exercising due care and due diligence to protect information, and information systems, from unauthorized access, use, disclosure, destruction, modification, disruption or distribution. </li></ul><ul><li>This never-ending process involves ongoing training, assessment, protection, monitoring and detection, incident response and repair, documentation, and review. </li></ul>