INTRODUCTION TO INFORMATION SECURITY
By Avinash Balakrishnan
ENBLISS IT SERVICES PVT LTD
OBJECTIVES
• Define basic security concepts
• Begin to assess security risks
• Outline a security policy
• Locate information security resources
BASIC SECURITY CONCEPTS
• Information Security – Perception
• Information Security – Reality
• CIA (Confidentiality, Data Integrity and Availability)
• PPP (Physical Security, Privacy and Marketplace Security)
• What is Information?
• What is Information Security?
• What is Risk?
• An introduction to ISO for information technology
Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected.
(BS ISO 27002:2005)
INFORMATION CAN BE:
• Created
• Stored
• Destroyed
• Processed
• Transmitted
• Used (for proper and improper processes)
• Corrupted
• Lost
• Stolen
• Printed or written on paper
• Stored electronically
• Transmitted by post or using electronic means
• Shown on completed videos
• Displayed / published on the web
• Verbal – spoken in conversations
‘… Whatever form information takes, or means by which it is shared or stored, it should always be appropriately protected’ (BS ISO 27002:2005)
WHAT IS INFORMATION SECURITY
• The quality or state of being secure: to be free from danger
• Security is achieved using several strategies, applied simultaneously or in combination with one another
• Security is recognized as essential to protect vital processes and the systems that provide those processes
• Security is not something you buy, it is something you do
WHAT IS INFORMATION SECURITY
• An architecture in which an integrated combination of appliances, systems and solutions, software, alarms and vulnerability scans work together
• Monitored 24x7
• Built on people, process, technology, policies and procedures
• Security is for PPT (people, process and technology), not for appliances or devices
PEOPLE, PROCESS AND TECHNOLOGY:
PEOPLE: “WHO WE ARE”
• People who use or interact with the information include:
  • Shareholders / owners
  • Management
  • Employees
  • Business partners
  • Service providers
  • Contractors
  • Customers / clients
  • Regulators, etc.
PROCESS: “WHAT WE DO”
• The processes, “work practices” or workflows. Processes are the repeatable steps taken to accomplish business objectives. Typical processes in our IT infrastructure could include:
  • Helpdesk / service management
  • Incident reporting and management
  • Change request process
  • Request fulfilment
  • Access management
  • Identity management
  • Service level / third-party services management
  • IT procurement process, etc.
TECHNOLOGY: “WHAT WE USE TO IMPROVE WHAT WE DO”
• Network infrastructure:
  • Cabling, data / voice networks and equipment
  • Telecommunication services (PABX), including VoIP services, ISDN, video conferencing
  • Server computers and associated storage devices
  • Operating software for server computers
  • Communications equipment and related hardware
  • Intranet and Internet connections
  • VPNs and virtual environments
  • Remote access services
  • Wireless connectivity
TECHNOLOGY: “WHAT WE USE TO IMPROVE WHAT WE DO”
• Application software:
  • Finance and asset systems, including accounting packages, inventory management, HR systems, assessment and reporting systems
  • Software as a service (SaaS), instead of software as a packaged or custom-made product, etc.
• Physical security components:
  • CCTV cameras
  • Clock-in systems / biometrics
  • Environmental management systems: humidity control, ventilation, air conditioning, fire control systems
  • Electricity / power backup
• Access devices:
  • Desktop computers
  • Laptops, ultra-mobile laptops and PDAs
  • Thin client computing
  • Digital cameras, printers, scanners, photocopiers, etc.
INFORMATION SECURITY
• Protects information from a range of threats
• Ensures business continuity
• Minimizes financial loss
• Optimizes return on investments
• Increases business opportunities
Business survival depends on information security
ISO 27002:2005 DEFINES INFORMATION SECURITY AS THE PRESERVATION OF:
- Confidentiality: ensuring that information is accessible only to those authorized to have access
- Integrity: safeguarding the accuracy and completeness of information and processing methods
- Availability: ensuring that authorized users have access to information and associated assets when required
WHAT IS RISK?
• Risk: the possibility that a threat exploits a vulnerability in an asset and causes damage or loss to that asset
• Threat: something that can potentially cause damage to the organization, its IT systems or its network
• Vulnerability: a weakness in the organization, IT systems or network that can be exploited by a threat
ISO 27001 SECURITY
THREAT IDENTIFICATION
Elements of threats:
• Agent: the catalyst that performs the threat
  - Human
  - Machine
  - Nature
• Motive: something that causes the agent to act
  - Accidental
  - Intentional
  The human agent is the only one whose motive can be either accidental or intentional.
• Results: the outcome of an applied threat. The results normally lead to the loss of CIA:
  - Confidentiality
  - Integrity
  - Availability
THREATS
• Employees
• External parties
• Low awareness of security issues
• Growth in networking and distributed computing
• Growth in the complexity and effectiveness of hacking tools and viruses
• Natural disasters, e.g. fire, flood, earthquake
CYBER THREAT HISTORY
• Early 1990s
  • DTI (UK) established a working group
  • Information Security Management code of practice produced as a BSI-DISC publication
• 1995
  • BS 7799 published as a UK standard
• 1999
  • BS 7799-1:1999 second revision published
• 2000
  • BS 7799-1 accepted by ISO and published as ISO 17799
  • BS 7799-2:2002 published
HISTORY
• ISO 27001:2005
  Information technology – Security techniques – Information security management systems – Requirements
• ISO 27002:2005
  Information technology – Security techniques – Code of practice for information security management
ISO 27001
ISO 27001: This international standard covers all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations). It specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented ISMS within the context of the organization’s overall business risks. It specifies requirements for the implementation of security controls customized to the needs of individual organizations or parts thereof.
The ISMS is designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties.
FEATURES OF ISO 27001
• Plan, Do, Check, Act (PDCA) process model
• Process-based approach
• Stress on continual process improvement
• Scope covers information security, not only IT security
• Covers people, process and technology
• 5600 plus organizations worldwide have been certified
• 11 domains, 39 control objectives, 133 controls
PDCA
CONTROL CLAUSES
• Information security policy – To provide management direction and support for information security
• Organization of information security – Management framework for implementation
• Asset management – To ensure the security of valuable organizational IT and its related assets
• Human resources security – To reduce the risks of human error, theft, fraud or misuse of facilities
• Physical and environmental security – To prevent unauthorized access, theft, compromise or damage to information and information processing facilities
• Communications and operations management – To ensure the correct and secure operation of information processing facilities
• Access control – To control access to information and information processing facilities on a ‘need to know’ and ‘need to do’ basis
• Information systems acquisition, development and maintenance – To ensure security is built into information systems
• Information security incident management – To ensure information security events and weaknesses associated with information systems are communicated
CONTROL CLAUSES
• Business continuity management – To reduce disruptions caused by disasters and security failures to an acceptable level
• Compliance – To avoid breaches of any criminal and civil law, statutory, regulatory or contractual obligations, and of any security requirements
IMPLEMENTATION PROCESS CYCLE – ISO 27001
BENEFITS
• At the organization level – commitment
• At the legal level – compliance
• At the operational level – risk management
• At the commercial level – credibility and confidence
• At the financial level – reduced costs
• At the human level – improved employee awareness
USER RESPONSIBILITIES
USER RESPONSIBILITIES – ISO 27001
Security incidents
• Report security incidents (IT and non-IT) to the Helpdesk through:
  • E-mail to info.sec@organization.com
  • Telephone: xxxx-xxxx-xxxx
  • Anonymous reporting through drop boxes
e.g.:
IT incidents: mail spamming, virus attack, hacking, etc.
Non-IT incidents: unsupervised visitor movement, information leakage, bringing in unauthorized media.
Do not discuss security incidents with anyone outside the organization.
Do not attempt to interfere with, obstruct or prevent anyone from reporting incidents.
USER RESPONSIBILITIES
• Ensure your desktop has the latest antivirus updates
• Ensure your system is locked when you are away
• Always store laptops / media in a lockable place
• Be alert while working on laptops during travel
• Ensure sensitive business information is under lock and key when unattended
• Ensure sensitive and critical information assets are backed up
• Understand compliance issues such as:
  • Cyber law
  • IPR, copyrights, NDAs
  • Contractual obligations with customers
• Verify credentials if a message is received from an unknown sender
• Always switch off your computer before leaving for the day
• Keep yourself updated on information security aspects
BASIC SECURITY CONCEPTS
CIA TRIAD: Confidentiality, Integrity, Availability
PPP TRIAD: Physical Security, Privacy, Marketplace
• Confidentiality – only authorized individuals can access data
• Integrity – data changes are tracked and properly controlled
• Availability – systems are accessible for business needs
ASSESSING RISKS
ASSESSMENT CAN BE PERFORMED USING A 5-STEP PROCESS
• Check existing security policies and processes
• Analyze, prioritize and categorize resources
• Consider business concerns
• Evaluate existing security controls
• Leverage existing management and control architecture
ASSESSING RISKS
• Check existing security policies and processes
• Analyze, prioritize and categorize resources by determining total cost of ownership, internal value and external value:
  - TCO refers to the total monetary and labor costs calculated over a specific time period
  - Internal value refers to the monetary assessment of the importance of a particular asset to the internal working of a company
  - External value refers to the money or other commodity that the asset brings to the company from external sources
ASSESSING RISK
• Consider the business concerns through the annualized loss expectancy (ALE = SLE * ARO)
  - Single loss expectancy (SLE) is equal to the asset’s value times the exposure factor (EF)
    • Asset value = TCO + internal value + external value
    • EF is the percentage of the asset’s value that is expected to be lost from a particular threat
  - Annualized rate of occurrence (ARO) is the estimated frequency with which a particular threat may occur each year
• Evaluate existing security controls to determine which controls are deployed and effective
• Leverage the existing management and control architecture to build a persuasive business case for, or against, implementing new security controls
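The ALE arithmetic above, carried through for one asset and two threats and then used to weigh a proposed control. This is an added example with constructed figures, not material from the original slides; the asset, threat names, exposure factors and control cost are all assumptions chosen for illustration.

```python
"""Risk-assessment arithmetic from the slides (asset value, SLE, ARO, ALE) and the
cost/benefit comparison behind a business case for or against a control.
Added example; every figure below is constructed for illustration."""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    tco: float             # total cost of ownership over the assessment period
    internal_value: float  # monetary importance to the company's internal working
    external_value: float  # money the asset brings in from external sources

    @property
    def value(self) -> float:
        # Slide formula: asset value = TCO + internal value + external value
        return self.tco + self.internal_value + self.external_value


@dataclass(frozen=True)
class Threat:
    name: str
    ef: float   # exposure factor: fraction of asset value lost per occurrence (0..1)
    aro: float  # annualized rate of occurrence: expected events per year

    def __post_init__(self) -> None:
        if not 0.0 <= self.ef <= 1.0:
            raise ValueError(f"{self.name}: EF must be between 0 and 1")
        if self.aro < 0.0:
            raise ValueError(f"{self.name}: ARO cannot be negative")


def sle(asset: Asset, threat: Threat) -> float:
    """Single loss expectancy = asset value * exposure factor."""
    return asset.value * threat.ef


def ale(asset: Asset, threat: Threat) -> float:
    """Annualized loss expectancy = SLE * ARO."""
    return sle(asset, threat) * threat.aro


def rank_threats(asset: Asset, threats: List[Threat]) -> List[Tuple[str, float]]:
    """Prioritize the threats to one asset by ALE, highest first."""
    return sorted(((t.name, ale(asset, t)) for t in threats),
                  key=lambda pair: pair[1], reverse=True)


def control_net_benefit(asset: Asset, threat: Threat, annual_cost: float,
                        residual_ef: Optional[float] = None,
                        residual_aro: Optional[float] = None) -> float:
    """ALE before the control minus ALE after it, minus the control's yearly cost.
    Positive supports the business case for the control; negative argues against it."""
    after = replace(threat,
                    ef=threat.ef if residual_ef is None else residual_ef,
                    aro=threat.aro if residual_aro is None else residual_aro)
    return ale(asset, threat) - ale(asset, after) - annual_cost


# Constructed figures: a file server and two threats to it.
FILE_SERVER = Asset("file server", tco=40_000, internal_value=60_000, external_value=100_000)
RANSOMWARE = Threat("ransomware", ef=0.5, aro=0.2)  # one event in five years, half the value lost
FLOOD = Threat("flood", ef=0.8, aro=0.05)           # one event in twenty years, most of it lost


def business_case() -> float:
    """Constructed control: offline backups at 5,000/year cut the ransomware EF from 0.5 to 0.1."""
    return control_net_benefit(FILE_SERVER, RANSOMWARE, annual_cost=5_000, residual_ef=0.1)


if __name__ == "__main__":
    for name, loss in rank_threats(FILE_SERVER, [RANSOMWARE, FLOOD]):
        print(f"{name:<12} ALE = {loss:,.0f}")
    print(f"net annual benefit of backups: {business_case():,.0f}")
```

With these figures the asset is worth 200,000, ransomware has an SLE of 100,000 and an ALE of 20,000, flood an ALE of 8,000, and the backup control comes out 11,000 per year ahead of its cost.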
SECURITY POLICY
• At a minimum, an organization’s security policy should cover the following:
  • Physical security
  • Access control
  • Network security
  • System security
  • Authorized security tools
  • Auditing procedures
BENEFITS OF A SECURITY POLICY
• A security policy has the following three important benefits:
  • Communicates a common vision for security throughout a company
  • Represents a single, easy-to-use source of security requirements
  • Exists as a flexible document that should be updated at least annually to address new security threats
INPUTS FOR SECURITY POLICY
• Local laws, regulations and business contracts
• Internal business goals, principles and guidelines
• Security measures deemed essential through risk assessment
BUILDING A SECURITY POLICY
• An organization’s security policy should cover the following:
  • Foreword: purpose, scope, responsibilities, and penalties for non-compliance
  • Physical security: controls to protect the people, equipment, facilities and computer assets
  • User ID and rights management: only authorized individuals have access to the necessary systems and network devices
BUILDING A SECURITY POLICY
An organization’s security policy should cover the following:
• Network Security: Protect the network devices and data in transit
• System security: Necessary defenses to protect computer systems from
compromise
• Testing: Authorized security tools and testing
• Auditing: Procedures to periodically check security compliance
BUILDING A SECURITY POLICY
FOREWORD
• Purpose: Why is the policy being established?
• Scope: What people, systems, software, information and facilities are covered?
• Responsibilities: Who is responsible for the various computing roles in a company?
• Compliance: What are the penalties for noncompliance? Which organization is responsible for auditing compliance?
BUILDING A SECURITY POLICY
PHYSICAL SECURITY
• Human threats: theft, vandalism, sabotage, and terrorism
• Building damage: fire, water damage, and toxic leaks
• Natural disasters: floods, hurricanes, and tornadoes
• Infrastructure disruption: loss of power, loss of HVAC, and downed
communication lines
• Equipment failure: computer system damage and network device failure
BUILDING A SECURITY POLICY
USER ID AND RIGHTS
Authentication:
• Authentication model
• Implementing technologies
• Implementation mechanism
Access controls – determine who gets what access to what
• Access control model
• Implementing mechanism
BUILDING A SECURITY POLICY
NETWORK SECURITY
• Specific timeframes for changing passwords on network devices
• Use of network protocols
• Firewalls at specific chokepoints in the network architecture
• Use of authentication servers to access network devices
BUILDING A SECURITY POLICY
SYSTEM SECURITY
• The systems section is used to outline the specific settings required to secure a particular operating system or application
  - For example, for Windows NT 4.0, it may be a requirement that every logical drive be installed with NTFS.
  - For a particular UNIX flavor, shadow passwords may be required to hide user IDs and passwords from general users.
BUILDING A SECURITY POLICY
TESTING AND AUDITING
• Specific requirements for vulnerability scanners, compliance checking
tools, and other security tools run within the environment
• Require auditing logs on specific devices, periodic self-audits
performed by the system administrators, and the use of security
compliance checking tools
• Specify corporate auditing requirements, frequencies and
organizations.
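The UNIX shadow-password requirement from the system security section is the kind of setting the periodic self-audits and compliance checking tools in the testing and auditing section exist to verify. The following is an added example of such a check, not code from the original slides: it runs over constructed /etc/passwd and /etc/shadow content with placeholder hash strings, and the reason codes it reports are its own invention.

```python
"""Self-audit for the 'shadow passwords required' setting named in the system
security section, the kind of compliance check the testing and auditing section
calls for. Added example; the /etc/passwd and /etc/shadow content below is
constructed and the hash strings are placeholders, not real credentials."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Finding:
    user: str    # account the finding concerns ("-" for file-level findings)
    code: str    # short reason code for the audit report
    detail: str  # explanation a system administrator can act on


def parse_colon_file(text: str) -> List[List[str]]:
    """Split passwd/shadow style text into per-line field lists, skipping blank lines."""
    return [line.split(":") for line in text.splitlines() if line.strip()]


def audit_shadowing(passwd_text: str, shadow_text: str, shadow_mode: int = 0o640) -> List[Finding]:
    """Check that every password hash lives in /etc/shadow rather than the
    world-readable /etc/passwd, that no account is passwordless, that /etc/shadow
    is not world-readable, and that root is the only UID 0 account."""
    findings: List[Finding] = []
    shadow_hashes: Dict[str, str] = {
        row[0]: row[1] for row in parse_colon_file(shadow_text) if len(row) >= 2
    }

    # Shadowing hides nothing if the shadow file itself is readable by "other".
    if shadow_mode & 0o004:
        findings.append(Finding("-", "SHADOW_WORLD_READABLE",
                                f"/etc/shadow mode {oct(shadow_mode)} grants world read"))

    uid0_accounts: List[str] = []
    for row in parse_colon_file(passwd_text):
        if len(row) != 7:
            findings.append(Finding(row[0], "MALFORMED_ENTRY", f"expected 7 fields, got {len(row)}"))
            continue
        user, pw, uid = row[0], row[1], row[2]
        if uid == "0":
            uid0_accounts.append(user)
        if pw == "x":
            # Shadowed account: the real hash must exist in /etc/shadow and be non-empty.
            if user not in shadow_hashes:
                findings.append(Finding(user, "NO_SHADOW_ENTRY",
                                        "passwd marks the account shadowed but /etc/shadow has no line for it"))
            elif shadow_hashes[user] == "":
                findings.append(Finding(user, "EMPTY_PASSWORD",
                                        "empty hash in /etc/shadow allows login without a password"))
        elif pw == "":
            findings.append(Finding(user, "EMPTY_PASSWORD", "empty password field in /etc/passwd"))
        elif pw.startswith(("*", "!")):
            pass  # locked account with no usable password: acceptable
        else:
            findings.append(Finding(user, "HASH_IN_PASSWD",
                                    "password hash stored in world-readable /etc/passwd"))

    for user in uid0_accounts:
        if user != "root":
            findings.append(Finding(user, "DUPLICATE_UID0",
                                    "additional UID 0 account is a second superuser"))
    return findings


def summarize(findings: List[Finding]) -> List[Tuple[str, str]]:
    """Sorted (user, code) pairs, convenient for comparing audit runs over time."""
    return sorted({(f.user, f.code) for f in findings})


# Constructed sample files; "$6$examplesalt$notarealhash" stands in for a real SHA-512 crypt hash.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
legacy:$6$examplesalt$notarealhash:1001:1001::/home/legacy:/bin/bash
guest::1002:1002::/home/guest:/bin/sh
backup:x:1003:1003::/var/backups:/bin/bash
svc:x:1004:1004::/srv/svc:/usr/sbin/nologin
toor:x:0:0::/root:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$6$examplesalt$notarealhash:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
svc::19700:0:99999:7:::
toor:$6$examplesalt$notarealhash:19700:0:99999:7:::
"""


def run_sample(shadow_mode: int = 0o640) -> List[Tuple[str, str]]:
    """Audit the constructed sample and return the compact (user, code) summary."""
    return summarize(audit_shadowing(SAMPLE_PASSWD, SAMPLE_SHADOW, shadow_mode))


if __name__ == "__main__":
    for f in audit_shadowing(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{f.code:<22} {f.user:<8} {f.detail}")
```

On a real host the two strings would be read from the files themselves (reading /etc/shadow needs root), and the mode would come from os.stat; the sample deliberately contains one account of each failing kind.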
SECURITY RESOURCES AND CERTIFICATIONS
• CISSP - Certified Information Systems Security Professional
• SSCP - Systems Security Certified Practitioner
• GIAC - Global Information Assurance Certification
• CISA - Certified Information Systems Auditor
• CIW - Certified Internet Web Professional
SUMMARY
• The CIA TRIAD categorizes the aspects of information that must be protected from attacks: confidentiality, integrity, and availability.
• The PPP TRIAD depicts physical security, privacy and marketplace perception as three additional abstract concepts that should drive security efforts.
SUMMARY
• The first step in creating an effective security policy is to perform a risk assessment within the environment. A risk assessment consists of five steps:
  - Check for existing security policies and processes
  - Analyze, prioritize and categorize resources
  - Consider business concerns
  - Evaluate existing security controls
  - Leverage existing management and control architecture
• To estimate potential financial loss from security threats, the following formula works well by accounting for the most important cost factors associated with security: ALE = SLE * ARO
• A security policy has three major benefits. It:
  - Communicates a common vision for security throughout a company
  - Represents a single, easy-to-use source of security requirements
  - Exists as a flexible document that should be updated at least annually to address new security threats
SUMMARY
• An effective security policy includes security requirements in the following areas:
  - Physical security
  - User ID and rights management
  - Systems
  - Network
  - Security tools
  - Auditing
• There are a number of security-related certifications to help security professionals quantify their knowledge on a resume.
• Every security professional must stay current on the latest threats through web resources, mailing lists, and printed materials.
THE END

More Related Content

What's hot

What is Cyber Security? | Introduction to Cyber Security | Cyber Security Tra...
What is Cyber Security? | Introduction to Cyber Security | Cyber Security Tra...What is Cyber Security? | Introduction to Cyber Security | Cyber Security Tra...
What is Cyber Security? | Introduction to Cyber Security | Cyber Security Tra...
Edureka!
 
Introduction to cyber security amos
Introduction to cyber security amosIntroduction to cyber security amos
Introduction to cyber security amos
Amos Oyoo
 
Introduction to Information Security
Introduction to Information Security Introduction to Information Security
Introduction to Information Security
Shreedevi Tharanidharan
 
Introduction to information security
Introduction to information securityIntroduction to information security
Introduction to information security
jayashri kolekar
 
The CIA Triad - Assurance on Information Security
The CIA Triad - Assurance on Information SecurityThe CIA Triad - Assurance on Information Security
The CIA Triad - Assurance on Information Security
Bharath Rao
 
Cybersecurity Attack Vectors: How to Protect Your Organization
Cybersecurity Attack Vectors: How to Protect Your OrganizationCybersecurity Attack Vectors: How to Protect Your Organization
Cybersecurity Attack Vectors: How to Protect Your Organization
TriCorps Technologies
 
Cyber Security PPT - 2023.pptx
Cyber Security PPT - 2023.pptxCyber Security PPT - 2023.pptx
Cyber Security PPT - 2023.pptx
ChandanChandu928137
 
End-User Security Awareness
End-User Security AwarenessEnd-User Security Awareness
End-User Security Awareness
Surya Bathulapalli
 
Cyber Security PPT.pptx
Cyber Security PPT.pptxCyber Security PPT.pptx
Cyber Security PPT.pptx
ANIKETKUMARSHARMA3
 
Introduction To Information Security
Introduction To Information SecurityIntroduction To Information Security
Introduction To Information Security
belsis
 
Data security
Data securityData security
Data security
Tapan Khilar
 
Cyber security
Cyber security Cyber security
Cyber security
Sachith Lekamge
 
Information security management
Information security managementInformation security management
Information security management
UMaine
 
Cybersecurity 1. intro to cybersecurity
Cybersecurity 1. intro to cybersecurityCybersecurity 1. intro to cybersecurity
Cybersecurity 1. intro to cybersecurity
sommerville-videos
 
Cyber Security Awareness
Cyber Security AwarenessCyber Security Awareness
Cyber Security Awareness
Ramiro Cid
 
Cybersecurity Fundamentals | Understanding Cybersecurity Basics | Cybersecuri...
Cybersecurity Fundamentals | Understanding Cybersecurity Basics | Cybersecuri...Cybersecurity Fundamentals | Understanding Cybersecurity Basics | Cybersecuri...
Cybersecurity Fundamentals | Understanding Cybersecurity Basics | Cybersecuri...
Edureka!
 
Cyber security
Cyber securityCyber security
Cyber security
Manjushree Mashal
 
INFORMATION SECURITY
INFORMATION SECURITYINFORMATION SECURITY
INFORMATION SECURITY
Ahmed Moussa
 
Cyber Security and Data Protection
Cyber Security and Data ProtectionCyber Security and Data Protection
Cyber Security and Data Protection
Strategic Insurance Software
 
Cia security model
Cia security modelCia security model
Cia security model
Imran Ahmed
 

What's hot (20)

What is Cyber Security? | Introduction to Cyber Security | Cyber Security Tra...
What is Cyber Security? | Introduction to Cyber Security | Cyber Security Tra...What is Cyber Security? | Introduction to Cyber Security | Cyber Security Tra...
What is Cyber Security? | Introduction to Cyber Security | Cyber Security Tra...
 
Introduction to cyber security amos
Introduction to cyber security amosIntroduction to cyber security amos
Introduction to cyber security amos
 
Introduction to Information Security
Introduction to Information Security Introduction to Information Security
Introduction to Information Security
 
Introduction to information security
Introduction to information securityIntroduction to information security
Introduction to information security
 
The CIA Triad - Assurance on Information Security
The CIA Triad - Assurance on Information SecurityThe CIA Triad - Assurance on Information Security
The CIA Triad - Assurance on Information Security
 
Cybersecurity Attack Vectors: How to Protect Your Organization
Cybersecurity Attack Vectors: How to Protect Your OrganizationCybersecurity Attack Vectors: How to Protect Your Organization
Cybersecurity Attack Vectors: How to Protect Your Organization
 
Cyber Security PPT - 2023.pptx
Cyber Security PPT - 2023.pptxCyber Security PPT - 2023.pptx
Cyber Security PPT - 2023.pptx
 
End-User Security Awareness
End-User Security AwarenessEnd-User Security Awareness
End-User Security Awareness
 
Cyber Security PPT.pptx
Cyber Security PPT.pptxCyber Security PPT.pptx
Cyber Security PPT.pptx
 
Introduction To Information Security
Introduction To Information SecurityIntroduction To Information Security
Introduction To Information Security
 
Data security
Data securityData security
Data security
 
Cyber security
Cyber security Cyber security
Cyber security
 
Information security management
Information security managementInformation security management
Information security management
 
Cybersecurity 1. intro to cybersecurity
Cybersecurity 1. intro to cybersecurityCybersecurity 1. intro to cybersecurity
Cybersecurity 1. intro to cybersecurity
 
Cyber Security Awareness
Cyber Security AwarenessCyber Security Awareness
Cyber Security Awareness
 
Cybersecurity Fundamentals | Understanding Cybersecurity Basics | Cybersecuri...
Cybersecurity Fundamentals | Understanding Cybersecurity Basics | Cybersecuri...Cybersecurity Fundamentals | Understanding Cybersecurity Basics | Cybersecuri...
Cybersecurity Fundamentals | Understanding Cybersecurity Basics | Cybersecuri...
 
Cyber security
Cyber securityCyber security
Cyber security
 
INFORMATION SECURITY
INFORMATION SECURITYINFORMATION SECURITY
INFORMATION SECURITY
 
Cyber Security and Data Protection
Cyber Security and Data ProtectionCyber Security and Data Protection
Cyber Security and Data Protection
 
Cia security model
Cia security modelCia security model
Cia security model
 

Similar to Information security

ISMS User_Awareness Training.pptx
ISMS User_Awareness Training.pptxISMS User_Awareness Training.pptx
ISMS User_Awareness Training.pptx
Mukesh Pant
 
Information security: importance of having defined policy & process
Information security: importance of having defined policy & processInformation security: importance of having defined policy & process
Information security: importance of having defined policy & process
Information Technology Society Nepal
 
ISO 27001
ISO 27001ISO 27001
ISO27k Awareness presentation v2.pptx
ISO27k Awareness presentation v2.pptxISO27k Awareness presentation v2.pptx
ISO27k Awareness presentation v2.pptx
Napoleon NV
 
Chapter 12 iso 27001 awareness
Chapter 12 iso 27001 awarenessChapter 12 iso 27001 awareness
Chapter 12 iso 27001 awareness
newbie2019
 
Information Security Management System ISO/IEC 27001:2005
Information Security Management System ISO/IEC 27001:2005Information Security Management System ISO/IEC 27001:2005
Information Security Management System ISO/IEC 27001:2005
ControlCase
 
ISO27k Awareness presentation.pptx
ISO27k Awareness presentation.pptxISO27k Awareness presentation.pptx
ISO27k Awareness presentation.pptx
harigopala
 
ISO 27001 Awareness IGN Mantra 2nd Day, 1st Session.
ISO 27001 Awareness IGN Mantra 2nd Day, 1st Session.ISO 27001 Awareness IGN Mantra 2nd Day, 1st Session.
ISO 27001 Awareness IGN Mantra 2nd Day, 1st Session.
IGN MANTRA
 
Iso 27001 2005- by netpeckers consulting
Iso 27001 2005- by netpeckers consultingIso 27001 2005- by netpeckers consulting
Iso 27001 2005- by netpeckers consulting
Iskcon Ahmedabad
 
IT governance and Information System Security
IT governance and Information System SecurityIT governance and Information System Security
IT governance and Information System Security
CSSRL PUNE
 
Why ISO 27001 for an Organisation
Why ISO 27001 for an OrganisationWhy ISO 27001 for an Organisation
Why ISO 27001 for an Organisation
Syed Azher
 
ISMS End-User Training Presentation.pptx
ISMS End-User Training Presentation.pptxISMS End-User Training Presentation.pptx
ISMS End-User Training Presentation.pptx
comstarndt
 
FRSecure Sales Deck
FRSecure Sales DeckFRSecure Sales Deck
FRSecure Sales Deck
Evan Francen
 
GDPR compliance and information security: Reducing data breach risks
GDPR compliance and information security: Reducing data breach risksGDPR compliance and information security: Reducing data breach risks
GDPR compliance and information security: Reducing data breach risks
IT Governance Ltd
 
1678784047-mid_sem-2.pdf
1678784047-mid_sem-2.pdf1678784047-mid_sem-2.pdf
1678784047-mid_sem-2.pdf
Rimurutempest594985
 
ISO 27001 Information Security Management.pdf
ISO 27001 Information Security Management.pdfISO 27001 Information Security Management.pdf
ISO 27001 Information Security Management.pdf
Nepal Realistic Solution Pvt. Ltd.
 
CCA study group
CCA study groupCCA study group
CCA study group
IIBA UK Chapter
 
A to Z of Information Security Management
A to Z of Information Security ManagementA to Z of Information Security Management
A to Z of Information Security Management
Mark Conway
 
ISO 27001 - Information security user awareness training presentation - part 3
ISO 27001 - Information security user awareness training presentation - part 3ISO 27001 - Information security user awareness training presentation - part 3
ISO 27001 - Information security user awareness training presentation - part 3
Tanmay Shinde
 
Infocon Bangladesh 2016
Infocon Bangladesh 2016Infocon Bangladesh 2016
Infocon Bangladesh 2016
Prime Infoserv
 

Similar to Information security (20)

ISMS User_Awareness Training.pptx
ISMS User_Awareness Training.pptxISMS User_Awareness Training.pptx
ISMS User_Awareness Training.pptx
 
Information security: importance of having defined policy & process
Information security: importance of having defined policy & processInformation security: importance of having defined policy & process
Information security: importance of having defined policy & process
 
ISO 27001
ISO 27001ISO 27001
ISO 27001
 
ISO27k Awareness presentation v2.pptx
ISO27k Awareness presentation v2.pptxISO27k Awareness presentation v2.pptx
ISO27k Awareness presentation v2.pptx
 
Chapter 12 iso 27001 awareness
Chapter 12 iso 27001 awarenessChapter 12 iso 27001 awareness
Chapter 12 iso 27001 awareness
 
Information Security Management System ISO/IEC 27001:2005
Information Security Management System ISO/IEC 27001:2005Information Security Management System ISO/IEC 27001:2005
Information Security Management System ISO/IEC 27001:2005
 
ISO27k Awareness presentation.pptx
ISO27k Awareness presentation.pptxISO27k Awareness presentation.pptx
ISO27k Awareness presentation.pptx
 
ISO 27001 Awareness IGN Mantra 2nd Day, 1st Session.
ISO 27001 Awareness IGN Mantra 2nd Day, 1st Session.ISO 27001 Awareness IGN Mantra 2nd Day, 1st Session.
ISO 27001 Awareness IGN Mantra 2nd Day, 1st Session.
 
Iso 27001 2005- by netpeckers consulting
Iso 27001 2005- by netpeckers consultingIso 27001 2005- by netpeckers consulting
Iso 27001 2005- by netpeckers consulting
 
IT governance and Information System Security
IT governance and Information System SecurityIT governance and Information System Security
IT governance and Information System Security
 
Why ISO 27001 for an Organisation
Why ISO 27001 for an OrganisationWhy ISO 27001 for an Organisation
Why ISO 27001 for an Organisation
 
ISMS End-User Training Presentation.pptx
ISMS End-User Training Presentation.pptxISMS End-User Training Presentation.pptx
ISMS End-User Training Presentation.pptx
 
FRSecure Sales Deck
FRSecure Sales DeckFRSecure Sales Deck
FRSecure Sales Deck
 
GDPR compliance and information security: Reducing data breach risks
GDPR compliance and information security: Reducing data breach risksGDPR compliance and information security: Reducing data breach risks
GDPR compliance and information security: Reducing data breach risks
 
1678784047-mid_sem-2.pdf
1678784047-mid_sem-2.pdf1678784047-mid_sem-2.pdf
1678784047-mid_sem-2.pdf
 
ISO 27001 Information Security Management.pdf
ISO 27001 Information Security Management.pdfISO 27001 Information Security Management.pdf
ISO 27001 Information Security Management.pdf
 
CCA study group
CCA study groupCCA study group
CCA study group
 
A to Z of Information Security Management
A to Z of Information Security ManagementA to Z of Information Security Management
A to Z of Information Security Management
 
ISO 27001 - Information security user awareness training presentation - part 3
Information security

  • 1. INTRODUCTION TO INFORMATION SECURITY
    By Avinash Balakrishnan, ENBLISS IT SERVICES PVT LTD
  • 2. OBJECTIVES
    - Define basic security concepts
    - Begin to assess security risks
    - Outline a security policy
    - Locate information security resources
  • 3. BASIC SECURITY CONCEPTS
    - Information Security – Perception
    - Information Security – Reality
    - CIA (Confidentiality, Data Integrity and Availability)
    - PPP (Physical Security, Privacy and Marketplace Security)
  • 4.
    - What is Information?
    - What is Information Security?
    - What is Risk?
    - An introduction to ISO for Information Technology
  • 5. Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected. (BS ISO 27002:2005)
  • 6. INFORMATION CAN BE:
    - Created
    - Stored
    - Destroyed
    - Processed
    - Transmitted
    - Used (for proper and improper processes)
    - Corrupted
    - Lost
    - Stolen
    - Printed or written on paper
    - Stored electronically
    - Transmitted by post or using electronic means
    - Shown on completed videos
    - Displayed / published on the web
    - Verbal – spoken in conversations
    ‘… Whatever form information takes, or means by which it is shared or stored, it should always be appropriately protected’ (BS ISO 27002:2005)
  • 7. WHAT IS INFORMATION SECURITY
    - The quality or state of being secure: to be free from danger
    - Security is achieved using several strategies, applied simultaneously or in combination with one another
    - Security is recognized as essential to protect vital processes and the systems that provide those processes
    - Security is not something you buy, it is something you do
  • 8. WHAT IS INFORMATION SECURITY
    - The architecture in which an integrated combination of appliances, systems and solutions, software, alarms and vulnerability scans work together
    - Monitored 24x7
    - Comprising people, process, technology, policies and procedures
    - Security is for PPT (people, process and technology), not for appliances or devices
  • 9. PEOPLE, PROCESS AND TECHNOLOGY:
  • 10. PEOPLE: “WHO WE ARE”
    - People who use or interact with the information include:
      • Shareholders / owners
      • Management
      • Employees
      • Business partners
      • Service providers
      • Contractors
      • Customers / clients
      • Regulators, etc.
  • 11. PROCESS: “WHAT WE DO”
    - The processes, “work practices” or workflow. Processes are the repeatable steps taken to accomplish business objectives. Typical processes in our IT infrastructure could include:
      • Helpdesk / service management
      • Incident reporting and management
      • Change request process
      • Request fulfillment
      • Access management
      • Identity management
      • Service level / third-party services management
      • IT procurement process, etc.
  • 12. TECHNOLOGY: “WHAT WE USE TO IMPROVE WHAT WE DO”
    - Network infrastructure:
      • Cabling, data / voice networks and equipment
      • Telecommunication services (PABX), including VoIP services, ISDN, video conferencing
      • Server computers and associated storage devices
      • Operating software for server computers
      • Communications equipment and related hardware
      • Intranet and Internet connections
      • VPNs and virtual environments
      • Remote access services
      • Wireless connectivity
  • 13. TECHNOLOGY: “WHAT WE USE TO IMPROVE WHAT WE DO”
    - Application software:
      • Finance and assets systems, including accounting packages, inventory management, HR systems, assessments and reporting systems
      • Software as a service (SaaS), instead of software as a packaged or custom-made product, etc.
    - Physical security components:
      • CCTV cameras
      • Clock-in systems / biometrics
      • Environmental management systems: humidity control, ventilation, air conditioning, fire control systems
      • Electricity / power backup
    - Access devices:
      • Desktop computers
      • Laptops, ultra-mobile laptops and PDAs
      • Thin-client computing
      • Digital cameras, printers, scanners, photocopiers, etc.
  • 14. INFORMATION SECURITY
    - Protects information from a range of threats
    - Ensures business continuity
    - Minimizes financial loss
    - Optimizes return on investments
    - Increases business opportunities
    Business survival depends on information security.
  • 15. ISO 27002:2005 DEFINES INFORMATION SECURITY AS THE PRESERVATION OF:
    - Confidentiality: ensuring that information is accessible only to those authorized to have access
    - Integrity: safeguarding the accuracy and completeness of information and processing methods
    - Availability: ensuring that authorized users have access to information and associated assets when required
  • 16. WHAT IS RISK?
    - Risk: the possibility that a threat exploits a vulnerability in an asset and causes damage or loss to the asset
    - Threat: something that can potentially cause damage to the organization, its IT systems or network
    - Vulnerability: a weakness in the organization, IT systems or network that can be exploited by a threat
  • 18. THREAT IDENTIFICATION
    Elements of threats:
    - Agent: the catalyst that performs the threat
      • Human
      • Machine
      • Nature
    - Motive: something that causes the agent to act
      • Accidental
      • Intentional
      • The only agent whose motive can be both accidental and intentional is human
    - Results: the outcome of the applied threat. The results normally lead to a loss of CIA:
      • Confidentiality
      • Integrity
      • Availability
  • 19. THREATS
    • Employees
    • External parties
    • Low awareness of security issues
    • Growth in networking and distributed computing
    • Growth in the complexity and effectiveness of hacking tools and viruses
    • Natural disasters, e.g. fire, flood, earthquake
  • 22. CYBER THREAT HISTORY
    - Early 1990
      • DTI (UK) established a working group
      • Information Security Management code of practice produced as a BSI-DISC publication
    - 1995
      • BS 7799 published as a UK standard
    - 1999
      • BS 7799-1:1999 second revision published
    - 2000
      • BS 7799-1 accepted by ISO and published as ISO 17799
      • BS 7799-2:2002 published
  • 23. HISTORY
    - ISO 27001:2005 Information technology – Security techniques – Information security management systems – Requirements
    - ISO 27002:2005 Information technology – Security techniques – Code of practice for information security management
  • 24. ISO 27001
    This International Standard covers all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations). It specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented ISMS within the context of the organization’s overall business risks. It specifies requirements for the implementation of security controls customized to the needs of individual organizations or parts thereof. The ISMS is designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties.
  • 25. FEATURES
    Features of ISO 27001:
    • Plan, Do, Check, Act (PDCA) process model
    • Process-based approach
    • Stress on continual process improvement
    • Scope covers information security, not only IT security
    • Covers people, process and technology
    • 5600 plus organizations worldwide have been certified
    • 11 domains, 39 control objectives, 133 controls
  • 26. PDCA
  • 28. CONTROL CLAUSES
    • Information security policy – to provide management direction and support for information security
    • Organization of information security – management framework for implementation
    • Asset management – to ensure the security of valuable organizational IT and its related assets
    • Human resources security – to reduce the risks of human error, theft, fraud or misuse of facilities
    • Physical and environmental security – to prevent unauthorized access, theft, compromise or damage to information and information processing facilities
  • 29.
    - Communications and operations management – to ensure the correct and secure operation of information processing facilities
    - Access control – to control access to information and information processing facilities on a ‘need to know’ and ‘need to do’ basis
    - Information systems acquisition, development and maintenance – to ensure security is built into information systems
    - Information security incident management – to ensure information security events and weaknesses associated with information systems are communicated
  • 30. CONTROL CLAUSES
    - Business continuity management – to reduce disruptions caused by disasters and security failures to an acceptable level
    - Compliance – to avoid breaches of any criminal and civil law, statutory, regulatory or contractual obligations, and of any security requirements
  • 32. BENEFITS
    - At the organization level – commitment
    - At the legal level – compliance
    - At the operational level – risk management
    - At the commercial level – credibility and confidence
    - At the financial level – reduced costs
    - At the human level – improved employee awareness
  • 36. USER RESPONSIBILITIES (ISO 27001)
    Security incidents:
    - Report security incidents (IT and non-IT) to the Helpdesk through:
      • E-mail to info.sec@organization.com
      • Telephone: xxxx-xxxx-xxxx
      • Anonymous reporting through drop boxes
      e.g. IT incidents: mail spamming, virus attack, hacking, etc.; non-IT incidents: unsupervised visitor movement, information leakage, bringing in unauthorized media.
    - Do not discuss security incidents with anyone outside the organization.
    - Do not attempt to interfere with, obstruct or prevent anyone from reporting incidents.
  • 37. USER RESPONSIBILITIES
    - Ensure your desktop has the latest antivirus updates
    - Ensure your system is locked when you are away
    - Always store laptops / media in a lockable place
    - Be alert while working on laptops during travel
    - Ensure sensitive business information is under lock and key when unattended
    - Ensure backup of sensitive and critical information assets
    - Understand compliance issues such as:
      • Cyber law
      • IPR, copyrights, NDA
      • Contractual obligations with customers
    - Verify credentials if a message is received from an unknown sender
    - Always switch off your computer before leaving for the day
    - Keep yourself updated on information security aspects
  • 38. BASIC SECURITY CONCEPTS
    [Diagram: CIA triad – Confidentiality, Integrity, Availability; PPP triad – Privacy, Physical Security, Market Place]
    • Confidentiality – only authorized individuals can access data
    • Integrity – data changes are tracked and properly controlled
    • Availability – systems are accessible for business needs
  • 39. ASSESSING RISKS
    Assessment can be performed using a 5-step process:
    - Check existing security policies and processes
    - Analyze, prioritize and categorize resources
    - Consider business concerns
    - Evaluate existing security controls
    - Leverage existing management and control architecture
  • 40. ASSESSING RISKS
    - Check existing security policies and processes
    - Analyze, prioritize and categorize resources by determining total cost of ownership, internal value and external value:
      - TCO refers to the total monetary and labor costs calculated over a specific time period
      - Internal value refers to the monetary assessment of the importance of a particular asset to the internal working of a company
      - External value refers to the money or other commodity that the asset brings to the company from external sources
  • 41. ASSESSING RISK
    - Consider the business concerns through the annualized loss expectancy (ALE = SLE * ARO)
      - Single loss expectancy (SLE) is equal to the asset’s value times the exposure factor (EF)
        • Asset value = TCO + internal value + external value
        • EF is the percentage of asset loss that is expected from a particular threat
      - Annualized rate of occurrence (ARO) is the estimated frequency with which a particular threat may occur each year
  • 42. ASSESSING RISK
    - Evaluate existing security controls to determine what controls are deployed and effective
    - Leverage existing management and control architecture to build a persuasive business case for, or against, implementing new security controls
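The five-step assessment above ends in a business case, so here the slides' figures (asset value = TCO + internal value + external value, SLE = asset value * EF, ALE = SLE * ARO) are worked through in code for a constructed asset and threat list. This is an added example, not material from the slides; the asset, threats, amounts and the cost-benefit comparison of a control (ALE saved minus the control's annual cost, a standard extension of the same formula) are all assumptions made here.

```python
# Added example, not from the slides: annualized loss expectancy worked
# through for a constructed asset, using the slides' definitions:
#   asset value = TCO + internal value + external value
#   SLE = asset value * EF,  ALE = SLE * ARO
# It goes one step beyond the slides by comparing the ALE before and after
# a proposed control with that control's annual cost (the business case
# for, or against, a new control).
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    tco: float             # total cost of ownership over the assessment period
    internal_value: float  # monetary importance to the company's internal working
    external_value: float  # money the asset brings in from external sources

    @property
    def value(self) -> float:
        return self.tco + self.internal_value + self.external_value


@dataclass(frozen=True)
class Threat:
    name: str
    exposure_factor: float  # fraction of the asset value lost per occurrence, 0..1
    aro: float              # annualized rate of occurrence, events per year


def single_loss_expectancy(asset: Asset, threat: Threat) -> float:
    """SLE = asset value * EF."""
    if not 0.0 <= threat.exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset.value * threat.exposure_factor


def annualized_loss_expectancy(asset: Asset, threat: Threat) -> float:
    """ALE = SLE * ARO."""
    if threat.aro < 0:
        raise ValueError("ARO cannot be negative")
    return single_loss_expectancy(asset, threat) * threat.aro


def rank_threats(asset: Asset, threats: list) -> list:
    """Threats ordered by ALE, highest first (the prioritisation step)."""
    return sorted(threats, key=lambda t: annualized_loss_expectancy(asset, t), reverse=True)


def control_net_benefit(asset: Asset, before: Threat, after: Threat, annual_control_cost: float) -> float:
    """ALE reduction the control buys, minus what the control costs per year.
    Positive means the control pays for itself; negative argues against it."""
    saved = annualized_loss_expectancy(asset, before) - annualized_loss_expectancy(asset, after)
    return saved - annual_control_cost


# Constructed sample figures (hypothetical, for illustration only).
FILE_SERVER = Asset("departmental file server", tco=50_000, internal_value=30_000, external_value=20_000)
RANSOMWARE = Threat("ransomware", exposure_factor=0.6, aro=0.5)     # one event every two years
DISK_FAILURE = Threat("disk failure", exposure_factor=0.2, aro=1.0)
FIRE = Threat("fire", exposure_factor=1.0, aro=0.02)
# The same threat after an offline-backup control cuts the share of data lost per event.
RANSOMWARE_WITH_BACKUPS = Threat("ransomware (offline backups)", exposure_factor=0.1, aro=0.5)
BACKUP_CONTROL_COST = 12_000  # per year, assumed

if __name__ == "__main__":
    for t in rank_threats(FILE_SERVER, [FIRE, DISK_FAILURE, RANSOMWARE]):
        print(f"{t.name:<14} SLE={single_loss_expectancy(FILE_SERVER, t):>9,.0f} "
              f"ALE={annualized_loss_expectancy(FILE_SERVER, t):>9,.0f}")
    print("net benefit of backups:",
          control_net_benefit(FILE_SERVER, RANSOMWARE, RANSOMWARE_WITH_BACKUPS, BACKUP_CONTROL_COST))
```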
  • 43. SECURITY POLICY
    - At a minimum, an organization’s security policy should cover the following:
      • Physical security
      • Access control
      • Network security
      • System security
      • Authorized security tools
      • Auditing procedures
  • 44. BENEFITS OF A SECURITY POLICY
    - A security policy has the following three important benefits:
      - Communicates a common vision for security throughout a company
      - Represents a single, easy-to-use source of security requirements
      - Exists as a flexible document that should be updated at least annually to address new security threats
  • 45. INPUTS FOR SECURITY POLICY
    - Local laws, regulations and business contracts
    - Internal business goals, principles and guidelines
    - Security measures deemed essential through risk assessment
  • 46. BUILDING A SECURITY POLICY
    - An organization’s security policy should cover the following:
      - Foreword: purpose, scope, responsibilities, and penalties for non-compliance
      - Physical security: controls to protect the people, equipment, facilities and computer assets
      - User ID and rights management: only authorized individuals have access to the necessary systems and network devices
  • 47. BUILDING A SECURITY POLICY
    An organization’s security policy should cover the following:
    • Network security: protect the network devices and data in transit
    • System security: necessary defenses to protect computer systems from compromise
    • Testing: authorized security tools and testing
    • Auditing: procedures to periodically check security compliance
  • 48. BUILDING A SECURITY POLICY: FOREWORD
    • Purpose: why is the policy being established?
    • Scope: what people, systems, software, information and facilities are covered?
    • Responsibilities: who is responsible for the various computing roles in a company?
    • Compliance: what are the penalties for non-compliance? Which organization is responsible for auditing compliance?
  • 49. BUILDING A SECURITY POLICY: PHYSICAL SECURITY
    • Human threats: theft, vandalism, sabotage and terrorism
    • Building damage: fire, water damage and toxic leaks
    • Natural disasters: floods, hurricanes and tornadoes
    • Infrastructure disruption: loss of power, loss of HVAC and downed communication lines
    • Equipment failure: computer system damage and network device failure
  • 50. BUILDING A SECURITY POLICY: USER ID AND RIGHTS
    Authentication:
    • Authentication model
    • Implementing technologies
    • Implementation mechanism
    Access controls – determine who gets what access to what:
    • Access control model
    • Implementing mechanism
  • 51. BUILDING A SECURITY POLICY: NETWORK SECURITY
    • Specific timeframes for changing passwords on network devices
    • Use of network protocols
    • Firewalls at specific chokepoints in a network architecture
    • Use of authentication servers to access network devices
  • 52. BUILDING A SECURITY POLICY: SYSTEM SECURITY
    • The systems section is used to outline the specific settings required to secure a particular operating system or application
      - For example, for Windows NT 4.0, it may be a requirement that every logical drive be formatted with NTFS
      - For a particular UNIX flavor, shadow passwords may be required to hide user IDs and passwords from general users
  • 53. BUILDING A SECURITY POLICY: TESTING AND AUDITING
    • Specific requirements for vulnerability scanners, compliance checking tools and other security tools run within the environment
    • Require audit logs on specific devices, periodic self-audits performed by the system administrators, and the use of security compliance checking tools
    • Specify corporate auditing requirements, frequencies and organizations
  • 54. SECURITY RESOURCES AND CERTIFICATIONS
    • CISSP – Certified Information Systems Security Professional
    • SSCP – Systems Security Certified Practitioner
    • GIAC – Global Information Assurance Certification
    • CISA – Certified Information Systems Auditor
    • CIW – Certified Internet Web Professional
  • 56. SUMMARY
    • The CIA triad categorizes the aspects of information that must be protected from attacks: confidentiality, integrity and availability
    • The PPP triad depicts physical security, privacy and market place perception as three additional abstract concepts that should drive security efforts
  • 57. SUMMARY
    • The first step in creating an effective security policy is to perform a risk assessment within the environment. A risk assessment consists of five steps:
      - Check for existing security policies and processes
      - Analyze, prioritize and categorize resources
      - Consider business concerns
      - Evaluate existing security controls
      - Leverage existing management and control architecture
    • To estimate potential financial loss from security threats, the following formula works well by accounting for the most important cost factors associated with security: ALE = SLE * ARO
    • A security policy has three major benefits. It:
      - Communicates a common vision for security throughout a company
      - Represents a single, easy-to-use source of security requirements
      - Exists as a flexible document that should be updated at least annually to address new security threats
  • 58. SUMMARY
    • An effective security policy includes security requirements in the following areas:
      - Physical security
      - User ID and rights management
      - Systems
      - Network
      - Security tools
      - Auditing
    • There are a number of security-related certifications to help security professionals quantify their knowledge on a resume
    • Every security professional must stay current on the latest threats through web resources, mailing lists and printed materials