You must have read this famous quote:

“A security system with several layers is difficult to hack. So, even if your data is targeted, getting through the many tiers of security will be a hassle. The simplest of programs, such as free online email accounts, have multi-layered security, too. Even if accessing your accounts takes a few extra steps, it is still worth the effort, certainly better than losing your data. Using a firewall, making sure your antivirus software is updated, running antivirus checks frequently and updating your programs regularly are all part of maintaining your personal data security.” – Doug Theis, Innovative Integration, Inc.
INFORMATION SECURITY – 360°APPROACH
Harsh Arora Certified Information Security Professional
IT security in an organization requires a multilayered, top-to-bottom, structured approach covering all systems and employees of the organization.
All interaction points with the external environment, including vendors, customers and third-party systems, need to be secured.
IT security must be reviewed and upgraded on a continuous basis.
The following slides describe an integrated and structured methodology to secure an organization’s IT landscape.
Develop a Risk Management Framework
It involves:
- Categorizing information systems based on impact assessment
- Selecting an initial set of baseline security controls
- Implementing the security controls
- Assessing the security control implementation against the requirements
- Authorizing information system operation
- Monitoring the security controls
Multi-tiered Risk Management
A three-tier approach addresses risk at the:
- Organizational level
- Mission/business process level
- Information system level
Three Tiered Risk Management Approach
Security Categorization
It is the process of determining the security category for information or an information system. Organizations first determine the criticality and sensitivity of the information to be processed, stored, or transmitted by the information systems.
The generalized format for expressing the security category (SC) of an information system is:
DEFINE SECURITY CONTROL BASELINES
Baseline controls are the starting point for the security control selection process and are chosen based on the security category and associated impact level of the information systems. Information systems are categorized as low-impact, moderate-impact and high-impact.
Organizations can use the recommended priority code designation associated with each security control in the baselines to assist in making sequencing decisions for control implementation.
CREATING OVERLAYS
An overlay is a fully specified set of security controls, control enhancements, and supplemental guidance derived from the application of tailoring guidance. Overlays complement the initial security control baselines by:
(i) providing the opportunity to add or eliminate controls;
(ii) providing security control applicability and interpretations for specific information technologies, computing paradigms, environments of operation, types of information systems, types of missions/operations, operating modes, industry sectors, and statutory/regulatory requirements;
(iii) establishing community-wide parameter values for assignment and/or selection statements in security controls and control enhancements; and
(iv) extending the supplemental guidance for security controls, where necessary.
Applying Security Controls
A security control is a safeguard or countermeasure prescribed for an information system or an organization, designed to protect the confidentiality, integrity, and availability of its information and to meet a set of defined security requirements.
Security controls cover the entire spectrum of an organization, including access control, training, audit, configuration management, contingency planning, authentication, incident response, media protection, physical and environmental protection, etc.
SECURITY CONTROL DESIGNATIONS
Security controls are designated as one of three distinct types:
1. Common controls – security controls whose implementation results in a security capability that is inheritable by one or more organizational information systems.
2. System-specific controls – security controls applicable only to a specific system.
3. Hybrid controls – organizations assign a hybrid status to security controls when one part of the control is common and another part of the control is system-specific.
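The selection pipeline the Security Categorization, Define Security Control Baselines, Creating Overlays and Security Control Designations slides describe, worked through in code as an added example that is not part of the deck: it fills in the SC format with the FIPS 199 high-water-mark rule (which the deck does not spell out), selects the baseline for that level, tailors it with an overlay, and schedules only the controls the system owner must implement, ordered by priority code. The catalogue, control identifiers, priority codes, baseline memberships, overlay and sample system are all constructed for illustration and do not reproduce SP 800-53.

```python
"""Added worked example of RMF control selection; toy data, not SP 800-53."""
from dataclasses import dataclass

# FIPS 199 potential-impact values, ranked for the high-water-mark rule.
IMPACT_RANK = {"not applicable": 0, "low": 1, "moderate": 2, "high": 3}


def security_category(confidentiality, integrity, availability):
    """Return (SC, overall impact level) for an information system.

    FIPS 199 expresses SC as {(confidentiality, impact), (integrity, impact),
    (availability, impact)} and sets the system's overall impact level to the
    highest of the three (the high-water mark).  "not applicable" is allowed
    only for confidentiality (public information), never for I or A.
    """
    sc = {"confidentiality": confidentiality,
          "integrity": integrity,
          "availability": availability}
    for objective, level in sc.items():
        if level not in IMPACT_RANK:
            raise ValueError(f"unknown impact level {level!r} for {objective}")
        if level == "not applicable" and objective != "confidentiality":
            raise ValueError(f"{objective} impact cannot be 'not applicable'")
    overall = max(sc.values(), key=IMPACT_RANK.__getitem__)
    return sc, overall


@dataclass(frozen=True)
class Control:
    id: str
    family: str
    priority: str          # P1 is implemented before P2, P2 before P3
    baselines: frozenset   # impact levels whose baseline includes the control
    designation: str = "system-specific"   # common | hybrid | system-specific
    parameter: str = ""    # assignment statement the organization must fill


# Constructed toy catalogue: a few controls from the families the deck lists,
# with made-up identifiers, priority codes and baseline memberships.
ALL = frozenset({"low", "moderate", "high"})
MOD_HIGH = frozenset({"moderate", "high"})
CATALOGUE = [
    Control("AC-ACCOUNTS", "Access Control", "P1", ALL,
            parameter="disable inactive accounts after [time period]"),
    Control("AT-AWARENESS", "Training", "P1", ALL, designation="common"),
    Control("AU-EVENTS", "Audit", "P1", ALL),
    Control("AU-PROTECT-INFO", "Audit", "P2", frozenset({"high"})),
    Control("CM-BASELINE", "Configuration Management", "P1", ALL),
    Control("CP-BACKUP", "Contingency Planning", "P1", ALL,
            parameter="back up user-level information every [time period]"),
    Control("IA-MFA", "Authentication", "P1", MOD_HIGH),
    Control("IR-HANDLING", "Incident Response", "P1", ALL, designation="hybrid"),
    Control("MP-MARKING", "Media Protection", "P2", MOD_HIGH),
    Control("PE-VISITORS", "Physical and Environmental Protection", "P3",
            MOD_HIGH, designation="common"),
]
BY_ID = {c.id: c for c in CATALOGUE}


def select_baseline(impact_level):
    """Initial baseline: every control whose baseline set includes the level."""
    return {c.id for c in CATALOGUE if impact_level in c.baselines}


def apply_overlay(selected, overlay):
    """Tailor a baseline with an overlay that adds controls, eliminates
    controls and fixes community-wide values for assignment statements.
    Returns (tailored ids, parameter values, ids still lacking a value)."""
    tailored = (set(selected) | set(overlay.get("add", ()))) \
        - set(overlay.get("eliminate", ()))
    unknown = tailored - set(BY_ID)
    if unknown:
        raise KeyError(f"overlay names controls not in catalogue: {sorted(unknown)}")
    values = dict(overlay.get("parameters", {}))
    unassigned = sorted(cid for cid in tailored
                        if BY_ID[cid].parameter and cid not in values)
    return tailored, values, unassigned


def implementation_plan(tailored):
    """Split the tailored set by designation: common controls are inherited
    from the organization, so only system-specific and hybrid controls are
    scheduled, ordered by priority code and then by identifier."""
    owned = sorted((BY_ID[c] for c in tailored if BY_ID[c].designation != "common"),
                   key=lambda c: (c.priority, c.id))
    inherited = sorted(c for c in tailored if BY_ID[c].designation == "common")
    return [c.id for c in owned], inherited


# Constructed sample: an order-processing system holding customer data,
# hosted in a provider's data centre (so visitor control is out of scope).
SAMPLE_SC, SAMPLE_LEVEL = security_category("moderate", "high", "low")
SAMPLE_OVERLAY = {
    "eliminate": ["PE-VISITORS"],
    "parameters": {"AC-ACCOUNTS": "90 days"},
}

if __name__ == "__main__":
    print("SC =", SAMPLE_SC, "-> overall impact", SAMPLE_LEVEL)
    tailored, values, open_items = apply_overlay(select_baseline(SAMPLE_LEVEL),
                                                 SAMPLE_OVERLAY)
    plan, inherited = implementation_plan(tailored)
    print("implement in order:", plan)
    print("inherited common controls:", inherited)
    print("parameters still to assign:", open_items)
```

The unassigned-parameter list is the practical check to keep: a control selected from a baseline is not implementable until every assignment statement has a value, either from the overlay or from the system owner.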
Assurance Level of Information System
Assurance is the measure of confidence that the security features, practices, procedures, and architecture of an information system accurately mediate and enforce the security policy.
Organizations can use the Risk Management Framework (RMF) to ensure that the appropriate assurance levels are achieved for the information systems and system components deployed to carry out core missions and business functions.
Trustworthiness of Information System
Trustworthiness is the degree to which an information system (including the information technology components that are used to build the system) can be expected to preserve the confidentiality, integrity, and availability of the information being processed, stored, or transmitted by the system across the full range of threats.
A trustworthy information system is a system that is believed to be capable of operating within defined levels of risk despite the environmental disruptions, human errors, structural failures, and purposeful attacks that are expected to occur in its environment of operation.
Enhancing the Trustworthiness of Information System
There are a number of design, architectural, and implementation principles that, if used, can result in more trustworthy systems. These core security principles include, for example, simplicity, modularity, layering, domain isolation, least privilege, least functionality, and resource isolation/encapsulation.
Trustworthiness Model
Define Privacy Controls
Governments have enacted laws and guidelines to ensure the safety and confidentiality of private data.
Information systems must have the capabilities and protections needed to safeguard the private information of their stakeholders.
About The Author
Harsh Arora has more than 26 years of experience in Systems & Information Technology in the Process & Manufacturing Industry.
He has earned many certifications, including Certified Information Security Professional, PMP, Six Sigma & SAP.
INFORMATION SECURITY – 360°APPROACH
Harsh Arora Certified Information Security Professional

More Related Content

What's hot

Online Cab Booking (EpicRide 24x7)
Online Cab Booking (EpicRide 24x7)Online Cab Booking (EpicRide 24x7)
Online Cab Booking (EpicRide 24x7)
Shadan Khan
 
Telecom Customer Self Care
Telecom Customer Self CareTelecom Customer Self Care
Telecom Customer Self Care
InomeraResearch
 
Online Cab Booking System Final Report
Online Cab Booking System Final ReportOnline Cab Booking System Final Report
Online Cab Booking System Final Report
PiyushPatil73
 
Balanced Scorecard for MBA institute
Balanced Scorecard for MBA instituteBalanced Scorecard for MBA institute
Balanced Scorecard for MBA institute
dr m m bagali, phd in hr
 
Business model-canvas-blablacar
Business model-canvas-blablacarBusiness model-canvas-blablacar
Business model-canvas-blablacar
MohammadSajjadKooshk
 
Robotics Process Automation for Banking, Financial Services and Insurance (BF...
Robotics Process Automation for Banking, Financial Services and Insurance (BF...Robotics Process Automation for Banking, Financial Services and Insurance (BF...
Robotics Process Automation for Banking, Financial Services and Insurance (BF...
Datamatics Global Services Limited
 
360 Degree Customer View KPI
360 Degree Customer View KPI360 Degree Customer View KPI
360 Degree Customer View KPI
Sanjeev Sinha PMI-PBA®, CSM®
 
History of Google ppt
History of Google pptHistory of Google ppt
History of Google ppt
Sithi Nadesh Kumar Sakthivel
 
Intelligent automation appian sathya srinmivasan cwin18-utrecht
Intelligent automation appian sathya srinmivasan cwin18-utrechtIntelligent automation appian sathya srinmivasan cwin18-utrecht
Intelligent automation appian sathya srinmivasan cwin18-utrecht
Capgemini
 
Online parking
Online parkingOnline parking
Online parking
Sabaragamuwa University
 
Uber a modern age business strategy
Uber   a modern age business strategyUber   a modern age business strategy
Uber a modern age business strategy
Dhruvajyoti Roy
 
Flipkart marketing strategy
Flipkart marketing strategyFlipkart marketing strategy
Flipkart marketing strategy
Abhirup Lahiri
 
Robotic Process Automation for Financial Services
Robotic Process Automation for Financial ServicesRobotic Process Automation for Financial Services
Robotic Process Automation for Financial Services
Appian
 
Customer 360
Customer 360Customer 360
Customer 360
Dave Birckhead
 
Open Banking on AWS
Open Banking on AWSOpen Banking on AWS
Open Banking on AWS
Amazon Web Services
 
UBER CAB HISTORY AND SERVICE
UBER CAB HISTORY AND SERVICE UBER CAB HISTORY AND SERVICE
UBER CAB HISTORY AND SERVICE
DamodarDurgaPrasad
 
Integrating Communications into CRM
Integrating Communications into CRMIntegrating Communications into CRM
Integrating Communications into CRM
Twilio Inc
 
Amazon Integrated ERP by Group FiO
Amazon Integrated ERP by Group FiOAmazon Integrated ERP by Group FiO
Amazon Integrated ERP by Group FiO
Ravi Srinivasan
 
Web development company - Virginmind Technologies Company Profile
Web development company - Virginmind Technologies Company ProfileWeb development company - Virginmind Technologies Company Profile
Web development company - Virginmind Technologies Company Profile
Virginmind Technologies
 
IT-Serve.com | Best IT Service and Support Provider in Dubai
IT-Serve.com | Best IT Service and Support Provider in DubaiIT-Serve.com | Best IT Service and Support Provider in Dubai
IT-Serve.com | Best IT Service and Support Provider in Dubai
IT-Serve.com
 

What's hot (20)

Online Cab Booking (EpicRide 24x7)
Online Cab Booking (EpicRide 24x7)Online Cab Booking (EpicRide 24x7)
Online Cab Booking (EpicRide 24x7)
 
Telecom Customer Self Care
Telecom Customer Self CareTelecom Customer Self Care
Telecom Customer Self Care
 
Online Cab Booking System Final Report
Online Cab Booking System Final ReportOnline Cab Booking System Final Report
Online Cab Booking System Final Report
 
Balanced Scorecard for MBA institute
Balanced Scorecard for MBA instituteBalanced Scorecard for MBA institute
Balanced Scorecard for MBA institute
 
Business model-canvas-blablacar
Business model-canvas-blablacarBusiness model-canvas-blablacar
Business model-canvas-blablacar
 
Robotics Process Automation for Banking, Financial Services and Insurance (BF...
Robotics Process Automation for Banking, Financial Services and Insurance (BF...Robotics Process Automation for Banking, Financial Services and Insurance (BF...
Robotics Process Automation for Banking, Financial Services and Insurance (BF...
 
360 Degree Customer View KPI
360 Degree Customer View KPI360 Degree Customer View KPI
360 Degree Customer View KPI
 
History of Google ppt
History of Google pptHistory of Google ppt
History of Google ppt
 
Intelligent automation appian sathya srinmivasan cwin18-utrecht
Intelligent automation appian sathya srinmivasan cwin18-utrechtIntelligent automation appian sathya srinmivasan cwin18-utrecht
Intelligent automation appian sathya srinmivasan cwin18-utrecht
 
Online parking
Online parkingOnline parking
Online parking
 
Uber a modern age business strategy
Uber   a modern age business strategyUber   a modern age business strategy
Uber a modern age business strategy
 
Flipkart marketing strategy
Flipkart marketing strategyFlipkart marketing strategy
Flipkart marketing strategy
 
Robotic Process Automation for Financial Services
Robotic Process Automation for Financial ServicesRobotic Process Automation for Financial Services
Robotic Process Automation for Financial Services
 
Customer 360
Customer 360Customer 360
Customer 360
 
Open Banking on AWS
Open Banking on AWSOpen Banking on AWS
Open Banking on AWS
 
UBER CAB HISTORY AND SERVICE
UBER CAB HISTORY AND SERVICE UBER CAB HISTORY AND SERVICE
UBER CAB HISTORY AND SERVICE
 
Integrating Communications into CRM
Integrating Communications into CRMIntegrating Communications into CRM
Integrating Communications into CRM
 
Amazon Integrated ERP by Group FiO
Amazon Integrated ERP by Group FiOAmazon Integrated ERP by Group FiO
Amazon Integrated ERP by Group FiO
 
Web development company - Virginmind Technologies Company Profile
Web development company - Virginmind Technologies Company ProfileWeb development company - Virginmind Technologies Company Profile
Web development company - Virginmind Technologies Company Profile
 
IT-Serve.com | Best IT Service and Support Provider in Dubai
IT-Serve.com | Best IT Service and Support Provider in DubaiIT-Serve.com | Best IT Service and Support Provider in Dubai
IT-Serve.com | Best IT Service and Support Provider in Dubai
 

Similar to Information security - 360 Degree Approach

ESTABLISHING A FRAMEWORK FOR SECURITY AND CONTROL.pptx
ESTABLISHING A FRAMEWORK FOR SECURITY AND CONTROL.pptxESTABLISHING A FRAMEWORK FOR SECURITY AND CONTROL.pptx
ESTABLISHING A FRAMEWORK FOR SECURITY AND CONTROL.pptx
hamzaalkhairi802
 
Security policy case study
Security policy case studySecurity policy case study
Security policy case studyashu6
 
DR PANKAJ SIR (1).pptx
DR PANKAJ SIR (1).pptxDR PANKAJ SIR (1).pptx
DR PANKAJ SIR (1).pptx
AdityaMishra105898
 
The Three Major Goals of Cybersecurity for Business Organizations-precise tes...
The Three Major Goals of Cybersecurity for Business Organizations-precise tes...The Three Major Goals of Cybersecurity for Business Organizations-precise tes...
The Three Major Goals of Cybersecurity for Business Organizations-precise tes...
Precise Testing Solution
 
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...
abhichowdary16
 
Application Data Security | Seclore
Application Data Security | SecloreApplication Data Security | Seclore
Application Data Security | Seclore
Seclore
 
Security architecture, engineering and operations
Security architecture, engineering and operationsSecurity architecture, engineering and operations
Security architecture, engineering and operations
Piyush Jain
 
CompTIA CySA Domain 5 Compliance and Assessment.pptx
CompTIA CySA Domain 5 Compliance and Assessment.pptxCompTIA CySA Domain 5 Compliance and Assessment.pptx
CompTIA CySA Domain 5 Compliance and Assessment.pptx
Infosectrain3
 
Optimizing Security Operations: 5 Keys to Success
Optimizing Security Operations: 5 Keys to SuccessOptimizing Security Operations: 5 Keys to Success
Optimizing Security Operations: 5 Keys to Success
Sirius
 
Data security
Data securityData security
Data security
AbdulBasit938
 
18 Tips of IRM - Making IRM Work for You
18 Tips of IRM - Making IRM Work for You18 Tips of IRM - Making IRM Work for You
18 Tips of IRM - Making IRM Work for You
Secure Islands - Data Security Policy
 
Chapter 6 Security of Information and Cyber Security(FASS)
Chapter 6 Security of Information and Cyber Security(FASS)Chapter 6 Security of Information and Cyber Security(FASS)
Chapter 6 Security of Information and Cyber Security(FASS)
Md Shaifullar Rabbi
 
link - Security In Cloud-Based HRMS_ Everything You Need To Know (1).pdf
link - Security In Cloud-Based HRMS_ Everything You Need To Know (1).pdflink - Security In Cloud-Based HRMS_ Everything You Need To Know (1).pdf
link - Security In Cloud-Based HRMS_ Everything You Need To Know (1).pdf
leenadavis3
 
L3 RMF Phase 2 Categorize.pptx
L3 RMF Phase 2 Categorize.pptxL3 RMF Phase 2 Categorize.pptx
L3 RMF Phase 2 Categorize.pptx
StevenTharp2
 
Fundamentals of-information-security
Fundamentals of-information-security Fundamentals of-information-security
Fundamentals of-information-security
madunix
 
Vskills Certified Network Security Professional Sample Material
Vskills Certified Network Security Professional Sample MaterialVskills Certified Network Security Professional Sample Material
Vskills Certified Network Security Professional Sample Material
Vskills
 
Cyber Families - Incident Response.pptx
Cyber Families - Incident Response.pptxCyber Families - Incident Response.pptx
Cyber Families - Incident Response.pptx
Kinetic Potential
 
Infromation Assurance
Infromation AssuranceInfromation Assurance
Infromation Assurance
Akshay Pal
 

Similar to Information security - 360 Degree Approach (20)

ESTABLISHING A FRAMEWORK FOR SECURITY AND CONTROL.pptx
ESTABLISHING A FRAMEWORK FOR SECURITY AND CONTROL.pptxESTABLISHING A FRAMEWORK FOR SECURITY AND CONTROL.pptx
ESTABLISHING A FRAMEWORK FOR SECURITY AND CONTROL.pptx
 
Security policy case study
Security policy case studySecurity policy case study
Security policy case study
 
DR PANKAJ SIR (1).pptx
DR PANKAJ SIR (1).pptxDR PANKAJ SIR (1).pptx
DR PANKAJ SIR (1).pptx
 
The Three Major Goals of Cybersecurity for Business Organizations-precise tes...
The Three Major Goals of Cybersecurity for Business Organizations-precise tes...The Three Major Goals of Cybersecurity for Business Organizations-precise tes...
The Three Major Goals of Cybersecurity for Business Organizations-precise tes...
 
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...
 
Application Data Security | Seclore
Application Data Security | SecloreApplication Data Security | Seclore
Application Data Security | Seclore
 
Security architecture, engineering and operations
Security architecture, engineering and operationsSecurity architecture, engineering and operations
Security architecture, engineering and operations
 
CompTIA CySA Domain 5 Compliance and Assessment.pptx
CompTIA CySA Domain 5 Compliance and Assessment.pptxCompTIA CySA Domain 5 Compliance and Assessment.pptx
CompTIA CySA Domain 5 Compliance and Assessment.pptx
 
Information security
Information securityInformation security
Information security
 
Information security
Information securityInformation security
Information security
 
Optimizing Security Operations: 5 Keys to Success
Optimizing Security Operations: 5 Keys to SuccessOptimizing Security Operations: 5 Keys to Success
Optimizing Security Operations: 5 Keys to Success
 
Data security
Data securityData security
Data security
 
18 Tips of IRM - Making IRM Work for You
18 Tips of IRM - Making IRM Work for You18 Tips of IRM - Making IRM Work for You
18 Tips of IRM - Making IRM Work for You
 
Chapter 6 Security of Information and Cyber Security(FASS)
Chapter 6 Security of Information and Cyber Security(FASS)Chapter 6 Security of Information and Cyber Security(FASS)
Chapter 6 Security of Information and Cyber Security(FASS)
 
link - Security In Cloud-Based HRMS_ Everything You Need To Know (1).pdf
link - Security In Cloud-Based HRMS_ Everything You Need To Know (1).pdflink - Security In Cloud-Based HRMS_ Everything You Need To Know (1).pdf
link - Security In Cloud-Based HRMS_ Everything You Need To Know (1).pdf
 
L3 RMF Phase 2 Categorize.pptx
L3 RMF Phase 2 Categorize.pptxL3 RMF Phase 2 Categorize.pptx
L3 RMF Phase 2 Categorize.pptx
 
Fundamentals of-information-security
Fundamentals of-information-security Fundamentals of-information-security
Fundamentals of-information-security
 
Vskills Certified Network Security Professional Sample Material
Vskills Certified Network Security Professional Sample MaterialVskills Certified Network Security Professional Sample Material
Vskills Certified Network Security Professional Sample Material
 
Cyber Families - Incident Response.pptx
Cyber Families - Incident Response.pptxCyber Families - Incident Response.pptx
Cyber Families - Incident Response.pptx
 
Infromation Assurance
Infromation AssuranceInfromation Assurance
Infromation Assurance
 

Recently uploaded

Bitcoin Lightning wallet and tic-tac-toe game XOXO
Bitcoin Lightning wallet and tic-tac-toe game XOXOBitcoin Lightning wallet and tic-tac-toe game XOXO
Bitcoin Lightning wallet and tic-tac-toe game XOXO
Matjaž Lipuš
 
Supercharge your AI - SSP Industry Breakout Session 2024-v2_1.pdf
Supercharge your AI - SSP Industry Breakout Session 2024-v2_1.pdfSupercharge your AI - SSP Industry Breakout Session 2024-v2_1.pdf
Supercharge your AI - SSP Industry Breakout Session 2024-v2_1.pdf
Access Innovations, Inc.
 
Eureka, I found it! - Special Libraries Association 2021 Presentation
Eureka, I found it! - Special Libraries Association 2021 PresentationEureka, I found it! - Special Libraries Association 2021 Presentation
Eureka, I found it! - Special Libraries Association 2021 Presentation
Access Innovations, Inc.
 
Getting started with Amazon Bedrock Studio and Control Tower
Getting started with Amazon Bedrock Studio and Control TowerGetting started with Amazon Bedrock Studio and Control Tower
Getting started with Amazon Bedrock Studio and Control Tower
Vladimir Samoylov
 
Competition and Regulation in Professional Services – KLEINER – June 2024 OEC...
Competition and Regulation in Professional Services – KLEINER – June 2024 OEC...Competition and Regulation in Professional Services – KLEINER – June 2024 OEC...
Competition and Regulation in Professional Services – KLEINER – June 2024 OEC...
OECD Directorate for Financial and Enterprise Affairs
 
International Workshop on Artificial Intelligence in Software Testing
International Workshop on Artificial Intelligence in Software TestingInternational Workshop on Artificial Intelligence in Software Testing
International Workshop on Artificial Intelligence in Software Testing
Sebastiano Panichella
 
Media as a Mind Controlling Strategy In Old and Modern Era
Media as a Mind Controlling Strategy In Old and Modern EraMedia as a Mind Controlling Strategy In Old and Modern Era
Media as a Mind Controlling Strategy In Old and Modern Era
faizulhassanfaiz1670
 
Obesity causes and management and associated medical conditions
Obesity causes and management and associated medical conditionsObesity causes and management and associated medical conditions
Obesity causes and management and associated medical conditions
Faculty of Medicine And Health Sciences
 
Acorn Recovery: Restore IT infra within minutes
Acorn Recovery: Restore IT infra within minutesAcorn Recovery: Restore IT infra within minutes
Acorn Recovery: Restore IT infra within minutes
IP ServerOne
 
María Carolina Martínez - eCommerce Day Colombia 2024
María Carolina Martínez - eCommerce Day Colombia 2024María Carolina Martínez - eCommerce Day Colombia 2024
María Carolina Martínez - eCommerce Day Colombia 2024
eCommerce Institute
 
Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives...
Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives...Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives...
Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives...
Orkestra
 
0x01 - Newton's Third Law: Static vs. Dynamic Abusers
0x01 - Newton's Third Law:  Static vs. Dynamic Abusers0x01 - Newton's Third Law:  Static vs. Dynamic Abusers
0x01 - Newton's Third Law: Static vs. Dynamic Abusers
OWASP Beja
 
somanykidsbutsofewfathers-140705000023-phpapp02.pptx
somanykidsbutsofewfathers-140705000023-phpapp02.pptxsomanykidsbutsofewfathers-140705000023-phpapp02.pptx
somanykidsbutsofewfathers-140705000023-phpapp02.pptx
Howard Spence
 
Gregory Harris' Civics Presentation.pptx
Gregory Harris' Civics Presentation.pptxGregory Harris' Civics Presentation.pptx
Gregory Harris' Civics Presentation.pptx
gharris9
 
Announcement of 18th IEEE International Conference on Software Testing, Verif...
Announcement of 18th IEEE International Conference on Software Testing, Verif...Announcement of 18th IEEE International Conference on Software Testing, Verif...
Announcement of 18th IEEE International Conference on Software Testing, Verif...
Sebastiano Panichella
 
Bonzo subscription_hjjjjjjjj5hhhhhhh_2024.pdf
Bonzo subscription_hjjjjjjjj5hhhhhhh_2024.pdfBonzo subscription_hjjjjjjjj5hhhhhhh_2024.pdf
Bonzo subscription_hjjjjjjjj5hhhhhhh_2024.pdf
khadija278284
 
Doctoral Symposium at the 17th IEEE International Conference on Software Test...
Doctoral Symposium at the 17th IEEE International Conference on Software Test...Doctoral Symposium at the 17th IEEE International Conference on Software Test...
Doctoral Symposium at the 17th IEEE International Conference on Software Test...
Sebastiano Panichella
 

Recently uploaded (17)

Bitcoin Lightning wallet and tic-tac-toe game XOXO
Bitcoin Lightning wallet and tic-tac-toe game XOXOBitcoin Lightning wallet and tic-tac-toe game XOXO
Bitcoin Lightning wallet and tic-tac-toe game XOXO
 
Supercharge your AI - SSP Industry Breakout Session 2024-v2_1.pdf
Supercharge your AI - SSP Industry Breakout Session 2024-v2_1.pdfSupercharge your AI - SSP Industry Breakout Session 2024-v2_1.pdf
Supercharge your AI - SSP Industry Breakout Session 2024-v2_1.pdf
 
Eureka, I found it! - Special Libraries Association 2021 Presentation
Eureka, I found it! - Special Libraries Association 2021 PresentationEureka, I found it! - Special Libraries Association 2021 Presentation
Eureka, I found it! - Special Libraries Association 2021 Presentation
 
Getting started with Amazon Bedrock Studio and Control Tower
Getting started with Amazon Bedrock Studio and Control TowerGetting started with Amazon Bedrock Studio and Control Tower
Getting started with Amazon Bedrock Studio and Control Tower
 
Competition and Regulation in Professional Services – KLEINER – June 2024 OEC...
Competition and Regulation in Professional Services – KLEINER – June 2024 OEC...Competition and Regulation in Professional Services – KLEINER – June 2024 OEC...
Competition and Regulation in Professional Services – KLEINER – June 2024 OEC...
 
International Workshop on Artificial Intelligence in Software Testing
International Workshop on Artificial Intelligence in Software TestingInternational Workshop on Artificial Intelligence in Software Testing
International Workshop on Artificial Intelligence in Software Testing
 
Media as a Mind Controlling Strategy In Old and Modern Era
Media as a Mind Controlling Strategy In Old and Modern EraMedia as a Mind Controlling Strategy In Old and Modern Era
Media as a Mind Controlling Strategy In Old and Modern Era
 
Obesity causes and management and associated medical conditions
Obesity causes and management and associated medical conditionsObesity causes and management and associated medical conditions
Obesity causes and management and associated medical conditions
 
Acorn Recovery: Restore IT infra within minutes
Acorn Recovery: Restore IT infra within minutesAcorn Recovery: Restore IT infra within minutes
Acorn Recovery: Restore IT infra within minutes
 
María Carolina Martínez - eCommerce Day Colombia 2024
María Carolina Martínez - eCommerce Day Colombia 2024María Carolina Martínez - eCommerce Day Colombia 2024
María Carolina Martínez - eCommerce Day Colombia 2024
 
Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives...
Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives...Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives...
Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives...
 
0x01 - Newton's Third Law: Static vs. Dynamic Abusers
0x01 - Newton's Third Law:  Static vs. Dynamic Abusers0x01 - Newton's Third Law:  Static vs. Dynamic Abusers
0x01 - Newton's Third Law: Static vs. Dynamic Abusers
 
somanykidsbutsofewfathers-140705000023-phpapp02.pptx
somanykidsbutsofewfathers-140705000023-phpapp02.pptxsomanykidsbutsofewfathers-140705000023-phpapp02.pptx
somanykidsbutsofewfathers-140705000023-phpapp02.pptx
 
Gregory Harris' Civics Presentation.pptx
Gregory Harris' Civics Presentation.pptxGregory Harris' Civics Presentation.pptx
Gregory Harris' Civics Presentation.pptx
 
Announcement of 18th IEEE International Conference on Software Testing, Verif...
Announcement of 18th IEEE International Conference on Software Testing, Verif...Announcement of 18th IEEE International Conference on Software Testing, Verif...
Announcement of 18th IEEE International Conference on Software Testing, Verif...
 
Bonzo subscription_hjjjjjjjj5hhhhhhh_2024.pdf
Bonzo subscription_hjjjjjjjj5hhhhhhh_2024.pdfBonzo subscription_hjjjjjjjj5hhhhhhh_2024.pdf
Bonzo subscription_hjjjjjjjj5hhhhhhh_2024.pdf
 
Doctoral Symposium at the 17th IEEE International Conference on Software Test...
Doctoral Symposium at the 17th IEEE International Conference on Software Test...Doctoral Symposium at the 17th IEEE International Conference on Software Test...
Doctoral Symposium at the 17th IEEE International Conference on Software Test...
 

Information security - 360 Degree Approach

  • 1. You must have read a famous quote “A security system with several layers is difficult to hack. So, even if your data is targeted, getting through the many tiers of security will be a hassle. The simplest of programs, such as free online email accounts, have multi- layered security, too. Even if accessing your accounts takes a few extra steps, it is still worth the effort, certainly better than losing your data. Using a firewall, making sure your antivirus software is updated, running antivirus checks frequently and updating your programs regularly are all part of maintaining your personal data security.” – Doug Theis, Innovative Integration, Inc. INFORMATION SECURITY – 360°APPROACH Harsh Arora Certified Information Security Professional
  • 2. IT Security in an organization requires multilayered, top to bottom, structured approach covering all systems and employees of the organization. All interaction points with the external environment including vendors, customers, third party systems etc need to be secured. IT Security must be reviewed and upgraded on continuous basis. Following slides describe an integrated and structured methodology to secure Organization’s IT Landscape INFORMATION SECURITY – 360°APPROACH Harsh Arora Certified Information Security Professional
  • 3. Develop Risk Management Framework It involves - Categorization of Information Systems based on impact assessment - Select initial level of baseline Security Controls - Implement the Security Controls - Assess the security control implementation with respect to requirement - Authorize Information System Operation - Monitor the Security Controls INFORMATION SECURITY – 360°APPROACH Harsh Arora Certified Information Security Professional
  • 4. Multi-tiered Risk Management. A three-tier approach to address risk at:
    - Organizational level
    - Mission/business process level
    - Information system level
  • 5. Three-Tiered Risk Management Approach (diagram)
  • 6. Security Categorization. This is the process of determining the security category for information or an information system. Organizations first determine the criticality and sensitivity of the information to be processed, stored, or transmitted by the information system. The generalized format for expressing the security category (SC) of an information system is:
  • 7. Define Security Control Baselines. Baseline controls are the starting point for the security control selection process and are chosen based on the security category and associated impact level of the information system. Information systems are categorized as low-impact, moderate-impact, or high-impact. Organizations can use the recommended priority code designation associated with each security control in the baselines to assist in making sequencing decisions for control implementation.
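The categorization and baseline-selection steps of slides 6 and 7, as an added example that is not part of the original deck. The SC format on slide 6 was a figure, so the code assumes the FIPS 199 convention: one impact level per security objective (confidentiality, integrity, availability), taken as the high-water mark across all information types the system handles, and the overall impact level as the high-water mark across the three objectives; the information system and its information types are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List

# Impact levels ordered so that max() yields the high-water mark.
IMPACT_ORDER = {"low": 1, "moderate": 2, "high": 3}


@dataclass
class InfoType:
    """One kind of information the system processes, stores or transmits.
    Confidentiality may be "n/a" for public information (FIPS 199 allows
    this for an information type, never for a whole system)."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


def high_water_mark(levels: List[str]) -> str:
    """Highest impact among the given levels. 'n/a' entries are ignored;
    if nothing is rated, the system-level floor is 'low'."""
    rated = [lvl for lvl in levels if lvl != "n/a"]
    if not rated:
        return "low"
    return max(rated, key=IMPACT_ORDER.__getitem__)


def categorize_system(info_types: List[InfoType]) -> Dict[str, str]:
    """Security category of the system: per objective, the high-water mark
    across every information type it handles (slide 6)."""
    return {
        "confidentiality": high_water_mark([t.confidentiality for t in info_types]),
        "integrity": high_water_mark([t.integrity for t in info_types]),
        "availability": high_water_mark([t.availability for t in info_types]),
    }


def impact_level(sc: Dict[str, str]) -> str:
    """Overall impact level = high-water mark over C, I and A."""
    return max(sc.values(), key=IMPACT_ORDER.__getitem__)


def select_baseline(sc: Dict[str, str]) -> str:
    """Map the overall impact level to the starting control baseline (slide 7)."""
    return f"{impact_level(sc)}-impact baseline"


# Constructed sample: a customer order portal handling two information types.
ORDER_PORTAL = [
    InfoType("public product catalogue", "n/a", "low", "low"),
    InfoType("customer payment records", "moderate", "moderate", "low"),
]

if __name__ == "__main__":
    sc = categorize_system(ORDER_PORTAL)
    print(sc, "->", select_baseline(sc))
```

Note that a single high-impact information type raises the whole system to the high-impact baseline, which is why scoping what a system processes is done before selecting controls.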
  • 8. Creating Overlays. An overlay is a fully specified set of security controls, control enhancements, and supplemental guidance derived from the application of tailoring guidance. Overlays complement the initial security control baselines by:
    (i) providing the opportunity to add or eliminate controls;
    (ii) providing security control applicability and interpretations for specific information technologies, computing paradigms, environments of operation, types of information systems, types of missions/operations, operating modes, industry sectors, and statutory/regulatory requirements;
    (iii) establishing community-wide parameter values for assignment and/or selection statements in security controls and control enhancements; and
    (iv) extending the supplemental guidance for security controls, where necessary.
  • 9. Applying Security Controls. A security control is a safeguard or countermeasure prescribed for an information system or an organization, designed to protect the confidentiality, integrity, and availability of its information and to meet a set of defined security requirements. Security controls cover the entire spectrum of an organization, including access control, training, audit, configuration management, contingency planning, authentication, incident response, media protection, physical and environmental protection, etc.
  • 10. Security Control Designations. Security controls are designated in three distinct types:
    1. Common controls – security controls whose implementation results in a security capability that is inheritable by one or more organizational information systems.
    2. System-specific controls – security controls applicable only to a specific information system.
    3. Hybrid controls – organizations assign a hybrid status to security controls when one part of the control is common and another part is system-specific.
  • 11. Assurance Level of an Information System. Assurance is the measure of confidence that the security features, practices, procedures, and architecture of an information system accurately mediate and enforce the security policy. Organizations can use the Risk Management Framework (RMF) to ensure that the appropriate assurance levels are achieved for the information systems and system components deployed to carry out core missions and business functions.
  • 12. Trustworthiness of an Information System. Trustworthiness is the degree to which an information system (including the information technology components that are used to build the system) can be expected to preserve the confidentiality, integrity, and availability of the information being processed, stored, or transmitted by the system across the full range of threats. A trustworthy information system is a system that is believed to be capable of operating within defined levels of risk despite the environmental disruptions, human errors, structural failures, and purposeful attacks that are expected to occur in its environment of operation.
  • 13. Enhancing the Trustworthiness of an Information System. There are a number of design, architectural, and implementation principles that, if used, can result in more trustworthy systems. These core security principles include, for example, simplicity, modularity, layering, domain isolation, least privilege, least functionality, and resource isolation/encapsulation.
  • 14. Trustworthiness Model (diagram)
  • 15. Define Privacy Controls. Governments have made laws and guidelines to ensure the safety and confidentiality of private data. Information systems must have capabilities and protections to safeguard the private information of their stakeholders.
  • 16. About the Author. Harsh Arora has more than 26 years of experience in systems and information technology in the process and manufacturing industry. He holds several certifications, including Certified Information Security Professional, PMP, Six Sigma and SAP.