Information Systems 365/765
Information Systems Security and Strategy
Lecture 2
Introduction to Information Security
Information Security Defined

Protecting information and information systems from
unauthorized access, use, disclosure, disruption,
modification, or destruction. Information security is
concerned with the confidentiality, integrity and
availability of data regardless of the form the data
may take: electronic, print, or other forms.
Why Study Information Security in the School of Business?
• Businesses collect mass amounts of data
  about their customers, employees, and
  competitors
• Most of this data is stored on computers
  and transmitted across networks
• If this information should fall into the
  hands of a competitor, the result could
  be loss of business, lawsuits and
  bankruptcy
• Protecting corporate data is no longer an
  option, it is a requirement
What Types of Jobs Do Information Security Professionals Hold?
• Information Systems Auditor
• Business Continuity and
  Disaster Recovery Planning
  and Implementation
• Digital Forensics
• Infrastructure Design
• Business Integration
History of Information Security

• Throughout history, confidentiality
  of information has always played a
  key role in military conflict
• Confidentiality
• Tampering
• Authenticity
• Physical protection
• Background checks
• Encryption
Key Concept of Information Security. The single most
important slide in this course!
Confidentiality, Integrity, Availability (CIA Triad)
Confidentiality
Confidentiality is the process of
preventing disclosure of
information to unauthorized
individuals or systems.

Examples: credit cards, shoulder surfing, laptop theft

Confidentiality is necessary, but not
sufficient to maintain privacy
Integrity
Integrity means that data cannot be modified
without authorization.

Examples: Manual deletion or alteration of
important data files, virus infection, an employee
altering their own salary, website vandalism,
polling fraud

In information security, the term "data
integrity" should not be confused with
database referential integrity.
Availability
For any information system to serve its purpose,
the information must be available when it is
needed. This means that the computing systems
used to store and process the information, the
security controls used to protect it, and the
communication channels used to access it must be
functioning correctly.

Examples: Power outages, Hardware failures,
System upgrades and Preventing denial-of-service
attacks
Authenticity
In computing, e-Business and
information security it is necessary
to ensure that the data,
transactions, communications or
documents (electronic or physical)
are genuine (i.e. they have not been
forged or fabricated.)

Examples: Passports, credit card accounts,
academic transcripts
Non-Repudiation
Non-Repudiation is a complex term used to
describe the lack of deniability of ownership
of a message, piece of data, or transaction.

Examples: Proof of an ATM
transaction, a stock trade, or an
email
Strong Information Security = Solid Risk Management
Proper Risk Management involves understanding and
controlling risks, vulnerabilities and threats.

Risk is the likelihood that something bad will happen
that causes harm or loss of an informational asset.

Vulnerability is a weakness that could be used to
endanger or cause harm to an informational asset.

Threat is anything deliberate or random and
unanticipated that has the potential to cause harm.
Risk Management
The likelihood that a threat will use a
vulnerability to cause harm creates a risk.

When a threat does use a vulnerability to
inflict harm, it has an impact.

In the context of information security, the impact is
a loss of availability, integrity, and confidentiality,
and possibly other losses (lost income, loss of life,
loss of real property).

It should be pointed out that it is not possible to
identify all risks, nor is it possible to eliminate all
risk. The remaining risk is called residual risk.
Risk Assessment
A risk assessment is a formal project carried out by a
team of people who have knowledge of specific areas of
the business. Membership of the team may vary over time
as different parts of the business are assessed.

The assessment may use a subjective qualitative analysis
based on informed opinion, or, where reliable dollar
figures and historical information are available, the
analysis may use quantitative analysis as well.
Components of a Risk Assessment
• Security policy
• Organization of information security
• Asset management
• Human resources security
• Physical and environmental security
• Communications and operations management
• Access control, logical and physical
• Information systems acquisition and lifecycle management
• Development and maintenance
• Information security incident management
• Business continuity management
• Regulatory compliance
Risk Management Process
Identification of assets and estimating their value.
Include: people, buildings, hardware, software,
data (electronic, print, other), supplies.

Conduct a threat assessment. Include: acts of
nature, acts of war, accidents, malicious acts
originating from inside or outside the organization.

Conduct a vulnerability assessment, and for each
vulnerability, calculate the probability that it will be
exploited. Evaluate policies, procedures, standards,
training, physical security, quality control and
technical security.
Risk Management Process
Calculate the impact that each threat
would have on each asset. Use qualitative
analysis or quantitative analysis.

Identify, select and implement
appropriate controls. Provide a
proportional response. Consider
productivity, cost effectiveness, and value
of the asset.

Evaluate the effectiveness of the control
measures. Ensure the controls provide the
required cost effective protection without
discernible loss of productivity.
Risk Remedies
For any given risk, you may choose to:

Accept the risk based upon the relative low value
of the asset, the relative low frequency of
occurrence, and the relative low impact on the
business.

Mitigate the risk by selecting and implementing
appropriate control measures to reduce the risk.

Transfer the risk to another business by buying
insurance or out-sourcing to another business.

Deny the risk, which is obviously dangerous
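A worked walk-through of the process and remedies above, added here as an illustration and not part of the lecture: the asset values, probabilities, exposure fractions, control costs and insurance premium are all constructed figures, and the loss formula (impact times annual probability) and the accept/mitigate/transfer thresholds are one simple quantitative scheme chosen for the example.

```python
"""Quantitative walk-through of the risk management process on these slides.

Constructed example (not from the lecture): every asset value, probability,
exposure fraction, control cost and insurance premium below is made up.
Annual expected loss = impact (asset value x fraction lost) x probability
per year that a threat exploits a vulnerability. A control is kept only when
the loss it avoids exceeds its cost, and each threat is mapped onto the
slide's remedies: accept, mitigate or transfer.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Asset:
    name: str
    value: float  # dollar value to the business (constructed figure)


@dataclass(frozen=True)
class Threat:
    name: str
    asset: Asset
    annual_probability: float  # chance per year the threat exploits the vulnerability
    exposure: float            # fraction of the asset's value lost when it does (0..1)

    def impact(self) -> float:
        """Loss suffered on a single occurrence."""
        return self.asset.value * self.exposure

    def annual_expected_loss(self) -> float:
        """Impact weighted by how often it is expected to happen."""
        return self.impact() * self.annual_probability


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    probability_reduction: float  # fraction by which the control lowers likelihood (0..1)

    def loss_avoided(self, threat: Threat) -> float:
        return threat.annual_expected_loss() * self.probability_reduction

    def is_cost_effective(self, threat: Threat) -> bool:
        """The slide's 'proportional response': spend less than you save."""
        return self.loss_avoided(threat) > self.annual_cost


def choose_remedy(threat: Threat, control: Optional[Control],
                  accept_threshold: float,
                  insurance_premium: Optional[float] = None) -> str:
    """Pick accept / mitigate / transfer for one threat.

    accept_threshold is the annual loss management is willing to carry;
    anything above it is mitigated (if a cost-effective control exists) or
    transferred (if insuring it is cheaper than carrying it). Whatever can
    be handled neither way stays on the register as residual risk.
    """
    ael = threat.annual_expected_loss()
    if ael <= accept_threshold:
        return "accept"
    if control is not None and control.is_cost_effective(threat):
        return "mitigate"
    if insurance_premium is not None and insurance_premium < ael:
        return "transfer"
    return "accept (residual)"


# --- constructed sample register -------------------------------------------
CUSTOMER_DB = Asset("customer database", 500_000)
SALES_LAPTOP = Asset("sales laptop", 2_000)

THREATS: Dict[str, Threat] = {
    "laptop theft": Threat("laptop theft", SALES_LAPTOP, 0.30, 1.00),
    "database breach": Threat("database breach via unpatched server", CUSTOMER_DB, 0.05, 0.40),
    "power outage": Threat("power outage", CUSTOMER_DB, 0.50, 0.01),
}

CONTROLS: Dict[str, Control] = {
    "laptop theft": Control("cable locks and disk encryption", 50, 0.50),
    "database breach": Control("patch management", 3_000, 0.80),
    "power outage": Control("UPS and generator", 4_000, 0.90),
}

INSURANCE_PREMIUM = {"power outage": 1_500}  # constructed insurance quote
ACCEPT_THRESHOLD = 1_000                      # constructed risk appetite (dollars/year)


def build_register() -> Dict[str, str]:
    """Remedy chosen for every threat in the sample register."""
    return {
        key: choose_remedy(t, CONTROLS.get(key), ACCEPT_THRESHOLD,
                           INSURANCE_PREMIUM.get(key))
        for key, t in THREATS.items()
    }


if __name__ == "__main__":
    register = build_register()
    for key, t in THREATS.items():
        print(f"{t.name:40s} AEL=${t.annual_expected_loss():>9,.0f} -> {register[key]}")
```

Note how the laptop theft is accepted even though a cheap control exists: the expected loss is already under the appetite, so the slide's "relative low value, frequency and impact" criterion applies before cost-effectiveness is considered.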
Information Security Controls

When Management chooses to
mitigate a risk, they will do so
by implementing one or more of
three different types of controls

• Administrative Controls
• Logical/Technical Controls
• Physical Controls
Administrative Controls
Consist of approved written policies, procedures,
standards and guidelines.

Administrative controls form the framework for
running the business and managing people.

They inform people on how the business is to be run and
how day to day operations are to be conducted.

Laws and regulations created by government bodies are
also a type of administrative control, such as PCI, HIPAA,
FERPA and SOX

Other examples of administrative controls include the
corporate security policy, password policy, hiring policies,
and disciplinary policies.
Separation of Duties is the most important and often
overlooked physical control
Separation of duties ensures that an individual cannot
complete a critical task by themselves.

For example: an employee who submits a request for
reimbursement should not also be able to authorize
payment or print the check.

An applications programmer should not also be the
server administrator or the database administrator.

These roles and responsibilities must be separated
from one another.
Logical Controls

Logical controls (also called technical
controls) consist of software and
data to monitor and control access
to information and computing
systems.

For example: passwords, network
and host based firewalls, network
intrusion detection systems, access
control lists, and data encryption are
logical controls.
The Principle of Least Privilege is the most important
and often overlooked logical control in IS
The principle of least privilege requires that an individual,
program or system process is not granted any more access
privileges than are necessary to perform the task.

A blatant example of the failure to adhere to the principle
of least privilege is logging into Windows as user
Administrator to read email and surf the Web.

Violations of this principle can also occur when an
individual:
• Collects additional access privileges over time
• Has their job duties change (promotion, new position, etc.)
• Is promoted to a new position, or transfers to another
  department

Examine and adjust access rights for ALL employees on a
regular basis.
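The two slides above (separation of duties and least privilege) are both checked by the periodic access review they call for. The following is an added illustration, not code from the lecture: the roles, entitlement names, conflict pairs and users are constructed, and `transfer` shows the habit that prevents privilege creep on a job change.

```python
"""Access review covering the two controls on these slides: separation of
duties and least privilege (privilege creep after a job change).

Constructed example, not from the lecture: the roles, entitlements, conflict
pairs and users below are made up. Two checks run over the same data:
  1. separation of duties: nobody may hold both halves of a conflicting pair
     (submit a reimbursement AND approve it, or write application code AND
     administer the server it runs on);
  2. least privilege: a user's entitlements must be a subset of what their
     current role needs; anything extra is usually left over from a
     previous position and should be removed.
"""
from typing import Dict, List, Set, Tuple

# Entitlements each role needs to do its job (constructed)
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "employee":         {"email.read", "expense.submit"},
    "finance_approver": {"email.read", "expense.approve"},
    "accounts_payable": {"email.read", "check.print"},
    "app_developer":    {"email.read", "repo.write", "build.run"},
    "server_admin":     {"email.read", "server.root"},
    "dba":              {"email.read", "db.admin"},
}

# Entitlement pairs one person must never hold together (constructed)
SOD_CONFLICTS: List[Tuple[str, str]] = [
    ("expense.submit", "expense.approve"),
    ("expense.approve", "check.print"),
    ("repo.write", "server.root"),
    ("repo.write", "db.admin"),
]

# Current state of the directory: user -> (current role, granted entitlements).
# bob was granted approval rights on top of his own submit right; carol kept
# her repository access when she moved from development to server admin.
USERS: Dict[str, Tuple[str, Set[str]]] = {
    "alice": ("finance_approver", {"email.read", "expense.approve"}),
    "bob":   ("employee",         {"email.read", "expense.submit", "expense.approve"}),
    "carol": ("server_admin",     {"email.read", "server.root", "repo.write"}),
    "dave":  ("app_developer",    {"email.read", "repo.write", "build.run"}),
}


def sod_violations(entitlements: Set[str]) -> List[Tuple[str, str]]:
    """Conflicting pairs that are both present in one person's entitlements."""
    return [(a, b) for a, b in SOD_CONFLICTS if a in entitlements and b in entitlements]


def excess_privileges(role: str, entitlements: Set[str]) -> List[str]:
    """Entitlements the current role does not need (least-privilege check)."""
    return sorted(entitlements - ROLE_ENTITLEMENTS[role])


def access_review(users: Dict[str, Tuple[str, Set[str]]] = USERS) -> Dict[str, dict]:
    """Run both checks over every user; only users with findings are returned."""
    findings: Dict[str, dict] = {}
    for user, (role, ents) in users.items():
        sod = sod_violations(ents)
        extra = excess_privileges(role, ents)
        if sod or extra:
            findings[user] = {"sod": sod, "excess": extra}
    return findings


def transfer(users: Dict[str, Tuple[str, Set[str]]], user: str, new_role: str) -> Set[str]:
    """Handle a promotion or transfer the right way: rebuild entitlements from
    the new role instead of adding to the old ones, so nothing accumulates."""
    new_ents = set(ROLE_ENTITLEMENTS[new_role])
    users[user] = (new_role, new_ents)
    return new_ents


if __name__ == "__main__":
    for user, finding in access_review().items():
        print(user, finding)
```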
Physical Controls
Physical controls monitor and control the
environment of the work place and computing
facilities. They also monitor and control access to
and from such facilities.

For example: doors, locks, heating and air
conditioning, smoke and fire alarms, fire
suppression systems, cameras, barricades,
fencing, security guards, cable locks, etc.

Separating the network and work place into
functional areas is also a physical control.
Security Classification of Information
An important aspect of information security and
risk management is recognizing the value of
information and defining appropriate procedures
and protection requirements for the information.
Not all information is equal and so not all
information requires the same degree of
protection. This requires information to be
assigned a security classification.
Security Classification of Information
1. Identify a member of senior management as the
owner of the particular information to be
classified.

2. Develop a classification policy. The policy
should describe the different classification
labels, define the criteria for information to be
assigned a particular label, and list the required
security controls for each classification.
Security Classification of Information
Some factors that influence which classification
information should be assigned include:
• How much value that information has to the
  organization
• How old the information is and whether or not
  the information has become obsolete
• Laws and other regulatory requirements are also
  important considerations when classifying
  information
Information Security Classification Labels

Common information security classification labels
used by the business sector are:
• Public
• Sensitive
• Private
• Confidential
Information Security Classification Labels
All employees in the organization, as well
as business partners, must be trained on
the classification schema and understand
the required security controls and handling
procedures for each classification.

The classification a particular information
asset has been assigned should be
reviewed periodically to ensure the
classification is still appropriate for the
information and to ensure the security
controls required by the classification are
in place.
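The classification procedure on the last four slides (owner, policy with labels, criteria and required controls, periodic review) expressed as policy-as-code. This is an added illustration, not material from the lecture: the four labels are the ones the slides list, while the value scale, the five-year obsolescence rule, the control sets per label and the yearly review interval are constructed policy choices.

```python
"""Classification policy as code for the procedure on these slides: an owner
per asset, a policy that defines the labels, the criteria for assigning
them and the controls each label requires, and a periodic review.

Constructed example, not from the lecture: the four labels are the ones the
slides list; the value scale, the age at which information is treated as
obsolete, the control sets and the review interval are made-up policy
choices that illustrate the mechanism.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Set

LABELS = ["Public", "Sensitive", "Private", "Confidential"]  # lowest to highest

REQUIRED_CONTROLS: Dict[str, Set[str]] = {
    "Public":       set(),
    "Sensitive":    {"access_control"},
    "Private":      {"access_control", "encryption_at_rest"},
    "Confidential": {"access_control", "encryption_at_rest",
                     "encryption_in_transit", "audit_logging"},
}
OBSOLETE_AFTER = timedelta(days=5 * 365)  # constructed: downgrade one level after 5 years
REVIEW_INTERVAL = timedelta(days=365)     # constructed: re-check every label yearly


@dataclass
class InfoAsset:
    name: str
    owner: str             # senior manager accountable for the classification
    value_to_org: int      # 0 (none) .. 3 (critical); constructed scale
    created: date
    regulated: bool        # subject to a law or regulation (the slides' PCI, HIPAA, ...)
    assigned_label: str
    controls_in_place: Set[str]
    last_reviewed: date


def expected_label(asset: InfoAsset, today: date) -> str:
    """Apply the three factors on the slides: value, age, regulation."""
    level = max(0, min(asset.value_to_org, 3))
    if today - asset.created > OBSOLETE_AFTER and not asset.regulated:
        level = max(level - 1, 0)  # obsolete information needs less protection
    if asset.regulated:
        level = max(level, LABELS.index("Confidential"))  # regulation sets a floor
    return LABELS[level]


def review(asset: InfoAsset, today: date) -> List[str]:
    """Periodic review: is the label still right, and are its controls in place?

    Missing controls are judged against the label the asset should carry, so
    an under-classified asset shows both the relabel and the controls to add.
    """
    findings: List[str] = []
    if not asset.owner:
        findings.append("no owner assigned")
    label = expected_label(asset, today)
    if label != asset.assigned_label:
        findings.append(f"label should be {label}, is {asset.assigned_label}")
    missing = REQUIRED_CONTROLS[label] - asset.controls_in_place
    if missing:
        findings.append("missing controls: " + ", ".join(sorted(missing)))
    if today - asset.last_reviewed > REVIEW_INTERVAL:
        findings.append("classification review overdue")
    return findings


TODAY = date(2024, 6, 1)  # fixed so the example is reproducible

# Constructed inventory: one clean asset, one under-classified regulated
# asset, and one stale asset with no owner that has never been re-reviewed.
ASSETS = [
    InfoAsset("press releases", "VP Marketing", 0, date(2023, 1, 10), False,
              "Public", set(), date(2024, 1, 15)),
    InfoAsset("cardholder data", "CFO", 3, date(2022, 3, 1), True,
              "Private", {"access_control", "encryption_at_rest"}, date(2024, 2, 1)),
    InfoAsset("2015 product roadmap", "", 2, date(2015, 1, 1), False,
              "Private", {"access_control", "encryption_at_rest"}, date(2021, 5, 1)),
]


def review_all(assets=ASSETS, today: date = TODAY) -> Dict[str, List[str]]:
    """Findings per asset name; an empty list means the asset passed review."""
    return {a.name: review(a, today) for a in assets}


if __name__ == "__main__":
    for name, findings in review_all().items():
        print(name, "->", findings or "ok")
```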

Network Design, Common Network Terminology and Security Implications
 
Survey Presentation About Application Security
Survey Presentation About Application SecuritySurvey Presentation About Application Security
Survey Presentation About Application Security
 
Information Security 365/765 Lecture 13 – Legal Regulations, Industry Compli...
Information Security 365/765 Lecture 13 – Legal Regulations,  Industry Compli...Information Security 365/765 Lecture 13 – Legal Regulations,  Industry Compli...
Information Security 365/765 Lecture 13 – Legal Regulations, Industry Compli...
 

Information Security Background

  • 1. Information Systems 365/765 Information Systems Security and Strategy Lecture 2 Introduction to Information Security
  • 2. Information Security Defined
    Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction. Information security is concerned with the confidentiality, integrity and availability of data regardless of the form the data may take: electronic, print, or other forms.
  • 3. Why Study Information Security in the School of Business?
    • Businesses collect mass amounts of data about their customers, employees, and competitors
    • Most of this data is stored on computers and transmitted across networks
    • If this information should fall into the hands of a competitor, the result could be loss of business, lawsuits and bankruptcy
    • Protecting corporate data is no longer an option, it is a requirement
  • 4. What Types of Jobs Do Information Security Professionals Hold?
    • Information Systems Auditor
    • Business Continuity and Disaster Recovery Planning and Implementation
    • Digital Forensics
    • Infrastructure Design
    • Business Integration
  • 5. History of Information Security
    • Throughout history, confidentiality of information has always played a key role in military conflict
    • Confidentiality
    • Tampering
    • Authenticity
    • Physical protection
    • Background checks
    • Encryption
  • 6. Key Concept of Information Security. The single most important slide in this course! Confidentiality, Integrity, Availability (CIA Triad)
  • 7. Confidentiality
    Confidentiality is the process of preventing disclosure of information to unauthorized individuals or systems.
    Examples: Credit card, Shoulder Surfing, Laptop theft.
    Confidentiality is necessary, but not sufficient, to maintain privacy.
  • 8. Integrity
    Integrity means that data cannot be modified without authorization.
    Examples: Manual deletion or alteration of important data files, virus infection, an employee altering their own salary, website vandalism, polling fraud.
    In information security, the term “data integrity” should not be confused with database referential integrity.
  • 9. Availability
    For any information system to serve its purpose, the information must be available when it is needed. This means that the computing systems used to store and process the information, the security controls used to protect it, and the communication channels used to access it must be functioning correctly.
    Examples: Power outages, hardware failures, system upgrades and preventing denial-of-service attacks.
  • 10. Authenticity
    In computing, e-Business and information security it is necessary to ensure that the data, transactions, communications or documents (electronic or physical) are genuine (i.e. they have not been forged or fabricated).
    Examples: Passport, credit card accounts, academic transcripts.
  • 11. Non-Repudiation
    Non-repudiation is a complex term used to describe the lack of deniability of ownership of a message, piece of data, or transaction.
    Examples: Proof of an ATM transaction, a stock trade, or an email.
  • 12. Strong Information Security = Solid Risk Management
    Proper risk management involves understanding and controlling risks, vulnerabilities and threats.
    • Risk is the likelihood that something bad will happen that causes harm or loss of an informational asset.
    • Vulnerability is a weakness that could be used to endanger or cause harm to an informational asset.
    • Threat is anything deliberate or random and unanticipated that has the potential to cause harm.
  • 13. Risk Management
    The likelihood that a threat will use a vulnerability to cause harm creates a risk. When a threat does use a vulnerability to inflict harm, it has an impact. In the context of information security, the impact is a loss of availability, integrity, and confidentiality, and possibly other losses (lost income, loss of life, loss of real property).
    It should be pointed out that it is not possible to identify all risks, nor is it possible to eliminate all risk. The remaining risk is called residual risk.
  • 14. Risk Assessment
    A risk assessment is a formal project carried out by a team of people who have knowledge of specific areas of the business. Membership of the team may vary over time as different parts of the business are assessed. The assessment may use a subjective qualitative analysis based on informed opinion, or, where reliable dollar figures and historical information are available, the analysis may use quantitative analysis as well.
  • 15. Components of a Risk Assessment
    • Security policy
    • Organization of information security
    • Asset management
    • Human resources security
    • Physical and environmental security
    • Communications and operations management
    • Access control, logical and physical
    • Information systems acquisition and lifecycle management
    • Development and maintenance
    • Information security incident management
    • Business continuity management
    • Regulatory compliance
  • 16. Risk Management Process
    • Identification of assets and estimating their value. Include: people, buildings, hardware, software, data (electronic, print, other), supplies.
    • Conduct a threat assessment. Include: acts of nature, acts of war, accidents, malicious acts originating from inside or outside the organization.
    • Conduct a vulnerability assessment, and for each vulnerability, calculate the probability that it will be exploited. Evaluate policies, procedures, standards, training, physical security, quality control and technical security.
  • 17. Risk Management Process
    • Calculate the impact that each threat would have on each asset. Use qualitative analysis or quantitative analysis.
    • Identify, select and implement appropriate controls. Provide a proportional response. Consider productivity, cost effectiveness, and value of the asset.
    • Evaluate the effectiveness of the control measures. Ensure the controls provide the required cost-effective protection without discernible loss of productivity.
  • 18. Risk Remedies
    For any given risk, you may choose to:
    • Accept the risk based upon the relatively low value of the asset, the relatively low frequency of occurrence, and the relatively low impact on the business.
    • Mitigate the risk by selecting and implementing appropriate control measures to reduce the risk.
    • Transfer the risk to another business by buying insurance or out-sourcing to another business.
    • Deny the risk, which is obviously dangerous.
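As an added worked example (not from the lecture), the quantitative variant of slides 16 to 18 carried through in Python on a small constructed risk register: each asset and threat pair gets an expected annual loss from asset value, impact per event and exploitation probability, the register is ranked by that loss, and each risk is assigned one of slide 18's remedies by a proportional-response rule. The dollar figures, thresholds and control names are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    """One row of a constructed risk register: an asset exposed to one threat."""
    asset: str
    asset_value: float       # estimated value of the asset in dollars
    threat: str
    probability: float       # annual probability the vulnerability is exploited
    impact_fraction: float   # share of the asset value lost per occurrence
    def expected_annual_loss(self) -> float:
        # Quantitative impact: asset value x loss per event x annual probability.
        return self.asset_value * self.impact_fraction * self.probability

@dataclass
class Control:
    """A candidate mitigating control and the share of exploitation probability it removes."""
    name: str
    annual_cost: float
    probability_reduction: float

def choose_remedy(risk: Risk, control: Control, premium: float,
                  accept_threshold: float) -> tuple[str, float]:
    """Proportional response: return (remedy, expected annual cost of that choice).
    Losses at or below accept_threshold are accepted; above it, the cheaper of
    mitigate (control cost + residual loss) and transfer (insurance premium) wins."""
    loss = risk.expected_annual_loss()
    if loss <= accept_threshold:
        return "accept", loss
    options = {
        "mitigate": control.annual_cost + loss * (1 - control.probability_reduction),
        "transfer": premium,  # the insurer carries the loss
    }
    remedy = min(options, key=options.get)
    return remedy, options[remedy]

# Constructed register rows: (risk, candidate control, annual insurance premium).
REGISTER = [
    (Risk("laptop fleet", 200_000, "laptop theft", 0.30, 0.10),
     Control("full-disk encryption", 2_000, 0.90), 4_000),
    (Risk("web storefront", 500_000, "denial of service", 0.05, 0.20),
     Control("DDoS scrubbing service", 6_000, 0.80), 3_000),
    (Risk("office supplies", 5_000, "theft", 0.10, 0.50),
     Control("locked storeroom", 500, 0.50), 300),
]

def build_plan(accept_threshold: float = 1_000) -> dict[str, str]:
    """Rank risks by expected annual loss, highest first, and pick a remedy for each."""
    ranked = sorted(REGISTER, key=lambda row: row[0].expected_annual_loss(), reverse=True)
    return {risk.asset: choose_remedy(risk, control, premium, accept_threshold)[0]
            for risk, control, premium in ranked}
```

With these constructed numbers the laptop fleet is mitigated (encryption is cheaper than its residual loss plus insurance), the storefront's denial-of-service risk is transferred, and the supply theft is accepted; the residual loss that remains after each choice is the residual risk of slide 13.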
  • 19. Information Security Controls
    When management chooses to mitigate a risk, they will do so by implementing one or more of three different types of controls:
    • Administrative Controls
    • Logical/Technical Controls
    • Physical Controls
  • 20. Administrative Controls
    Consist of approved written policies, procedures, standards and guidelines. Administrative controls form the framework for running the business and managing people. They inform people on how the business is to be run and how day-to-day operations are to be conducted. Laws and regulations created by government bodies are also a type of administrative control, such as PCI, HIPAA, FERPA and SOX. Other examples of administrative controls include the corporate security policy, password policy, hiring policies, and disciplinary policies.
  • 21. Separation of Duties is the most important and often overlooked physical control
    Separation of duties ensures that an individual cannot complete a critical task by themselves. For example: an employee who submits a request for reimbursement should not also be able to authorize payment or print the check. An applications programmer should not also be the server administrator or the database administrator. These roles and responsibilities must be separated from one another.
  • 22. Logical Controls
    Logical controls (also called technical controls) consist of software and data to monitor and control access to information and computing systems. For example: passwords, network and host based firewalls, network intrusion detection systems, access control lists, and data encryption are logical controls.
  • 23. The Principle of Least Privilege is the most important and often overlooked logical control in IS
    The principle of least privilege requires that an individual, program or system process is not granted any more access privileges than are necessary to perform the task. A blatant example of the failure to adhere to the principle of least privilege is logging into Windows as user Administrator to read email and surf the Web.
    Violations of this principle can also occur when an individual:
    • Collects additional access privileges over time
    • Has their job duties change (promotion, new position, etc.)
    • Is promoted to a new position, or transfers to another department
    Examine and adjust access rights for ALL employees on a regular basis.
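As an added example (not from the lecture), the periodic access review slide 23 calls for, run in Python over a constructed list of employees: it flags entitlements beyond an employee's role baseline (privilege creep after a transfer or promotion) and the separation-of-duties conflicts of slide 21, where one person could both submit a reimbursement and approve or print its payment, or both develop an application and administer its server or database. The role names, entitlement strings and employees are constructed assumptions.

```python
# Constructed role baselines: the entitlements each job role needs and no more.
ROLE_BASELINE = {
    "accounts_payable_clerk": {"submit_reimbursement", "view_invoices"},
    "finance_manager": {"approve_payment", "print_check", "view_invoices"},
    "app_developer": {"deploy_app", "read_app_logs"},
    "dba": {"db_admin", "read_app_logs"},
    "server_admin": {"server_admin"},
}

# Entitlement pairs that one person must never hold together (slide 21's examples).
SOD_CONFLICTS = [
    ("submit_reimbursement", "approve_payment"),
    ("submit_reimbursement", "print_check"),
    ("deploy_app", "server_admin"),
    ("deploy_app", "db_admin"),
]

def review_access(employees, baseline=ROLE_BASELINE, conflicts=SOD_CONFLICTS):
    """Return one finding per violation as (employee, finding_type, entitlements).

    employees: list of dicts with keys name, role and entitlements (a set).
    """
    findings = []
    for emp in employees:
        held = set(emp["entitlements"])
        # Least privilege: anything beyond the role baseline is excess access.
        excess = held - baseline[emp["role"]]
        if excess:
            findings.append((emp["name"], "least_privilege", sorted(excess)))
        # Separation of duties: any conflicting pair held by the same person.
        for left, right in conflicts:
            if left in held and right in held:
                findings.append((emp["name"], "separation_of_duties", [left, right]))
    return findings

# Constructed employees. Bob transferred from DBA to developer but kept db_admin;
# Dana is a clerk who was once given approval rights and never lost them.
EMPLOYEES = [
    {"name": "alice", "role": "finance_manager",
     "entitlements": {"approve_payment", "print_check", "view_invoices"}},
    {"name": "bob", "role": "app_developer",
     "entitlements": {"deploy_app", "read_app_logs", "db_admin"}},
    {"name": "dana", "role": "accounts_payable_clerk",
     "entitlements": {"submit_reimbursement", "view_invoices", "approve_payment"}},
]

def sample_findings():
    """Run the review over the constructed employees above."""
    return review_access(EMPLOYEES)
```

Each finding is an access right to remove or a role to split; running the same review on every employee on a schedule is the regular examination the slide asks for.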
  • 24. Physical Controls
    Physical controls monitor and control the environment of the work place and computing facilities. They also monitor and control access to and from such facilities. For example: doors, locks, heating and air conditioning, smoke and fire alarms, fire suppression systems, cameras, barricades, fencing, security guards, cable locks, etc. Separating the network and work place into functional areas is also a physical control.
  • 25. Security Classification of Information
    An important aspect of information security and risk management is recognizing the value of information and defining appropriate procedures and protection requirements for the information. Not all information is equal and so not all information requires the same degree of protection. This requires information to be assigned a security classification.
  • 26. Security Classification of Information
    • Identify a member of senior management as the owner of the particular information to be classified.
    • Develop a classification policy. The policy should describe the different classification labels, define the criteria for information to be assigned a particular label, and list the required security controls for each classification.
  • 27. Security Classification of Information
    Some factors that influence which classification information should be assigned include:
    • How much value that information has to the organization
    • How old the information is and whether or not the information has become obsolete
    • Laws and other regulatory requirements are also important considerations when classifying information
  • 28. Information Security Classification Labels
    Common information security classification labels used by the business sector are:
    • Public
    • Sensitive
    • Private
    • Confidential
  • 29. Information Security Classification Labels
    All employees in the organization, as well as business partners, must be trained on the classification schema and understand the required security controls and handling procedures for each classification. The classification a particular information asset has been assigned should be reviewed periodically to ensure the classification is still appropriate for the information and to ensure the security controls required by the classification are in place.