This document provides an overview of key concepts in information security. It defines information security, why it is important for businesses, and common information security jobs. It then discusses the history of information security and introduces the CIA triad of confidentiality, integrity and availability. The document outlines the components of risk management and assessment. It also describes different types of security controls including administrative, logical/technical, and physical controls and important principles like separation of duties and least privilege. Finally, it discusses security classification of information.
Cyber Security introduction. Cyber security definition. Vulnerabilities. Social engineering and human error. Financial cost of security breaches. Computer protection. The cyber security job market
The presentation explains about Data Security as an industrial concept. It addresses
its concern on Data Loss Prevention in detail, from what it is, its approach, the best practices and
common mistakes people make for the same. The presentation concludes with highlighting
Happiest Minds' expertise in the domain.
Learn more about Happiest Minds Data Security Service Offerings
http://www.happiestminds.com/IT-security-services/data-security-services/
Unit 6 Privacy and Data Protection (8 hr), by Tushar Rajput
Right to Privacy and its Legal Framework, The Concept of Privacy, National Legal
Framework for Protecting Privacy, International Legal Framework for Protecting Privacy, Privacy Related Wrongs and Remedies, Data Security, The Concept of Security in Cyberspace, Technological Vulnerabilities, Legal Response to Technological
Vulnerabilities, Security Audit (VA/PT), Data Protection, Data Protection Position in
India, Privacy Policy, Emerging Issues in Data Protection and Privacy, BPOs and
Legal Regime in India, Protect Kids' Privacy Online, Evolving Trends in Data Protection and Information Security
Cyber Security 101: Training, awareness, strategies for small to medium sized..., by Stephen Cobb
I developed "Cyber Security 101: Training, awareness, strategies for small to medium sized business" for the second annual Small Business Summit on Security, Privacy, and Trust, co-hosted by ADP in New Jersey, October 2013.
The complete guide on how to prevent an IT security breach.
Some of the tips include:
♦ Why keeping a clean desk matters
♦ How to avoid email threats, including five ways to block phishing attack
♦ How your employees can secure their mobile devices
♦ Website browsing best practices.
Csaba Kollár & József Poór: THE LEADERS’ AWARENESS OF INFORMATION SECURITY
VI International Symposium Engineering Management and Competitiveness 2016
(EMC 2016)
June 17-18, 2016, Kotor, Montenegro
Security First: What it is and What it Means for Your Business, by Georgian
Software companies, and data-rich SaaS companies in particular, will go through a paradigm shift over the next few years in which security becomes a company-wide priority. Rather than an after-the-fact compliance activity the best companies will treat security and privacy as a strategic imperative, incorporating security thinking into all aspects of their business. This slideshare introduces the concept of Security First, why it is important and what it will mean for your organization.
1 What is Security 1.1 Introduction The central role of co.docx, by moggdede
What is Security? 1.1 Introduction
The central role of computer security for the working of the economy, the defense of the country, and the protection of our individual privacy is universally acknowledged today. This is a relatively recent development; it has resulted from the rapid deployment of Internet technologies in all fields of human endeavor and throughout the world that started at the beginning of the 1990s. Mainframe computers have handled secret military information and personal computers have stored private data from the very beginning of their existence in the mid-1940s and 1980s, respectively. However, security was not a crucial issue in either case: the information could mostly be protected in the old-fashioned way, by physically locking up the computer and checking the trustworthiness of the people who worked on it through background checks and screening procedures. What has radically changed and made the physical and administrative approaches to computer security insufficient is the interconnectedness of computers and information systems. Highly sensitive economic, financial, military, and personal information is stored and processed in a global network that spans countries, governments, businesses, organizations, and individuals. Securing this cyberspace is synonymous with securing the normal functioning of our daily lives.
Secure information systems must work reliably despite random errors, disturbances, and malicious attacks. Mechanisms incorporating security measures are not just hard to design and implement but can also backfire by decreasing efficiency, sometimes to the point of making the system unusable. This is why some programmers used to look at security mechanisms as an unfortunate nuisance; they require more work, do not add new functionality, and slow down the application and thus decrease usability. The situation is similar when adding security at the hardware, network, or organizational level: increased security makes the system clumsier and less fun to use; just think of the current airport security checks and contrast them to the happy (and now so distant) pre–September 11, 2001 memories of buying your ticket right before boarding the plane. Nonetheless, systems must work, and they must be secure; thus, there is a fine balance to maintain between the level of security on one side and the efficiency and usability of the system on the other. One can argue that there are three key attributes of information systems:
Processing capacity—speed
Convenience—user friendliness
Secure—reliable operation
The process of securing these systems is finding an acceptable balance of these attributes.
1.2 The Subject of Security
Security is a word used to refer to many things, so its use has become somewhat ambiguous. Here we will try to clarify just what security focuses on. Over the years, the subject of information security has been considered from a number of perspectives, as a concept, a function, and ...
Mobile Security: 5 Steps to Mobile Risk Management, by DMIMarketing
Hundreds of companies, and the most demanding Federal agencies rely on DMI for Mobile Security services and solutions. And with more than 500,000 devices under management, we know how to do it right.
Now we’ve distilled 9 years of Mobile Security best practices into a white paper you can download. The paper lays out a smart, sensible approach to managing mobile risk without unnecessary cost and business disruption.
Please be our guest and check out the white paper. You’ll learn:
How to identify and protect against the threats that matter the most
What to do about “the hottest new technologies”
How to get the most protection for the least cost and disruption
The key differences and similarities between Mobile and traditional cybersecurity
See more at: http://dminc.com/solutions/enterprise-mobility-services/mobilesecuritywp/
Conducting a NIST Cybersecurity Framework (CSF) Assessment, by Nicholas Davis
In today's ever-evolving cybersecurity landscape, organizations face an increasing number of threats. Conducting a NIST Cybersecurity Framework (CSF) assessment can be a valuable tool to identify, manage, and mitigate these risks. Let's explore how it can benefit your organization.
A NIST CSF assessment is not just about compliance; it's about proactively managing your cybersecurity posture. By identifying and addressing your vulnerabilities, you can reduce the likelihood and impact of cyberattacks. Additionally, the framework can help you communicate your security efforts effectively to internal and external stakeholders.
UW-Madison, Information Systems 371 - Decision Support Systems, by Nicholas Davis
Today, in Information Systems 371, I am lecturing about Decision Support Systems. In addition to covering the basics at a conceptual level, I am trying to get the students to think about the impact of IoT, 5G, and Artificial Intelligence, in terms of how Decision Support Systems are changing and what the new demands placed upon them will be.
During the Spring semester, I teach a 3 credit survey course in software development, at UW-Madison (IS 371), which is the first in the series of courses in the Information Systems major track. As part of this course, I devote an entire lecture to discussing different types of software development (Agile, Waterfall, Extreme, Spiral, etc.) I hope it helps the students better understand the different types of software development styles, as well as the benefits and drawbacks of each. In my opinion, they need to learn early on that there is more than one way to go about a software development challenge, and they need to figure out which style works best for them.
Information Systems 365 - Cloud and BYOD Security, by Nicholas Davis
Today, in class, I will be covering the topics of Cloud and BYOD Information Security. The intent of the lecture is to introduce students to the general issues surrounding information security in these two areas.
Information Security Awareness: at Work, at Home, and For Your Kids, by Nicholas Davis
This is the security awareness presentation which I will be giving to Quartz Health Solutions, on October 24, 2018. It focuses on three areas: information security best practices for work, at home, and also contains some tips for kids. Topics include: PHI, ePHI, HIPAA, Identity Theft, Social Engineering, phishing, password management, malware, insider threats, social networks, and mobile devices.
A presentation about cyberwar basics, the past, present and future directions of cyberwar and some needed changes in technology and long standing societal attitudes, to combat this escalating threat
University of Wisconsin-Madison, Information Security 365/765 Course Summary,..., by Nicholas Davis
Last day of lecture, a summary presentation of everything the students learned this semester, in the information security class I teach at the University of Wisconsin-Madison
Bringing the Entire Information Security Semester Together With a Team Project, by Nicholas Davis
Absorbing information does no good, unless you are able to apply what you have learned. Each semester, I give my information security students a team project, in which they must use all the knowledge acquired during the semester, in combination with their ability to do Internet research, to deliver an overall information security assessment of a company of their choosing. To make it a challenge, I make them grade all the other teams in the class, but only give them enough points to distribute so that the average is 90. In grading their peers, they must make decisions about which presentations are excellent, and which are not.
The Deep and Dark Web - Spooky Halloween Information Security Lecture -- Info..., by Nicholas Davis
Horrible things happen on the Deep Web. It is important for information security professionals to know about this topic, so that we can help to stop the problem. Silence is acquiescence. If you see something horribly wrong, you have got to speak up and be part of the solution to stop it. Contact the FBI or local law enforcement.
Student Presentation Sample (Netflix) -- Information Security 365/765 -- UW-M..., by Nicholas Davis
The final assignment in the Information Security 365/765 course I teach at UW-Madison, is for teams of students to put together company focused IT security presentations, in which they take the concepts learned in class throughout the entire semester, and apply them to a real company. Here is a sample from Team Netflix! I am proud of the students, and feel that they have gained a solid foundation in the field of information security. Another semester come and gone!
Information Security Fall Semester 2016 - Course Wrap Up Summary, by Nicholas Davis
This presentation is a summary, for the students of the IS 365/765 course I teach, at the University of Wisconsin-Madison, providing a 104 slide reminder of the most important topics in Information Security, which we covered throughout the semester. Today is the last day of course material. We have 4 days of student team presentations, to follow.
A general education presentation, created to teach employees of an organization about Phishing, what it is, how to recognize it, avoid becoming a phishing victim, how to recognize common social engineering techniques, and what to do if you think you have been phished.
Information Security 365/765 Lecture 13 – Legal Regulations, Industry Compli..., by Nicholas Davis
Today's topic in the Information Security 365/765 class, which I teach at the University of Wisconsin-Madison.
Computer crimes and computer laws, Motives and profiles of attackers, Various types of evidence, Laws and acts to fight computer crime, Computer crime investigation process, Incident handling procedures, Ethics and best practices
2. Information Security Defined
Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction. Information security is concerned with the confidentiality, integrity and availability of data regardless of the form the data may take: electronic, print, or other forms.
3. Why Study Information Security in the School of Business?
• Businesses collect mass amounts of data about their customers, employees, and competitors
• Most of this data is stored on computers and transmitted across networks
• If this information should fall into the hands of a competitor, the result could be loss of business, lawsuits and bankruptcy
• Protecting corporate data is no longer an option, it is a requirement
4. What Types of Jobs Do Information Security Professionals Hold?
• Information Systems Auditor
• Business Continuity and Disaster Recovery Planning and Implementation
• Digital Forensics
• Infrastructure Design
• Business Integration
5. History of Information Security
• Throughout history, confidentiality of information has always played a key role in military conflict
• Confidentiality
• Tampering
• Authenticity
• Physical protection
• Background checks
• Encryption
6. Key Concept of Information Security. The single most important slide in this course!
Confidentiality, Integrity, Availability (CIA Triad)
7. Confidentiality
Confidentiality is the process of preventing disclosure of information to unauthorized individuals or systems.
Examples: Credit card, Shoulder Surfing, Laptop theft
Confidentiality is necessary, but not sufficient to maintain privacy
8. Integrity
Integrity means that data cannot be modified without authorization.
Examples: Manual deletion or alteration of important data files, Virus infection, Employee altering their own salary, website vandalism, polling fraud
In Information Security, the term “data integrity” should not be confused with database referential integrity
9. Availability
For any information system to serve its purpose, the information must be available when it is needed. This means that the computing systems used to store and process the information, the security controls used to protect it, and the communication channels used to access it must be functioning correctly.
Examples: Power outages, Hardware failures, System upgrades and Preventing denial-of-service attacks
10. Authenticity
In computing, e-Business and information security it is necessary to ensure that the data, transactions, communications or documents (electronic or physical) are genuine (i.e. they have not been forged or fabricated).
Examples: Passport, Credit card Accounts, academic transcripts
11. Non-Repudiation
Non-Repudiation is a complex term used to describe the lack of deniability of ownership of a message, piece of data, or transaction.
Examples: Proof of an ATM transaction, a stock trade, or an email
12. Strong Information Security = Solid Risk Management
Proper Risk Management involves understanding and controlling risks, vulnerabilities and threats.
Risk is the likelihood that something bad will happen that causes harm or loss of an informational asset.
Vulnerability is a weakness that could be used to endanger or cause harm to an informational asset.
Threat is anything deliberate or random and unanticipated that has the potential to cause harm.
13. Risk Management
The likelihood that a threat will use a vulnerability to cause harm creates a risk. When a threat does use a vulnerability to inflict harm, it has an impact. In the context of information security, the impact is a loss of availability, integrity, and confidentiality, and possibly other losses (lost income, loss of life, loss of real property).
It should be pointed out that it is not possible to identify all risks, nor is it possible to eliminate all risk. The remaining risk is called residual risk.
14. Risk Assessment
A risk assessment is a formal project carried out by a team of people who have knowledge of specific areas of the business. Membership of the team may vary over time as different parts of the business are assessed.
The assessment may use a subjective qualitative analysis based on informed opinion, or, where reliable dollar figures and historical information are available, the analysis may use quantitative analysis as well.
15. Components of a Risk Assessment
Security Policy
Organization of information security
Asset management
Human resources security
Physical and environmental security
Communications and operations management
Access control, logical and physical
Information systems acquisition and lifecycle management
Development and maintenance
Information security incident management
Business continuity management
Regulatory compliance
16. Risk Management Process
Identification of assets and estimating their value. Include: people, buildings, hardware, software, data (electronic, print, other), supplies.
Conduct a threat assessment. Include: Acts of nature, acts of war, accidents, malicious acts originating from inside or outside the organization.
Conduct a vulnerability assessment, and for each vulnerability, calculate the probability that it will be exploited. Evaluate policies, procedures, standards, training, physical security, quality control and technical security.
17. Risk Management Process
Calculate the impact that each threat would have on each asset. Use qualitative analysis or quantitative analysis.
Identify, select and implement appropriate controls. Provide a proportional response. Consider productivity, cost effectiveness, and value of the asset.
Evaluate the effectiveness of the control measures. Ensure the controls provide the required cost effective protection without discernible loss of productivity.
18. Risk Remedies
For any given risk, you may choose to:
Accept the risk based upon the relative low value of the asset, the relative low frequency of occurrence, and the relative low impact on the business.
Mitigate the risk by selecting and implementing appropriate control measures to reduce the risk.
Transfer the risk to another business by buying insurance or out-sourcing to another business.
Deny the risk, which is obviously dangerous.
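The risk management process on slides 16 and 17 and the remedies on slide 18, carried through as an added worked example (this code is not part of the original deck). It assumes the standard quantitative formulas single loss expectancy (asset value × exposure factor) and annualized loss expectancy (SLE × annual rate of occurrence), a 3×3 likelihood/impact matrix for the qualitative path, and a simple cost/benefit rule for the "proportional response" step; the asset, the risk, the two candidate controls and every dollar figure are constructed for illustration.

```python
"""Worked risk assessment: value an asset, estimate probability and impact,
pick a proportional control, and map the result onto accept/mitigate/transfer.
All inputs below are constructed; the formulas are standard textbook ones."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Asset:
    name: str
    value: float              # business/replacement value in dollars (constructed)


@dataclass
class Risk:
    asset: Asset
    threat: str
    vulnerability: str
    exposure_factor: float    # fraction of the asset's value lost in one incident (0..1)
    annual_rate: float        # expected incidents per year (exploitation probability)
    likelihood: str           # qualitative inputs: "low" / "medium" / "high"
    impact: str


@dataclass
class Control:
    name: str
    annual_cost: float
    rate_reduction: float     # fraction by which the control cuts annual_rate (0..1)


LEVELS = {"low": 1, "medium": 2, "high": 3}


def single_loss_expectancy(risk: Risk) -> float:
    # SLE: what one incident costs = asset value x exposure factor
    return risk.asset.value * risk.exposure_factor


def annualized_loss_expectancy(risk: Risk, rate: Optional[float] = None) -> float:
    # ALE: SLE x annual rate of occurrence (optionally with a reduced rate)
    rate = risk.annual_rate if rate is None else rate
    return single_loss_expectancy(risk) * rate


def qualitative_rating(risk: Risk) -> str:
    # Informed-opinion matrix: likelihood x impact on a 1..3 scale (assumed cut-offs)
    score = LEVELS[risk.likelihood] * LEVELS[risk.impact]
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def evaluate_control(risk: Risk, control: Control) -> dict:
    """Proportional response: a control is justified only if the ALE it removes
    exceeds its yearly cost. Whatever ALE remains afterwards is residual risk."""
    before = annualized_loss_expectancy(risk)
    residual = annualized_loss_expectancy(
        risk, risk.annual_rate * (1 - control.rate_reduction))
    net_benefit = (before - residual) - control.annual_cost
    return {"ale_before": before, "residual_ale": residual,
            "net_benefit": net_benefit, "recommend": net_benefit > 0}


def choose_treatment(risk: Risk, control: Control, accept_below: float) -> str:
    """Map the numbers onto the deck's remedies: accept, mitigate or transfer.
    Denying the risk is deliberately not an option here."""
    if annualized_loss_expectancy(risk) <= accept_below:
        return "accept"          # low value / low frequency / low impact
    if evaluate_control(risk, control)["recommend"]:
        return "mitigate"        # the control pays for itself
    return "transfer"            # e.g. insurance, when the control costs more than it saves


# Constructed sample inputs
CUSTOMER_DB = Asset("customer database", 500_000.0)
DB_BREACH = Risk(CUSTOMER_DB, "external attacker", "unpatched database server",
                 exposure_factor=0.4, annual_rate=0.1, likelihood="medium", impact="high")
PATCH_AND_MONITOR = Control("patch management + monitoring",
                            annual_cost=5_000.0, rate_reduction=0.75)
GOLD_PLATED = Control("fully managed SOC", annual_cost=30_000.0, rate_reduction=0.9)

if __name__ == "__main__":
    print(qualitative_rating(DB_BREACH), evaluate_control(DB_BREACH, PATCH_AND_MONITOR))
    print(choose_treatment(DB_BREACH, PATCH_AND_MONITOR, accept_below=1_000.0))
    print(choose_treatment(DB_BREACH, GOLD_PLATED, accept_below=1_000.0))
```

With the constructed numbers, one incident costs 200,000 and the ALE is 20,000 a year; the 5,000 control cuts the ALE to 5,000 (net benefit 10,000, so mitigate), while the 30,000 control removes more risk but costs more than it saves, which is the case where transferring the risk through insurance is the sensible remedy.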
19. Information Security Controls
When Management chooses to mitigate a risk, they will do so by implementing one or more of three different types of controls:
• Administrative Controls
• Logical/Technical Controls
• Physical Controls
20. Administrative Controls
Consist of approved written policies, procedures, standards and guidelines. Administrative controls form the framework for running the business and managing people. They inform people on how the business is to be run and how day to day operations are to be conducted.
Laws and regulations created by government bodies are also a type of administrative control, such as PCI, HIPAA, FERPA and SOX.
Other examples of administrative controls include the corporate security policy, password policy, hiring policies, and disciplinary policies.
21. Separation of Duties is the most important and often overlooked physical control
Separation of duties ensures that an individual cannot complete a critical task by themselves.
For example: an employee who submits a request for reimbursement should not also be able to authorize payment or print the check. An applications programmer should not also be the server administrator or the database administrator. These roles and responsibilities must be separated from one another.
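Both of the slide's examples, enforced in code, as an added example that is not part of the original deck: a reimbursement request whose submit, authorize and print-check steps must be performed by different people, and a role-assignment check that refuses to give one person both the application-programmer role and a server or database administrator role. The step names, role names, conflict tables and user names are constructed assumptions.

```python
"""Separation-of-duties enforcement (constructed example).
Two mechanisms: a per-request record of who performed each step, checked
before a conflicting step is allowed, and a static table of role pairs that
no single individual may hold at once."""


class SeparationOfDutiesError(Exception):
    pass


# For each workflow step, the earlier steps whose performer may NOT do this one.
CONFLICTING_STEPS = {
    "submit": set(),
    "authorize": {"submit"},
    "print_check": {"submit", "authorize"},
}

# Role pairs that must never be held by the same person (constructed policy).
CONFLICTING_ROLES = {
    frozenset({"app_programmer", "server_admin"}),
    frozenset({"app_programmer", "db_admin"}),
}


class ReimbursementRequest:
    def __init__(self, request_id, amount):
        self.request_id = request_id
        self.amount = amount
        self.performed_by = {}      # step name -> user who performed it

    def perform(self, step, user):
        """Record that `user` performed `step`, refusing it if that would let
        one person complete the critical task alone."""
        if step not in CONFLICTING_STEPS:
            raise ValueError(f"unknown step {step!r}")
        if step in self.performed_by:
            raise ValueError(f"step {step!r} already done on {self.request_id}")
        for earlier in CONFLICTING_STEPS[step]:
            if earlier not in self.performed_by:
                raise ValueError(f"step {earlier!r} must precede {step!r}")
            if self.performed_by[earlier] == user:
                raise SeparationOfDutiesError(
                    f"{user} already performed {earlier!r} on {self.request_id} "
                    f"and may not also perform {step!r}")
        self.performed_by[step] = user
        return True


def can_perform(req, step, user):
    """Non-mutating version of the same check, e.g. for hiding buttons in a UI."""
    if step not in CONFLICTING_STEPS or step in req.performed_by:
        return False
    return all(earlier in req.performed_by and req.performed_by[earlier] != user
               for earlier in CONFLICTING_STEPS[step])


def role_assignment_allowed(current_roles, new_role):
    """True unless `new_role` conflicts with a role the person already holds."""
    return not any(frozenset({held, new_role}) in CONFLICTING_ROLES
                   for held in current_roles)


def demo():
    """Walk one request through the workflow; the submitter's attempt to print
    her own check is rejected and a third person has to do it."""
    req = ReimbursementRequest("REQ-001", 250.00)
    req.perform("submit", "alice")
    req.perform("authorize", "bob")
    try:
        req.perform("print_check", "alice")
        return None                       # should not get here
    except SeparationOfDutiesError:
        pass
    req.perform("print_check", "carol")
    return req.performed_by


if __name__ == "__main__":
    print(demo())
    print(role_assignment_allowed({"app_programmer"}, "db_admin"))
```

The important design point is that the check is made against who actually performed the earlier steps on this specific request, not merely against job titles: a supervisor who is also permitted to submit requests is still blocked from approving the one she submitted.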
22. Logical Controls
Logical controls (also called technical controls) consist of software and data to monitor and control access to information and computing systems.
For example: passwords, network and host based firewalls, network intrusion detection systems, access control lists, and data encryption are logical controls.
23. The Principle of Least Privilege is the most important and often overlooked logical control in IS
The principle of least privilege requires that an individual, program or system process is not granted any more access privileges than are necessary to perform the task.
A blatant example of the failure to adhere to the principle of least privilege is logging into Windows as user Administrator to read Email and surf the Web.
Violations of this principle can also occur when an individual:
• Collects additional access privileges over time
• Job duties change (promotion, new position, etc.)
• They are promoted to a new position, or they transfer to another department.
Examine and adjust access rights for ALL employees on a regular basis.
24. Physical Controls
Physical controls monitor and control the environment of the work place and computing facilities. They also monitor and control access to and from such facilities.
For example: doors, locks, heating and air conditioning, smoke and fire alarms, fire suppression systems, cameras, barricades, fencing, security guards, cable locks, etc.
Separating the network and work place into functional areas is also a physical control.
25. Security Classification of Information
An important aspect of information security and risk management is recognizing the value of information and defining appropriate procedures and protection requirements for the information. Not all information is equal and so not all information requires the same degree of protection. This requires information to be assigned a security classification.
26. Security Classification of Information
• Identify a member of senior management as the owner of the particular information to be classified
• Develop a classification policy. The policy should describe the different classification labels, define the criteria for information to be assigned a particular label, and list the required security controls for each classification
27. Security Classification of Information
Some factors that influence which classification information should be assigned include:
• How much value that information has to the organization
• How old the information is and whether or not the information has become obsolete.
• Laws and other regulatory requirements are also important considerations when classifying information
28. Information Security Classification Labels
Common information security classification labels used by the business sector are:
Public
Sensitive
Private
Confidential
29. Information Security Classification Labels
All employees in the organization, as well as business partners, must be trained on the classification schema and understand the required security controls and handling procedures for each classification.
The classification a particular information asset has been assigned should be reviewed periodically to ensure the classification is still appropriate for the information and to ensure the security controls required by the classification are in place.
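The classification procedure of slides 26 to 29 as one small policy engine, added here as an example that is not part of the original deck: every asset has a named owner, the policy maps the four labels (Public, Sensitive, Private, Confidential) to required controls, the label is derived from the factors the deck names (value, age/obsolescence, regulatory requirements), and a periodic review re-derives the label and reports which required controls are missing. The thresholds, the control sets per label, the rule that obsolete unregulated information drops to Public, the review interval and the sample assets are all constructed assumptions.

```python
"""Security classification policy with periodic review (constructed example)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Set

LABELS = ["Public", "Sensitive", "Private", "Confidential"]   # lowest to highest

# Required controls per label (assumed policy, not the deck's)
REQUIRED_CONTROLS = {
    "Public":       set(),
    "Sensitive":    {"access_control"},
    "Private":      {"access_control", "encryption_at_rest"},
    "Confidential": {"access_control", "encryption_at_rest",
                     "encryption_in_transit", "audit_logging"},
}

VALUE_TO_LABEL = {"low": "Public", "medium": "Sensitive", "high": "Private"}


@dataclass
class InformationAsset:
    name: str
    owner: str                          # member of senior management accountable for it
    value: str                          # "low" / "medium" / "high" value to the organization
    created: date
    obsolete_after_days: Optional[int]  # None = never becomes obsolete
    regulations: Set[str] = field(default_factory=set)       # e.g. {"HIPAA"}
    controls_in_place: Set[str] = field(default_factory=set)
    label: Optional[str] = None
    last_reviewed: Optional[date] = None


def classify(asset: InformationAsset, today: date) -> str:
    """Derive the label from value, age/obsolescence and regulatory factors."""
    if not asset.owner:
        raise ValueError("an owner must be identified before classifying")
    obsolete = (asset.obsolete_after_days is not None and
                today - asset.created > timedelta(days=asset.obsolete_after_days))
    # Assumption: obsolete information no longer warrants protection on value grounds
    label = "Public" if obsolete else VALUE_TO_LABEL[asset.value]
    if asset.regulations:
        # Regulated data is at least Confidential regardless of value or age
        label = max(label, "Confidential", key=LABELS.index)
    return label


def control_gaps(asset: InformationAsset) -> Set[str]:
    """Required controls for the asset's label that are not yet in place."""
    return REQUIRED_CONTROLS[asset.label] - asset.controls_in_place


def review(asset: InformationAsset, today: date, interval_days: int = 365) -> Optional[dict]:
    """Periodic review: if due, re-derive the label and report control gaps."""
    due = (asset.last_reviewed is None or
           today - asset.last_reviewed > timedelta(days=interval_days))
    if not due:
        return None
    new_label = classify(asset, today)
    changed = new_label != asset.label
    asset.label = new_label
    asset.last_reviewed = today
    return {"asset": asset.name, "label": new_label,
            "changed": changed, "gaps": control_gaps(asset)}


def run_reviews(assets: List[InformationAsset], today: date,
                interval_days: int = 365) -> List[dict]:
    results = [review(a, today, interval_days) for a in assets]
    return [r for r in results if r is not None]


# Constructed sample assets and review date
TODAY = date(2024, 1, 15)
SAMPLE_ASSETS = [
    InformationAsset("patient records", owner="CMO", value="high",
                     created=date(2020, 1, 1), obsolete_after_days=None,
                     regulations={"HIPAA"},
                     controls_in_place={"access_control", "encryption_at_rest"},
                     label="Confidential", last_reviewed=date(2022, 1, 1)),
    InformationAsset("2015 press release", owner="VP Marketing", value="low",
                     created=date(2015, 6, 1), obsolete_after_days=365,
                     label="Sensitive", last_reviewed=date(2016, 6, 1)),
    InformationAsset("Q4 sales forecast", owner="CFO", value="medium",
                     created=date(2023, 12, 1), obsolete_after_days=180,
                     controls_in_place={"access_control"},
                     label="Sensitive", last_reviewed=date(2024, 1, 2)),
]

if __name__ == "__main__":
    for result in run_reviews(SAMPLE_ASSETS, TODAY):
        print(result)
```

Two things the review surfaces that a one-off classification would not: the patient records keep their Confidential label but are missing two of the controls that label requires, and the 2015 press release has become obsolete and is downgraded to Public, so resources are not spent protecting it. The recently reviewed forecast is skipped until its next review date.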