Information Security
Importance of having defined
Policy & Process
What is Information?

Data that is
• Accurate and timely
• Specific and organized for a purpose
• Presented within a context that gives it meaning and relevance
• Leads to an increase in understanding and a decrease in uncertainty
Information can be
• Created, stored or destroyed
• Processed
• Transmitted
• Corrupted
• Displayed / published on the web
• Verbal – spoken in conversations



‘…Whatever form the information takes, or means
  by which it is shared or stored, it should always
  be appropriately protected’
                             (BS ISO 27002:2005)
What is the Importance of Information?

Information is valuable because it can affect

 • Behavior
 • Decision
 • An outcome
What Is Information Security?

Information security is exactly what it says: the security of information.

“Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected” (BS ISO 27002:2005)

The process by which digital information assets are protected.
Why is information security needed?

• Ensure business continuity and reduce business damage
• Prevent and minimize the impact of security incidents
Data Breach Trends
Worldwide, approximately 1.1 million identities were exposed per breach, mainly owing to the
large number of identities breached through hacking attacks.

Apr18’2012 - According to CNN, messages on Twitter and Tumblr indicated members of the
loosely-structured hacking network were celebrating the shutdown of the CIA's website.

Sep03’2012 - Swedish government websites were jammed by hackers for hours Monday, with
some supporters of WikiLeaks founder Julian Assange claiming responsibility on Twitter.


Sep27'2012 - Police smashed one of Australia's most sophisticated credit card fraud syndicates,
seizing more than 15,000 fake cards with a potential value of $37.5 million.

Apr18’2012 - Emory Healthcare in Atlanta announced a data breach after the organization
misplaced 10 backup disks, which contained information for more than 315,000 patients.


82% of large organizations reported security breaches caused by staff, including 47% who lost
or leaked confidential information.
Security breaches lead to…
•   Reputation loss
•   Financial loss
•   Intellectual property loss
•   Legislative Breaches leading to legal actions
    (Cyber Law)
•   Loss of customer confidence
•   Business interruption costs



LOSS OF GOODWILL
•   Information Security is an “organizational problem” rather than an “IT problem”

•   More than 70% of threats are internal

•   More than 60% of culprits are first-time fraudsters

•   Biggest risk: people

•   Biggest asset: people

•   Social engineering is a major threat

•   More than two-thirds of organizations report being unable to determine
    “whether my systems are currently compromised”
What is Risk?

Risk: A possibility that a threat exploits a
    vulnerability in an asset and causes damage or
    loss to the asset.

Threat: Something that can potentially cause damage
       to the organisation, IT Systems or network.


Vulnerability: A weakness in the organization, IT
            Systems, or network that can be exploited
            by a threat.
The challenges before us


• Define security policies and standards
• Measure actual security against policy
• Report violations of policy
• Correct violations to conform with policy
• Summarize policy compliance for the organization
Where do we start?


“The framework within which an organization strives to
meet its need for information security is codified as
security policy. A security policy is a concise
statement, by those responsible for a system (such as
senior management), of information values, protection
responsibilities and organizational commitment.”
     –   US General Accounting Office (GAO)
What is “Security & Privacy”?
     “Information Security” relates to the information “owned” by an
     organisation. Traditionally included three component parts:


1.   Confidentiality: Controlled access to information.
     Confidentiality of personally identifiable information is also a
     Privacy concern.
2.   Integrity: Ensuring that information can be relied upon to be
     sufficiently accurate for its purpose.
3.   Availability: Assurance that information is accessible when
     needed.
What Else is “Security”?
     It has been suggested recently that these should be reviewed
     completely or that at least two more components should be
     added:

4.   Accountability: Someone is personally accountable and
     responsible for the protection of information assets.
5.   Auditability: Ability to explain changes to information
     “state” and to support ongoing audit tests.
Pillars of Information Security

PEOPLE

PROCESSES

TECHNOLOGY
People “Who we are”
  People who use or interact with the Information include:
• Shareholders / Owners
• Management
• Employees
• Business Partners
• Service providers
• Contractors
• Customers / Clients
• Regulators etc…
Process “what we do”

The processes refer to "work practices" or workflow. Processes are the
repeatable steps to accomplish business objectives. Typical process in our
IT Infrastructure could include:

• Helpdesk / Service management
• Incident Reporting and Management
• Change Requests process
• Request fulfillment
• Access management
• Identity management
• Service Level / Third-party Services Management
• IT procurement process etc...
Technology “what we use to improve what we do”

Network Infrastructure:
• Cabling, Data/Voice Networks and equipment
• Telecommunications services (PABX), including VoIP services, ISDN, Video Conferencing
• Server computers and associated storage devices
• Operating software for server computers
• Communications equipment and related hardware
• Intranet and Internet connections
• VPNs and Virtual environments
• Remote access services
• Wireless connectivity

Application software:
• Finance and assets systems, including Accounting packages, Inventory management, HR systems, Assessment and reporting systems
• Software as a service (SaaS) instead of a packaged or custom-made product, etc.

Physical Security components:
• CCTV Cameras
• Clock-in systems / Biometrics
• Environmental management systems: Humidity Control, Ventilation, Air Conditioning, Fire Control systems
• Electricity / Power backup

Access devices:
• Desktop computers
• Laptops, ultra-mobile laptops and PDAs
• Thin client computing
• Digital cameras, Printers, Scanners, Photocopier etc.
The Foundation of Information Security
The Information Security Functions
Managing Information Security
Policies
The Purpose

Provide a framework for the management of security across the enterprise
Benefits:
•   A blue print for a company’s security program

•   The success of any information security program lies in policy
    development

•   Policy is the essential foundation of an effective information
    security program


•   An effective information security training and awareness effort
    cannot be initiated without writing information security policies
What are the Objectives & Goals?

• Protect the company and its assets against theft, abuse and other forms of harm and loss
• Estimate possible damage and potential loss through risk analysis
• Comply with requirements for confidentiality, integrity and availability
• Ensure service continuity even if major security incidents occur
• Ensure compliance with current laws, regulations and guidelines
• Motivate administrators and employees to maintain the responsibility for, ownership of
  and knowledge about information security, in order to minimize the risk of security
  incidents
Definitions

• Policies: high-level statements that provide guidance to workers who must make
  present and future decisions
• Standards: requirement statements that provide specific technical specifications
• Guidelines: optional but recommended specifications
Security Policy (example statements)

• Passwords will be 8 characters long
• Passwords should include one non-alpha character and not be found in a dictionary
• Access to network resources will be granted through a unique user ID and password
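A policy statement such as the three above only becomes a control when something enforces it. The following is an added example (not code from the original slides) that turns the slide's password standard into a check a provisioning system or self-service password-change page could call. The wordlist is a constructed stand-in for a real dictionary or breached-password list, and the leet-speak mapping, the minimum length constant and the function names are this example's own choices. Note that the slide's 8-character rule is a floor, not a recommendation; NIST SP 800-63B treats 8 as the minimum and relies on the breached-password check far more than on composition rules.

```python
"""Enforce the slide's password standard: length, a non-alphabetic character,
and no dictionary word as the basis of the password."""
import re
import string

# Constructed stand-in for a dictionary / breached-password list (example data).
# In production, load a real wordlist plus a breach corpus into a set at startup.
DICTIONARY = {"password", "welcome", "letmein", "sunshine", "football", "dragon"}

MIN_LENGTH = 8  # the slide's standard (assumption: treated as a hard minimum)

# Common substitutions users make to sneak a dictionary word past a naive check.
LEET = str.maketrans("@04$13", "aoasie")


def contains_dictionary_word(candidate: str, dictionary=DICTIONARY) -> bool:
    """True if the password is built on a dictionary word, even when disguised
    with leet substitutions or padded with digits/punctuation ("P@ssw0rd1!")."""
    normalized = candidate.lower().translate(LEET)
    stripped = re.sub(r"[^a-z]", "", normalized)
    # Substring match, guarded by length so short words don't cause false hits.
    return any(word in stripped for word in dictionary if len(word) >= 6)


def violations(candidate: str) -> list:
    """Return the policy rules the candidate breaks; an empty list means compliant."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(ch not in string.ascii_letters for ch in candidate):
        problems.append("contains no non-alphabetic character")
    if contains_dictionary_word(candidate):
        problems.append("based on a dictionary word")
    return problems


def is_compliant(candidate: str) -> bool:
    return not violations(candidate)


if __name__ == "__main__":
    for pw in ["abc", "P@ssw0rd1!", "sunshine", "c0rrect-horse-battery"]:
        print(f"{pw!r}: {violations(pw) or 'compliant'}")
```

The dictionary rule is the one most implementations get wrong: checking only for an exact match lets "Password1!" through while technically satisfying the other two rules, which is why the check normalizes and strips the password before looking it up.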
Basic Rules in Shaping a Policy

•   Policy should never conflict with law

•   Policy must be able to stand up in court, if
    challenged

•   Policy must be properly supported and
    administered
Guidelines for making policy

•   All policies must contribute to the success of
    the organization

•   Management must ensure the adequate
    sharing of responsibility for proper use of
    information systems

•   End users of information systems should be
    involved in the steps of policy formulation
Policies should……

Clearly identify and define the information security goals and the goals of the organization.
Type of InfoSec policies

•   Based on NIST Special Publication 800-14, the three types of
    information security policies are
     –   Enterprise information security program policy
     –   Issue-specific security policies
     –   System-specific security policies


•   The usual procedure
     –   First – creation of the enterprise information security policy – the highest
         level of policy
     –   Next – general policies are met by developing issue- and system-specific
         policies
Elements of Policies
   Statement of Purpose
   Establish roles and responsibility
   Define asset classifications
   Provide direction for decisions
   Establish the scope of authority
   Provide a basis for guidelines and procedures
   Establish accountability
   Describe appropriate use of assets
   Establish relationships to legal requirements
Bull’s Eye Model


•   Proven mechanism for prioritizing
    complex changes
•   Issues are addressed by moving from
    general to specifics
•   Focus on systemic solutions instead of
    individual problems
Bull’s Eye Model (Contd.)
Bull’s Eye Model Layers
•   Policies – the outer layer in the bull’s eye diagram
•   Networks – the place where threats from public networks meet
    the organization’s networking infrastructure; in the past, most
    information security efforts have focused on networks, and until
    recently information security was often thought to be
    synonymous with network security
•   Systems – computers used as servers, desktop computers, and
    systems used for process control and manufacturing systems
•   Applications – all application systems, ranging from packaged
    applications such as office automation and e-mail programs, to
    high-end ERP packages and custom application software
    developed by the organization
The Ten-Step Approach
What Should Management Do?

It is the responsibility of senior management to:

• Clarify what data should be protected
• Decide how sensitive this information is
• Budget for the protection of different types of data
• Determine how much risk the organization is willing to accept
• Implement business processes to regularly monitor and improve
• Assign responsibility for this to appropriate senior staff
What Should IT Do?
 The IT department can then decide on the best way
 to provide the necessary security:
• Work with management to inventory the corporate information assets and develop security policy
• Stay informed of breaking issues
• Develop and maintain security management capabilities (in-house or contract resources)
• Participate in security audits


 It is advisable to concentrate responsibility for the
 security of information in all forms, printed and
 electronic, under a single management structure.
What Can You Do?
Once an information security system has been established,
organizational culture is a critical factor in ensuring that
individual employees pay attention to the information security
policies and implement the procedures:
• Become aware of the information assets that cross your desk
• Each time you forward corporate information to someone, ask yourself if there are any security risks
• Speak up if you see evidence of security breaches
• Provide feedback to IT to assist ongoing management of Information Security



       Information Security is everyone’s business!!
HIPAA Security Guidelines


• Security Administration
• Physical Safeguards
• Technical Security Services and Mechanisms
Minimum HIPAA Requirements

Security Administration
• Certification Policy (.308(a)(1))
• Chain of Trust Policy (.308(a)(2))
• Contingency Planning Policy (.308(a)(3))
• Data Classification Policy (.308(a)(4))
• Access Control Policy (.308(a)(5))
• Audit Trail Policy (.308(a)(6))
• Configuration Management Policy (.308(a)(8))
• Incident Reporting Policy (.308(a)(9))
• Security Governance Policy (.308(a)(10))
• Access Termination Policy (.308(a)(11))
• Security Awareness & Training Policy (.308(a)(12))
Minimum HIPAA Requirements

Physical Safeguards
• Security Plan (Security Roles and Responsibilities) (.308(b)(1))
• Media Control Policy (.308(b)(2))
• Physical Access Policy (.308(b)(3))
• Workstation Use Policy (.308(b)(4))
• Workstation Safeguard Policy (.308(b)(5))
• Security Awareness & Training Policy (.308(b)(6))
Minimum HIPAA Requirements
Technical Security Services and Mechanisms
• Mechanism for controlling system access (.308(c)(1)(i))
  – “Need-to-know”
• Employ event logging on systems that process or store PHI (.308(c)(1)(ii))
• Mechanism to authorize the privileged use of PHI (.308(c)(3))
  – Employ a system- or application-based mechanism to authorize activities within system
    resources in accordance with the least privilege principle.
• Provide corroboration that PHI has not been altered or destroyed in an unauthorized
  manner (.308(c)(4))
  – Checksums, double keying, message authentication codes, and digital signatures.
• Users must be authenticated prior to accessing PHI (.308(c)(5))
  – Uniquely identify each user and authenticate identity
  – Implement at least one of the following methods to authenticate a user:
    password; biometrics; physical token; call-back or strong authentication for
    dial-up remote access users.
  – Implement automatic log-offs to terminate sessions after set periods of inactivity.
• Protection of PHI on networks with connections to external communication systems or
  public networks (.308(d))
  – Intrusion detection
  – Encryption
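The integrity requirement above lists checksums, message authentication codes and digital signatures side by side, but they do not give the same assurance. The following added example (not from the slides or from the HIPAA text) shows the difference a practitioner needs to keep in mind when choosing one: an unkeyed checksum detects accidental corruption, but anyone who can write to the record store can edit a record and recompute the checksum, so it does not corroborate that the change was authorized. An HMAC computed with a key the storage layer never holds does. The record fields, the key and the function names are constructed for this example.

```python
"""Corroborating that a stored record has not been altered: unkeyed checksum
versus HMAC. Example data and names are constructed for illustration."""
import hashlib
import hmac
import json
import os


def canonical(record: dict) -> bytes:
    """Serialise deterministically so the same record always hashes identically."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def checksum(record: dict) -> str:
    """Unkeyed integrity value: catches disk/transfer corruption only."""
    return hashlib.sha256(canonical(record)).hexdigest()


def checksum_ok(record: dict, stored: str) -> bool:
    return hmac.compare_digest(checksum(record), stored)


def mac(key: bytes, record: dict) -> str:
    """Keyed integrity value: cannot be recomputed without the key."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def mac_ok(key: bytes, record: dict, stored: str) -> bool:
    # compare_digest avoids leaking the tag through comparison timing.
    return hmac.compare_digest(mac(key, record), stored)


def tamper_scenario(key: bytes) -> dict:
    """An attacker with write access to the record store, but not to the key,
    edits a dosage and recomputes the checksum. Returns which checks still pass."""
    record = {"patient_id": "P-1001", "diagnosis": "hypertension",
              "rx": "lisinopril 10mg"}          # constructed sample record
    stored_sum = checksum(record)
    stored_mac = mac(key, record)

    tampered = dict(record, rx="lisinopril 100mg")
    forged_sum = checksum(tampered)              # attacker can do this...
    # ...but cannot produce mac(key, tampered) without the key.
    return {
        "original_checksum_ok": checksum_ok(record, stored_sum),
        "original_mac_ok": mac_ok(key, record, stored_mac),
        "tampered_checksum_ok": checksum_ok(tampered, forged_sum),
        "tampered_mac_ok": mac_ok(key, tampered, stored_mac),
    }


if __name__ == "__main__":
    print(tamper_scenario(os.urandom(32)))
```

The protection only holds if the key lives somewhere the record store's write path cannot reach (an HSM, a KMS, or at least a separate service); a key stored in the same database as the records turns the HMAC back into a checksum. Where the verifier and the signer are different parties, a digital signature is the right tool, since the verifier then needs no secret at all.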
Information Security Standards

  ISO/IEC 27001 (ISO/IEC 27001:2005 - Information
  technology -- Security techniques -- Information
  security management systems -- Requirements),
  commonly known as "ISO 27001".
• Published in 2005 (the edition cited here; it has since been superseded by the
  2013 and then the 2022 editions)
• Formally specifies a management system that is intended to bring
  information security under explicit management control.
• Mandates specific requirements. Organizations that claim to have adopted
  ISO/IEC 27001 can therefore be formally audited and certified compliant.
• Management systematically examines the organization's information
  security risks, taking account of the threats, vulnerabilities and impacts.
• Requires a comprehensive suite of information security controls and/or
  other forms of risk treatment (e.g. risk avoidance, risk transfer).
• Requires a management process to ensure that the information security
  controls continue to meet the organization's information security needs on
  an ongoing basis.
Final Note

• Policies are a countermeasure to protect assets from threats
  – Policies exist to inform employees of acceptable (and unacceptable) behavior
  – They are meant to improve employee productivity and prevent potentially
    embarrassing situations
  – They communicate penalties for noncompliance
Human Wall Is Always Better Than A Firewall




. . . LET US BUILD A HUMAN WALL ALONG WITH FIREWALL
Information security: importance of having defined policy & process
More from Information Technology Society Nepal

Where should I be encrypting my data?
Where should I be encrypting my data? Where should I be encrypting my data?
Where should I be encrypting my data?
Information Technology Society Nepal
 
Information security
Information securityInformation security
Exploring web vulnerabilities
Exploring web vulnerabilitiesExploring web vulnerabilities
Exploring web vulnerabilities
Information Technology Society Nepal
 
Power of logs: practices for network security
Power of logs: practices for network securityPower of logs: practices for network security
Power of logs: practices for network security
Information Technology Society Nepal
 
Cyber law in nepal and implementation
Cyber law in nepal and implementationCyber law in nepal and implementation
Cyber law in nepal and implementation
Information Technology Society Nepal
 
Role of youth in cyber law
Role of youth in cyber lawRole of youth in cyber law
Role of youth in cyber law
Information Technology Society Nepal
 

More from Information Technology Society Nepal (6)

Where should I be encrypting my data?
Where should I be encrypting my data? Where should I be encrypting my data?
Where should I be encrypting my data?
 
Information security
Information securityInformation security
Information security
 
Exploring web vulnerabilities
Exploring web vulnerabilitiesExploring web vulnerabilities
Exploring web vulnerabilities
 
Power of logs: practices for network security
Power of logs: practices for network securityPower of logs: practices for network security
Power of logs: practices for network security
 
Cyber law in nepal and implementation
Cyber law in nepal and implementationCyber law in nepal and implementation
Cyber law in nepal and implementation
 
Role of youth in cyber law
Role of youth in cyber lawRole of youth in cyber law
Role of youth in cyber law
 

Recently uploaded

How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
Product School
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
91mobiles
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
Thijs Feryn
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
DianaGray10
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
Safe Software
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
Abida Shariff
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Product School
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
RTTS
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
BookNet Canada
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Thierry Lestable
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
Paul Groth
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User Group
CatarinaPereira64715
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
DianaGray10
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Product School
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
OnBoard
 

Recently uploaded (20)

How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User Group
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
 

Information security: importance of having defined policy & process

  • 1. Information Security Importance of having defined Policy & Process
  • 2. What is Information? Data that is:
    - Accurate and timely
    - Specific and organized for a purpose
    - Presented within a context that gives it meaning and relevance
    - Leads to an increase in understanding and a decrease in uncertainty
  • 3. Information can be:
    - Created, stored or destroyed
    - Processed
    - Transmitted
    - Corrupted
    - Displayed / published on the web
    - Verbal: spoken in conversations
    "…Whatever form the information takes, or means by which it is shared or stored, it should always be appropriately protected" (BS ISO 27002:2005)
  • 4. What is the Importance of Information? Information is valuable because it can affect:
    - Behaviour
    - A decision
    - An outcome
  • 5. What Is Information Security? Information security is exactly what it says: the security of information. "Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected" (BS ISO 27002:2005). It is the process by which digital information assets are protected.
  • 6. Why is information security needed?
    - To ensure business continuity and reduce business damage
    - To prevent and minimize the impact of security incidents
  • 7. Data Breach Trends
    - Worldwide, approximately 1.1 million identities were exposed per breach, mainly owing to the large number of identities breached through hacking attacks.
    - Apr 18, 2012 - According to CNN, messages on Twitter and Tumblr indicated members of the loosely-structured hacking network were celebrating the shutdown of the CIA's website.
    - Sep 03, 2012 - Swedish government websites were jammed by hackers for hours Monday, with some supporters of WikiLeaks founder Julian Assange claiming responsibility on Twitter.
    - Sep 27, 2012 - Police smashed one of Australia's most sophisticated credit card fraud syndicates, seizing more than 15,000 fake cards with a potential value of $37.5 million.
    - Apr 18, 2012 - Emory Healthcare in Atlanta announced a data breach after the organization misplaced 10 backup disks, which contained information for more than 315,000 patients.
    - 82% of large organizations reported security breaches caused by staff, including 47% who lost or leaked confidential information.
  • 8. Security breaches lead to:
    - Reputation loss
    - Financial loss
    - Intellectual property loss
    - Legislative breaches leading to legal action (cyber law)
    - Loss of customer confidence
    - Business interruption costs
    LOSS OF GOODWILL
  • 9. Information Security is an "Organizational Problem" rather than an "IT Problem"
    - More than 70% of threats are internal
    - More than 60% of culprits are first-time fraudsters
    - Biggest risk: people
    - Biggest asset: people
    - Social engineering is a major threat
    - More than two thirds express their inability to determine "whether my systems are currently compromised"
  • 10. What is Risk?
    - Risk: the possibility that a threat exploits a vulnerability in an asset and causes damage or loss to the asset.
    - Threat: something that can potentially cause damage to the organisation, IT systems or network.
    - Vulnerability: a weakness in the organization, IT systems or network that can be exploited by a threat.
  • 11. The challenges before us
    - Define security policies and standards
    - Measure actual security against policy
    - Report violations of policy
    - Correct violations to conform with policy
    - Summarize policy compliance for the organization
  • 12. Where do we start? "The framework within which an organization strives to meet its need for information security is codified as security policy. A security policy is a concise statement, by those responsible for a system (such as senior management), of information values, protection responsibilities and organizational commitment." – US General Accounting Office (GAO)
  • 13. What is "Security & Privacy"? "Information Security" relates to the information "owned" by an organisation. Traditionally it included three component parts:
    1. Confidentiality: controlled access to information. Confidentiality of personally identifiable information is also a privacy concern.
    2. Integrity: ensuring that information can be relied upon to be sufficiently accurate for its purpose.
    3. Availability: assurance that information is accessible when needed.
  • 14. What Else is "Security"? It has been suggested recently that these should be reviewed completely, or that at least two more components should be added:
    4. Accountability: someone is personally accountable and responsible for the protection of information assets.
    5. Audit-ability: the ability to explain changes to information "state" and to run ongoing audit tests.
  • 15. Pillars of Information Security: PEOPLE, PROCESSES, TECHNOLOGY
  • 16. People: "who we are". People who use or interact with the information include:
    - Shareholders / owners
    - Management
    - Employees
    - Business partners
    - Service providers
    - Contractors
    - Customers / clients
    - Regulators etc.
  • 17. Process: "what we do". The processes refer to "work practices" or workflow. Processes are the repeatable steps to accomplish business objectives. Typical processes in our IT infrastructure could include:
    - Helpdesk / service management
    - Incident reporting and management
    - Change request process
    - Request fulfilment
    - Access management
    - Identity management
    - Service level / third-party services management
    - IT procurement process etc.
  • 18. Technology: "what we use to improve what we do"
    - Network infrastructure: cabling, data/voice networks and equipment; telecommunications services (PABX), including VoIP services, video conferencing, ISDN; server computers and associated storage devices; operating software for server computers; communications equipment and related hardware; intranet and Internet connections; VPNs and virtual environments; remote access services; wireless connectivity; thin client computing.
    - Application software: finance and asset systems, including accounting packages, inventory management, HR systems, assessment and reporting systems; software as a service (SaaS) instead of software as a packaged or custom-made product, etc.
    - Physical security components: CCTV cameras; clock-in systems / biometrics; environmental management systems (humidity control, ventilation, air conditioning, fire control systems); electricity / power backup.
    - Access devices: desktop computers and PDAs; laptops, ultra-mobile laptops; digital cameras, printers, scanners, photocopiers etc.
  • 19. The Foundation of Information Security
  • 23. The Purpose: provide a framework for the management of security across the enterprise
  • 24. Benefits:
    - A blueprint for a company's security program
    - The success of any information security program lies in policy development
    - Policy is the essential foundation of an effective information security program
    - An effective information security training and awareness effort cannot be initiated without writing information security policies
  • 25. What are the Objectives & Goals?
    - Protect the company and its assets against theft, abuse and other forms of harm and loss
    - Estimate possible damage and potential loss through risk analysis
    - Comply with requirements for confidentiality, integrity and availability
    - Ensure service continuity even if major security incidents occur
    - Ensure compliance with current laws, regulations and guidelines
    - Motivate administrators and employees to maintain responsibility for, ownership of and knowledge about information security, in order to minimize the risk of security incidents
  • 26. Definitions
    - Policies: high-level statements that provide guidance to workers who must make present and future decisions
    - Standards: requirement statements that provide specific technical specifications
    - Guidelines: optional but recommended specifications
  • 27. Security Policy (example)
    - Access to network resources will be granted through a unique user ID and password
    - Passwords will be 8 characters long
    - Passwords should include one non-alpha character and not be found in a dictionary
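Slide 27's three rules are concrete enough to be checked by code, and slide 11's loop (measure actual security against policy, report violations, summarize compliance) is what such a check feeds. The following is an added example, not part of the original slides: a policy-as-code checker in Python. The account list and the six-word dictionary are constructed stand-ins, and the 8-character minimum is taken from the slide as a parameter, not as a recommendation.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Thresholds as stated on the slide (8 characters, at least one non-alpha,
# not a dictionary word). They are parameters of the check, not a recommendation.
MIN_LENGTH = 8

# Constructed stand-in for a real wordlist file.
DICTIONARY = {"password", "welcome", "letmein", "monkey", "football", "sunshine"}

# Constructed sample accounts: (user ID, candidate password). In practice the
# password check runs at set-time; cleartext is never stored or logged.
SAMPLE_ACCOUNTS = [
    ("alice", "Tr0ub4dor&3"),  # compliant
    ("bob",   "sunshine"),     # dictionary word, letters only
    ("carol", "Pa55w"),        # too short
    ("dave",  "Welcome1"),     # 8 characters, but still the dictionary word "welcome"
    ("bob",   "sunshine"),     # user ID reused: shared account
]


@dataclass(frozen=True)
class Violation:
    user_id: str
    rule: str


def password_violations(password: str, dictionary: set[str] = DICTIONARY) -> list[str]:
    """Return the policy rules a password breaks (empty list means compliant)."""
    failed = []
    if len(password) < MIN_LENGTH:
        failed.append(f"length < {MIN_LENGTH}")
    if all(c.isalpha() for c in password):
        failed.append("no non-alphabetic character")
    # Compare case-insensitively and also after stripping trailing digits or
    # symbols, so "Welcome1" is still caught as the dictionary word "welcome".
    core = re.sub(r"[^A-Za-z]+$", "", password).lower()
    if password.lower() in dictionary or core in dictionary:
        failed.append("dictionary word")
    return failed


def audit(accounts: list[tuple[str, str]], dictionary: set[str] = DICTIONARY) -> list[Violation]:
    """Measure every account against the policy and report each violation."""
    violations = []
    seen = set()
    for user_id, password in accounts:
        if user_id in seen:                      # "unique user ID" rule
            violations.append(Violation(user_id, "user ID not unique"))
        seen.add(user_id)
        for rule in password_violations(password, dictionary):
            violations.append(Violation(user_id, rule))
    return violations


def summarize(accounts: list[tuple[str, str]], dictionary: set[str] = DICTIONARY) -> dict:
    """Roll the violations up into the compliance figure the organization reports on."""
    violations = audit(accounts, dictionary)
    user_ids = {user_id for user_id, _ in accounts}
    offenders = {v.user_id for v in violations}
    return {
        "accounts": len(accounts),
        "user_ids": len(user_ids),
        "violations": len(violations),
        "noncompliant_user_ids": sorted(offenders),
        "compliance_pct": round(100 * (len(user_ids) - len(offenders)) / len(user_ids)),
    }


if __name__ == "__main__":
    for v in audit(SAMPLE_ACCOUNTS):
        print(f"VIOLATION {v.user_id}: {v.rule}")
    print(summarize(SAMPLE_ACCOUNTS))
```

The dictionary check strips trailing digits and symbols before the lookup because "Welcome1" satisfies the length and non-alpha rules while remaining a dictionary word with a suffix; a checker that only tests the literal string would pass it. The summary counts distinct user IDs rather than rows, so a shared account counts against the user ID once.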
  • 28. Basic Rules in Shaping a Policy
    - Policy should never conflict with law
    - Policy must be able to stand up in court, if challenged
    - Policy must be properly supported and administered
  • 29. Guidelines for making policy
    - All policies must contribute to the success of the organization
    - Management must ensure adequate sharing of responsibility for the proper use of information systems
    - End users of information systems should be involved in the steps of policy formulation
  • 30. Policies should clearly identify and define the information security goals and the goals of the organization.
  • 31. Types of InfoSec policies
    - Based on NIST Special Publication 800-14, the three types of information security policies are: enterprise information security program policy; issue-specific security policies; system-specific security policies
    - The usual procedure: first, creation of the enterprise information security policy, the highest level of policy; next, the general policies are met by developing issue- and system-specific policies
  • 32. Elements of Policies
    - Statement of purpose
    - Establish roles and responsibilities
    - Define asset classifications
    - Provide direction for decisions
    - Establish the scope of authority
    - Provide a basis for guidelines and procedures
    - Establish accountability
    - Describe appropriate use of assets
    - Establish relationships to legal requirements
  • 33. Bull's Eye Model
    - A proven mechanism for prioritizing complex changes
    - Issues are addressed by moving from the general to the specific
    - Focus on systemic solutions instead of individual problems
  • 34. Bull's Eye Model (contd.)
  • 35. Bull's Eye Model Layers
    - Policies – the outer layer in the bull's eye diagram
    - Networks – the place where threats from public networks meet the organization's networking infrastructure; in the past, most information security efforts have focused on networks, and until recently information security was often thought to be synonymous with network security
    - Systems – computers used as servers, desktop computers, and systems used for process control and manufacturing systems
    - Applications – all application systems, ranging from packaged applications such as office automation and e-mail programs, to high-end ERP packages and custom application software developed by the organization
  • 37. What Should Management Do? It is the responsibility of senior management to:
    - Clarify what data should be protected
    - Decide how sensitive this information is
    - Budget for the protection of different types of data
    - Determine how much risk the organization is willing to accept
    - Implement business processes to regularly monitor and improve
    - Assign responsibility for this to appropriate senior staff
  • 38. What Should IT Do? The IT department can then decide on the best way to provide the necessary security:
    - Work with management to inventory the corporate information assets and develop security policy
    - Stay informed of breaking issues
    - Develop and maintain security management capabilities (in-house or contract resources)
    - Participate in security audits
    It is advisable to concentrate responsibility for the security of information in all forms, printed and electronic, under a single management structure.
  • 39. What Can You Do? Once an information security system has been established, organizational culture is a critical factor in ensuring that individual employees pay attention to the information security policies and implement the procedures:
    - Become aware of the information assets that cross your desk
    - Each time you forward corporate information to someone, ask yourself if there are any security risks
    - Speak up if you see evidence of security breaches
    - Provide feedback to IT to assist ongoing management of information security
    Information Security is everyone's business!
  • 40. HIPAA Security Guidelines
    - Security administration
    - Physical safeguards
    - Technical security services and mechanisms
  • 41. Minimum HIPAA Requirements: Security Administration
    - Certification Policy (.308(a)(1))
    - Chain of Trust Policy (.308(a)(2))
    - Contingency Planning Policy (.308(a)(3))
    - Data Classification Policy (.308(a)(4))
    - Access Control Policy (.308(a)(5))
    - Audit Trail Policy (.308(a)(6))
    - Configuration Management Policy (.308(a)(8))
    - Incident Reporting Policy (.308(a)(9))
    - Security Governance Policy (.308(a)(10))
    - Access Termination Policy (.308(a)(11))
    - Security Awareness & Training Policy (.308(a)(12))
  • 42. Minimum HIPAA Requirements: Physical Safeguards
    - Security Plan (security roles and responsibilities) (.308(b)(1))
    - Media Control Policy (.308(b)(2))
    - Physical Access Policy (.308(b)(3))
    - Workstation Use Policy (.308(b)(4))
    - Workstation Safeguard Policy (.308(b)(5))
    - Security Awareness & Training Policy (.308(b)(6))
  • 43. Minimum HIPAA Requirements: Technical Security Services and Mechanisms
    - Mechanism for controlling system access (.308(c)(1)(i)): "need-to-know"
    - Employ event logging on systems that process or store PHI (.308(c)(1)(ii))
    - Mechanism to authorize the privileged use of PHI (.308(c)(3)): employ a system- or application-based mechanism to authorize activities within system resources in accordance with the least privilege principle
    - Provide corroboration that PHI has not been altered or destroyed in an unauthorized manner (.308(c)(4)): checksums, double keying, message authentication codes and digital signatures
    - Users must be authenticated prior to accessing PHI (.308(c)(5)): uniquely identify each user and authenticate identity; implement at least one of the following methods to authenticate a user: password; biometrics; physical token; call-back or strong authentication for dial-up remote access users. Implement automatic log-offs to terminate sessions after set periods of inactivity.
    - Protection of PHI on networks with connections to external communication systems or public networks (.308(d)): intrusion detection; encryption
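Four of the mechanisms on slide 43 fit in one small piece of code: a message authentication code that corroborates a PHI record has not been altered, event logging of every access, a least-privilege role check, and automatic log-off after a period of inactivity. The block below is an added example, not code from the original slides or from any HIPAA guidance; it uses Python's standard hmac module, and the patient record, the key, the role names and the 900-second idle timeout are constructed assumptions for the demonstration.

```python
from __future__ import annotations

import hashlib
import hmac
import json
import time

# Constructed sample PHI record and key (assumptions for this example; a real
# deployment would fetch the key from a KMS/HSM, never hard-code it).
RECORD = {"patient_id": "P-1042", "diagnosis": "J45.20", "dose_mg": 250}
INTEGRITY_KEY = b"demo-integrity-key-do-not-use"

# Least privilege / need-to-know: only these (assumed) roles may read PHI.
PHI_READ_ROLES = {"clinician", "nurse"}


def canonical(record: dict) -> bytes:
    """Serialize deterministically so sealer and verifier MAC the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(record: dict, key: bytes = INTEGRITY_KEY) -> str:
    """HMAC-SHA256 tag stored beside the record (the slide's message authentication code)."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify(record: dict, tag: str, key: bytes = INTEGRITY_KEY) -> bool:
    """Constant-time comparison; any altered field yields a different tag."""
    return hmac.compare_digest(seal(record, key), tag)


class Session:
    """Authenticated session that logs every PHI event and auto-logs-off when idle.

    `clock` is injectable so the timeout can be exercised without sleeping."""

    def __init__(self, user_id: str, role: str, idle_timeout: float = 900.0, clock=time.monotonic):
        self.user_id = user_id
        self.role = role
        self.idle_timeout = idle_timeout
        self.clock = clock
        self.last_activity = clock()
        self.active = True
        self.events: list[str] = [f"login user={user_id} role={role}"]

    def _log(self, event: str) -> None:
        # Event logging (.308(c)(1)(ii)): append-only audit trail of PHI access.
        self.events.append(f"{event} user={self.user_id}")

    def read_phi(self, record: dict, tag: str) -> dict | None:
        """Return the record only if the session is live, the role is allowed and the MAC verifies."""
        now = self.clock()
        if not self.active:
            self._log("denied reason=session-closed")
            return None
        if now - self.last_activity > self.idle_timeout:
            self.active = False                      # automatic log-off
            self._log(f"auto-logoff idle>{self.idle_timeout:.0f}s")
            return None
        self.last_activity = now
        if self.role not in PHI_READ_ROLES:          # least privilege / need-to-know
            self._log(f"denied reason=role role={self.role}")
            return None
        if not verify(record, tag):                  # integrity corroboration
            self._log(f"integrity-failure patient={record.get('patient_id')}")
            return None
        self._log(f"phi-read patient={record['patient_id']}")
        return record


if __name__ == "__main__":
    tag = seal(RECORD)
    s = Session("nurse7", "nurse", idle_timeout=900)
    print(s.read_phi(RECORD, tag))                       # record returned
    print(s.read_phi(dict(RECORD, dose_mg=2500), tag))   # None: tampered record
    print("\n".join(s.events))
```

A plain checksum would detect accidental corruption but not deliberate alteration, since anyone who can edit the record can recompute it; the keyed MAC ties the tag to a secret the editor does not hold, which is why the slide lists message authentication codes and digital signatures beside checksums. The denied and auto-logoff events are logged as well as the successful reads, because an audit trail that records only successes cannot answer the slide 9 question of whether a system is currently compromised.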
  • 44. Information Security Standards: ISO/IEC 27001 (ISO/IEC 27001:2005 - Information technology -- Security techniques -- Information security management systems -- Requirements), commonly known as "ISO 27001".
    - Published in 2005
    - Formally specifies a management system that is intended to bring information security under explicit management control
    - Mandates specific requirements; organizations that claim to have adopted ISO/IEC 27001 can therefore be formally audited and certified compliant
    - Management systematically examines the organization's information security risks, taking account of the threats, vulnerabilities and impacts
    - Requires a comprehensive suite of information security controls and/or other forms of risk treatment (e.g. risk avoidance, risk transfer)
    - Requires a management process to ensure that the information security controls continue to meet the organization's information security needs on an ongoing basis
  • 45. Final Note
    - Policies are a countermeasure to protect assets from threats
    - Policies exist to inform employees of acceptable (and unacceptable) behaviour
    - They are meant to improve employee productivity and prevent potentially embarrassing situations
    - They communicate penalties for non-compliance
  • 46. A human wall is always better than a firewall… LET US BUILD A HUMAN WALL ALONG WITH THE FIREWALL