This document provides an overview of information security. It defines information security as protecting information systems, hardware, and data. It then describes different types of security including physical, personal, operations, communications, network, and information security. The document outlines several common threats to information systems such as unauthorized access, cyberespionage, malware, data leakage, mobile device attacks, social engineering, insiders, phishing, spam, and identity theft. It recommends various controls for protecting information systems, including data security plans, access controls, encryption, backups, and employee training.

1. WELCOME

3. WHATIS INFORMATIONSECURITY?
The protection of information and its
elements including systems, hardware that
use, store and transmit the information

4. SECURITYTYPES
• Physical Security : To protect Physical items, objects or areas
• Personal Security : To protect the individual or group of individuals who are authorized
• Operations Security : To protect the details of a particular operation or activities
• Communications Security : To protect communication media, technology and content
• Network Security :To protect networking components, connections and contents
• Information Security : To protect information assets

5. THREATSTOINFORMATIONSYSTEM
 There are many information security threats that
we need to be constantly aware of and protect
against in order to ensure our sensitive
information remains secure. Some of the threats
are as follows:

6. UNAUTHORIZEDACCESS–
• The attempted or successful access of information or systems,
without permission or rights to do so.
 Ensure you have a properly configured firewall, up to date
malware prevention software and all software has the latest
security updates.
 Protect all sensitive information, utilizing encryption where
appropriate, and use strong passwords that are changed
regularly.

7. CYBERESPIONAGE
• The act of spying through the use of computers, involving the
covert access or ‘hacking’of company or government networks
to obtain sensitive information.
 Be alert for social engineering attempts and
verify all requests for sensitive information.
 Ensure software has the latest security updates, your network
is secure and monitor for unusual network behavior.

8. MALWARE
• A collective term for malicious software, such as viruses,
worms and trojans; designed to infiltrate systems and
information for criminal, commercial or destructive purposes.
 Ensure you have a properly configured firewall, up to date
malware prevention and all software has the latest security
updates.
 Do not click links or open attachments in emails from
unknown senders, visit un-trusted websites or install dubious
software.

9. DATALEAKAGE
• The intentional or accidental loss, theft or exposure of
sensitive company or personal information
 Ensure all sensitive information stored on removable
storage media, mobile devices or laptops is encrypted
 Be mindful of what you post online, check email recipients
before pressing send, and never email sensitive company
information to personal email accounts

10. MOBILEDEVICEATTACK
• The malicious attack on, or unauthorized access of mobile
devices and the information stored or processed by them;
performed wirelessly or through physical possession.
 Keep devices with you at all times, encrypt all sensitive data
and removable storage media, and use strong passwords.
 Avoid connecting to insecure, un-trusted public wireless
networks and ensure Bluetooth is in ‘undiscoverable’mode.

11. SOCIALENGINEERING
• Tricking and manipulating others by phone, email, online or in-
person, into divulging sensitive information, in order to access
company information or systems.
 Verify all requests for sensitive information, no matter how
legitimate they may seem, and never share your passwords with
anyone – not even the helpdesk.
 Never part with sensitive information if in doubt, and report
suspected social engineering attempts immediately.

12. INSIDERS
• An employee or worker with malicious intent to steal
sensitive company information, commit fraud or cause
damage to company systems or information
 Ensure access to sensitive information is restricted to only
those that need it and revoke access when no longer
required
 Report all suspicious activity or workers immediately

13. PHISHING
• A form of social engineering, involving the sending of legitimate
looking emails aimed at fraudulently extracting sensitive information
from recipients, usually to gain access to systems or for identity theft.
• Look out for emails containing unexpected or unsolicited requests for
sensitive information, or contextually relevant emails from unknown
senders.
• Never click on suspicious looking links within emails, and report all
suspected phishing attempts immediately.

14. SPAM
• Unsolicited email sent in bulk to many individuals, usually
for commercial gain, but increasingly for spreading
malware.
 Only give your email to those you trust and never post
your address online for others to view.
 Use a spam filter and never reply to spam emails or click
links within them.

15. IDENTITYTHEFT
• The theft of an unknowing individual’s personal information, in order
to fraudulently assume that individual’s identity to commit a crime,
usually for financial gain.
• Never provide personal information to un-trusted individuals or
websites.
• Ensure personal information is protected when stored and securely
disposed of when no longer needed.

16. PROTECTINGINFORMATIONSYSTEM
1. Data security is fundamental
Data security is crucial to all academic, medical and
business operations.
 All existing and new business and data processes should
include a data security review to be sure data is safe from
loss and secured against unauthorized access.

17. 2. Plan ahead
Create a plan to review your data security status and
policies and create routine processes to access, handle and
store the data safely as well as archive unneeded data.
 Make sure you and your colleagues know how to respond if
you have a data loss or data breach incident.

18. 3. Know what data you have
The first step to secure computing is knowing what data you
have and what levels of protection are required to keep the
data both confidential and safe from loss.

19. 4. Scale down the data
Keep only the data you need for routine current business,
safely archive or destroy older data, and remove it from all
computers and other devices (smart phones, laptops, flash
drives, external hard disks).

20. 5. Lock up!
 Physical security is the key to safe and confidential computing.
 All the passwords in the world won't get your laptop back if the
computer itself is stolen.
 Back up the data to a safe place in the event of loss.

21. INFORMATIONSECURITYCONTROLS
Security is generally defined as the freedom from danger or
as the condition of safety.
 Computer security, specifically, is the protection of data in a
system against unauthorized disclosure, modification, or
destruction and protection of the computer system itself
against unauthorized use, modification, or denial of service.

22. PHYSICALCONTROLS
It is the use of locks, security guards, badges, alarms, and similar
measures to control access to computers, related equipment
(including utilities), and the processing facility itself.
In addition, measures are required for protecting computers,
related equipment, and their contents from espionage, theft, and
destruction or damage by accident, fire, or natural disaster (e.g.,
floods and earthquakes).

23. TECHNICALCONTROLS
Involves the use of safeguards incorporated in computer
hardware, operations or applications software,
communications hardware and software, and related devices.
 Technical controls are sometimes referred to as logical
controls.

24. TECHNICALCONTROLS
Preventive technical controls are used to prevent
unauthorized personnel or programs from gaining remote
access to computing resources. Examples of these controls
include:
o Access control software
o Antivirus software
o Library control systems
o Passwords
o Smart cards
o Encryption
o Dial-up access control and callback systems

25. ADMINISTRATIVECONTROLS
Consists of management constraints, operational
procedures, accountability procedures, and supplemental
administrative controls established to provide an acceptable
level of protection for computing resources.
 In addition, administrative controls include procedures
established to ensure that all personnel who have access to
computing resources have the required authorizations and
appropriate security clearances.

26. ADMINISTRATIVECONTROLS
 Preventive administrative controls are personnel-oriented techniques
for controlling people’s behavior to ensure the confidentiality,
integrity, and availability of computing data and programs. Examples
of preventive administrative controls include:
o Security awareness and technical training
o Separation of duties
o Procedures for recruiting and terminating employees
o Security policies and procedures
o Supervision.
o Disaster recovery, contingency, and emergency plans
o User registration for computer access

27. THANK YOU