SlideShare a Scribd company logo

Introduction to information security - by Ivan Nganda

Download as PPT, PDF
See You Rise Holdings
See You Rise Holdings

get an insiders look into the information security phenomena as i demystify the loops in the subject

Software
1 of 17
Introduction to Information Security HAND OUT 05
What is Security? • “The quality or state of being secure—to be free from danger” • A successful organization should have multiple layers of security in place: – Physical security – Personal security – Operations security – Communications security – Network security – Information security
What is Information Security? • The protection of information and its critical elements, including systems and hardware that use, store, and transmit that information • Necessary tools: policy, awareness, training, education, technology • C.I.A. triangle was standard based on confidentiality, integrity, and availability • C.I.A. triangle now expanded into list of critical characteristics of information
Critical Characteristics of Information • The value of information comes from the characteristics it possesses: – Availability – Accuracy – Authenticity – Confidentiality – Integrity – Utility – Possession
Components of an Information System • Information System (IS) is entire set of software, hardware, data, people, procedures, and networks necessary to use information as a resource in the organization
Securing Components • Computer can be subject of an attack and/or the object of an attack – When the subject of an attack, computer is used as an active tool to conduct attack – When the object of an attack, computer is the entity being attacked
Figure 1-5 – Subject and Object of Attack
Balancing Information Security and Access • Impossible to obtain perfect security—it is a process, not an absolute • Security should be considered balance between protection and availability • To achieve balance, level of security must allow reasonable access, yet protect against threats
Figure 1-6 – Balancing Security and Access
Approaches to Information Security Implementation: Bottom-Up Approach • Grassroots effort: systems administrators attempt to improve security of their systems • Key advantage: technical expertise of individual administrators • Seldom works, as it lacks a number of critical features: – Participant support – Organizational staying power
Investigation • What problem is the system being developed to solve? • Objectives, constraints and scope of project are specified • Preliminary cost-benefit analysis is developed • At the end, feasibility analysis is performed to assesses economic, technical, and behavioral feasibilities of the process
Analysis • Consists of assessments of the organization, status of current systems, and capability to support proposed systems • Analysts determine what new system is expected to do and how it will interact with existing systems • Ends with documentation of findings and update of feasibility analysis
Data Ownership • Data Owner: responsible for the security and use of a particular set of information • Data Custodian: responsible for storage, maintenance, and protection of information • Data Users: end users who work with information to perform their daily jobs supporting the mission of the organization
Communities Of Interest • Group of individuals united by similar interest/values in an organization – Information Security Management and Professionals – Information Technology Management and Professionals – Organizational Management and Professionals
Summary • Information security is a “well-informed sense of assurance that the information risks and controls are in balance.” • Computer security began immediately after first mainframes were developed • Successful organizations have multiple layers of security in place: physical, personal, operations, communications, network, and information.
Summary • Security should be considered a balance between protection and availability • Information security must be managed similar to any major system implemented in an organization using a methodology like SecSDLC

Recommended

Introduction to Information Security
Introduction to Information SecurityIntroduction to Information Security
Introduction to Information Security
Dr. Loganathan R
 
Information security
Information security Information security
Information security
razendar79
 
Introduction to information security
Introduction to information securityIntroduction to information security
Introduction to information security
KATHEESKUMAR S
 
Information security
Information securityInformation security
Information security
Lusungu Mkandawire CISA,CISM,CGEIT,CPF,PRINCE2
 
Introduction to information security
Introduction to information securityIntroduction to information security
Introduction to information security
Dhani Ahmad
 
Information Security Background
Information Security BackgroundInformation Security Background
Information Security Background
Nicholas Davis
 
Lesson 1- Risk Managment
Lesson 1- Risk ManagmentLesson 1- Risk Managment
Lesson 1- Risk Managment
MLG College of Learning, Inc
 
Computing safety
Computing safetyComputing safety
Computing safety
titoferrus
 

Recommended

Introduction to Information Security
Introduction to Information SecurityIntroduction to Information Security
Introduction to Information Security
Dr. Loganathan R
 
Information security
Information security Information security
Information security
razendar79
 
Introduction to information security
Introduction to information securityIntroduction to information security
Introduction to information security
KATHEESKUMAR S
 
Information security
Information securityInformation security
Information security
Lusungu Mkandawire CISA,CISM,CGEIT,CPF,PRINCE2
 
Introduction to information security
Introduction to information securityIntroduction to information security
Introduction to information security
Dhani Ahmad
 
Information Security Background
Information Security BackgroundInformation Security Background
Information Security Background
Nicholas Davis
 
Lesson 1- Risk Managment
Lesson 1- Risk ManagmentLesson 1- Risk Managment
Lesson 1- Risk Managment
MLG College of Learning, Inc
 
Computing safety
Computing safetyComputing safety
Computing safety
titoferrus
 
Introduction to information security
Introduction to information securityIntroduction to information security
Introduction to information security
Kumawat Dharmpal
 
CISSP Certification- Security Engineering-part1
CISSP Certification- Security Engineering-part1CISSP Certification- Security Engineering-part1
CISSP Certification- Security Engineering-part1
Hamed Moghaddam
 
Introduction to Cybersecurity Fundamentals
Introduction to Cybersecurity FundamentalsIntroduction to Cybersecurity Fundamentals
Introduction to Cybersecurity Fundamentals
Toño Herrera
 
Lesson 2- Information Asset Valuation
Lesson 2- Information Asset ValuationLesson 2- Information Asset Valuation
Lesson 2- Information Asset Valuation
MLG College of Learning, Inc
 
Lesson 1 - Technical Controls
Lesson 1 - Technical ControlsLesson 1 - Technical Controls
Lesson 1 - Technical Controls
MLG College of Learning, Inc
 
Chapter 3: Information Security Framework
Chapter 3: Information Security FrameworkChapter 3: Information Security Framework
Chapter 3: Information Security Framework
Nada G.Youssef
 
Information Security
Information SecurityInformation Security
Information Security
Dhilsath Fathima
 
Lesson 2
Lesson 2Lesson 2
Lesson 2
MLG College of Learning, Inc
 
Lesson 1 - Introduction
Lesson 1 - Introduction Lesson 1 - Introduction
Lesson 1 - Introduction
MLG College of Learning, Inc
 
Cissp- Security and Risk Management
Cissp- Security and Risk ManagementCissp- Security and Risk Management
Cissp- Security and Risk Management
Hamed Moghaddam
 
Information Assurance And Security - Chapter 1 - Lesson 2
Information Assurance And Security - Chapter 1 - Lesson 2Information Assurance And Security - Chapter 1 - Lesson 2
Information Assurance And Security - Chapter 1 - Lesson 2
MLG College of Learning, Inc
 
1. security management practices
1. security management practices1. security management practices
1. security management practices
7wounders
 
IT Security and Management - Semi Finals by Mark John Lado
IT Security and Management - Semi Finals by Mark John LadoIT Security and Management - Semi Finals by Mark John Lado
IT Security and Management - Semi Finals by Mark John Lado
Mark John Lado, MIT
 
22 need-for-security
22 need-for-security22 need-for-security
22 need-for-security
Al Balqa Applied University
 
Lesson 3
Lesson 3Lesson 3
Lesson 3
MLG College of Learning, Inc
 
Chap5 2007 C I S A Review Course
Chap5 2007 C I S A Review CourseChap5 2007 C I S A Review Course
Chap5 2007 C I S A Review Course
Desmond Devendran
 
Information Security
Information Security Information Security
Information Security
Alok Katiyar
 
Lesson 2
Lesson 2Lesson 2
Lesson 2
MLG College of Learning, Inc
 
Information Security - Back to Basics - Own Your Vulnerabilities
Information Security - Back to Basics - Own Your VulnerabilitiesInformation Security - Back to Basics - Own Your Vulnerabilities
Information Security - Back to Basics - Own Your Vulnerabilities
Jack Nichelson
 
Information security management v2010
Information security management v2010Information security management v2010
Information security management v2010
joevest
 
01Introduction to Information Security.ppt
01Introduction to Information Security.ppt01Introduction to Information Security.ppt
01Introduction to Information Security.ppt
it160320737038
 
chapter 1. Introduction to Information Security
chapter 1. Introduction to Information Security chapter 1. Introduction to Information Security
chapter 1. Introduction to Information Security
elmuhammadmuhammad
 

More Related Content

What's hot

1. security management practices
1. security management practices1. security management practices
1. security management practices
7wounders
 
Chap5 2007 C I S A Review Course
Chap5 2007 C I S A Review CourseChap5 2007 C I S A Review Course
Chap5 2007 C I S A Review Course
Desmond Devendran
 
Information Security - Back to Basics - Own Your Vulnerabilities
Information Security - Back to Basics - Own Your VulnerabilitiesInformation Security - Back to Basics - Own Your Vulnerabilities
Information Security - Back to Basics - Own Your Vulnerabilities
Jack Nichelson
 

What's hot (20)

Introduction to information security
Introduction to information securityIntroduction to information security
Introduction to information security
 
CISSP Certification- Security Engineering-part1
CISSP Certification- Security Engineering-part1CISSP Certification- Security Engineering-part1
CISSP Certification- Security Engineering-part1
 
Introduction to Cybersecurity Fundamentals
Introduction to Cybersecurity FundamentalsIntroduction to Cybersecurity Fundamentals
Introduction to Cybersecurity Fundamentals
 
Lesson 2- Information Asset Valuation
Lesson 2- Information Asset ValuationLesson 2- Information Asset Valuation
Lesson 2- Information Asset Valuation
 
Lesson 1 - Technical Controls
Lesson 1 - Technical ControlsLesson 1 - Technical Controls
Lesson 1 - Technical Controls
 
Chapter 3: Information Security Framework
Chapter 3: Information Security FrameworkChapter 3: Information Security Framework
Chapter 3: Information Security Framework
 
Information Security
Information SecurityInformation Security
Information Security
 
Lesson 2
Lesson 2Lesson 2
Lesson 2
 
Lesson 1 - Introduction
Lesson 1 - Introduction Lesson 1 - Introduction
Lesson 1 - Introduction
 
Cissp- Security and Risk Management
Cissp- Security and Risk ManagementCissp- Security and Risk Management
Cissp- Security and Risk Management
 
Information Assurance And Security - Chapter 1 - Lesson 2
Information Assurance And Security - Chapter 1 - Lesson 2Information Assurance And Security - Chapter 1 - Lesson 2
Information Assurance And Security - Chapter 1 - Lesson 2
 
1. security management practices
1. security management practices1. security management practices
1. security management practices
 
IT Security and Management - Semi Finals by Mark John Lado
IT Security and Management - Semi Finals by Mark John LadoIT Security and Management - Semi Finals by Mark John Lado
IT Security and Management - Semi Finals by Mark John Lado
 
22 need-for-security
22 need-for-security22 need-for-security
22 need-for-security
 
Lesson 3
Lesson 3Lesson 3
Lesson 3
 
Chap5 2007 C I S A Review Course
Chap5 2007 C I S A Review CourseChap5 2007 C I S A Review Course
Chap5 2007 C I S A Review Course
 
Information Security
Information Security Information Security
Information Security
 
Lesson 2
Lesson 2Lesson 2
Lesson 2
 
Information Security - Back to Basics - Own Your Vulnerabilities
Information Security - Back to Basics - Own Your VulnerabilitiesInformation Security - Back to Basics - Own Your Vulnerabilities
Information Security - Back to Basics - Own Your Vulnerabilities
 
Information security management v2010
Information security management v2010Information security management v2010
Information security management v2010
 

Similar to Introduction to information security - by Ivan Nganda

Security Architecture
Security ArchitectureSecurity Architecture
Security Architecture
Priyank Hada
 
MIS: Information Security Management
MIS: Information Security ManagementMIS: Information Security Management
MIS: Information Security Management
Jonathan Coleman
 
Security & Risk Mgmt_WK1.pptx
Security & Risk Mgmt_WK1.pptxSecurity & Risk Mgmt_WK1.pptx
Security & Risk Mgmt_WK1.pptx
dotco
 
is_1_Introduction to Information Security
is_1_Introduction to Information Securityis_1_Introduction to Information Security
is_1_Introduction to Information Security
SARJERAO Sarju
 
Chapter 1 Best Practices, Standards, and a Plan of Action.pptx
Chapter 1 Best Practices, Standards, and a Plan of Action.pptxChapter 1 Best Practices, Standards, and a Plan of Action.pptx
Chapter 1 Best Practices, Standards, and a Plan of Action.pptx
kevlekalakala
 

Similar to Introduction to information security - by Ivan Nganda (20)

01Introduction to Information Security.ppt
01Introduction to Information Security.ppt01Introduction to Information Security.ppt
01Introduction to Information Security.ppt
 
chapter 1. Introduction to Information Security
chapter 1. Introduction to Information Security chapter 1. Introduction to Information Security
chapter 1. Introduction to Information Security
 
Unit 1&2.pdf
Unit 1&2.pdfUnit 1&2.pdf
Unit 1&2.pdf
 
Introduction to Cybersecurity.pdf
Introduction to Cybersecurity.pdfIntroduction to Cybersecurity.pdf
Introduction to Cybersecurity.pdf
 
Lesson 1
Lesson 1Lesson 1
Lesson 1
 
Information security
Information securityInformation security
Information security
 
ISM-CS5750-01.pptx
ISM-CS5750-01.pptxISM-CS5750-01.pptx
ISM-CS5750-01.pptx
 
Security Architecture
Security ArchitectureSecurity Architecture
Security Architecture
 
IT8073 INFORMATION SECURITY FOR FINAL YEAR COMPUTER SCIENCE ENGINEERING
IT8073 INFORMATION SECURITY FOR FINAL YEAR COMPUTER SCIENCE ENGINEERINGIT8073 INFORMATION SECURITY FOR FINAL YEAR COMPUTER SCIENCE ENGINEERING
IT8073 INFORMATION SECURITY FOR FINAL YEAR COMPUTER SCIENCE ENGINEERING
 
4 Operations Security
4 Operations Security4 Operations Security
4 Operations Security
 
Human Factors_MODULE_2.pptx
Human Factors_MODULE_2.pptxHuman Factors_MODULE_2.pptx
Human Factors_MODULE_2.pptx
 
MIS: Information Security Management
MIS: Information Security ManagementMIS: Information Security Management
MIS: Information Security Management
 
Information Assurance And Security - Chapter 2 - Lesson 1
Information Assurance And Security - Chapter 2 - Lesson 1Information Assurance And Security - Chapter 2 - Lesson 1
Information Assurance And Security - Chapter 2 - Lesson 1
 
Security & Risk Mgmt_WK1.pptx
Security & Risk Mgmt_WK1.pptxSecurity & Risk Mgmt_WK1.pptx
Security & Risk Mgmt_WK1.pptx
 
Security & Risk Mgmt_WK1.pptx
Security & Risk Mgmt_WK1.pptxSecurity & Risk Mgmt_WK1.pptx
Security & Risk Mgmt_WK1.pptx
 
is_1_Introduction to Information Security
is_1_Introduction to Information Securityis_1_Introduction to Information Security
is_1_Introduction to Information Security
 
Chapter 1 Best Practices, Standards, and a Plan of Action.pptx
Chapter 1 Best Practices, Standards, and a Plan of Action.pptxChapter 1 Best Practices, Standards, and a Plan of Action.pptx
Chapter 1 Best Practices, Standards, and a Plan of Action.pptx
 
Isys20261 lecture 01
Isys20261 lecture 01Isys20261 lecture 01
Isys20261 lecture 01
 
Introduction to Information Security CSE
Introduction to Information Security CSEIntroduction to Information Security CSE
Introduction to Information Security CSE
 
Intro.ppt
Intro.pptIntro.ppt
Intro.ppt
 

Recently uploaded

AI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAG
AI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAGAI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAG
AI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAG
Alluxio, Inc.
 
JustNaik Solution Deck (stage bus sector)
JustNaik Solution Deck (stage bus sector)JustNaik Solution Deck (stage bus sector)
JustNaik Solution Deck (stage bus sector)
Max Lee
 
StrimziCon 2024 - Transition to Apache Kafka on Kubernetes with Strimzi
StrimziCon 2024 - Transition to Apache Kafka on Kubernetes with StrimziStrimziCon 2024 - Transition to Apache Kafka on Kubernetes with Strimzi
StrimziCon 2024 - Transition to Apache Kafka on Kubernetes with Strimzi
steffenkarlsson2
 
AI/ML Infra Meetup | Improve Speed and GPU Utilization for Model Training & S...
AI/ML Infra Meetup | Improve Speed and GPU Utilization for Model Training & S...AI/ML Infra Meetup | Improve Speed and GPU Utilization for Model Training & S...
AI/ML Infra Meetup | Improve Speed and GPU Utilization for Model Training & S...
Alluxio, Inc.
 
Corporate Management | Session 3 of 3 | Tendenci AMS
Corporate Management | Session 3 of 3 | Tendenci AMSCorporate Management | Session 3 of 3 | Tendenci AMS
Corporate Management | Session 3 of 3 | Tendenci AMS
Tendenci - The Open Source AMS (Association Management Software)
 
SOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar Research Team: Latest Activities of IntelBrokerSOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar
 

Recently uploaded (20)

AI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAG
AI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAGAI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAG
AI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAG
 
Breaking the Code : A Guide to WhatsApp Business API.pdf
Breaking the Code : A Guide to WhatsApp Business API.pdfBreaking the Code : A Guide to WhatsApp Business API.pdf
Breaking the Code : A Guide to WhatsApp Business API.pdf
 
A Guideline to Zendesk to Re:amaze Data Migration
A Guideline to Zendesk to Re:amaze Data MigrationA Guideline to Zendesk to Re:amaze Data Migration
A Guideline to Zendesk to Re:amaze Data Migration
 
Designing for Privacy in Amazon Web Services
Designing for Privacy in Amazon Web ServicesDesigning for Privacy in Amazon Web Services
Designing for Privacy in Amazon Web Services
 
JustNaik Solution Deck (stage bus sector)
JustNaik Solution Deck (stage bus sector)JustNaik Solution Deck (stage bus sector)
JustNaik Solution Deck (stage bus sector)
 
KLARNA - Language Models and Knowledge Graphs: A Systems Approach
KLARNA - Language Models and Knowledge Graphs: A Systems ApproachKLARNA - Language Models and Knowledge Graphs: A Systems Approach
KLARNA - Language Models and Knowledge Graphs: A Systems Approach
 
A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1
A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1
A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1
 
StrimziCon 2024 - Transition to Apache Kafka on Kubernetes with Strimzi
StrimziCon 2024 - Transition to Apache Kafka on Kubernetes with StrimziStrimziCon 2024 - Transition to Apache Kafka on Kubernetes with Strimzi
StrimziCon 2024 - Transition to Apache Kafka on Kubernetes with Strimzi
 
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
 
top nidhi software solution freedownload
top nidhi software solution freedownloadtop nidhi software solution freedownload
top nidhi software solution freedownload
 
INGKA DIGITAL: Linked Metadata by Design
INGKA DIGITAL: Linked Metadata by DesignINGKA DIGITAL: Linked Metadata by Design
INGKA DIGITAL: Linked Metadata by Design
 
AI/ML Infra Meetup | Improve Speed and GPU Utilization for Model Training & S...
AI/ML Infra Meetup | Improve Speed and GPU Utilization for Model Training & S...AI/ML Infra Meetup | Improve Speed and GPU Utilization for Model Training & S...
AI/ML Infra Meetup | Improve Speed and GPU Utilization for Model Training & S...
 
Corporate Management | Session 3 of 3 | Tendenci AMS
Corporate Management | Session 3 of 3 | Tendenci AMSCorporate Management | Session 3 of 3 | Tendenci AMS
Corporate Management | Session 3 of 3 | Tendenci AMS
 
Secure Software Ecosystem Teqnation 2024
Secure Software Ecosystem Teqnation 2024Secure Software Ecosystem Teqnation 2024
Secure Software Ecosystem Teqnation 2024
 
SOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar Research Team: Latest Activities of IntelBrokerSOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar Research Team: Latest Activities of IntelBroker
 
A Comprehensive Appium Guide for Hybrid App Automation Testing.pdf
A Comprehensive Appium Guide for Hybrid App Automation Testing.pdfA Comprehensive Appium Guide for Hybrid App Automation Testing.pdf
A Comprehensive Appium Guide for Hybrid App Automation Testing.pdf
 
Accelerate Enterprise Software Engineering with Platformless
Accelerate Enterprise Software Engineering with PlatformlessAccelerate Enterprise Software Engineering with Platformless
Accelerate Enterprise Software Engineering with Platformless
 
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital TransformationWSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
 
Top Mobile App Development Companies 2024
Top Mobile App Development Companies 2024Top Mobile App Development Companies 2024
Top Mobile App Development Companies 2024
 
Agnieszka Andrzejewska - BIM School Course in Kraków
Agnieszka Andrzejewska - BIM School Course in KrakówAgnieszka Andrzejewska - BIM School Course in Kraków
Agnieszka Andrzejewska - BIM School Course in Kraków
 

Introduction to information security - by Ivan Nganda

  • 2. What is Security? • “The quality or state of being secure—to be free from danger” • A successful organization should have multiple layers of security in place: – Physical security – Personal security – Operations security – Communications security – Network security – Information security
  • 3. What is Information Security? • The protection of information and its critical elements, including systems and hardware that use, store, and transmit that information • Necessary tools: policy, awareness, training, education, technology • C.I.A. triangle was standard based on confidentiality, integrity, and availability • C.I.A. triangle now expanded into list of critical characteristics of information
  • 4.
  • 5. Critical Characteristics of Information • The value of information comes from the characteristics it possesses: – Availability – Accuracy – Authenticity – Confidentiality – Integrity – Utility – Possession
  • 6. Components of an Information System • Information System (IS) is entire set of software, hardware, data, people, procedures, and networks necessary to use information as a resource in the organization
  • 7. Securing Components • Computer can be subject of an attack and/or the object of an attack – When the subject of an attack, computer is used as an active tool to conduct attack – When the object of an attack, computer is the entity being attacked
  • 8. Figure 1-5 – Subject and Object of Attack
  • 9. Balancing Information Security and Access • Impossible to obtain perfect security—it is a process, not an absolute • Security should be considered balance between protection and availability • To achieve balance, level of security must allow reasonable access, yet protect against threats
  • 10. Figure 1-6 – Balancing Security and Access
  • 11. Approaches to Information Security Implementation: Bottom-Up Approach • Grassroots effort: systems administrators attempt to improve security of their systems • Key advantage: technical expertise of individual administrators • Seldom works, as it lacks a number of critical features: – Participant support – Organizational staying power
  • 12. Investigation • What problem is the system being developed to solve? • Objectives, constraints and scope of project are specified • Preliminary cost-benefit analysis is developed • At the end, feasibility analysis is performed to assesses economic, technical, and behavioral feasibilities of the process
  • 13. Analysis • Consists of assessments of the organization, status of current systems, and capability to support proposed systems • Analysts determine what new system is expected to do and how it will interact with existing systems • Ends with documentation of findings and update of feasibility analysis
  • 14. Data Ownership • Data Owner: responsible for the security and use of a particular set of information • Data Custodian: responsible for storage, maintenance, and protection of information • Data Users: end users who work with information to perform their daily jobs supporting the mission of the organization
  • 15. Communities Of Interest • Group of individuals united by similar interest/values in an organization – Information Security Management and Professionals – Information Technology Management and Professionals – Organizational Management and Professionals
  • 16. Summary • Information security is a “well-informed sense of assurance that the information risks and controls are in balance.” • Computer security began immediately after first mainframes were developed • Successful organizations have multiple layers of security in place: physical, personal, operations, communications, network, and information.
  • 17. Summary • Security should be considered a balance between protection and availability • Information security must be managed similar to any major system implemented in an organization using a methodology like SecSDLC

Editor's Notes

  1. What Is Security? In general, security is “the quality or state of being secure--to be free from danger.” It means to be protected from adversaries--from those who would do harm, intentionally or otherwise. What Is Security? A successful organization should have the following multiple layers of security in place for the protection of its operations: Physical security - to protect the physical items, objects, or areas of an organization from unauthorized access and misuse. Personal security – to protect the individual or group of individuals who are authorized to access the organization and its operations. Operations security – to protect the details of a particular operation or series of activities. Communications security – to protect an organization’s communications media, technology, and content. Network security – to protect networking components, connections, and contents.
  2. What Is Information Security? Information security, therefore, is the protection of information and its critical elements, including the systems and hardware that use, store, and transmit that information. But to protect the information and its related systems from danger, tools, such as policy, awareness, training, education, and technology are necessary. The C.I.A. triangle has been considered the industry standard for computer security since the development of the mainframe. It was solely based on three characteristics that described the utility of information: confidentiality, integrity, and availability. The C.I.A. triangle has expanded into a list of critical characteristics of information.
  3. Critical Characteristics Of Information The value of information comes from the characteristics it possesses. Availability - enables users who need to access information to do so without interference or obstruction and in the required format. The information is said to be available to an authorized user when and where needed and in the correct format. Accuracy- free from mistake or error and having the value that the end-user expects. If information contains a value different from the user’s expectations due to the intentional or unintentional modification of its content, it is no longer accurate. Authenticity - the quality or state of being genuine or original, rather than a reproduction or fabrication. Information is authentic when it is the information that was originally created, placed, stored, or transferred. Confidentiality - the quality or state of preventing disclosure or exposure to unauthorized individuals or systems. Integrity - the quality or state of being whole, complete, and uncorrupted. The integrity of information is threatened when the information is exposed to corruption, damage, destruction, or other disruption of its authentic state. Utility - the quality or state of having value for some purpose or end. Information has value when it serves a particular purpose. This means that if information is available, but not in a format meaningful to the end-user, it is not useful. Possession - the quality or state of having ownership or control of some object or item. Information is said to be in possession if one obtains it, independent of format or other characteristic. While a breach of confidentiality always results in a breach of possession, a breach of possession does not always result in a breach of confidentiality.
  4. Components Of An Information System To fully understand the importance of information security, it is necessary to briefly review the elements of an information system. An Information System (IS) is much more than computer hardware; it is the entire set of software, hardware, data, people, and procedures necessary to use information as a resource in the organization.
  5. Securing The Components When considering the security of information systems components, it is important to understand the concept of the computer as the subject of an attack as opposed to the computer as the object of an attack. When a computer is the subject of an attack, it is used as an active tool to conduct the attack. When a computer is the object of an attack, it is the entity being attacked.
  6. It is important to note that the same computer can be both the subject and object of an attack, especially in multi-user systems.
  7. Security And Access Balancing When considering information security, it is important to realize that it is impossible to obtain perfect security. Security is not an absolute; it is a process not a goal. Security should be considered a balance between protection and availability. To achieve balance the level of security must allow reasonable access, yet protect against threats.
  8. This graphic intends to show that tradeoffs between security and access.
  9. Bottom Up Approach To Security Implementation Security can begin as a grass-roots effort when systems administrators attempt to improve the security of their systems. This is referred to as the bottom-up approach. The key advantage of the bottom-up approach is the technical expertise of the individual administrators. Unfortunately, this approach seldom works, as it lacks a number of critical features, such as participant support and organizational staying power.
  10. Investigation The first phase, investigation, is the most important. What is the problem the system is being developed to solve? This phase begins with an examination of the event or plan that initiates the process. The objectives, constraints and scope of the project are specified. A preliminary cost/benefit analysis is developed to evaluate the perceived benefits and the appropriate levels of cost an organization is willing to expend to obtain those benefits. A feasibility analysis is performed to assesses the economic, technical, and behavioral feasibilities of the process and to ensure that implementation is worth the organization’s time and effort.
  11. Analysis The analysis phase begins with the information learned during the investigation phase. This phase consists primarily of assessments of the organization, the status of current systems, and the capability to support the proposed systems. Analysts begin to determine what the new system is expected to do, and how it will interact with existing systems. This phase ends with the documentation of the findings and a feasibility analysis update.
  12. Data Ownership Now that you understand the responsibilities of both senior management and the security project team, we can define the roles of those who own and safeguard the data. Data Owner - responsible for the security and use of a particular set of information. Data owners usually determine the level of data classification associated with the data, as well as changes to that classification required by organization change. Data Custodian - responsible for the storage, maintenance, and protection of the information. The duties of a data custodian often include overseeing data storage and backups, implementing the specific procedures and policies laid out in the security policies and plans, and reporting to the data owner. Data Users - the end systems users who work with the information to perform their daily jobs supporting the mission of the organization. Everyone in the organization is responsible for the security of data, so data users are included here as individuals with an information security role.
  13. Communities Of Interest Each organization develops and maintains its own unique culture and values. Within that corporate culture, there are communities of interest. These include: Information Security Management and Professionals Information Technology Management and Professionals Organizational Management and Professionals