The document discusses various topics related to IT security and risk mitigation. It begins with an overview of basic IT security principles such as confidentiality, integrity, availability, authenticity, non-repudiation and accountability. It also discusses banking security standards and the importance of having policies, procedures, and standards to ensure security. Finally, it covers the different types of risk mitigation controls including administrative, logical, and physical controls that can be implemented to minimize security risks.
This document discusses security frameworks and tools for information systems. It begins by explaining why systems are vulnerable, such as accessibility of networks and software/hardware problems. It then describes organizational frameworks for security, including risk assessment, security policies, identity management, disaster recovery planning, and information systems audits. Finally, it discusses tools for safeguarding resources, such as identity management software. The document provides an overview of securing information systems from multiple perspectives.
This document provides an overview of network security concepts. It discusses the importance of protecting information assets as the most valuable company assets. It then covers key network security topics like the CIA triad of confidentiality, integrity and availability. It defines threats at both the network and application levels, and discusses how to overcome threats through policies, user awareness training, and security technologies like firewalls, IDS/IPS, antivirus software, VPNs, spam filters and web content filtering. The document aims to educate about network threats and appropriate security controls and protections.
• Understand and apply concepts of confidentiality, integrity and availability
• Apply security governance principles
• Understand legal and regulatory issues that pertain to information security in a global context
• Develop and implement documented security policy, standards, procedures, and guidelines
• Understand business continuity requirements
• Contribute to personnel security policies
• Understand and apply risk management concepts
• Understand and apply threat modeling
• Integrate security risk considerations into acquisition strategy and practice
• Establish and manage information security education, training, and awareness
This document discusses information technology risks in banking, specifically related to internet banking. It outlines two models of internet banking - established banks providing online services and internet-only banks. While regulatory expectations are the same, internet-only banks face unique risks like high marketing costs and low margins. The document also discusses various types of IT risks including financial, operational, and compliance risks. It provides examples of risks from hacking, viruses, and unauthorized access and their potential impacts. Finally, it outlines different supervisory approaches to assessing IT risks.
This document provides an introduction to cyber security. It defines cyber security as protecting cyberspace from attacks, and defines a cyber attack. It explains that cyberspace is where online communication occurs, via the internet. Cyber security is important because it affects everyone who uses computers and networks. Cyber security training is needed to establish human controls. Cyber attacks can target businesses, governments, institutions and individuals. Attackers include hackers, criminals, spies and nation-states who use methods like malware, social engineering, and network attacks. Defenders of cyber security include ICT teams, security vendors, manufacturers, and governments. Information systems and quality data are important assets to protect. Emerging cyber threats include cloud services, ransomware, spear ph
Developing an Information Security Program (Shauna_Cox)
The document discusses the components and development of an effective information security program. It outlines that an information security program is needed due to factors like regulatory requirements, sophisticated attacks, and the strategic importance of security. The key components of an effective program include executive commitment, policies and procedures, monitoring processes and metrics, governance structure, and security awareness training. The document also describes standard methodologies and outlines the typical development process of plan, implement, operate and maintain, and monitor and evaluate.
This document provides an overview of access control, including identification, authentication, and authorization. It discusses different types of access controls like administrative, technical, and physical controls. It also covers specific access control methods like passwords, biometrics, smart cards, and tokens. Identification establishes a subject's identity, while authentication proves the identity. Authorization then controls the subject's access to resources based on their proven identity. The document categorizes access controls as preventive, detective, corrective, recovery, compensating, and directive. It provides examples of different administrative, technical, and physical controls that fall into each category.
For Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdf (JustinBrown267905)
The document provides an overview of cybersecurity frameworks, fundamentals, and foundations. It discusses common cybersecurity terms like frameworks, controls, and standards. It also examines drivers for cybersecurity like laws, compliance, audits and data privacy. Key areas covered include asset inventory, risk assessment, threat modeling, security controls, frameworks like NIST CSF, and the importance of people/human factors. The document aims to help organizations strengthen their cybersecurity posture and navigate the complex landscape of improving security.
The state of being protected against the unauthorized use of information, especially electronic data, or the measures taken to achieve this.
"the growing use of mobile applications is posing a risk to information security"
Cybersecurity: Cyber Risk Management for Banks & Financial Institutions (Shawn Tuma)
Everyone should now understand that no bank or financial institution is immune from cyber risk. Many are now ready to move forward with improving their cyber risk posture but do not know what to do next or how to prioritize their resources. Recognizing that cybersecurity is an overall business risk issue that must be properly managed to comply with many laws and regulations governing banks and financial institutions, this presentation will provide a strategy for how to better understand and manage such risks by:
(1) Providing an overview of the legal and regulatory framework;
(2) Examining the most likely real-world risks; and
(3) Providing strategies for how to manage such risks, including cyber insurance and the development and implementation of an appropriate cyber risk management program (which is not as difficult as it sounds).
Shawn E. Tuma, cybersecurity and data privacy attorney at Spencer Fane, LLP, delivered the presentation titled Cybersecurity: Cyber Risk Management for Banks & Financial Institutions (and Attorneys Who Represent Them) at the Southwest Association of Bank Counsel 42nd Annual Convention on September 20, 2018 (formerly, Texas Association of Bank Counsel).
Network security (vulnerabilities, threats, and attacks) (Fabiha Shahzad)
Network security involves protecting network usability and integrity through hardware and software technologies. It addresses vulnerabilities that threats may exploit to launch attacks. Common vulnerabilities include issues with technologies, configurations, and security policies. Threats aim to take advantage of vulnerabilities and can be structured, unstructured, internal, or external. Common attacks include reconnaissance to gather information, unauthorized access attempts, denial-of-service to disrupt availability, and use of malicious code like worms, viruses, and Trojan horses.
Most organizations have good enterprise-level security policies that define their approach to maintaining, improving, and securing their information and information systems. However, once the policies are signed by senior leadership and distributed throughout the organization, significant cybersecurity governance challenges remain. In this workshop I will explain how to transform organizational security to strengthen defenses and integrate cybersecurity with the overall approach toward security governance, risk management and compliance.
Being aware of the trends that are expected to shape the digital landscape is an important step in ensuring the security of your data and online assets.
Amongst others, the webinar covers:
• Top Cyber Trends for 2023
• Cyber Insurance
• Prioritization of Cyber Risk
Presenters:
Colleen Lennox
Colleen Lennox is the Founder of Cyber Job Central, a newly formed job board dedicated to Cybersecurity job openings. Colleen has 25+ years in Technical Recruiting and loves to help others find their next great job!
Madhu Maganti
Madhu is a goal-oriented cybersecurity/IT advisory leader with more than 20 years of comprehensive experience leading high-performance teams with a proven track record of continuous improvement toward objectives. He is highly knowledgeable in both technical and business principles and processes.
Madhu specializes in cybersecurity risk assessments, enterprise risk management, regulatory compliance, Sarbanes-Oxley (SOX) compliance and system and organization controls (SOC) reporting.
Date: January 25, 2023
Tags: ISO, ISO/IEC 27032, Cybersecurity Management
-------------------------------------------------------------------------------
Find out more about ISO training and certification services
Training: https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27032
https://pecb.com/article/cybersecurity-risk-assessment
https://pecb.com/article/a-deeper-understanding-of-cybersecurity
Webinars: https://pecb.com/webinars
Article: https://pecb.com/article
Whitepaper: https://pecb.com/whitepaper
-------------------------------------------------------------------------------
For more information about PECB:
Website: https://pecb.com/
LinkedIn: https://www.linkedin.com/company/pecb/
Facebook: https://www.facebook.com/PECBInternational/
Slideshare: http://www.slideshare.net/PECBCERTIFICATION
YouTube video: https://youtu.be/BAAl_PI9uRc
( Edureka Cybersecurity Course: https://www.edureka.co/cybersecurity-certification-training)
This Edureka video gives an introduction to Network Security and its nuances. Topics covered in this video are:
1. Need for Network Security
2. What is Network Security
3. Security in the Network, Transport and Application Layer
4. Network Security for Business
Access control is the process of granting or denying access to resources or services on a computer system or network. There are four main access control models: mandatory access control, discretionary access control, role-based access control, and rule-based access control. Access control can be implemented through logical methods like access control lists, group policies, account restrictions, and passwords or through physical methods such as locks, mantraps, video surveillance, and access logs. Strong access control policies and practices help ensure only authorized access and prevent security breaches.
This document discusses access control systems and methodologies. It covers security clearances used by the federal government, multifactor authentication/biometrics, and passwords. Specific access control methods like fingerprints, voiceprints, retina scanning, iris scanning, and face recognition are explained. The document also discusses password cracking techniques and applications used to crack passwords like John the Ripper, Rainbow Crack, and Cain & Abel.
Port of Visakhapatnam is known as the "Eastern Gateway of India". The document discusses cyber security awareness and defines key terms like computer, cyber security, data, electronic form, electronic record, digital signature, and intermediary. It explains why cyber security is important, defines privacy and security in the context of information, and outlines common cyber attacks like denial of service attacks, DNS attacks, router attacks, sniffers, firewalls, and vulnerability scanners. The document also discusses network-based attacks, web attacks like phishing and pharming, email attacks, social network attacks, and types of malware like spam, cookies, adware, and spyware.
The document discusses various cybersecurity attack vectors and how organizations can protect themselves. It outlines common attack methods like ransomware, malicious code delivery, social engineering, and phishing. It then recommends that organizations conduct regular security audits, establish governance policies, create an incident response plan, and provide cybersecurity education to employees. The document promotes cybersecurity services from Future Point of View including vulnerability testing, forensics, and training to help organizations enhance their protections.
The document provides an introduction and agenda for a 3-day security operations center fundamentals course. Day 1 will cover famous attacks and how to confront them, as well as an introduction to security operations centers. Day 2 will discuss the key features, modules, processes, and people involved in SOCs. Day 3 will focus on the technology used in SOCs, including network monitoring, investigation, and correlation tools. The instructor is introduced and the document provides an overview of common attacks such as eavesdropping, data modification, spoofing, password attacks, denial of service, man-in-the-middle, and application layer attacks.
Threat modeling is an approach for analyzing the security of an application. It is a structured approach that enables you to identify, quantify, and address the security risks associated with an application.
This document provides an overview of security fundamentals including the CIA triad of confidentiality, integrity and availability. It discusses common security threats and countermeasures for each component. Additional concepts covered include identification, authentication, authorization, auditing, accountability, non-repudiation, data classification, roles in security management, due care/diligence, security policies, standards/guidelines, threat modeling and prioritization. The document is intended as a high-level introduction to fundamental security concepts.
The United Nations uses a risk management process that involves assessing the criticality of programs to balance security risks. It uses a risk matrix to determine risk levels and requires a program criticality assessment for activities with high or very high residual risks. The assessment evaluates the contribution of activities to strategic results and their likelihood of implementation against criteria to designate them as Priority 1 activities that are lifesaving or directed by the Secretary-General. Risk level and program criticality are determined separately without consideration of each other.
The document provides an overview of information security concepts and threats. It discusses how security is difficult to implement due to costs, user resistance, and sophisticated criminals. The document then outlines various hacking techniques like information gathering, social engineering, sniffing, and denial of service attacks. It concludes by describing defensive security measures for organizations, including firewalls, intrusion detection, honeypots, antivirus software, user awareness training, and penetration testing.
This presentation introduces cybersecurity fundamentals including tools, roles, operating system security, compliance frameworks, network security, and databases. It defines cyber security, discusses security and privacy categories of cyber crimes. It also provides types of cyber attacks and crimes by percentage, advantages of cyber security, and safety tips to prevent cyber crimes. References are included from Wikipedia, antivirus testing organizations, and cybersecurity blogs and forums.
This document discusses information security, which involves defending information from unauthorized access, use, disclosure, disruption or destruction. It outlines two major aspects of information security - IT security, which involves securing technology and information systems, and information assurance, which ensures data is not lost due to issues like natural disasters. The document also discusses common threats to information systems like unauthorized access, malware and social engineering. It provides security controls to protect systems, including physical controls to restrict access, technical controls using software and hardware, and administrative controls like security policies.
The document discusses the Common Vulnerability Scoring System (CVSS). It provides a history of CVSS and describes the development of CVSS version 2. It outlines the base, temporal, and environmental metrics used in CVSS scoring. It notes some caveats in CVSS scoring, including subjective interpretations by vendors and a lack of representation from some groups. It also discusses politics around CVSS scoring and challenges in initial adoption.
This document discusses the importance of physical security to protect against attackers. It notes that while many companies focus on network security, physical theft or access can also compromise data. There are two types of attackers - those outside and inside an organization. Guidelines are provided to restrict physical access for outsiders through barriers, checkpoints, and patrols. For insiders, access controls like badge programs, guest monitoring, and equipment locking are recommended. Server rooms should have heightened security like cameras and limited authorized personnel to protect highly sensitive systems and data.
E-Commerce Privacy and Security System (IJERA Editor)
The Internet is a public network consisting of thousands of private computer networks connected together. A private computer network system is exposed to potential threats from anywhere on the public network. In the physical world, crimes often leave evidence: fingerprints, footprints, witnesses, video from security cameras and so on. Online, a cyber-crime also leaves physical and electronic evidence, but unless good security measures are taken, it may be difficult to trace the source of the cyber crime. In certain e-commerce-related areas, such as networking, data transfer and data storage, researchers applied scanning and testing methods and modeling analysis to detect potential risks. In the security system, questions are related to online security, for which the given options are Satisfied, Unsatisfied, Neutral, Yes, No, and Weak password, Strong password. It is revealed that it is quite difficult, if not impossible, to suggest which online security is best. Online security provides flexibility, efficiency of work, and better security of net banking. The main feature of the research is that the data is safe in banking management for a long time and any account can be opened after a long time. The future scope of the study of security is to reduce threats. Security used in the long run results in a reduction of the number of branches, saving rentals of related properties. If better security operates, then net banking and e-marketing will increase.
Threat modeling is an approach for analyzing the security of an application. It is a structured approach that enables you to identify, quantify, and address the security risks associated with an application.
This document provides an overview of security fundamentals including the CIA triad of confidentiality, integrity and availability. It discusses common security threats and countermeasures for each component. Additional concepts covered include identification, authentication, authorization, auditing, accountability, non-repudiation, data classification, roles in security management, due care/diligence, security policies, standards/guidelines, threat modeling and prioritization. The document is intended as a high-level introduction to fundamental security concepts.
The United Nations uses a risk management process that involves assessing the criticality of programs to balance security risks. It uses a risk matrix to determine risk levels and requires a program criticality assessment for activities with high or very high residual risks. The assessment evaluates the contribution of activities to strategic results and their likelihood of implementation against criteria to designate them as Priority 1 activities that are lifesaving or directed by the Secretary-General. Risk level and program criticality are determined separately without consideration of each other.
The document provides an overview of information security concepts and threats. It discusses how security is difficult to implement due to costs, user resistance, and sophisticated criminals. The document then outlines various hacking techniques like information gathering, social engineering, sniffing, and denial of service attacks. It concludes by describing defensive security measures for organizations, including firewalls, intrusion detection, honeypots, antivirus software, user awareness training, and penetration testing.
This presentation introduces cybersecurity fundamentals including tools, roles, operating system security, compliance frameworks, network security, and databases. It defines cyber security, discusses security and privacy categories of cyber crimes. It also provides types of cyber attacks and crimes by percentage, advantages of cyber security, and safety tips to prevent cyber crimes. References are included from Wikipedia, antivirus testing organizations, and cybersecurity blogs and forums.
This document discusses information security, which involves defending information from unauthorized access, use, disclosure, disruption or destruction. It outlines two major aspects of information security - IT security, which involves securing technology and information systems, and information assurance, which ensures data is not lost due to issues like natural disasters. The document also discusses common threats to information systems like unauthorized access, malware and social engineering. It provides security controls to protect systems, including physical controls to restrict access, technical controls using software and hardware, and administrative controls like security policies.
The document discusses the Common Vulnerability Scoring System (CVSS). It provides a history of CVSS and describes the development of CVSS version 2. It outlines the base, temporal, and environmental metrics used in CVSS scoring. It notes some caveats in CVSS scoring, including subjective interpretations by vendors and a lack of representation from some groups. It also discusses politics around CVSS scoring and challenges in initial adoption.
This document discusses the importance of physical security to protect against attackers. It notes that while many companies focus on network security, physical theft or access can also compromise data. There are two types of attackers - those outside and inside an organization. Guidelines are provided to restrict physical access for outsiders through barriers, checkpoints, and patrols. For insiders, access controls like badge programs, guest monitoring, and equipment locking are recommended. Server rooms should have heightened security like cameras and limited authorized personnel to protect highly sensitive systems and data.
E-Commerce Privacy and Security System (IJERA Editor)
The Internet is a public network consisting of thousands of private computer networks connected together. A private computer network is exposed to potential threats from anywhere on the public network. In the physical world, crimes often leave evidence: fingerprints, footprints, witnesses, video from security cameras and so on. Online, a cyber crime also leaves physical and electronic evidence, but unless good security measures are taken, it may be difficult to trace the source of the crime. In certain e-commerce-related areas, such as networking, data transfer and data storage, researchers have applied scanning and testing methods and modelling analysis to detect potential risks. In the security system survey, the questions relate to online security, with the answer options Satisfied, Unsatisfied, Neutral, Yes, No, and weak password or strong password. It is revealed that it is quite difficult, if not impossible, to say which online security measure is best. Online security provides flexibility and efficiency of work, and better security for net banking. The main finding of the research is that data is kept safe in banking management for a long time, and an account can be opened again after a long time. The future scope of the study is the use of security to reduce threats. In the long run, security results in a reduction in the number of branches, saving rentals of related properties. If better security is operated, net banking and e-marketing will increase.
Tim Warren is the Lead Engineer and Vice President of Information Security at Neuberger Berman, a financial services company. His role involves managing the company's information security program, which aims to maintain the confidentiality, integrity and availability of information systems and data. Common information security roles include Chief Information Security Officer, Security Engineer, and Information Security Analyst. The field is growing due to increased demand to protect against cyber threats like ransomware, phishing, and identity theft.
This document discusses various aspects of information security. It begins by explaining how recent events show that commercial, personal, and sensitive information is difficult to keep secure. An estimated 80% of data breaches are caused by staff rather than technical issues. Effective information security requires a management approach rather than just technical solutions. The document then outlines key principles of information security including confidentiality, integrity, authentication, non-repudiation, access control, and availability. It provides examples to illustrate these principles and how losses can occur when they are compromised or violated. Finally, it discusses the importance of security policies and techniques such as cryptography and authentication to help control threats and restrict unauthorized access.
The document discusses information security and analyzes its importance. It describes key aspects of information security like confidentiality, integrity and availability. It also outlines some common threats to information security such as computer viruses, theft, sabotage and vandalism. The document then analyzes some challenges to effective information security, including employees being fooled by scams, issues with authentication, and the growing threat of phishing. It emphasizes the importance of addressing security concerns to build trust with customers and gain a competitive advantage.
This document provides an overview of key information technology security topics for executives, including cloud computing, cyber insurance, passwords, mobile security, and network security. It discusses the business reasons for protecting an organization's data, assesses data sensitivity levels, outlines considerations for using cloud services and drafting cloud contracts, reviews types of cyber insurance coverage, and recommends password, mobile device, and network security best practices. The goal is to help executives understand current IT security challenges and strategies.
Top Cyber Security Interview Questions and Answers 2022 (Careerera)
Cyber security positions have considerably taken the top list in the job market. Candidates vying for elite positions in the field of cyber security certainly need a clear-cut and detailed guide to channeling their preparation for smooth career growth, beginning with getting a job. We have curated the top cyber security interview questions that will help candidates focus on the key areas. We have classified the regularly asked cyber security interview questions here, in this article into different levels starting from basic general questions to advanced technical ones.
Before we move on to the top cyber security interview questions, it is critical to reflect on the vital importance of cyber security in our modern times and on how cyber security professionals are catering to the need for a safe cyber ecosystem.
The times we live in are defined by the digital transition, in which the internet, electronic devices, and computers have become an integral part of our daily lives. Institutions that serve our daily needs, such as banks and hospitals, now rely on internet-connected equipment to give the best possible service. A portion of their data, such as financial and personal information, has become vulnerable to illegal access, posing serious risks. Intruders use this information to carry out immoral and criminal goals.
Cyber-attacks have jeopardized computer systems and their arrangements, which has now become a global concern. To safeguard data from security breaches, a comprehensive cyber security policy is needed now more than ever. The rising frequency of cyber-attacks has compelled corporations and organizations working with national security and sensitive data to implement stringent security procedures and restrictions.
Computers, mobile devices, servers, data, electronic systems, networks, and other systems connected to the internet must be protected from harmful attacks. Cybersecurity, a combination of the words "cyber" and "security," provides this protection. "Cyber" covers the wide range of technology involved: systems, networks, programs, and data. "Security" refers to the process of protecting data, networks, applications, and systems. In a nutshell, cyber security is a combination of principles and approaches that help prevent unwanted access to data, networks, programs, and devices by meeting the security needs of computer-based technological resources and online databases.
The document provides guidelines for IT security. It discusses how IT security is becoming increasingly important as organizations' business and work processes rely more on IT solutions. The guidelines provide a compact overview of the most important organizational, infrastructural, and technical IT security safeguards. They are aimed at helping small and medium-sized companies and public agencies establish a reliable level of IT security without needing a large IT budget. The guidelines illustrate security risks and necessary safeguards through practical examples and checklists.
Data is an important asset for an enterprise. Data must be protected against loss and destruction. In the IT field, huge amounts of data are being exchanged among multiple people at every moment. During sharing of the data, there is a high chance of data vulnerability, leakage or alteration. So, to prevent these problems, a survey on data leakage detection systems has been done. This paper talks about the concept, causes and techniques to detect data leakage. Businesses process facts and figures to turn raw data into useful information. This information is used by businesses to generate and improve revenue at every milestone. Thus, along with data availability and accessibility, data security is also very important.
This document discusses the key concepts of cyber security. It begins by defining cyber security as the practice of defending computers, servers, mobile devices, electronic systems, networks, and data from malicious attacks. The document then explains the three key concepts that form the foundation of cyber security, known as the CIA Triad: confidentiality, integrity, and availability. It provides examples of how each concept is implemented. The document also distinguishes between cyber security and information security, and lists some common categories of cyber security like network security, application security, and information security. It concludes by discussing types of cyber threats, common cyber attacks, and elements of an effective cyber security checklist.
Presentation given by Dr K Subramanian, Director and Professor, Advance Centre for Informatic and Innovative Learning IGNOU on August 3rd, 2011 at eWorld Forum (www.eworldforum.net) in the session Information Management and Security
The 7 Colors provide a comprehensive approach to information security by covering various dimensions and considerations. Each color represents a specific aspect that organizations need to address to ensure robust protection of their information assets.
- The document discusses secure storage of authentication data, examining common industry standards and technologies for authentication such as biometrics, multifactor authentication, and smart cards.
- While these technologies improve authentication security, securely storing authentication data in databases remains a challenge, as data breaches can expose credentials. Best practices for secure storage like salting, hashing, and multiple iterations are often overlooked by organizations.
- A solution that improves secure storage of existing authentication data using standard technology could benefit organizations, protecting user accounts and systems at minimal cost and disruption.
This document provides an introduction to cyber security. It discusses key concepts like confidentiality, integrity, and availability that are the goals of cyber security. Methods to achieve these goals are described, including encryption, access control, authentication, and physical protections. Cyber security skills and technologies like backups, check-sums, and computational redundancies that ensure integrity are also outlined. Finally, the document discusses various career opportunities in cyber security and lists common roles and job titles.
The CIA triangle outlines the three primary goals of information security: confidentiality, integrity, and availability. Confidentiality ensures that information is only available to authorized users, integrity ensures the accuracy and trustworthiness of information, and availability ensures that information is accessible when needed. These three principles form the basis of information security practices and help define how organizations should protect information assets from various threats.
A basic overview of cyber crime in the health industry and 10 cyber security technology control recommendations from an IT security system integrator's point of view.
Cyber Security Matters, a book by Hama David Bundo (hdbundo)
This document provides an introduction to cyber security. It defines cyber security and lists some common cyber security threats such as social engineering, malware, phishing, SQL injection, man-in-the-middle attacks, and denial-of-service attacks. It then discusses key cyber security terminology and concepts including access authorization, anti-virus software, authentication techniques, backups, encryption, firewalls, hackers, honeypots, intrusion detection systems, and port scanning. The document aims to educate readers on cyber security risks and mitigation strategies.
E-commerce has presented a new way of doing business all over the world using the internet. Organizations have changed their way of doing business from a traditional approach to embrace e-commerce processes. As individuals and businesses increase information sharing, concern about exchanging money securely and conveniently over the internet increases. Therefore, security is a necessity in an e-commerce transaction. The purpose of this paper is to present a token-based Secure E-commerce Protocol: a paradigm that is capable of satisfying security objectives by using a token-based security mechanism.
This document summarizes security challenges and recommendations for securing e-commerce systems for small businesses. It discusses common attacks such as port scanning, social engineering, malware and denial of service attacks. It recommends implementing standards like ISO 17799 for asset classification, access control and policies. Overall the document provides an overview of security threats faced by small businesses and low-cost methods to protect their networks and sensitive information.
The document discusses various security threats in e-commerce. It begins by defining a threat as any person, object, or entity that poses a constant danger to an asset. It then categorizes different types of threats, including acts of human error and espionage/trespassing, and sets out the network security goals of confidentiality, integrity, authentication, and availability. The document also discusses encryption techniques, including symmetric encryption, asymmetric encryption, and digital signatures. It gives DES and AES as examples of symmetric algorithms and RSA as an example of asymmetric encryption. Finally, it summarizes various cryptography-based protocols and applications used for e-commerce security.
NORMALIZATION - BIS 1204: Data and Information Management I (Mukalele Rogers)
The document provides information about normalization during database design. It discusses:
1) Normalization is a technique used to design relational databases that minimizes data redundancy and ensures relations contain only necessary attributes with logical relationships.
2) Normalization can be used as both a bottom-up and validation technique during database design. The goal is to create well-designed relations that meet user requirements.
3) Functional dependencies describe relationships between attributes and are important for normalization. Normalization decomposes relations into smaller, less redundant relations through a multi-step process of normal forms.
Assignment 4, 5, 6: technological matrixing and types of computers (Mukalele Rogers)
This document contains answers to the following assignments:
4.0 ASSIGNMENT FOUR
4 a) Define Technological Matrixing.
4 b) Identify the various technologies that ABZ has adopted in order to become a Technology-Form organization. How have these technologies impacted organizational productivity?
ABZ has adopted the following technologies:
The above technologies have impacted organizational productivity as follows:
5.0 ASSIGNMENT FIVE
Read about other types of computers, e.g. Special Purpose, General Purpose, Dedicated Computers, Business, Scientific and Studio Computers, etc.
5.1 Special Purpose
5.2 General Purpose
5.3 Dedicated Computers
5.4 Business Computers
5.5 Scientific Computers
5.6 Studio Computers
6.0 ASSIGNMENT SIX
6.1 What is the difference between a Laptop and a PDA?
6.2 What are Supercomputers and where are they used?
6.3 A Workstation is an exaggerated Microcomputer; discuss.
6.4 What factors should a user consider while choosing a type of computer for a given institution?
Assignments on adopting information technology in traditional organisations (Mukalele Rogers)
This document discusses how incorporating information technology into a business can improve customer service in 14 ways: 1) Improved communication 2) Better inventory management 3) Easier data management 4) Enhanced customer relationship management 5) Increased speed 6) Greater efficiency 7) Ability to multi-task 8) Cost efficiencies 9) Expanded networking 10) Faster product development 11) Improved marketing 12) Increased equality between large and small businesses 13) Better stakeholder integration 14) Facilitated globalization. Information technology allows businesses to communicate, manage information and customers, and conduct operations more quickly, efficiently and cost effectively, leading to enhanced customer service.
Internet search engines work by using automated software programs called spiders or crawlers to discover and index web pages across the internet. The search engines analyze the content of these pages and extract important words to store in an index database. When a user enters a search query, the engine examines its database and returns a list of relevant web pages that match the search terms, sometimes including a short summary. Search engines employ various techniques to improve results, such as caching pages, allowing date-based searches, and using Boolean operators. They also rank results to provide more relevant pages first based on factors like popularity. Many search engines are supported by advertising revenue.
Technology based distribution channels / networks in financial industry (Mukalele Rogers)
Makerere University Jinja Campus Lecture Presentation for BIT 1208: Information Technology for Financial Services, on topic 3: Technology Based distribution channels / Networks in Financial Industry
Patterns of organization of speech, and how to lead discussions and seminars (Mukalele Rogers)
The document discusses different patterns of organization for speeches, including chronological, spatial, causal, problem-solution, and topical patterns. Examples are provided for each pattern type. It also discusses how to lead discussions, seminars, and tutorials, and how to effectively participate in discussions by acknowledging others, agreeing, observing, presenting alternative views, and using openers.
Input computer hardware notes for UCE and UACE ICT (Mukalele Rogers)
This is a presentation containing comprehensive notes on Computer Hardware Unit 1: Input Computer Hardware. For more presentations of this type, please go to http://rmukalele.hpage.com
The document discusses abstinence and decision making for adolescents. It defines abstinence as voluntarily refraining from sexual activity and lists five steps to stay abstinent, including establishing priorities, setting limits on affection, engaging in other activities, discussing feelings with trusted adults, and avoiding pressure situations. The document also discusses refusal skills, consequences of sexual activity like STDs and pregnancy, and concludes by emphasizing the importance of abstinence for adolescents.
PIASCY GROUP DISCUSSION ABOUT ABSTINENCE... (Mukalele Rogers)
The document discusses abstinence and decision making for adolescents. It defines abstinence as voluntarily refraining from sexual activity and lists five steps to stay abstinent, including establishing priorities, setting limits on affection, engaging in other activities, discussing feelings with trusted adults, and avoiding pressure situations. The document also discusses refusal skills, consequences of sexual activity like STDs and pregnancy, and concludes by emphasizing the importance of responsible decision making for adolescents.
Web designing and publishing computer studies theory lesson (Mukalele Rogers)
A school should have a website for several important reasons:
1. It allows quick publication of information for students, parents, and the community like announcements and results.
2. It provides an avenue for feedback and engagement through features like comments.
3. Involving students in website development enhances skills like writing and design.
4. A website presents the school in a positive light and removes doubts by providing clear information on the school.
Factors which affect the speed of internet computer studies lesson (Mukalele Rogers)
There are several factors that can affect the speed of an Internet connection, including computer processor speed, distance data must travel, network traffic levels, malware/viruses, modem speed, natural conditions, positioning of modems and routers, hardware and software problems, available memory, computer settings, technical issues, and cookies. Addressing these common factors can help optimize connection speed.
Overview of internet computer studies lesson (Mukalele Rogers)
Overview of internet
What is internet?
Uses of internet
Advantages and disadvantages of internet
The difference between internet, intranet and extranet
Characteristics, advantages and disadvantages of intranets
Characteristics, advantages and disadvantages of extranets
The document analyzes Psalm 23 line by line, assigning each line a theme. It explains that the Psalm depicts God as a shepherd who provides his followers with relationship, supply, rest, refreshment, healing, guidance, purpose, protection, faithfulness, discipline, hope, consecration, abundance, blessing, security and eternity. It concludes by stating the most valuable thing is not what we have but who we have in our lives.
This slide is special for master students (MIBS & MIFB) in UUM. Also useful for readers who are interested in the topic of contemporary Islamic banking.
How to Add Chatter in the Odoo 17 ERP Module (Celine George)
In Odoo, the chatter is like a chat tool that helps you work together on records. You can leave notes and track things, making it easier to talk with your team and partners. Inside chatter, all communication history, activity, and changes will be displayed.
A review of the growth of the Israel Genealogy Research Association Database Collection for the last 12 months. Our collection is now passed the 3 million mark and still growing. See which archives have contributed the most. See the different types of records we have, and which years have had records added. You can also see what we have for the future.
This presentation includes basic of PCOS their pathology and treatment and also Ayurveda correlation of PCOS and Ayurvedic line of treatment mentioned in classics.
The simplified electron and muon model, Oscillating Spacetime: The Foundation... (RitikBhardwaj56)
Discover the Simplified Electron and Muon Model: A New Wave-Based Approach to Understanding Particles delves into a groundbreaking theory that presents electrons and muons as rotating soliton waves within oscillating spacetime. Geared towards students, researchers, and science buffs, this book breaks down complex ideas into simple explanations. It covers topics such as electron waves, temporal dynamics, and the implications of this model on particle physics. With clear illustrations and easy-to-follow explanations, readers will gain a new outlook on the universe's fundamental nature.
Bangladesh Economic Review 2024 [Bangladesh Economic Review 2024 Bangla.pdf]: the complete Bangla e-book or pdf book, with computer, tablet and smartphone versions, including a table of contents, bookmark menu 🔖 and hyperlink menu 📝👆.
A very, very important book for all of us. It is a very important subject for BCS, bank, university admission and any competitive exam. Besides, you will find any recent data or information about Bangladesh in this book.
So, as a citizen, you need to know this information.
For the BCS and bank written exams; it will also be of great use to secondary and higher secondary students.
Assessment and Planning in Educational technology.pptx (Kavitha Krishnan)
In an education system, it is understood that assessment is only for the students, but on the other hand, the Assessment of teachers is also an important aspect of the education system that ensures teachers are providing high-quality instruction to students. The assessment process can be used to provide feedback and support for professional development, to inform decisions about teacher retention or promotion, or to evaluate teacher effectiveness for accountability purposes.
How to Fix the Import Error in Odoo 17 (Celine George)
An import error occurs when a program fails to import a module or library, disrupting its execution. In languages like Python, this issue arises when the specified module cannot be found or accessed, hindering the program's functionality. Resolving import errors is crucial for maintaining smooth software operation and uninterrupted development processes.
Introduction to AI for Nonprofits with Tapp NetworkTechSoup
Dive into the world of AI! Experts Jon Hill and Tareq Monaur will guide you through AI's role in enhancing nonprofit websites and basic marketing strategies, making it easy to understand and apply.
Introduction to AI for Nonprofits with Tapp Network
IT Security and Risk Mitigation
Slide 1/100
CHAPTER 7: IT Security and Risk Mitigation
Makerere University
By EVE Group G Members:
MUKALELE Rogers (13/U/21067/EVE, 213024992)
SSEMUJJU Bernard (13/U/21338/EVE, 213012016)
MPEIRWE Nobles (13/U/21046/EVE, 213005087)
MUSANA Evans (13/U/21078/EVE, 213004582)
2. Slide 2/100EVE GROUP G PRESENTATION: IT Security and Risk Mitigation
Learning Objectives
In this lecture, we look at the following chapter topics:
a) Basic principles and Banking security standards
b) Risk Mitigation controls: Admin, Logical & Physical
c) Security governance and management
d) Business continuity (Disaster recovery planning)
e) Professionalism and ethical standards
f) IT audit framework/ standardization
g) International certifications & standards in IT security
Slide 3/100
Class Ground Rules
1. DO give the presenters the chance to deliver their content undiverted. (Let’s keep focused; we have limited time.)
2. DO openly participate in the class activities.
3. DON’T interrupt the progress of the presentation by raising your hand to ask questions. Instead, note down your questions on the pieces of paper provided. There will be a general Q&A session towards the end of the presentation.
4. DO give precise supplements ONLY upon authorisation by the presenter.
5. DO switch off your phones or put them in silent mode.
6. DO settle. Avoid unnecessary movements.
Slide 4/100
List of icons used in this presentation
The icons used in this presentation are described as follows:
• This icon indicates that the content being looked at is a solution to a question that appeared in the MUELE assignment, and so is a likely Exam Qn.
• This icon indicates a caution or advice on a concept being looked at that is often mistaken or confused with other concepts.
• This icon indicates that the concept being looked at is a key concept that will be referred to or used later.
• This icon is put against a reference to a resource on the world wide web.
Slide 5/100
Topic a)
Basic IT Security principles and
Banking security standards
Presented by Mukalele Rogers
i. IT Security Key concepts
ii. Authenticity
iii. Banking security standards
iv. Risk of password sharing
Slide 6/100
Definitions: IT Security
Information security, sometimes shortened to InfoSec, is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.
IT security: Information security as applied to computing devices, as well as computer networks like the Internet.
Slide 7/100
Basic Principles: Key Concepts of IT Security
Information and the knowledge based on IT have increasingly become
recognized as ‘information assets’, which are vital enablers of business
operations. Hence, they require organizations to provide adequate levels
of protection.
For decades, information security has held Confidentiality, Integrity and
Availability (known as the CIA triad) to be the core principles.
There is continuous debate about extending this classic trio. Other
principles such as Authenticity, Non-repudiation and Accountability are
also now becoming key considerations for practical security systems.
Slide 8/100
Basic Principles: Key Concepts of IT Security cont’d
Confidentiality
Confidentiality is the prevention of disclosure of information to unauthorized individuals or systems.
For example, a credit card transaction on the Internet requires the credit card number to be transmitted from the buyer to the merchant and from the merchant to a transaction processing network.
The system attempts to enforce confidentiality by encrypting the card number during transmission, and by restricting access to the places where it is stored.
If an unauthorized party obtains the card number in any way, a breach of confidentiality has occurred. Breaches of confidentiality take many forms, like hacking, phishing, vishing, email spoofing, SMS spoofing, and sending malicious code through email spam or bot networks.
Slide 9/100
Basic Principles: Key Concepts of IT Security cont’d
Integrity
Integrity is the prevention of unauthorised modification of information.
For example, integrity is violated when an employee accidentally or with malicious intent deletes important data files, modifies his own salary in a payroll database, uses programmes to deduct small amounts of money from all customer accounts and add them to his/her own account (also called the salami technique), when an unauthorized user vandalizes a web site, and so on.
Bulk updates to a database could alter data in an incorrect way, leaving the integrity of the data compromised (corrupted). Information security professionals are tasked with finding ways to implement controls that enforce integrity.
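An added example (not part of the original slides) of an integrity control aimed at the salami pattern just described, in Go: a detector run over a constructed ledger that flags any account receiving many small credits from many distinct source accounts, which is what the technique looks like in aggregate even when each individual debit is too small to be noticed. The ledger, account names and thresholds are all constructed for illustration.

```go
package main

import (
	"fmt"
	"sort"
)

// Credit is one posted credit in a constructed sample ledger: an amount moved
// from a source account into a destination account.
type Credit struct {
	From   string
	To     string
	Amount int64 // smallest currency unit
}

// SalamiFinding describes one destination account that received many small
// credits from many distinct sources.
type SalamiFinding struct {
	Account         string
	DistinctSources int
	Total           int64
}

// FindSalami flags destination accounts that received credits of at most
// maxAmount each from at least minSources distinct source accounts. The
// thresholds are assumptions for this example; a bank would tune them to its
// own transaction profile.
func FindSalami(ledger []Credit, maxAmount int64, minSources int) []SalamiFinding {
	sources := map[string]map[string]bool{} // destination -> set of sources
	totals := map[string]int64{}            // destination -> sum of small credits
	for _, c := range ledger {
		if c.Amount > maxAmount {
			continue // large credits are not the pattern we are looking for
		}
		if sources[c.To] == nil {
			sources[c.To] = map[string]bool{}
		}
		sources[c.To][c.From] = true
		totals[c.To] += c.Amount
	}
	var findings []SalamiFinding
	for acct, srcs := range sources {
		if len(srcs) >= minSources {
			findings = append(findings, SalamiFinding{
				Account: acct, DistinctSources: len(srcs), Total: totals[acct],
			})
		}
	}
	// Largest aggregate first, so the most significant finding is reviewed first.
	sort.Slice(findings, func(i, j int) bool { return findings[i].Total > findings[j].Total })
	return findings
}

// SampleLedger builds a constructed ledger: 40 customer accounts each lose 7
// units to the same staff account, plus a few ordinary small transfers that
// must not be flagged.
func SampleLedger() []Credit {
	var ledger []Credit
	for i := 0; i < 40; i++ {
		ledger = append(ledger, Credit{From: fmt.Sprintf("CUST-%03d", i), To: "EMP-0042", Amount: 7})
	}
	ledger = append(ledger,
		Credit{From: "CUST-001", To: "CUST-002", Amount: 5},
		Credit{From: "CUST-003", To: "CUST-002", Amount: 9},
		Credit{From: "CUST-004", To: "SHOP-7", Amount: 2500},
	)
	return ledger
}

func main() {
	for _, f := range FindSalami(SampleLedger(), 10, 20) {
		fmt.Printf("account %s: %d distinct sources, total %d\n", f.Account, f.DistinctSources, f.Total)
	}
}
```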
Slide 10/100
Basic Principles: Key Concepts of IT Security cont’d
Availability
Availability is the prevention of unauthorised withholding of information, so that it is accessible when needed.
For any information system to serve its purpose, the information must be available when it is needed.
This means that the computing systems used to store and process the information, the security controls used to protect it, and the communication channels used to access it must be functioning correctly.
High availability systems aim to remain available at all times, preventing service disruptions due to power outages, hardware failures, and system upgrades.
Ensuring availability also involves preventing denial-of-service (DoS) attacks.
Slide 11/100
Basic Principles: Key Concepts of IT Security cont’d
Authenticity
Authenticity is the verification to prove that all parties involved in a transaction/matter are who they claim they are.
In IT security, it is necessary to ensure that the data, transactions, communications or documents (electronic or physical) are genuine.
Authenticity is the property that ensures that the identity of a subject or resource is the identity claimed.
Authenticity applies to individuals (users), but also to any other entity (applications, processes, systems, etc.). It is an identification, i.e. the recognition of a name indicating an entity without the slightest doubt.
Slide 12/100
Basic Principles: Key Concepts of IT Security cont’d
Authenticity cont’d: Ensuring authenticity
1. User ID and password input is the most prevalent method of authentication.
However, passwords can be stolen or forgotten. Cracking passwords can be simple for hackers if the passwords aren't complex enough.
Remembering dozens of passwords for dozens of applications can be frustrating for home users and business users alike.
2. Multi-factor authentication is more common in the enterprise for mission critical applications and systems. Multi-factor authentication systems may use key cards, smart cards, or USB tokens.
Slide 13/100
Basic Principles: Key Concepts of IT Security cont’d
Authenticity cont’d: Ensuring authenticity (cont’d)
3. Public Key Infrastructure (PKI) authentication uses digital certificates issued by a central or 3rd party authority.
4. Secure Socket Layer (SSL) connections to web sites provide not only encryption for the session, but also (usually) provide verification that the web site is authentically the site it claims to be.
5. Electronic Signatures and Digital Signatures can be used to enforce authenticity.
On the next slide, we look at the differences between these two.
Slide 14/100
Basic Principles: Key Concepts of IT Security cont’d
Differences between Electronic Signatures and Digital Signatures
Though these terms are often used interchangeably, they are not the same.
Electronic Signatures: An electronic signature, or eSignature, is an electronic indication of intent to agree to or approve the contents of a document. They can be used for signing electronic contracts, invoices, and leases.
Digital Signatures: A digital signature is one form of electronic signature that uses asymmetric cryptography specifically to enable users to ensure the authenticity of the signer and to trust that a signature is valid through the use of a public and private key pair.
Slide 15/100
Basic Principles: Key Concepts of IT Security cont’d
Non-repudiation
Non-repudiation refers to the prevention of any party to a transaction denying their involvement.
In law, non-repudiation implies one's intention to fulfill one’s obligations under a contract / transaction.
It also implies that a party to a transaction cannot deny having received or having sent an electronic record.
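An added Go example (not part of the original slides) of the asymmetric-key mechanism behind the digital signatures of slide 14 and the non-repudiation of slide 15: a party signs a transaction record with its private Ed25519 key, and anyone holding the matching public key can check that the record is genuine and unaltered (authenticity) and that it came from that key holder and nobody else (non-repudiation). The Transaction fields, account names and amounts are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Transaction is a constructed sample of the electronic record a party signs.
type Transaction struct {
	ID        string
	From      string
	To        string
	AmountUGX int64
}

// canonical produces the exact bytes that get signed. Signer and verifier must
// agree on this encoding byte for byte, so it is fixed and explicit rather than
// left to a serializer whose output might vary.
func canonical(tx Transaction) []byte {
	return []byte(fmt.Sprintf("id=%s|from=%s|to=%s|amount=%d",
		tx.ID, tx.From, tx.To, tx.AmountUGX))
}

// Signer holds an Ed25519 key pair. Only the public half is ever shared, which
// is what lets a verifier attribute a signature to this signer alone.
type Signer struct {
	Public  ed25519.PublicKey
	private ed25519.PrivateKey
}

func NewSigner() (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{Public: pub, private: priv}, nil
}

// Sign binds the signer's identity to this exact record.
func (s *Signer) Sign(tx Transaction) []byte {
	return ed25519.Sign(s.private, canonical(tx))
}

// Verify reports whether sig was produced over exactly tx by the holder of the
// private key matching pub. Any change to the record, or a different signer,
// makes it return false. The length checks keep ed25519.Verify from panicking
// on malformed input.
func Verify(pub ed25519.PublicKey, tx Transaction, sig []byte) bool {
	if len(pub) != ed25519.PublicKeySize || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, canonical(tx), sig)
}

// Fingerprint is a short identifier for a public key, suitable for naming the
// accountable signer in an audit record without storing the whole key.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

// Demo walks through the three cases a verifier meets: the genuine record, the
// same record with its amount altered, and the signature checked against the
// wrong party's key. It returns (genuineOK, tamperedOK, wrongKeyOK, err).
func Demo() (bool, bool, bool, error) {
	alice, err := NewSigner()
	if err != nil {
		return false, false, false, err
	}
	bob, err := NewSigner()
	if err != nil {
		return false, false, false, err
	}
	tx := Transaction{ID: "TX-1001", From: "ACC-alice", To: "ACC-merchant", AmountUGX: 250000}
	sig := alice.Sign(tx)

	tampered := tx
	tampered.AmountUGX = 2500000 // one extra zero added after signing

	return Verify(alice.Public, tx, sig),
		Verify(alice.Public, tampered, sig),
		Verify(bob.Public, tx, sig), nil
}

func main() {
	genuine, tampered, wrongKey, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine record verifies:", genuine)
	fmt.Println("altered amount verifies:", tampered)
	fmt.Println("other party's key verifies:", wrongKey)
}
```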
Slide 16/100
Basic Principles: Key Concepts of IT Security cont’d
In addition to the above principles, there are other security-related concepts to consider when designing a security policy and deploying a security solution.
They include identification, authorization and accountability.
Accountability: Security can be maintained only if subjects
are held accountable for their actions.
Identification is the process by which a subject presents an
identity (such as a user name) and accountability is initiated.
The process of authorization ensures that the requested
activity or access to an object is possible given the rights and
privileges assigned to the authenticated identity.
Slide 17/100
Risk of password sharing
How would you feel about being interviewed by the Police or Internal Audit as a suspect in a crime?
If you happen to share your password with someone who embezzles funds, you will be considered a suspect because your name is associated with those transactions.
You are sharing your identity when you share your password.
Businesses and consumers alike find convenience in sharing passwords, but doing so is highly risky.
For example, in a recent incident, Vodafone’s customer database was compromised using login information that was shared among employees.
Slide 18/100
Banking security standards
Standards are detailed statements containing what must be
done to comply with written policies.
A policy refers to a laid out plan or course of action
that influences & determines decisions.
Policies are important reference documents for internal audits
& for resolution of legal disputes. They can act as a clear
statement of management’s intent.
The policies need to be supported with relevant standards,
practices, guidelines and procedures.
Practices, procedures & guidelines explain exactly how
employees will comply with the standards.
Slide 19/100
Banking security standards cont’d
Slide 20/100
Banking security standards cont’d
Key components essential to an organization-wide IT policy:
• List of physical, logical, and network assets to be protected
• Specifications on how communications across the firewall will be audited
• Acceptable Use Policy that tells employees what constitutes acceptable use of company resources
• Description of organization’s approach to security and how it affects the firewall
Essential information in a Security Policy:
• Date last updated
• Name of office that developed the policies
• Clear list of policy topics
• Equal emphasis on positive points (access to information) and negative points (unacceptable policies)
Slide 21/100
Banking security standards cont’d
Banks need standards and procedures indicating:
• The detailed objectives and requirements of individual information security-specific technology solutions,
• Authorisation for individuals who would be handling the technology,
• Addressing segregation of duties issues,
• Appropriate configurations of the devices that provide the best possible security,
• Regularly assessing their effectiveness and fine-tuning them accordingly, and identification of any unauthorised changes.
Slide 22/100
Banking security standards cont’d
In order to consider information security from a bank-wide perspective, a steering committee of executives should be formed.
An IT Security Steering Committee has representatives from the IT, HR, legal and business sectors.
Among other functions, this committee carries out the following:
1. Consulting and advising on the selection of technology within standards, and verifying compliance with technology standards and guidelines.
2. Reviewing the status of security awareness programmes, and monitoring activities across the bank.
3. Assessing new developments or issues relating to information security.
Slide 23/100
Banking security standards cont’d
Functions of an IT Security Steering Committee cont’d
4. Reporting to the Board of Directors on information security
activities.
5. Educating employees. The bank’s employees need to be fully
aware of relevant security policies, procedures and standards to
which they are accountable.
6. Evaluating vendor managed processes or specific vendor
relationships as they relate to information systems and
technology. All outsourced information systems and operations
may be subject to risk management and security and privacy
policies that meet the Bank’s own standards.
Slide 24/100
Banking security standards cont’d
Class Activity 1!
Suppose you have been appointed to be part of the IT Security Steering Committee of Centenary bank Uganda.
In groups of two, identify examples of the critical policies and Banking security standards that you would propose as necessary in such an environment.
Slide 25/100
Banking security standards cont’d
Examples of specific IT Security policies that would be required in a banking environment include, but are not limited to, the following:
i. Logical Access Control
ii. Asset Management
iii. Network Access Control
iv. Password management
v. E-mail security
vi. Remote access
vii. Mobile computing
viii. Network security
ix. Application security
x. Backup and archival
xi. Operating system security
xii. Database administration and security
xiii. Physical security
xiv. Capacity Management
xv. Incident response and management
xvi. Malicious software
xvii. IT asset/media management
xviii. Change Management
xix. Patch Management
xx. Internet security
xxi. Desktop
xxii. Encryption
xxiii. Security of electronic delivery channels
xxiv. Wireless security
xxv. Application/data migration, etc.
Slide 26/100
Topic b)
Risk Mitigation controls
Presented by Musana Evans
i. Administrative
ii. Logical
iii. Physical
Slide 27/100
Definitions: Risk Mitigation
Risk: The chance that an investment's actual return will be different than expected.
The increasing dependence of modern society on information and computer networks has led to new terms like IT risk and Cyber Risk.
IT risk is risk related to information technology.
Risk Mitigation is the process by which an organization introduces specific measures to minimize or eliminate risks associated with its operations.
Risk Mitigation controls are measures or actions taken to avoid or transfer risks within a project.
Slide 28/100
Risk Mitigation controls
There are three, commonly accepted forms of Controls:
(i) Administrative controls -
These are the laws, regulations, policies, practices and guidelines
that govern the overall requirements for an IT Security risk
mitigation program.
For example, a law or regulation may require merchants and
financial institutions to protect and implement controls for customer
account data to prevent identity theft.
The business, in order to comply with the law or regulation, may
adopt policies and procedures laying out the internal requirements
for protecting this data, which requirements are a form of control.
Slide 29/100
Risk Mitigation controls cont’d
(ii) Logical controls -
These are the virtual or technical controls used to ensure that processes are followed.
They include systems and software such as firewalls, anti-virus software, encryption and maker/checker application routines.
A policy may require that significant processes have some form of checker to ensure the integrity of the data and minimize the possibility of unauthorized activity.
Slide 30/100
Risk Mitigation controls cont’d
(ii) Logical controls - cont’d
To implement this policy, the business
may use logical controls such as a
function within an application that
requires that a manager indicate
review and approval of a check
request before the payment can be
processed.
Slide 31/100
Risk Mitigation controls cont’d
(ii) Logical controls - Illustration
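An added Go example (not from the original slides) of the logical control described on slides 29 and 30: a maker/checker routine in which a check request raised by one user can only be released for payment after a different user holding the checker role has approved it, and every action is written to an audit trail so that it is attributable to a named person. The user names, roles and amounts are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Role models the two duties a maker/checker routine keeps separate.
type Role int

const (
	Maker   Role = iota // may raise a payment request
	Checker             // may review and approve a request raised by someone else
)

type Status int

const (
	Pending Status = iota
	Approved
	Processed
)

// Request is one check request in a constructed sample application.
type Request struct {
	ID      int
	Maker   string
	Payee   string
	Amount  int64
	Status  Status
	Checker string // who approved it; empty while pending
}

// Payments is the control point: it knows each user's role, holds the
// requests, and records every decision in AuditLog so that it is attributable.
type Payments struct {
	roles    map[string]Role
	requests map[int]*Request
	nextID   int
	AuditLog []string
}

func NewPayments(roles map[string]Role) *Payments {
	return &Payments{roles: roles, requests: map[int]*Request{}, nextID: 1}
}

var (
	ErrNotAuthorized  = errors.New("user is not authorized for this action")
	ErrSelfApproval   = errors.New("checker must not be the maker of the request")
	ErrWrongStatus    = errors.New("request is not in the required status")
	ErrUnknownRequest = errors.New("no such request")
)

func (p *Payments) log(format string, args ...interface{}) {
	p.AuditLog = append(p.AuditLog, fmt.Sprintf(format, args...))
}

// Raise creates a pending request on behalf of a known user.
func (p *Payments) Raise(maker, payee string, amount int64) (int, error) {
	if _, known := p.roles[maker]; !known {
		return 0, ErrNotAuthorized
	}
	id := p.nextID
	p.nextID++
	p.requests[id] = &Request{ID: id, Maker: maker, Payee: payee, Amount: amount}
	p.log("request %d raised by %s: pay %s %d", id, maker, payee, amount)
	return id, nil
}

// Approve is the checker step. It enforces the two properties the control
// exists for: the approver must hold the Checker role, and must not be the
// person who raised the request (segregation of duties).
func (p *Payments) Approve(checker string, id int) error {
	r, ok := p.requests[id]
	if !ok {
		return ErrUnknownRequest
	}
	if p.roles[checker] != Checker { // unknown users default to Maker, so they fail too
		p.log("request %d: approval by %s refused (not a checker)", id, checker)
		return ErrNotAuthorized
	}
	if checker == r.Maker {
		p.log("request %d: self-approval by %s refused", id, checker)
		return ErrSelfApproval
	}
	if r.Status != Pending {
		return ErrWrongStatus
	}
	r.Status, r.Checker = Approved, checker
	p.log("request %d approved by %s", id, checker)
	return nil
}

// Process releases the payment. The policy says this must not happen until a
// checker has signed off, so anything not in Approved status is refused.
func (p *Payments) Process(id int) error {
	r, ok := p.requests[id]
	if !ok {
		return ErrUnknownRequest
	}
	if r.Status != Approved {
		p.log("request %d: processing refused, not approved", id)
		return ErrWrongStatus
	}
	r.Status = Processed
	p.log("request %d processed: %s paid %d (maker %s, checker %s)", id, r.Payee, r.Amount, r.Maker, r.Checker)
	return nil
}

func (p *Payments) StatusOf(id int) Status { return p.requests[id].Status }
```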
Slide 32/100
Risk Mitigation controls cont’d
(iii) Physical Controls -
These are the physical controls, such as locks, security
cameras and guards, that are used to minimize the risk of loss.
For example, a physical control requirement could be met, in
part, by locking the check stock in a file cabinet and giving the
key to a person who is not part of the check request process.
That person would review the check request and indicate
approval by unlocking the cabinet and providing the check
book for processing.
Slide 33/100
Risk Mitigation controls cont’d
(iii) Physical Controls cont’d
Whereas a firewall provides a "logical" key to obtain access to
a network, a "physical" key to a door can be used to gain
access to an office space or storage room.
Other examples of physical controls are video surveillance
systems, gates and barricades, the use of guards or other
personnel to govern access to an office, and remote backup
facilities.
Slide 34/100
Risk Mitigation controls cont’d
(iii) Physical Controls - Illustration
Slide 35/100
Risk Mitigation controls cont’d
A typical Security Risk Mitigation Process has 4 phases:
1. Assessing Risk
2. Conducting Decision Support
3. Implementing Controls
4. Measuring Program Effectiveness
Slide 36/100
Risk Mitigation controls cont’d
Phases of the Security Risk Mitigation Process explained
Phase 1: Assessing Risk.
This includes planning, data gathering, and risk prioritization.
The output from the Assessing Risk phase is a list of
significant risks with detailed analysis that the team can use to
make business decisions during the next phase of the process.
Phase 2: Conducting Decision Support.
The list created during the risk assessment phase is used
during the decision support phase to propose and evaluate
potential control solutions, and the best ones for mitigating the
top risks are then recommended to the organization’s Security
Steering Committee.
Slide 37/100
Risk Mitigation controls cont’d
Phases of the Security Risk Mitigation Process (cont’d)
Phase 3: Implementing Controls.
During this phase, the Security Steering Committee creates and executes plans based on the list of control solutions that emerged during the decision support process and actually puts control solutions in place.
Phase 4: Measuring Program Effectiveness.
Organizations estimate their progress with regard to security
risk management as a whole.
They can use the concept of a "Security Risk Scorecard" to
assist in this effort.
Slide 38/100
Risk Mitigation controls cont’d
Differences between Risk Mitigation and Risk Assessment
Goal: Risk Mitigation manages risks across the business to an acceptable level; Risk Assessment identifies and prioritizes risks.
Cycle: Risk Mitigation is the overall program across all four phases; Risk Assessment is a single phase of the risk management program.
Schedule: Risk Mitigation is a scheduled activity; Risk Assessment is a continuous activity.
Slide 39/100
Topic c)
Security processes and
management
Presented by Semujju Bernard
i. Security governance
ii. Incident response
iii. Risk management and IT auditing
Slide 40/100
Security governance
Governance is the set of responsibilities and practices exercised by
the board and executive management with the goal of providing
strategic direction, ensuring that objectives are achieved,
ascertaining that risks are managed appropriately and verifying that
the enterprise’s resources are used responsibly.
IT security governance is the process by which an organization
directs and controls IT security.
IT Governance Stakeholders include: Board of Directors, CEOs,
Business Executives, IT Steering Committees and Risk
Committees
Slide 41/100
Security governance cont’d
IT security governance should not be confused with IT security
management:
IT security management is concerned with making decisions to
mitigate risks; governance determines who is authorized to make
decisions.
Governance specifies the accountability framework and provides
oversight to ensure that risks are adequately mitigated, while
management ensures that controls are implemented to mitigate
risks.
Management recommends security strategies. Governance
ensures that security strategies are aligned with business
objectives and consistent with regulations.
Slide 42/100
Security governance cont’d
Differences between Security Governance and Management (Governance vs. Management)
• ‘Doing the right thing.’ vs. ‘Doing things right.’
• Oversight vs. Implementation
• Authorizes decision rights vs. Authorized to make decisions
• Enact policy vs. Enforce policy
• Strategic planning vs. Project planning
• Resource allocation vs. Resource utilization
Slide 43/100
Security governance cont’d
Slide 44/100
Security governance cont’d
Characteristics of effective security governance
1. It is an institution-wide issue
2. Leaders are accountable
3. It is viewed as an institutional requirement (cost of doing business)
4. It is risk-based
5. Roles, responsibilities and segregation of duties are defined
6. It is addressed and enforced in policy
7. Adequate resources are committed
8. Staff are aware and trained
9. A development life cycle is required
10. It is planned, managed, measurable and measured
11. It is reviewed and audited
Slide 45/100
Security governance cont’d
Benefits of information security governance
• Increased predictability and reduced uncertainty of business operations
• Protection from the potential for civil and legal liability
• Structure to optimize the allocation of resources
• Assurance of security policy compliance
• Foundation for effective risk management
• A level of assurance that critical decisions are not based on faulty information
• Accountability for safeguarding information
Slide 46/100
Incident response
An IT security incident is defined as an event that impacts or has the potential to impact the confidentiality, availability, or integrity of IT resources.
Incident response is an organized approach to addressing and
managing the aftermath of a security breach or attack (also
known as an incident).
The goal is to handle the situation in a way that limits damage
and reduces recovery time and costs.
An incident response plan includes a policy that defines, in
specific terms, what constitutes an incident and provides a
step-by-step process that should be followed when an incident
occurs.
Slide 47/100
Incident response cont’d
Procedures and guidelines regarding IT security incident response vary depending on the type of incident, but all procedures include the following steps:
IT Security Incident Response steps
1. Discovery (maintaining systems to discover incidents
involving IT resources)
2. Documentation (documentation of IT incidents in a tracking
system)
3. Notification (sends notifications to unit IT workers identifying
the type of incident)
Slide 48/100
Incident response cont’d
IT Security Incident Response steps cont’d
4. Acknowledgment (Unit must acknowledge the notification)
5. Containment (Unit must contain the incident as soon as
possible)
6. Investigation (investigation and update of the tracking system
with details of the investigation)
7. Resolution (The Incident Response Team, using details from
the investigation, determines incident severity)
8. Closure (reviews incidents in the tracking system and closes
tickets as appropriate)
Slide 49/100
Risk management and IT auditing
The objective of the IT Risk Management Audit is to provide senior management with an understanding and assessment of the efficiency and effectiveness of the IT risk management process, supporting framework and policies, and assurance that IT risk management is aligned with the enterprise risk management process.
Risk Management involves analysis of the IT operating environment, including technology, human resources and implemented processes, to identify threats and vulnerabilities.
Financial institutions should conduct a periodic risk assessment which
should identify:
• Internal and external risks
• Risks associated with individual platforms, systems, or processes, as
well as automated processing units
Slide 50/100
Risk management and IT auditing cont’d
Different threats to IT security that financial institutions must be aware of
Categories of Threats (with examples):
1. Acts of human error or failure: accidents, employee mistakes
2. Compromises to intellectual property: piracy, copyright infringement
3. Deliberate acts of espionage or trespass: unauthorized access and/or data collection
4. Deliberate acts of information extortion: blackmail of information disclosure
5. Deliberate acts of sabotage or vandalism: destruction of systems or information
6. Deliberate acts of theft: illegal confiscation of equipment or information
Slide 51/100
Risk management and IT auditing cont’d
Different threats to IT security that financial institutions must be aware of
Categories of Threats (cont’d, with examples):
7. Deliberate software attacks: viruses, worms, denial-of-service
8. Forces of nature: fire, flood, earthquake, lightning
9. Deviations in quality of service from service providers: power and WAN service issues
10. Technical hardware failures or errors: equipment failure
11. Technical software failures or errors: bugs, code problems, unknown loopholes
12. Technological obsolescence: antiquated or outdated technologies
Slide 52/100
Risk management and IT auditing cont’d
Different threats to IT security that financial institutions must be aware of
Why target financial institutions?
Financial institutions could be targeted for a variety of reasons:
-- in an effort to steal funds;
-- to gain access to information;
-- to disrupt normal business;
-- to create costly distractions;
-- to shake confidence and cause panic.
Slide 53/100
Risk management and IT auditing cont’d
Different threats to IT security that financial institutions must be aware of
Which measures have financial institutions put in place to curb attacks?
Categories of Attack, with counter measures:
• Theft or loss (computers and laptops, portable electronic devices, electronic media, paper files): Ensure proper physical security of electronic and physical restricted data wherever it lives.
• Insecure storage or transmission of PII and other sensitive information: Encryption.
• Password hacked or revealed: Use good, cryptic passwords that are difficult to guess, and keep them secure.
Slide 54/100
Risk management and IT auditing cont’d
Different threats to IT security that financial institutions must be aware of
Which measures have financial institutions put in place to curb attacks?
Attacks, with counter measures:
• Missing "patches" and updates: Make sure all systems that contain or access Restricted Data have all necessary operating system (OS) and third-party application security “patches” and updates.
• Computer infected with a virus: Install anti-virus and anti-spyware software and make sure it is always up-to-date.
• Improperly configured or risky software: Don’t put sensitive information in places where access permissions are too broad.
Slide 55/100
Risk management and IT auditing cont’d
Different threats to IT security that financial institutions must be aware of
Which measures have financial institutions put in place to curb attacks?
Categories of Attack, with counter measures:
• Insecure disposal & re-use: Shred sensitive paper records before disposing of them.
• Application vulnerabilities and mis-configuration: Make sure controls are in place to prevent access to secure databases through insecure databases.
• Network attacks such as Denial of Service (DoS), DDoS, Man-in-the-middle attack, packet sniffing, IP spoofing, etc.: Use an encrypted delivery protocol over a Virtual Private Network (VPN), e.g. Secure Sockets Layer (SSL).
Slide 56/100
Risk management and IT auditing cont’d
IT auditing
Information Technology Audit Services are used to identify
areas of technical risk including application, infrastructure,
systems, and process risks.
IT Audit Services can facilitate the selection of controls and
the identification of technical risk in order to allow
management to make strong strategic and tactical
decisions.
In addition to assessing current computer applications, IT
Audit consults on the development and implementation of
new systems to ensure that internal controls are
established and comply with industry standards.
Slide 57/100
Topic d)
Business continuity
Presented by Mpeirwe Nobles
i. Introduction
ii. Disaster recovery planning
Slide 58/100
Introduction
1-minute introductory Dummies video showing the need for business continuity.
Please click on the graphic below to play.
Slide 59/100
Business Continuity
Business continuity includes the set of planning and preparatory activities intended to ensure that an organization's critical business functions will either continue to operate despite serious incidents or disasters that might otherwise have interrupted them, or will be recovered to an operational state within a reasonably short period.
If no business continuity plan is in place, a severe incident or disruption can leave the organization unable to operate, and in the worst case lead to bankruptcy.
The foundation of business continuity is the standards, programme development and supporting policies, guidelines and procedures needed to ensure that a firm continues to operate without stoppage, irrespective of the adverse circumstances or events.
The management of business continuity falls largely within the sphere of risk management, with some cross-over into related fields such as governance and IT security.
Slide 60/100
Business Continuity
Types of business continuity plans
1. Resilience: critical business functions and the supporting
infrastructure are designed and engineered in such a way that they are
materially unaffected by most disruptions, for example through the use of
redundancy and spare capacity.
2. Recovery: arrangements are made to recover or restore critical and
less critical business functions that fail for some reason.
3. Contingency: the organization establishes a generalized capability
and readiness to cope effectively with whatever major incidents and
disasters occur, including those that were not, and perhaps could not,
have been foreseen. Contingency preparations constitute a last-resort
response if resilience and recovery arrangements should prove
inadequate in practice.
Slide 61/100
Business Continuity
Main features of a good BCP
Identifies and prioritises critical business functions
Determines recovery time objectives (RTOs) for critical assets
Includes a comprehensive risk assessment conducted on critical facilities
Contains succession plans for key employees or consultants
Includes a technology backup strategy that exists and is tested regularly (a backup that has never been restored is not yet a backup)
Lists multiple sources available for critical supplies and processes
Tools and training are in place to provide advance warning of incidents
All projects include a disaster recovery component
Slide 62/100
Disaster recovery planning
Disaster recovery is the process by which you resume business after a disruptive event.
The event might be something huge, like an earthquake or the terrorist attacks on the World Trade Center, or something small, like malfunctioning software caused by a computer virus.
Disaster recovery planning suggests a more comprehensive approach to making sure you can keep making money, not only after a natural calamity but also in the event of smaller disruptions including illness or departure of key staff, supply-chain partner problems or other challenges that businesses face from time to time.
Slide 63/100
Disaster recovery planning cont’d
3-minute video showing how the QUEST company plans for disaster recovery.
Slide 64/100
Disaster recovery planning cont’d
Examples of ideas in a good disaster recovery plan.
1. Develop and practice a contingency (eventuality) plan that includes a succession plan for the CEO.
2. Train backup employees to perform emergency tasks. The employees you count on to lead in an emergency will not always be available.
3. Determine offsite crisis meeting places and crisis communication plans for top executives. Practice crisis communication with employees, customers and the outside world.
4. Invest in an alternate means of communication in case the phone networks go down.
5. Make sure that all employees, as well as executives, are involved in the exercises so that they get practice in responding to an emergency.
Slide 65/100
Disaster recovery planning cont’d
Examples of ideas in a good disaster recovery plan cont’d.
6. Make business continuity exercises realistic enough to tap into
employees' emotions so that you can see how they'll react when the
situation gets stressful.
7. Form partnerships with local emergency response groups—
firefighters, police and EMTs—to establish a good working
relationship. Let them become familiar with your company and site.
8. Evaluate your company's performance during each test, and work
toward constant improvement. Continuity exercises should reveal
weaknesses.
Slide 66/100
Disaster recovery planning cont’d
Class Activity 2!
In groups of two, outline at least 5 benefits of carrying out disaster recovery planning in a business.
Why do you think many businesses don’t carry out disaster recovery planning despite the above benefits?
Slide 67/100
Disaster recovery planning cont’d
Advantages of disaster recovery planning:
Time: Assurance of rapid recovery of normal operating functions.
Finances: Competitive advantage gained from an effective response to crisis situations.
Corporate reputation: With increased confidence in your company's ability to operate in unexpected circumstances, your reputation grows with customers, staff, partners and investors.
IT security enforcement: Not only does DRP protect data, hardware, software, etc., but the people that compose your organization will be better safeguarded should a disaster occur.
Disadvantages of disaster recovery planning:
Time: Time-consuming requirement to implement DRP in the organization.
Finances: Higher financial burden.
Slide 68/100
Disaster recovery planning cont’d
Slide 69/100
Topic e)
Professionalism and ethical
standards
Presented by Mukalele Rogers
i. Professionalism
ii. Ethical standards
Slide 70/100
Professionalism
Professionalism (Professional ethics) encompass the
personal, organizational and corporate standards of behaviour
expected of professionals.
Professionals, and those working in acknowledged
professions, exercise specialist knowledge and skill.
How the use of this knowledge should be governed when
providing a service to the public can be considered a moral
issue and is termed professional ethics.
Slide 71/100
Computer Ethics
• Ethics are a set of moral principles that govern the behaviour of a group or individual.
• Computer ethics is a set of moral principles that regulate the use of computers.
• In other words, Computer Ethics refers to the right or
wrong behavior exercised when using computers.
• Some common issues of computer ethics include
intellectual property rights (such as copyrighted
electronic content), privacy concerns, and how
computers affect society.
Slide 72/100
Deterrence to Unethical and Unprofessional Behavior
Deterrence: best method for preventing an unprofessional
or unethical activity; e.g., laws, policies, technical controls
Laws and policies only deter if three conditions are
present:
Fear of penalty
Probability of being caught
Probability of penalty being administered
As the world of computers evolves, organisations continue to
create ethical standards that address new issues raised by
new technologies.
Slide 73/100
Codes of Ethics and Professional Organizations
A number of professional organizations have established
codes of professional conduct and codes of ethics that
members are expected to follow.
Codes of ethics can have a positive effect on an individual’s
judgment regarding computer use.
It is the responsibility of security professionals to act ethically
and according to the policies and procedures of their employer,
their professional organization, and the laws of society.
Slide 74/100
Examples of Professional Organizations
1. The Computer Ethics Institute(CEI) was founded in 1985 as the Coalition
for Computer Ethics. CEI's mission is to facilitate the examination and
recognition of ethics in the development and use of computer
technologies. The output of this discussion provides educational
resources and governing rules.
In 1991, CEI held its first National Computer Ethics Conference in
Washington, D.C.
The Ten Commandments of Computer Ethics were
first presented in Dr. Ramon C. Barquin's paper
prepared for the conference,
"In Pursuit of a 'Ten Commandments' for Computer
Ethics."
Slide 75/100
Ethics and Information Security
CEI WEBSITE: http://computerethicsinstitute.org
Slide 76/100
Other Examples of Professional Organizations
2. Association for Computing Machinery (www.acm.org)
3. International Information Systems Security Certification Consortium, (ISC)² (www.isc2.org)
4. The SANS Institute (www.sans.org)
5. The Information Systems Audit and Control Association, or ISACA (www.isaca.org)
6. The Computer Security Institute (www.gocsi.com)
7. The Information Systems Security Association (ISSA) (www.issa.org)
8. The Internet Society, or ISOC (www.isoc.org)
Slide 77/100
Topic f)
IT audit framework/
standardization
Presented by Musana Evans
i. IT audit framework
ii. Types of IT Audits
iii. Rationale of an IT Audit
iv. Steps of an IT Audit
v. Examples of IT Audit Systems
vi. Case Study: SBP IT Audit
Slide 78/100
IT Audit: Introductory Activity
Class Activity 3!
1. Who are auditors?
2. Have you ever witnessed the auditing process? If so, where?
3. Some people view the auditing process as a confrontation. Why do you think people have a negative attitude towards the audit process?
4. Why is the auditing process essential to a financial institution?
Slide 79/100
IT audit framework
An IT audit is the process of assessing a computer system to determine whether it has been designed to maintain the IT security principles (CIA), allows organisational goals to be achieved effectively and uses resources efficiently.
An IT audit is different from a financial audit. While a financial audit's purpose is to evaluate whether an organization is adhering to standard accounting practices, the purpose of an IT audit is to evaluate the system's internal control design and effectiveness.
This includes, but is not limited to, efficiency and security protocols, development processes, and IT governance or oversight.
Slide 80/100
Types of IT audits
Systems and Applications Audit: Verifies that systems and applications are appropriate, are efficient, and are adequately controlled to ensure CIA.
Information Processing Facilities Audit: Assesses the processing facilities to ensure timely, accurate, and efficient processing of applications.
Systems Development Audit: Verifies that the systems under development meet the objectives and standards of the organization.
IT Management Audit: Verifies that IT management has developed an organizational structure and procedures to ensure a controlled and efficient environment for information processing.
Telecommunications / Network Audit: Verifies that telecommunications controls are in place across the network connecting the clients and servers.
Slide 81/100
Rationale of conducting IT audit
The rationale (general objective/justification) of an IT audit is to
evaluate the computerised information system (CIS) in order to
ascertain whether it produces timely, accurate, complete and
reliable information outputs, as well as ensuring confidentiality,
integrity, availability and reliability of data and adherence to
relevant legal and regulatory requirements.
The objectives of undertaking an IT audit include:
1. To assess how well management capitalises on the use of IT to improve
its business processes;
2. To assess the effect of IT on the client’s business processes, including
the development of the financial statements and the business risks
related to these processes;
3. To assess how the client’s use of IT for the processing, storage and
communication of financial information affects the internal control
systems and our consideration of inherent risk and control risk;
Slide 82/100
Rationale of conducting IT audit
4. To identify and understand the controls that management uses to measure, manage and control the IT processes;
5. To assess the effectiveness of controls over the IT processes that have a direct and important impact on the processing of financial information;
6. IT audit, as a subset of performance audit, seeks assurance that all aspects of the IT systems, including necessary controls, are being effectively enforced;
7. IT audit, as a subset of performance audit, may examine the efficiency and effectiveness of an IT-based business process or government programme.
As such, the focus of the IT audit is to provide assurance that the IT systems can be relied upon to help deliver the required services.
Slide 83/100
Steps of An IT Audit
Below is the general approach to IT auditing. NB: Ideally it is a continuous cycle, and it varies depending on the type of audit.
1. Planning Phase: define the scope; learn the controls; review historical incidents and past audits; do a site survey; review current policies; define objectives; develop the audit plan / checklist; design questionnaires.
2. Testing Phase: meet with site managers; agree what data will be collected and how/when it will be collected; involve site employees; collect data based on the scope and objectives.
3. Reporting Phase: prepare and present reports containing preliminary findings; an introduction defining objectives and scope; how data was collected; a summary of problems; an in-depth description of problems; a glossary of terms and references.
Slide 84/100
Examples of IT Audit Systems
1. Tripwire auditing system (screenshot)
2. IT audit using a firewall log (screenshot)
Slide 85/100
Case Study: SBP IT Audit
We look at the case study of the STATE BANK OF PAKISTAN (SBP) because it is one of the institutions that have moved furthest in adopting advanced IT (see the letter in the notes section).
Information technology audits evaluate system processing controls, data security, physical security, systems development procedures, contingency planning, and systems requirements.
Slide 86/100
Case Study: SBP IT Audit
The SBP Internal Audit Department was
established for the purpose of providing
management and the Audit Committee of the
State Bank of Pakistan Banking Services
Corporation with reasonable assurance that the
management control systems throughout the
SBPBSC (Bank) are adequate and operating
effectively.
The Internal Audit Department provides valuable support in
maintaining the public's confidence by performing
independent and objective reviews and subsequent
reporting.
SBP Audit WEBSITE: http://www.sbp.org.pk/sbp_bsc/BSC/audit/
Slide 87/100
Case Study: SBP IT Audit cont’d
The following activities are done during the SBP IT audit:
The bank's logs are analysed to check who logged into the bank's systems.
ATM logs of the clients are analysed for validity to detect and prevent hacker attacks.
Software is also set up/programmed to restrict and report unauthenticated access to the SBP system.
A system that the logs show to be compromised is then monitored closely before it is reported to the police of Pakistan.
SBP also provides authentication/access-control levels, with the CEO, directors, managers and other subordinates having limits of access according to the bank's security policy.
The bank, as a security procedure, educates staff on good practices to prevent breaches.
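The log-review activities above (who logged in, repeated failures, access outside the set policy), as an added example that is not from the presentation and not SBP's own tooling: detection logic run over a handful of constructed log lines. The log format, the user-to-role table and the host access policy are assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Added example, not from the presentation or from SBP. Detection logic for
# an authentication log: repeated failures (password guessing), a success
# right after a burst of failures (a guessed password), logins that the
# access-control policy does not permit, and lines the parser cannot read.
# Log format, role table and policy are assumptions made for the example.

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) host=(?P<host>\S+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>SUCCESS|FAIL)$"
)

# Constructed sample: a teller logging in, a guessing run against bob's
# account that eventually succeeds, a contractor reaching a system his role
# does not permit, a manager's normal login, and a corrupt line.
SAMPLE_LOG = """\
2013-03-04T08:01:12Z host=core-banking user=alice src=10.1.5.23 result=SUCCESS
2013-03-04T08:02:05Z host=core-banking user=bob src=10.1.5.88 result=FAIL
2013-03-04T08:02:09Z host=core-banking user=bob src=10.1.5.88 result=FAIL
2013-03-04T08:02:14Z host=core-banking user=bob src=10.1.5.88 result=FAIL
2013-03-04T08:02:20Z host=core-banking user=bob src=10.1.5.88 result=SUCCESS
2013-03-04T08:15:00Z host=atm-switch user=dave src=203.0.113.9 result=SUCCESS
2013-03-04T08:16:00Z host=core-banking user=carol src=10.1.5.40 result=SUCCESS
2013-03-04T09:00:00Z this line was truncated by the collector
"""

# Assumed access policy: which roles may log in to which system.
ROLE_OF = {"alice": "teller", "bob": "teller", "carol": "manager", "dave": "contractor"}
ALLOWED = {"core-banking": {"teller", "manager"}, "atm-switch": {"manager"}}


def parse(line: str):
    """Return a dict for a well-formed line, or None so the caller can flag it.
    Unparseable lines are findings in their own right: an auditor cannot
    assume that whatever the parser drops was benign."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def audit(lines, fail_threshold: int = 3, window: timedelta = timedelta(minutes=5)) -> list:
    """Single pass over the log in time order, keeping per (source, user)
    the timestamps of failures inside a sliding window."""
    findings = []
    recent_fails = defaultdict(deque)
    for raw in lines:
        ev = parse(raw)
        if ev is None:
            findings.append({"rule": "unparsed_line", "line": raw})
            continue
        fails = recent_fails[(ev["src"], ev["user"])]
        while fails and ev["ts"] - fails[0] > window:   # expire old failures
            fails.popleft()
        if ev["result"] == "FAIL":
            fails.append(ev["ts"])
            if len(fails) == fail_threshold:            # report once per burst
                findings.append({"rule": "brute_force", "user": ev["user"],
                                 "src": ev["src"], "at": ev["ts"].isoformat()})
            continue
        if fails:   # success right after a burst of failures: a guessed password
            findings.append({"rule": "success_after_failures", "user": ev["user"],
                             "src": ev["src"], "failures": len(fails),
                             "at": ev["ts"].isoformat()})
            fails.clear()
        # Successful login: does the policy allow this role on this host?
        role = ROLE_OF.get(ev["user"], "unknown")
        if role not in ALLOWED.get(ev["host"], set()):
            findings.append({"rule": "policy_violation", "user": ev["user"],
                             "role": role, "host": ev["host"], "at": ev["ts"].isoformat()})
    return findings


def audit_sample() -> list:
    return audit(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for finding in audit_sample():
        print(finding)
```

Threshold and window are the tuning knobs. The `success_after_failures` rule is the one worth paging on: three failures followed by nothing is usually a forgotten password, three failures followed by a success from the same source is the signature of a guessed one.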
Slide 88/100
Topic g)
International certifications &
standards in IT security
Presented by Ssemujju Bernard
i. Introduction
ii. International standards of IT security
iii. International certifications in IT security
Slide 89/100
Introduction
While information security plays an important role in protecting the data and assets of an organisation, we often hear news about security incidents, such as defacement of websites, server hacking and data leakage.
Organisations need to be fully aware of the need to devote more resources to the protection of information assets, and information security must become a top concern in both government and business.
To address the situation, a number of governments and organisations have set up benchmarks, standards and in some cases legal regulations on information security to help ensure that an adequate level of security is maintained, resources are used in the right way, and the best security practices are adopted.
Slide 90/100
Introduction cont’d
Some industries, such as banking, are regulated, and the guidelines or best practices put together as part of those regulations often become a de facto standard among members of these industries.
In this section, we give a brief introduction to the most commonly adopted standards and regulations for information security, including ISO standards, COBIT, the Sarbanes-Oxley Act, and so on.
We shall also look at international certifications in IT security, which are qualifications or designations earned by a person to certify that they are qualified to perform a job.
Slide 91/100
a) ISO STANDARDS
The International Organisation for Standardisation (ISO), established in 1947, is a non-governmental international body that collaborates with the International Electrotechnical Commission (IEC) and the International Telecommunication Union (ITU) on information and communications technology (ICT) standards.
The following are commonly referenced ISO security standards. The 2005 editions cited here have since been revised (most recently in 2022), so always check for the current edition before relying on a clause number.
NB: See Notes Area for details and references
1. ISO/IEC 27002:2005 (Code of Practice for Information Security Management)
2. ISO/IEC 27001:2005 (Information Security Management System - Requirements)
3. ISO/IEC 15408 (Evaluation Criteria for IT Security, the "Common Criteria")
4. ISO/IEC 13335 (IT Security Management; since withdrawn and largely superseded by the ISO/IEC 27000 series)
Slide 92/100
b) PAYMENT CARD INDUSTRY DATA SECURITY STANDARD
The Payment Card Industry (PCI) Data Security Standard (DSS) was developed by a number of major credit card companies (including American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International) as members of the PCI Security Standards Council to enhance payment account data security.
The standard consists of 12 core requirements, which cover security management, policies, procedures, network architecture, software design and other critical measures. These requirements are organised into the following areas (later versions of the standard, up to v4.0 of 2022, keep the 12 requirements and these six groupings, with updated wording and added controls):
1. Build and Maintain a Secure Network
2. Protect Cardholder Data
3. Maintain a Vulnerability Management Program
4. Implement Strong Access Control Measures
5. Regularly Monitor and Test Networks
6. Maintain an Information Security Policy
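One concrete control under "Protect Cardholder Data", as an added example that is not part of the presentation or of the PCI DSS text: scanning free text such as application logs for full card numbers (PANs), confirming candidates with the Luhn check digit to avoid false positives, and masking them to the first six and last four digits, the most the standard permits to be displayed. The log lines are constructed and the card numbers are the published scheme test numbers, not real accounts.

```python
import re

# Added example, not part of the presentation or of the PCI DSS itself.
# Finds primary account numbers (PANs) written where they should not be,
# such as application logs, confirms each candidate with the Luhn check digit
# that every payment card number carries, and masks it to first six / last
# four. Log lines are constructed; the card numbers are scheme test numbers.

# 13 to 19 digits, optionally separated by single spaces or hyphens, not
# embedded in a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

SAMPLE_LOG = (
    "2013-03-04 10:22:01 INFO payment ok card=4111111111111111 order=1234567890123456\n"
    "2013-03-04 10:23:17 WARN retry for 5555 5555 5555 4444 from 10.1.5.23\n"
    "2013-03-04 10:24:02 INFO amex 3782-822463-10005 approved\n"
)


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: from the right, double every second digit,
    subtract 9 from any result above 9, and the total must end in 0."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _digits(match_text: str) -> str:
    return re.sub(r"[ -]", "", match_text)


def is_pan(digits: str) -> bool:
    return 13 <= len(digits) <= 19 and luhn_ok(digits)


def mask_pan(digits: str) -> str:
    """Keep the first six (issuer identifier) and last four; star the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """All Luhn-valid PANs in the text, separators removed, in order."""
    return [d for d in (_digits(m.group()) for m in CANDIDATE.finditer(text)) if is_pan(d)]


def redact(text: str) -> str:
    """Replace every PAN with its masked form; other digit runs (order
    numbers, timestamps) fail the Luhn check and are left untouched."""
    def repl(m):
        d = _digits(m.group())
        return mask_pan(d) if is_pan(d) else m.group()
    return CANDIDATE.sub(repl, text)


if __name__ == "__main__":
    print(find_pans(SAMPLE_LOG))
    print(redact(SAMPLE_LOG), end="")
```

The Luhn check removes most false positives, but a transaction or order number can pass it by chance (one in ten random digit strings do), so in practice a scanner like this feeds a review queue and the masked form is what goes to the log store; the full PAN should never have reached it.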
Slide 93/100
c) COBIT
The Control Objectives for Information and related Technology (COBIT) is “a control framework that links IT initiatives to business requirements, organises IT activities into a generally accepted process model, identifies the major IT resources to be leveraged and defines the management control objectives to be considered”.
ISACA first released COBIT in 1996; the IT Governance Institute (ITGI), founded by ISACA in 1998, maintained the later editions, and version 4.1 was published in 2007. (COBIT 4.1 has since been superseded by COBIT 5 in 2012 and by COBIT 2019.)
COBIT is increasingly accepted internationally as a set of guidance materials for IT governance that allows managers to bridge the gap between control requirements, technical issues and business risks.
Slide 94/100
EXAMPLES OF STANDARDS INCLUDE;
1. Standard of Good Practice: published by the Information Security Forum (ISF) as a comprehensive list of information security best practices.
2. Standards by the North American Electric Reliability Corporation (NERC):
• NERC 1200
• NERC 1300 (CIP = Critical Infrastructure Protection)
N.B: The NERC standards are used to secure bulk electricity systems. They also provide for network security administration while still supporting best-practice industry processes.
3. National Institute of Standards and Technology (NIST) Special Publications:
Special Publication 800-12 (An Introduction to Computer Security: The NIST Handbook)
Provides a broad view of computer security and control areas
Emphasizes the importance of security controls and ways to implement them.
Slide 95/100
EXAMPLES OF STANDARDS CONT’D;
Special Publication 800-14 (Generally Accepted Principles and Practices for Securing Information Technology Systems):
- Describes common security principles
- Provides a high-level view of what should be incorporated within a computer security policy
- Also describes what can be done to improve existing security as well as to develop a security practice.
Special Publication 800-26 (Security Self-Assessment Guide for Information Technology Systems): Provides advice on how to manage IT security.
• Emphasizes the importance of self-assessment as well as risk assessment. (Since withdrawn; NIST now points to SP 800-53A for assessments.)
Special Publication 800-37 (Guide for Applying the Risk Management Framework to Federal Information Systems)
• Revision 1 was published in 2010 and describes a risk-based approach to authorising systems. (Revision 2, 2018, is the current edition.)
Special Publication 800-53 Revision 3 (Recommended Security Controls for Federal Information Systems and Organizations)
• A catalogue of security controls to be selected and applied to a system to make it more secure; its companion SP 800-53A is the guide for assessing those controls. (Revision 5, 2020, is the current edition.)
Slide 96/100
International certifications in IT security
Definition: A professional certification, trade certification, or professional designation, often called simply certification or qualification, is a designation earned by a person to certify that they are qualified to perform a job.
Certification indicates that the individual has a specific set of knowledge, skills, or abilities in the view of the certifying body.
Professional certifications are awarded by professional bodies and corporations.
The difference between licensure and certification is that licensure is required by law, whereas certification is generally voluntary. (Wikipedia)
Slide 97/100
Examples of certifications of IT security
The three below are security-management, investigation and physical-security certifications awarded by ASIS International. Certifications focused more narrowly on IT security, such as (ISC)²'s CISSP and ISACA's CISA and CISM, are issued by the professional bodies listed under Topic e).
Certified Protection Professional: The Certified Protection Professional (CPP) designation is awarded to experienced security practitioners who have demonstrated in-depth knowledge and management skills in eight key areas of security.
Professional Certified Investigator: A specialty certification awarded to security practitioners who have demonstrated knowledge and experience in case management, evidence collection, and preparation of reports and testimony to substantiate findings.
Physical Security Professional: A specialty certification awarded to security practitioners who have demonstrated knowledge and experience in threat assessment and risk analysis.
Slide 98/100
Question and Answer Session
Slide 99/100
MUELE Assignment Questions on this chapter
1 (a). What is an IT policy?
(b). List the key components essential to an organization-wide IT policy.
(c). Define the types of user restrictions that can be implemented through the IT policy.
(d). Prepare an IT policy for any financial institution of your choice.
2 (a). Differentiate between authorization and authentication.
(b). Explain the rationale of conducting an IT audit in a financial institution.
(c). State the importance of electronic signatures.
3 (a). Define the concept of a Business Continuity Plan (BCP).
(b). List the main features of a good BCP.
(c). Describe the impact of not having a BCP.
4 (a). Explain the different threats to information security that financial institutions must be aware of.
(b). Explain the measures put in place by financial institutions to curb attacks.
5 (a). What is IS/IT audit?
(b). Why is an information systems audit essential to a financial institution?