IT SECURITY & RISK
Fundamental Concepts
TANUJ PANDEY
Security Fundamentals
(Confidentiality/Integrity/Availability):
Fig 1: CIA Triad
• Confidentiality is a set of rules that limits access to information, i.e. it prevents data from being read by anyone who is not authorized.
E.g. credentials, credit card details, or any PII (Personally Identifiable Information).
• Integrity is the assurance that information is trustworthy and accurate, i.e. the data a receiver gets is exactly what was sent, without any modification or tampering.
• Availability is a guarantee of reliable access to information by authorized people. When any
Authorized
Impact of loss of CIA:
There are three rating levels for measuring the impact that a loss of confidentiality, integrity or availability can have on an organization. Rate C, I and A separately for each asset; the asset's overall rating is the highest of the three.
(I) Low (Rating of 1): Limited adverse effect on organizational operations, assets, or individuals.
(II) Medium (Rating of 2): Serious adverse effect on organizational operations, assets, or individuals.
(III) High (Rating of 3): Severe or catastrophic adverse effect on organizational operations, assets, or individuals.
AAA(Authentication, Authorization, Accountability):
• Authentication provides access control for systems by checking whether the credentials a user presents match the credentials held in a database of authorized users or on a dedicated authentication server.
• Authentication is important because it enables an organization to keep its networks secure by permitting only authenticated users.
• Authentication is used to protect computer systems, networks, databases, websites and other network-based applications or services.
• Authorization is the process of giving someone permission to do something; it happens only after authentication has established who they are.
• In a multi-user computer system the system administrator defines which users are allowed access to the system and what privileges of use they have (such as access to directories, hours of access, amount of allocated space, and so forth).
• Accountability is the assurance that an individual or an organization will be evaluated on the actions for which they are responsible; in a system this means every action can be traced back to the authenticated identity that performed it, typically through audit logs.
• Accountability and transparency are generally considered the two main pillars of good corporate governance.
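The three A's above fit together in one request path: prove who the caller is, decide what they may do, and record both decisions. The following is an added example, not code from the slides: a minimal AAA service in Python whose user store, roles, usernames and passwords are all constructed for illustration. Passwords are never stored in clear; they are kept as salted PBKDF2-HMAC-SHA256 hashes and compared in constant time, unknown users cost the same time as known ones, authorization is deny-by-default, and every decision goes to an append-only audit trail.

```python
"""Added example (not from the slides): a minimal AAA service.

Authentication: salted PBKDF2-HMAC-SHA256 password hashes, constant-time compare.
Authorization:  role -> permission set, deny by default.
Accountability: every decision appended to an audit trail.
The user store, role names and credentials are constructed for illustration.
"""
import hashlib
import hmac
import os
import time
from typing import Dict, List, Optional, Tuple

ITERATIONS = 100_000          # assumption: raise to what your hardware tolerates
DUMMY_SALT = b"\x00" * 16     # used so an unknown username costs the same time as a known one
DUMMY_HASH = b"\x00" * 32

# Authorization policy: role -> permitted actions (assumed, illustrative).
ROLES: Dict[str, set] = {
    "admin": {"read", "write", "delete"},
    "analyst": {"read"},
}


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, hash). A fresh random salt defeats precomputed hash tables."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


class AAAService:
    def __init__(self) -> None:
        self.users: Dict[str, Tuple[bytes, bytes, str]] = {}   # name -> (salt, hash, role)
        self.audit: List[dict] = []                            # accountability record

    def add_user(self, name: str, password: str, role: str) -> None:
        salt, digest = hash_password(password)                 # plaintext is never stored
        self.users[name] = (salt, digest, role)

    def authenticate(self, name: str, password: str) -> bool:
        """Compare the presented credential against the stored hash."""
        record = self.users.get(name)
        salt, stored = (record[0], record[1]) if record else (DUMMY_SALT, DUMMY_HASH)
        _, candidate = hash_password(password, salt)
        # compare_digest runs in constant time, so response time does not reveal
        # how many leading bytes of the hash matched.
        ok = record is not None and hmac.compare_digest(candidate, stored)
        self._record(name, "authenticate", ok)
        return ok

    def authorize(self, name: str, action: str) -> bool:
        """Deny by default: only actions listed for the user's role are allowed."""
        record = self.users.get(name)
        role = record[2] if record else None
        ok = action in ROLES.get(role, set())
        self._record(name, f"authorize:{action}", ok)
        return ok

    def request(self, name: str, password: str, action: str) -> bool:
        """Full AAA flow: authenticate, then authorize; both steps are audited."""
        return self.authenticate(name, password) and self.authorize(name, action)

    def _record(self, name: str, event: str, ok: bool) -> None:
        # Append-only trail answers "who did what, when, and was it allowed?"
        self.audit.append({"ts": time.time(), "user": name, "event": event, "allowed": ok})


def build_demo_service() -> AAAService:
    """Constructed user store for the example."""
    svc = AAAService()
    svc.add_user("alice", "correct horse battery staple", "admin")
    svc.add_user("bob", "hunter2", "analyst")
    return svc
```

Note that a failed authentication is still written to the audit trail: the record of who tried and failed is exactly what an investigator needs later, and it is the input to the brute-force detection that the Controls section calls a detective control.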
Risk:
• In Information Technology, information has long been recognized as a valuable and important asset; a risk is the possibility of a security breach against that asset that would have a broad impact on the business.
• To calculate the risk: Risk = Likelihood × Impact, i.e. the probability that a loss event occurs multiplied by the severity of the loss if it does.
• Types of Risk Analysis:
• Qualitative Risk Analysis: prioritizes the identified risks using a pre-defined rating scale. Risks are scored on their probability or likelihood of occurring and on their impact on objectives should they occur.
• Quantitative Risk Analysis: a further analysis of the highest-priority risks in which numerical values (e.g. expected monetary loss per year) are assigned in order to develop a probabilistic analysis.
Risk Analysis:
• Risk analysis is performed as part of an IT risk assessment and involves identifying risks and threats and determining how to manage them.
• For each risk, the analysis records:
*Issue
*Consequences
*Likelihood
*Impact level
*Risk level
*Mitigation Strategy
*Status
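The fields above are a risk register, and the Risk = Likelihood × Impact rule together with the Low/Medium/High scale (1, 2, 3) turns it into something that can be sorted. The following is an added example, not from the slides: a small register in Python that scores each row qualitatively on that scale, ranks it, and adds the quantitative check (annual loss expectancy = single loss expectancy × annual rate of occurrence) used to decide whether a control is worth its cost. The banding thresholds, the sample risks and the money figures are assumptions for the demo.

```python
"""Added example (not from the slides): a risk register that applies the page's
qualitative scale (Low=1, Medium=2, High=3) and a quantitative ALE check.
The banding thresholds, sample risks and cost figures are assumptions."""
from dataclasses import dataclass
from typing import List

RATING = {"low": 1, "medium": 2, "high": 3}     # the page's Low/Medium/High ratings


def risk_level(score: int) -> str:
    """Band a likelihood x impact product (1..9) into the three levels.
    Assumption: 1-2 Low, 3-4 Medium, 6-9 High (a common 3x3 matrix banding)."""
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


@dataclass
class Risk:
    """One row of the analysis: the fields listed on the page."""
    issue: str
    consequences: str
    likelihood: str          # low / medium / high
    impact: str              # low / medium / high
    mitigation: str
    status: str = "open"

    @property
    def score(self) -> int:
        # Risk = Likelihood x Impact
        return RATING[self.likelihood] * RATING[self.impact]

    @property
    def level(self) -> str:
        return risk_level(self.score)


def prioritize(register: List[Risk]) -> List[Risk]:
    """Qualitative analysis: highest score first, so treatment effort goes there."""
    return sorted(register, key=lambda r: r.score, reverse=True)


def annual_loss_expectancy(single_loss: float, annual_rate: float) -> float:
    """Quantitative analysis: ALE = SLE x ARO (expected loss per year)."""
    return single_loss * annual_rate


def control_is_justified(ale_before: float, ale_after: float, annual_cost: float) -> bool:
    """A control pays for itself when the ALE it removes exceeds what it costs per year."""
    return (ale_before - ale_after) > annual_cost


def demo_register() -> List[Risk]:
    """Constructed sample risks (illustrative only)."""
    return [
        Risk("Unpatched web server", "Remote code execution, data breach", "high", "high",
             "Monthly patch cycle plus WAF"),
        Risk("Laptop theft", "Loss of device, possible data exposure", "medium", "low",
             "Full-disk encryption, remote wipe"),
        Risk("Shared admin password", "Untraceable privileged actions", "high", "medium",
             "Per-user accounts, MFA, privileged access logging"),
        Risk("Data centre flood", "Extended outage", "low", "high",
             "Off-site backups, DR site"),
    ]
```

The qualitative pass is what gets discussed in a risk review; the quantitative pass is what gets taken to the budget holder, which is the "justify security investments" purpose of the assessment.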
Risk Assessment:
• An IT risk assessment tells you the state of security of your IT infrastructure, and it facilitates decision-making on your organizational security strategy.
• Purpose of Risk Assessment:
(I) Identify threats & vulnerabilities.
(II) Enhance enterprise-wide security.
(III) Justify security investments.
(IV) Select risk mitigation measures:
1. Preventive
2. Mitigation
3. Recovery
Fig 1.1: Risk
Risk Management:
• There are four phases of risk management:
(I) Plan: Make plans for potential risks & vulnerabilities.
(II) Assess: Identify each risk and evaluate its likelihood and impact so that the appropriate treatment can be chosen.
(III) Handle: Once a risk has been assessed, treat it in this phase (mitigate, transfer, avoid or accept it).
(IV) Monitor & Report: Check on a regular basis to get the current status of security, since threats and assets change over time.
Fig 1.2: Risk Management
Basic Principles Of IT Security:
• Principle 1. There is no such thing as absolute security.
• Principle 2. The three security goals are Confidentiality, Integrity, Availability.
• Principle 3. Defense in depth as strategy (layered mechanisms that protect, detect & record).
• Principle 4. When left on their own, people tend to make the worst security decisions (e.g. sharing credentials in exchange for worthless goods).
• Principle 5. Computer security depends on two types of requirements: Functional (what a system should do) & Assurance (how the functional requirements are implemented & tested).
• Principle 6. Security through obscurity is not an answer (do not rely on the secrecy of a design or on a single mechanism; assume the attacker knows how the system works).
• Principle 7. Security = Risk Management (what is the likelihood that this loss will occur, and what would it cost?).
• Principle 8. The three types of controls (layers of protection) are:
(i) Preventive (ii) Detective (iii) Corrective (Responsive).
• Principle 9. Complexity is the enemy of security (a mechanism should be simple enough that those responsible for it can understand and verify it).
• Principle 10. Fear, uncertainty, and doubt do not work in selling security (information security managers must justify security investments using risk-analysis techniques).
• Principle 11. People, process and technology are all needed to adequately secure a system or facility (a series of countermeasures & controls).
• Principle 12. Open disclosure of vulnerabilities is good for security.
Controls:
Security controls are safeguards or countermeasures that avoid, detect or minimize security risks to physical/logical property, information, computer systems or other assets.
Types of Controls:
(I) Preventive: designed to keep errors and irregularities from occurring in the first place.
(II) Detective: designed to detect errors or irregularities that have occurred.
(III) Corrective (Responsive): designed to correct errors or irregularities that have been detected.
Examples of controls used against security breaches, with the type each one mainly provides:
*Firewalls (preventive)
*IDS (Intrusion Detection System) (detective)
*Biometric Access (preventive)
*Encryption (preventive)
*CCTV (Closed Circuit Television) (detective; also a deterrent)
*Strong Authentication (preventive)
*Motion Sensors (detective)
*Security Guards (preventive and corrective: they deter entry and respond to alarms)
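The three control types are easiest to see on one concrete event stream. The following is an added example, not from the slides: a detective control that reads SSH authentication log lines and flags a source that fails a password more than a threshold number of times inside a sliding window, a corrective control that turns the alert into a block rule (and an escalation when the guessing eventually succeeded, the case an IDS must not miss), and a preventive control that refuses further attempts from a flagged source. The log lines, the line format and the addresses (IETF documentation ranges) are constructed for the example.

```python
"""Added example (not from the slides): the three control types applied to SSH logins.
Detective:  spot password brute force in auth log lines (sliding window per source IP).
Corrective: emit a block rule for the offender; escalate if a login later succeeded.
Preventive: refuse further attempts from a source that is already flagged.
The log lines and addresses (TEST-NET ranges) are constructed; the format is assumed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

# Constructed sample of an OpenSSH-style auth log with ISO timestamps.
SAMPLE_LOG = """\
2024-05-01T10:00:01 sshd[812]: Failed password for invalid user admin from 203.0.113.7 port 50122
2024-05-01T10:00:09 sshd[812]: Failed password for invalid user admin from 203.0.113.7 port 50123
2024-05-01T10:00:17 sshd[812]: Failed password for root from 203.0.113.7 port 50124
2024-05-01T10:00:25 sshd[812]: Failed password for root from 203.0.113.7 port 50125
2024-05-01T10:00:31 sshd[812]: Failed password for alice from 203.0.113.7 port 50126
2024-05-01T10:00:40 sshd[812]: Accepted password for alice from 203.0.113.7 port 50127
2024-05-01T10:01:02 sshd[813]: Failed password for bob from 198.51.100.4 port 41002
2024-05-01T10:01:10 sshd[813]: Accepted password for bob from 198.51.100.4 port 41003
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def parse(lines: Iterable[str]) -> List[dict]:
    """Turn raw lines into events; lines that do not match are ignored, not guessed."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append({
                "ts": datetime.fromisoformat(m["ts"]),
                "ok": m["result"] == "Accepted",
                "user": m["user"],
                "ip": m["ip"],
            })
    return events


def detect_bruteforce(events: List[dict], threshold: int = 5,
                      window: timedelta = timedelta(minutes=2)) -> Dict[str, str]:
    """Detective control: >= threshold failures from one IP inside the window raises
    'bruteforce'; a later success from that same IP upgrades it to
    'compromise_suspected' because one of the guesses worked."""
    recent: Dict[str, deque] = defaultdict(deque)
    alerts: Dict[str, str] = {}
    for ev in events:
        if ev["ok"]:
            if ev["ip"] in alerts:
                alerts[ev["ip"]] = "compromise_suspected"
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:      # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            alerts.setdefault(ev["ip"], "bruteforce")
    return alerts


def corrective_actions(alerts: Dict[str, str]) -> List[str]:
    """Corrective control: block the source; escalate when a login succeeded."""
    actions = []
    for ip, kind in sorted(alerts.items()):
        actions.append(f"firewall: drop traffic from {ip}")
        if kind == "compromise_suspected":
            actions.append(f"incident: terminate sessions from {ip} and reset affected accounts")
    return actions


def preventive_gate(alerts: Dict[str, str], ip: str) -> bool:
    """Preventive control: a flagged source never reaches the password check again."""
    return ip not in alerts
```

The single failed attempt from 198.51.100.4 followed by a success is a normal typo and stays below the threshold; five failures from 203.0.113.7 followed by a success is the pattern that separates "noisy scanner" from "the account is now in someone else's hands", so the corrective step is different for the two.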
Access Control:
• Access control is a way of limiting access to a system or to physical/logical resources.
• Access control is the process by which users are granted access and specific privileges to system resources or information.
• Access control is a fundamental concept in IT security which minimizes risk in an organization.
• Access controls are of two types:
(I) Physical Access: Limits access to physical IT assets. E.g. guards/CCTV at the main server room.
(II) Logical Access: Limits access to computer networks, system files & data. E.g. credentials, validation, authorization, and accountability should be defined for each user separately.
Fig 1.3:Access Control
Threat/ Threat Agents:
• A threat is a possible danger that might exploit a vulnerability to breach security & therefore cause possible harm.
• A threat can be intentional (e.g. an attacker targeting an individual or organization), accidental (e.g. the possibility of a computer malfunctioning) or a natural disaster.
• Identifying the threat agent is fundamental: who would want to exploit the assets of a company, and how might they use them against the company?
• Threat agents can take one or more of the following actions against an asset:
• Access: simple unauthorized access.
• Misuse: unauthorized use of assets.
• Disclose: release of sensitive information.
• Modify: unauthorized change to an asset.
• Deny Access: includes destruction or theft of a non-data asset.
Exploit/Vulnerability:
• An exploit is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug or vulnerability to cause unintended or unanticipated behaviour on computer software, hardware, or something electronic.
• A vulnerability is a flaw in a system that can leave it open to attack.
• A vulnerability may also refer to any type of weakness in a computer system itself, in a set of procedures, or in anything that leaves information security exposed to a threat. A vulnerability only becomes a risk when a threat agent can reach it and an exploit exists, or can be written, for it.
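The two definitions are clearest side by side in code: a vulnerability is the flaw, the exploit is the input that turns the flaw into behaviour the author never intended. The following is an added example, not from the slides, using the most common web flaw class as the illustration. It builds a login check against an in-memory SQLite table (the table and credentials are constructed for the demo; passwords are kept in clear only to keep the example short). The vulnerable version pastes user input into the SQL text, the exploit is a password value that rewrites the WHERE clause, and the hardened version sends the same value as a bound parameter so it is compared as data.

```python
"""Added example (not from the slides): a vulnerability, the exploit that abuses it,
and the fix, in one small login check. In-memory SQLite with a constructed user
table; the table and credentials are assumptions for the demo."""
import sqlite3
from typing import Optional


def make_db() -> sqlite3.Connection:
    """Constructed data: one user row. Clear-text password only to keep the demo
    short; a real system stores salted hashes."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return con


def login_vulnerable(con: sqlite3.Connection, name: str, password: str) -> Optional[str]:
    """VULNERABILITY: user input is pasted into the SQL text, so input can change
    the query's structure instead of just the values it compares."""
    query = f"SELECT name FROM users WHERE name='{name}' AND password='{password}'"
    row = con.execute(query).fetchone()
    return row[0] if row else None


def login_hardened(con: sqlite3.Connection, name: str, password: str) -> Optional[str]:
    """FIX: parameterised query. The statement is fixed; the driver binds the
    values separately, so the same input is compared as a literal string."""
    query = "SELECT name FROM users WHERE name=? AND password=?"
    row = con.execute(query, (name, password)).fetchone()
    return row[0] if row else None


# EXPLOIT: a crafted password that turns the WHERE clause into
#   name='alice' AND password='' OR '1'='1'   -> always true, no password needed
EXPLOIT_PASSWORD = "' OR '1'='1"
```

The same input that logs in without the password against the vulnerable function is rejected by the hardened one; the flaw (string-built SQL) and the exploit (the quoted OR clause) are separate things, and removing the flaw makes the exploit inert.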
Cryptography:
• Cryptography is a method of protecting information and communications.
• Cryptography is most often associated with scrambling plaintext (ordinary text, sometimes referred to as cleartext) into ciphertext (a process called encryption), then back again (known as decryption).
• Cryptography has two classes of encryption algorithm:
• 1. Symmetric Key: uses a single shared key for both encryption and decryption, so the key must be exchanged secretly beforehand.
• 2. Asymmetric Key: uses a key pair, a public key for encryption & a private key for decryption (and, the other way round, the private key to sign & the public key to verify).
• Cryptography has four objectives:
(I) Confidentiality
(II) Integrity
(III) Non-Repudiation
(IV) Authentication
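Which of the four objectives a mechanism delivers depends on how many parties hold the key, and that is the real difference between the symmetric and asymmetric classes above. The following is an added example, not from the slides, using only the Python standard library: a SHA-256 digest for integrity, an HMAC under one shared key for authentication plus integrity, and textbook RSA with a key pair for confidentiality and non-repudiation. The RSA parameters are fixed Mersenne primes with no padding, an assumption made so the example runs without a third-party library; it is a teaching toy, and real systems use a vetted library with proper key sizes and padding.

```python
"""Added example (not from the slides): symmetric vs asymmetric keys and the four
objectives. Integrity: SHA-256. Authentication + integrity under ONE shared key: HMAC.
Non-repudiation and confidentiality with a key PAIR: textbook RSA.
ASSUMPTION: fixed Mersenne-prime RSA parameters and no padding; a teaching toy only."""
import hashlib
import hmac


# --- Integrity: the digest changes if a single bit of the data changes ----------
def digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# --- Symmetric: one key, held by both parties (authentication + integrity) ------
def mac_tag(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def mac_verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac_tag(key, msg), tag)   # constant-time compare


# --- Asymmetric: different keys; the public one is shared, the private one is not
P = 2**127 - 1          # Mersenne prime (assumed toy parameter)
Q = 2**89 - 1           # Mersenne prime (assumed toy parameter)
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
PUBLIC_KEY = (N, E)
PRIVATE_KEY = (N, D)


def rsa_encrypt(pub, m: int) -> int:
    n, e = pub
    assert 0 <= m < n, "message must be smaller than the modulus"
    return pow(m, e, n)        # anyone holding the public key can encrypt


def rsa_decrypt(priv, c: int) -> int:
    n, d = priv
    return pow(c, d, n)        # only the private-key holder can decrypt


def rsa_sign(priv, msg: bytes) -> int:
    n, d = priv
    h = int.from_bytes(digest(msg), "big") % n
    return pow(h, d, n)        # signing needs the private key


def rsa_verify(pub, msg: bytes, sig: int) -> bool:
    n, e = pub
    h = int.from_bytes(digest(msg), "big") % n
    return pow(sig, e, n) == h   # anyone can verify with the public key


def symmetric_scenario() -> dict:
    """A MAC gives authentication but NOT non-repudiation: the verifier (bob) holds
    the same key, so he can produce a tag that passes for a message alice never sent."""
    key = b"shared-secret-known-to-alice-and-bob"   # constructed
    msg = b"transfer 100 to bob"
    tag = mac_tag(key, msg)
    forged = b"transfer 900 to bob"
    return {
        "genuine_verifies": mac_verify(key, msg, tag),
        "tamper_detected": not mac_verify(key, forged, tag),
        "bob_can_forge": mac_verify(key, forged, mac_tag(key, forged)),
    }


def asymmetric_scenario() -> dict:
    """A signature from the private key binds the message to its holder alone
    (non-repudiation); encryption to the public key is readable by that holder alone."""
    msg = b"transfer 100 to bob"
    sig = rsa_sign(PRIVATE_KEY, msg)
    secret = int.from_bytes(b"session key 0x42", "big")   # constructed, < N
    return {
        "signature_verifies": rsa_verify(PUBLIC_KEY, msg, sig),
        "tamper_detected": not rsa_verify(PUBLIC_KEY, b"transfer 900 to bob", sig),
        "roundtrip_ok": rsa_decrypt(PRIVATE_KEY, rsa_encrypt(PUBLIC_KEY, secret)) == secret,
    }
```

The "bob_can_forge" result is the point a practitioner should take away: a shared-key MAC proves the message came from someone who holds the key, which is enough for authentication between two parties, but it cannot settle a dispute between them, because either party could have produced it. Only the asymmetric signature, made with a key that one party alone holds, gives non-repudiation.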
