Information Systems 365/765: Information Systems Security and Strategy
Lecture 2: Introduction to Information Security

Information Security Defined
Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction. Information security is concerned with the confidentiality, integrity and availability of data regardless of the form the data may take: electronic, print, or other forms.

Why Study Information Security in the School of Business?
• Businesses collect mass amounts of data about their customers, employees, and competitors
• Most of this data is stored on computers and transmitted across networks
• If this information should fall into the hands of a competitor, the result could be loss of business, lawsuits and bankruptcy
• Protecting corporate data is no longer an option, it is a requirement

What Types of Jobs Do Information Security Professionals Hold?
• Information Systems Auditor
• Business Continuity and Disaster Recovery Planning and Implementation
• Digital Forensics
• Infrastructure Design
• Business Integration

History of Information Security
• Throughout history, confidentiality of information has always played a key role in military conflict
• Confidentiality
• Tampering
• Authenticity
• Physical protection
• Background checks
• Encryption

Key Concept of Information Security
The single most important slide in this course!
Confidentiality, Integrity, Availability (the CIA Triad)

Confidentiality
Confidentiality is the process of preventing disclosure of information to unauthorized individuals or systems.
Examples: Credit card, Shoulder Surfing, Laptop theft
Confidentiality is necessary, but not sufficient, to maintain privacy.

Integrity
Integrity means that data cannot be modified without authorization.
Examples: Manual deletion or alteration of important data files, Virus infection, Employee altering their own salary, website vandalism, polling fraud
In information security, the term “data integrity” should not be confused with database referential integrity.

Availability
For any information system to serve its purpose, the information must be available when it is needed. This means that the computing systems used to store and process the information, the security controls used to protect it, and the communication channels used to access it must be functioning correctly.
Examples: Power outages, Hardware failures, System upgrades and Preventing denial-of-service attacks

Authenticity
In computing, e-Business and information security it is necessary to ensure that the data, transactions, communications or documents (electronic or physical) are genuine (i.e. they have not been forged or fabricated).
Examples: Passport, Credit card accounts, academic transcripts

Non-Repudiation
Non-Repudiation is a complex term used to describe the lack of deniability of ownership of a message, piece of data, or transaction.
Examples: Proof of an ATM transaction, a stock trade, or an email

Strong Information Security = Solid Risk Management
Proper risk management involves understanding and controlling risks, vulnerabilities and threats.
• Risk is the likelihood that something bad will happen that causes harm or loss of an informational asset.
• Vulnerability is a weakness that could be used to endanger or cause harm to an informational asset.
• Threat is anything deliberate or random and unanticipated that has the potential to cause harm.

Risk Management
The likelihood that a threat will use a vulnerability to cause harm creates a risk. When a threat does use a vulnerability to inflict harm, it has an impact.
In the context of information security, the impact is a loss of availability, integrity, and confidentiality, and possibly other losses (lost income, loss of life, loss of real property).
It should be pointed out that it is not possible to identify all risks, nor is it possible to eliminate all risk. The remaining risk is called residual risk.

Risk Assessment
A risk assessment is a formal project carried out by a team of people who have knowledge of specific areas of the business. Membership of the team may vary over time as different parts of the business are assessed.
The assessment may use a subjective qualitative analysis based on informed opinion, or, where reliable dollar figures and historical information are available, the analysis may use quantitative analysis as well.

Components of a Risk Assessment
• Security policy
• Organization of information security
• Asset management
• Human resources security
• Physical and environmental security
• Communications and operations management
• Access control, logical and physical
• Information systems acquisition and lifecycle management
• Development and maintenance
• Information security incident management
• Business continuity management
• Regulatory compliance

Risk Management Process
• Identification of assets and estimating their value. Include: people, buildings, hardware, software, data (electronic, print, other), supplies.
• Conduct a threat assessment. Include: acts of nature, acts of war, accidents, malicious acts originating from inside or outside the organization.
• Conduct a vulnerability assessment, and for each vulnerability, calculate the probability that it will be exploited. Evaluate policies, procedures, standards, training, physical security, quality control and technical security.

Risk Management Process (continued)
• Calculate the impact that each threat would have on each asset. Use qualitative analysis or quantitative analysis.
• Identify, select and implement appropriate controls. Provide a proportional response. Consider productivity, cost effectiveness, and value of the asset.
• Evaluate the effectiveness of the control measures. Ensure the controls provide the required cost-effective protection without discernible loss of productivity.

Risk Remedies
For any given risk, you may choose to:
• Accept the risk based upon the relatively low value of the asset, the relatively low frequency of occurrence, and the relatively low impact on the business.
• Mitigate the risk by selecting and implementing appropriate control measures to reduce the risk.
• Transfer the risk to another business by buying insurance or out-sourcing to another business.
• Deny the risk, which is obviously dangerous.

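The quantitative side of the risk management process above (value the asset, estimate how often a threat will exploit a vulnerability, calculate the impact, then give a proportional response) can be worked through in code. The following is an added example written for these notes, not part of the lecture: it uses the common single-loss / annualized-loss expectancy formulation (asset value × exposure factor × annual rate), and the dollar figures, thresholds and control costs are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed decision thresholds (assumptions for this example, not the lecture's figures)
ACCEPT_BELOW = 500.0       # an annualized loss this small is simply accepted as residual risk
TRANSFER_AT = 50_000.0     # at this size, with no cost-effective control, transfer it (insurance)


@dataclass
class Risk:
    asset: str
    threat: str
    asset_value: float      # replacement value of the asset in dollars
    exposure_factor: float  # fraction of the value lost when the threat occurs (0..1)
    annual_rate: float      # expected occurrences per year (from history or informed opinion)


@dataclass
class Control:
    name: str
    annual_cost: float      # yearly cost of operating the control
    reduction: float        # fraction of the annualized loss the control removes (0..1)


def single_loss_expectancy(risk: Risk) -> float:
    """Dollar loss from one occurrence of the threat against the asset."""
    return round(risk.asset_value * risk.exposure_factor, 2)


def annualized_loss_expectancy(risk: Risk) -> float:
    """Expected yearly loss: one occurrence's loss times how often it is expected."""
    return round(single_loss_expectancy(risk) * risk.annual_rate, 2)


def residual_ale(risk: Risk, control: Control) -> float:
    """Annualized loss that remains after the control is in place (the residual risk)."""
    return round(annualized_loss_expectancy(risk) * (1.0 - control.reduction), 2)


def choose_remedy(risk: Risk, control: Optional[Control] = None) -> Tuple[str, float]:
    """Pick accept / mitigate / transfer and return it with the yearly loss still carried.

    A control is only worth implementing when it costs less than the loss it removes
    (the lecture's 'proportional response'); otherwise a large risk is transferred
    and a small one accepted. Denying the risk is never an option here.
    """
    ale = annualized_loss_expectancy(risk)
    if ale < ACCEPT_BELOW:
        return ("accept", ale)
    if control is not None:
        residual = residual_ale(risk, control)
        savings = round(ale - residual, 2)
        if control.annual_cost < savings:
            return ("mitigate", residual)
    if ale >= TRANSFER_AT:
        return ("transfer", ale)
    return ("accept", ale)


def rank_by_ale(risks: List[Risk]) -> List[str]:
    """Asset/threat pairs ordered so the largest expected loss is handled first."""
    ordered = sorted(risks, key=annualized_loss_expectancy, reverse=True)
    return [f"{r.asset}: {r.threat}" for r in ordered]


# Constructed sample register, using assets of the kind the lecture mentions
LAPTOP_THEFT = Risk("sales laptop", "theft", 3_000.0, 1.0, 0.5)
DB_BREACH = Risk("customer database", "unauthorized disclosure", 400_000.0, 0.5, 0.25)
PRINTER_FAILURE = Risk("office printer", "hardware failure", 800.0, 0.5, 1.0)

CABLE_LOCK_AND_ENCRYPTION = Control("cable locks plus full-disk encryption", 100.0, 0.8)
ACCESS_CONTROL_PROGRAM = Control("access control and monitoring program", 60_000.0, 0.9)

if __name__ == "__main__":
    for risk, control in [(LAPTOP_THEFT, CABLE_LOCK_AND_ENCRYPTION),
                          (DB_BREACH, ACCESS_CONTROL_PROGRAM),
                          (PRINTER_FAILURE, None)]:
        remedy, carried = choose_remedy(risk, control)
        print(f"{risk.asset:18} ALE ${annualized_loss_expectancy(risk):>10,.2f}"
              f" -> {remedy}, still carrying ${carried:,.2f}/year")
```

Note how the database case comes out: the control would remove 90% of a $50,000 expected loss, but at $60,000 a year it costs more than it saves, so the proportional response is to transfer the risk rather than to mitigate it. The laptop control costs $100 against $1,200 saved, so it is implemented and $300 a year remains as residual risk.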
Information Security Controls
When management chooses to mitigate a risk, they will do so by implementing one or more of three different types of controls:
• Administrative Controls
• Logical/Technical Controls
• Physical Controls

Administrative Controls
Consist of approved written policies, procedures, standards and guidelines.
Administrative controls form the framework for running the business and managing people. They inform people on how the business is to be run and how day-to-day operations are to be conducted.
Laws and regulations created by government bodies are also a type of administrative control, such as PCI, HIPAA, FERPA and SOX.
Other examples of administrative controls include the corporate security policy, password policy, hiring policies, and disciplinary policies.

Separation of Duties is the most important and often overlooked administrative control
Separation of duties ensures that an individual cannot complete a critical task by themselves.
For example: an employee who submits a request for reimbursement should not also be able to authorize payment or print the check.
An applications programmer should not also be the server administrator or the database administrator.
These roles and responsibilities must be separated from one another.

Logical Controls
Logical controls (also called technical controls) consist of software and data to monitor and control access to information and computing systems.
For example: passwords, network and host based firewalls, network intrusion detection systems, access control lists, and data encryption are logical controls.

The Principle of Least Privilege is the most important and often overlooked logical control in IS
The principle of least privilege requires that an individual, program or system process is not granted any more access privileges than are necessary to perform the task.
A blatant example of the failure to adhere to the principle of least privilege is logging into Windows as user Administrator to read email and surf the Web.
Violations of this principle can also occur when an individual collects additional access privileges over time:
• Job duties change (promotion, new position, etc.)
• They are promoted to a new position, or they transfer to another department.
Examine and adjust access rights for ALL employees on a regular basis.

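The two controls just described, separation of duties and least privilege, are enforced in practice by the regular access review the slide ends with. The following is an added example for these notes (not the lecture's own material) of what such a review checks: a constructed role model of which privileges each job role is entitled to, a constructed list of privilege pairs no single person may hold (the reimbursement and programmer/administrator cases from the slides), and a review that flags privileges left over from an earlier role and any duty conflicts.

```python
from typing import Dict, List, Set, Tuple

# Constructed role model: the privileges each job role is entitled to (assumed, not the lecture's)
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "reimbursement_clerk": {"submit_reimbursement", "view_invoices"},
    "finance_manager": {"authorize_payment", "print_check", "view_invoices"},
    "applications_programmer": {"deploy_application", "read_application_logs"},
    "server_administrator": {"server_root", "read_application_logs"},
    "database_administrator": {"database_admin"},
    "office_user": {"email", "web_browsing"},
}

# Constructed separation-of-duties rules: privilege pairs one person must never hold together
CONFLICTING_PAIRS: List[Tuple[str, str]] = [
    ("submit_reimbursement", "authorize_payment"),
    ("submit_reimbursement", "print_check"),
    ("deploy_application", "server_root"),
    ("deploy_application", "database_admin"),
]


def excess_privileges(role: str, held: Set[str]) -> Set[str]:
    """Privileges beyond what the current role needs: a least-privilege violation,
    typically left over from an earlier role after a promotion or transfer."""
    return held - ROLE_ENTITLEMENTS[role]


def duty_conflicts(held: Set[str]) -> List[Tuple[str, str]]:
    """Conflicting pairs that this one set of privileges would let a single person exercise."""
    return [pair for pair in CONFLICTING_PAIRS if pair[0] in held and pair[1] in held]


def review_access(employees: Dict[str, Tuple[str, Set[str]]]) -> Dict[str, dict]:
    """Periodic access review: per employee, what to revoke and which duties collide.
    Employees whose privileges match their role exactly produce no finding."""
    findings: Dict[str, dict] = {}
    for name, (role, held) in employees.items():
        excess = excess_privileges(role, held)
        conflicts = duty_conflicts(held)
        if excess or conflicts:
            findings[name] = {"revoke": sorted(excess), "conflicts": conflicts}
    return findings


# Constructed sample: accounts as they might look after promotions and transfers
EMPLOYEES: Dict[str, Tuple[str, Set[str]]] = {
    # promoted from clerk to manager but kept the clerk's submission right
    "alice": ("finance_manager",
              {"submit_reimbursement", "authorize_payment", "print_check", "view_invoices"}),
    # programmer who was given root on the production server "temporarily"
    "bob": ("applications_programmer",
            {"deploy_application", "read_application_logs", "server_root"}),
    # reads email and browses the Web from an administrator account (the slide's Windows example)
    "carol": ("office_user", {"email", "web_browsing", "local_administrator"}),
    # privileges match the role exactly
    "dave": ("database_administrator", {"database_admin"}),
}

if __name__ == "__main__":
    for name, finding in review_access(EMPLOYEES).items():
        print(f"{name}: revoke {finding['revoke']}, conflicts {finding['conflicts']}")
```

Revoking the excess privileges is what clears the duty conflicts here: once alice loses `submit_reimbursement` and bob loses `server_root`, neither can complete a critical task alone, which is exactly the outcome separation of duties requires.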
Physical Controls
Physical controls monitor and control the environment of the work place and computing facilities. They also monitor and control access to and from such facilities.
For example: doors, locks, heating and air conditioning, smoke and fire alarms, fire suppression systems, cameras, barricades, fencing, security guards, cable locks, etc.
Separating the network and work place into functional areas are also physical controls.

Security Classification of Information
An important aspect of information security and risk management is recognizing the value of information and defining appropriate procedures and protection requirements for the information. Not all information is equal and so not all information requires the same degree of protection. This requires information to be assigned a security classification.

Security Classification of Information
1. Identify a member of senior management as the owner of the particular information to be classified.
2. Develop a classification policy. The policy should describe the different classification labels, define the criteria for information to be assigned a particular label, and list the required security controls for each classification.

Security Classification of Information
Some factors that influence which classification information should be assigned include:
• How much value that information has to the organization
• How old the information is and whether or not the information has become obsolete
• Laws and other regulatory requirements are also important considerations when classifying information

Information Security Classification Labels
Common information security classification labels used by the business sector are:
• Public
• Sensitive
• Private
• Confidential

Information Security Classification Labels
All employees in the organization, as well as business partners, must be trained on the classification schema and understand the required security controls and handling procedures for each classification.
The classification a particular information asset has been assigned should be reviewed periodically to ensure the classification is still appropriate for the information and to ensure the security controls required by the classification are in place.

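A classification policy of the kind described in the preceding slides (labels, an accountable owner, required controls per label, periodic review) is easy to make checkable. The following is an added example for these notes, not the lecture's material: the four labels are the ones on the slide, but the controls required for each label, the yearly review interval, the asset records and the reference date are all constructed assumptions.

```python
from datetime import date, timedelta
from typing import Dict, List, Set

# Constructed handling policy: the controls each label requires (assumed, not the lecture's)
REQUIRED_CONTROLS: Dict[str, Set[str]] = {
    "Public": set(),
    "Sensitive": {"access_control"},
    "Private": {"access_control", "encryption_at_rest"},
    "Confidential": {"access_control", "encryption_at_rest",
                     "encryption_in_transit", "access_logging"},
}
REVIEW_INTERVAL = timedelta(days=365)   # constructed: re-examine each classification yearly


class Asset:
    """One classified information asset with its accountable owner and current controls."""

    def __init__(self, name: str, owner: str, label: str, controls: Set[str], last_review: date):
        if label not in REQUIRED_CONTROLS:
            # labels outside the policy cannot be handled consistently, so refuse them
            raise ValueError(f"unknown classification label: {label}")
        self.name = name
        self.owner = owner            # senior manager who owns the information
        self.label = label
        self.controls = set(controls)
        self.last_review = last_review


def missing_controls(asset: Asset) -> Set[str]:
    """Controls the label requires that are not in place for this asset."""
    return REQUIRED_CONTROLS[asset.label] - asset.controls


def review_overdue(asset: Asset, today: date) -> bool:
    """True when the classification has not been re-examined within the review interval."""
    return today - asset.last_review > REVIEW_INTERVAL


def audit(assets: List[Asset], today: date) -> Dict[str, List[str]]:
    """Periodic check of the whole register; assets with nothing wrong are omitted."""
    findings: Dict[str, List[str]] = {}
    for asset in assets:
        issues = []
        missing = missing_controls(asset)
        if missing:
            issues.append("missing controls: " + ", ".join(sorted(missing)))
        if review_overdue(asset, today):
            issues.append("classification review overdue")
        if issues:
            findings[asset.name] = issues
    return findings


# Constructed sample register and reference date
ASSETS = [
    Asset("payroll database", "CFO", "Confidential",
          {"access_control", "encryption_at_rest", "encryption_in_transit"}, date(2023, 1, 15)),
    Asset("marketing brochure", "VP Marketing", "Public", set(), date(2024, 3, 1)),
    Asset("supplier contracts", "COO", "Private", {"access_control"}, date(2024, 5, 20)),
]
TODAY = date(2024, 6, 1)

if __name__ == "__main__":
    for name, issues in audit(ASSETS, TODAY).items():
        print(name + ":", "; ".join(issues))
```

Keeping the required controls in one table, keyed by label, is what lets the policy be applied uniformly: when a label's requirements change, every asset carrying that label is re-checked by the same audit without editing each record.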