Presentation is loading. Please wait.

Presentation is loading. Please wait.

Agenda  Introduce key concepts in information security from the practitioner’s viewpoint.  Discuss identifying and prioritizing information assets through.

Published byGwenda Fletcher Modified over 8 years ago

Similar presentations

Presentation on theme: "Agenda  Introduce key concepts in information security from the practitioner’s viewpoint.  Discuss identifying and prioritizing information assets through."— Presentation transcript:

1

2 Agenda  Introduce key concepts in information security from the practitioner’s viewpoint.  Discuss identifying and prioritizing information assets through the practical application of risk assessment methods.  Discuss the application of information security best practice models in high security environments.

3 Agenda  Provide practical examples of identifying threats to information assets.  Discuss compliance obligations for Government and non-government organizations.

4 “The Need to Know” Understanding your Information System Understanding the relationship between Information Security, Data Quality and Governance

5 What is Information Security ?  Organisations which collect and store data about:  Customers  Staff, and;  Key business processes (IP)  Must be able to demonstrate effective security measures to:  Ensure that personal information is accurate and up to date and that Vital IP about the core business is secure to retain the confidence of key stakeholders  “If you can’t secure data you can’t measure it’s quality and you can’t improve integrity”

6 What is Information Security ?  “Information Security” combination of:  Communications security (Comsec)  Computer security (Compusec) Ref: Australian National Computer Security and Information Security Authority The Defence Signals Directorate

7 What is Information Security ?  "confidentiality“  ensuring that information is available only to those people properly authorized to receive it.  “ Integrity”  ensuring that information has not been changed or tampered with;  “Availability”  ensures that communications and computing systems are not disrupted in their normal operations;

8 What is Information Security ?  Authentication  ensures that a person accessing or providing information is actually who they claim to be; and,  Non-repudiation  ensures that a person is not able to deny the receipt of information if they have, in fact, received it.  These factors are rapidly growing in importance as our day-to-day business is increasingly conducted by electronic means.

9 Risk Assessment Do you understand your information system ? Risk Assessment will reveal a detailed view of your information environment.  Establish the boundaries of your system.  Identify your information inventory.  Identify and value your critical data sets.  Establish the risks to your information system.

10 Risk Assessment  The risk assessment process - converting subjective risks into objective harms. Harms to your information system can be assessed, analysed and measured. Risk is assessed against the likelihood and consequence of compromising:  Confidentiality  Integrity  Availability of your information

11 Risk Assessment  Determining the level of risk is achieved by comparing the relationship between the threats to information and assets and the known security weaknesses or vulnerability of information technology systems.  The level of acceptable risk is a managerial decision based on the information and recommendations provided in the risk assessment.

12 Risk Assessment Discover environmental data:  What data do you hold?  Where is the information?  Where does the data reside ?  Interfaces ?  Who has access to your information?  What are the boundaries of your system?  Is information systems security about computers or Information ?

13 Risk Assessment  Establish the Context  Define relationship with other systems.  Identify assets.  Establish risk criteria.  Risk Identification  Identify the risks to be managed.  Determine what to protect against (Threats).  Determine who to protect against.

14 Risk Assessment  Risk Analysis  Analyze risks to be managed.  Estimate likelihood and consequence.  Determine context against management/control measures.  Assess existing/proposed security measures.  Determine vulnerability and acceptable risk.

15 Risk Assessment  Risk Evaluation and Treatment  Compare assessed risks against risk criteria.  Consider treatment options.  Recommendations  Identify the steps to be taken to manage the accepted or residual risks.

16 High Security Environments Security in Depth

17 High Security Environments  Characterized by robust security plans.  Information Security principles are the key.  “The Need to Know” Principle.  “The availability of information limited to those who need to use or access the information to do their work”.

18 High Security Environments  Awareness - expectations about use and care of information.  Protective security procedures and measures must be understood by those who will implement and practice them.  Concept of “Security in Depth”

19 Security in Depth  Concept of Security in Depth is a key element in securing information in high security environments.  Several Protective Security barriers to access information must be penetrated by an external intruder or unauthorized staff member with no “Need to Know”.

20 Security in Depth  The barriers consist of interlocking measures designed to combine to exclude any unauthorized penetration attempt.  Protective Security procedures and measures must be understood by those who will implement and practice them.

21 Security in Depth Protective Security procedures / measures:  Staff background checks  Security instructions  Security education programs  Security guards  Access control and surveillance systems  Keys  Safes  Passwords

22 Threats to Information Assets

23 Threats that can impact on the Confidentiality, Integrity and Availability of an Information System include the following generic threats:  Accidental Threats  Fire  Programming error  Technical (hardware) failure  Data entry error  Environmental  Failure of power

24 Threats to Information Assets  Deliberate Threats including:  Denial of Service  Eavesdropping  Malicious code – virus  Malicious code - logic  Malicious destruction of data  Malicious destruction of Facilities  Unauthorised access to data  Unauthorised release of data

25 Compliance Obligations  Handle all information with care – all information that an employee or contractor accesses must be handled according to policy – official information, personal information (Privacy Act).  Information must only be used for the purpose stated by the agency or organization- any other use is misuse.  Information must be secured appropriately- sound security risk management – Procedures to identify Vital information and information resources.  Risks must be reduced to an acceptable level.

26 Compliance Obligations  The Integrity and reliability of information systems which process, store or transmit information - require some level of protection.  Some Government information (official information) is given a security classification where its compromise could cause harm to the nation, the public interest, the Government or other entities or individuals.  Specific security measures must be followed.

27 Information Security Plans  If you can’t map your system you can’t secure your data.  Your system is bounded by your data model.  What do you protect ?  The data in the system.  The system is more that the static ICT elements:  Paper  Media – removable  Knowledge – people  Communications – internet, phone, mobile fax etc

28 Information Security Plans Aim: Provide an effective, integral and available information system and resource by: Incorporating security into every facet of the architecture, design and operation of the System environment. Establishing a Security Management Strategy. Developing Security Standards.

29 Information Security Plans Development of Information Security Plans requires a good understanding of your data.  Step 1 Understand your information (Data)  Step 2 Understand your Information System.  Step 3 Map your system boundaries - SAPP (Security Architecture and Policy Plan)

30 Information Security Plans  Step 4 Develop an Information Security (IS) Policy.  Step 5 Develop an Information Security (IS) Plan.  Step 6 Develop and implement Risk Management System.  Step 7 Establish an IS Education Program.

31 Information Security Plans Implement Security System. Implement compliance management system. Implement Security Education and Awareness ProgramOutcome Protecting information against unauthorized disclosure, fraud, loss, damage or theft.

32 Security Education and Awareness Program Who is Responsible ?

33 Restricting Overview Access  All authorised users must take every possible precaution to ensure that information, regardless of its security classification and the security clearance of those in the vicinity, cannot be viewed by those without a “Need-to-Know”.  Information accessed on the System may only be divulged to another person on a strictly need-to- know basis.

34 Restricting Overview Access  Any person accessing the System may only view information which relates to that which they have a need-to-know to do their normal work.  User with Privileged Access must only access System Information on a strictly need-to-know basis only when it involves system maintenance.  Read and sign the Information Security Procedures at regular intervals

35 User Personal responsibility  Maintain NEED to KNOW  Report ALL Security Incidents to the Information Security Officer  Adhere to the Password policy  Regularly access Security informationOutcome Protecting information against unauthorized disclosure, fraud, loss, damage or theft

36 Password Security - The Basics Passwords must never be written down. Never share Passwords under any circumstances. Password length should be the minimum length defined in the Information Security Procedures. Never contain the User ID in the Password.

37 Password Security - The Basics Passwords should not be based on any common abbreviation or acronym. Passwords should not be based on any information about yourself, including family, friends, pets, birthdays etc Publish password rules in the Information Security Procedures.

38 Information Security Audit  Conduct of regular Information Security Audit will improve Governance and management of your system.  Provide better understanding of information and the system where the information resides.  Improve Governance over all system data.  The key word is UNDERSTANDING. “Managing the unknown will lead to less than optimal data quality.”

39 Review  Key concepts in information security from the practitioner’s viewpoint.  Identifying and prioritizing information assets through the practical application of risk assessment methods.  The application of information security best practice models in high security environments.

40 Review  Practical examples of identifying threats to information assets.  Compliance obligations for Government and non-government organizations.  Development of information security plans.  Advantages of conducting Information Security Audits to check the health of your information security system.

41 QUESTIONS?

Download ppt "Agenda  Introduce key concepts in information security from the practitioner’s viewpoint.  Discuss identifying and prioritizing information assets through."

Similar presentations

Copyright © XiSEC, All rights reserved, 2002 Secure Computing Best Lifetime Achievement Award 2002 Ted Humphreys Information Security Management Goes Global.

Copyright © XiSEC, All rights reserved, 2002 Secure Computing Best Lifetime Achievement Award 2002 Ted Humphreys Information Security Management Goes Global.
Risk Management Policy & Procedures An Overview for Staff Prepared by MSM Compliance Services Pty Ltd.

Risk Management Policy & Procedures An Overview for Staff Prepared by MSM Compliance Services Pty Ltd.
Information System Audit : © South-Asian Management Technologies Foundation Chapter 4: Information System Audit Requirements.

Information System Audit : © South-Asian Management Technologies Foundation Chapter 4: Information System Audit Requirements.
HIPAA. What Why Who How When What Is HIPAA? Health Insurance Portability & Accountability Act of 1996.

HIPAA. What Why Who How When What Is HIPAA? Health Insurance Portability & Accountability Act of 1996.
Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group 209-754-9130

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
ICS 417: The ethics of ICT 4.2 The Ethics of Information and Communication Technologies (ICT) in Business by Simon Rogerson IMIS Journal May 1998.

ICS 417: The ethics of ICT 4.2 The Ethics of Information and Communication Technologies (ICT) in Business by Simon Rogerson IMIS Journal May 1998.
Chapter 5: Asset Classification

Chapter 5: Asset Classification
Agenda COBIT 5 Product Family Information Security COBIT 5 content

Agenda COBIT 5 Product Family Information Security COBIT 5 content
Auditing Computer Systems

Auditing Computer Systems
Lecture 1: Overview modified from slides of Lawrie Brown.

Lecture 1: Overview modified from slides of Lawrie Brown.
The Islamic University of Gaza

The Islamic University of Gaza
Security Controls – What Works

Security Controls – What Works
Information Security Policies and Standards

Information Security Policies and Standards
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.

Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
Information Systems Security Officer

Information Systems Security Officer
Stephen S. Yau CSE465 & CSE591, Fall 2006 1 Information Assurance (IA) & Security Overview Concepts Security principles & strategies Techniques Guidelines,

Stephen S. Yau CSE465 & CSE591, Fall Information Assurance (IA) & Security Overview Concepts Security principles & strategies Techniques Guidelines,
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
Session 3 – Information Security Policies

Session 3 – Information Security Policies
Information Systems Controls for System Reliability -Information Security-

Information Systems Controls for System Reliability -Information Security-

Similar presentations

Ads by Google