CREATE THE DIFFERENCE Data and Information (Special thanks to Janet Francis for this presentation)
Aims
This lecture will cover:
– Data and Information
– Information Systems
– Information Security and Risk Management
– Legislation

Data and Information
– Data: raw figures, characters or words which mean nothing in isolation.
– Information: statistics, trends or facts gained from processing raw data.

Categories of information
– Strategic: long-term planning; imprecise, enterprise-wide, external to individual departments.
– Tactical: medium-term, e.g. departmental sales forecasts.
– Operational: short-term, immediate goals, precise.

Levels of information
– International information
– National information
– Corporate information
– Departmental information
– Individual information

Attributes of Information
– Level of detail
– Degree of precision required
– Time
– Task and/or person associations
– Value

Information Systems
– An information system is the set of processes associated with the data and information in an organisation, including both manual and automated processes.
– Key components: hardware, software, communications.

Information Security
– Relates to the protection of information and information systems from unauthorised access, use, disclosure, disruption, modification or destruction.
– The three key components of information security (often called the CIA triad) are:
  – Confidentiality
  – Integrity
  – Availability

Confidentiality
– Confidentiality is the property of preventing disclosure of information to unauthorised individuals or systems.
– For example, a credit card transaction on the Internet requires the card number to be transmitted from the buyer to the merchant and from the merchant to a transaction processing network. Confidentiality is maintained by encrypting the number in transit and by restricting where it is stored and who can read it.
– Breaches of confidentiality take many forms:
  – Permitting someone to look over your shoulder at your computer screen while confidential data is displayed on it.
  – A laptop containing sensitive information about a company's employees being stolen or sold.

Integrity
– Integrity means that data cannot be modified without authorisation, or at least that any unauthorised modification is detectable. (This is not the same thing as referential integrity in databases.)
– Integrity is violated when:
  – an employee (accidentally or with malicious intent) deletes important data files
  – a computer virus infects a computer
  – an employee is able to modify his own salary in a payroll database
  – an unauthorised user vandalises a web site
  – someone is able to cast a very large number of votes in an online poll

Availability
– The computing systems used to store and process the information, the security controls used to protect it, and the communication channels used to access it must all be functioning correctly when the information is needed.
– High availability systems aim to remain available at all times.
– Loss of availability may be caused by:
  – power outages
  – hardware failures
  – system upgrades
  – denial-of-service attacks

Risk Management
– Risk management is the process of identifying vulnerabilities and threats to the information resources used by an organisation in achieving business objectives, and deciding what countermeasures, if any, to take to reduce risk to an acceptable level, based on the value of the information resource to the organisation.
– It is an ongoing, iterative process that must be repeated indefinitely: the business environment is constantly changing and new threats and vulnerabilities emerge every day.
– The choice of control used to manage a risk must strike a balance between:
  – productivity
  – cost
  – effectiveness of the control
  – the value of the information asset being protected

Risk Management: Some definitions
– Risk is the likelihood that something bad will happen that causes harm to an information asset (or the loss of the asset).
– A vulnerability is a weakness that could be used to endanger or cause harm to an information asset.
– A threat is anything (man-made or an act of nature) that has the potential to cause harm.
– The likelihood that a threat will use a vulnerability to cause harm creates a risk.
– When a threat does use a vulnerability to inflict harm, it has an impact.
– In the context of information security, the impact is a loss of availability, integrity or confidentiality.
– Other losses include loss of income, loss of life and loss of property.

Risk Assessment
– A risk assessment is carried out by a team of people who have knowledge of specific areas of the business.
– Membership of the team may vary over time as different parts of the business are assessed.
– The assessment may use a subjective, qualitative analysis based on informed opinion and/or a quantitative analysis of what may be lost and its value.

The Risk Management Process
1. Identify assets and estimate their value. Include: people, buildings, hardware, software, data (electronic, print, other), supplies.
2. Conduct a threat assessment. Include: acts of nature, acts of war, accidents, malicious acts originating from inside or outside the organisation.
3. Conduct a vulnerability assessment and, for each vulnerability, estimate the probability that it will be exploited. Evaluate policies, procedures, standards, training, physical security, quality control and technical security.
4. Calculate the impact that each threat would have on each asset, using qualitative or quantitative analysis.
5. Identify, select and implement appropriate controls. Provide a proportional response: consider productivity, cost effectiveness and the value of the asset.
6. Evaluate the effectiveness of the control measures. Ensure the controls provide the required cost-effective protection without discernible loss of productivity.
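The six steps above carried through quantitatively, as an added example that is not part of the original slides. It assumes the common expected-loss model (annual expected loss = probability of exploitation per year × asset value × exposure factor), which the slides do not state, and the asset values, probabilities and control costs are constructed figures for illustration only.

```python
"""Quantitative risk assessment following the six-step process.

Added example with constructed figures.  Assumed model (standard practice,
but not stated on the slides):

    annual expected loss = probability of exploitation per year
                           x (asset value x exposure factor)

where the exposure factor is the fraction of the asset's value lost in one
incident.  A control is worth implementing when the expected loss it removes
exceeds its own annual cost; otherwise the (small) risk is accepted.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Asset:
    name: str
    value: float  # step 1: estimated value of the asset


@dataclass(frozen=True)
class Risk:
    asset: Asset
    threat: str          # step 2: threat agent or event
    vulnerability: str   # step 3: the weakness the threat would exploit
    probability: float   # step 3: probability of exploitation per year
    exposure: float      # step 4: fraction of the asset's value lost per incident


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    residual_probability: float  # probability that remains once the control is in place


def expected_loss(risk: Risk, probability: Optional[float] = None) -> float:
    """Step 4: annual expected loss for one threat/asset pair."""
    p = risk.probability if probability is None else probability
    return p * risk.asset.value * risk.exposure


def rank_risks(risks: list) -> list:
    """Order risks so the largest expected losses are treated first."""
    return sorted(risks, key=expected_loss, reverse=True)


def evaluate_control(risk: Risk, control: Control) -> dict:
    """Steps 5 and 6: a proportional response.

    The control is recommended only if the loss it prevents is larger than
    what it costs; a control that costs more than the risk it removes is
    rejected and the risk is accepted instead.
    """
    before = expected_loss(risk)
    after = expected_loss(risk, control.residual_probability)
    net_benefit = (before - after) - control.annual_cost
    return {
        "risk": f"{risk.threat} -> {risk.asset.name}",
        "loss_before": before,
        "loss_after": after,
        "net_benefit": net_benefit,
        "decision": "mitigate" if net_benefit > 0 else "accept",
    }


# Constructed sample register (hypothetical figures, not from the slides).
PAYROLL = Asset("payroll database", value=500_000)
PRINTER = Asset("office printer", value=1_500)

SALARY_FRAUD = Risk(PAYROLL, "insider edits own salary",
                    "no approval step on payroll changes",
                    probability=0.30, exposure=0.10)
PRINTER_FAILURE = Risk(PRINTER, "hardware failure",
                       "single device, no spare",
                       probability=0.10, exposure=1.0)

FOUR_EYES = Control("two-person approval plus change logging",
                    annual_cost=8_000, residual_probability=0.02)
SPARE_PRINTER = Control("second printer on standby",
                        annual_cost=1_200, residual_probability=0.01)


def assess_register() -> list:
    """Run the whole process over the sample register and return the decisions."""
    plan = {SALARY_FRAUD: FOUR_EYES, PRINTER_FAILURE: SPARE_PRINTER}
    return [evaluate_control(r, plan[r]) for r in rank_risks(list(plan))]


if __name__ == "__main__":
    for row in assess_register():
        print(f"{row['risk']}: loss {row['loss_before']:.0f}/yr -> "
              f"{row['loss_after']:.0f}/yr, net benefit {row['net_benefit']:.0f}: {row['decision']}")
```

With these figures the salary-fraud risk (15,000 per year expected loss) is worth an 8,000 control that cuts it to 1,000, while the printer risk (150 per year) is accepted because the standby printer would cost far more than it saves. The same arithmetic is what step 6 repeats after the control is in place, with measured rather than estimated probabilities.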

Risk Management Decisions
– Accept the risk: justified by the relatively low value of the asset, the relatively low frequency of occurrence and the relatively low impact on the business.
– Mitigate the risk: select and implement appropriate control measures to reduce the risk.
– Transfer the risk: in some cases the risk can be transferred to another business by buying insurance or by outsourcing.
– Deny the risk: the reality of some risks may be disputed. Denying a risk is itself a risk, because no controls are chosen for it and it is never reassessed.

Risk Management Controls
Controls used to mitigate a risk fall into three classes:
– Administrative
– Logical
– Physical

Administrative
– Administrative controls consist of approved written policies, procedures, standards and guidelines.
– Laws and regulations created by government bodies are also a type of administrative control, because they set requirements the business must meet.
– Examples of administrative controls relating to the information resource: security policy, password policy.
– Administrative controls form the basis for the selection and implementation of logical and physical controls.

Logical
– Logical (technical) controls use software and data to monitor and control access to information and computing systems. For example:
  – passwords
  – network and host-based firewalls
  – network intrusion detection systems
  – access control lists
  – data encryption
– The principle of least privilege requires that an individual, program or system process is not granted any more access privileges than are necessary to perform its task.
– Violations:
  – logging into Windows as user Administrator to read e-mail
  – when employees' job duties change, the access privileges required by their new duties are frequently added onto their already existing access privileges, which may no longer be necessary or appropriate (privilege creep)
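The privilege-creep violation described above, shown beside the correct handling, as an added example that is not from the original slides. The role model, role names and permission strings are constructed for illustration; the point is that an account's grants are re-derived from its current duties on every role change, and that an audit can detect grants the current roles no longer justify.

```python
"""Least privilege and privilege creep (added example, constructed roles).

An account's granted permissions should be derived from its current duties,
not accumulated over its career.  The two change_role functions show the
difference between the common mistake the slide describes and the correct
re-derivation, and excess_privileges() is the audit that detects the leftovers.
"""
from dataclasses import dataclass, field

# Hypothetical role model for the example.
ROLE_PERMISSIONS = {
    "payroll_clerk": {"payroll:read", "payroll:update"},
    "helpdesk": {"tickets:read", "accounts:reset_password"},
    "server_admin": {"servers:login", "servers:reboot"},
}


@dataclass
class Account:
    name: str
    roles: set = field(default_factory=set)
    granted: set = field(default_factory=set)  # entries actually held in the ACL


def required_permissions(roles) -> set:
    """The permissions the current duties actually need, and nothing more."""
    needed = set()
    for role in roles:
        needed |= ROLE_PERMISSIONS[role]
    return needed


def change_role_by_accretion(acct: Account, new_roles) -> None:
    """The violation from the slide: new privileges are added on top of old ones."""
    acct.roles = set(new_roles)
    acct.granted |= required_permissions(new_roles)


def change_role(acct: Account, new_roles) -> None:
    """Least privilege: rebuild the grant set from the new duties alone."""
    acct.roles = set(new_roles)
    acct.granted = required_permissions(new_roles)


def excess_privileges(acct: Account) -> set:
    """Audit check: what the account holds beyond what its roles require."""
    return acct.granted - required_permissions(acct.roles)


def authorise(acct: Account, permission: str) -> bool:
    """Access decision.  Requires the ACL grant *and* a current role that needs
    it, so a stale entry left behind by a sloppy role change is not usable."""
    return permission in acct.granted and permission in required_permissions(acct.roles)


def demo() -> dict:
    """Move one employee from payroll to the helpdesk both ways and compare."""
    sloppy = Account("alice", {"payroll_clerk"}, required_permissions({"payroll_clerk"}))
    change_role_by_accretion(sloppy, {"helpdesk"})

    careful = Account("alice", {"payroll_clerk"}, required_permissions({"payroll_clerk"}))
    change_role(careful, {"helpdesk"})

    return {
        "sloppy_excess": excess_privileges(sloppy),
        "careful_excess": excess_privileges(careful),
        "sloppy_can_edit_payroll_via_acl": "payroll:update" in sloppy.granted,
        "sloppy_authorised_to_edit_payroll": authorise(sloppy, "payroll:update"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The accreted account still carries both payroll permissions after moving to the helpdesk; the audit reports them as excess, and because `authorise` also checks the current roles, the stale grant does not actually open the payroll database even before the ACL is cleaned up.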

Physical
– Physical controls monitor and control the environment of the workplace and computing facilities, and monitor and control access to and from such facilities:
  – doors
  – locks
  – smoke and fire alarms
– An important control that is frequently overlooked is separation of duties (listed here with the physical controls, although it is a control on people rather than premises and many frameworks class it as administrative).
– Separation of duties ensures that an individual cannot complete a critical task by himself. An applications programmer should not also be the server administrator or the database administrator; these roles and responsibilities should be separated from one another to avoid a conflict of interest.

Access control
– Access to protected information must be restricted to people who are authorised to access the information.
– The computer programs, and in many cases the computers, that process the information must also be authorised.
– This requires that mechanisms be in place to control access to protected information.
– The sophistication of the access control mechanisms should reflect the value of the information being protected.
– The foundation on which access control mechanisms are built starts with identification and authentication.

Identification and Authentication
– Identification is an assertion of who someone is or what something is. If a person makes the statement "Hello, my name is Zebedee", they are making a claim of who they are, which may or may not be true.
– Before Zebedee can be granted access to protected information it will be necessary to verify that the person claiming to be Zebedee really is who he says he is.
– Authentication is the act of verifying a claim of identity.

Means of Authentication
– There are three different types of information that can be used for authentication:
  – something you know: a PIN, a password, your mother's maiden name (a weak choice, since such facts are often discoverable by others)
  – something you have: a driver's licence, a magnetic swipe card
  – something you are: palm prints, fingerprints, retina (eye) scans
– Strong authentication means providing information from two of the three different types. This is called two-factor authentication. Two items of the same type (e.g. a password and a PIN) do not count as two factors.
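A two-factor login combining something you know (a password) with something you have (a time-based one-time-code generator, such as a phone app or hardware token), as an added example that is not from the original slides. It assumes salted PBKDF2 password storage and the standard HOTP/TOTP algorithms (RFC 4226 and RFC 6238), both implemented with the Python standard library; the user store is a constructed in-memory dictionary, and the demo secret is the published RFC test secret, used here only so the expected codes are known.

```python
"""Two-factor login: something you know (password) plus something you have
(a TOTP generator such as a phone app or hardware token).

Added example, not from the slides.  Passwords are stored as salted PBKDF2
hashes; the one-time code follows RFC 4226 (HOTP) and RFC 6238 (TOTP),
implemented here directly with the standard library.  The user store is a
constructed in-memory dictionary.
"""
import hashlib
import hmac
import os
import struct
from typing import Optional

PBKDF2_ITERATIONS = 100_000  # kept modest for the example; production uses more


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Something you know: store only a salted, slow hash, never the password."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the counter, dynamically truncated to `digits`."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from the clock (something you have)."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, code: str, at_time: float, step: int = 30, window: int = 1) -> bool:
    """Accept the current code or one step either side to tolerate clock drift."""
    if not (code.isdigit() and len(code) == 6):
        return False
    counter = int(at_time) // step
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))


def enrol(store: dict, username: str, password: str, totp_secret: bytes) -> None:
    salt, digest = hash_password(password)
    store[username] = {"salt": salt, "hash": digest, "totp_secret": totp_secret}


def authenticate(store: dict, username: str, password: str, code: str, at_time: float) -> bool:
    """Both factors must verify.  Both checks always run so that timing does not
    reveal which factor failed, and an unknown user costs the same as a wrong password."""
    record = store.get(username)
    if record is None:
        verify_password(password, b"\x00" * 16, b"\x00" * 32)  # dummy work, same duration
        return False
    password_ok = verify_password(password, record["salt"], record["hash"])
    code_ok = verify_totp(record["totp_secret"], code, at_time)
    return password_ok and code_ok


# Constructed demo data: the RFC 4226/6238 test secret and a fixed clock.
DEMO_SECRET = b"12345678901234567890"
DEMO_TIME = 59  # seconds since the epoch; gives counter 1


def demo() -> dict:
    store = {}
    enrol(store, "zebedee", "correct horse battery staple", DEMO_SECRET)
    good_code = totp(DEMO_SECRET, DEMO_TIME)
    pw = "correct horse battery staple"
    return {
        "code": good_code,
        "both_factors": authenticate(store, "zebedee", pw, good_code, DEMO_TIME),
        "wrong_password": authenticate(store, "zebedee", "password123", good_code, DEMO_TIME),
        "wrong_code": authenticate(store, "zebedee", pw, "000000", DEMO_TIME),
        "unknown_user": authenticate(store, "dougal", pw, good_code, DEMO_TIME),
        "stale_code": authenticate(store, "zebedee", pw, good_code, DEMO_TIME + 120),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Only the combination of the correct password and a code from the current 30-second window succeeds; a correct password with a wrong or stale code fails just as a wrong password does, which is what makes the second factor a second factor rather than a second password.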

Laws and Regulations
– The Data Protection Act 1998 makes provision for the regulation of the processing of information relating to individuals, including the obtaining, holding, use or disclosure of such information. (It has since been superseded by the Data Protection Act 2018 and the UK GDPR.)
– The Computer Misuse Act 1990 makes computer crime, such as unauthorised access to computer material (hacking), a criminal offence.
– The EU Data Retention Directive (2006/24/EC, transposed into UK law in 2007) required Internet service providers and phone companies to keep data on every electronic message sent and phone call made for between six months and two years. (The directive was declared invalid by the Court of Justice of the EU in 2014.)