IT Strategy for Business © Oxford University Press 2008 All rights reserved Chapter 12 IT Security Strategies.

Presentation transcript:

IT Strategy for Business © Oxford University Press 2008 All rights reserved Chapter 12 IT Security Strategies

Chapter Objectives
- Understand IT security issues
- Study IT security strategies for the organization
- Study methods for risk assessment
- Study how to formulate security strategies
- Study a framework for secure information management
- Study the legal and business aspects of IT security

Introduction
Information security is both a technical and a business problem. Security is about availability, integrity, privacy, non-repudiation, authenticity and confidentiality.
Availability: network and information availability make systems and data usable by authorized users when needed and in the required form.
Integrity: the property of a system that guarantees data are not altered without authorization, whether by accident or by an attacker.
Privacy: protection of personal information.
Non-repudiation: the guarantee that the originator of a message or transaction cannot later deny having sent or performed it; in practice this is provided by digital signatures and tamper-evident audit logs.
Authenticity: the assurance that the source is who it claims to be and that the information has not been altered in transit.
Confidentiality: information is disclosed only to those who are authorized to see it.

Security strategy framework

Security strategy framework
The business objective occupies the apex of the pyramid, while security forms the foundation. Availability and confidentiality support the pyramid from both sides, and each is also an exposure: a system that is too open loses confidentiality, one that is locked down too far loses availability. These exposures are controlled by a security architecture formed by people, processes and technologies.

Objectives of Security strategies
Secure the information: make information available to those who are authorized to access it, and only to them.
Use information security for competitive advantage: assured information security builds trust with customers and partners, which is itself a competitive advantage.
Use security to minimize risks: the security strategy should assess the risks. Risks are minimized by insuring against them or by taking protective measures.
Balancing availability and security: availability and security need to be balanced to meet the business objectives without losing any competitive advantage.

Security Strategies: Factors and Measures
Security needs at various stages: at different stages of an organization and of its knowledge life cycle there are different security needs.
Information and its classification: classify information by sensitivity so that controls can be matched to its value; the strategy should strike a balance between availability and security.
Continuous exposure analysis: analysis of the various points of exposure of the system, and of the threats that could arise at each point.
Identification of threats and sources: once a threat and its source are identified, the strategic decision on protection can be taken.
Preventive measures: typically technical measures, business measures and financial measures.

Security Strategies: Factors and Measures
Insurance policy: the organization needs to decide its insurance policy as part of its security strategy.
Legal aspects of exposure and security: attacks through a particular point of exposure can be traced, which opens the possibility of legal action against the attacker; this depends on logs and other evidence being preserved in a usable form.
Technical measures to enhance security: technical measures such as current, well-reviewed encryption algorithms and strong authentication mechanisms should support the overall security strategy rather than be adopted for their own sake.

Threat Identification: Steps
1. Do threats exist?
2. What are the types of threats?
3. Analysis of the impact of the threat on the system and on the overall business objective
4. Classification of the threat
5. Prioritisation and action plan

Threats
- Intrusion
- Hacking
- Energy variations (power failures and surges)
- Viruses
- Unhappy employees
- Denial of service
- Destructive attacks

Outsourcing and offshoring related security challenges
Information transfer: ensuring seamless and secure transfer of information to the outsourcing partner.
Information sharing: ensuring security in a distributed environment.
IP protection: protecting intellectual property in a distributed environment and across different legal jurisdictions.
Decision about information sharing: deciding which information is shared with the partner at all.

Security Threats

Defense Strategies
Prevention and deterrence: properly designed controls may prevent errors from occurring, deter criminals from attacking the system, and deny access to unauthorized people.
Detection: discovering, as early as possible, that an attack or error has occurred.
Minimizing the damage and forecasting the risk.
Recovery and restarting the system in the normal way.
Correcting and fixing the fundamental problem.
Awareness and compliance (dealing with the soft aspects: people).

Defence mechanism

Business Continuity and Recovery Plan

Security Initiatives and Control Decisions

Risk Management Model

Cyber Laws and Other Legal Aspects
Selection of insuring agency: the insuring agency should cover all important security aspects in the policy.
IP protection and strategic initiatives: the IP strategic initiatives include selection of employees, access control, and legally protecting the IP.
Patenting: patenting important inventions and business processes gives legal protection to the organization.
Getting non-disclosure agreements signed: non-disclosure agreements should be signed by employees, customers, and all extended organizations that come into contact with the organization.

Cyber Laws and Other Legal Aspects
Deciding the clauses and the legalities of non-disclosure agreements: the clauses of the non-disclosure agreements should be legally valid in every country in which the organization operates.
Deciding insurance-related strategies covering all aspects of insurance (fire, flood, theft, etc.): the insurance strategy should consider all possible threats and prioritise them for insurance cover.
Legal responsibilities of employees: employees have certain responsibilities, and from a security perspective their legal basis should be considered. For instance, cheating the employer may be illegal, and the organization should have guidelines covering such conduct and behaviour.

Security Policy Checklist
(1) Creation of a security culture
(2) Up-to-date security policies
(3) Calculate return on investment (ROI) on security spending
(4) Procedures to ensure compliance requirements are met
(5) A contingency plan to respond to emergencies
(6) Regular security audits
(7) Insurance
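The threat identification steps (impact analysis, classification, prioritisation and action plan) and checklist item (3), calculating the ROI of security spending, are both usually done with the same arithmetic. The following is an added worked example, not code from the slides or from Oxford University Press. It assumes the standard annualised loss expectancy model, which the slides do not spell out: single loss expectancy (SLE) is asset value times exposure factor, annualised loss expectancy (ALE) is SLE times the annualised rate of occurrence (ARO), and a control pays for itself when the ALE it removes exceeds its annual cost. The threats follow the slides' own list; every asset value, exposure factor and rate is constructed for illustration.

```python
"""Quantitative risk prioritisation and security ROI (added worked example).

Not code from the slides. It assumes the standard ALE model, which the
slides do not spell out:

    SLE  = asset value x exposure factor     (loss per incident)
    ALE  = SLE x ARO                         (expected loss per year)
    ROSI = (ALE removed by a control - annual control cost) / annual cost

All asset values, exposure factors and rates below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    asset_value: float      # value of the exposed asset (currency units)
    exposure_factor: float  # fraction of the asset lost per incident, 0..1
    aro: float              # annualised rate of occurrence (incidents/year)

    def sle(self) -> float:
        """Single loss expectancy: loss from one incident."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualised loss expectancy: expected loss per year."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    mitigates: str        # Threat.name this control addresses
    aro_reduction: float  # fraction by which the control cuts the ARO, 0..1


def prioritise(threats):
    """Threat identification step 5: rank threats by ALE, largest first."""
    return sorted(threats, key=lambda t: t.ale(), reverse=True)


def rosi(control, threats):
    """Return on security investment for one control, as a ratio.

    Positive: the control removes more expected loss per year than it costs.
    Negative: the money is better spent elsewhere, or the risk is better
    transferred to an insurer (the slides' other way to minimise risk).
    """
    threat = next(t for t in threats if t.name == control.mitigates)
    ale_before = threat.ale()
    ale_after = ale_before * (1.0 - control.aro_reduction)
    return (ale_before - ale_after - control.annual_cost) / control.annual_cost


def treatment(threat, controls, threats):
    """Action plan for one threat: mitigate with the best-paying control,
    otherwise transfer (insure) or accept the residual risk."""
    candidates = [c for c in controls if c.mitigates == threat.name]
    if candidates:
        best = max(candidates, key=lambda c: rosi(c, threats))
        if rosi(best, threats) > 0:
            return f"mitigate: {best.name}"
    return "transfer (insure) or accept"


# Constructed sample risk register; threat names follow the slides' list.
THREATS = [
    Threat("Denial of service on customer portal", 2_000_000, 0.05, 4.0),
    Threat("Virus outbreak on workstations", 500_000, 0.10, 2.0),
    Threat("Energy variation damaging servers", 300_000, 0.50, 0.1),
    Threat("Unhappy employee stealing data", 1_000_000, 0.30, 0.2),
]

CONTROLS = [
    Control("DDoS scrubbing service", 60_000,
            "Denial of service on customer portal", 0.9),
    Control("UPS and surge protection", 20_000,
            "Energy variation damaging servers", 0.8),
]


if __name__ == "__main__":
    for t in prioritise(THREATS):
        print(f"{t.ale():>10,.0f}/yr  {t.name}: {treatment(t, CONTROLS, THREATS)}")
```

With these figures the denial-of-service threat tops the register at 400,000 per year, and the scrubbing service returns five times its cost; the surge protection, by contrast, costs more than the 15,000-per-year exposure it reduces, so on pure ALE terms that risk is a candidate for insurance or acceptance. The weak point of the method is the ARO estimate, which is usually a guess; treat the ranking as an aid to the prioritisation discussion, not as its conclusion, and remember that reputational and legal impacts rarely fit into a single asset value.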

Summary
Appropriate use and security of information can make or break a business. The information may include important IP of the organization, newly developed algorithms, important business policies, business strategy documents, confidential letters, or customers' data that could enable someone to access their bank accounts. To make a business successful in this environment, customers also need to access information at all times. Security is about availability, privacy, non-repudiation, integrity, authenticity and confidentiality. The IT security strategy is the legal and technical positioning, and the planned actions, that protect this information.

End of Chapter 12