Information Security Measures
- Confidentiality: information cannot be made available or disclosed to unauthorized persons, entities or processes.
- Integrity: protecting the accuracy and completeness of assets.
- Accessibility: accessibility and applicability attributes set by an authorized user.

Information Security Objectives
Enforce and constantly maintain the following properties:
- Accessibility of information being processed;
- Integrity and authenticity of information;
- Confidentiality of information;
- Legal regime of using information, assets and IT resources of the Ministry;
- Normal operating mode and operating procedures of hardware and software complexes, information systems and networks.

Information Security Objectives
- Prevent or reduce the risk of unauthorized use of information;
- Prevent or reduce the risk of unauthorized modification of protected information;
- Efficient development, operation and management of information systems, assets, resources, telecommunication hardware and software of the Ministry;
- Build a Ministry information security system to govern, implement and control information security measures.

Information Security Requirements
Defined by international standards:
- ISO/IEC 27001:2005 — international information security standard “Information technologies. Security methods. Information security management systems. Requirements”
- ISO/IEC 27002:2007 — “Information technologies. Security technologies. Information security management practices”
- ISO/IEC — “Information technologies. Protection methods. Information security risk management”
Defined by regulatory documents:
Laws of the Republic of Belarus:
- Passed November 10, 2008, No. 455-З “On information, IT and information security”
- Passed December 28, 2009, No. 113-З “On electronic documents and electronic digital signature”
Orders of the President of the Republic of Belarus:
- Issued April 16, 2013, No. 196; issued February 1, 2010, No. 60; issued September 30, 2010, No. 515; issued October 25, 2011, No. 486; issued November 8, 2011, No. 515; issued January 23, 2014, No. 46

Information Security Requirements
Orders of the President of the Republic of Belarus:
- Issued February 1, 2010, No. 60; issued September 30, 2010, No. 515; issued October 25, 2011, No. 486; issued November 8, 2011, No. 515; issued April 16, 2013, No. 196; issued January 23, 2014, No. 46
Decrees of the Council of Ministers of the Republic of Belarus:
- Issued April 29, 2010, No. 644
- Issued May 15, 2013, No. 375
Orders of the Operative and Analytical Center of the President of the Republic of Belarus:
- Issued December 20, 2011, No. 96; issued August 30, 2013, No. 62; issued July 30, 2013, No. 51
Defined by the organization:
- Automated Financial Payment System information security concept
- Information security policy of the Finance Ministry of the Republic of Belarus
- Information security management system of the Finance Ministry of the Republic of Belarus
- Firewalling policy of the Automated Financial Payment System

Information Security Requirements
Defined by Instructions of the Finance Ministry of the Republic of Belarus:
- Procedure for providing and using Internet access.
- Procedure for using electronic documents in the Automated Financial Payment System.
- LAN virus protection.
- Regulation of user activities in the LAN to ensure compliance with information security requirements.
- User password protection in the LAN.
- Working with LAN servers and network equipment.
- Procedure for technical and encryption protection in the Automated Financial Payment System, other information systems, and information systems designed for processing restricted-dissemination and/or restricted-access information not classified as a state secret, on critical IT facilities.

Principles implemented in the Finance Ministry:
- Legality
- Sufficiency
- Flexibility of the security system
- Open algorithms and protection mechanisms
- Personal accountability
- Manageability
- Least privilege principle
- Obligatory control
- Continuous monitoring and optimization

Effective information security (elements of the risk mitigation decision)
- Assets and asset value
- Threat and potential damage
- Risk mitigation decision
- Information security financing

Ministry of Finance ISMS
Process areas: audits; ISMS improvement and development; performance monitoring and review; risk management; personnel management; incident management; continuity management; asset management; other.
Management cycle: define scope and limits → Planning (plan) → Implementation and functioning (do) → Review and monitoring (check) → Support and improve (act).

Risk management at the Finance Ministry (continuous cycle):
1. Risk assessment
2. Select risk control method
3. Risk control
4. Evaluate control efficiency

Physical protection and environment protection
Several security perimeters have been put in place at the Finance Ministry and its structural units. Server rooms are inside two security perimeters. Access to server rooms requires two-factor authentication.

Access Management
The Finance Ministry uses “mandatory access control” based on an access matrix. Information subjects are vested with predefined access rights to the different information resources.
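The slide states the model but not how a matrix-driven mandatory check behaves. The following added example (not the Ministry's software; every subject, resource and right name is constructed for illustration) shows the three properties a practitioner would want to verify in such an implementation: absent cells deny by default, only a designated security administrator can change the matrix (the control is mandatory, not discretionary, in the sense that subjects cannot re-assign their own rights), and every decision is written to an audit log so that each access is attributable to a subject, which also serves the "personal accountability" and "obligatory control" principles from the earlier slide.

```python
"""Access matrix with mandatory administration and per-decision audit logging.

Constructed example. Rows are subjects (users or services), columns are
information resources, cells hold the rights granted in advance. An absent cell
means no rights, so the default is deny. Only a subject holding ADMIN on the
matrix itself may change it. All names below are invented for the example.
"""
from dataclasses import dataclass, field
from enum import Flag, auto
from typing import Dict, List, Tuple

POLICY_RESOURCE = "access_matrix"  # the matrix is itself a protected resource


class Right(Flag):
    NONE = 0
    READ = auto()
    WRITE = auto()
    SIGN = auto()
    ADMIN = auto()  # may change the matrix; held by the security administrator only


AuditEntry = Tuple[str, str, str, bool]  # (subject, resource, requested, allowed)


@dataclass
class AccessMatrix:
    matrix: Dict[str, Dict[str, Right]] = field(default_factory=dict)
    audit_log: List[AuditEntry] = field(default_factory=list)

    @classmethod
    def bootstrap(cls, administrator: str) -> "AccessMatrix":
        """Create a matrix whose only cell lets the administrator manage it."""
        am = cls()
        am.matrix[administrator] = {POLICY_RESOURCE: Right.ADMIN}
        return am

    def rights_of(self, subject: str, resource: str) -> Right:
        # Missing subject or missing cell both yield NONE: deny by default.
        return self.matrix.get(subject, {}).get(resource, Right.NONE)

    def check(self, subject: str, resource: str, requested: Right) -> bool:
        """Allow only if every requested right is held; record the decision."""
        held = self.rights_of(subject, resource)
        allowed = requested != Right.NONE and (requested & held) == requested
        self.audit_log.append((subject, resource, str(requested), allowed))
        return allowed

    def grant(self, actor: str, subject: str, resource: str, rights: Right) -> None:
        """Mandatory administration: only an ADMIN on the matrix may assign rights."""
        if not self.check(actor, POLICY_RESOURCE, Right.ADMIN):
            raise PermissionError(f"{actor} may not modify the access matrix")
        self.matrix.setdefault(subject, {})[resource] = rights

    def denials(self) -> List[AuditEntry]:
        """Denied decisions, the rows an auditor would review first."""
        return [entry for entry in self.audit_log if not entry[3]]


def grant_is_rejected(am: AccessMatrix, actor: str, subject: str,
                      resource: str, rights: Right) -> bool:
    """True if the matrix refuses a grant attempted by `actor`."""
    try:
        am.grant(actor, subject, resource, rights)
    except PermissionError:
        return True
    return False


def build_sample_matrix() -> AccessMatrix:
    """Constructed sample: a clerk, a signer and an auditor with least privilege."""
    am = AccessMatrix.bootstrap("secadmin")
    am.grant("secadmin", "operator.ivanova", "payment_orders", Right.READ | Right.WRITE)
    am.grant("secadmin", "signer.sidorov", "payment_orders", Right.READ | Right.SIGN)
    am.grant("secadmin", "auditor.petrov", "audit_journal", Right.READ)
    return am


if __name__ == "__main__":
    am = build_sample_matrix()
    print("operator may read orders:", am.check("operator.ivanova", "payment_orders", Right.READ))
    print("operator may sign orders:", am.check("operator.ivanova", "payment_orders", Right.SIGN))
    print("operator may self-grant SIGN:",
          not grant_is_rejected(am, "operator.ivanova", "operator.ivanova", "payment_orders", Right.SIGN))
    for entry in am.denials():
        print("DENIED", entry)
```

The check deliberately requires all requested rights at once, so a request for READ|WRITE by a subject holding only READ is denied rather than partially honoured, and the grant path itself goes through `check`, so attempts to change policy appear in the same audit log as ordinary access decisions.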

Telecommunication and network security
- A secure data transmission area has been established, based on firewalls, between remote structural units of the Finance Ministry;
- Third-party information systems are connected via firewalls;
- The Finance Ministry network is split into separate logical domains, each protected by its own security perimeter.

Telecommunication and network security
The following solutions are used for centralized management and reporting:
- FortiManager – centralized management of Fortinet devices.
- FortiAnalyzer – collecting, analyzing and recording events from network security devices.

Malware Protection
Provided by the anti-virus product “Kaspersky Endpoint Security for Business”, certified by the Operative and Analytical Center of the President of the Republic of Belarus as conforming to the requirements of ТР 2013/027/BY and STB (sections 6.3, 6.4).

Encryption
The Finance Ministry has established a public-key infrastructure consisting of:
- Certifying center (certification authority)
- 5 public-key certificate registers
- 137 registration centers

The Finance Ministry uses electronic digital signatures for:
- Confirming the integrity of transmitted and stored data;
- Authentication of transmitted and stored data.
Tasks where electronic digital signatures are used:
- Electronic document management system;
- Local treasury client;
- Consolidated reports.

Objective assessment of the current information security level
- Annual information security audit;
- Annual internal check of critical IT facilities;
- Scheduled risk assessment;
- Vulnerability control;
- Annual penetration test of Finance Ministry services.

Thank you