1 INTRODUCTION TO INFORMATION SECURITY MANAGEMENT
Information Security Management (INFS 5055) & Information Security Management (INFS 3070), Study Period 2, 2010
Today’s Reference: Whitman & Mattord, 2008, Management of Information Security, 2nd edition, Chapter 1 (alternatively, the 3rd edition is fine)

2 What is Security?
“a well-informed sense of assurance that the information risks and controls are in balance.” —Jim Anderson, Inovant (2002)
“The quality or state of being secure—to be free from danger”
A successful organization should have multiple layers of security in place:
– Physical security
– Personal security
– Operations security
– Communications security
– Network security
– Information security

3 Physical Security
Commonly thought of as “building” security: guns, dogs, guards, locks, infrared sensors, cameras, access card systems, physical access systems

4 Personnel Security
People are the most important asset (?) and the core of many security problems. Examples of personnel security measures:
– pre-employment screening
– security awareness training
– exit interviews
– employee contract
– anti-fraud initiatives

5 What is Information Security?
An Information System consists of:
– hardware
– software
– IS people
– data & information (in various forms)
– procedures, processes, policies
IS security relates to all of these components. Previously referred to as ‘Computer Security’; now commonly referred to as ‘Information Security’.

6 Information Security

7 Why is it important?
– Business survival could be at stake
– Management attitude is (still) “It won’t happen to me”; this needs to change
– Vulnerabilities are greater with the advent of complex networks
– New threats are emerging as technology is embraced
– Attacks on systems are more prevalent

8 Security Breaches & Impacts

9 Critical Characteristics of Information
The value of information comes from the characteristics it possesses:
– Confidentiality
– Integrity
– Availability
– Privacy
– Identification
– Authentication
– Authorisation
– Accountability

10 Scope of Information Security
IS security relates to minimising the threats to the Availability, Integrity and Confidentiality of information (and its Authenticity).
Availability
– disruptions: environmental (e.g. air conditioning or power failure), hardware breakdowns
– disasters: natural disasters (flood, fire, earthquake), other disasters (war, terrorism), software bugs
– catastrophic failure: human safety compromised
– each of these may be logical or physical, accidental or deliberate

11 Integrity
– errors & omissions
– computer crime: hackers
Confidentiality
– loss of print-out report (physical/accidental)
– loss of message, misdirected message (logical/accidental)
– theft of PC, screen snooping (physical/deliberate)
– wiretapping, hacking, electromagnetic radiation (logical/deliberate)

12 Principles Of Information Security Management
The extended characteristics of information security management are known as the six Ps:
– Planning
– Policy
– Programs
– Protection
– People
– Project Management

13 Planning
Several types of InfoSec plans exist:
– Incident response
– Business continuity
– Disaster recovery
– Policy
– Personnel
– Technology rollout
– Risk management
– Security program, including education, training, and awareness

14 Policy
The set of organizational guidelines that dictates certain behavior within the organization is called policy.
In InfoSec, there are three general categories of policy:
– General program policy (Enterprise Security Policy)
– Issue-specific security policy (ISSP)
– System-specific security policies (SSSPs)

15 Programs
Specific entities managed in the information security domain.
A security education, training and awareness (SETA) program is one such entity.
Other programs that may emerge include a physical security program, complete with fire, physical access, gates, guards, and so on.

16 Protection
Risk management activities, including risk assessment and control, as well as protection mechanisms, technologies, and tools.
Each of these mechanisms represents some aspect of the management of specific controls in the overall information security plan.

17 People
People are the most critical link in the information security program.
It is imperative that managers continuously recognize the crucial role that people play, including both the information security personnel themselves and the security of all personnel.

18 Project Management
Project management discipline should be present throughout all elements of the information security program.
This effort involves identifying and controlling the resources applied to the project, as well as measuring progress and adjusting the process as progress is made toward the goal.

19 The Sequence
THREATS threaten ASSETS, which create RISKS, which require CONTROLS
(Vulnerability? Risk exposure? Countermeasures?)

20 “Health & Safety” of a person
Threats
– Heart attack, stroke, car accident
– Work accident, sporting injury, assault
– Disease
Assets
– Tissue, brain, heart, mind, limbs
– Organs, eyes, skin, self-esteem
Risks
– Death, injury, loss of limb, sickness
– Brain damage, loss of eyesight
Controls
– Regular exercise, proper food
– OH & S procedures at work
– Safe sports, safe driving
– Regular doctor check-ups
– Minimal stress, adequate sleep

21 Threats
Something that has the potential to cause harm or loss. Four classes:
– interruption: hardware breakdown, software bug, operators on strike
– interception: wiretapping, hacking
– modification and fabrication: hackers tampering with & changing data, adding records or transactions

22 Top 10 Threats in IS
1. Errors & omissions
2. Data network breakdowns
3. Software errors & omissions
4. Computer-based fraud
5. Accidental & natural disasters
6. Equipment failure
7. Unauthorised access
8. Deliberate destruction of equipment
9. Misuse of computing equipment
10. Theft of computers

23 Risks
– Risk of going out of business
– Risk of losing competitive advantage
– Risk of unauthorised access
– Risk of being sued
– Risk of embarrassment
– Risk of losing money
– Risk of losing customers

24 Vulnerabilities
A weakness in the security of the system which might be exploited to cause loss or harm.

25 Controls / Countermeasures
Four categories:
– Management
– Hardware
– Software
– Authentication

26 Management Controls
– Security policies
– Segregation of duties
– Awareness training
– Physical security procedures
– Operational controls and procedures
– Exit interviews
– New employee screening
– Personnel security

27 Hardware Controls
– Environmental conditions
– O/S controls
– Silicon, plastic, tin

28 Software Controls
– Access control software (RACF, ACF2, etc.)
– Programming standards: range checks, check digits, modular programs
– Change control procedures
– Authorisation controls
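Two of the programming-standard controls on this slide, range checks and check digits, are simple enough to show in working code. The following Python is an added example, not part of the original lecture and not the code of any product named on the slide: it implements the Luhn mod-10 check digit (the scheme used on payment card numbers) and a range check on a transaction amount, then runs both over a few constructed transaction records. The record format, the account numbers and the per-transaction ceiling are all assumptions made for the example.

```python
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation
from typing import List


def luhn_check_digit(payload: str) -> str:
    """Return the Luhn (mod 10) check digit that should follow `payload`.

    Walking from the right, every other digit is doubled, starting with the
    digit that will sit immediately left of the check digit; doubled values
    above 9 have 9 subtracted (the same as summing their two digits).
    """
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True if the last digit is the correct Luhn check digit for the rest.

    The scheme detects every single-digit error and every adjacent
    transposition except 09<->90, which is what a check digit is for:
    catching keying and transcription mistakes before a record is accepted.
    """
    digits = number.replace(" ", "")
    if not digits.isdigit() or len(digits) < 2:
        return False
    return luhn_check_digit(digits[:-1]) == digits[-1]


# Hypothetical business rule assumed for the example: one transaction must be
# between 0.01 and 10,000.00 inclusive.
MIN_AMOUNT = Decimal("0.01")
MAX_AMOUNT = Decimal("10000.00")


@dataclass
class Transaction:
    account: str
    amount: Decimal


def range_check(amount: Decimal) -> bool:
    return MIN_AMOUNT <= amount <= MAX_AMOUNT


def validate_record(account: str, amount_text: str) -> List[str]:
    """Apply the check-digit and range controls to one raw input record.

    Returns a list of error messages; an empty list means the record passed.
    The account check always runs, so the caller sees every problem at once.
    """
    errors: List[str] = []
    if not luhn_valid(account):
        errors.append(f"account {account!r} fails Luhn check digit")
    try:
        amount = Decimal(amount_text)
    except InvalidOperation:
        errors.append(f"amount {amount_text!r} is not a number")
        return errors
    if not range_check(amount):
        errors.append(f"amount {amount} outside {MIN_AMOUNT}..{MAX_AMOUNT}")
    return errors


if __name__ == "__main__":
    # Constructed sample records (account, amount) for the example.
    # "7992739871" plus its check digit "3" is the standard worked example
    # of the Luhn algorithm; the other accounts are corruptions of it.
    records = [
        ("79927398713", "250.00"),    # clean
        ("79927398731", "250.00"),    # last two digits transposed
        ("79927398713", "-5.00"),     # negative amount
        ("79927398713", "25000.00"),  # over the ceiling
        ("7992739871X", "abc"),       # non-numeric in both fields
    ]
    for account, amount in records:
        problems = validate_record(account, amount)
        status = "OK" if not problems else "REJECT: " + "; ".join(problems)
        print(f"{account:>12} {amount:>9}  {status}")
```

The point of the check digit is that it is computed from the other digits, so a mistyped or transposed account number fails before any lookup happens; the range check rejects values that are syntactically fine but outside what the business rule allows. Neither is an authorisation control: a record that passes both still has to be checked against who is allowed to post it.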

29 Authentication Controls
Mechanisms: passwords, PINs, smart cards, biometric devices
Factors: something the user knows, something the user has, something the user is, something the user can do, someplace the user is
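The first two factors on this slide are easiest to see side by side in code. The following Python is an added example, not from the lecture: it verifies a password (something the user knows) against a salted PBKDF2 verifier and a time-based one-time code from a hardware or phone token (something the user has) using the TOTP construction of RFC 6238 over HOTP (RFC 4226), and grants access only when both factors verify. The user record layout, the 30-second step, the drift window and the PBKDF2 parameters are assumptions for the example; the secret `12345678901234567890` is the reference test key from RFC 6238, chosen so the codes can be checked against the RFC's published vectors.

```python
import hashlib
import hmac
import os
import struct
import time
from dataclasses import dataclass
from typing import Optional

# Hypothetical parameters assumed for the example.
PBKDF2_ITERATIONS = 200_000   # work factor for the stored password verifier
TOTP_STEP = 30                # seconds per one-time code (RFC 6238 default)
TOTP_DIGITS = 6
TOTP_WINDOW = 1               # accept +/- one step of clock drift


@dataclass
class UserRecord:
    """What the server stores: never the password itself, only a verifier."""
    salt: bytes
    pw_hash: bytes
    totp_secret: bytes  # shared with the user's token at enrolment


def enrol(password: str, totp_secret: bytes) -> UserRecord:
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return UserRecord(salt, pw_hash, totp_secret)


def check_password(user: UserRecord, password: str) -> bool:
    """Factor 1: something the user knows."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user.salt, PBKDF2_ITERATIONS)
    # constant-time comparison so the verifier leaks nothing through timing
    return hmac.compare_digest(candidate, user.pw_hash)


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = TOTP_STEP) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the time step."""
    return hotp(secret, at // step)


def check_totp(user: UserRecord, code: str, at: int) -> bool:
    """Factor 2: something the user has (the token holding the secret)."""
    if len(code) != TOTP_DIGITS or not code.isdigit():
        return False
    step_now = at // TOTP_STEP
    return any(
        hmac.compare_digest(hotp(user.totp_secret, step_now + drift), code)
        for drift in range(-TOTP_WINDOW, TOTP_WINDOW + 1)
    )


def authenticate(user: UserRecord, password: str, code: str,
                 at: Optional[int] = None) -> bool:
    """Grant access only if both factors verify.

    Both checks run unconditionally so a caller cannot tell from the
    response time which of the two factors failed.
    """
    at = int(time.time()) if at is None else at
    pw_ok = check_password(user, password)
    otp_ok = check_totp(user, code, at)
    return pw_ok and otp_ok


if __name__ == "__main__":
    secret = b"12345678901234567890"      # RFC 6238 reference test key
    user = enrol("correct horse battery staple", secret)
    now = int(time.time())
    code = totp(secret, now)              # what the user's token would display
    print("both factors:", authenticate(user, "correct horse battery staple", code, now))
    print("wrong password:", authenticate(user, "password1", code, now))
    print("stale code:", authenticate(user, "correct horse battery staple", code, now + 120))
```

Two design points worth noticing: the server never stores the password, only a salted, iterated hash of it, and the one-time code is accepted for a single step either side of the server's clock so a slightly drifted token still works while a code captured minutes earlier does not. In a real deployment the TOTP secret would be stored encrypted and a used code would be recorded so it cannot be replayed within its window.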

30 Top 10 Controls
1. IS security policy document
2. Allocation of security responsibilities
3. IS security education & training
4. Reporting of security incidents
5. Virus control
6. Business continuity planning
7. Control of proprietary copying
8. Safeguarding of company records
9. Compliance with data protection legislation
10. Compliance with security policy

31 What you need to know!
– What InfoSec is and why it’s important
– Scope of InfoSec
– Principles of InfoSec Management
– A general idea of Threats, Risks and Controls

