A General Overview of Information Security
Senior advisor Mona Naomi Lintvedt, 221008
Agenda
– Why information security?
– Legal sources for information security
– OECD guidelines
– International standards
– Computer Emergency Response Team
– Norwegian National Security Authority
– NorCERT
– SERTIT
– International bodies
Why information security? (1)
– Security = risk management
– Protecting information and information systems from unauthorised access, use, disclosure, disruption, modification or destruction
– Information security is concerned with the confidentiality, integrity and availability of data regardless of the form the data may take: electronic, print or other forms
– Necessary for trust
– Privacy: protection of personal data
Why information security? (2)
– Confidentiality: preventing disclosure of information to unauthorised individuals or systems
– Integrity: correct and unaltered information; data cannot be modified without authorisation
– Availability: for any information system to serve its purpose, the information must be available when it is needed. The computing systems used to store and process the information, the security controls used to protect it, and the communication channels used to access it must be functioning correctly
– Authentication: validate that both parties involved are who they claim to be. Ensure that the data, transactions, communications or documents (electronic or physical) are genuine
Some legal sources for information security
– OECD Guidelines for the Security of Information Systems and Networks - Towards a Culture of Security: a focus on security in the development of information systems and networks, and the adoption of new ways of thinking and behaving when using and interacting within information systems and networks
– OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data
– European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR)
– EU Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data
– EU Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications)
OECD Guidelines – nine principles (1)
– Awareness. Participants should be aware of the need for security of information systems and networks and what they can do to enhance security.
– Responsibility. Participants are responsible for the security of information systems and networks.
– Response. Participants should act in a timely and cooperative manner to prevent, detect, and respond to security incidents.
– Ethics. Participants should respect the legitimate interests of others and recognize that their action or inaction may harm others.
– Democracy. The security of information systems and networks should be compatible with essential values of a democratic society.
OECD Guidelines – nine principles (2)
– Risk Assessment. Participants should conduct risk assessments to identify threats and vulnerabilities to their information systems.
– Security Design and Implementation. Participants should incorporate security as an essential element of information systems and networks.
– Security Management. Participants should adopt a comprehensive approach to security management.
– Reassessment. Participants should review and reassess the security of information systems and networks, and make appropriate modifications to security policies, measures, and practices.
International standards
– ISO/IEC 27002 Information technology - Security techniques - Code of practice for information security management: lists security control objectives and recommends a range of specific security controls
– ISO/IEC 27001 Information technology - Security techniques - Information security management systems - Requirements:
  – covers all types of organizations (e.g. commercial enterprises, government agencies, not-for-profit organizations)
  – specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System
  – designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties
  – adopts the "Plan-Do-Check-Act" (PDCA) model
Computer Emergency Response Team
– Almost everything in both the public and private sectors depends on Internet access today. The number of vulnerabilities in these sectors has therefore increased considerably in recent years.
– Well-organised ICT attacks intended to disable, damage or exploit computerized functions in society may harm a country’s vital infrastructure.
– CERT (Computer Emergency Response Team): 187 CERT groups from 37 countries
– One Norwegian group: NorCERT (Norwegian CERT), a department of the Norwegian National Security Authority
Norwegian National Security Authority (NSM)
– Established 1 Jan 2003 as a directorate
– Reports to the Minister of Defence (military sector) and the Minister of Justice (civil sector)
  – Cross-sectoral professional and supervisory authority within the protective security services in Norway
  – Security Act, Defence Secrets Act, Defence Inventions Act, Protective Security Services Act
– The purpose of protective security is to counter threats to the independence and security of the realm and other vital national security interests, primarily espionage, sabotage or acts of terrorism.
– Protective security measures shall not be more intrusive than strictly necessary, and shall serve to promote a robust and safe society.
NorCERT – Norwegian Computer Emergency Response Team
– Formally established 1 January 2006
– NorCERT is an operational department in NSM consisting of two integrated sections:
  – VDI: the Norwegian Alert and Early Warning System for Digital Infrastructure, identifying, classifying and issuing warnings about IT attacks against Norway
  – Incident Handling: Norway’s national centre coordinating the handling of attacks against vital Norwegian ICT security
– Together both sections operate the Operation Centre, where they maintain an up-to-date view of the ICT threat assessment
  – Available 24/7
  – Approximately 20 IT security specialists
NorCERT’s tasks
– Coordinating responses to serious IT security breaches against vital infrastructure and information
– Gathering information related to serious IT security threatening incidents
– Coordinating early patching of serious vulnerabilities in vital computer systems in our society
– Sharing information with other response teams regarding new threats
– Having an up-to-date view of IT related threats
– Assisting other response teams and aiding national readiness measures
– Being Norway’s point of contact for similar organizations abroad
SERTIT
– The public Certification Authority for IT Security in Norway
– Primary tasks:
  – Issuing Certificates and Certification Reports
  – Formulating the framework and making sure that the rules are followed by all the parties involved
  – Representing Norway as a member of the international community Arrangement on the Recognition of the Common Criteria Certificates in the field of Information Technology Security (CCRA)
– Companies that want to join the Certification Scheme as an IT Security Evaluation Facility (ITSEF) have to be approved by SERTIT
– The purpose of the Certification Scheme is to meet the need of the authorities and of industry for a cost-effective and efficient security evaluation and certification of IT products and systems
– Responsible for approving IT Security Evaluation Facilities (ITSEF) that carry out evaluations in accordance with the more detailed Scheme criteria
– The Norwegian Certification Scheme: Sd001E
International organisations – cooperation
– European Government CERT Group (EGC)
– Forum of Incident Response and Security Teams (FIRST)
– International Watch and Warning Network (IWWN)
– NATO Computer Incident Response Capability (NATO CIRC)
– European Network and Information Security Agency (ENISA)