
Managing Information System Security: Principles GP Dhillon Associate Professor Virginia Commonwealth University.




1 Managing Information System Security: Principles GP Dhillon Associate Professor Virginia Commonwealth University

2 Shocking news 25% of the organizations did not have an internal audit 50% of the organizations did not have computer audit skills 60% of the organizations had no security awareness 80% of the organizations did not conduct a risk analysis

3 General Statistics CERT/CC: Incidents Reported 1991 – 406 1993 – 1,334 1995 – 2,412 1997 – 2,134 1999 – 9,859 2001 – 52,658 2003 – 137,529

4 Common Myths • “Why should I care, I have nothing to hide.” • “Why does anyone care about my computer?” • “It’s too difficult to get access to my computer or personal information…” • “If someone tries to [insert malicious activity here], I will notice!” • “Ignorance is bliss!”

5 Are you at risk? Using the following puts you at risk: Computers, Credit Cards, Banks, Airlines, Automobiles, …many more…

6 CIA – the building blocks: Confidentiality, Integrity, Availability

7 Confidentiality • Ensures privacy. • Applies to both data on disks and network communication. • Accomplished through encryption: https://, s/mime, pgp, ssh and ipsec

8 Integrity • Develops trust of the network and computer systems. • Applies to both data on disks and network communication. • Integrity is increased by proper data and system management.

9 Availability • Another catalyst for trust. • Required for data on disk and network. • Prevents Denial of Service attacks, etc.

10 Defending with technology

11 Start with the basics • Basic computer security through technology is easy; use… • A firewall, • Anti-Virus Software, • Patch your computer quickly, when required, • Strong passwords!

12 Firewalls • The most useful tool in your bag of defenses. • Prevents intruders from accessing services on your computer. • Validates/normalizes network traffic. • May provide reports and trend analysis. • Available for all major operating systems – usually for free!

13 Anti-virus software • Stops viruses and worms sent by email, attachments, downloads, etc. • Detects malicious software through intelligent heuristics. • Available for all major desktop and server operating systems. • A requirement; not an option.

14 Patches • (Usually) free updates to your computer; can be downloaded from the Internet. • Available before most exploits surface. • Automated, usually. • Critical to overall security. • Chant: “We Must Patch, We Must Patch…”

15 Strong passwords • Keeps you on-target with best practices. • Is composed of 8 or more characters and includes letters, numbers and 2 special characters, including !@#$%^&.-+-=|]{}:”. • Not based on any dictionary word from any language. • Changes regularly; not shared.
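The composition rule on slide 15 (8 or more characters, letters, numbers, at least 2 special characters from the listed set, no dictionary word) is the kind of policy an account-provisioning script enforces. The checker below is an added example, not part of the original deck; the tiny word list and the leetspeak substitution table are constructed assumptions standing in for the full dictionary the slide refers to. It goes slightly beyond the slide by normalizing common substitutions (0 for o, @ for a, and so on) before the dictionary test, so that a word "disguised" with digits is still caught.

```python
import re

# Slide 15's composition rule, as stated on the page.
MIN_LENGTH = 8
MIN_SPECIAL = 2
# The slide's own list of special characters (the set collapses the duplicated '-').
SPECIAL_CHARS = set('!@#$%^&.-+-=|]{}:”')

# Constructed mini word list for the example; a real deployment would load a
# large multi-language dictionary (the slide says "any dictionary word from any language").
DICTIONARY_WORDS = {"password", "welcome", "summer", "dragon", "letmein", "virginia"}

# Assumed substitution table so that 'P@ssw0rd' is recognized as 'password'.
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})


def contains_dictionary_word(password, words=DICTIONARY_WORDS, min_len=4):
    """True if a dictionary word (after leet normalization) appears in the password."""
    normalized = password.lower().translate(LEET_MAP)
    # Keep only letters, so 'Summer2024!!' still reveals 'summer'.
    letters = re.sub(r"[^a-z]", "", normalized)
    return any(w in letters for w in words if len(w) >= min_len)


def check_password(password, words=DICTIONARY_WORDS):
    """Return the list of policy violations; an empty list means the password complies."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no digits")
    special_count = sum(1 for c in password if c in SPECIAL_CHARS)
    if special_count < MIN_SPECIAL:
        problems.append(f"fewer than {MIN_SPECIAL} special characters from the allowed set")
    if contains_dictionary_word(password, words):
        problems.append("contains a dictionary word")
    return problems


def is_compliant(password):
    return not check_password(password)


if __name__ == "__main__":
    # Constructed sample candidates, from an obviously weak one to a compliant one.
    for candidate in ["password1!", "P@ssw0rd!!", "Summer2024!!", "Ab1!@", "Tr0ub4d&3!"]:
        verdict = check_password(candidate)
        print(f"{candidate!r:16} -> {'OK' if not verdict else '; '.join(verdict)}")
```

The normalization step is what makes the dictionary rule bite: a plain substring test would pass "P@ssw0rd!!" even though it satisfies every composition rule while being a trivially guessable word.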

16 Behavioral changes

17 What technology doesn’t solve • Security technologies adapt as threats appear. They are not able to (easily) combat: • Threats, • Hoaxes, • Scams, • The behavior of others.

18 The clue factor

19 Education and awareness • Education and awareness are key to increasing the security posture of the University, and the global Internet. • Dispels the FUD (fear, uncertainty, doubt). • Addresses problems before they exist. • Extends the radius of clue. • Creates inclusion in the entire infosecurity effort.

20 Self-education • You can increase your own awareness of security related issues. • Subscribe to mailing lists for security notifications. • Visit security related websites. • Voice your concern on security related issues, helping raise awareness in others.

21 Test your efforts • Remember: security is about sharing knowledge and contacts, not technology.

22 The ‘RITE’ principles Responsibility (and knowledge of Roles) Integrity (as requirement of Membership) Trust (as distinct from Control) Ethicality (as opposed to Rules)

23 “Total” security CIA + RITE

24 Conceptualizing controls Pragmatic controls Formal controls Technical controls

25 Principle #1 Principle 1: Education, training and awareness, although important, are not sufficient conditions for managing information security. A focus on developing a security culture goes a long way in developing and sustaining a secure environment.

26 Principle #2 Principle 2: Responsibility, integrity, trust and ethicality are the cornerstones for maintaining a secure environment.

27 Principle #3 Principle 3: Establishing a boundary between what can be formalized and what should be norm based is the basis for establishing appropriate control measures.

28 Principle #4 Principle 4: Rules for managing information security have little relevance unless they are contextualized.

29 Principle #5 Principle 5: In managing the security of technical systems a rationally planned grandiose strategy will fall short of achieving the purpose.

30 Principle #6 Principle 6: Formal models for maintaining the confidentiality, integrity and availability (CIA) of information cannot be applied to commercial organizations on a grand scale. Micro-management for achieving CIA is the way forward.




