Information Security IBK3IBV01 College 1 Paul J. Cornelisse / George Pluimakers.


1 Information Security IBK3IBV01 College 1 Paul J. Cornelisse / George Pluimakers

2
▸ 8 weeks of lectures
▸ Concluded with an exam
▸ George Pluimakers
▸ PluGM@hr.nl, preferably hro-g.pluimakers@xs4all.nl
▸ Med.hr.nl/plugm, click on the module "Introductie"

3 What is Information Security
▸ Goal
▸ The purpose of information security is to protect an organization's valuable resources, such as information, hardware, and software.
▸ How?
▸ Through the selection and application of appropriate safeguards, security helps an organization to meet its business objectives or mission by protecting its physical and financial resources, reputation, legal position, employees, and other tangible and intangible assets.

4 What is Information Security
▸ What will we do?
▸ We will examine the elements of computer security, employees' roles and responsibilities, and common threats.
▸ What will we consider?
▸ We will also examine the need for management controls, policies and procedures, and risk management.
▸ Examples?
▸ We will include current examples of procedures, policies, and examples that can be used to help implement the security program at your organization.

5 Elements of Information security

6
▸ Information security should support the business objectives or mission of the enterprise. 1

7
▸ This idea cannot be stressed enough.
▸ Often, information security personnel lose track of their goals and responsibilities.
▸ The position of information security professional has been created to support the enterprise, not the other way around. 1

8
▸ Information security is an integral element of fiduciary duty.* 2
* Fiduciary duty: a legal obligation of one party to act in the best interest of another. The obligated party is typically a fiduciary, that is, someone entrusted with the care of money or property. Also called: fiduciary obligation. Source: http://www.businessdictionary.com/

9
▸ Senior management is charged with two basic responsibilities:
▸ a duty of loyalty
▸ a duty of care 2

10
▸ A duty of loyalty: this means that whatever decisions they make must be made in the best interest of the enterprise. 2

11
▸ A duty of care: this means that senior management is required to implement reasonable and prudent controls to protect the assets of the enterprise and make informed business decisions. 2

12
▸ An effective information security program will assist senior management in meeting these duties. 2

13
▸ Information security must be cost-effective. 3

14
▸ Implementing controls based on edicts is counter to the business climate.
▸ Before any control can be proposed, it will be necessary to confirm that a significant risk exists.
▸ Implementing a timely risk management process can complete this task. 3

15
▸ By identifying risks and then proposing appropriate controls, the mission and business objectives of the enterprise will be better met. 3

16
▸ Information security responsibilities and accountabilities should be made explicit. 4

17
▸ For any program to be effective, it will be necessary to:
▸ publish an information security policy statement, and
▸ publish a group mission statement. 4

18
▸ The policy should identify the roles and responsibilities of all employees.
▸ To ensure third parties comply with our policies and procedures, the contract language indicating these requirements must be incorporated into the purchase agreements for all contract personnel and consultants. 4

19
▸ System owners have information security responsibilities outside their own organization. 5

20
▸ Access to information will often extend beyond the business unit or even the enterprise.
▸ It is the responsibility of the information owner (normally the senior-level manager in the business that created the information or is the primary user of the information). 5

21
▸ One of the main responsibilities is to monitor usage to ensure that it complies with the level of authorization granted to the user. 5

22
▸ Information security requires a comprehensive and integrated approach. 6

23
▸ To be as effective as possible, it will be necessary for information security issues to be part of the system development life cycle. 6

24
▸ During the initial or analysis phase, information security should receive as its deliverables:
▸ a risk assessment,
▸ a business impact analysis,
▸ and an information classification document. 6

25
▸ Additionally, because information is resident in all departments throughout the enterprise, each business unit should establish an individual responsible for implementing an information security program to meet the specific business needs of the department. 6

26
▸ Information security should be periodically reassessed. 7

27
▸ As with anything, time changes the needs and objectives.
▸ A good information security program will examine itself on a regular basis and make changes wherever and whenever necessary.
▸ This is a dynamic and changing process and therefore must be reassessed at least every 18 months. 7

28
▸ Information security is constrained by the culture of the organization. 8

29
▸ The information security professional must understand that the basic information security program will be implemented throughout the enterprise.
▸ However, each business unit must be given the latitude to make modifications to meet their specific needs. 8

30
▸ If your organization is multinational, it will be necessary to make adjustments for each of the various countries.
▸ These adjustments will have to be examined throughout the United States too. What might work in Des Moines, Iowa, may not fly in Berkeley, California.
▸ Provide for the ability to find and implement alternatives. 8

31 Resume
▸ Information security:
▸ should support the business objectives or mission of the enterprise.
▸ is an integral element of fiduciary duty.
▸ must be cost-effective.
▸ responsibilities and accountabilities should be made explicit.
▸ requires a comprehensive and integrated approach.
▸ should be periodically reassessed.
▸ is constrained by the culture of the organization.

32 Resume
▸ Information security is a means to an end and not the end in itself.
▸ In business, having an effective information security program is usually secondary to the need to make a profit.
▸ In the public sector, information security is secondary to the services the agency provides to its constituency.
