Information Security Measures (presentation transcript)

2 Information Security Measures
- Confidentiality: information is not made available or disclosed to unauthorized persons, entities or processes.
- Integrity: the accuracy and completeness of assets are protected.
- Availability: information is accessible and usable on demand by an authorized user.

3 Information Security Objectives
Enforce and continuously maintain the following properties:
- Availability of the information being processed;
- Integrity and authenticity of information;
- Confidentiality of information;
- The legal regime for the use of information, assets and IT resources of the Ministry;
- The normal operating mode and operating procedures of hardware and software complexes, information systems and networks.

4 Information Security Objectives
- Prevent or reduce the risk of unauthorized use of information;
- Prevent or reduce the risk of unauthorized modification of protected information;
- Efficient development, operation and management of the information systems, assets, resources, and telecommunication hardware and software of the Ministry;
- Build a Ministry information security system to govern, implement and control information security measures.

5 Information Security Requirements
Defined by international standards:
- ISO/IEC 27001:2005, "Information technology. Security techniques. Information security management systems. Requirements"
- ISO/IEC 27002:2005 (the former ISO/IEC 17799:2005, renumbered in 2007), "Information technology. Security techniques. Code of practice for information security management"
- ISO/IEC 27005, "Information technology. Security techniques. Information security risk management"
Defined by regulatory documents:
Laws of the Republic of Belarus:
- No. 455-З of November 10, 2008, "On information, informatization and protection of information"
- No. 113-З of December 28, 2009, "On electronic documents and electronic digital signature"
Edicts of the President of the Republic of Belarus (listed on the next slide).

6 Information Security Requirements
Edicts of the President of the Republic of Belarus:
- No. 60 of February 1, 2010
- No. 515 of September 30, 2010
- No. 486 of October 25, 2011
- No. 515 of November 8, 2011
- No. 196 of April 16, 2013
- No. 46 of January 23, 2014
Resolutions of the Council of Ministers of the Republic of Belarus:
- No. 644 of April 29, 2010
- No. 375 of May 15, 2013
Orders of the Operative and Analytical Center under the President of the Republic of Belarus:
- No. 96 of December 20, 2011
- No. 51 of July 30, 2013
- No. 62 of August 30, 2013
Defined by the organization:
- Information security concept of the Automated Financial Payment System
- Information security policy of the Finance Ministry of the Republic of Belarus
- Information security management system of the Finance Ministry of the Republic of Belarus
- Firewalling policy of the Automated Financial Payment System

7 Information Security Requirements
Defined by instructions of the Finance Ministry of the Republic of Belarus:
- Procedure for providing and using Internet access;
- Procedure for using electronic documents in the Automated Financial Payment System;
- LAN virus protection;
- Regulation of user activities in the LAN to ensure compliance with information security requirements;
- User password protection in the LAN;
- Working with LAN servers and network equipment;
- Procedure for technical and cryptographic protection of information in the Automated Financial Payment System and other information systems, including information systems designed for processing information of restricted dissemination and/or restricted access that is not classified as a state secret, at critical IT facilities.

8 Principles implemented in the Finance Ministry:
- Legality
- Sufficiency
- Flexibility of the security system
- Open algorithms and protection mechanisms
- Personal accountability
- Manageability
- Least privilege principle
- Obligatory control
- Continuous monitoring and optimization

9 Effective information security (diagram): the risk mitigation decision is driven by the assets, the threats to them, asset value, potential damage and the information security financing available.

10 Ministry of Finance ISMS (diagram)
PDCA cycle: Planning (plan); Implementation and functioning (do); Review and monitoring (check); Support and improvement (act).
Surrounding processes: define scope and limits; risk management; asset management; personnel management; incident management; continuity management; performance monitoring and review; audits; ISMS improvement and development; other.

11 Risk management at the Finance Ministry (cycle)
1. Risk assessment
2. Select risk control method
3. Risk control
4. Evaluate control efficiency

12 Physical protection and environment protection
- Several security perimeters have been put in place at the Finance Ministry and its structural units.
- Server rooms are inside two security perimeters.
- Access to server rooms requires two-factor authentication.

13 Access Management
The Finance Ministry uses "mandatory access control" based on an access matrix: each information subject is vested with predefined access rights to specific information resources. (In the classical models an access matrix of subjects, objects and rights underlies discretionary access control, while mandatory access control compares security labels of subjects and objects; the slide uses the term for the matrix-based scheme.)

14 Telecommunication and network security
- A secure data transmission area based on firewalls has been established between the remote structural units of the Finance Ministry;
- Third-party information systems are connected via firewalls;
- The Finance Ministry network is split into separate logical domains, each protected by its own security perimeter.

15 Telecommunication and network security
The following solutions are used for centralized management and reporting:
- FortiManager, used for centralized management of Fortinet devices;
- FortiAnalyzer, used for collecting, analyzing and recording events from network security devices.

16 Malware Protection
Provided by the anti-virus product "Kaspersky Endpoint Security for Business", certified by the Operative and Analytical Center under the President of the Republic of Belarus as conforming to the requirements of TR 2013/027/BY and STB 34.101.08-2006 (sections 6.3 and 6.4).

17 Encryption
The Finance Ministry has established a public key infrastructure consisting of:
- a certification authority;
- 5 public key certificate registers;
- 137 registration centers.

18 The Finance Ministry uses electronic digital signatures for:
- confirming the integrity of transmitted and stored data;
- authenticating transmitted and stored data.
Tasks where electronic digital signatures are used:
- electronic document management system;
- local treasury client;
- consolidated reports.
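As an added example that is not part of the presentation, the following Go program shows the two properties slide 18 assigns to the digital signature, integrity and authentication, using the kind of key pair that the public key infrastructure of slide 17 distributes. It is example code, not the Ministry's software. The signature scheme is Ed25519 from Go's standard library, assumed here because the slides do not name the scheme the Ministry uses; the report text is a constructed sample. The verifier checks a document against a public key it already trusts (in practice, one taken from a certificate in the register), never against a key carried inside the document.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// SignedDocument is what a client transmits or stores: the payload and a
// detached signature over it. The signer's public key is deliberately not
// carried here; the verifier obtains it from a trusted source.
type SignedDocument struct {
	Payload   []byte
	Signature []byte
}

// Signer holds one key pair, standing in for the key a registration center
// would issue to a user. Assumption: Ed25519; the slides do not name the scheme.
type Signer struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewSigner generates a fresh key pair from the system CSPRNG.
func NewSigner() (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{pub: pub, priv: priv}, nil
}

// PublicKey is the half that would be published through the certificate register.
func (s *Signer) PublicKey() ed25519.PublicKey { return s.pub }

// Sign produces a detached signature over a private copy of payload.
func (s *Signer) Sign(payload []byte) SignedDocument {
	copied := append([]byte(nil), payload...)
	return SignedDocument{Payload: copied, Signature: ed25519.Sign(s.priv, copied)}
}

var ErrBadSignature = errors.New("signature does not verify under the trusted key")

// Verify checks doc against a key the verifier already trusts. Integrity
// (payload unchanged since signing) and authentication (signed by the holder
// of the trusted key's private half) both reduce to this one check.
func Verify(trusted ed25519.PublicKey, doc SignedDocument) error {
	if len(trusted) != ed25519.PublicKeySize {
		return errors.New("trusted key has the wrong length")
	}
	// ed25519.Verify panics on a malformed key but only returns false for a
	// wrong-length signature; both are rejected explicitly here.
	if len(doc.Signature) != ed25519.SignatureSize {
		return ErrBadSignature
	}
	if !ed25519.Verify(trusted, doc.Payload, doc.Signature) {
		return ErrBadSignature
	}
	return nil
}

// Tamper flips one bit of the payload, simulating modification in transit or
// in storage, and leaves the original signature attached.
func Tamper(doc SignedDocument) SignedDocument {
	modified := append([]byte(nil), doc.Payload...)
	if len(modified) > 0 {
		modified[len(modified)-1] ^= 0x01
	}
	return SignedDocument{Payload: modified, Signature: doc.Signature}
}

// ScenarioResult records how the verifier treated each of three documents.
type ScenarioResult struct {
	GenuineAccepted       bool // unmodified report signed with the trusted key
	TamperedRejected      bool // same report, one bit changed after signing
	ForeignSignerRejected bool // same report, signed with a key the verifier does not trust
}

// Scenario runs the three cases a treasury client must tell apart.
func Scenario() (ScenarioResult, error) {
	treasury, err := NewSigner()
	if err != nil {
		return ScenarioResult{}, err
	}
	outsider, err := NewSigner()
	if err != nil {
		return ScenarioResult{}, err
	}
	// Constructed sample payload; any bytes of a report or e-document would do.
	report := []byte("consolidated report 2014-Q1; total expenditure 1250000.00")
	genuine := treasury.Sign(report)
	return ScenarioResult{
		GenuineAccepted:       Verify(treasury.PublicKey(), genuine) == nil,
		TamperedRejected:      Verify(treasury.PublicKey(), Tamper(genuine)) != nil,
		ForeignSignerRejected: Verify(treasury.PublicKey(), outsider.Sign(report)) != nil,
	}, nil
}

func main() {
	res, err := Scenario()
	if err != nil {
		fmt.Println("key generation failed:", err)
		return
	}
	fmt.Printf("genuine accepted: %v\ntampered rejected: %v\nforeign signer rejected: %v\n",
		res.GenuineAccepted, res.TamperedRejected, res.ForeignSignerRejected)
}
```

The third case is the one a certificate register exists for: the outsider's signature is mathematically valid under the outsider's own key, so a verifier that accepted whatever public key arrived with the document would accept it. Binding the trusted key to the signer's identity through a certificate is what turns a valid signature into authentication.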

19 Objective assessment of the current information security level
- Annual information security audit;
- Annual internal check of critical IT facilities;
- Scheduled risk assessment;
- Vulnerability control;
- Annual penetration test of Finance Ministry services.

20 Thank you
