Posted: 08-Jun-2015 | Category: Technology | Uploaded by: chenpingling
Information Security
Prepared by Mark Chen, November 2008
Definition
Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.
CIA: Confidentiality, Integrity, Availability
Confidentiality
Confidentiality is the property of preventing disclosure of information to unauthorized individuals or systems. Examples of situations where confidentiality is at stake:
a credit card transaction on the Internet
someone looking over your shoulder at your computer screen
a laptop computer containing sensitive information that is stolen or sold
Integrity
Integrity means that data cannot be modified without authorization. Examples of integrity violations:
an employee (accidentally or with malicious intent) deletes important data files
a computer virus infects a computer
Availability
For any information system to serve its purpose, the information must be available when it is needed. The computing systems, the security controls and the communication channels must all be functioning correctly. High availability systems aim to remain available at all times.
Risk Management
Vulnerability: a vulnerability is a weakness that could be used to endanger or cause harm to an informational asset.
Threat: a threat is anything (man-made or an act of nature) that has the potential to cause harm.
Risk Management Process, steps 1 to 3
(1) Identification of assets and estimating their value. Include: people, buildings, hardware, software, data (electronic, print, other), supplies.
(2) Conduct a threat assessment. Include: acts of nature, acts of war, accidents, malicious acts originating from inside or outside the organization.
(3) Conduct a vulnerability assessment, and for each vulnerability, calculate the probability that it will be exploited. Evaluate policies, procedures, standards, training, physical security, quality control, technical security.
Risk Management Process, steps 4 to 6
(4) Calculate the impact that each threat would have on each asset. Use qualitative analysis or quantitative analysis.
(5) Identify, select and implement appropriate controls. Provide a proportional response. Consider productivity, cost effectiveness, and the value of the asset.
(6) Evaluate the effectiveness of the control measures. Ensure the controls provide the required cost-effective protection without discernible loss of productivity.
Executive Management
For any given risk, executive management can choose:
to accept the risk, based on the relatively low value of the asset, low frequency of occurrence, or low impact on the business;
to mitigate the risk, by implementing controls;
to deny the risk, which is itself a potential risk.
Controls
Administrative controls (also called procedural controls) consist of approved written policies, procedures, standards and guidelines.
Logical and physical controls:
Logical controls (also called technical controls) use software and data to monitor and control access to information and computing systems. For example: passwords, firewalls, data encryption, and the principle of least privilege.
Physical controls monitor and control the environment of the work place and computing facilities, including access to and from such facilities. For example: doors, locks, cameras; separating the network and work place into functional areas; separation of duties.
Security Classification
Security classification recognizes the value of information in order to define appropriate procedures and protection requirements for the information.
Security Classification Labels
Common information security classification labels used by the business sector are: Public, Sensitive, Private, Confidential.
Common information security classification labels used by government are: Unclassified, Sensitive But Unclassified, Restricted, Confidential, Secret, Top Secret, and their non-English equivalents.
Change Management
Change management is a formal process for directing and controlling alterations to the information processing environment, including alterations to desktop computers, the network, servers and software.
Change Management Process
(1) Requested (2) Approved (3) Planned (4) Tested (5) Scheduled (6) Communicated (7) Implemented (8) Documented (9) Post-change review
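The value of the nine-step process is that the order is enforced: nothing reaches production that has not been approved, tested, scheduled and communicated first, and there is a record for the post-change review. The following change-ticket class is an added example written for this page, not code from the original slides; the requester-may-not-approve rule is taken from the separation-of-duties principle mentioned elsewhere on the page, and the change id, actor names and step sequences are constructed.

```python
# Added example (not from the original slides): a change ticket that enforces
# the nine-step process above in order. A change cannot be implemented before
# it has been approved, planned, tested, scheduled and communicated, the
# requester cannot be the approver (separation of duties), and every step is
# recorded so the post-change review has an audit trail. Change ids and
# actor names are constructed.
from enum import IntEnum


class Stage(IntEnum):
    REQUESTED = 1
    APPROVED = 2
    PLANNED = 3
    TESTED = 4
    SCHEDULED = 5
    COMMUNICATED = 6
    IMPLEMENTED = 7
    DOCUMENTED = 8
    POST_CHANGE_REVIEW = 9


class ChangeError(Exception):
    """Raised when a step is skipped, repeated, or done by the wrong person."""


class ChangeTicket:
    def __init__(self, change_id: str, description: str, requester: str):
        self.change_id = change_id
        self.description = description
        self.stage = Stage.REQUESTED
        self.history = [(Stage.REQUESTED, requester)]  # audit trail for the review

    @property
    def requester(self) -> str:
        return self.history[0][1]

    def advance(self, to: Stage, actor: str) -> None:
        """Move the ticket to the next stage only; anything else is rejected."""
        if self.stage == Stage.POST_CHANGE_REVIEW:
            raise ChangeError(f"{self.change_id}: already closed")
        expected = Stage(self.stage + 1)
        if to != expected:
            raise ChangeError(
                f"{self.change_id}: cannot move from {self.stage.name} to {to.name}; "
                f"next step is {expected.name}")
        if to == Stage.APPROVED and actor == self.requester:
            raise ChangeError(
                f"{self.change_id}: requester {actor} may not approve their own change")
        self.stage = to
        self.history.append((to, actor))


def process_change(change_id, description, requester, steps):
    """Apply (stage, actor) steps in turn; return (final stage, error message or None)."""
    ticket = ChangeTicket(change_id, description, requester)
    for stage, actor in steps:
        try:
            ticket.advance(stage, actor)
        except ChangeError as err:
            return ticket.stage, str(err)
    return ticket.stage, None


# Constructed sample workflows
VALID_STEPS = [
    (Stage.APPROVED, "cab-chair"), (Stage.PLANNED, "sysadmin-1"),
    (Stage.TESTED, "sysadmin-1"), (Stage.SCHEDULED, "cab-chair"),
    (Stage.COMMUNICATED, "service-desk"), (Stage.IMPLEMENTED, "sysadmin-1"),
    (Stage.DOCUMENTED, "sysadmin-1"), (Stage.POST_CHANGE_REVIEW, "cab-chair"),
]

SKIPS_TESTING = [
    (Stage.APPROVED, "cab-chair"), (Stage.PLANNED, "sysadmin-1"),
    (Stage.SCHEDULED, "cab-chair"),  # jumps over TESTED
]

SELF_APPROVED = [(Stage.APPROVED, "sysadmin-1")]  # requester approves own change

if __name__ == "__main__":
    for name, steps in [("valid", VALID_STEPS), ("skips testing", SKIPS_TESTING),
                        ("self approved", SELF_APPROVED)]:
        stage, error = process_change("CHG-0001", "patch mail server", "sysadmin-1", steps)
        print(f"{name:<14} stopped at {stage.name:<19} {error or 'ok'}")
```

The valid sequence runs through to the post-change review; the sequence that skips testing is stopped at PLANNED with a message naming TESTED as the required next step, and the self-approval is rejected before the ticket ever leaves REQUESTED. Because `history` keeps who performed each step, the review at step 9 can check the whole trail rather than only the end state.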
Security Governance
(1) An Enterprise-wide Issue. (2) Leaders are Accountable. (3) Viewed as a Business Requirement. (4) Risk-based. (5) Roles, Responsibilities, and Segregation of Duties Defined. (6) Addressed and Enforced in Policy. (7) Adequate Resources Committed. (8) Staff Aware and Trained. (9) A Development Life Cycle Requirement. (10) Planned, Managed, Measurable, and Measured. (11) Reviewed and Audited.
Incident Response Plans
(1) Selecting team members (2) Define roles, responsibilities and lines of authority (3) Define a security incident (4) Define a reportable incident (5) Training (6) Detection (7) Classification (8) Escalation (9) Containment (10) Eradication (11) Documentation
Laws and Regulations
Sarbanes-Oxley Act of 2002 (SOX). Section 404 of the act requires publicly traded companies to assess the effectiveness of their internal controls for financial reporting in the annual reports they submit at the end of each fiscal year. Chief information officers are responsible for the security, accuracy and reliability of the systems that manage and report the financial data. The act also requires publicly traded companies to engage independent auditors who must attest to, and report on, the validity of their assessments.
Conclusion
Information security is the ongoing process of exercising due care and due diligence to protect information, and information systems, from unauthorized access, use, disclosure, destruction, modification, disruption or distribution.
The never-ending process of information security involves ongoing training, assessment, protection, monitoring and detection, incident response and repair, documentation, and review.