
INFORMATION SECURITY SYSTEM

Date post: 12-Apr-2017
Upload: anand-murali
Page 1: INFORMATION SECURITY SYSTEM

WELCOME

Page 2: INFORMATION SECURITY SYSTEM

Information System Security

Page 3: INFORMATION SECURITY SYSTEM

WHAT IS INFORMATION SECURITY?

The protection of information and its elements, including the systems and hardware that use, store and transmit that information.

Page 4: INFORMATION SECURITY SYSTEM

SECURITY TYPES

• Physical Security: to protect physical items, objects or areas
• Personal Security: to protect the individual or group of individuals who are authorized
• Operations Security: to protect the details of a particular operation or activity
• Communications Security: to protect communication media, technology and content
• Network Security: to protect networking components, connections and contents
• Information Security: to protect information assets

Page 5: INFORMATION SECURITY SYSTEM

THREATS TO INFORMATION SYSTEM

There are many information security threats that we need to be constantly aware of and protect against in order to ensure our sensitive information remains secure. Some of the threats are as follows:

Page 6: INFORMATION SECURITY SYSTEM

UNAUTHORIZED ACCESS

• The attempted or successful access of information or systems without permission or rights to do so.

Ensure you have a properly configured firewall and up-to-date malware prevention software, and that all software has the latest security updates.

Protect all sensitive information, using encryption where appropriate, and use strong, unique passwords; change any password promptly if you suspect it has been compromised.

Page 7: INFORMATION SECURITY SYSTEM

CYBER ESPIONAGE

• The act of spying through the use of computers, involving covert access to ('hacking' of) company or government networks to obtain sensitive information.

Be alert for social engineering attempts and verify all requests for sensitive information.

Ensure software has the latest security updates, keep your network secure, and monitor for unusual network behaviour.

Page 8: INFORMATION SECURITY SYSTEM

MALWARE

• A collective term for malicious software, such as viruses, worms and trojans, designed to infiltrate systems and information for criminal, commercial or destructive purposes.

Ensure you have a properly configured firewall and up-to-date malware prevention, and that all software has the latest security updates.

Do not click links or open attachments in emails from unknown senders, visit untrusted websites, or install dubious software.

Page 9: INFORMATION SECURITY SYSTEM

DATA LEAKAGE

• The intentional or accidental loss, theft or exposure of sensitive company or personal information.

Ensure all sensitive information stored on removable storage media, mobile devices or laptops is encrypted.

Be mindful of what you post online, check email recipients before pressing send, and never email sensitive company information to personal email accounts.

Page 10: INFORMATION SECURITY SYSTEM

MOBILE DEVICE ATTACK

• A malicious attack on, or unauthorized access to, mobile devices and the information stored or processed by them, performed wirelessly or through physical possession.

Keep devices with you at all times, encrypt all sensitive data and removable storage media, and use strong passwords.

Avoid connecting to insecure, untrusted public wireless networks, and keep Bluetooth in 'undiscoverable' mode.

Page 11: INFORMATION SECURITY SYSTEM

SOCIAL ENGINEERING

• Tricking and manipulating others, by phone, email, online or in person, into divulging sensitive information in order to access company information or systems.

Verify all requests for sensitive information, no matter how legitimate they may seem, and never share your passwords with anyone, not even the helpdesk.

Never part with sensitive information if in doubt, and report suspected social engineering attempts immediately.

Page 12: INFORMATION SECURITY SYSTEM

INSIDERS

• An employee or worker with malicious intent to steal sensitive company information, commit fraud, or cause damage to company systems or information.

Ensure access to sensitive information is restricted to only those who need it, and revoke access when it is no longer required.

Report all suspicious activity or workers immediately.
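The two controls above (need-to-know access and revoking access that is no longer required) only work if someone periodically checks every grant against who still needs it. The following is an added example, not code from the original slides: a small least-privilege review over constructed employee and grant records. The resource-to-department mapping, the two-year-style expiry dates and the names are assumptions made for the demo.

```python
"""Least-privilege access review: list every grant that should be revoked
(inactive account, expired grant, no business need, no justification) and
deny access by default unless a grant survives that review.
Added example; the employees, grants and resource owners are constructed."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Employee:
    uid: str
    department: str
    active: bool            # False once HR has processed the leaver


@dataclass(frozen=True)
class Grant:
    uid: str
    resource: str
    expires: date           # every grant is time-boxed and must be renewed
    justification: str


# Departments with a business need for each resource (assumption for the demo).
RESOURCE_OWNERS = {
    "payroll-db": {"finance"},
    "source-repo": {"engineering"},
    "crm": {"sales", "support"},
}


def review_grants(employees, grants, today):
    """Return (grant, reason) for every grant that should be revoked now."""
    by_uid = {e.uid: e for e in employees}
    revoke = []
    for g in grants:
        emp = by_uid.get(g.uid)
        if emp is None or not emp.active:
            revoke.append((g, "account no longer active"))
        elif g.expires < today:
            revoke.append((g, "grant expired and was not renewed"))
        elif emp.department not in RESOURCE_OWNERS.get(g.resource, set()):
            revoke.append((g, f"{emp.department} has no business need for {g.resource}"))
        elif not g.justification.strip():
            revoke.append((g, "no recorded justification"))
    return revoke


def has_access(employees, grants, today, uid, resource):
    """Deny by default: access exists only through a grant that passes review."""
    bad = {g for g, _ in review_grants(employees, grants, today)}
    return any(g.uid == uid and g.resource == resource and g not in bad for g in grants)


# Constructed sample data (not taken from any real system).
EMPLOYEES = [
    Employee("alice", "finance", True),
    Employee("bob", "engineering", True),
    Employee("carol", "sales", False),        # has left the company
    Employee("dave", "engineering", True),
]
GRANTS = [
    Grant("alice", "payroll-db", date(2025, 12, 31), "payroll processing"),
    Grant("bob", "source-repo", date(2025, 12, 31), "developer"),
    Grant("carol", "crm", date(2025, 12, 31), "account manager"),            # leaver, still granted
    Grant("dave", "payroll-db", date(2025, 12, 31), "helped finance once"),  # wrong department
    Grant("bob", "crm", date(2024, 1, 1), "temporary project"),              # expired
]
TODAY = date(2025, 6, 1)

if __name__ == "__main__":
    for g, reason in review_grants(EMPLOYEES, GRANTS, TODAY):
        print(f"REVOKE {g.uid} -> {g.resource}: {reason}")
    print("alice/payroll-db:", has_access(EMPLOYEES, GRANTS, TODAY, "alice", "payroll-db"))
```

Running the review in this way, on a schedule and whenever HR marks someone as a leaver, is what turns "revoke access when no longer required" from a policy sentence into something that actually happens.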

Page 13: INFORMATION SECURITY SYSTEM

PHISHING

• A form of social engineering involving the sending of legitimate-looking emails aimed at fraudulently extracting sensitive information from recipients, usually to gain access to systems or for identity theft.

• Look out for emails containing unexpected or unsolicited requests for sensitive information, or contextually relevant emails from unknown senders.

• Never click on suspicious-looking links within emails, and report all suspected phishing attempts immediately.
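Two of the cheapest mechanical checks for the "suspicious-looking link" advice above are whether a link's visible text names a different domain than the one its href actually goes to, and whether the sender's domain merely resembles a trusted one. The block below is an added example, not part of the original slides: it runs both checks over constructed sample messages. The trusted-domain list, the sample bodies and sender addresses are assumptions for the demo, and the registrable-domain helper is deliberately crude (last two labels) rather than a public-suffix-list lookup.

```python
"""Phishing indicators in a received e-mail: links whose visible text names one
domain while the href points elsewhere, and sender domains that only look like
a trusted one. Added example; messages and the trusted-domain set are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example-bank.com"}   # assumption: the organisation's real domain(s)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _registrable(host):
    """Crude eTLD+1 (last two labels). Fine for the demo; a real scanner
    would use the public suffix list so that suffixes like co.uk work."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


_DOMAIN_IN_TEXT = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.I)


def link_mismatches(html_body):
    """(domain shown to the reader, host the link really goes to) for each
    link whose text names a different registrable domain than its href."""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        actual = (urlparse(href).hostname or "").lower()
        if not actual:                      # mailto:, anchors, relative links: nothing to compare
            continue
        for shown in _DOMAIN_IN_TEXT.findall(text):
            if _registrable(shown) != _registrable(actual):
                findings.append((shown.lower(), actual))
    return findings


def _fold(domain):
    """Map common look-alike characters to one form: rn->m, 1->l, 0->o, i->l, |->l."""
    return domain.lower().replace("rn", "m").translate(str.maketrans("10i|", "loll"))


def lookalike_sender(from_addr):
    """True if the sender domain is untrusted but resembles a trusted one,
    e.g. exarnple-bank.com or example-bank.com.evil.net."""
    domain = from_addr.rsplit("@", 1)[-1].lower()
    if domain in TRUSTED_DOMAINS:
        return False
    return any(_fold(domain) == _fold(t) or t in domain for t in TRUSTED_DOMAINS)


def phishing_indicators(from_addr, html_body):
    """Human-readable reasons to treat the message as suspected phishing."""
    reasons = []
    if lookalike_sender(from_addr):
        reasons.append(f"sender domain resembles a trusted domain: {from_addr}")
    for shown, actual in link_mismatches(html_body):
        reasons.append(f"link text shows {shown} but points to {actual}")
    return reasons


# Constructed sample messages (not real mail).
PHISH = ('<p>Your account is locked. Reset it at '
         '<a href="http://login.example-bank.com.evil.net/reset">https://www.example-bank.com/reset</a>'
         ' within 24 hours.</p>')
LEGIT = '<p>Help is at <a href="https://www.example-bank.com/help">www.example-bank.com/help</a>.</p>'

if __name__ == "__main__":
    for sender, body in (("alerts@exarnple-bank.com", PHISH), ("alerts@example-bank.com", LEGIT)):
        print(sender, phishing_indicators(sender, body) or ["no indicators"])
```

Neither check proves a message is phishing; both are signals a mail gateway or a user-report triage script can combine with the advice above (unexpected request, unknown sender) before anyone clicks.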

Page 14: INFORMATION SECURITY SYSTEM

SPAM

• Unsolicited email sent in bulk to many individuals, usually for commercial gain but increasingly for spreading malware.

Only give your email address to those you trust, and never post it online for others to view.

Use a spam filter, and never reply to spam emails or click links within them.

Page 15: INFORMATION SECURITY SYSTEM

IDENTITY THEFT

• The theft of an unknowing individual's personal information in order to fraudulently assume that individual's identity to commit a crime, usually for financial gain.

• Never provide personal information to untrusted individuals or websites.

• Ensure personal information is protected when stored and securely disposed of when no longer needed.

Page 16: INFORMATION SECURITY SYSTEM

PROTECTING INFORMATION SYSTEM

1. Data security is fundamental

Data security is crucial to all academic, medical and business operations.

All existing and new business and data processes should include a data security review, to be sure data is safe from loss and secured against unauthorized access.

Page 17: INFORMATION SECURITY SYSTEM

2. Plan ahead

Create a plan to review your data security status and policies, and create routine processes to access, handle and store data safely, as well as to archive unneeded data.

Make sure you and your colleagues know how to respond if you have a data loss or data breach incident.

Page 18: INFORMATION SECURITY SYSTEM

3. Know what data you have

The first step to secure computing is knowing what data you have and what level of protection is required to keep the data both confidential and safe from loss.

Page 19: INFORMATION SECURITY SYSTEM

4. Scale down the data

Keep only the data you need for routine current business; safely archive or destroy older data, and remove it from all computers and other devices (smartphones, laptops, flash drives, external hard disks).
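Steps 3 and 4 above are, in practice, a data-discovery pass followed by a retention decision. The block below is an added example, not code from the original slides: it scans a set of files for payment-card numbers (Luhn-checked, so random digit runs are not flagged) and e-mail addresses, assigns each file a classification level, and marks anything past the retention period for archiving or destruction. The files are constructed in memory, and the three-level scheme and two-year retention rule are assumptions for the demo.

```python
"""Know what data you have (step 3) and scale it down (step 4): find sensitive
data, classify each file, and flag files past their retention period.
Added example; the files below are constructed, not read from a real share."""
import re
from datetime import date, timedelta

CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
RETENTION = timedelta(days=2 * 365)   # assumption: a two-year retention rule for the demo


def luhn_ok(digits):
    """Luhn checksum, so that arbitrary 16-digit ticket or order numbers are not flagged."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_cards(text):
    """Card-number candidates that pass the Luhn check, with separators removed."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def classify(text):
    """'restricted' for payment-card data, 'confidential' for personal contact
    data, otherwise 'internal' (assumed three-level scheme)."""
    if find_cards(text):
        return "restricted"
    if EMAIL_RE.search(text):
        return "confidential"
    return "internal"


def inventory(files, today):
    """files: {path: (last_modified, text)} -> [(path, classification, action)]."""
    report = []
    for path, (modified, text) in sorted(files.items()):
        level = classify(text)
        if today - modified > RETENTION:
            action = "destroy" if level == "restricted" else "archive"
        else:
            action = "keep"
        report.append((path, level, action))
    return report


# Constructed sample "share" (dates and contents invented for the demo).
TODAY = date(2025, 6, 1)
FILES = {
    "shared/orders-2021.csv": (date(2021, 3, 10), "order,card\n1001,4111 1111 1111 1111\n"),
    "shared/newsletter.txt": (date(2025, 5, 20), "Contact alice@example.com for details.\n"),
    "shared/minutes-2022.txt": (date(2022, 1, 15), "Agenda: budget; ticket 4111111111111112\n"),
    "shared/readme.txt": (date(2025, 4, 1), "Nothing sensitive here.\n"),
}

if __name__ == "__main__":
    for path, level, action in inventory(FILES, TODAY):
        print(f"{path:28} {level:13} {action}")
```

The 2022 minutes file contains a 16-digit number that fails the Luhn check, so it stays "internal" and is merely archived; the 2021 order export holds a valid card number and is both "restricted" and overdue, so it is marked for destruction. A real scan would walk a filesystem and add the other identifiers your organisation handles, but the decision logic is the same.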

Page 20: INFORMATION SECURITY SYSTEM

5. Lock up!

Physical security is the key to safe and confidential computing. All the passwords in the world won't get your laptop back if the computer itself is stolen.

Back up the data to a safe place so that it can be recovered in the event of loss.

Page 21: INFORMATION SECURITY SYSTEM

INFORMATION SECURITY CONTROLS

Security is generally defined as freedom from danger, or as the condition of safety.

Computer security, specifically, is the protection of data in a system against unauthorized disclosure, modification or destruction, and the protection of the computer system itself against unauthorized use, modification or denial of service.

Page 22: INFORMATION SECURITY SYSTEM

PHYSICAL CONTROLS

The use of locks, security guards, badges, alarms and similar measures to control access to computers, related equipment (including utilities), and the processing facility itself.

In addition, measures are required to protect computers, related equipment and their contents from espionage, theft, and destruction or damage by accident, fire or natural disaster (e.g. floods and earthquakes).

Page 23: INFORMATION SECURITY SYSTEM

TECHNICAL CONTROLS

The use of safeguards incorporated in computer hardware, operating-system or application software, communications hardware and software, and related devices. Technical controls are sometimes referred to as logical controls.

Page 24: INFORMATION SECURITY SYSTEM

TECHNICAL CONTROLS

Preventive technical controls are used to prevent unauthorized personnel or programs from gaining remote access to computing resources. Examples of these controls include:

o Access control software
o Antivirus software
o Library control systems
o Passwords
o Smart cards
o Encryption
o Dial-up access control and callback systems

Page 25: INFORMATION SECURITY SYSTEM

ADMINISTRATIVE CONTROLS

Management constraints, operational procedures, accountability procedures, and supplemental administrative controls established to provide an acceptable level of protection for computing resources.

In addition, administrative controls include procedures established to ensure that all personnel who have access to computing resources have the required authorizations and appropriate security clearances.

Page 26: INFORMATION SECURITY SYSTEM

ADMINISTRATIVE CONTROLS

Preventive administrative controls are personnel-oriented techniques for controlling people's behaviour to ensure the confidentiality, integrity and availability of computing data and programs. Examples of preventive administrative controls include:

o Security awareness and technical training
o Separation of duties
o Procedures for recruiting and terminating employees
o Security policies and procedures
o Supervision
o Disaster recovery, contingency and emergency plans
o User registration for computer access
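Separation of duties is the one item in the list above that can be enforced by a system rather than only written into a policy: the same person must not both request and approve a privileged change, the approver must actually hold the approving role, and no one may be registered with two roles the policy declares incompatible. The block below is an added example, not code from the original slides, showing those three rules over constructed role assignments and change requests; the role names and the conflicting pairs are assumptions for the demo.

```python
"""Separation of duties, enforced in code rather than only documented: a
privileged change needs a requester and a different, authorised approver, and
nobody may hold two roles the policy declares incompatible.
Added example; roles, conflict pairs and change requests are constructed."""

# Role pairs one person must never hold at the same time (assumption for the demo).
CONFLICTING_ROLES = (
    frozenset({"developer", "production-deployer"}),
    frozenset({"payment-initiator", "payment-approver"}),
    frozenset({"user-admin", "auditor"}),
)


def role_conflicts(assignments):
    """assignments: {uid: set_of_roles} -> [(uid, (role_a, role_b))] for each
    user who holds both halves of a conflicting pair."""
    found = []
    for uid, roles in sorted(assignments.items()):
        for pair in CONFLICTING_ROLES:
            if pair <= roles:
                found.append((uid, tuple(sorted(pair))))
    return found


def validate_change(request, assignments):
    """Return (approved, reason). request keys: id, requested_by, approved_by,
    required_role (the role the approver must hold)."""
    requester, approver = request["requested_by"], request["approved_by"]
    if not approver:
        return False, "no approver recorded"
    if approver == requester:
        return False, "requester approved their own change"
    if request["required_role"] not in assignments.get(approver, set()):
        return False, f"approver {approver} does not hold {request['required_role']}"
    for uid, (a, b) in role_conflicts(assignments):
        if uid in (requester, approver):
            return False, f"{uid} holds conflicting roles {a} and {b}"
    return True, "approved"


# Constructed sample data (not from any real organisation).
ASSIGNMENTS = {
    "alice": {"developer"},
    "bob": {"production-deployer"},
    "carol": {"developer", "production-deployer"},   # registration error: conflicting roles
    "dave": {"auditor"},
}


def change(cid, requested_by, approved_by, required_role="production-deployer"):
    return {"id": cid, "requested_by": requested_by, "approved_by": approved_by,
            "required_role": required_role}


if __name__ == "__main__":
    print("conflicts:", role_conflicts(ASSIGNMENTS))
    for req in (change("CHG-1", "alice", "bob"),
                change("CHG-2", "bob", "bob"),
                change("CHG-3", "alice", "carol"),
                change("CHG-4", "alice", "dave"),
                change("CHG-5", "alice", None)):
        print(req["id"], validate_change(req, ASSIGNMENTS))
```

The role-conflict check belongs in the user-registration step (the last item in the list), so that an incompatible combination is refused when it is requested rather than discovered in an audit months later.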

Page 27: INFORMATION SECURITY SYSTEM

THANK YOU

