Welingkar’s Distance Learning Division
I.T. for Management
CHAPTER-18
Information Security
We Learn – A Continuous Learning Forum
Welingkar’s Distance Learning Division
Information Security
IT Security, Control, Audit & governanceInformation is Power is a very old adage in the IT sector. In today’s world information is being increasingly viewed as an Asset which has real value & is to be protected Accumulating information was once done more for Statutory purposes. Today sophisticated data warehouses are hold what may be considered as “gold mine” of knowledge & data mining tools are available to extract the right information at right time
We Learn – A Continuous Learning Forum
Welingkar’s Distance Learning Division
Information Security
Objectives of IT Security ManagementThe purpose of IT Security Management is to ensure:• Confidentiality: Restricting access to right people for
the right purpose• Integrity: Correctness& validity of information stored
or processed• Availability: Ensuring information is available to
authorized persons
We Learn – A Continuous Learning Forum
Welingkar’s Distance Learning Division
Information Security
In almost every large enterprise, the physical and IT security departments operate independently of each other. They are generally unaware of the strengths and weaknesses of one another's practices, the liabilities of operating independently, and the benefits of integrated security management.
We Learn – A Continuous Learning Forum
Welingkar’s Distance Learning Division
Information SecurityPhysical Security and IT Security
Physical security focuses on the protection of physical assets, personnel and facility structures. This involves managing the flow of individuals and assets into, out of, and within a facility. IT security focuses on the protection of information resources, primarily computer and telephone systems and their data networks. This involves managing the flow of information into, out of, and within a facility’s IT systems, including human access to information systems and their networks. Clearly these two are separate domains. Why should they be integrated?
We Learn – A Continuous Learning Forum
Welingkar’s Distance Learning Division
Information SecurityPhysical Security and IT Security a Management Issue
The question above accurately reflects the thoughts of most security practitioners as they approach this subject. How is the question misleading? To lean on a common idiom, it focuses on the trees rather than the forest.It is the management of physical and IT security that must be integrated. No one is going to integrate a brick wall and a database. However, the management of who is allowed inside the wall and inside the database must be integrated, or there will be gaps in the organization’s security. Figure 1 below illustrates the concept of integrated security management. Whenever you hear or read the phrase “integration of physical and IT security,” think “integration of physical and IT security management” and you’ll be on the right track.
We Learn – A Continuous Learning Forum
Welingkar’s Distance Learning Division
Information Security
We Learn – A Continuous Learning Forum
Welingkar’s Distance Learning Division
Information Security
While it is true that many of the physical and IT security processes and procedures must be integrated at the technology level, it is not the technology that defines the integration. The business processes and procedures define it; the technology implements it. That's why the first step in integrating physical and IT security is an examination of security-related business requirements and the physical and IT security processes that support them. The integration of the business processes will determine where integration of physical security and IT technology is required
We Learn – A Continuous Learning Forum
Welingkar’s Distance Learning Division
Information Security
We Learn – A Continuous Learning Forum
Welingkar’s Distance Learning Division
Information Security
We Learn – A Continuous Learning Forum
Types of control Examples
Physical control
Doors & Lock, Security gates, raised floors, double doors, ups system
IT related Password, Directory services, Firewall, antivirus Application server, Hot standby server, backup of software
Document related
Correct labeling, version control, copies of key documents
Application Specific
Data validation so that correct data only acceptedLength, Range, Code checkedProcess related checksOutput controls
Welingkar’s Distance Learning Division
Information Security StandardsBS 7799 Standard
The subject of IT security is therefore not one of merely putting appropriate control measures A process approach whereby the information security has• Defined organizational policy• Backed by management commitment• Necessary resources, Defined procedures• Appropriate control objectives• Suitable control measures• Recording & reviewing incidences• Continuous improvement of security process
We Learn – A Continuous Learning Forum
Welingkar’s Distance Learning Division
Information Security StandardsBS 7799 Standard
The BS7799 is a British standard which addresses precisely this aspect. It provides a comprehensive framework within which an organization can set up an effective Information Security Management System(ISMS)More specifically some of controls objectives which it describes include following• Management of ISMS• Physical security• Information processing• Access to information to IT employees, outsourced vendors• Access from remote location
We Learn – A Continuous Learning Forum
Welingkar’s Distance Learning Division
Information Security StandardsBS 7799 Standard
To implement the BS7799 standard an organization must take following steps.Define Information security policyOrganization & its management must demonstrate its commitment to information There must be formal reviews related with security incidentsRisk assessment. The organization must conduct risk assessment.This will help to identify the more important sources of risk. It would select from the following strategies Risk avoidance, Migration, Insurance or transfer Assumption of risk Cont…..
We Learn – A Continuous Learning Forum
Welingkar’s Distance Learning Division
Information Security StandardsBS 7799 Standard
• Based on the strategy decided for each risk asset combination it will select appropriate control to manage the risk.
• For instance to prevent unauthorized entry it may provide smart card or biometric entry
• The organization would have also identified detailed procedure for implementing and monitoring ,defined roles various controls, Dos & don’t to all employees
• Finally process needs to be sustained & continuously evaluated
We Learn – A Continuous Learning Forum
Welingkar’s Distance Learning Division
Information Security StandardsBusiness Continuity Planning (BCP)
Availability is one of the key elements in the information security. Failure in IT for e.g incidents like power failure, Virus attack can be disastrous
Organizations such as the stock exchange or a bank works on a Central data center. BCP outlines:The Objective of plan in event of disasterThe resourcesPriorities assigned for Business continuityProcedures to follow in the event of disaster Communication to outsider
We Learn – A Continuous Learning Forum
Welingkar’s Distance Learning Division
Information Security StandardsBusiness Continuity Planning (BCP)
The BCP ensures that certain critical business functions continue despite a disasterThe BCP also can be viewed from point of 3 stages• Pre-disaster• During the disaster• Post disasterThus each procedure should cover these three stagesDisaster Recovery is a set of plans to enable an organization to come back to normalcy
We Learn – A Continuous Learning Forum
Welingkar’s Distance Learning Division
Information Security StandardsBusiness Continuity Planning (BCP)
Disaster RecoveryThe time frame within which the recovery must happen is a matter of practicality & organizations policy. Solutions used for BCP
We Learn – A Continuous Learning Forum
Hard disk crash RAID Arrays Mirror diskSAN/NAS solution
Complete data center crippled Hot remote site e.g. NSE has a hot site at Pune, which take over if Mumbai center fails
Telecom/ISP crashes Have a leased line from more than one ISP
Welingkar’s Distance Learning Division
Information Security StandardsBusiness Continuity Planning (BCP)
The choice of solution depends upon the perceived impact of the disaster on business continuityMost of the times the BCP/DR misses out on Mock DrillsThis can be best done thru simulation by generating a disaster conditions thereby enabling & training people to understand individual role at the time of disaster & specific actions to be taken
We Learn – A Continuous Learning Forum
Welingkar’s Distance Learning Division
Information Security
End of Chapter 18
We Learn – A Continuous Learning Forum