SlideShare a Scribd company logo

Intro.ppt

Download as PPT, PDF
R
RamaNingaiah

This document outlines the topics to be covered in a course on information security. The course is divided into 5 parts that cover topics such as access control, cryptography, risk analysis, business continuity planning, data classification, security awareness, computer systems security, telecommunications security, organization architecture, legal and regulatory issues, investigations, application security, physical security, operations security, information ethics, and policy development. Each topic is briefly described with its key elements and considerations. The document also discusses the Computer Security Act of 1987 and outlines the steps for developing a comprehensive security program.

Technology
1 of 51
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
CS 620 Introduction to Information Security Dr. Karen Forcht Department of Computer Science James Madison University
Part I (Overview, Access, Control, Cryptography, Risk Analysis) Part II (Business Continuity Planning, Data Classification, Security Awareness, Computer and System Security)
Part III (Telecommunications Security, Organization Architecture, Legal Regulatory Investigation) Part IV (Investigation, Application program Security, Physical Security, Operations Security)
Part V (Information Ethics, Policy Development)
Computer Security Act of 1987 Requires: • Sensitive systems and data must be identified • Plans for ensuring security and control of such systems must be created • Personnel training programs must be developed and in place
Development of Security Program • Objectives • Policies • Connectivity, Corporate Structure, and Security • Plans • Responsibilities
Security Policy Goals • Avoidance • Deterrence • Detection • Correction
Risk Analysis • Identify sensitivity of data • Determine value of systems and information • Assess threats and vulnerabilities (sabotage, environment, errors)
Purposes of Risk Analysis • No significant intentional or accidental threat is overlooked • Assure that cost-benefit analysis is reasonable
Contingency Plan • Purpose: Protect, detect, recover • Criticality: Formulated, communicated to ALL employees, tested regularly
Legal Issues • Licenses • Fraud/Misuse • Privacy • Copyright • Trade Secrets • Employee Agreements
Access Control Collection of mechanisms to restrain or prohibit use of information and systems Includes: Functions, implementation, good practices, environmental constraints
Considerations • Ownership of Data • Custodian of Data • Accountability • Reconciliation • Rule of Least Privilege
User Authentication and Password Management • Access Control • Knowledge-Based Authentication • Token-Based Authentication • Characteristic-Based Authentication • Password Management
Access Control • Policies • Procedures • Standards • Control
Cryptography Definition: Use of secret codes to provide integrity/confidentiality of information during transfer and storage Considerations: -Complexity -Secrecy - Characteristics of key
Definition: Encryption: plaintext to ciphertext Decryption: From ciphertext to plaintext
Key Management • Public vs. Private • Selecting Key • Management of the Keys • Protection of Keys • Testing of Keys • Updating Keys • Error Detection
Risk Management Includes ideas, models, methods, techniques to control risk Includes: -Assessment -Reduction -Protective measures -Risk Acceptance -Insurance
Considerations of Risk Assessment • Annual Loss Expectancy(ALE) • Asset Valuation/Inventory • Types of Attacks/Threats • Availability of Resources/Denial of Service • Detection • Exposure • Passive Threats • Perils • Prevention • Analysis/Assessment/Management of Risk • Data Valuation
Classification of People/Assets Should Include: -People -Procedures -Data/Information -Software -Hardware
Threat and Exposure Assessment • Density/Volume of Information • Accessibility of Systems • Complexity • Electronic Vulnerability • Media Vulnerability • Human Factors
Safeguards and Counter Measures • Prevent Exposures • Detect Attempted Threats • Correct the Causes of Threats
Business Continuity Planning (1) • Planning and Analysis Methods • Rates of Occurrence of Disabling Events • Availability and Use of Planning Tools/Aids • Identification of Business Success factors(BSF) and Critical capabilities(Critical or Key Success Factors (CSF/KSF)
Business Continuity Planning (2) • Alternative Sources of Supply • Legal and Regulatory Requirements
Backups and Procedures • Importance for Recovery • Data Value • Manuals and Documentation • Back Up Frequency • On-Line Systems • Equipment
The Three C’s -Catastrophe -Contingency -Continuation BE PREPARED!!!
Off-site Backups and Storage Two Control Points: 1. When backup material is being transferred to/from the site 2. When backup material is stored at the site (also consider in-house storage)
Data Classification • Elements and Objectives of a Classification Scheme • Criteria used to Classify Data • Procedures to be Used • Differences Between Government and Commercial Programs • Limitations • Program Implementation
To Be Included: • Distinguish Between Classification and Sensitivity • Classified vs. Sensitive • Data Elements • Handling of Data • Identify Criteria • Classification Schemes • Rule of Users Managers • Effect of Data Aggregation on Classification • Techniques for Avoiding Disclosure
Security Awareness Include: • Corporate Policies, Procedures, Intentions • Areas Where Remedial Actions are Needed • Assessment of Threats and Vulnerabilities • Technology Trends • Behaviors to be Encouraged • User Motives • Applicable Laws and Regulation • Available/Applicable Communication Channels/Media
Administrative/Organizational Controls • Policies • Awareness • Employee Non-Disclosure Considerations • Employee Training • Telecommuting Considerations • Effects of Technological Changes/Updates
Personnel Considerations • Human Motives for Criminal Action • Employee Selection • Professional Certificates • Working Environment • Technological Updates (Effect on Users) • Employee Separation
Computer and System Security Professionals Should Understand: • Computer Organizations, Architectures, Designs • Source and Origin of Security Requirements • Advantages/Disadvantages of Various Architectures • Security Features/Functions of Various Components • Choices to be Considered When Selecting Components
Common Flaws and Penetration Methods • Operating Systems Flaws • Penetration Techniques(Trojan Horses, Virus, Salami Attack, Deception)
Viruses • Design • Protection • Recovery • Prevention • Counter Measures
Telecommunications Security • Objectives • hazards and Exposures • Effects of Topology, Media, Protocols, Switching • Hazards and Classes of Attack • Defenses and Protective Measures
Methods • Aborted Connection • Active Wiretapping • Between - The - Lines Entry • Call Back • Emanations • Covert Channel • Cross-Talk • Eavesdropping • Electronic Funds Transfer(EFT) • Handshaking
Considerations • Transmission Technologies • Bandwidth • Connectivity Potential • Geographical Scope • Noise Immunity • Security • Applications • Relative Cost
System Security Officer • Organizational Knowledge (Structural and Behavioral) • Technical Knowledge • Accounting/Audit Concepts • Personnel Administration Matters • Laws/Legislation • Strategic/Tactical Planning • Labor/Negotiation/Strategies/Tactics
Computer Security Incidence Response • Goals • Constituency • Structure • Management Support/Funding • Charter • Handbook of Operations • Staffing
Legal/Regulatory • Federal Laws/Regulations • State Laws/Regulations • International Issues • Organizational/Agency Considerations • Personal Behavior • Remedies to Constituents • Civil vs. Criminal Law • Pending Legislation
Computer Crime • Fraud • Embezzlement • Unauthorized Access • “White Collar” Crime • Theft of Hardware/Copying Software • Physical Abuse • Misuse of Information • Privacy/Confidentiality Violations • Intellectual Property • Negligence • License Agreements
Investigation • Legal Requirements for Maintaining a Trail of Evidence • Interrogation Techniques • Legal Limits on Interrogation Methods Permitted
Application Program Security • Distribution of Controls Between Application and System • Controls Specific to Key, Common, or Industry Applications • Criteria for Selection and Application • Tests for Adequacy • Standards for Good Practice
Software Controls • Development • Maintenance • Assurance • Specification and Verification • Database Security Controls • Accounting/Auditing
Physical Security • Site/Building Location • External characteristics/Appearance • Location of Computer Centers • Construction Standards • Electrical Power(UPS) • Water/Fire Considerations • Traffic/Access Control • Air Conditioning/Exhaust • Entrances/Exits • Furnishings • Storage of Media/Supplies
Operations Security • Resources to be Protected • Privileges to be Restricted • Available Control Mechanisms • Potential for Abuse of Access • Appropriateness of Controls • Acceptable Norms of Good Practice
Information Ethics Doing the Right Thing!! • Privacy/Confidentiality • Common Good • Professional Societies • Professional Certifications
Policy Development Considerations: • Have Longevity • Be Jargon Free • Be Independent of Jobs, Titles, or Positions • Set Objectives • Fix Responsibility • Provide Resources • Allocate Staff • Be Implemented Using Standards and Guidelines
That’s All Folks (and not a minute too soon!!) I’m Looking Forward to working With You!!!!

More Related Content

PPT
Intro kavindu rasanjahshdjdhhjxjxuxgxjdjs
rasanjakavindu54
 
PDF
CNIT 125: Ch 2. Security and Risk Management (Part 1)
Sam Bowne
 
PDF
1. Security and Risk Management
Sam Bowne
 
PPTX
Security Foundation and Incident Mgmt and BCMS.pptx
MohsenMojabi1
 
PDF
1. Security and Risk Management
Sam Bowne
 
PPTX
Security Baselines and Risk Assessments
Priyank Hada
 
PPTX
Introduction to Information security ppt
krishkiran2408
 
PPTX
Introduction to Information security ppt
krishkiran2408
 
Intro kavindu rasanjahshdjdhhjxjxuxgxjdjs
rasanjakavindu54
 
CNIT 125: Ch 2. Security and Risk Management (Part 1)
Sam Bowne
 
1. Security and Risk Management
Sam Bowne
 
Security Foundation and Incident Mgmt and BCMS.pptx
MohsenMojabi1
 
1. Security and Risk Management
Sam Bowne
 
Security Baselines and Risk Assessments
Priyank Hada
 
Introduction to Information security ppt
krishkiran2408
 
Introduction to Information security ppt
krishkiran2408
 

Similar to Intro.ppt (20)

PPT
Testing
lorenceman
 
PPTX
Week 9- 1 information security slides.pptx
hassanarif1022
 
PPTX
Database development and security certification and accreditation plan pitwg
John M. Kennedy
 
PDF
1 info sec+risk-mgmt
madunix
 
PDF
Internal Controls Over Information Systems
Jeffrey Paulette
 
PDF
Fundamentals of Information Systems Security
dmjldssgz284
 
PPTX
Security and Risk Management Practices.pptx
harshadrai2
 
PDF
Chapter 12 iso 27001 awareness
newbie2019
 
PDF
(eBook PDF) Information Security: Principles and Practices 2nd Edition
rrnohojhxx852
 
PPTX
Cybersecurity Frameworks and You: The Perfect Match
McKonly & Asbury, LLP
 
PPT
InfoSecConcepts.ppt
MobileAntitheft
 
PPT
2.4.1 - Intro to Cyber Security for students.ppt
rameshselvarajkkp
 
PPTX
ISO27k Awareness presentation.pptx
harigopala
 
PPTX
ch1.pptx Chapter 1 of CISSP ch1.pptx Chapter 1 of CISSPch1.pptx Chapter 1 of ...
drsajjad13
 
PPTX
MIS: Information Security Management
Jonathan Coleman
 
PPT
chapter 1. Introduction to Information Security
elmuhammadmuhammad
 
PPTX
SECURITY AND CONTROL
shinydey
 
PPTX
An Introduction to Cyber security
Samanvay Jain
 
PPT
M014 Confluence Presentation 08 15 06
gbroadbent67
 
PPSX
1 Info Sec+Risk Mgmt
Alfred Ouyang
 
Testing
lorenceman
 
Week 9- 1 information security slides.pptx
hassanarif1022
 
Database development and security certification and accreditation plan pitwg
John M. Kennedy
 
1 info sec+risk-mgmt
madunix
 
Internal Controls Over Information Systems
Jeffrey Paulette
 
Fundamentals of Information Systems Security
dmjldssgz284
 
Security and Risk Management Practices.pptx
harshadrai2
 
Chapter 12 iso 27001 awareness
newbie2019
 
(eBook PDF) Information Security: Principles and Practices 2nd Edition
rrnohojhxx852
 
Cybersecurity Frameworks and You: The Perfect Match
McKonly & Asbury, LLP
 
InfoSecConcepts.ppt
MobileAntitheft
 
2.4.1 - Intro to Cyber Security for students.ppt
rameshselvarajkkp
 
ISO27k Awareness presentation.pptx
harigopala
 
ch1.pptx Chapter 1 of CISSP ch1.pptx Chapter 1 of CISSPch1.pptx Chapter 1 of ...
drsajjad13
 
MIS: Information Security Management
Jonathan Coleman
 
chapter 1. Introduction to Information Security
elmuhammadmuhammad
 
SECURITY AND CONTROL
shinydey
 
An Introduction to Cyber security
Samanvay Jain
 
M014 Confluence Presentation 08 15 06
gbroadbent67
 
1 Info Sec+Risk Mgmt
Alfred Ouyang
 

Recently uploaded (20)

PDF
Univ-Connecticut-ChatGPT-Presentaion.pdf
ry7r52mzb4
 
PDF
Hindi spoken digit analysis for native and non-native speakers
IAESIJAI
 
PDF
Microsoft Solutions Partner Drive Digital Transformation with D365.pdf
Microsoft Dynamics
 
PPTX
OMC Textile Division Presentation 2021.pptx
JahangirAlam816069
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PPTX
SOPHOS-XG Firewall Administrator PPT.pptx
AgnesMunisi
 
PDF
Zenith AI: Advanced Artificial Intelligence
Biz Preneurs
 
PDF
Transform Your ITIL® 4 & ITSM Strategy with AI in 2025.pdf
PDCA Consulting
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PDF
August Patch Tuesday
Ivanti
 
PDF
1 - Historical Antecedents, Social Consideration.pdf
tuazon2030627
 
PDF
Hybrid model detection and classification of lung cancer
IAESIJAI
 
PDF
DASA ADMISSION 2024_FirstRound_FirstRank_LastRank.pdf
rameswartudu05
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PPTX
Chapter 5: Probability Theory and Statistics
RandyFin
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
A comparative study of natural language inference in Swahili using monolingua...
IAESIJAI
 
PDF
Enhancing emotion recognition model for a student engagement use case through...
IAESIJAI
 
PDF
Heart disease approach using modified random forest and particle swarm optimi...
IAESIJAI
 
PPTX
TechTalks-8-2019-Service-Management-ITIL-Refresh-ITIL-4-Framework-Supports-Ou...
bonakiduza1024
 
Univ-Connecticut-ChatGPT-Presentaion.pdf
ry7r52mzb4
 
Hindi spoken digit analysis for native and non-native speakers
IAESIJAI
 
Microsoft Solutions Partner Drive Digital Transformation with D365.pdf
Microsoft Dynamics
 
OMC Textile Division Presentation 2021.pptx
JahangirAlam816069
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
SOPHOS-XG Firewall Administrator PPT.pptx
AgnesMunisi
 
Zenith AI: Advanced Artificial Intelligence
Biz Preneurs
 
Transform Your ITIL® 4 & ITSM Strategy with AI in 2025.pdf
PDCA Consulting
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
August Patch Tuesday
Ivanti
 
1 - Historical Antecedents, Social Consideration.pdf
tuazon2030627
 
Hybrid model detection and classification of lung cancer
IAESIJAI
 
DASA ADMISSION 2024_FirstRound_FirstRank_LastRank.pdf
rameswartudu05
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Chapter 5: Probability Theory and Statistics
RandyFin
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
A comparative study of natural language inference in Swahili using monolingua...
IAESIJAI
 
Enhancing emotion recognition model for a student engagement use case through...
IAESIJAI
 
Heart disease approach using modified random forest and particle swarm optimi...
IAESIJAI
 
TechTalks-8-2019-Service-Management-ITIL-Refresh-ITIL-4-Framework-Supports-Ou...
bonakiduza1024
 

Intro.ppt

  • 1. CS 620 Introduction to Information Security Dr. Karen Forcht Department of Computer Science James Madison University
  • 2. Part I (Overview, Access, Control, Cryptography, Risk Analysis) Part II (Business Continuity Planning, Data Classification, Security Awareness, Computer and System Security)
  • 3. Part III (Telecommunications Security, Organization Architecture, Legal Regulatory Investigation) Part IV (Investigation, Application program Security, Physical Security, Operations Security)
  • 4. Part V (Information Ethics, Policy Development)
  • 5. Computer Security Act of 1987 Requires: • Sensitive systems and data must be identified • Plans for ensuring security and control of such systems must be created • Personnel training programs must be developed and in place
  • 6. Development of Security Program • Objectives • Policies • Connectivity, Corporate Structure, and Security • Plans • Responsibilities
  • 7. Security Policy Goals • Avoidance • Deterrence • Detection • Correction
  • 8. Risk Analysis • Identify sensitivity of data • Determine value of systems and information • Assess threats and vulnerabilities (sabotage, environment, errors)
  • 9. Purposes of Risk Analysis • No significant intentional or accidental threat is overlooked • Assure that cost-benefit analysis is reasonable
  • 10. Contingency Plan • Purpose: Protect, detect, recover • Criticality: Formulated, communicated to ALL employees, tested regularly
  • 11. Legal Issues • Licenses • Fraud/Misuse • Privacy • Copyright • Trade Secrets • Employee Agreements
  • 12. Access Control Collection of mechanisms to restrain or prohibit use of information and systems Includes: Functions, implementation, good practices, environmental constraints
  • 13. Considerations • Ownership of Data • Custodian of Data • Accountability • Reconciliation • Rule of Least Privilege
  • 14. User Authentication and Password Management • Access Control • Knowledge-Based Authentication • Token-Based Authentication • Characteristic-Based Authentication • Password Management
  • 15. Access Control • Policies • Procedures • Standards • Control
  • 16. Cryptography Definition: Use of secret codes to provide integrity/confidentiality of information during transfer and storage Considerations: -Complexity -Secrecy - Characteristics of key
  • 18. Key Management • Public vs. Private • Selecting Key • Management of the Keys • Protection of Keys • Testing of Keys • Updating Keys • Error Detection
  • 19. Risk Management Includes ideas, models, methods, techniques to control risk Includes: -Assessment -Reduction -Protective measures -Risk Acceptance -Insurance
  • 20. Considerations of Risk Assessment • Annual Loss Expectancy(ALE) • Asset Valuation/Inventory • Types of Attacks/Threats • Availability of Resources/Denial of Service • Detection • Exposure • Passive Threats • Perils • Prevention • Analysis/Assessment/Management of Risk • Data Valuation
  • 21. Classification of People/Assets Should Include: -People -Procedures -Data/Information -Software -Hardware
  • 22. Threat and Exposure Assessment • Density/Volume of Information • Accessibility of Systems • Complexity • Electronic Vulnerability • Media Vulnerability • Human Factors
  • 23. Safeguards and Counter Measures • Prevent Exposures • Detect Attempted Threats • Correct the Causes of Threats
  • 24. Business Continuity Planning (1) • Planning and Analysis Methods • Rates of Occurrence of Disabling Events • Availability and Use of Planning Tools/Aids • Identification of Business Success factors(BSF) and Critical capabilities(Critical or Key Success Factors (CSF/KSF)
  • 25. Business Continuity Planning (2) • Alternative Sources of Supply • Legal and Regulatory Requirements
  • 26. Backups and Procedures • Importance for Recovery • Data Value • Manuals and Documentation • Back Up Frequency • On-Line Systems • Equipment
  • 28. Off-site Backups and Storage Two Control Points: 1. When backup material is being transferred to/from the site 2. When backup material is stored at the site (also consider in-house storage)
  • 29. Data Classification • Elements and Objectives of a Classification Scheme • Criteria used to Classify Data • Procedures to be Used • Differences Between Government and Commercial Programs • Limitations • Program Implementation
  • 30. To Be Included: • Distinguish Between Classification and Sensitivity • Classified vs. Sensitive • Data Elements • Handling of Data • Identify Criteria • Classification Schemes • Rule of Users Managers • Effect of Data Aggregation on Classification • Techniques for Avoiding Disclosure
  • 31. Security Awareness Include: • Corporate Policies, Procedures, Intentions • Areas Where Remedial Actions are Needed • Assessment of Threats and Vulnerabilities • Technology Trends • Behaviors to be Encouraged • User Motives • Applicable Laws and Regulation • Available/Applicable Communication Channels/Media
  • 32. Administrative/Organizational Controls • Policies • Awareness • Employee Non-Disclosure Considerations • Employee Training • Telecommuting Considerations • Effects of Technological Changes/Updates
  • 33. Personnel Considerations • Human Motives for Criminal Action • Employee Selection • Professional Certificates • Working Environment • Technological Updates (Effect on Users) • Employee Separation
  • 34. Computer and System Security Professionals Should Understand: • Computer Organizations, Architectures, Designs • Source and Origin of Security Requirements • Advantages/Disadvantages of Various Architectures • Security Features/Functions of Various Components • Choices to be Considered When Selecting Components
  • 35. Common Flaws and Penetration Methods • Operating Systems Flaws • Penetration Techniques(Trojan Horses, Virus, Salami Attack, Deception)
  • 36. Viruses • Design • Protection • Recovery • Prevention • Counter Measures
  • 37. Telecommunications Security • Objectives • hazards and Exposures • Effects of Topology, Media, Protocols, Switching • Hazards and Classes of Attack • Defenses and Protective Measures
  • 38. Methods • Aborted Connection • Active Wiretapping • Between - The - Lines Entry • Call Back • Emanations • Covert Channel • Cross-Talk • Eavesdropping • Electronic Funds Transfer(EFT) • Handshaking
  • 39. Considerations • Transmission Technologies • Bandwidth • Connectivity Potential • Geographical Scope • Noise Immunity • Security • Applications • Relative Cost
  • 40. System Security Officer • Organizational Knowledge (Structural and Behavioral) • Technical Knowledge • Accounting/Audit Concepts • Personnel Administration Matters • Laws/Legislation • Strategic/Tactical Planning • Labor/Negotiation/Strategies/Tactics
  • 41. Computer Security Incidence Response • Goals • Constituency • Structure • Management Support/Funding • Charter • Handbook of Operations • Staffing
  • 42. Legal/Regulatory • Federal Laws/Regulations • State Laws/Regulations • International Issues • Organizational/Agency Considerations • Personal Behavior • Remedies to Constituents • Civil vs. Criminal Law • Pending Legislation
  • 43. Computer Crime • Fraud • Embezzlement • Unauthorized Access • “White Collar” Crime • Theft of Hardware/Copying Software • Physical Abuse • Misuse of Information • Privacy/Confidentiality Violations • Intellectual Property • Negligence • License Agreements
  • 44. Investigation • Legal Requirements for Maintaining a Trail of Evidence • Interrogation Techniques • Legal Limits on Interrogation Methods Permitted
  • 45. Application Program Security • Distribution of Controls Between Application and System • Controls Specific to Key, Common, or Industry Applications • Criteria for Selection and Application • Tests for Adequacy • Standards for Good Practice
  • 46. Software Controls • Development • Maintenance • Assurance • Specification and Verification • Database Security Controls • Accounting/Auditing
  • 47. Physical Security • Site/Building Location • External characteristics/Appearance • Location of Computer Centers • Construction Standards • Electrical Power(UPS) • Water/Fire Considerations • Traffic/Access Control • Air Conditioning/Exhaust • Entrances/Exits • Furnishings • Storage of Media/Supplies
  • 48. Operations Security • Resources to be Protected • Privileges to be Restricted • Available Control Mechanisms • Potential for Abuse of Access • Appropriateness of Controls • Acceptable Norms of Good Practice
  • 49. Information Ethics Doing the Right Thing!! • Privacy/Confidentiality • Common Good • Professional Societies • Professional Certifications
  • 50. Policy Development Considerations: • Have Longevity • Be Jargon Free • Be Independent of Jobs, Titles, or Positions • Set Objectives • Fix Responsibility • Provide Resources • Allocate Staff • Be Implemented Using Standards and Guidelines
  • 51. That’s All Folks (and not a minute too soon!!) I’m Looking Forward to working With You!!!!