Faculty of Information Technology, Hanoi University
PRINCIPLES AND PRACTICES
Contents
I. Security Threats
II. Information Security Frameworks and Architecture
III. Pillars of Security
IV. Implementation of Information Security
V. Principles of Information Security
SECURITY THREATS
SECURITY THREATS - ASSETS
1. Hardware: Including computer systems and other data processing, data storage, and data communications devices.
A major threat to computer system hardware is the threat to availability. Theft of PCs, workstations, and equipment such as CD-ROMs and DVDs can also lead to loss of confidentiality. Physical and administrative security measures are needed to deal with these threats.
SECURITY THREATS - ASSETS
2. Software: Including the operating system, system utilities, and applications.
- A key threat to software is an attack on availability. Application software is often easy to delete. Software can also be altered or damaged to render it useless.
- Careful software configuration management, which includes making backups of the most recent version of software, can maintain high availability.
- Software modification that results in a program that still functions but behaves differently than before is a threat to integrity/authenticity.
- Computer viruses and related attacks fall into this category.
- A final problem is protection against software piracy; the problem of unauthorized copying of software has not been solved.
SECURITY THREATS - ASSETS
3. Data: Including files and databases, as well as security-related data, such as password files.
- Availability concerns the destruction of data files, which can occur either accidentally or maliciously.
- Secrecy concerns the unauthorized reading of data files or databases.
- Integrity concerns modifications to data files, which can have consequences ranging from minor to disastrous.
SECURITY THREATS - ASSETS
4. Communication facilities and networks: Local and wide area network communication links, bridges, routers, and so on.
- A passive attack attempts to learn or make use of information from the system but does not affect system resources.
  - Passive attacks are difficult to detect because they do not involve any alteration of the data. The message traffic is sent and received in an apparently normal fashion, and neither the sender nor the receiver is aware that a third party has read the messages or observed the traffic pattern.
  - Use encryption to prevent these attacks.
- An active attack attempts to alter system resources or affect their operation.
  - Active attacks involve some modification of the data stream or the creation of a false stream and can be subdivided into four categories: replay, masquerade, modification of messages, and denial of service.
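The active-attack categories listed above can be made concrete with a small message-authentication check. The following Python example is added here and is not part of the lecture slides: a sender attaches a sequence number and an HMAC-SHA256 tag to each message, and the receiver rejects replayed messages (a sequence number it has already seen), modified messages (the tag no longer matches the content) and masqueraded messages (a party claiming to be alice but without the shared key). The shared key, the party names and the message contents are constructed for the demonstration. The example does not address denial of service, and it does not show encryption, which is what prevents the passive attacks described above.

```python
import hashlib
import hmac
import json

# Constructed demo secret; real deployments provision per-peer keys out of band.
SHARED_KEY = b"demo-shared-key-not-for-production"


def _canonical(msg: dict) -> bytes:
    """Deterministic encoding so sender and receiver authenticate identical bytes."""
    return json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()


def _tag(key: bytes, msg: dict) -> str:
    """HMAC-SHA256 over the canonical message, which includes its sequence number."""
    return hmac.new(key, _canonical(msg), hashlib.sha256).hexdigest()


class Sender:
    """Attaches a monotonically increasing sequence number and an HMAC tag to each message."""

    def __init__(self, key: bytes, identity: str):
        self.key = key
        self.identity = identity
        self.seq = 0

    def send(self, payload: str) -> tuple:
        self.seq += 1
        msg = {"from": self.identity, "seq": self.seq, "payload": payload}
        return msg, _tag(self.key, msg)


class Receiver:
    """Checks the tag (modification, masquerade) and the sequence number (replay)."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = 0

    def receive(self, msg: dict, tag: str) -> tuple:
        # Constant-time comparison so the check itself does not leak the tag.
        if not hmac.compare_digest(_tag(self.key, msg), tag):
            return False, "tag mismatch"   # modified in transit, or not produced with the shared key
        if msg["seq"] <= self.last_seq:
            return False, "replay"         # this sequence number (or a later one) was already accepted
        self.last_seq = msg["seq"]
        return True, "ok"


def simulate_attacks() -> dict:
    """Run one genuine exchange and the replay, modification and masquerade cases against it."""
    alice = Sender(SHARED_KEY, "alice")
    bob = Receiver(SHARED_KEY)
    results = {}
    msg1, tag1 = alice.send("transfer 10 to carol")
    results["genuine"] = bob.receive(msg1, tag1)
    # Replay: a captured, unmodified message is delivered again later.
    results["replay"] = bob.receive(msg1, tag1)
    # Modification: the payload is changed but the original tag is kept.
    msg2, tag2 = alice.send("transfer 20 to carol")
    results["modification"] = bob.receive(dict(msg2, payload="transfer 2000 to mallory"), tag2)
    # Masquerade: a party without the shared key claims to be alice.
    mallory = Sender(b"not-the-shared-key", "alice")
    results["masquerade"] = bob.receive(*mallory.send("transfer 500 to mallory"))
    # The untouched second message still goes through.
    results["genuine_after_attacks"] = bob.receive(msg2, tag2)
    return results


if __name__ == "__main__":
    for case, outcome in simulate_attacks().items():
        print(f"{case:22s} accepted={outcome[0]!s:5s} reason={outcome[1]}")
```

The receiver checks the tag before the sequence number, so a forged or altered message is reported as a tag mismatch even when its sequence number happens to be stale; only messages that pass the tag check can be classified as replays.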
SECURITY THREATS - VULNERABILITY
A system or network has three general categories of vulnerability:
- It can be corrupted, so that it does the wrong thing or gives wrong answers. For example, stored data values may differ from what they should be because they have been improperly modified.
- It can become leaky. For example, someone who should not have access to some or all of the information available through the network obtains such access.
- It can become unavailable or very slow. That is, using the system or network becomes impossible or impractical.
INFORMATION SECURITY FRAMEWORKS AND ARCHITECTURE
- An information security framework provides guidance for the effective implementation of information security in the organization and for the development of an effective information security architecture.
- Such a framework or architecture enables you to prevent attacks, to detect and react to attacks, or to recover from attacks.
- To protect information and data from the above threats, organizations typically have “layers of protection.”
Lecture 02-Principles and practices.pptx
INFORMATION SECURITY FRAMEWORKS AND ARCHITECTURE
- The Physical security layer ensures controls like secured access, asset control, and fire protection.
- The Access Control or User layer ensures clear authentication and authorization, and security clearance, through appropriate controls.
- The Application security layer ensures effective controls over web servers, databases, and applications through controls like encryption and identity management.
- The Network security layer provides protection through controls like the firewall and IDS/IPS.
- The Platform/Host security layer ensures controls like host IDS/IPS and anti-virus software.
INFORMATION SECURITY FRAMEWORKS AND ARCHITECTURE
There are various security frameworks provided by various standards, models, or methodologies. Some of these are:
- An Information Security Management Systems framework provided by Information technology – Security techniques – Information security management systems – Requirements (ISO/IEC 27001:2013), supported by Information technology – Security techniques – Code of practice for information security controls (ISO/IEC 27002:2013) and related standards.
- NIST Special Publication 800-39: Managing Information Security Risk: Organization, Mission, and Information System View, complemented by SP 800-53 Revision 4: Security and Privacy Controls for Federal Information Systems and Organizations.
- SABSA® (SABSA® is a registered trademark of The SABSA Institute, which governs and co-ordinates the worldwide development of the SABSA Method.)
PILLARS OF SECURITY
1. People
- The strongest pillar but also the weakest one, because of lack of awareness or bad motives
- Easily prone to social engineering attacks or other malicious attacks
2. Organization of Information Security
- Everybody needs to be involved: receptionists, security staff, housekeeping staff, top managers, and so on
- Requires commitment from all levels of an organization to ensure the effectiveness of information security
- Plan and implement information security to protect the organization, customers, partners, suppliers, and other relevant stakeholders
PILLARS OF SECURITY
3. Policies, Procedures, and Processes
- Describe how the intent of the policies is to be implemented
- Detail step-by-step instructions on how to carry out the work so that the intentions of these policies are adhered to
- Need to be reviewed and kept current
- Training is a must, and should be ongoing and continual
- Information security is incomplete without clearly defined policies
- Policies provide guidance to everyone and depict the commitment of management to them
- Some of the policies that are important to most organizations:
  - Information Security Management Systems Policy
  - Access Control Policy
  - Information Classification and Handling Policy
  - Physical and Environmental Security Policy
  - Acceptable Use of Assets Policy
  - Clear Desk and Clear Screen Policy
  - Privacy and Protection of Personally Identifiable Information Policy
  - Mobile Devices and Teleworking Policy
  - Backup Policy
  - Restrictions on Software Installations and Use Policy
  - Protection from Malware Policy
  - Management of Technical Vulnerabilities Policy
  - Information Transfer Policy
  - Communications Security Policy
  - Cryptographic Controls Policy
  - Policy on Supplier Relationships
4. Technology
- Should fulfil the requirements of the information security architecture
- Automated monitoring and alerting systems, logging systems, detection systems, preventive systems, and recovery systems. Examples are firewalls, IDS/IPS, and anti-virus software
IMPLEMENTATION OF INFORMATION SECURITY
1. Risk assessment
- Vulnerabilities and threats to information assets, including those from the outside world
2. Planning and Architecture
- Identify the owners for various activities, roles, and responsibilities
- The schedules used should also clearly depict the timelines
- The steps planned depend upon the methodology or framework used
- An effective information security infrastructure or architecture provides ease of use and generates confidence in all the stakeholders, including business users
IMPLEMENTATION OF INFORMATION SECURITY
3. Gap analysis
- Ensures a check on the implementation of the policies, procedures, and processes, as well as on the effectiveness of the existing protective mechanisms or controls, including the effectiveness of the information security architecture
- May be done through periodic risk re-assessments, leading to additional controls being implemented through new risk treatment plans
IMPLEMENTATION OF INFORMATION SECURITY
4. Integration and deployment
- An integrated view, at all times, of the totality of the business and the organization is required
- Effective deployment of all intended policies, procedures, and processes, along with the intended implementation of the information security architecture and its various layers, is required
- Incomplete implementation or inadequate attention to any one of the layers may defeat the controls built into other layers
- Relevant people need to be trained, and tools, if any, need to be configured appropriately. The correct working of such tools should be confirmed by testing as required; defects, if any, have to be fixed or their impact understood, and only then should these tools be used
IMPLEMENTATION OF INFORMATION SECURITY
5. Operations
- Information security should not be ignored in day-to-day operations
- It should be an integral part of all the activities
- Operations need to be carried out strictly according to the established policies, procedures, and processes
- Any violation, whether to speed up the activities or through ignorance, can lead to serious consequences
- Example: not checking the backup media through periodic restoration may mean the tape is not readable or restorable when required, or backups were not taken because the system administrators were busy with another activity
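The backup example in the last bullet is the kind of operational check that can be automated rather than left to memory. The Python script below is an added example and not part of the lecture slides: it archives a constructed file tree, restores the archive into a scratch directory and compares every restored file's SHA-256 digest with the digest recorded at backup time, so an unreadable or altered backup is found during a routine test rather than during a real recovery. The file names and contents are constructed, and the "media damage" case is simulated by truncating the archive.

```python
import hashlib
import tarfile
import tempfile
import zlib
from pathlib import Path


def sha256_tree(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256 hex digest."""
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digests[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def make_backup(src: Path, archive: Path) -> dict:
    """Write src into a gzip-compressed tar archive and return the digests recorded at backup time."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")
    return sha256_tree(src)


def verify_restore(archive: Path, expected: dict) -> tuple:
    """Restore the archive into a scratch directory and compare it with the recorded digests.

    Returns (ok, problems); ok is True only when every recorded file restores with the same digest.
    """
    with tempfile.TemporaryDirectory() as scratch:
        target = Path(scratch)
        try:
            with tarfile.open(archive, "r:gz") as tar:
                try:
                    tar.extractall(target, filter="data")   # refuses paths outside target (Python 3.12+)
                except TypeError:                            # older Python without the filter argument
                    tar.extractall(target)
        except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
            return False, [f"restore failed: {exc}"]
        restored = sha256_tree(target)
    problems = [f"missing after restore: {name}" for name in expected if name not in restored]
    problems += [f"digest mismatch: {name}" for name in expected
                 if name in restored and restored[name] != expected[name]]
    return not problems, problems


def run_demo() -> dict:
    """Back up a constructed tree, then verify a clean restore, a wrong digest, and a damaged archive."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "data"
        (src / "sub").mkdir(parents=True)
        (src / "config.ini").write_text("[db]\nhost=db.internal\n")    # constructed sample files
        (src / "sub" / "users.csv").write_text("id,name\n1,alice\n")
        archive = work / "backup.tar.gz"
        expected = make_backup(src, archive)
        results = {"clean": verify_restore(archive, expected)}
        # A digest record that no longer matches the restored content is reported by name.
        wrong = dict(expected, **{"config.ini": "0" * 64})
        results["digest_mismatch"] = verify_restore(archive, wrong)
        # Simulate media damage: keep only the first quarter of the compressed archive bytes.
        data = archive.read_bytes()
        archive.write_bytes(data[: len(data) // 4])
        results["damaged_media"] = verify_restore(archive, expected)
    return results


if __name__ == "__main__":
    for case, (ok, problems) in run_demo().items():
        print(f"{case:16s} ok={ok} {problems}")
```

The digests are recorded at backup time and kept separately from the archive, which is what makes the restore test meaningful: a backup that restores without error but yields different content is still a failed backup.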
IMPLEMENTATION OF INFORMATION SECURITY
6. Monitoring and Forensic Analysis
- Any organization needs to keep monitoring the threats to it so that it can react to them effectively and on time
- For example, finding out about all intruder activity manually through logs is a huge task. There are many tools available to monitor, filter, detect, and/or correct and alert on such aspects, such as firewalls and IDS/IPS. Even simple things like disk space monitoring and bandwidth usage monitoring, if not done on a timely basis, may lead to systems not being usable or available
- Sometimes forensic analysis (where the causes may not be obvious or straightforward) may have to be carried out
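The slide's two points, that reading logs by hand does not scale and that even simple resource monitoring matters, as an added Python example that is not part of the lecture: it scans a few constructed OpenSSH-style auth log lines to count failed logins per source address, flags sources above a threshold and accepted logins that follow earlier failures from the same address, and applies warning/critical thresholds to disk usage figures. The log lines, host name, addresses (taken from the documentation ranges) and usage percentages are all constructed; `live_usage_percent` uses the standard library's `shutil.disk_usage` to read real figures on a host.

```python
import re
import shutil
from collections import Counter, defaultdict

# Constructed OpenSSH-style auth log lines (documentation address ranges, invented host and times).
SAMPLE_AUTH_LOG = """\
Mar  3 02:14:01 web01 sshd[4021]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Mar  3 02:14:03 web01 sshd[4021]: Failed password for invalid user admin from 203.0.113.45 port 51023 ssh2
Mar  3 02:14:05 web01 sshd[4021]: Failed password for root from 203.0.113.45 port 51024 ssh2
Mar  3 02:14:06 web01 sshd[4021]: Failed password for root from 203.0.113.45 port 51025 ssh2
Mar  3 02:14:08 web01 sshd[4021]: Failed password for invalid user test from 203.0.113.45 port 51026 ssh2
Mar  3 02:14:09 web01 sshd[4021]: Failed password for invalid user oracle from 203.0.113.45 port 51027 ssh2
Mar  3 02:20:11 web01 sshd[4102]: Failed password for alice from 198.51.100.7 port 40211 ssh2
Mar  3 02:20:19 web01 sshd[4102]: Accepted publickey for alice from 198.51.100.7 port 40212 ssh2
Mar  3 02:31:44 web01 sshd[4150]: Accepted password for bob from 198.51.100.9 port 40550 ssh2
"""

IPV4 = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from " + IPV4)
ACCEPTED_RE = re.compile(r"Accepted \S+ for (?P<user>\S+) from " + IPV4)


def summarize_failures(log_text: str) -> dict:
    """Per source address: (number of failed logins, sorted distinct usernames tried)."""
    counts = Counter()
    users = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m["ip"]] += 1
            users[m["ip"]].add(m["user"])
    return {ip: (counts[ip], sorted(users[ip])) for ip in counts}


def brute_force_sources(log_text: str, threshold: int = 5) -> list:
    """Source addresses with at least `threshold` failed logins in the window the log covers."""
    return sorted(ip for ip, (n, _) in summarize_failures(log_text).items() if n >= threshold)


def successes_after_failures(log_text: str) -> list:
    """(ip, user) for each accepted login from an address that had already failed earlier in the log."""
    failed_so_far = set()
    flagged = []
    for line in log_text.splitlines():
        if m := FAILED_RE.search(line):
            failed_so_far.add(m["ip"])
        elif (m := ACCEPTED_RE.search(line)) and m["ip"] in failed_so_far:
            flagged.append((m["ip"], m["user"]))
    return flagged


def disk_alerts(usage_percent: dict, warn: int = 80, crit: int = 90) -> list:
    """Threshold check over {mount: percent used}; returns (mount, level, percent), most severe first."""
    alerts = []
    for mount, pct in usage_percent.items():
        if pct >= crit:
            alerts.append((mount, "CRITICAL", pct))
        elif pct >= warn:
            alerts.append((mount, "WARNING", pct))
    return sorted(alerts, key=lambda a: (a[1] != "CRITICAL", -a[2]))


def live_usage_percent(mounts) -> dict:
    """Read real filesystem usage for the given mount points (feeds disk_alerts on a live host)."""
    result = {}
    for mount in mounts:
        usage = shutil.disk_usage(mount)
        result[mount] = round(100 * usage.used / usage.total)
    return result


if __name__ == "__main__":
    print("failed logins by source:", summarize_failures(SAMPLE_AUTH_LOG))
    print("brute-force sources:", brute_force_sources(SAMPLE_AUTH_LOG))
    print("accepted logins to review:", successes_after_failures(SAMPLE_AUTH_LOG))
    # Constructed usage figures; on a real host use live_usage_percent(["/", "/var/log"]) instead.
    print("disk alerts:", disk_alerts({"/": 42, "/var/log": 91, "/data": 83}))
```

The accepted-after-failures list is a review queue, not a verdict: in the sample it flags alice's key login after one failed password attempt from the same address, which an analyst can quickly confirm as benign, while the six failures from 203.0.113.45 across four usernames are the pattern worth blocking at the firewall or IPS the slide mentions.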
IMPLEMENTATION OF INFORMATION SECURITY
7. Legal compliance and audit
- One of the biggest threats to an organization’s existence is non-compliance with legal requirements
- Organizations can be permanently shut down if the non-compliance is severe
- There are many laws enacted to prevent the misuse of information technology, and special skills may be required to understand compliance in the context of information technology
- Hence, periodic audits by knowledgeable independent or internal experts will help organizations
IMPLEMENTATION OF INFORMATION SECURITY
8. Crisis management
- The terms Crisis Management Plan, Business Continuity Plan, and Disaster Recovery Plan are used interchangeably to denote a single entity
- Organizations can face crises because of natural disasters, mistakes by employees or senior management, or because of external attacks such as attacks from hackers
- Organizations need to respond effectively and also restore their business to normalcy after such attacks
- A well-planned business continuity and crisis management plan should be put in place
- Disaster recovery and business continuity should become an integral part
Principles of Information Security
Principle 1: Computer Security Supports the Mission of the Organization
As we have seen, every organization has objectives to achieve, whether they are business goals or social goals. Any other system, whether an information technology system, a procedure, or otherwise, is rendered useless if it does not enable the achievement of these primary objectives of the organization alongside the goals of the system itself.
Principles of Information Security
Principle 2: Computer Security is an Integral Element of Sound Management
This principle is straightforward, and it could not be more relevant than in today’s world. In today’s well-connected world, where attacks can happen on any system from any other part of the world and nobody can be absolutely sure of the protection put in place, information security can be ignored only at the peril of the organization.
Principles of Information Security
Principle 3: Computer Security Should Be Cost-Effective
At the end of the day, every organization has to sustain and grow its business and profitability. Even organizations with social objectives have limited funding available to them, and the expectation is that they use it judiciously. Hence, just because an excellent security system is available in the market, one should not go ahead with it unless the benefits accrued by its usage are far greater than the costs of its purchase and implementation. This is one of the fundamental requirements for any organization of any size in any business.
Principles of Information Security
Principle 4: Systems Owners Have Security Responsibilities Outside Their Own Organization
Today, in the era of the Internet and web applications, many systems are used by users, whether employees or customers, from outside the organization’s physical boundaries. Every individual has the right to be assured that the system or applications that she/he is using are secure. It is the organization’s responsibility to ensure that safety is built into these applications and that their users are duly assured of the security in them. No organization can shirk its responsibility in this regard, as the growth of business, in recent times, depends on new tools of doing business.
Principles of Information Security
Principle 5: Computer Security Responsibilities and Accountability Should Be Made Explicit
Having clarity is what makes the difference when it comes to achievement. As we have seen, decisions are not made by the people who normally work with the data because the authorities are not clearly defined and assigned. Such a state of confusion can lead to disasters in organizations today, as computer security incidents or breaches, and the disasters resulting from them, have to be dealt with using speed, precision, and clarity.
Principles of Information Security
Principle 6: Computer Security Requires a Comprehensive and Integrated Approach
Most organizations operate in a highly competitive environment. For their efficiency and effectiveness, all aspects of the business, business enablers, and business protection systems have to work in perfect harmony and need to complement and supplement each other seamlessly in a comprehensive and integrated approach. This is what we have emphasized throughout our discussions in this chapter, including in the context of information security frameworks and architecture.
Principles of Information Security
Principle 7: Computer Security Should Be Periodically Reassessed
As we discussed earlier, change is the only constant in this world. In a changing context, we need to navigate in the right direction. In order to check our direction and make course corrections, we need to carry out periodic reassessment of the organization’s computer security. We have already discussed the benefits of periodic gap analysis through periodic risk assessment as a means of course correction.
Principles of Information Security
Principle 8: Computer Security is Constrained by Societal Factors
It is true that there is a possibility of conflict between information security requirements and societal factors, e.g. logging activities and privacy requirements. While each of them has significance of its own, we need to ensure a balance between them. The balancing depends upon the context and expectations. It is possible that under certain circumstances, one can complement and support the other.
Summary
I. Security Threats
II. Information Security Frameworks and Architecture
III. Pillars of Security
IV. Implementation of Information Security
V. Principles of Information Security
Q & A

More Related Content

PPT
Information security
PPT
Information security
PPTX
Information Security Blueprint
PDF
Fundamentals of-information-security
PPTX
SECURITY AND CONTROL
PPT
IT-Security-20210426203847.ppt
PPT
IT-Security Assessment for IT assets.ppt
PPT
IT-Security-20210426203847.ppt
Information security
Information security
Information Security Blueprint
Fundamentals of-information-security
SECURITY AND CONTROL
IT-Security-20210426203847.ppt
IT-Security Assessment for IT assets.ppt
IT-Security-20210426203847.ppt

Similar to Lecture 02-Principles and practices.pptx (20)

PPT
IT-Security-20210426203847.ppt
PDF
Unit 1&2.pdf
PPTX
Information security: importance of having defined policy & process
PPT
MIS chap # 9.....
PPTX
Security Policies and Standards
PDF
1678784047-mid_sem-2.pdf
PPT
Security information for internet and security
PPT
168581476-Critical-Characteristics-of-Information-In-Information-Security.ppt
PPTX
Information Systems Policy
PDF
Ch08 8 Information Security Process it-slideshares.blogspot.com
PDF
Describe two methods for communicating the material in an Informatio.pdf
PPT
chapter 1. Introduction to Information Security
PPT
Information security management
PPT
Security analysis
PPT
Analityk jakis robi durne prezentacje by
PDF
IA 124 Lecture 01 2022 -23-1.pdf hahahah
PPTX
Security and control in mis
PDF
Ch09 Information Security Best Practices
PPTX
Security Ch-1.pptx
PPTX
Foundation of the information securiety
IT-Security-20210426203847.ppt
Unit 1&2.pdf
Information security: importance of having defined policy & process
MIS chap # 9.....
Security Policies and Standards
1678784047-mid_sem-2.pdf
Security information for internet and security
168581476-Critical-Characteristics-of-Information-In-Information-Security.ppt
Information Systems Policy
Ch08 8 Information Security Process it-slideshares.blogspot.com
Describe two methods for communicating the material in an Informatio.pdf
chapter 1. Introduction to Information Security
Information security management
Security analysis
Analityk jakis robi durne prezentacje by
IA 124 Lecture 01 2022 -23-1.pdf hahahah
Security and control in mis
Ch09 Information Security Best Practices
Security Ch-1.pptx
Foundation of the information securiety
Ad

Recently uploaded (20)

PDF
BMEC211 - INTRODUCTION TO MECHATRONICS-1.pdf
PPTX
MET 305 2019 SCHEME MODULE 2 COMPLETE.pptx
DOCX
573137875-Attendance-Management-System-original
PPTX
bas. eng. economics group 4 presentation 1.pptx
PPTX
Sustainable Sites - Green Building Construction
PPTX
Lecture Notes Electrical Wiring System Components
PPTX
CYBER-CRIMES AND SECURITY A guide to understanding
PPTX
Lesson 3_Tessellation.pptx finite Mathematics
PPTX
MCN 401 KTU-2019-PPE KITS-MODULE 2.pptx
PPT
Drone Technology Electronics components_1
PPTX
Welding lecture in detail for understanding
PPTX
Fluid Mechanics, Module 3: Basics of Fluid Mechanics
PPTX
Internet of Things (IOT) - A guide to understanding
PDF
Evaluating the Democratization of the Turkish Armed Forces from a Normative P...
PDF
Structs to JSON How Go Powers REST APIs.pdf
PPTX
CH1 Production IntroductoryConcepts.pptx
PPTX
FINAL REVIEW FOR COPD DIANOSIS FOR PULMONARY DISEASE.pptx
PDF
Digital Logic Computer Design lecture notes
PDF
Arduino robotics embedded978-1-4302-3184-4.pdf
PDF
July 2025 - Top 10 Read Articles in International Journal of Software Enginee...
BMEC211 - INTRODUCTION TO MECHATRONICS-1.pdf
MET 305 2019 SCHEME MODULE 2 COMPLETE.pptx
573137875-Attendance-Management-System-original
bas. eng. economics group 4 presentation 1.pptx
Sustainable Sites - Green Building Construction
Lecture Notes Electrical Wiring System Components
CYBER-CRIMES AND SECURITY A guide to understanding
Lesson 3_Tessellation.pptx finite Mathematics
MCN 401 KTU-2019-PPE KITS-MODULE 2.pptx
Drone Technology Electronics components_1
Welding lecture in detail for understanding
Fluid Mechanics, Module 3: Basics of Fluid Mechanics
Internet of Things (IOT) - A guide to understanding
Evaluating the Democratization of the Turkish Armed Forces from a Normative P...
Structs to JSON How Go Powers REST APIs.pdf
CH1 Production IntroductoryConcepts.pptx
FINAL REVIEW FOR COPD DIANOSIS FOR PULMONARY DISEASE.pptx
Digital Logic Computer Design lecture notes
Arduino robotics embedded978-1-4302-3184-4.pdf
July 2025 - Top 10 Read Articles in International Journal of Software Enginee...
Ad

Lecture 02-Principles and practices.pptx

  • 1. Faculty of InformationTechnology, Hanoi University PRINCIPLES AND PRACTICES
  • 2. Contents I. SecurityThreats II. Information Security Frameworks andArchitecture III. Pillars of Security IV. Implementation of Information Security V. Principles of Information Security
  • 4. SECURITY THREATS - ASSETS 1. Hardware: Including computer systems and other data processing, data storage, and data communications devices A major threat to computer system hardware is the threat to availability. Theft of PC, workstation, equipment such as CD-ROMs and DVDs can lead to loss of confidentiality. Physical and administrative security measures are needed to deal with these threats
  • 5. SECURITY THREATS - ASSETS 2. Software: Including the operating system, system utilities, and applications.  A key threat to software is an attack on availability. Application software is often easy to be deleted. Software can also be altered or damaged to render it useless.  Careful software configuration management, which includes making backups of the most recent version of software, can maintain high availability.  Software modification that results in a program that still functions but that behaves differently than before, which is a threat to integrity/authenticity.  Computer viruses and related attacks fall into this category.  A final problem is protection against software piracy, the problem of unauthorized copying of software has not been solved.
  • 6. SECURITY THREATS - ASSETS 3. Data: Including files and databases, as well as security- related data, such as password files Availability concerns destruction of data files, which can occur either accidentally or maliciously Secrecy concerns unauthorized reading of data files or databases Integrity concerns modifications to data files can have consequences ranging from minor to disastrous.
  • 7. SECURITY THREATS - ASSETS 4. Communication facilities and networks: Local and wide area network communication links, bridges, routers, and so on  A passive attack attempts to learn or make use of information from the system but does not affect system resources, Difficult to detect because they do not involve any alteration of the data. The message traffic is sent and received in an apparently normal fashion and neither the sender nor receiver is aware that a third party has read the messages or observed the traffic pattern Use encryption to prevent these attacks  An active attack attempts to alter system resources or affect their operation Involve some modification of the data stream or the creation of a false stream and can be subdivided into four categories: replay, masquerade, modification of messages, and denial of service
  • 8. SECURITY THREATS - VULNERABILITY  It can be corrupted, so that it does the wrong thing or gives wrong answers. For example, stored data values may differ from what they should be because they have been improperly modified.  It can become leaky. For example, someone who should not have access to some or all of the information available through the network obtains such access.  It can become unavailable or very slow.That is, using the system or network becomes impossible or impractical.
  • 9. INFORMATION SECURITY FRAMEWORKS AND ARCHITECTURE  Information security framework provides guidance for the effective implementation of information security in the organization and development of an effective information security architecture  Such framework or architecture enables you to either prevent or detect and react to attacks or to recover from attacks  To protect information and data from the above threats, organizations typically have “layers of protection.”
  • 11. INFORMATION SECURITY FRAMEWORKS AND ARCHITECTURE  The Physical security layer ensures controls like secured access, asset control, and fire protection  The Access Control or User Layer ensures clear authentication and authorization, the security clearance through appropriate controls  The Application security layer ensures effective controls over web servers, databases, and applications through various controls like encryption and identity management  The Network security layer provides protection through controls like the firewall, IDS/IPS  The Platform/Host security layer ensures controls like Host IDS/IPS, and anti-virus software
  • 12. INFORMATION SECURITY FRAMEWORKS AND ARCHITECTURE There are various Security Frameworks that are provided by various standards or models or methodologies. Some of these are  An Information Security Management Systems Framework provided by InformationTechnology – security techniques – information security management systems – requirements (ISO/IEC27001:2013)supported by InformationTechnology – security techniques – code of practice for information security controls (ISO/IEC 27002:2013) and related standards.  NIST Special Publication 800-39: Managing Information Security Risk: Organization, Mission, and Information SystemView complemented by 800- 53 Revision 4: Security and Privacy Controls for Federal Information Systems and Organizations.  SABSA® ( SABSA® is a registered trademark ofThe SABSA Institute which governs and co-ordinates the worldwide development of the SABSA Method.)
  • 15. PILLARS OF SECURITY 1. People: - Strongest pillars also the weakest ones because of the lack of awareness or bad motives - Easily prone to social engineering attacks or other malicious attacks. 2. Organization of Information Security - Everybody needs to involve: receptionists, security staff, housekeeping staff, top managers… - Requires commitment from all levels of an organization to ensure the effectiveness of information security - Plan and implement information security to protect the organization, customers, partners, suppliers, and other relevant stakeholders
  • 16. PILLARS OF SECURITY 3. Policies, Procedures, and Processes - Describe how the intent of the policies is to be implemented - Detail step-by-step instructions on how to carry on the work so that the intentions of these policies are adhered to - Need to be reviewed and kept current - Training is a must, and should be ongoing and continual - Information security is incomplete without clearly defined policies - Policies provide guidance to everyone and depict the commitment of management to them. - Some of the policies that are important to most of the organizations:
  • 17.  Information Security Management Systems Policy  Access Control Policy  Information Classification and Handling Policy  Physical and Environmental Security Policy  Acceptable Use ofAssets Policy  Clear Desk and Clear Screen Policy  Privacy and Protection of Personally Identifiable Information Policy  Mobile Devices andTeleworking Policy  Backup Policy  Restrictions on Software Installations and Use Policy PILLARS OF SECURITY
  • 18.  Protection from Malware Policy  Management ofTechnicalVulnerabilities Policy  InformationTransfer Policy  Communications Security Policy  Cryptographic Controls Policy  Policy on Supplier Relationships 4.Technology - Should fulfil the requirement of information security architecture - Auto monitoring and alerting systems, logging systems, detecting systems, preventive systems, and recovery systems. Examples are firewalls, IDS/IPS, and anti-virus software PILLARS OF SECURITY
  • 20. IMPLEMENTATION OF INFORMATION SECURITY 1. Risk assessment -Vulnerabilities and threats to information assets even from the outside world 2. Planning and Architecture - Identify the owners for various activities, roles, and responsibilities - Schedules used also clearly depicts the timelines - The steps planned depend upon the methodology or framework used - Effective information security infrastructure or architecture provides ease of use and generates confidence to all the stakeholders including business users
  • 21. IMPLEMENTATION OF INFORMATION SECURITY 3. Gap analysis - Ensures a check on the implementation of the policies, procedures, and processes, as well as the effectiveness of the existing protective mechanisms or controls including the effectiveness of the information security architecture - May be done through periodical risk re-assessments leading to additional controls to be implemented through new risk treatment plans
  • 22. IMPLEMENTATION OF INFORMATION SECURITY 4. Integration and deployment - An integrated view at all times in the totality of the business and the organization is required - Effective deployment of all intended policies, procedures, and processes, along with the intended implementation of information security architecture and its various layers is required - Incomplete implementation or inadequate attention to any one of the layers may defeat the controls built in other layers. - Relevant people need to be trained, and tools, if any, need to be configured appropriately.The correct working of such tools should be confirmed by testing as required and defects, if any, have to be fixed or their impact understood and only then these tools have to be used.
  • 23. IMPLEMENTATION OF INFORMATION SECURITY 5. Operations - Information security should not be ignored in day-to-day operations - It should be an integral part of all the activities. - Operations need to be carried out strictly according to the established policies, procedures, and processes - Any violation to speed up the activities or ignorance can lead to serious consequences - Example: Not checking the backup media through periodical restoration may lead to the tape being not readable or restorable when required, or backups were not taken because the system administrators were busy on another activity
  • 24. IMPLEMENTATION OF INFORMATION SECURITY 6. Monitoring and Forensic Analysis - Any organization needs to keep monitoring the threats to it so that it can react to the threats effectively and on time - For example, to find out about all the intruder activities manually through logs is a humungous activity.There are many tools available to monitor, filter, detect, and/or to correct and alert on such aspects such as: firewalls and IDS/IPS. Even simple things like disk space monitoring and bandwidth usage monitoring, if not done on a timely basis, may lead to systems not being usable or available - Sometimes the forensic analysis (where the causes may not be obvious or straight forward) may have to be carried out
  • 25. IMPLEMENTATION OF INFORMATION SECURITY 7. Legal compliance and audit - One of the biggest threats to an organization’s existence is non- compliance to legal requirements - Organizations can be permanently shut down if the non- compliance is severe. - There are a lot of laws enacted to prevent the misuse of information technology which may require special skills to understand the compliance in the context of information technology - Hence, periodic audits by knowledgeable independent or internal experts will help the organizations
  • 26. IMPLEMENTATION OF INFORMATION SECURITY 8. Crisis management - The Crisis Management Plan, Business Continuity Plan, or Disaster Recovery Plan are interchangeably used to denote a single entity - Organizations can face crisis because of natural disasters, mistakes of employees, senior management, or because of the external attacks like the attacks from the hackers. - Organizations need to respond effectively and also restore their business back to normalcy after such attacks - a well-planned business continuity and crisis management plan should be put in place - Disaster recovery and business continuity should become an integral part
• 27. Principles of Information Security
Principle 1: Computer Security Supports the Mission of the Organization
As we have seen, every organization has objectives to achieve, whether they are business goals or social goals. Any other system, whether an information technology system, a set of procedures, or otherwise, is rendered useless if it does not enable the achievement of these primary objectives of the organization alongside the goals of the system itself.
• 28. Principles of Information Security
Principle 2: Computer Security is an Integral Element of Sound Management
This principle is straightforward, and it could not be more relevant than in today's world. In today's well-connected world, where an attack on any system can come from any other part of the world and nobody can be absolutely sure of the protection put in place, information security can be ignored only at the peril of the organization.
• 29. Principles of Information Security
Principle 3: Computer Security Should Be Cost-Effective
At the end of the day, every organization has to sustain itself and grow its business and profitability. Even organizations with social objectives have limited funding available to them, and the expectation is that they use it judiciously. Hence, just because an excellent security system is available in the market, one should not go ahead with it unless the benefits accrued from its use far exceed the costs of its purchase and implementation. This is one of the fundamental requirements for any organization of any size in any business.
• 30. Principles of Information Security
Principle 4: Systems Owners Have Security Responsibilities Outside Their Own Organization
Today, in the era of the Internet and web applications, many systems are used by users, whether employees or customers, from outside the organization's physical boundaries. Every individual has the right to be assured that the system or application she/he is using is secure. It is the organization's responsibility to ensure that safety is built into these applications and that their users are duly assured of the security in them. No organization can shirk its responsibility in this regard, as the growth of business in recent times depends on these new tools of doing business.
• 31. Principles of Information Security
Principle 5: Computer Security Responsibilities and Accountability Should Be Made Explicit
Having clarity is what makes the difference when it comes to achievement. As we have seen, decisions are not made by the people who normally work with the data because authority is not clearly defined and assigned. Such a state of confusion can lead to disasters in organizations today, as computer security incidents or breaches, and the disasters arising from them, have to be dealt with using speed, precision, and clarity.
• 32. Principles of Information Security
Principle 6: Computer Security Requires a Comprehensive and Integrated Approach
Most organizations operate in a highly competitive environment. For their efficiency and effectiveness, all aspects of the business, its business enablers, and its business protection systems have to work in perfect harmony and need to complement and supplement each other seamlessly in a comprehensive and integrated approach. This is what we have emphasized throughout our discussions in this chapter, including in the context of information security frameworks and architecture.
• 33. Principles of Information Security
Principle 7: Computer Security Should Be Periodically Reassessed
As we discussed earlier, change is the only constant in this world. In a changing context, we need to keep navigating in the right direction. In order to check our direction and make course corrections, we need to reassess the organization's computer security periodically. We have already discussed the benefits of periodic gap analysis through periodic risk assessment as a means of course correction.
• 34. Principles of Information Security
Principle 8: Computer Security is Constrained by Societal Factors
It is true that information security requirements and societal factors may conflict, e.g. logging of activities versus privacy requirements. While each of them has significance of its own, we need to ensure a balance between them. The balance depends upon the context and expectations. It is possible that under certain circumstances, one can complement and support the other.
• 35. Summary
I. Security Threats
II. Information Security Frameworks and Architecture
III. Pillars of Security
IV. Implementation of Information Security
V. Principles of Information Security
  • 36. Q & A