Chapter 2
Introduction to Information
Security
Slide 2
Learning Objectives:
Upon completion of this chapter you should be
able to:
– Understand what information security is and how it
came to mean what it does today.
– Comprehend the history of computer security and how
it evolved into information security.
– Understand the key terms and critical concepts of
information security as presented in the chapter.
– Outline the phases of the security systems
development life cycle.
– Understand the role of professionals involved in
information security in an organizational structure.
Slide 3
What Is Information Security?
Information security in today’s enterprise
is a “well-informed sense of assurance
that the information risks and controls are
in balance.” –Jim Anderson, Inovant (2002)
Slide 4
The History Of Information
Security
• Computer security began immediately after the first
mainframes were developed.
• Groups developing code-breaking computations during
World War II created the first modern computers.
• Physical controls were needed to limit access to
sensitive military locations to authorized personnel.
• Only rudimentary controls were available to defend
against physical theft, espionage, and sabotage.
Slide 5
The 1960s
The Department of Defense’s Advanced
Research Projects Agency (ARPA) began
examining the feasibility of redundant
networked communications.
Larry Roberts developed the project from
its inception.
Objectives: develop networking and
resource sharing
Slide 6
Figure 1-2 - ARPANET
Slide 7
The 1970s and 80s
• ARPANET grew in popularity, as did its potential
for misuse
• Fundamental problems with ARPANET security
were identified
– No safety procedures for dial-up connections to the
ARPANET
– User identification and authorization to the system
were non-existent
• In the late 1970s the microprocessor expanded
computing capabilities and security threats
Slide 8
The Start of the Study of Computer
Security
Information Security began with Rand
Report R-609
The scope of computer security grew from
physical security to include:
– Safety of the data
– Limiting unauthorized access to that data
– Involvement of personnel from multiple levels
of the organization
Slide 9
The 1990s
As networks of computers became more
common, so too did the need to interconnect
the networks.
Resulted in the Internet, the first manifestation
of a global network of networks.
In early Internet deployments, security was
treated as a low priority.
Slide 10
The Present
The Internet has brought millions of
computer networks into communication
with each other – many of them
unsecured.
The ability to secure each is now influenced by
the security of every computer to which it
is connected.
Slide 11
What Is Security?
• “The quality or state of being secure--to be
free from danger”
• To be protected from adversaries
• A successful organization should have multiple
layers of security in place:
– Physical security
– Personal security
– Operations security
– Communications security
– Network security
Slide 12
What Is Information Security?
• The protection of information and its critical
elements, including the systems and hardware
that use, store, and transmit that information
• Tools, such as policy, awareness, training,
education, and technology are necessary
• The C.I.A. triangle was the standard based on
confidentiality, integrity, and availability
• The C.I.A. triangle has expanded into a list of
critical characteristics of information
Slide 13
Critical Characteristics Of
Information
The value of information comes from the
characteristics it possesses.
– Availability
– Accuracy
– Authenticity
– Confidentiality
– Integrity
– Utility
– Possession
Slide 14
Components of an Information
System
• To fully understand the importance of information
security, you need to know the elements of an
information system.
• An Information System (IS) is much more than
computer hardware; it is the entire set of software,
hardware, data, people, and procedures
necessary to use information as a resource in the
organization.
Slide 15
Securing the Components
A computer can be the subject of an
attack, the object of an attack, or
both.
When a computer is
– the subject of an attack, it is used as an
active tool to conduct the attack
– the object of an attack, it is the entity being
attacked
Slide 16
Figure 1-5 – Subject and
Object of Attack
Slide 17
Balancing Security and Access
It is impossible to obtain perfect security -
it is not an absolute; it is a process.
Security should be considered a balance
between protection and availability.
To achieve balance, the level of security
must allow reasonable access, yet protect
against threats.
Slide 18
Security Implementation:
1) Bottom-up Approach
Security from a grass-roots effort - systems
administrators attempt to improve the
security of their systems.
Key advantage - technical expertise of the
individual administrators.
Seldom works, as it lacks a number of
critical features:
– participant support
– organizational staying power
Slide 19
Figure 1-7 – Approaches to
Security Implementation
Slide 20
2) Top-down Approach
• Initiated by upper management:
– issue policy, procedures, and processes
– dictate the goals and expected outcomes of the project
– determine who is accountable for each of the required
actions
• This approach has strong upper management support,
a dedicated champion, dedicated funding, clear
planning, and the chance to influence organizational
culture
• May also involve a formal development strategy
referred to as a systems development life cycle
– Most successful top-down approach
Slide 21
The Systems Development
Life Cycle
Information security must be managed in a
manner similar to any other major system
implemented in the organization.
Using a methodology
– ensures a rigorous process
– avoids missing steps
The goal is creating a comprehensive
security posture/program
Slide 22
Figure 1-8 – SDLC Waterfall
Methodology
Slide 23
SDLC and the SecSDLC
The SecSDLC may be
– event-driven - started in response to some
occurrences or
– plan-driven - as a result of a carefully developed
implementation strategy
At the end of each phase comes a structured
review
Slide 24
1) Investigation
What is the problem the system is being
developed to solve?
– The objectives, constraints, and scope of the
project are specified
– A preliminary cost/benefit analysis is
developed
– A feasibility analysis is performed to assess
the economic, technical, and behavioral
feasibilities of the process
Slide 25
2) Analysis
• Consists primarily of
– assessments of the organization
– the status of current systems
– capability to support the proposed systems
• Analysts begin to determine
– what the new system is expected to do
– how the new system will interact with existing systems
• Ends with the documentation of the findings and
a feasibility analysis update
Slide 26
3) Logical Design
• Based on business need, applications capable of
providing the needed services are selected
• Based on the applications needed, data support and
structures capable of providing the needed inputs
are identified
• Finally, based on all of the above, specific
ways to implement the physical solution are
chosen
• At the end, another feasibility analysis is
performed
Slide 27
4) Physical Design
Specific technologies are selected to
support the alternatives identified and
evaluated in the logical design.
Selected components are evaluated based
on a make-or-buy decision.
Entire solution is presented to the end-user
representatives for approval.
Slide 28
5) Implementation
Components are ordered, received,
assembled, and tested
Users are trained and documentation
created
Users are then presented with the system
for a performance review and acceptance
test
Slide 29
6) Maintenance and Change
Tasks necessary to support and modify the
system for the remainder of its useful life.
The life cycle continues until the process
begins again from the investigation phase.
When the current system can no longer
support the mission of the organization, a
new project is implemented.
Slide 30
Security Systems Development Life
Cycle (SecSDLC)
The same phases used in the traditional
SDLC adapted to support the specialized
implementation of a security project
Basic process is identification of threats
and controls to counter them
The SecSDLC is a coherent program
rather than a series of random, seemingly
unconnected actions
Slide 31
1) Investigation
Identifies process, outcomes and goals of
the project, and constraints
Begins with a statement of program
security policy
Teams are organized, problems analyzed,
and scope defined, including objectives
and constraints not covered in the program
policy
An organizational feasibility analysis is
performed
Slide 32
2) Analysis
Analysis of existing security policies or
programs, along with documented current
threats and associated controls.
Includes an analysis of relevant legal
issues that could impact the design of the
security solution.
The risk management task (identifying,
assessing, and evaluating the levels of
risk) also begins.
Slide 33
3) Logical & Physical Design
• Creates blueprints for security
• Critical planning and feasibility analyses to
determine whether or not the project should
continue
• In physical design, security technology is
evaluated, alternatives generated, and final
design selected
• At end of phase, feasibility study determines
readiness so all parties involved have a chance
to approve the project
Slide 34
4) Implementation
The security solutions are acquired (made
or bought), tested, and implemented, and
tested again.
Personnel issues are evaluated and
specific training and education programs
conducted.
Finally, the entire tested package is
presented to upper management for final
approval.
Slide 35
5) Maintenance and Change
The maintenance and change phase is
perhaps most important, given the high
level of ingenuity in today’s threats.
The reparation and restoration of
information is a constant duel with an
often unseen adversary.
As new threats emerge and old threats
evolve, the information security profile of
an organization requires constant
adaptation.
Slide 36
Security Professionals and the
Organization
It takes a wide range of professionals to
support a diverse information security
program.
To develop and execute specific security
policies and procedures, additional
administrative support and technical
expertise are required.
Slide 37
Senior Management
• Chief Information Officer (CIO)
– the senior technology officer
– primarily responsible for advising the senior
executive(s) for strategic planning
• Chief Information Security Officer (CISO)
– responsible for the assessment, management, and
implementation of securing the information in the
organization
– may also be referred to as the Manager for Security,
the Security Administrator, or a similar title
Slide 38
Security Project Team
A number of individuals who are experienced in
one or multiple requirements of both the
technical and non-technical areas:
– The team leader
– Security policy developers
– Risk assessment specialists
– Security professionals
– Systems administrators
– End users
Slide 39
Data Ownership
Data Owner - responsible for the security
and use of a particular set of information
Data Custodian - responsible for the
storage, maintenance, and protection of
the information.
Data Users - the end systems users who
work with the information to perform their
daily jobs supporting the mission of the
organization.
Slide 40
Information Security: Is it an
Art or a Science?
With the level of complexity in today’s
information systems, the implementation
of information security has often been
described as a combination of art and
science.
