Information Systems 365/765
Information Systems Security and Strategy
Lecture 2
Introduction to Information Security
Information Security Defined

Protecting information and information
systems from unauthorized access, use,
disclosure, disruption, modification, or
destruction. Information security is
concerned with the confidentiality,
integrity and availability of data regardless
of the form the data may take: electronic,
print, or other forms.
Why Study Information Security in the School of Business?
• Businesses collect mass amounts of data
  about their customers, employees, and
  competitors
• Most of this data is stored on computers
  and transmitted across networks
• If this information should fall into the
  hands of a competitor, the result could
  be loss of business, lawsuits and
  bankruptcy
• Protecting corporate data is no longer an
  option, it is a requirement
What Types of Jobs Do Information Security Professionals Hold?
• Information Systems Auditor
• Business Continuity and
  Disaster Recovery Planning
  and Implementation
• Digital Forensics
• Infrastructure Design
• Business Integration
History of Information Security

• Throughout history, confidentiality
  of information has always played a
  key role in military conflict
• Confidentiality
• Tampering
• Authenticity
• Physical protection
• Background checks
• Encryption
Key Concept of Information Security. The single most
important slide in this course!
Confidentiality, Integrity, Availability (CIA Triad)
Confidentiality
Confidentiality is the process of
preventing disclosure of
information to unauthorized
individuals or systems.

Examples: Credit card, Shoulder
Surfing, Laptop theft

Confidentiality is necessary, but not
sufficient to maintain privacy
Integrity
Integrity means that data
cannot be modified without
authorization.

Examples: Manual deletion or
alteration of important data
files, Virus infection, Employee
altering their own salary,
website vandalism, polling fraud

In Information Security, the term “data
integrity” should not be confused with
Database referential integrity
Availability
For any information system to serve its purpose,
the information must be available when it is
needed. This means that the computing systems
used to store and process the information, the
security controls used to protect it, and the
communication channels used to access it must be
functioning correctly.

Examples: Power outages, Hardware failures,
System upgrades and Preventing denial-of-service
attacks
Authenticity
In computing, e-Business and
information security it is necessary
to ensure that the data,
transactions, communications or
documents (electronic or physical)
are genuine (i.e. they have not been
forged or fabricated.)

Examples: Passport, Credit card
Accounts, academic transcripts
Non-Repudiation
Non-Repudiation is a complex
term used to describe the lack
of deniability of ownership of a
message, piece of data, or
transaction.

Examples: Proof of an ATM
transaction, a stock trade, or an
email
Strong Information Security = Solid Risk Management
Proper risk management involves understanding and
controlling risks, vulnerabilities and threats.

Risk is the likelihood that
something bad will happen that
causes harm or loss of an
informational asset.

Vulnerability is a weakness
that could be used to endanger or
cause harm to an informational
asset.

Threat is anything deliberate or random and
unanticipated that has the potential to cause harm.
Risk Management
The likelihood that a threat will use a
vulnerability to cause harm creates a risk.

When a threat does use a vulnerability to
inflict harm, it has an impact.

In the context of information security, the impact is
a loss of availability, integrity, and confidentiality,
and possibly other losses (lost income, loss of life,
loss of real property).

It should be pointed out that it is not possible to
identify all risks, nor is it possible to eliminate all
risk. The remaining risk is called residual risk.
Risk Assessment
A risk assessment is a formal project carried out by a
team of people who have knowledge of specific
areas of the business. Membership of the team may
vary over time as different parts of the business are
assessed.

The assessment may use a subjective qualitative
analysis based on informed opinion, or, where
reliable dollar figures and historical information are
available, the analysis may use quantitative
analysis as well.
Components of a Risk Assessment
• Security policy
• Organization of information security
• Asset management
• Human resources security
• Physical and environmental security
• Communications and operations management
• Access control, logical and physical
• Information systems acquisition and lifecycle management
• Development and maintenance
• Information security incident management
• Business continuity management
• Regulatory compliance
Risk Management Process
Identification of assets and estimating their value.
Include: people, buildings, hardware, software,
data (electronic, print, other), supplies.

Conduct a threat assessment. Include: acts of
nature, acts of war, accidents, malicious acts
originating from inside or outside the organization.

Conduct a vulnerability assessment, and for each
vulnerability, calculate the probability that it will be
exploited. Evaluate policies, procedures, standards,
training, physical security, quality control and
technical security.
Risk Management Process
Calculate the impact that each threat
would have on each asset. Use qualitative
analysis or quantitative analysis.

Identify, select and implement
appropriate controls. Provide a
proportional response. Consider
productivity, cost effectiveness, and value
of the asset.

Evaluate the effectiveness of the control
measures. Ensure the controls provide the
required cost effective protection without
discernible loss of productivity.
Risk Remedies
For any given risk, you may choose to:

Accept the risk based upon the relatively low value
of the asset, the relatively low frequency of
occurrence, and the relatively low impact on the
business.

Mitigate the risk by selecting and implementing
appropriate control measures to reduce the risk.

Transfer the risk to another business by buying
insurance or out-sourcing to another business.

Deny the risk, which is obviously dangerous.
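The risk management process and the risk remedies above, carried through as a small quantitative risk register. This is an added illustration, not code from the lecture: the asset values, probabilities and control costs are constructed sample figures, and the accept/mitigate/transfer decision policy is an assumption chosen to show a proportional, cost-effective response.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample register (not from the slides): made-up dollar values,
# annual probabilities and control costs used only to walk through the process.

@dataclass(frozen=True)
class Asset:
    name: str
    value: float                 # step 1: estimated value of the asset


@dataclass(frozen=True)
class Threat:
    name: str
    asset: str                   # asset the threat acts on
    probability: float           # step 3: annual probability the vulnerability is exploited
    impact_fraction: float       # step 4: share of the asset's value lost per occurrence


@dataclass(frozen=True)
class Control:
    name: str
    threat: str                  # threat the control addresses
    annual_cost: float
    residual_probability: float  # exploitation probability once the control is in place


def expected_loss(asset: Asset, threat: Threat, probability: Optional[float] = None) -> float:
    """Annualised expected loss: probability x impact fraction x asset value (dollars)."""
    p = threat.probability if probability is None else probability
    return round(p * threat.impact_fraction * asset.value, 2)


def choose_remedy(asset: Asset, threat: Threat, control: Optional[Control],
                  accept_threshold: float) -> tuple:
    """Return (remedy, inherent expected loss, residual expected loss).

    Assumed decision policy (this example's, not stated on the slides):
      accept   - inherent loss is at or below the acceptance threshold;
      mitigate - the control removes more expected loss than it costs;
      transfer - otherwise: too large to accept, no cost-effective control,
                 so the risk is insured or outsourced.
    The residual figure is the residual risk that remains after the remedy.
    """
    inherent = expected_loss(asset, threat)
    if inherent <= accept_threshold:
        return ("accept", inherent, inherent)
    if control is not None:
        residual = expected_loss(asset, threat, control.residual_probability)
        if inherent - residual > control.annual_cost:
            return ("mitigate", inherent, residual)
    return ("transfer", inherent, inherent)


def assess(assets, threats, controls, accept_threshold):
    """Run every threat in the register through choose_remedy; returns {threat: decision}."""
    by_name = {a.name: a for a in assets}
    ctl_for = {c.threat: c for c in controls}
    return {t.name: choose_remedy(by_name[t.asset], t, ctl_for.get(t.name), accept_threshold)
            for t in threats}


ASSETS = [Asset("customer database", 500_000), Asset("lobby kiosk", 3_000),
          Asset("data center", 2_000_000)]
THREATS = [Threat("laptop theft", "customer database", 0.20, 0.10),
           Threat("power outage", "lobby kiosk", 0.50, 0.20),
           Threat("flood", "data center", 0.05, 0.80)]
CONTROLS = [Control("full-disk encryption", "laptop theft", 2_000, 0.02),
            Control("relocate data center", "flood", 150_000, 0.005)]

if __name__ == "__main__":
    for name, (remedy, inherent, residual) in assess(ASSETS, THREATS, CONTROLS, 1_000).items():
        print(f"{name:13} {remedy:9} inherent ${inherent:>10,.2f}  residual ${residual:>10,.2f}")
```

With the sample figures the laptop-theft risk is mitigated (encryption costs less than the loss it removes), the kiosk outage is accepted, and the flood is transferred because relocation costs more than the expected loss it would avoid.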
Information Security Controls

When management chooses to
mitigate a risk, they will do so
by implementing one or more of
three different types of controls:

• Administrative Controls
• Logical/Technical Controls
• Physical Controls
Administrative Controls
Consist of approved written policies, procedures,
standards and guidelines.

Administrative controls form the framework for
running the business and managing people.

They inform people on how the business is to be run and
how day to day operations are to be conducted.

Laws and regulations created by government bodies are
also a type of administrative control, such as PCI, HIPAA,
FERPA and SOX.

Other examples of administrative controls include the
corporate security policy, password policy, hiring policies,
and disciplinary policies.
Separation of Duties is the most important and often
overlooked physical control
Separation of duties ensures that an individual
cannot complete a critical task by themselves.

For example: an employee who submits a request
for reimbursement should not also be able to
authorize payment or print the check.

An applications programmer should not also be the
server administrator or the database administrator.

These roles and responsibilities must be separated
from one another.
Logical Controls

Logical controls (also called technical
controls) consist of software and
data to monitor and control access
to information and computing
systems.

For example: passwords, network
and host based firewalls, network
intrusion detection systems, access
control lists, and data encryption are
logical controls.
The Principle of Least Privilege is the most important and
often overlooked logical control in IS
The principle of least privilege requires that an individual,
program or system process is not granted any more
access privileges than are necessary to perform the task.

A blatant example of the failure to adhere to the
principle of least privilege is logging into Windows as
user Administrator to read email and surf the Web.

Violations of this principle can also occur when an
individual collects additional access privileges over time:
• Job duties change (promotion, new position, etc.)
• They are promoted to a new position, or they transfer to
  another department.

Examine and adjust access rights for ALL employees on a
regular basis.
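A periodic access review that checks for both violations discussed on the two preceding slides: privileges accumulated beyond what the current role needs (least privilege) and conflicting duties held by one person (separation of duties). This is an added example, not code from the lecture; the roles, entitlement names, conflict pairs and employee records are constructed sample data.

```python
from collections import defaultdict

# Constructed sample data (assumptions for this example, not from the slides).
# Entitlements each job role legitimately needs:
ROLE_NEEDS = {
    "accounts payable clerk": {"submit_reimbursement"},
    "finance manager": {"authorize_payment"},
    "treasury": {"print_check"},
    "application programmer": {"commit_code", "deploy_staging"},
    "server administrator": {"server_root"},
    "database administrator": {"db_admin"},
}

# Pairs of entitlements that must never be held by one person, following the
# slide's examples: reimbursement request vs. payment/check, programmer vs. admin.
SOD_CONFLICTS = [
    ({"submit_reimbursement", "authorize_payment"}, "submits and authorizes the same reimbursement"),
    ({"submit_reimbursement", "print_check"}, "submits a reimbursement and prints the check"),
    ({"authorize_payment", "print_check"}, "authorizes payment and prints the check"),
    ({"commit_code", "server_root"}, "programmer is also the server administrator"),
    ({"commit_code", "db_admin"}, "programmer is also the database administrator"),
]


def review_access(employees):
    """Return {employee name: [findings]} for everyone with at least one finding.

    least-privilege:      an entitlement the employee's current role does not need,
                          typically kept from an earlier role after a promotion or transfer.
    separation-of-duties: the employee holds both halves of a conflicting pair.
    """
    findings = defaultdict(list)
    for person in employees:
        needed = ROLE_NEEDS[person["role"]]
        held = set(person["entitlements"])
        for extra in sorted(held - needed):
            findings[person["name"]].append(
                f"least-privilege: remove '{extra}' (not needed by {person['role']})")
        for pair, description in SOD_CONFLICTS:
            if pair <= held:  # both conflicting entitlements are held
                findings[person["name"]].append(f"separation-of-duties: {description}")
    return dict(findings)


# Constructed employee records: alice was promoted from clerk to manager and kept
# her old entitlement; bob was given root on the server he programs for.
EMPLOYEES = [
    {"name": "alice", "role": "finance manager",
     "entitlements": ["submit_reimbursement", "authorize_payment"]},
    {"name": "bob", "role": "application programmer",
     "entitlements": ["commit_code", "deploy_staging", "server_root"]},
    {"name": "carol", "role": "treasury", "entitlements": ["print_check"]},
]

if __name__ == "__main__":
    for name, items in review_access(EMPLOYEES).items():
        for item in items:
            print(f"{name}: {item}")
```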
Physical Controls
Physical controls monitor and control the
environment of the work place and computing
facilities. They also monitor and control access to
and from such facilities.

For example: doors, locks, heating and air
conditioning, smoke and fire alarms, fire
suppression systems, cameras, barricades,
fencing, security guards, cable locks, etc.

Separating the network and work place into
functional areas is also a physical control.
Security Classification of Information
An important aspect of information
security and risk management is
recognizing the value of information
and defining appropriate procedures
and protection requirements for the
information. Not all information is
equal and so not all information
requires the same degree of
protection. This requires information
to be assigned a security
classification.
Security Classification of Information
1. Identify a member of senior
management as the owner of the
particular information to be
classified.

2. Develop a classification policy.
The policy should describe the
different classification labels, define
the criteria for information to be
assigned a particular label, and list the
required security controls for each
classification.
Security Classification of Information
Some factors that influence which
classification information should be
assigned include:
1. How much value that information
has to the organization.
2. How old the information is and
whether or not the information has
become obsolete.
3. Laws and other regulatory
requirements are also important
considerations when classifying
information.
Information Security Classification Labels

Common information security
classification labels used by the
business sector are:
• Public
• Sensitive
• Private
• Confidential
Information Security Classification Labels
All employees in the organization, as well
as business partners, must be trained on
the classification schema and understand
the required security controls and handling
procedures for each classification.

The classification a particular information
asset has been assigned should be
reviewed periodically to ensure the
classification is still appropriate for the
information and to ensure the security
controls required by the classification are
in place.
