Introduction to Information Security
Computer Security
About Me
S. Katheeskumar (National Diploma in ICT)
katheeskumar@outlook.com
www.katheesh.github.io
Batticaloa, Sri Lanka
Objectives
• Understand the definition of information security
• Understand the critical characteristics of information
• Understand the comprehensive model for information security
• Outline the approaches to information security implementation
• Outline the phases of the security systems development life cycle
• Understand the key terms of information security
Introduction
• Information security: a “well-informed sense of assurance that the
information risks and controls are in balance.” —James Anderson,
Inovant (2002)
• The practice of defending information from unauthorized access, use,
disclosure, disruption, modification, perusal, inspection, recording or
destruction.
The History of Information Security
• Began immediately after the first mainframes were developed
• Groups developing code-breaking computations during World War II
created the first modern computers
• Physical controls to limit access to sensitive military locations to
authorized personnel
• Rudimentary in defending against physical theft, espionage, and
damage
What is Security?
• “The quality or state of being secure—to be free from danger”
• A successful organization should have multiple layers of security in place:
• Physical security: protects physical items, objects, or areas from
unauthorized access and misuse
• Personal security: protects the people who are authorized to access the
organization and its operations
• Operations security: protects the details of a particular operation or
set of activities
• Communications security: protects the organization's communication
media, technology, and content
• Network security: protects networking components, connections, and
contents
• Information security: protects information and its critical elements
What is Information Security?
• The protection of information and its critical elements, including
systems and hardware that use, store, and transmit that information
• Necessary tools: policy, awareness, training, education, technology
• The C.I.A. triangle was the standard model, based on confidentiality,
integrity, and availability
• The C.I.A. triangle has now been expanded into a list of critical
characteristics of information
Components of Information Security
Critical Characteristics of Information
• Availability
• Accuracy
• Authenticity
• Confidentiality
• Integrity
• Utility
• Possession
Critical Characteristics of Information Contd…
• The value of information comes from the characteristics it
possesses (defined by the C.I.A. triangle):
• Availability : Enables authorized users or computers to access
information without interference or obstruction and to receive it in
the required format
• Accuracy : Free from mistakes or errors, and holding the value that the
user expects [bank balance]
• Authenticity : The quality or state of being genuine or original,
rather than a reproduction or fabrication [email spoofing]
Critical Characteristics of Information Contd…
• Confidentiality : Protected from disclosure or exposure to
unauthorized individuals or systems [bits and pieces of info / salami
theft]
• Integrity : Whole, complete, and uncorrupted [file hashing]
• Utility : The quality or state of having value for some purpose or end
• Possession : The quality or state of having ownership or control of
some object or item
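The slides tie integrity to file hashing and authenticity to spoofing. The following added example (not part of the original deck) shows the difference in code: a SHA-256 digest detects that stored content was altered, while an HMAC built with a shared secret additionally ties the content to the party holding the key. The sample "file" contents and the key are constructed here for the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed sample file contents (not from the original deck): the second
# copy differs from the first by a single cent, the kind of small change the
# "salami theft" bullet refers to.
ORIGINAL = b"account=1234\nbalance=1500.00\n"
TAMPERED = b"account=1234\nbalance=1500.01\n"


def file_digest(data: bytes) -> str:
    """Integrity: SHA-256 digest of the content, published alongside it."""
    return hashlib.sha256(data).hexdigest()


def integrity_ok(data: bytes, expected_digest: str) -> bool:
    """Recompute the digest and compare it in constant time."""
    return hmac.compare_digest(file_digest(data), expected_digest)


def authenticity_tag(data: bytes, key: bytes) -> str:
    """Authenticity: HMAC-SHA256 tag that only a holder of `key` can produce."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def authenticity_ok(data: bytes, tag: str, key: bytes) -> bool:
    """Verify the tag with the shared key, again in constant time."""
    return hmac.compare_digest(authenticity_tag(data, key), tag)


def demo() -> dict:
    """Run the integrity and authenticity checks over the sample contents."""
    digest = file_digest(ORIGINAL)
    key = secrets.token_bytes(32)          # constructed shared secret
    tag = authenticity_tag(ORIGINAL, key)
    return {
        # A digest published with the original content catches the change.
        "integrity_original": integrity_ok(ORIGINAL, digest),
        "integrity_tampered": integrity_ok(TAMPERED, digest),
        # A plain hash can be recomputed by whoever changed the content, so a
        # digest shipped together with the content says nothing about origin.
        "integrity_tampered_refreshed_digest": integrity_ok(
            TAMPERED, file_digest(TAMPERED)),
        # The keyed tag covers both: altered content fails, and a tag made
        # without the right key fails even for freshly computed content.
        "authentic_original": authenticity_ok(ORIGINAL, tag, key),
        "authentic_tampered": authenticity_ok(TAMPERED, tag, key),
        "authentic_wrong_key": authenticity_ok(
            TAMPERED, authenticity_tag(TAMPERED, b"wrong-key"), key),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:40s} {result}")
```

The point of the third dictionary entry is the practical caveat: a hash stored next to the file it covers verifies integrity only if the reference digest is kept somewhere the file's modifier cannot also rewrite (a separate record, a signed manifest, or, as here, a keyed tag).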
Approaches to Information Security
Implementation: Bottom-Up Approach
• Grassroots effort: systems administrators attempt to improve security
of their systems
• Key advantage: technical expertise of individual administrators
• Seldom works, as it lacks a number of critical features:
• Participant support
• Organizational staying power
Approaches to Information Security
Implementation: Top-Down Approach
• Initiated by upper management
• Issue policy, procedures and processes
• Dictate goals and expected outcomes of project
• Determine accountability for each required action
• The most successful also involve a formal development strategy
referred to as the systems development life cycle
Approaches to Information Security
Implementation Contd…
The Security Systems Development Life Cycle
• The same phases used in traditional SDLC may be adapted to support
specialized implementation of an IS project
• Identification of specific threats and creating controls to counter them
• SecSDLC is a coherent program rather than a series of random, seemingly
unconnected actions
Phase 1: Investigation
• Management identifies the process, outcomes, goals, budget and
constraints of the project
• Begins with enterprise information security policy
• Outline project scope and goals
• Estimate cost
• Organizational feasibility analysis is performed
Phase 2: Analysis
• Documents from investigation phase are studied
• Analyzes existing security policies or programs, along with
documented current threats and associated controls
• Studies integration of the new system with existing systems
• Includes analysis of relevant legal issues that could impact design of
the security solution
• The risk management task begins
Phase 3: Logical Design
• Creates and develops blueprints for information security
• Incident response actions planned:
• Continuity planning
• Incident response
• Disaster recovery
• Feasibility analysis to determine whether project should continue or
be outsourced
Phase 4: Physical Design
• Needed security technology is evaluated, alternatives generated, and
final design selected
• Develop definition of successful solution
• At the end of the phase, a feasibility study determines the readiness of
the project for implementation
Phase 5: Implementation
• Security solutions are acquired, tested, implemented, and tested
again
• Personnel issues evaluated; specific training and education programs
conducted
• Entire tested package is presented to management for final approval
Phase 6: Maintenance and Change
• Perhaps the most important phase, given the ever-changing threat
environment
• Often, reparation and restoration of information is a constant duel
with an unseen adversary
• Information security profile of an organization requires constant
adaptation as new threats emerge and old threats evolve
Key Terms [Terminology]
• Access
• Asset
• Attack
• Control, Safeguard or Countermeasure
• Exploit
• Exposure
• Hacking
• Object
• Risk
Key Terms [Terminology]
• Security Blueprint
• Security Model
• Security Posture or Security Profile
• Subject
• Threats
• Threat Agent
• Vulnerability
Summary
• Information security is a “well-informed sense of assurance that the
information risks and controls are in balance.”
• Computer security began immediately after first mainframes were
developed
• Successful organizations have multiple layers of security in place:
physical, personal, operations, communications, network, and
information.
• Security should be considered a balance between protection and
availability
• Information security must be managed like any other major system
implemented in an organization, using a methodology such as the SecSDLC
Thank you
