Introduction to information security
- 2. About Me
S .Katheeskumar (National Diploma in ICT)
katheeskumar@outlook.com
www.katheesh.github.io
Batticaloa, Sri Lanka
- 3. Objectives
• Understand the definition of information security
• Understand the critical characteristics of information
• Understand the comprehensive model for information security
• Outline the approaches to information security implementation
• Outline the phases of the security systems development life cycle
• Understand the key terms of information security
- 4. Introduction
• Information security: a “well-informed sense of assurance that the
information risks and controls are in balance.” —James Anderson,
Inovant (2002)
• The practice of defending information from unauthorized access, use,
disclosure, disruption, modification, perusal, inspection, recording or
destruction.
- 5. The History of Information Security
• Began immediately after the first mainframes were developed
• Groups developing code-breaking computations during World War II
created the first modern computers
• Physical controls to limit access to sensitive military locations to
authorized personnel
• Rudimentary in defending against physical theft, espionage, and
damage
- 6. What is Security?
• “The quality or state of being secure—to be free from danger”
• A successful organization should have multiple layers of security in place:
• Physical security: protection of physical items, objects, or areas from
unauthorized access and misuse
• Personal security: protection of the individuals who are authorized to
access the organization and its operations
• Operations security: protection of the details of particular operations or
activities
• Communications security: protection of the organization's communication
media, technology, and content
• Network security: protection of networking components, connections,
and contents
• Information security: protection of information and its critical elements
- 7. What is Information Security?
• The protection of information and its critical elements, including
systems and hardware that use, store, and transmit that information
• Necessary tools: policy, awareness, training, education, technology
• The C.I.A. triangle was the standard model, based on confidentiality,
integrity, and availability
• The C.I.A. triangle has now been expanded into a list of critical
characteristics of information
- 9. Critical Characteristics of Information
• Availability
• Accuracy
• Authenticity
• Confidentiality
• Integrity
• Utility
• Possession
- 10. Critical Characteristics of Information Cont'd
• The value of information comes from the characteristics it
possesses (as defined by the C.I.A. triangle):
• Availability: enables authorized users or computers to access
information without interference or obstruction and to receive it in
the required format
• Accuracy: the information is free from mistakes or errors and has the
value that the user expects [bank balance]
• Authenticity: the quality or state of being genuine or original,
rather than a reproduction or fabrication [email spoofing]
- 11. Critical Characteristics of Information Cont'd
• Confidentiality: protected from disclosure or exposure to
unauthorized individuals or systems [bits and pieces of information /
salami theft]
• Integrity: the information is whole, complete, and uncorrupted [file hashing]
• Utility: the quality or state of having value for some purpose or end
• Possession: the quality or state of having ownership or control of
some object or item
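The slides give file hashing as the example for integrity and email spoofing for authenticity. The added example below (not part of the original slides) shows the difference in code: an unkeyed SHA-256 digest detects that stored bytes were altered, while a keyed HMAC additionally shows that the bytes came from someone holding the shared key. The sample records and the key are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed sample "file" contents (not from the original slides).
ORIGINAL = b"Account: 1001\nBalance: 2500.00\n"
# The same record after a single byte was altered on disk or in transit.
CORRUPTED = b"Account: 1001\nBalance: 2506.00\n"


def digest(data: bytes) -> str:
    """Integrity check input: an unkeyed SHA-256 fingerprint of the exact bytes."""
    return hashlib.sha256(data).hexdigest()


def verify_integrity(data: bytes, expected_hex: str) -> bool:
    """Recompute the digest and compare it in constant time to the stored value."""
    return hmac.compare_digest(digest(data), expected_hex)


def tag(data: bytes, key: bytes) -> str:
    """Authenticity: an HMAC-SHA256 tag that only holders of the key can produce."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_authenticity(data: bytes, expected_tag: str, key: bytes) -> bool:
    """A valid tag proves both that the bytes are unchanged and who produced them."""
    return hmac.compare_digest(tag(data, key), expected_tag)


def demo() -> dict:
    """Run both checks over the constructed records; every value should be True."""
    key = secrets.token_bytes(32)          # shared secret between writer and verifier
    stored_digest = digest(ORIGINAL)       # what a file-integrity tool would record
    stored_tag = tag(ORIGINAL, key)        # what an authenticating sender would attach
    return {
        "original_intact": verify_integrity(ORIGINAL, stored_digest),
        "corruption_detected": not verify_integrity(CORRUPTED, stored_digest),
        "original_authentic": verify_authenticity(ORIGINAL, stored_tag, key),
        "other_key_rejected": not verify_authenticity(
            ORIGINAL, stored_tag, secrets.token_bytes(32)),
    }


if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check}: {passed}")
```

Note that a plain digest stored next to the data only detects accidental change; the keyed tag is what distinguishes a genuine record from a fabricated one.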
- 12. Approaches to Information Security Implementation: Bottom-Up Approach
• Grassroots effort: systems administrators attempt to improve security
of their systems
• Key advantage: technical expertise of individual administrators
• Seldom works, as it lacks a number of critical features:
• Participant support
• Organizational staying power
- 13. Approaches to Information Security Implementation: Top-Down Approach
• Initiated by upper management
• Issue policy, procedures and processes
• Dictate goals and expected outcomes of project
• Determine accountability for each required action
• The most successful also involve a formal development strategy
referred to as the systems development life cycle
- 15. The Security Systems Development Life Cycle
• The same phases used in the traditional SDLC may be adapted to support
the specialized implementation of an IS project
• Identifies specific threats and creates controls to counter them
• The SecSDLC is a coherent program rather than a series of random, seemingly
unconnected actions
- 16. Phase 1: Investigation
• Management identifies the process, outcomes, goals, budget, and
constraints of the project
• Begins with enterprise information security policy
• Outline project scope and goals
• Estimate cost
• Organizational feasibility analysis is performed
- 17. Phase 2: Analysis
• Documents from the investigation phase are studied
• Analyzes existing security policies or programs, along with
documented current threats and associated controls
• Studies the integration of the new system with existing systems
• Includes analysis of relevant legal issues that could impact design of
the security solution
• The risk management task begins
- 18. Phase 3: Logical Design
• Creates and develops blueprints for information security
• Incident response actions planned:
• Continuity planning
• Incident response
• Disaster recovery
• Feasibility analysis to determine whether project should continue or
be outsourced
- 19. Phase 4: Physical Design
• Needed security technology is evaluated, alternatives generated, and
the final design selected
• Develops a definition of a successful solution
• At the end of the phase, a feasibility study determines the readiness of
the project for implementation
- 20. Phase 5: Implementation
• Security solutions are acquired, tested, implemented, and tested
again
• Personnel issues evaluated; specific training and education programs
conducted
• Entire tested package is presented to management for final approval
- 21. Phase 6: Maintenance and Change
• Perhaps the most important phase, given the ever-changing threat
environment
• Often, reparation and restoration of information is a constant duel
with an unseen adversary
• Information security profile of an organization requires constant
adaptation as new threats emerge and old threats evolve
- 24. Summary
• Information security is a “well-informed sense of assurance that the
information risks and controls are in balance.”
• Computer security began immediately after the first mainframes were
developed
• Successful organizations have multiple layers of security in place:
physical, personal, operations, communications, network, and
information.
• Security should be considered a balance between protection and
availability
• Information security must be managed similarly to any major system
implemented in an organization, using a methodology like the SecSDLC