Chapter 1
Why Study Information Security?
To protect computers, networks, and the information they store
Who is an information security specialist?
More than a technician who keeps hackers from attacking a Web site.
Growing importance of information technology security (ITS)


Increased services to both end-users and employees
create risks to the confidentiality, integrity, and availability of information
How to become a great Information Security Specialist?
1. Get the right certification
2. Consider earning a graduate degree in INFOSEC
3. Increase your disaster recovery and risk management skills
4. Build a home laboratory
5. Get on a project working with strategic partners
Contextualizing Information Security (umbrella)
1. Compliance
2. Auditing
3. Administration
4. Incident response
5. Permission controls
6. Physical security
7. Software development security
8. Standards
9. Policies
10. Intrusion detection and prevention
11. Antivirus
12. Key management
13. Operations controls
14. Security testing
15. Public key infrastructure
16. Access controls
17. Training and awareness
18. Disaster recovery
To support business operations a number of common positions and career opportunities
are needed
1. Security administrators
2. Access coordinators
3. Security architects and network engineers
4. Security consultants
5. Security testers
Chapter 2
 Information Security Principles of Success
1. There Is No Such Thing as Absolute Security
2. Three Security Goals (CIA)
3. Defense in Depth as Strategy
4. When Left on Their Own, People Tend to Make the Worst Security Decisions
5. Functional and Assurance Requirements
6. Security Through Obscurity Is Not an Answer
7. Security = Risk Management
8. Security Controls: Preventative, Detective, and Responsive
9. Complexity Is The Enemy of Security
10. Fear, Uncertainty, and Doubt (FUD) Do Not Work in Selling Security
11. People, Process and Technology Are All Needed
12. Open Disclosure of Vulnerabilities Is Good for Security
 There Is No Such Thing as Absolute Security
Given enough time, tools, and skills, a hacker can break through any security measure
 Three Security Goals (CIA)
 Protect the confidentiality of data
o To assure that no unauthorized access to information is permitted and that accidental
disclosure of sensitive information is not possible
 Preserve the integrity of data
o To assure that data is not modified or destroyed without authorization
 Promote the availability of data for authorized use
o Availability keeps data and resources available for authorized use
 Defense in Depth as Strategy
 Defense in depth
o Security implemented in overlapping layers that provide the three elements
needed to secure assets: prevention, detection, and response
o The weaknesses of one security layer are offset by the strengths of two or more other layers
 When Left on Their Own, People Tend to Make the Worst Security Decisions
Many people are easily convinced to double-click on the attachment
 Functional and Assurance Requirements
 Functional requirements
o Describe what a system should do
 Assurance requirements
o Describe how functional requirements should be implemented and tested
Does the system do the right things in the right way?
 Verification:
The process of confirming that one or more predetermined requirements or specifications are
met
 Validation:
A determination of the correctness or quality of the mechanisms used in meeting the needs
 Note:
Computer security specialists must not only know the technical side of their jobs but also must
understand the principles behind information security
Chapter 3
 Certification Programs and the Common Body of Knowledge

Certification Programs
1. Certified Information Systems Auditor (CISA)
2. Certified Information Security Manager (CISM)
3. Global Information Assurance Certifications (GIAC)
4. Vendor-Specific Certification Programs

Information Security CBK (Common Body of Knowledge)
The CBK is a compilation and distillation of all security information collected that is relevant to
information security professionals
o Contains 10 domains
1. Security Management Practices
2. Security Architecture and Models
3. Business Continuity Planning
4. Law, Investigations, and Ethics
5. Physical Security
6. Operations Security
7. Access Control Systems and Methodology
8. Cryptography
9. Telecommunications, Network, and Internet Security
10. Applications Development Security
What are the benefits of certification and immersion in the CBK?
They are clear to both employers and professionals who commit to life-long learning and to the
betterment of themselves and their careers
Chapter 4
 Security Management
Security Management is a broad set of executive support and management activities that define
an IT security programme
 How Security Policies Set the Stage for Success
Policies are the most crucial element in a corporate information security infrastructure and must
be considered before security technology is acquired and deployed
 Effective policies
o can rectify many of the weaknesses that arise from failures to understand the business direction and
security mission
o can help to prevent or eliminate many of the faults and errors caused by a lack of security
guidance
What are the types of policies?
Programme-level policy
Programme-framework policy
Issue-specific policy
System-specific policy
 Programme-Framework Policies
Provide
An organization-wide direction for broad areas of programme implementation
Define
The organization’s security programme elements that form the foundation for the computer
security programme
Reflect
Information technology management’s decisions about priorities for protection, resource
allocation, and assignment of responsibilities
 Components of an issue-specific policy:
1. Issue statement
2. Statement of the organization’s position
3. Applicability
4. Roles and responsibilities
5. Compliance
6. Points of contact and supplementary information
 Development and Management of Security Policies
 Three-level model for system security policy
o Security objectives
o Operational security
o Policy implementation
 Standards Taxonomy
Standards are formal written documents that describe several security concepts that are
fundamental to all successful programmes
 Risk Analysis and Management
A risk analysis answers three fundamental questions:
o What am I trying to protect?
o What is threatening my system?
o How much time, effort, and money am I willing to spend?
 Two basic types of risk analysis
o Quantitative Risk Analysis
o Qualitative Risk Analysis
 Quantitative Risk Analysis
Attempts to establish and maintain an independent set of risk metrics and statistics
Some of the calculations used for quantitative risk analysis
 Annualized loss expectancy (ALE)
 Probability
 Threat
 Control
 Vulnerability
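A worked quantitative risk calculation, added here as an illustration and not taken from the course notes: it applies the standard textbook formulas SLE = AV x EF (single loss expectancy) and ALE = SLE x ARO (annualized loss expectancy), ranks threat scenarios by ALE, and answers the third risk-analysis question (how much to spend) by checking whether a control's yearly cost is less than the ALE it removes. The asset values, exposure factors, rates and control costs are constructed for the example, and the scenario and function names are assumptions of this example.

```python
"""Quantitative risk analysis: ALE and safeguard cost-benefit.

Added illustration, not code from the course notes. It uses the standard
textbook formulas:

    SLE = AV x EF        single loss expectancy (loss from one incident)
    ALE = SLE x ARO      annualized loss expectancy (expected loss per year)
    safeguard value = ALE_before - ALE_after - annual cost of the safeguard

Every asset value, exposure factor, rate and cost below is constructed
for the example, not measured data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    asset: str
    threat: str
    asset_value: float      # AV: replacement/business value in currency units
    exposure_factor: float  # EF: fraction of AV lost in one incident, 0.0..1.0
    aro: float              # ARO: expected incidents per year (probability x frequency)


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF. Rejects an EF outside 0..1, a common spreadsheet mistake."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    if asset_value < 0:
        raise ValueError("asset value cannot be negative")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO. ARO may exceed 1 (several incidents a year) but not be negative."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def scenario_ale(s: Scenario) -> float:
    return annualized_loss_expectancy(
        single_loss_expectancy(s.asset_value, s.exposure_factor), s.aro)


def rank_by_ale(scenarios):
    """Highest expected annual loss first: the order in which to spend effort."""
    return sorted(scenarios, key=scenario_ale, reverse=True)


def evaluate_safeguard(s: Scenario, new_ef: float, new_aro: float, annual_cost: float) -> dict:
    """Cost-benefit of a control that changes the scenario's EF and/or ARO.

    A safeguard is justified when the reduction in ALE exceeds its yearly cost.
    """
    before = scenario_ale(s)
    after = annualized_loss_expectancy(
        single_loss_expectancy(s.asset_value, new_ef), new_aro)
    value = before - after - annual_cost
    return {"ale_before": before, "ale_after": after,
            "annual_cost": annual_cost, "value": value, "justified": value > 0}


# Constructed scenarios (hypothetical figures for the example).
RANSOMWARE = Scenario("customer database", "ransomware", 500_000, 0.40, 0.5)
DDOS = Scenario("public web server", "DDoS", 120_000, 0.25, 2.0)
LAPTOP_THEFT = Scenario("staff laptop", "theft", 3_000, 1.00, 4.0)
SCENARIOS = [LAPTOP_THEFT, DDOS, RANSOMWARE]

if __name__ == "__main__":
    for s in rank_by_ale(SCENARIOS):
        print(f"{s.asset:20s} {s.threat:12s} ALE = {scenario_ale(s):>10,.0f}")
    # Offline backups + EDR: assume EF drops to 0.10 and ARO to 0.25 for 40,000/yr.
    print(evaluate_safeguard(RANSOMWARE, 0.10, 0.25, 40_000))
    # DDoS scrubbing at 70,000/yr cutting ARO to 0.2: costs more than the risk it removes.
    print(evaluate_safeguard(DDOS, 0.25, 0.2, 70_000))
```

Ranking by ALE rather than by asset value is the point of the exercise: the laptop has the highest ARO but the lowest expected annual loss, while the first safeguard is worth buying (it removes more ALE than it costs) and the second is not, even though DDoS is the second-largest risk.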
Who Is Responsible for Security?
Everyone who uses information technology is responsible for maintaining the security and
confidentiality of information resources and must comply with security policies and procedures
o Chief information security officer (CISO)
o Information resources manager
o Information resources security officer
o Owners of information resources
o Custodians of information resources
o Technical managers (network and system administrators)
o Internal auditors and users