Chapter 01 - Introduction to Information Security

Information Technology Security Management
EEC10507
2/27/2020
IT Security Management
1
Aim
The primary aim of this course is to give the student a full awareness of the values of information technology security management as used in business enterprises. It also introduces the student to the various frameworks and methods in use and critically examines their suitability for addressing current business security needs.
Credit hours
4 (3 hrs theory, 1 hr tutorial)
Teaching/Learning Strategy
Teaching will rely on computer-based tools together with video lectures and guest lectures for efficient delivery of the module. Students will be given coursework, assignments and self-learning tasks focusing on the latest industry practice, and will work in groups to discuss current and future challenges in IT security management.
Transferable Skills: By completing this course students will develop the skills to plan, conduct and critically appraise research and to develop new approaches to problem-solving. They will also improve their communication and leadership skills.
Assessment format
Coursework - 60% (individual assignment 40%, presentation 20%)
Final exam - 40% (unseen written examination of 3 hours duration)
Pass requirement: 50%
Learning Outcomes
On completion of this module students will be able to:
1. Demonstrate an understanding of the key concepts and essentials of information technology security management.
2. Apply IT security management concepts to designing solutions that manage security risks effectively.
3. Describe the mutual relations between the various elements of information security management and their role in protecting business enterprises and organizations.
4. Describe the impact of new technological developments on information technology security management.
5. Demonstrate an understanding of the current legal and social contexts that impinge on IT security management in enterprises.
6. Design an emergency plan for a given IT environment.
Syllabus
The main course topics to be covered are:
Introduction to Information Security: Understand the importance of information security through awareness of the 12 generally accepted basic principles of information security; distinguish between the three main goals of security: confidentiality, integrity and availability. Introduction to certification programs and the Common Body of Knowledge.
Governance and Risk Management: Introduction to security policies; understand the four types of policies.
Business Continuity Planning and Disaster Recovery Planning: Overview of the business continuity plan and disaster recovery; creating the business impact analysis; disaster recovery planning.
Access Control Systems and Methodology: Introduction, terms and concepts, identification, authentication, least privilege, information owner, discretionary access control, access control lists, user provisioning, mandatory access control, role-based access control.
Law, Investigations, and Ethics: Introduction, types of computer crime, how cybercriminals commit crimes, the computer and the law, the legislative, administrative and judicial branches of the legal system, intellectual property law.
CHAPTER 1
Introduction to Information Security:
Understand the importance of information security through awareness of the 12 generally accepted basic principles of information security;
Distinguish between the three main goals of security: confidentiality, integrity and availability;
Introduction to certification programs and the Common Body of Knowledge.
12 generally accepted basic principles of information security
Principle 1: There Is No Such Thing As Absolute Security.
• Given enough time, tools, skills, and inclination, a malicious person can break
through any security measure.
E.g. In 2003, the art collection of the Whitworth Gallery in Manchester, England
• Four common classes of safe ratings are B-Rate, C-Rate, UL TL-15, and UL TL-30
• Resisting attacks long enough provides the opportunity to catch the attacker in
the act and to quickly recover from the incident.
12 generally accepted basic principles of information security (cont.)
Principle 2: The Three Security Goals Are Confidentiality, Integrity, and
Availability
• All information security measures try to address at least one of three goals:
• Protect the confidentiality of data
• Preserve the integrity of data
• Promote the availability of data for authorized use
Integrity Models
• Integrity models protect system data from intentional or accidental changes. They have three goals:
• Prevent unauthorized users from making modifications to data or programs
• Prevent authorized users from making improper or unauthorized modifications
• Maintain internal and external consistency of data and programs
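As an added example that is not part of the original slides, the following Python ledger enforces each of the three goals in turn: a role table decides who may change data at all (goal 1), the transfer rules reject improper changes by an authorized user (goal 2), and a replay check detects any loss of internal consistency (goal 3). The users, roles, accounts and amounts are constructed for this illustration.

```python
# Added example (not from the slides): a toy ledger constrained so that each of
# the three integrity-model goals is enforced. Users, roles and accounts are constructed.
ROLES = {"alice": "teller", "bob": "auditor"}  # who may change data at all

class IntegrityError(Exception):
    """Raised when a change would violate one of the integrity goals."""

class Ledger:
    """Account balances plus an append-only journal of accepted transfers."""

    def __init__(self, opening_balances):
        self.opening = dict(opening_balances)
        self.balances = dict(opening_balances)
        self.journal = []  # (src, dst, amount) for every accepted transfer

    def transfer(self, user, src, dst, amount):
        # Goal 1: unauthorized users may not modify data at all.
        if ROLES.get(user) != "teller":
            raise IntegrityError(f"{user} is not authorized to post entries")
        # Goal 2: authorized users may only make well-formed, permitted changes.
        if src not in self.balances or dst not in self.balances or amount <= 0:
            raise IntegrityError("malformed transfer")
        if self.balances[src] < amount:
            raise IntegrityError("overdraft would break the balance invariant")
        self.balances[src] -= amount
        self.balances[dst] += amount
        self.journal.append((src, dst, amount))

    def is_consistent(self):
        # Goal 3: internal consistency. Replaying the journal from the opening
        # balances must reproduce the current balances and conserve total money,
        # so any change made outside transfer() is detected here.
        replay = dict(self.opening)
        for src, dst, amount in self.journal:
            replay[src] -= amount
            replay[dst] += amount
        return (replay == self.balances
                and sum(self.balances.values()) == sum(self.opening.values()))

def demo():
    ledger = Ledger({"checking": 100, "savings": 50})
    results = {}
    ledger.transfer("alice", "checking", "savings", 30)  # permitted change
    results["alice_ok"] = ledger.balances == {"checking": 70, "savings": 80}
    attempts = {"bob_blocked": ("bob", "checking", "savings", 1),
                "overdraft_blocked": ("alice", "checking", "savings", 500)}
    for name, args in attempts.items():
        try:
            ledger.transfer(*args)
            results[name] = False
        except IntegrityError:
            results[name] = True
    results["consistent_before_tamper"] = ledger.is_consistent()
    ledger.balances["savings"] += 1000  # bypasses transfer(): caught by goal 3
    results["tamper_detected"] = not ledger.is_consistent()
    return results
```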
12 generally accepted basic principles of information security (cont.)
• Availability models keep data and resources available for authorized use
• Three common challenges to availability:
• DoS due to intentional attacks or because of undiscovered flaws in implementation (for
example, program crash due to unexpected input)
• Loss of information system capabilities because of natural disasters or human actions (bombs
or strikes)
• Equipment failures during normal use
Some activities that preserve CIA are:
(i) granting access only to authorized personnel;
(ii) applying encryption to information that will be sent over the Internet or stored on digital media;
(iii) periodically testing computer system security to uncover new vulnerabilities;
(iv) building software defensively;
(v) developing a disaster recovery plan to ensure business continuity.
12 generally accepted basic principles of information security (cont.)
Principle 3: Defense in Depth as Strategy
• A bank would never leave its assets inside an unguarded safe alone.
• Layered security is known as defense in depth.
• It is implemented in overlapping layers that provide prevention, detection and response to attacks on systems.
• In the IS world, defense requires layering security devices in a series that protects against, detects and responds to attacks on systems.
E.g. routers, firewalls and IDS to protect the network from intruders; traffic analyzers and real-time human monitors to watch for anomalies; automated mechanisms to turn off access or remove the system from the network in response to the detection of an intruder.
• Phishing for Dollars
12 generally accepted basic principles of information security (cont.)
Principle 4: When Left on Their Own, People Tend to Make the Worst Security
Decisions
• The primary reason identity theft, viruses, worms, and stolen passwords are so
common is that people are easily duped into giving up the secrets technologies
use to secure systems.
Principle 5: Computer Security Depends on Two Types of Requirements:
Functional and Assurance
• Functional requirements describe what a system should do.
• Assurance requirements describe how functional requirements should be
implemented and tested.
• Both sets of requirements are needed to answer the Verification and Validation
12 generally accepted basic principles of information security (cont.)
Principle 6: Security Through Obscurity Is Not an Answer
• Hiding the details of the security mechanisms is not sufficient to secure the system.
• Make sure no one mechanism is responsible for the security of the entire system.
Principle 7: Security = Risk Management
Risk analysis and risk management are central themes in securing information systems.
• When risks are well understood it is easy to mitigate them, acquire insurance and manage the consequences.
• Determine the degree of a risk and, based on the risk rating, take appropriate actions.
• Vulnerability: a known problem within a system or program, e.g. a buffer overflow or overrun.
• Exploit: a program or “cookbook” on how to take advantage of a specific vulnerability.
• Attacker: the link between a vulnerability and an exploit.
• The IS practitioner must anticipate who might want to attack the system, how capable they might be, how available the exploits for a vulnerability are, and which systems have the vulnerability.
12 generally accepted basic principles of information security (cont.)
Principle 8: The Three Types of Security Controls Are Preventative, Detective,
and Responsive
Controls and countermeasures (like firewalls) must be implemented. E.g. a bank safe.
Principle 9: Complexity Is the Enemy of Security
The more complex a system gets, the harder it is to secure. With too many
“moving parts” or interfaces between programs and other systems, the system or
interfaces become difficult to secure while still permitting them to operate as
intended.
Principle 10: Fear, Uncertainty, and Doubt Do Not Work in Selling Security
At one time, “scaring” management into spending resources on security to avoid
the unthinkable was effective. The tactic of fear, uncertainty, and doubt (FUD) no
longer works: Information security and IT management is too mature.
12 generally accepted basic principles of information security (cont.)
Principle 11: People, Process, and Technology Are All Needed to Adequately
Secure a System or Facility
• Implement process controls, like the US Army's dual-control protocol
• Establish procedures, document them and verify them
• People, process and technology are the three pillars of IS
Principle 12: Open Disclosure of Vulnerabilities Is Good for Security!
• Users have a right to know about defects in the products they purchase, just
as they have a right to know about automobile recalls because of defects.
Basic Components of Security:
Confidentiality, Integrity, Availability (CIA)
• CIA
• Confidentiality: Who is authorized to use data?
• Integrity: Is data “good”?
• Availability: Can we access data whenever we need it?

CIA or CIAAAN…
(other security components added to CIA)
• Authentication
• Authorization
• Non-repudiation
• …
[Figure: C, I and A arranged around S; S = Secure]
CIA
• Confidentiality means hiding information from unauthorized access. It is most commonly enforced through encryption.
• Integrity means that data is protected from unauthorized changes: protection of information and systems from being modified by unauthorized entities and unauthorized mechanisms.
• Availability means that authorized users have access to the systems and the resources they need.
Need to Balance CIA
Example 1: C vs. I+A
• Disconnect the computer from the Internet to increase confidentiality
• Availability suffers; integrity suffers due to lost updates
Example 2: I vs. C+A
• Have extensive data checks by different people/systems to increase integrity
• Confidentiality suffers as more people see the data; availability suffers due to locks on data under verification
Confidentiality
• “Need to know” basis for data access
• How do we know who needs what data?
Approach: access control specifies who can access what
• How do we know a user is the person he/she claims to be?
Need his/her identity and need to verify this identity
Approach: identification and authentication
• Confidentiality is:
• Difficult to ensure
• Easiest to assess in terms of success (binary in nature: Yes / No)
Integrity
• Integrity vs. confidentiality
Integrity is concerned with unauthorized modification of assets (= resources)
Confidentiality is concerned with access to assets
• Integrity is more difficult to measure than confidentiality
Not binary – degrees of integrity
Context-dependent – means different things in different contexts
Could mean any subset of these asset properties:
{ precision / accuracy / currency / consistency / meaningfulness / usefulness ... }
Availability
• Not understood very well yet
“Full implementation of availability is security’s next challenge”
E.g. full implementation of availability for Internet users (while ensuring security)
• Complex, context-dependent
Could mean any subset of these asset (data or service) properties:
{ usefulness / sufficient capacity / completed in an acceptable period of time / ... }
• We can say that an asset (resource) is available if it offers:
• Timely request response
• Fair allocation of resources (no starvation!)
• Fault tolerance (no total breakdown)
• Ease of use in the intended way
• Controlled concurrency (concurrency control, deadlock control, ...)
Introduction to Certification Programs and the
Common Body of Knowledge.
• The more prominent information security certifications are:
• Certified Information Systems Security Professional (CISSP) - IS certification granted by the International Information System Security Certification Consortium, also known as IISSCC or (ISC)², for people in managerial or senior positions.
• CISSPs define the architecture, design, management and/or controls that ensure the security of business environments.
• Systems Security Certified Practitioner (SSCP) - for people who specialize in areas of security operations.
• Both CISSP and SSCP are based on the Common Body of Knowledge (CBK).
• CBK - a collection of relevant topics for IS security professionals worldwide.
10 different areas covered in the CISSP exam
• Access control systems and methodology
• Systems and application security development
• Cryptography
• Disaster recovery and business continuity plans
• Investigation, laws and ethics
• Security models and architectures
• Physical security
• Best management practices
• Networking and telecommunications security
• Operations security
Rigorous examination (6 hrs, 250 questions)
Only 94,000 professionals hold the CISSP certification worldwide (149 countries)
Certification and IS
Benefits of certifications to employers:
• Global recognition - provides increased credibility while working with contractors and vendors.
• Common language - circumvents ambiguity with industry-accepted terms and standards.
• Experience - professionals have years of experience and a prescribed educational standard.
• Continuing professional education.
• Certification mandate - certified staff are most wanted by organizations, subcontractors and service providers.
Benefits of Certifications to Professionals
• Higher salary and promotions
• Verifiable proof of efficiency
• Entry into one of the largest communities of recognized IS professionals in the
world
• Access to global resources, peer networking, mentoring and wide IS
opportunities
ISC ²
• Global, non-profit consortium. Its goals are:
• Maintaining a common body of knowledge for IS
• Certifying industry professionals and practitioners according to the international IS standard
• Administering training and certification examinations
• Ensuring that credentials are maintained through continuing education
• Thousands of IS professionals in 149 countries have obtained certifications in CISSP or SSCP
• Credentials indicate that individuals have demonstrated experience in IS, passed a rigorous examination, subscribed to a code of ethics and will maintain their certification through continuing education requirements (3 years).
• ISO approved CISSP in 2004 - the 1st accredited IT certificate (ISO/IEC 17024)
The IS CBK
• Is a compilation and distillation of all security information collected internationally that is relevant to IS professionals.
• ISC² ensures that CISSP-certified IS professionals have a working knowledge of all 10 domains of the CBK.
The 10 domains of the CBK are:
1. IS governance and risk management - focuses on the importance of security plans for protecting data and how it is administered.
2. Security architecture and design - concepts, principles, structures and standards used to design, implement, monitor and secure OSs, equipment, networks, applications and other controls to enforce various levels of CIA.
3. Business continuity and disaster recovery planning - focuses on the BCP along with the business impact assessment and the DRP.
CBK Domains (cont.)
4. Legal regulations, investigations and compliance - covers the different targets of computer crimes and the laws and regulations that apply to computer security.
5. Physical (environmental) security - focuses on securing the physical site using policies and procedures together with alarms, IDS, IMS and so on.
6. Operations security - includes defining controls over media, hardware and operators with special system privileges.
7. Access control - who may access the system and what may they do? Understanding identification, authentication and authorization (I, A, A) and logging and monitoring techniques and technologies.
CBK Domains (cont.)
8. Cryptography - the InfoSec specialist should understand the function of cryptography: using cryptography to maintain network security, using digital signatures, understanding PKI and identifying non-repudiation.
9. Telecommunications and network security
10. Software development security
Other Programs
• Certified IS Auditor
• Certified Information Security Manager
• Certified in Risk and Information Systems control
• Global Information Assurance Certification
• (ISC)² specialization certifications
• Certified Cyber Forensic Professional
• HealthCare Information Security and Privacy Practitioner.
• CCNP
• Certificate of Cloud Security Knowledge
• Certified Ethical Hacker
Tutorial