Intro to Security lecture

Information Security Management (INFS 5055)
&
Information Security Management (INFS 3070)
Study Period 2, 2010
INTRODUCTION TO INFORMATION SECURITY MANAGEMENT
Today’s Reference:
Whitman & Mattord, 2008,
Management of Information Security, 2nd edition
Chapter 1
(alternatively, 3rd edition is fine)
What is Security?
• “a well-informed sense of assurance
that the information risks and controls
are in balance.” —Jim Anderson,
Inovant (2002)
• “The quality or state of being
secure—to be free from danger”
• A successful organization should have multiple layers of security in place:
  – Physical security
  – Personal security
  – Operations security
  – Communications security
  – Network security
  – Information security
Physical Security
• commonly thought of as
“building” security
• guns, dogs, guards, locks,
infrared sensors, cameras,
access card systems
• physical access systems
Personnel Security
• the most important asset (?)
• core of many security
problems
• examples are:
– pre-employment screening
– security awareness training
– exit interviews
– employee contract
– anti-fraud initiatives
What is Information Security?
• An Information System consists of:
  – hardware
  – software
  – IS people
  – data & information (in various forms)
  – procedures, processes, policies
• IS Security relates to all of these
components
• Previously referred to as
‘Computer Security’
• Commonly referred to as
‘Information Security’
Information Security
[Diagram: the components of an information system in the centre, the threats to them around the outside, and the controls that address those threats. Recoverable labels:]
• Assets: hardware, software, procedures, telecommunications, people, data, documentation
• Threats: physical sabotage, viruses, hackers, software bugs, fire, input error, loss of people, fraud, unauthorised access, hardware malfunction, loss of electricity, theft
• Controls: policy manual, encryption, backup, fire doors, locks, software validation, user IDs & passwords, pre-employment screening, segregation of duties, maintenance contract, guns, dogs & guards, power supply
Why is it important?
• Business survival could be at
stake
• Management attitude is (still)
“It won’t happen to me” – this
needs to change
• Vulnerabilities multiply with the advent of complex networks
• New threats are emerging as
technology is embraced
• Attacks on systems are more
prevalent
Security Breaches & Impacts
Critical Characteristics of Information
• The value of information comes
from the characteristics it
possesses:
– Confidentiality
– Integrity
– Availability
– Privacy
– Identification
– Authentication
– Authorisation
– Accountability
Scope of Information Security
• IS Security relates to minimising the threats to the Availability, Integrity and Confidentiality of information (and its Authenticity)
• Availability
  – disruptions
    • environmental (e.g. air-conditioning or power failure)
    • hardware breakdowns
  – disasters
    • natural disasters (flood, fire, earthquake)
    • other disasters (war, terrorism)
  – software bugs
  – catastrophic failure
    • human safety compromised
  – threats may be logical or physical, accidental or deliberate
• Integrity
  – errors & omissions
  – computer crime – hackers
• Confidentiality
  – loss of print-out report (physical/accidental)
  – loss of message, misdirected message (logical/accidental)
  – theft of PC, screen snooping (physical/deliberate)
  – wiretapping, hacking, electromagnetic radiation (logical/deliberate)
Principles Of Information Security Management
• The extended characteristics
of information security are
known as the six Ps:
– Planning
– Policy
– Programs
– Protection
– People
– Project Management
Planning
• Several types of InfoSec
plans exist:
– Incident response
– Business continuity
– Disaster recovery
– Policy
– Personnel
– Technology rollout
– Risk management
– Security program including
education, training, and
awareness
Policy
• The set of organizational
guidelines that dictates
certain behavior within the
organization is called policy
• In InfoSec, there are three
general categories of policy:
– General program policy
(Enterprise Security Policy)
– An issue-specific security
policy (ISSP)
– System-specific policies
(SSSPs)
Programs
• Specific entities managed in
the information security
domain
• A security education training
and awareness (SETA)
program is one such entity
• Other programs that may
emerge include a physical
security program, complete
with fire, physical access,
gates, guards, and so on
Protection
• Risk management activities,
including risk assessment
and control, as well as
protection mechanisms,
technologies, and tools
• Each of these mechanisms
represents some aspect of
the management of specific
controls in the overall
information security plan
People
• People are the most critical
link in the information
security program
• It is imperative that
managers continuously
recognize the crucial role that
people play
• Including information security
personnel and the security of
personnel
Project Management
• Project management
discipline should be present
throughout all elements of
the information security
program
• This effort involves
identifying and controlling the
resources applied to the
project, as well as measuring
progress and adjusting the
process as progress is made
toward the goal
The Sequence
THREATS threaten ASSETS, which create RISKS, which require CONTROLS
• Questions raised at each step: Vulnerability? Countermeasures? Risk exposure?
“Health & Safety” of a person (an analogy)
• Threats
– Heart attack, stroke, car accident
– Work accident, sporting injury,
assault
– Disease
• Assets
– Tissue, brain, heart, mind, limbs
– Organs, eyes, skin, self-esteem
• Risks
– Death, injury, loss of limb, sickness
– Brain damage, loss of eyesight
• Controls
  – Regular exercise, proper food
  – OH & S procedures at work
  – Safe sports, safe driving
  – Regular doctor check-ups
  – Minimal stress, adequate sleep
Threats
• Something that has the potential to cause harm or loss
• 4 classes
  – interruption
    • hardware breakdown, software bug, operators on strike
  – interception
    • wiretapping, hacking
  – modification
    • hackers tampering with & changing data
  – fabrication
    • adding records or transactions
Top 10 Threats in IS
1. Errors & omissions
2. Data network breakdowns
3. Software errors & omissions
4. Computer-based fraud
5. Accidental & natural disasters
6. Equipment failure
7. Unauthorised access
8. Deliberate destruction of equipment
9. Misuse of computing equipment
10. Theft of computers
Risks
• Risk of going out of business
• Risk of losing competitive
advantage
• Risk of unauthorised access
• Risk of being sued
• Risk of embarrassment
• Risk of losing money
• Risk of losing customers
Vulnerabilities
• A weakness in the security of the system which might be exploited to cause loss or harm
Controls / Countermeasures
• 4 categories
– Management
– Hardware
– Software
– Authentication
Management Controls
• Security policies
• Segregation of duties
• Awareness training
• Physical security procedures
• Operational controls and procedures
• Exit Interviews
• New employee screening
• Personnel security
Hardware Controls
• Environmental conditions
• O/S controls
• Silicon, plastic, tin (the physical components themselves)
Software Controls
• Access control software
(RACF, ACF2, etc)
• Programming standards
– range checks
– check digits
– modular programs
• Change control procedures
• Authorisation controls
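A worked example of two of the programming standards just listed, range checks and check digits, applied to a keyed-in transaction record. This is added illustrative code, not from the lecture or its textbook; the Luhn (mod 10) check-digit scheme, the Transaction fields and the amount/quantity limits are assumptions made for the illustration:

```python
"""Range checks and check digits as software input controls.

Added illustrative example; it is not from the lecture or its textbook.
Assumptions: the check digit uses the Luhn (mod 10) algorithm, and the
field limits below are made-up business rules for the illustration.
"""
from dataclasses import dataclass

# Assumed limits for the constructed example (a real system takes these from policy).
AMOUNT_LIMIT = (0.01, 10_000.00)
QUANTITY_LIMIT = (1, 999)


def luhn_valid(number: str) -> bool:
    """True if the last digit of `number` is a valid Luhn (mod 10) check digit.

    Luhn detects every single-digit keying error and most transpositions of
    adjacent digits, which is what a check digit on an account number is for.
    """
    if not number.isdigit() or len(number) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):   # walk from the rightmost digit
        d = int(ch)
        if i % 2 == 1:                           # double every second digit
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def luhn_append(payload: str) -> str:
    """Return `payload` with its Luhn check digit appended."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:  # these become the doubled positions once the check digit is added
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return payload + str((10 - total % 10) % 10)


def in_range(value, low, high) -> bool:
    """Inclusive range check."""
    return low <= value <= high


@dataclass
class Transaction:
    account: str
    amount: float
    quantity: int


def validate(tx: Transaction) -> list:
    """Return the list of control failures for one record; empty means accept.

    Every check runs, so the operator sees all errors in one pass.
    """
    errors = []
    if not luhn_valid(tx.account):
        errors.append("account: check digit mismatch (mis-keyed number?)")
    if not isinstance(tx.amount, (int, float)) or not in_range(tx.amount, *AMOUNT_LIMIT):
        errors.append(f"amount: {tx.amount!r} outside {AMOUNT_LIMIT}")
    if not isinstance(tx.quantity, int) or not in_range(tx.quantity, *QUANTITY_LIMIT):
        errors.append(f"quantity: {tx.quantity!r} outside {QUANTITY_LIMIT}")
    return errors


if __name__ == "__main__":
    # Constructed sample batch: one clean record, one with a transposed account
    # number, one with an out-of-range amount and quantity.
    good_account = luhn_append("7992739871")          # -> "79927398713"
    batch = [
        Transaction(good_account, 250.00, 3),
        Transaction("79927398731", 250.00, 3),         # last two digits swapped
        Transaction(good_account, -5.00, 1000),
    ]
    for tx in batch:
        print(tx, validate(tx) or "OK")
```

Running the script shows the transposed account number rejected by the check digit and the negative amount and oversized quantity caught by the range checks. Each check is a small separate function, which is the point of the "modular programs" standard: the same validation can be reused at every input path rather than re-implemented per screen.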
Authentication Controls
• passwords
• PINs
• smart cards
• biometric devices
• something the user knows
• something the user has
• something the user is
• something the user can do
• someplace the user is
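A worked example combining two of the factors above: something the user knows (a password, stored as a salted hash) and something the user has (a time-based one-time code from a token). This is added illustrative code, not from the lecture or its textbook; PBKDF2-HMAC-SHA256 for the password store, RFC 6238 TOTP for the token, and the constructed user record are all assumptions made for the illustration:

```python
"""Two-factor verification: salted password hash (something the user knows)
plus a time-based one-time code (something the user has).

Added illustrative example; not from the lecture or its textbook. Assumptions:
PBKDF2-HMAC-SHA256 for password storage and TOTP (RFC 6238, SHA-1, 30-second
step, 6 digits) for the token; the user record and secrets are constructed here.
"""
import hashlib
import hmac
import os
import struct
import time

PBKDF2_ROUNDS = 200_000
TOTP_STEP = 30


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Return (salt, digest). A fresh random salt per user defeats precomputed tables."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, stored)   # constant-time comparison


def totp(secret: bytes, timestamp: int, digits: int = 6) -> str:
    """RFC 6238 code for the 30-second window containing `timestamp`."""
    counter = struct.pack(">Q", timestamp // TOTP_STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, timestamp: int, window: int = 1) -> bool:
    """Accept the current window and `window` steps either side to tolerate clock drift."""
    return any(
        hmac.compare_digest(totp(secret, timestamp + k * TOTP_STEP).encode(), code.encode())
        for k in range(-window, window + 1)
    )


def authenticate(record: dict, password: str, code: str, timestamp: int) -> bool:
    """Both factors must pass. Both are always evaluated, so a failure does not
    reveal which factor was wrong through timing or through the error path taken."""
    pw_ok = verify_password(password, record["salt"], record["pw_hash"])
    otp_ok = verify_totp(record["totp_secret"], code, timestamp)
    return pw_ok and otp_ok


def make_record(password: str, totp_secret: bytes) -> dict:
    """Constructed user record, shaped as a password store would hold it."""
    salt, digest = hash_password(password)
    return {"salt": salt, "pw_hash": digest, "totp_secret": totp_secret}


if __name__ == "__main__":
    secret = b"12345678901234567890"               # RFC 6238 test-vector seed
    rec = make_record("correct horse battery staple", secret)
    now = int(time.time())
    print("right password + right code:",
          authenticate(rec, "correct horse battery staple", totp(secret, now), now))
    print("right password, stale code  :",
          authenticate(rec, "correct horse battery staple", totp(secret, now + 300), now))
    print("wrong password, right code  :",
          authenticate(rec, "hunter2", totp(secret, now), now))
```

Two design points worth noticing: the password is never stored, only a slow salted hash of it, so a stolen record does not give the attacker the "something you know"; and the one-time code is derived from a secret that never leaves the token and the server, so a captured code is useless after its 30-second window (plus the small drift allowance). Neither factor alone passes `authenticate`.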
Top 10 Controls
1. IS security policy document
2. Allocation of security responsibilities
3. IS security education & training
4. Reporting of security incidents
5. Virus control
6. Business continuity planning
7. Control of proprietary copying
8. Safeguarding of company records
9. Compliance with data protection legislation
10. Compliance with security policy
What you need to know!
• What is InfoSec and why it’s
important
• Scope of InfoSec
• Principles of InfoSec
Management
• A general idea of Threats,
Risks and Controls