Info Security - Information Security Essentials For IT Managers - B-ICT - Apr 2017
Books & Resources
Principles of Information Security, 4th Edition, by Michael Whitman & Herbert Mattord, Cengage Learning, 2011.
A Practical Guide to Security Engineering & Information Assurance, by Debra S. Herrmann, CRC Press, 2002.
A Guide to Computer Network Security, by Joseph M. Kizza, Springer, 2009.
Information Security Management Handbook, edited by Ed Skoudis, CRC Press, 2002.
Learning Outcomes
To discuss how information security goes beyond technical controls and encompasses people, technology, policy and operations in a way that few other business objectives do.
To discuss the areas that are essential for the successful and strategic execution of the CISO's responsibilities.
InfoSec Essentials
Cyber-security is NOT an IT problem; it is a business problem.
Information security is defined as the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction.
There are 3 main cyber-security processes:
Prevention;
Detection;
Recovery.
InfoSec Essentials
Key objectives of Information Security:
Intelligence;
Trusted alliances;
Innovative thinking;
Risk management (liability protection);
Compliance challenges:
  Contractual;
  Statutory & Regulatory;
  Industry Standards.
InfoSec Essentials
CISO's Key Functions:
Information & Computer Security;
Business Continuity, Continuity of Operations (COOP) or Disaster Recovery Planning;
Privacy;
Critical Infrastructure Protection Policy;
Emergency Communications.
InfoSec Essentials
• Strategic Security Plan Elements:
• Organization & Authority Controls;
• Policy;
• Risk Management Program;
• Intelligence Program;
• Audit & Compliance Program;
• Privacy Program;
• Incident Management;
• Education & Awareness Program;
• Operational Management;
• Technical Security & Access Controls;
• Monitoring, Measurement & Reporting;
• Physical & Environmental Security;
• Asset Identification & Classification;
• Employee & Related Account Management Practices.
InfoSec Essentials
The moving parts of InfoSec:
Governance;
Policy;
Organizational;
Personnel (incl. background checks);
Access controls;
Risk management;
Technology oversight (e.g. what are your security requirements?);
Compliance;
Incident response;
Forensics & investigations;
Legal;
Cryptography.
InfoSec Essentials
Unintended consequences of embracing the Internet:
An estimated 1 in 25 end-users may be sociopathic;
that is, in the world of networked computers, every sociopath is your neighbour.
InfoSec Essentials
The 3 R's of Accountable Systems (Resistance, Recognition, Recovery), with a 4th "R", Redress, added by Endicott-Popovsky:

Survivability strategy: tools
Resistance (ability to repel attacks): firewalls; user authentication; diversification, e.g. backups.
Recognition (ability to detect an attack or a probe; ability to react or adapt during an attack): intrusion detection systems; internal integrity checks.
Recovery (provide essential services during an attack; restore services following an attack): incident response; replication; backup systems; fault-tolerant designs.
Redress (ability to hold intruders accountable in a court of law; ability to retaliate): computer forensics; legal remedies; active defense.
InfoSec Essentials
The 4 protection mechanisms are:
i. Deterrence – the first line of defense against intruders who may try to gain access;
ii. Prevention – the process of trying to stop intruders from gaining access to the system's resources;
e.g. firewalls, DMZs, access items such as keys, access cards and biometrics, and other access control measures;
iii. Detection – comes into play when the intruder has succeeded, or is in the process of gaining access to the system;
e.g. alerts to the presence of an intruder, raised in real time or stored for later analysis;
iv. Response – an after-the-fact process that reacts to the failure of any of the first 3 mechanisms;
e.g. trying to stop further damage and to prevent future access to the facility.
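Deterrence and prevention are largely policy and architecture, but detection and response can be shown in working code. The example below is added here and is not from the original slides: it runs a sliding-window failed-login detector over constructed SSH-style log lines (detection, either live or over stored logs) and turns each alert into a block-list entry (response). The log format, host names, addresses, threshold and window are assumptions for the demonstration.

```python
"""Added example (not from the original slides): the Detection and Response
mechanisms applied to constructed SSH-style log lines. Detection flags any
source that fails to log in `threshold` times within a sliding window;
Response turns each alert into a block-list entry. Log format, thresholds
and host names are assumptions for the demonstration."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (syslog-like; sshd omits the year).
SAMPLE_LOG = """\
Apr 12 09:00:01 host1 sshd[2001]: Failed password for root from 203.0.113.7 port 51000 ssh2
Apr 12 09:00:02 host1 sshd[2002]: Failed password for root from 203.0.113.7 port 51001 ssh2
Apr 12 09:00:02 host1 sshd[2003]: Failed password for admin from 203.0.113.7 port 51002 ssh2
Apr 12 09:00:03 host1 sshd[2004]: Accepted publickey for alice from 198.51.100.5 port 40001 ssh2
Apr 12 09:00:04 host1 sshd[2005]: Failed password for root from 203.0.113.7 port 51003 ssh2
Apr 12 09:00:05 host1 sshd[2006]: Failed password for root from 203.0.113.7 port 51004 ssh2
Apr 12 09:00:40 host1 sshd[2007]: Failed password for bob from 198.51.100.9 port 40010 ssh2
Apr 12 09:03:00 host1 sshd[2008]: Failed password for bob from 198.51.100.9 port 40011 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port"
)


def parse_failures(log_text: str, year: int = 2017):
    """Yield (timestamp, src, user) for failed-login lines; skip everything else."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["src"], m["user"]


def detect_bruteforce(log_text: str, threshold: int = 5, window_s: int = 60) -> dict:
    """Detection: alert the first time a source reaches `threshold` failures
    inside a `window_s`-second sliding window. Returns {src: (alert_time, count)}."""
    recent = defaultdict(deque)  # src -> timestamps still inside the window
    alerts = {}
    for ts, src, _user in parse_failures(log_text):
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > timedelta(seconds=window_s):
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= threshold and src not in alerts:
            alerts[src] = (ts, len(q))
    return alerts


def respond(alerts: dict, allowlist=frozenset()) -> list:
    """Response: block-list entries for alerted sources, never for sources on
    the allowlist (e.g. a management jump host). An operator would feed this
    to a firewall or a fail2ban-style tool; here it is simply returned."""
    return sorted(src for src in alerts if src not in allowlist)


if __name__ == "__main__":
    found = detect_bruteforce(SAMPLE_LOG)
    for src, (when, n) in found.items():
        print(f"ALERT {when:%H:%M:%S} {src}: {n} failed logins inside 60s")
    print("block:", respond(found))
```

With the sample lines only 203.0.113.7 trips the default rule (five failures in four seconds); 198.51.100.9 fails twice but 140 seconds apart, so the window discards the first failure and no alert is raised. The allowlist in respond() is the practitioner's safeguard against the response mechanism locking out its own administrators.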
InfoSec Essentials
Computer security focuses on creating a secure environment for the use of computers; it is usually focused on the "behaviour of users".
It has 4 areas of interest:
Computer ethics;
Development of software protocols;
Development of hardware protocols;
Development of best practices.
InfoSec Essentials
Network security involves creating an environment in which a computer network, including all its resources, all the data in it (both in storage and in transit) and all its users, is secure.
Its areas of interest are:
Cryptography;
Communications;
Transport;
Exchange of protocols;
Best practices.
InfoSec Essentials
Information security involves creating a state in which information and data are secure.
Its areas of interest are:
Computer science (incl. computer & network security);
Business management;
Information studies;
Engineering.
The object of the model is information or data, which is either in motion through communication channels or in storage in databases on a server; the model covers the state of both data and information, in motion and in storage.
InfoSec Essentials
[Figure: CSVA Model (Yeboah-, 2012). Only the diagram labels survive extraction; the lists below are reconstructed from them, with the Confidentiality/Integrity/Availability columns separated from their interleaved layout.]
Risk (plotted against Urgency and Criticality): loss of revenues; loss of corporate image; loss of investor confidence; loss of customer confidence; cost due to security breaches; cost of mitigation.
Assets / Value: tangible assets; intangible assets; classification; identification; characterization.
Threats / Threat agents: motivation; capability; opportunity; impact (attractiveness).
Vulnerabilities: technical; human; physical (environment); operational.
Threats to Confidentiality: human errors; transmission errors; data storage; data disposal.
Threats to Integrity: human errors; transmission errors; software bugs; hardware malfunction; natural disasters.
Threats to Availability: business continuity; destruction; removal; interruption; human errors; natural disasters.
[Figure: risk matrix relating Vulnerabilities, Threats and Risks to Confidentiality, Integrity and Availability, with impact bands labelled MAJOR and SEVERE; only the axis and band labels survive extraction.]
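To make the risk parameters of the CSVA model and the impact bands of the matrix concrete, here is a small risk register in code. It is added here and is not part of the original slides or of the CSVA model itself: the 1-5 rating scales, the formula that combines threat-agent attributes with the vulnerability rating, the use of asset value as impact, and the MAJOR/SEVERE cut-offs are illustrative assumptions (the two lower bands are added for completeness), and the register entries are constructed.

```python
"""Added example (not part of the original slides): a small risk register
that scores CSVA-style parameters -- asset value, threat agent (motivation,
capability, opportunity) and vulnerability -- and bands each risk using the
MAJOR / SEVERE labels from the impact figure. The 1..5 scales, the combining
formula and the band cut-offs are assumptions chosen for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: int    # 1 (low) .. 5 (business-critical), tangible or intangible
    motivation: int     # threat-agent attributes, each 1..5
    capability: int
    opportunity: int
    vulnerability: int  # 1 (hard to exploit) .. 5 (trivially exploited)


def _check_scale(*values: int) -> None:
    for v in values:
        if not 1 <= v <= 5:
            raise ValueError(f"ratings must be 1..5, got {v}")


def likelihood(r: Risk) -> int:
    """Assumed formula: a threat only materialises where motivation, capability
    and opportunity all exist, so the weakest of the three caps the threat
    level; likelihood is the average of that threat level and the vulnerability
    rating, rounded half up to a 1..5 score."""
    _check_scale(r.motivation, r.capability, r.opportunity, r.vulnerability)
    threat_level = min(r.motivation, r.capability, r.opportunity)
    return (threat_level + r.vulnerability + 1) // 2


def score(r: Risk) -> int:
    """Risk score = likelihood x impact, with asset value as impact (1..25)."""
    _check_scale(r.asset_value)
    return likelihood(r) * r.asset_value


def band(s: int) -> str:
    """Assumed cut-offs on the 1..25 scale. SEVERE and MAJOR are the labels
    on the deck's impact figure; MODERATE and LOW are added below them."""
    if s >= 20:
        return "SEVERE"
    if s >= 12:
        return "MAJOR"
    if s >= 6:
        return "MODERATE"
    return "LOW"


def rank(register) -> list:
    """Highest-scoring risks first: the treatment order (urgency)."""
    return sorted(register, key=lambda r: (-score(r), r.name))


# Constructed sample register (hypothetical entries, not from the slides).
REGISTER = [
    Risk("Customer DB exposed via unpatched web app", 5, 5, 4, 5, 4),
    Risk("Laptop theft, disk unencrypted", 3, 3, 5, 4, 5),
    Risk("Insider alters payroll records", 4, 2, 5, 5, 2),
    Risk("Brochure website defacement", 1, 4, 5, 5, 4),
]

if __name__ == "__main__":
    for r in rank(REGISTER):
        print(f"{band(score(r)):8} {score(r):3}  {r.name}")
```

The register separates the three things the summary asks managers to tell apart: the threat (who, with what motivation, capability and opportunity), the vulnerability (how exposed the asset is) and the risk (their product weighted by what the asset is worth). Changing one rating, for example patching the web application so its vulnerability drops from 4 to 1, moves that entry down the list without touching the threat-agent assessment.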
Summary
We have discussed the concepts of cyber-security and its various aspects and attributes.
We have emphasized that information security is essential for today's businesses and daily living.
We have underscored that information security is NOT a technology problem but a BUSINESS case.
We can now define risk parameters and assess them, and distinguish between vulnerabilities and threats.

Thank You All!