Ch-2
Security
IS Security Fundamentals
Outline
Information System Security Fundamentals
Components of Information Systems security
Principles of Information Systems Security
Introduction to IS Security Policy
Plan, Design and Implement IS Security
Understanding Information Security
The threat landscape is the evolving set of threats and vulnerabilities that
put an organization's information at risk.
Common threats include malware, phishing, insider threats, and
denial-of-service attacks.
Risk Management
Technology Components:
Firewalls
Control and monitor network traffic to prevent unauthorized access.
Establish barriers between a trusted internal network and untrusted external
networks.
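The rule-matching logic a packet filter applies is easy to show in code. The block below is an added example, not material from the original slides: a stateless first-match filter over constructed rules and addresses (10.0.0.0/8 as the trusted network, 192.0.2.10 as a public web server, 10.0.99.0/24 as a quarantined subnet are all assumptions made up for the illustration). Anything no rule matches is dropped, which is the "barrier between trusted and untrusted" the slide describes.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    """One packet-filter rule. The first rule that matches decides the verdict."""
    action: str                        # "allow" or "deny"
    proto: str                         # "tcp", "udp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None        # None matches any destination port

    def matches(self, proto: str, src: str, dst: str, dport: int) -> bool:
        return (
            self.proto in ("any", proto)
            and ipaddress.ip_address(src) in self.src
            and ipaddress.ip_address(dst) in self.dst
            and (self.dport is None or self.dport == dport)
        )


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr)


# Constructed topology for the example (not from the slides).
ANY = net("0.0.0.0/0")
INTERNAL = net("10.0.0.0/8")          # trusted internal network
QUARANTINE = net("10.0.99.0/24")      # internal subnet cut off during an incident
WEB_SERVER = net("192.0.2.10/32")     # public web server (documentation address range)
DNS_SERVER = net("10.0.0.53/32")      # internal resolver

RULESET: List[Rule] = [
    Rule("deny", "any", QUARANTINE, ANY),          # must come first to override the allows below
    Rule("allow", "tcp", ANY, WEB_SERVER, 443),    # untrusted networks may reach HTTPS only
    Rule("allow", "tcp", INTERNAL, ANY, 443),      # internal hosts may browse HTTPS
    Rule("allow", "udp", INTERNAL, DNS_SERVER, 53),  # internal DNS only to our resolver
]


def evaluate(ruleset: List[Rule], proto: str, src: str, dst: str, dport: int) -> str:
    """Return 'allow' or 'deny' for a packet; unmatched traffic is denied by default."""
    for rule in ruleset:
        if rule.matches(proto, src, dst, dport):
            return rule.action
    return "deny"


if __name__ == "__main__":
    for pkt in [("tcp", "203.0.113.5", "192.0.2.10", 443),   # public -> web server HTTPS
                ("tcp", "203.0.113.5", "192.0.2.10", 22),    # public -> web server SSH
                ("tcp", "10.0.99.7", "192.0.2.10", 443),     # quarantined host
                ("udp", "10.1.2.3", "8.8.8.8", 53)]:         # internal host, external DNS
        print(pkt, "->", evaluate(RULESET, *pkt))
```

Two points worth checking against the code: the default branch is deny, so a rule that is forgotten results in blocked traffic rather than an open hole, and rule order matters. Moving the quarantine rule to the end of the list lets a quarantined host reach the web server through the broader allow rule, which is the kind of misordering to look for when reviewing a firewall policy.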
Technology Components…
Encryption:
Protect data confidentiality by converting plaintext data into cipher text.
Uses cryptographic algorithms and keys to encrypt and decrypt data.
Technology Components…
Access Controls:
Manage and enforce user access to information and resources.
Includes authentication mechanisms, access control lists, and role-based
access control (RBAC).
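The following block is an added example (not code from the slides) of how RBAC and an ACL combine into one deny-by-default authorization check. The roles, the permission sets, the "class:instance" resource naming and the users alice, bob, carol and dave are all constructed for the illustration.

```python
from dataclasses import dataclass, field

# Constructed RBAC policy: role -> set of (action, resource class) permissions.
ROLE_PERMISSIONS = {
    "viewer":  {("read", "report")},
    "analyst": {("read", "report"), ("write", "report")},
    "admin":   {("read", "report"), ("write", "report"),
                ("delete", "report"), ("manage", "user")},
}

# Constructed per-resource ACL for exceptions: resource -> {user: allowed actions}.
ACL = {
    "report:q3-financials": {"carol": {"read"}},
}


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)


def is_allowed(user: User, action: str, resource: str) -> bool:
    """Deny by default; grant only on an explicit role permission or ACL entry.

    Resources are named "<class>:<instance>", e.g. "report:q3-financials";
    roles grant actions on the class, ACL entries on the specific instance.
    """
    resource_class = resource.split(":", 1)[0]
    # RBAC: the user's effective permissions are the union of their roles' permissions.
    # An undefined role contributes nothing, so a typo in a role name fails closed.
    for role in user.roles:
        if (action, resource_class) in ROLE_PERMISSIONS.get(role, set()):
            return True
    # ACL: an explicit grant on this particular resource.
    if action in ACL.get(resource, {}).get(user.name, set()):
        return True
    return False


def require(user: User, action: str, resource: str) -> None:
    """Enforcement point: raise instead of silently continuing."""
    if not is_allowed(user, action, resource):
        raise PermissionError(f"{user.name} may not {action} {resource}")


if __name__ == "__main__":
    alice = User("alice", {"viewer"})
    bob = User("bob", {"admin"})
    carol = User("carol")                 # no role; only the ACL grant applies
    for u, a, r in [(alice, "read", "report:q3-financials"),
                    (alice, "write", "report:q3-financials"),
                    (bob, "manage", "user:alice"),
                    (carol, "read", "report:q3-financials"),
                    (carol, "read", "report:q4-forecast")]:
        print(u.name, a, r, "->", is_allowed(u, a, r))
```

The practical point is that every path out of `is_allowed` that is not an explicit grant returns `False`: an unknown role, an unknown resource, or a missing ACL entry all deny. Call `require` at the point where the operation happens, not only in the user interface, so that the policy is enforced regardless of how the request arrived.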
Human Component
User Authentication:
Verify the identity of users accessing systems or data.
Authentication methods include passwords, biometrics, and two-factor
authentication (2FA).
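The two factors named on the slide, a password and a time-based one-time code, can both be implemented from the Python standard library. The block below is an added example, not code from the slides: salted PBKDF2-HMAC-SHA256 password storage, HOTP/TOTP as specified in RFC 4226 and RFC 6238, and a login check that only succeeds when both factors verify. The 20-byte shared secret `12345678901234567890` is the published RFC test secret, used here so the codes can be checked against the RFC tables; the iteration count and the record format are assumptions.

```python
import hashlib
import hmac
import os
import struct
import time

PBKDF2_ITERATIONS = 600_000   # assumed work factor; raise as hardware gets faster


def hash_password(password: str, salt: bytes = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash (hex fields)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(record: str, password: str) -> bool:
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    # constant-time comparison so a mismatch is not detectable by timing
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30) -> str:
    """RFC 6238: HOTP with the counter set to the current 30-second time step."""
    return hotp(secret, at_time // step)


def verify_totp(secret: bytes, code: str, at_time: int, step: int = 30, window: int = 1) -> bool:
    """Accept the current step plus `window` steps either side to tolerate clock skew."""
    ok = False
    for drift in range(-window, window + 1):
        expected = hotp(secret, at_time // step + drift)
        ok |= hmac.compare_digest(expected.encode(), code.encode())
    return ok


def authenticate(record: str, totp_secret: bytes, password: str, code: str,
                 at_time: int = None) -> bool:
    """Both factors are always evaluated, so the response does not reveal which one failed."""
    at_time = int(time.time()) if at_time is None else at_time
    password_ok = verify_password(record, password)
    code_ok = verify_totp(totp_secret, code, at_time)
    return password_ok and code_ok


# RFC 4226 / RFC 6238 test secret (published, not a real credential).
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    record = hash_password("correct horse battery staple")   # constructed password
    print(record)
    print("HOTP counter 0:", hotp(RFC_SECRET, 0))             # RFC table value 755224
    print("login:", authenticate(record, RFC_SECRET,
                                 "correct horse battery staple", totp(RFC_SECRET, int(time.time()))))
```

Two details matter in practice: the password record carries its own salt and iteration count, so the work factor can be raised later without breaking existing records, and the TOTP check accepts one step of drift but should also refuse to accept the same code twice within that window (replay protection), which requires storing the last accepted counter per user and is left out here.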
Integration of Technology and Human Components
Firewalls and IDS help defend against external threats by monitoring and
controlling network traffic.
Encryption safeguards sensitive data from unauthorized access or
interception.
Access controls enforce security policies and limit access to authorized
users.
Security awareness training and user authentication help prevent insider
threats and unauthorized access.
Key Takeaways
1. Confidentiality
Definition: Ensuring that information is accessible only to authorized
individuals or entities.
Methods: Encryption, access controls, and data classification.
Importance: Protects sensitive information from unauthorized access or
disclosure.
Principles of Information Systems Security…
2. Integrity:
Definition: Maintaining the accuracy, consistency, and reliability of
information and systems.
Methods: Data validation, checksums, digital signatures, and access
controls.
Importance: Prevents unauthorized modification or tampering of data,
ensuring its trustworthiness.
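The Encryption component above and this Integrity principle are usually delivered together: a cipher turns plaintext into ciphertext, and a keyed tag lets the receiver detect any modification. The block below is an added example built only from the standard library, not code from the slides: a counter-mode stream cipher whose keystream comes from HMAC-SHA256, followed by an encrypt-then-MAC tag (the master key, labels, nonce size and message layout are assumptions for the illustration). It is written this way so it runs anywhere; a real system should use a vetted authenticated cipher such as AES-GCM or ChaCha20-Poly1305 from a maintained library rather than this construction.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _derive_keys(master_key: bytes):
    """Separate keys for confidentiality and integrity, derived with distinct labels."""
    k_enc = hmac.new(master_key, b"encryption", hashlib.sha256).digest()
    k_mac = hmac.new(master_key, b"authentication", hashlib.sha256).digest()
    return k_enc, k_mac


def _keystream(k_enc: bytes, nonce: bytes, length: int) -> bytes:
    """Counter mode: block i = HMAC(k_enc, nonce || i); never reuse a nonce under one key."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(k_enc, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(master_key: bytes, plaintext: bytes, nonce: bytes = None) -> bytes:
    """Return nonce || ciphertext || tag. The tag covers the nonce and the ciphertext."""
    k_enc, k_mac = _derive_keys(master_key)
    nonce = secrets.token_bytes(NONCE_LEN) if nonce is None else nonce
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(k_enc, nonce, len(plaintext))))
    tag = hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(master_key: bytes, message: bytes) -> bytes:
    """Verify the tag first (constant time); only then decrypt."""
    k_enc, k_mac = _derive_keys(master_key)
    if len(message) < NONCE_LEN + TAG_LEN:
        raise ValueError("message too short")
    nonce, ct, tag = message[:NONCE_LEN], message[NONCE_LEN:-TAG_LEN], message[-TAG_LEN:]
    expected = hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed: message modified or wrong key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(k_enc, nonce, len(ct))))


def is_authentic(master_key: bytes, message: bytes) -> bool:
    try:
        decrypt(master_key, message)
        return True
    except ValueError:
        return False


def decrypt_unverified(master_key: bytes, message: bytes) -> bytes:
    """What encryption WITHOUT integrity gives an attacker: decrypt, ignoring the tag."""
    k_enc, _ = _derive_keys(master_key)
    nonce, ct = message[:NONCE_LEN], message[NONCE_LEN:-TAG_LEN]
    return bytes(c ^ k for c, k in zip(ct, _keystream(k_enc, nonce, len(ct))))


def tamper(message: bytes, index: int, mask: int = 0x01) -> bytes:
    """Flip bits of one byte in transit, as an active attacker would."""
    flipped = bytearray(message)
    flipped[index] ^= mask
    return bytes(flipped)


if __name__ == "__main__":
    key = secrets.token_bytes(32)                       # constructed key
    msg = encrypt(key, b"wire transfer: 100 EUR")       # constructed plaintext
    # XOR 0x09 into the ciphertext byte carrying '1' turns it into '8' when decrypted
    forged = tamper(msg, NONCE_LEN + 15, 0x09)
    print("unverified decrypt of forged message:", decrypt_unverified(key, forged))
    print("authenticated decrypt accepts forgery:", is_authentic(key, forged))
```

The example makes the slide's point concrete: a stream cipher alone keeps the amount confidential but lets an attacker change "100" to "800" by flipping bits they cannot read, which is exactly the "unauthorized modification" integrity is meant to prevent. A plain checksum would not help either, because the attacker can recompute it; the tag must be keyed (an HMAC, or a digital signature when the verifier should not hold a secret). Verify the tag before doing anything with the ciphertext, and use a fresh nonce for every message under the same key.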
Principles of Information Systems Security…
3. Availability:
Definition: Ensuring that information and systems are accessible and
usable when needed by authorized users.
Methods: Redundancy, backups, disaster recovery plans, and fault
tolerance.
Importance: Minimizes downtime and disruption, ensuring continuity of
operations.
Computer Security
Security Goals
Confidentiality: prevention of unauthorized disclosure of information
Integrity: prevention of unauthorized modification of information
Availability: prevention of unauthorized withholding of information or resources
4. Authentication
Planning Phase:
Risk Assessment
Identify and assess potential security risks and vulnerabilities.
Consider threats, asset values, existing controls, and likelihood of occurrence.
Prioritize risks based on impact and likelihood to inform security strategy.
Planning Phase…
Security Objectives:
Define clear security objectives aligned with organizational goals and
priorities.
Establish measurable goals and targets to guide security efforts.
Ensure alignment with regulatory requirements and industry standards.
Design Phase
Security Architecture:
Develop a comprehensive security architecture that addresses
identified risks.
Design security controls and mechanisms to protect information and
systems.
Consider defense-in-depth approach, layered security, and security
zones.
Security Controls
Deployment
Roll out security measures across the organization according to the security
architecture.
Configure systems, networks, and applications to enforce security policies.
Implement security controls, such as firewalls, encryption, access controls,
and monitoring tools.
Testing and Evaluation
Ensure that security measures align with and support business processes
and objectives.
Involve stakeholders from various departments in the planning and design
phases to ensure buy-in and alignment.
Consider usability, performance, and scalability requirements when
designing and implementing security controls.
Training and Awareness