
Ch2-Fundamentals of Information System Security

IS Security Fundamentals
Outline
• Information System Security Fundamentals
• Components of Information Systems security
• Principles of Information Systems Security
• Introduction to IS Security Policy
• Plan, Design and Implement IS Security
Understanding Information Security
• Information security is the practice of protecting information from unauthorized access, use, disclosure, disruption, modification, or destruction.
• It encompasses various measures, technologies, and processes designed to safeguard sensitive data and systems.
Computer Security
Threat Landscape
• The threat landscape refers to the evolving set of potential risks and vulnerabilities that pose a threat to information security.
• Common threats include malware, phishing attacks, insider threats, and denial of service attacks.
Risk Management
• Risk management involves identifying, assessing, and mitigating potential risks to information security.
• It includes processes for determining risk tolerance, implementing controls, and monitoring security posture.
Why Information Security Matters?
• Protects sensitive data from unauthorized access or disclosure.
• Safeguards against financial losses, reputational damage, and legal consequences.
• Ensures compliance with regulations and industry standards.
Key Objectives of Information Security
• Confidentiality: Ensuring that information is accessible only to authorized individuals.
• Integrity: Maintaining the accuracy and reliability of information and systems.
• Availability: Ensuring that information and systems are available and accessible when needed.
Takeaway Points
• Information security is essential for protecting sensitive data and systems from unauthorized access or misuse.
• Understanding the threat landscape and implementing effective risk management practices are crucial components of information security.
• The primary objectives of information security are confidentiality, integrity, and availability.
Components of Information Systems Security

Technology Components:
Firewalls
• Control and monitor network traffic to prevent unauthorized access.
• Establish barriers between a trusted internal network and untrusted external networks.
Technology Components…
• Intrusion Detection Systems (IDS): Identify and respond to suspicious activities or security breaches.
• Analyze network traffic patterns and behavior to detect anomalies.
Technology Components…
Encryption:
• Protect data confidentiality by converting plaintext data into cipher text.
• Uses cryptographic algorithms and keys to encrypt and decrypt data.
Technology Components…
Access Controls:
• Manage and enforce user access to information and resources.
• Includes authentication mechanisms, access control lists, and role-based access control (RBAC).
Human Component
Security Awareness Training:
• Educate users about security best practices, policies, and procedures.
• Raise awareness of common threats and risks, such as phishing and social engineering attacks.
Human Component…
User Authentication:
• Verify the identity of users accessing systems or data.
• Authentication methods include passwords, biometrics, and two-factor authentication (2FA).
Integration of Technology and Human Components
• Effective information systems security requires a combination of both technology and human components.
• Technology components provide the infrastructure and tools to protect information and systems.
• Human components, such as user awareness and authentication, complement technology by ensuring secure behaviors and practices.
Importance of Components
• Firewalls and IDS help defend against external threats by monitoring and controlling network traffic.
• Encryption safeguards sensitive data from unauthorized access or interception.
• Access controls enforce security policies and limit access to authorized users.
• Security awareness training and user authentication help prevent insider threats and unauthorized access.
Key Takeaways
• Information systems security relies on both technology and human components to protect data and systems.
• Technology components include firewalls, intrusion detection systems, encryption, and access controls.
• Human components encompass security awareness training and user authentication to promote secure behaviors and practices.
Principles of Information Systems Security

1. Confidentiality
• Definition: Ensuring that information is accessible only to authorized individuals or entities.
• Methods: Encryption, access controls, and data classification.
• Importance: Protects sensitive information from unauthorized access or disclosure.
Principles of Information Systems Security…

2. Integrity
• Definition: Maintaining the accuracy, consistency, and reliability of information and systems.
• Methods: Data validation, checksums, digital signatures, and access controls.
• Importance: Prevents unauthorized modification or tampering of data, ensuring its trustworthiness.
Principles of Information Systems Security…

3. Availability
• Definition: Ensuring that information and systems are accessible and usable when needed by authorized users.
• Methods: Redundancy, backups, disaster recovery plans, and fault tolerance.
• Importance: Minimizes downtime and disruption, ensuring continuity of operations.
Computer Security
Security Goals
• Confidentiality: Prevention of unauthorized disclosure of information
• Integrity: Prevention of unauthorized modification of information
• Availability: Prevention of unauthorized withholding of information or resource
4. Authentication
• Definition: Verifying the identity of users or entities attempting to access information or systems.
• Methods: Passwords, biometrics, smart cards, and two-factor authentication.
• Importance: Prevents unauthorized access by ensuring that users are who they claim to be.
5. Authorization
• Definition: Granting or denying access rights and privileges to authenticated users based on their roles or permissions.
• Methods: Role-based access control (RBAC), access control lists (ACLs), and permission matrices.
• Importance: Limits access to resources and data to only those who have been explicitly authorized.
6. Accountability
• Definition: Ensuring that actions taken by users or entities can be traced back to them.
• Methods: Audit logs, logging mechanisms, and digital signatures.
• Importance: Enables tracking of activities and accountability for security incidents or breaches.
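
Added example, not part of the original slides: authorization (principle 5, RBAC with default deny) feeding accountability (principle 6, an audit log that records every decision). The roles, users and the choice of hash-chaining the log entries are assumptions made for illustration.

```python
import hashlib
import json

# Hypothetical role-to-permission matrix (RBAC); names are illustrative only.
ROLE_PERMISSIONS = {
    "clerk":   {("invoice", "read")},
    "manager": {("invoice", "read"), ("invoice", "approve")},
    "auditor": {("audit_log", "read")},
}
USER_ROLES = {"alice": "manager", "bob": "clerk"}  # constructed sample users


def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditLog:
    """Append-only log; each entry carries the hash of the previous one."""

    def __init__(self):
        self.entries = []

    def record(self, user, resource, action, allowed):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"user": user, "resource": resource, "action": action,
                "allowed": allowed, "prev": prev}
        self.entries.append({**body, "hash": _digest(body)})

    def verify(self):
        """True only if every entry matches its own hash and its predecessor."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or e["hash"] != _digest(body):
                return False
            prev = e["hash"]
        return True


def authorize(user, resource, action, log):
    """Default deny: unknown users and unlisted permissions are refused."""
    role = USER_ROLES.get(user)
    allowed = (resource, action) in ROLE_PERMISSIONS.get(role, set())
    log.record(user, resource, action, allowed)  # log denials as well as grants
    return allowed


def demo():
    log = AuditLog()
    results = [authorize("alice", "invoice", "approve", log),
               authorize("bob", "invoice", "approve", log),
               authorize("mallory", "invoice", "read", log)]
    intact = log.verify()
    log.entries[1]["allowed"] = True  # simulate someone rewriting a denial
    return results, intact, log.verify()
```

The hash chain makes edits to earlier entries detectable; it does not by itself detect removal of the most recent entries, which is why audit logs are usually also copied to a separate system.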
7. Non-repudiation
• Definition: Ensuring that the origin or transmission of data cannot be denied by the sender or receiver.
• Methods: Digital signatures, timestamps, and cryptographic hashing.
• Importance: Provides evidence of transactions or communications, preventing disputes or fraud.
Key Takeaways
• Principles of information systems security form the foundation for designing and implementing security measures.
• Confidentiality, integrity, and availability (CIA) are core principles, complemented by authentication, authorization, accountability, and non-repudiation.
• Effective implementation of these principles helps protect data and systems from unauthorized access, modification, or disruption.
Introduction to IS Security Policy

What is an IS Security Policy?
• Definition: An IS security policy is a set of rules, guidelines, and procedures designed to ensure the confidentiality, integrity, and availability of information and systems.
• Purpose: Establishes expectations, responsibilities, and controls to protect sensitive data and mitigate security risks.
Key Components of an IS Security Policy
• Acceptable Use Policies (AUP)
  ◦ Defines acceptable and unacceptable uses of information systems and resources.
  ◦ Specifies guidelines for employee behavior, including internet usage, email usage, and data handling.
• Data Classification Guidelines
  ◦ Classifies data based on its sensitivity and importance.
  ◦ Determines appropriate handling, storage, and protection requirements for different data types.
Incident Response Procedures…
• Outlines steps to be taken in the event of a security incident or breach.
• Specifies roles and responsibilities for incident detection, reporting, investigation, and resolution.
Key Components of an IS Security Policy (contd.)
Access Control Policies:
• Defines rules and procedures for controlling access to information and systems.
• Specifies authentication mechanisms, access levels, and permissions.
Password Policies:
• Establishes requirements for creating, managing, and protecting passwords.
• Includes guidelines for password complexity, expiration, and reuse.
Security Awareness Training
• Provides training and education to employees on security best practices, policies, and procedures.
• Raises awareness of common threats and risks and promotes a security-conscious culture.
Benefits of an IS Security Policy
• Risk Reduction: Helps mitigate security risks by implementing controls and procedures.
• Compliance: Ensures compliance with regulatory requirements, industry standards, and organizational policies.
• Consistency: Provides a consistent framework for security practices and decision-making across the organization.
• Accountability: Clarifies roles, responsibilities, and expectations for employees regarding information security.
Challenges of Implementing an IS Security Policy
• Employee Compliance: Ensuring that employees understand and adhere to security policies.
• Complexity: Managing and updating policies to address evolving threats and compliance requirements.
• Resource Constraints: Allocating sufficient resources for policy development, implementation, and enforcement.
Best Practices for Developing an IS Security Policy
• Risk Assessment: Identify and prioritize security risks to inform policy development.
• Stakeholder Involvement: Involve key stakeholders from various departments in policy development and review.
• Clear Communication: Communicate policy expectations clearly to employees through training and awareness programs.
Best Practices for Developing an IS Security Policy (contd.)
• Regular Review and Updates: Regularly review and update policies to address emerging threats and changes in the business environment.
• Enforcement and Monitoring: Enforce policy compliance through monitoring, audits, and enforcement mechanisms.
• Continuous Improvement: Continuously evaluate and improve security policies and procedures based on lessons learned and feedback.
Conclusion
• An IS security policy is a critical component of an organization's overall security strategy.
• It establishes guidelines, procedures, and controls to protect sensitive information and mitigate security risks.
• By developing and implementing effective security policies, organizations can enhance their security posture and reduce the likelihood of security incidents.
Plan, Design, and Implement IS Security

Planning Phase:
• Risk Assessment
  ◦ Identify and assess potential security risks and vulnerabilities.
  ◦ Consider threats, asset values, existing controls, and likelihood of occurrence.
  ◦ Prioritize risks based on impact and likelihood to inform security strategy.
Planning Phase…

Security Objectives:
• Define clear security objectives aligned with organizational goals and priorities.
• Establish measurable goals and targets to guide security efforts.
• Ensure alignment with regulatory requirements and industry standards.
Design Phase

Security Architecture:
• Develop a comprehensive security architecture that addresses identified risks.
• Design security controls and mechanisms to protect information and systems.
• Consider defense-in-depth approach, layered security, and security zones.
Security Controls
• Select and implement appropriate security controls to mitigate identified risks.
• Include preventive, detective, and corrective controls to address various threats.
• Consider technical, administrative, and physical controls to provide comprehensive protection.
Implementation Phase
Deployment
• Roll out security measures across the organization according to the security architecture.
• Configure systems, networks, and applications to enforce security policies.
• Implement security controls, such as firewalls, encryption, access controls, and monitoring tools.
Testing and Evaluation
• Conduct security testing and evaluations to ensure the effectiveness of implemented security measures.
• Perform vulnerability assessments, penetration testing, and security audits.
• Address any identified vulnerabilities or weaknesses before deploying into production.
Integration with Business Processes
• Ensure that security measures align with and support business processes and objectives.
• Involve stakeholders from various departments in the planning and design phases to ensure buy-in and alignment.
• Consider usability, performance, and scalability requirements when designing and implementing security controls.
Training and Awareness
• Provide training and awareness programs to educate employees about security policies and best practices.
• Ensure that employees understand their roles and responsibilities in maintaining security.
• Foster a culture of security awareness and accountability throughout the organization.
Continuous Improvement
• Regularly review and update security measures to adapt to evolving threats and business needs.
• Monitor security controls and performance metrics to identify areas for improvement.
• Conduct post-implementation reviews and lessons learned sessions to inform future security initiatives.
Conclusion
• Planning, designing, and implementing IS security is a systematic process that involves assessing risks, defining objectives, designing controls, and deploying measures to protect information and systems.
• Integration with business processes, training and awareness, and continuous improvement are essential elements of effective IS security.
• By following best practices and maintaining vigilance, organizations can enhance their security posture and mitigate security risks effectively.
Questions?
• Feel free to ask any questions or discuss further.

Quiz: (5 Points)
• List the benefits of an IS security policy.
• What are the security pillars or goals of security?
• How can non-repudiation ensure security?
• What is a threat?
Thank You!!!
