INFORMATION SECURITY MANAGEMENT:
A. SECURITY RISK ASSESSMENT AND MANAGEMENT:
 RISK: Risk is the potential harm that may arise from some current process. Risk is assessed
by identifying threats and vulnerabilities and determining the impact of each risk.
 RISK MANAGEMENT: Risk management is the process of understanding and responding
to factors that may lead to failure in the confidentiality, integrity or availability of an
information system. There are three steps of risk management:
1. Risk Assessment.
2. Risk Mitigation.
3. Risk Evaluation.
i.e.:
a) Identification and evaluation of risk.
b) Identifying the levels of risk.
c) Weaknesses underlying the risk.
 Factors of risk management are as follows:
1. Risk Avoidance: Implementing actions to avoid the risk.
2. Risk Reduction: Implementing actions to reduce the risk.
3. Risk Spreading: Distributing risk across various programs.
4. Risk Transfer: Insuring against the costs incurred when a loss takes place.
5. Risk Acceptance: An informed decision to accept the risk and manage it at the best
achievable level.
 REACTIVE APPROACH TO RISK MANAGEMENT: Reactive risk management is brought
into action once an accident happens or problems are identified after an audit. The
accident is investigated and measures are taken to avoid similar events happening in the
future. Reactive risk management catalogues all previous accidents and documents
them to find the errors which led to the accident.
 PROACTIVE APPROACH TO RISK MANAGEMENT: It can be defined as an “adaptive, closed
loop feedback control strategy based on measurement and observation of the present
safety levels”. It identifies all relevant risk types before an incident occurs.
 FEATURES OF PROACTIVE AND REACTIVE RISK MANAGEMENT:
1. TIMEFRAME: Reactive risk management depends solely on the analysis of and
response to past accidents. Proactive risk management combines a mixed method of
past, present and future predictions before finding solutions to avoid risks.
2. FLEXIBILITY: Reactive risk management does not draw on the prediction, creativity
and problem-solving ability of humans, which makes it less flexible to changes
and challenges. Proactive risk management includes creative thinking and
prediction. Further, it addresses the source of the accident in order to reduce accidents.
 RISK ASSESSMENT: It is the first process in the risk management methodology. Risk
assessment methodology includes the following primary steps:
1. System Characteristics.
2. Threat Identification.
3. Vulnerability Identification.
4. Control Analysis.
5. Likelihood Determination.
6. Impact Analysis.
7. Risk Determination.
8. Control Recommendations.
9. Results Documentation.
 QUANTITATIVE RISK ASSESSMENT: It is the standard way of measuring risk in many fields
such as insurance, but it is not commonly used to measure risk in information systems. Two
of the reasons are:
1. Difficulties in identifying and assigning values to assets.
2. Lack of statistical information that would make it possible to determine
frequency.
 It draws on methodologies used by financial institutions and insurance companies.
 Quantitative risk can be expressed as:
ALE = SLE * ARO
 Annualized Loss Expectancy (ALE): It is the monetary loss that can be expected for an
asset due to a risk being realized over a one-year period.
 Single Loss Expectancy (SLE): It is the value of a single loss of the asset. This is the impact
of the loss.
 Annualized Rate of Occurrence (ARO): It is how often the loss is expected to occur in a year.
 This is not a cost-effective way to perform a quantitative risk assessment for an IT system,
due to the difficulty of obtaining accurate and complete information.
 If the information is reliable, this type of assessment is an extremely powerful tool for
communicating risks to all levels of management.
 QUALITATIVE RISK ASSESSMENT: It expresses the uncertainty and impact values of risk
in subjective or qualitative terms. It typically reports risk results as “High”, “Moderate” and
“Low”.
1) Identifying Threats: Some common threat sources include:
a) Natural Threats: Floods, earthquakes, hurricanes etc.
b) Human Threats: Threats caused by human beings, including unintentional ones,
network-based attacks, virus infection and unauthorized access.
c) Environmental Threats: Power failure, pollution, chemicals and water
damage.
2) Identifying Vulnerabilities:
a) Vulnerability Scanners: Software that can examine an operating system,
network application or code for flaws by comparing the system against a
database of flaw signatures.
b) Penetration Testing: An attempt by a human security analyst to exercise
threats against the system. This includes operational vulnerabilities such
as social engineering.
3) Defining Likelihood:
a) Low: 0-25% chances of successful exercise of threat during a one-year
period.
b) Moderate: 26-75% chances of successful exercise of threat during a one-year
period.
c) High: 76-100% chances of successful exercise of threat during a one-year
period.
4) Defining Impact:
a) Low: The loss of confidentiality leads to a limited effect on the
organization.
The loss of integrity leads to a limited effect on the organization.
The loss of availability leads to a limited effect on the organization.
b) Moderate: The loss of confidentiality leads to a serious effect on the organization.
The loss of integrity leads to a serious effect on the organization.
The loss of availability leads to a serious effect on the organization.
c) High: The loss of confidentiality leads to a more severe effect on the organization.
The loss of integrity leads to a more severe effect on the organization.
The loss of availability leads to a more severe effect on the organization.
 MANAGING THE RISK:
i. Mitigation: It involves fixing flaws to reduce the likelihood
or impact associated with the flaw.
ii. Transference: It is a process of allowing another group of people
to accept the risk on your behalf. It is not widely done for IT
systems but for general systems, for example through insurance.
iii. Acceptance: It allows the system to operate with a known risk.
The risk is classified in two ways:
 Low risk: This is simply acceptable.
 High risk: It requires a high cost of mitigation.
iv. Avoidance: It is a process of removing the vulnerability from the
system, especially in IT systems.
v. Communicating Risks: In the organization, the risk must be
communicated to management to resolve the risk and find
solutions. Risk management decisions are based on the cost of the
risk, which is compared with the cost of the risk management strategy.
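The quantitative formula (ALE = SLE * ARO), the qualitative likelihood bands and impact levels, and the "cost of the risk versus cost of the strategy" decision described above, worked through in one added example (not part of the original notes). The 3x3 rating matrix, the register layout and every asset value are assumptions made for the illustration.

```python
# Added example for these notes (not from the original material). Computes ALE,
# maps a yearly probability to the Low/Moderate/High bands given in the notes,
# combines likelihood and impact with an assumed 3x3 matrix, and applies the
# "buy the control only if it removes more ALE than it costs" decision rule.
from dataclasses import dataclass
from typing import List, Tuple

# Likelihood bands from the notes: 0-25% Low, 26-75% Moderate, 76-100% High.
LIKELIHOOD_BANDS = ((25, "Low"), (75, "Moderate"), (100, "High"))
LEVEL_SCORE = {"Low": 1, "Moderate": 2, "High": 3}


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE * ARO: expected yearly loss for one asset and one threat."""
    if sle < 0 or aro < 0:
        raise ValueError("SLE and ARO must be non-negative")
    return sle * aro


def likelihood_level(probability_pct: float) -> str:
    """Map the yearly probability of a successful threat exercise to a band."""
    if not 0 <= probability_pct <= 100:
        raise ValueError("probability must be a percentage between 0 and 100")
    for upper, label in LIKELIHOOD_BANDS:
        if probability_pct <= upper:
            return label
    return "High"  # not reachable after the range check; kept for clarity


def qualitative_risk(likelihood: str, impact: str) -> str:
    """Combine likelihood and impact levels into one rating.

    Assumed matrix (not stated in the notes): multiply the two level scores;
    products 1-2 are Low, 3-4 Moderate, 6-9 High.
    """
    product = LEVEL_SCORE[likelihood] * LEVEL_SCORE[impact]
    if product <= 2:
        return "Low"
    if product <= 4:
        return "Moderate"
    return "High"


def mitigation_worthwhile(ale_before: float, ale_after: float,
                          annual_control_cost: float) -> bool:
    """Decision rule from the notes: the cost of the risk is compared with the
    cost of the strategy. A control is worth buying when the ALE it removes
    exceeds what it costs per year."""
    return (ale_before - ale_after) > annual_control_cost


@dataclass
class RiskEntry:
    asset: str
    threat: str
    sle: float              # monetary value of a single loss
    aro: float              # expected occurrences per year
    probability_pct: float  # chance of successful exercise in one year
    impact: str             # "Low", "Moderate" or "High"

    @property
    def ale(self) -> float:
        return annualized_loss_expectancy(self.sle, self.aro)

    @property
    def rating(self) -> str:
        return qualitative_risk(likelihood_level(self.probability_pct), self.impact)


def risk_register(entries: List[RiskEntry]) -> List[Tuple[str, str, float, str]]:
    """Rows for management, highest ALE first: (asset, threat, ALE, rating)."""
    rows = [(e.asset, e.threat, e.ale, e.rating) for e in entries]
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed sample register; every value below is made up for illustration.
SAMPLE_ENTRIES = [
    RiskEntry("file server", "power failure", sle=20_000, aro=0.5,
              probability_pct=40, impact="Low"),
    RiskEntry("customer database", "unauthorized access", sle=500_000, aro=0.1,
              probability_pct=30, impact="High"),
    RiskEntry("office LAN", "virus infection", sle=5_000, aro=2.0,
              probability_pct=85, impact="Low"),
]

if __name__ == "__main__":
    for asset, threat, ale, rating in risk_register(SAMPLE_ENTRIES):
        print(f"{asset:18} {threat:20} ALE={ale:>10,.0f}  rating={rating}")
    # Assumed control: 15,000/yr, cuts the database ARO from 0.1 to 0.02.
    before = annualized_loss_expectancy(500_000, 0.1)
    after = annualized_loss_expectancy(500_000, 0.02)
    print("buy control:", mitigation_worthwhile(before, after, 15_000))
```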
 OCTAVE (OPERATIONALLY CRITICAL THREAT, ASSET AND VULNERABILITY
EVALUATION) APPROACH:
 This approach was developed by the Software Engineering Institute.
 It helps organizations improve their ability to manage and protect
themselves from information security risk.
 It is a workshop-based method rather than a tool-based one, which means the
participants need to understand the risk and its components rather than using a
tool. There are three phases of workshops:
i. Phase 1: It collects the knowledge about important asset, threats and
various methods as a solution from senior managers.
a) Process 1: Identifies senior management knowledge.
b) Process 2: Identifies operational area management knowledge.
c) Process 3: Identifies staff knowledge.
d) Process 4: Create threat profiles.
ii. Phase 2: It collects the knowledge from operational area managers.
a) Process 5: Identifies key components.
b) Process 6: Evaluates selected components.
iii. Phase 3: It collects the knowledge from the staff.
a) Process 7: Conducting risk analysis.
b) Process 8: Develop a protection strategy.
 COBIT (CONTROL OBJECTIVES FOR INFORMATION AND RELATED
TECHNOLOGY) APPROACH:
 It is an IT governance framework and supporting toolset that allows managers to
bridge the gap between control requirements, technical issues and business
risks.
 It uses a maturity model as a means of assessing the maturity of the processes.
 The model encompasses the following levels:
i. Non-existent.
ii. Initial/ad hoc.
iii. Repeatable but intuitive.
iv. Defined process.
v. Managed and measurable.
vi. Optimized.
 COBIT is made up of four domains:
1. Plan and Organize(PO):
i. Process 1: Define a strategic IT plan and direction.
ii. Process 2: Define the Information Architecture.
iii. Process 3: Determine Technological Direction.
iv. Process 4: Define the IT Processes, Organization and Relationships.
v. Process 5: Manage the IT Investments.
vi. Process 6: Communicate Management Aims and Direction.
vii. Process 7: Manage IT Human Resources.
viii. Process 8: Manage Quality.
ix. Process 9: Assess and Manage IT risks.
x. Process 10: Manage Projects.
2. Acquire and Implement(AI):
i. Process 1: Identify Automated Solutions.
ii. Process 2: Acquire and Maintain Application Software.
iii. Process 3: Acquire and Maintain Technology Infrastructure.
iv. Process 4: Enable Operation and Use.
v. Process 5: Procure IT resources.
vi. Process 6: Manage Changes.
vii. Process 7: Install and Accredit Solutions and Changes.
3. Deliver and Support(DS):
i. Process 1: Define and Manage Service Levels.
ii. Process 2: Manage Third Party Services.
iii. Process 3: Manage Performance and Capacity.
iv. Process 4: Ensure Continuous Service.
v. Process 5: Ensure Systems Security.
vi. Process 6: Identify and Allocate Costs.
vii. Process 7: Educate and Train Users.
viii. Process 8: Manage Service Desk and Incidents.
ix. Process 9: Manage the configuration.
x. Process 10: Manage Problems.
xi. Process 11: Manage Data.
xii. Process 12: Manage the physical environment.
xiii. Process 13: Manage Operations.
4. Monitor and Evaluate(ME):
i. Process 1: Monitor and Evaluate IT Processes.
ii. Process 2: Monitor and Evaluate Internal Control.
iii. Process 3: Ensure Regulatory Compliance.
iv. Process 4: Provide IT Governance.
B. SECURITY MANAGEMENT OF IT SYSTEMS:
 NETWORK SECURITY:
 INTRODUCTION TO NETWORK SECURITY: It is used to control access to a computer
network and its services. There are three elements of network security:
1. Cryptography.
2. Secure Network Protocols.
3. Access Control Mechanisms.
 TYPES OF NETWORKS:
1. TRUSTED AND UNTRUSTED NETWORKS:
 Trusted networks are those the organization is responsible for protecting from
various kinds of attacks.
 This type of network includes authorized users within the organization who
access and control security measures.
 The use of firewalls helps to define the type of configuration in an
organization.
 Untrusted networks are the networks that are known to be outside of
the organization's security perimeter.
 The organization has no control over such networks or over the security policies
for such networks.
2. SEMI-TRUSTED NETWORK:
 In this case the Internet is used as part of communication. It
also includes proxy servers and domain name systems, and it is not used
for sharing confidential information.
 NETWORK ATTACKS:
 In this type of attack, an intruder attacks the network to obtain
information about the resources of the network.
 Network attacks can be classified as follows:
a. Interruption: Denial of service to authorized users.
b. Interception: Unauthorized users trying to obtain access to a
particular service.
c. Modification: Unauthorized access to and tampering with data.
d. Fabrication: Concerns the authenticity of users as well as data.
 There are five methods of attack:
a. Password Attacks: This method is implemented using various
programs such as Trojans, packet sniffers and IP spoofing.
Password attacks usually refer to repeated attempts to identify a user account or
password.
b. Network Packet Sniffers: A software application that uses the
network adapter card to capture all the packets seen on the
local area network. Most network applications transmit
packets in clear text, which allows the attacker to obtain
usernames and passwords easily.
c. IP Spoofing and DOS Attack: This attack occurs when an
attacker situated outside the network poses as a trusted
computer. Using an IP address within a particular range of the
network allows the attacker to reach specified resources on the
network.
 DOS Attack: In this attack, the system receiving the
requests becomes flooded with network traffic and
the service is no longer able to respond.
d. Distribution of Sensitive Information: In an organization, the
network security policy governs the distribution of data in the
network. The majority of computer attacks come from
people within the organization or outside the organization.
e. Man-in-the-middle attack: The attacker tries to access the
communication and packets being transferred over the
network. Information such as IDs and passwords can be easily
intercepted through websites.
 NETWORK SECURITY DIMENSIONS:
 In networks, protecting confidential information is a critical task
for Internet users.
 Some common issues for network security are as follows:
i. Attacks against information and physical assets in the organization.
ii. Security of wireless network.
iii. World Wide Web Security.
iv. Intrusion Detection System.
v. Host Security.
 FIREWALLS: A firewall protects the network, controls network traffic and provides restricted
access in a computer network. It consists of hardware and software that keep track of
users and IP addresses and maintain the confidentiality of information.
 NEED FOR A FIREWALL:
i. Remote Login: The process of connecting to a computer and accessing its files
easily.
ii. Viruses: A firewall tries to prevent viruses from spreading across the network.
iii. Spam: It contains links to websites or emails that try to harm the system.
iv. Application Backdoor: Hidden access through a program to the
data in the network.
v. Macros: They allow repeated execution of commands, and an attacker can often use
a macro to destroy data.
vi. SMTP Session Hijacking: It concerns sending email: the attacker uses the SMTP
server, which communicates between the host and the actual sender, to
send spam mail.
vii. Email Bombs: A type of personal attack where someone sends an email
thousands of times until the system cannot accept any more messages.
 TYPES OF FIREWALLS:
A. Packet Filter Firewalls: In this firewall, routers examine every packet flowing
in the network and try to control the security of the network. They look at the
destination address and block packets based on conditions. Filtering uses a set of
criteria:
i. Source IP address.
ii. Destination IP address.
iii. TCP or UDP source port.
iv. TCP or UDP destination port.
Packet filters have certain limitations:
i. No logging capability (the administrator is not able to determine whether the
router or firewall is compromised).
ii. Difficulty in testing packet filtering rules.
iii. A separate mechanism for authentication is required on each host.
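The packet filter just described, as an added example (not code from the notes): rules are matched on the four criteria listed above, the rule base is default-deny as the design section below recommends, and every decision is recorded, which addresses the logging and rule-testing limitations. The LAN range, the web server address, the rules and the sample packets are all constructed.

```python
# Added example for these notes (not the notes' own code): a stateless packet
# filter. First matching rule wins; no match means deny. Every decision is
# logged so an administrator can review what was rejected and test the rules.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str = "0.0.0.0/0"       # CIDR; 0.0.0.0/0 matches any IPv4 address
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None  # None matches either protocol
    sport: Optional[int] = None  # None matches any source port
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        """Check the four packet-filter criteria: src IP, dst IP, src port, dst port."""
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.sport is not None and self.sport != pkt.sport:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


class PacketFilter:
    """Ordered rule base with an implicit default-deny at the end."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        # (decision, index of the matching rule or None for default deny, packet)
        self.log: List[Tuple[str, Optional[int], Packet]] = []

    def decide(self, pkt: Packet) -> str:
        for index, rule in enumerate(self.rules):
            if rule.matches(pkt):
                self.log.append((rule.action, index, pkt))
                return rule.action
        self.log.append(("deny", None, pkt))  # nothing matched: default deny
        return "deny"

    def denied(self) -> List[Packet]:
        """Packets that were rejected, for the administrator to review."""
        return [pkt for action, _, pkt in self.log if action == "deny"]


# Constructed rule base: LAN 10.0.0.0/24 with a public HTTPS server at 10.0.0.5.
RULES = [
    Rule("allow", dst="10.0.0.5/32", proto="tcp", dport=443),  # anyone -> web server
    Rule("allow", src="10.0.0.0/24", proto="udp", dport=53),   # LAN -> DNS
    Rule("allow", src="10.0.0.0/24", proto="tcp", dport=443),  # LAN -> HTTPS out
]

# Constructed sample traffic (documentation address ranges, no real hosts).
SAMPLE_PACKETS = [
    Packet("203.0.113.7", "10.0.0.5", "tcp", 51000, 443),     # public HTTPS: allow
    Packet("203.0.113.7", "10.0.0.5", "tcp", 51001, 22),      # SSH from outside: deny
    Packet("10.0.0.9", "198.51.100.2", "udp", 40000, 53),     # LAN DNS query: allow
    Packet("10.0.0.9", "198.51.100.2", "tcp", 40001, 25),     # LAN SMTP out: deny
]


def sample_decisions() -> List[str]:
    """Run the constructed packets through the rule base and return the verdicts."""
    fw = PacketFilter(RULES)
    return [fw.decide(pkt) for pkt in SAMPLE_PACKETS]


if __name__ == "__main__":
    fw = PacketFilter(RULES)
    for pkt in SAMPLE_PACKETS:
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}/{pkt.proto}: {fw.decide(pkt)}")
    print("denied:", len(fw.denied()))
```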
B. Application Level Firewalls: In this type of firewall, a host computer runs
proxy server software and manages the flow of packets from one network to
another. It operates at the application layer of the OSI model. It analyzes every data
packet and decides whether to forward the packet or not.
(Figure not reproduced: the Internet connected through a router to a LAN holding PC 1, PC 2 and PC 3.)
C. Screened Host Firewall: This type of firewall combines a packet
filtering router and a bastion host.
 A bastion host is a gateway between the internal and external network. It also
provides a single entrance and exit point to the Internet. It provides services at the
network layer and application layer of the OSI model. The bastion host is
configured on the local trusted network and the packet filter router is
configured on the untrusted network.
FIG 1: SCREENED HOST FIREWALL.
(Figure not reproduced: an application gateway in which the actual client sends a request to the proxy server, the proxy client forwards the request to the file server after analysis of the application protocol, and the reply is forwarded back to the client; a packet filter router sits between the Internet and the internal network, which holds the information server and the application gateway.)
FIG 2: BASTION HOST.
 DESIGN AND IMPLEMENTATION ISSUES IN FIREWALLS:
a) In an organization, the security policy is configured to support the IT architecture.
The firewall is configured to deny all services by default and to provide good audit methods.
b) The objectives of the organization need to be implemented, and a checklist is
prepared to monitor activities in the organization.
c) It includes the design architecture and implementation of firewalls. The cost of
implementing a firewall is high in terms of configuration.
 POLICIES OF FIREWALLS:
a) They block unwanted traffic.
b) They hide vulnerable systems that are difficult to secure from the Internet.
c) They keep track of data flow in the private network.
d) They can hide critical information such as network topology, user IDs etc.
e) Firewalls combined with an IDS provide good authentication.
f) They allow us to direct network traffic to trustworthy systems.
 INTRUSION DETECTION SYSTEM (IDS):
o It can detect intrusions that pass through the firewall or occur on the local area network
(LAN).
o The security policy in the organization allows firewalls to be supported by an IDS, router
security, host security etc.
 CATEGORIES OF IDS:
a) Misuse Detection: It analyzes the information and compares it with a database of
attack signatures. It depends on the types of attack documented and is only
good for network packets.
b) Anomaly Detection: It monitors the network traffic state, protocol and packet size
against the normal state to identify anomalies.
(Figure not reproduced: screened host arrangement with the Internet, a router, a bastion host and the protected network; the router permits traffic between the bastion host and the screened host.)
c) Network based IDS: It focuses on network traffic and tries to uncover possible
attacks. It detects malicious packets sent by attackers and filters out such
packets. A NIDS is not able to detect attacks against a host on which the intruder is
already logged in.
d) Host based IDS: It is installed on individual workstations to track inappropriate
activity. Here the IDS examines the activity of computers based on system files and
administrative rights.
e) Passive IDS: It detects a security breach, logs the information and raises system
alerts.
f) Reactive IDS: In this case the IDS responds to suspicious activity, for example by logging
off the user or configuring the firewall to block network traffic.
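The misuse and anomaly detection categories, and the passive versus reactive distinction, shown together in one added example (not code from the notes). Misuse detection compares each payload with a signature database; anomaly detection flags packet sizes far from a baseline learned from normal traffic; a reactive instance additionally records the source for the firewall to block instead of only logging. The signatures, the baseline, the z-score threshold and the sample records are all constructed.

```python
# Added example for these notes (not from the original material): a toy IDS
# illustrating misuse (signature) detection, anomaly (baseline) detection and
# the passive/reactive behaviours described above. Everything below is a
# constructed illustration, not a real ruleset or real traffic.
import statistics
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Record:
    src: str
    proto: str
    size: int
    payload: str


@dataclass(frozen=True)
class Alert:
    kind: str     # "misuse" or "anomaly"
    detail: str
    record: Record


# Constructed signature database: name -> substring that marks documented misuse.
SIGNATURES: Dict[str, str] = {
    "path-traversal": "../..",
    "script-injection": "<script>",
}

# Constructed baseline of packet sizes observed during normal operation.
BASELINE_SIZES = [120, 130, 125, 118, 135, 128, 122, 131, 126, 124]


class ToyIDS:
    def __init__(self, signatures: Dict[str, str], baseline_sizes: List[int],
                 z_threshold: float = 3.0, reactive: bool = False) -> None:
        self.signatures = signatures
        self.mean = statistics.mean(baseline_sizes)
        self.stdev = statistics.pstdev(baseline_sizes) or 1.0  # avoid divide-by-zero
        self.z_threshold = z_threshold
        self.reactive = reactive
        self.alerts: List[Alert] = []      # passive behaviour: log and alert
        self.blocked: Set[str] = set()     # reactive behaviour: sources to block

    def misuse_check(self, rec: Record) -> Optional[Alert]:
        """Misuse detection: compare the payload with the signature database."""
        for name, pattern in self.signatures.items():
            if pattern in rec.payload:
                return Alert("misuse", name, rec)
        return None

    def anomaly_check(self, rec: Record) -> Optional[Alert]:
        """Anomaly detection: flag sizes far from the learned normal state."""
        z = (rec.size - self.mean) / self.stdev
        if abs(z) > self.z_threshold:
            return Alert("anomaly", f"size z-score {z:.1f}", rec)
        return None

    def inspect(self, rec: Record) -> List[Alert]:
        found = [a for a in (self.misuse_check(rec), self.anomaly_check(rec)) if a]
        self.alerts.extend(found)
        if found and self.reactive:
            self.blocked.add(rec.src)  # hand the source to the firewall
        return found


# Constructed sample records (documentation address ranges, no real hosts).
SAMPLE_RECORDS = [
    Record("10.0.0.9", "tcp", 126, "GET /index.html"),               # normal
    Record("203.0.113.7", "tcp", 131, "GET /images/../../secret.txt"),  # signature hit
    Record("203.0.113.8", "udp", 1400, "opaque blob"),                 # size anomaly
]


def run_samples(reactive: bool) -> Tuple[List[List[str]], Set[str]]:
    """Inspect the samples; return the alert kinds per record and the block set."""
    ids = ToyIDS(SIGNATURES, BASELINE_SIZES, reactive=reactive)
    kinds = [[a.kind for a in ids.inspect(rec)] for rec in SAMPLE_RECORDS]
    return kinds, ids.blocked


if __name__ == "__main__":
    kinds, blocked = run_samples(reactive=True)
    for rec, found in zip(SAMPLE_RECORDS, kinds):
        print(f"{rec.src:14} size={rec.size:5} alerts={found}")
    print("blocked by reactive IDS:", sorted(blocked))
```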
 CHARACTERISTICS OF A GOOD IDS:
a) Uptime: The system should run smoothly and continuously in the
background.
b) Fault Tolerance: In the event of a system crash, the system should be capable of
managing the errors and continuing with its activities.
c) Robustness: The system should be able to monitor itself against suspicious
network activities such as malicious code.
d) Performance: The system should be effective enough to support all activities
within an effective timeframe.
e) Easy Adaptability: The system should adapt to a changing environment by
making changes, adding new applications and supporting new upgrades.
f) Easy Configurability: Every system should support different patterns and
should be easy to adapt to such sets of patterns.
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 

Último (20)

Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 

INFORMATION SECURITY MANAGEMENT

INFORMATION SECURITY MANAGEMENT:
A. SECURITY RISK ASSESSMENT AND MANAGEMENT:
 RISK: Risk is potential harm that may arise from some current process. Risk is assessed by identifying threats and vulnerabilities and determining the impact for each risk.
 RISK MANAGEMENT: Risk management is the process of understanding and responding to factors that may lead to failure in the confidentiality, integrity or availability of an information system. There are three steps of risk management:
1. Risk Assessment.
2. Risk Mitigation.
3. Risk Evaluation.
i.e.:
a) Identification and evaluation of risk.
b) Identifying the levels of risk.
c) Weakness of the risk.
 Factors of risk management are as follows:
1. Risk Avoidance: Implementing actions to reduce the risk.
2. Risk Reduction: Implementing actions to reduce the risk.
3. Risk Spreading: Distributing risk across various programs.
4. Risk Transfer: Insuring against the costs incurred by a loss that has taken place.
5. Risk Acceptance: It is an informed determination to accept the risk and manage it at the best level.
 REACTIVE APPROACH TO RISK MANAGEMENT: Reactive risk management is brought into action once an accident happens or problems are identified after the audit. The accident is investigated and measures are taken to avoid similar events happening in the future. Reactive risk management catalogues all previous accidents and documents them to find the errors which led to the accident.
 PROACTIVE APPROACH TO RISK MANAGEMENT: It can be defined as an “adaptive, closed loop feedback control strategy based on measurement, observation of the present safety levels”. It identifies all relevant risk types before an incident occurs.
 FEATURES OF PROACTIVE AND REACTIVE RISK MANAGEMENT:
1. TIMEFRAME: Reactive risk management solely depends on past accident analysis and response. Proactive risk management combines a mixed method of past, present and future predictions before finding solutions to avoid risks.
2. FLEXIBILITY: Reactive risk management does not support the prediction, creativity and problem-solving ability of humans, which makes it less flexible to changes and challenges. Proactive risk management includes creative thinking and prediction. Further, it depends on the accident source to reduce the accident.
 RISK ASSESSMENT: It is the first process in the risk management methodology. Risk assessment methodology includes the following primary steps:
1. System Characteristics.
2. Threat Identification.
3. Vulnerability Identification.
4. Control Analysis.
5. Likelihood Determination.
6. Impact Analysis.
7. Risk Determination.
8. Control Recommendations.
9. Results Documentation.
 QUANTITATIVE RISK ASSESSMENT: It is the standard way of measuring risks in many fields such as insurance, but it is not commonly used to measure risk in information systems. Two of the reasons are:
1. Difficulties in identifying and assigning values to assets.
2. Lack of statistical information that would make it possible to determine frequency.
 It borrows methodologies used by financial institutions and insurance companies.
 Quantitative risk can be expressed as: ALE = SLE * ARO
 Annualized Loss Expectancy (ALE): It is the monetary loss that can be expected for an asset due to a risk being realized over a one-year period.
 Single Loss Expectancy (SLE): It is the value of a single loss of the asset. This is the impact of the loss.
 Annualized Rate of Occurrence (ARO): It is how often the loss occurs.
 This is not a cost-effective way to perform a quantitative risk assessment for an IT system, due to the difficulty in obtaining accurate and complete information.
 If the information is reliable, this type of assessment is an extremely powerful tool to communicate risks to all levels of management.
 QUALITATIVE RISK ASSESSMENT: It expresses the uncertainty and impact values of risk in subjective or qualitative terms. It typically gives risk results as “High”, “Moderate” and “Low”.
1) Identifying Threats: Some common threat sources include:
a) Natural Threats: Flood, Earthquakes, Hurricanes etc.
b) Human Threats: Threats caused by human beings, including unintentional network-based attacks, virus infection and unauthorized access.
c) Environmental Threats: Power failure, pollution, chemicals and water damage.
2) Identifying Vulnerabilities:
a) Vulnerability Scanners: Software that can examine an operating system, network application or code for flaws by comparing the system to a database of flaw signatures.
b) Penetration Testing: An attempt by a human security analyst to exercise threats against the system. This includes operational vulnerabilities such as social engineering.
3) Defining Likelihood:
a) Low: 0-25% chance of successful exercise of the threat during a one-year period.
b) Moderate: 26-75% chance of successful exercise of the threat during a one-year period.
c) High: 76-100% chance of successful exercise of the threat during a one-year period.
4) Defining Impact:
a) Low: The loss of confidentiality leads to a limited effect on the organization. The loss of integrity leads to a limited effect on the organization. The loss of availability leads to a limited effect on the organization.
b) Moderate: The loss of confidentiality leads to a serious effect on the organization. The loss of integrity leads to a serious effect on the organization. The loss of availability leads to a serious effect on the organization.
c) High: The loss of confidentiality leads to a more severe effect on the organization. The loss of integrity leads to a more severe effect on the organization. The loss of availability leads to a more severe effect on the organization.
 MANAGING THE RISK:
i. Mitigation: It involves fixing flaws to reduce the likelihood or impact associated with the flaw.
ii. Transference: It is the process of allowing another group of people to accept the risk on your behalf. It is not widely done for IT systems, but is common for general systems, through insurance etc.
iii. Acceptance: It allows the system to operate within a known risk. The risk is classified in two ways:
 Low risk: This is simply acceptable.
 High risk: It requires a high cost of mitigation.
iv. Avoidance: It is the process of removing the vulnerability from the system, especially in IT systems.
v. Communicating Risks: In the organization, the risk must be communicated to management to resolve the risk and find solutions. Risk management decisions are based on the cost of the risk, which is compared with the cost of the risk management strategy.
 OCTAVE (OPERATIONALLY CRITICAL THREAT, ASSET AND VULNERABILITY EVALUATION) APPROACH:
 This approach was developed by the Software Engineering Institute.
 It helps organizations improve their ability to manage and protect themselves from information security risk.
 It is a workshop-based method rather than a tool-based one, which means the participants need to understand the risk and its components rather than rely on a tool. There are three phases of workshops:
i. Phase 1: It collects knowledge about important assets, threats and various methods as a solution from senior managers.
a) Process 1: Identify senior management knowledge.
b) Process 2: Identify operational area management knowledge.
c) Process 3: Identify staff knowledge.
d) Process 4: Create threat profiles.
ii. Phase 2: It collects knowledge from operational area managers.
a) Process 5: Identify key components.
b) Process 6: Evaluate selected components.
iii. Phase 3: It collects knowledge from the staff.
a) Process 7: Conduct risk analysis.
b) Process 8: Develop a protection strategy.
 COBIT (CONTROL OBJECTIVES FOR INFORMATION AND RELATED TECHNOLOGY) APPROACH:
 It is an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks.
 It uses a maturity model as a means of assessing the maturity of the processes.
 The model encompasses the following levels:
i. Non-existent.
ii. Initial/ad hoc.
iii. Repeatable but intuitive.
iv. Defined process.
v. Managed and measurable.
vi. Optimized.
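The quantitative formula ALE = SLE * ARO, the qualitative likelihood and impact bands, and the comparison of the cost of the risk with the cost of the strategy (under "Communicating Risks") above, worked through as an added example that is not part of these notes. The likelihood x impact scoring table, the register entries and every figure in it are assumptions.

```python
"""Risk assessment worked example: ALE = SLE * ARO, qualitative ratings and
a comparison of the cost of the risk with the cost of the strategy.
The likelihood bands and impact levels follow the notes; the likelihood x
impact scoring that turns two levels into one rating is an assumption
(it follows the scoring table in NIST SP 800-30, 2002)."""
from dataclasses import dataclass

LEVELS = ("Low", "Moderate", "High")
# Assumed scaling: likelihood weight multiplied by impact weight.
LIKELIHOOD_WEIGHT = {"Low": 0.1, "Moderate": 0.5, "High": 1.0}
IMPACT_WEIGHT = {"Low": 10, "Moderate": 50, "High": 100}


def likelihood_level(percent: float) -> str:
    """Map a one-year chance of successful threat exercise to a level."""
    if not 0 <= percent <= 100:
        raise ValueError("likelihood must be a percentage in 0..100")
    if percent <= 25:
        return "Low"
    if percent <= 75:
        return "Moderate"
    return "High"


def qualitative_rating(likelihood: str, impact: str) -> str:
    """Combine two qualitative levels into one risk rating (assumed scale)."""
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError("levels must be Low, Moderate or High")
    score = LIKELIHOOD_WEIGHT[likelihood] * IMPACT_WEIGHT[impact]
    if score > 50:
        return "High"
    if score > 10:
        return "Moderate"
    return "Low"


def ale(sle: float, aro: float) -> float:
    """Annualized Loss Expectancy: single loss value times yearly frequency."""
    if sle < 0 or aro < 0:
        raise ValueError("SLE and ARO cannot be negative")
    return sle * aro


@dataclass(frozen=True)
class Risk:
    name: str
    sle: float             # single loss expectancy (currency units)
    aro: float             # events per year before any new control
    likelihood_pct: float  # yearly chance of successful exercise, 0..100
    impact: str            # Low / Moderate / High


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float     # yearly cost of the risk management strategy
    aro_after: float       # residual ARO once the control is in place


def evaluate(risk: Risk, control: Control) -> dict:
    """Compare the cost of the risk (ALE) with the cost of the strategy.
    Mitigate when the yearly loss the control avoids exceeds its own yearly
    cost; otherwise accept the risk as a known, costed residual risk."""
    before = ale(risk.sle, risk.aro)
    after = ale(risk.sle, control.aro_after)  # this control lowers ARO only
    net_benefit = before - after - control.annual_cost
    level = likelihood_level(risk.likelihood_pct)
    return {
        "risk": risk.name,
        "rating": qualitative_rating(level, risk.impact),
        "ale_before": before,
        "ale_after": after,
        "net_benefit": net_benefit,
        "decision": "mitigate" if net_benefit > 0 else "accept",
    }


# Constructed sample register; the figures are illustrative, not from the notes.
SAMPLE = [
    (Risk("ransomware on file server", 40_000, 0.5, 50, "High"),
     Control("offline backups and patching", 6_000, 0.25)),
    (Risk("lobby kiosk defacement", 500, 2.0, 40, "Low"),
     Control("kiosk hardening contract", 3_000, 0.0)),
]


def sample_report() -> list:
    """Evaluate every (risk, control) pair in the sample register."""
    return [evaluate(r, c) for r, c in SAMPLE]
```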
 COBIT is made up of the following domains:
1. Plan and Organize (PO):
i. Process 1: Define a strategic IT plan and direction.
ii. Process 2: Define the information architecture.
iii. Process 3: Determine technological direction.
iv. Process 4: Define the IT processes, organization and relationships.
v. Process 5: Manage the IT investments.
vi. Process 6: Communicate management aims and direction.
vii. Process 7: Manage IT human resources.
viii. Process 8: Manage quality.
ix. Process 9: Assess and manage IT risks.
x. Process 10: Manage projects.
2. Acquire and Implement (AI):
i. Process 1: Identify automated solutions.
ii. Process 2: Acquire and maintain application software.
iii. Process 3: Acquire and maintain technology infrastructure.
iv. Process 4: Enable operation and use.
v. Process 5: Procure IT resources.
vi. Process 6: Manage changes.
vii. Process 7: Install and accredit solutions and changes.
3. Deliver and Support (DS):
i. Process 1: Define and manage service levels.
ii. Process 2: Manage third-party services.
iii. Process 3: Manage performance and capacity.
iv. Process 4: Ensure continuous service.
v. Process 5: Ensure systems security.
vi. Process 6: Identify and allocate costs.
vii. Process 7: Educate and train users.
viii. Process 8: Manage service desk and incidents.
ix. Process 9: Manage the configuration.
x. Process 10: Manage problems.
xi. Process 11: Manage data.
xii. Process 12: Manage the physical environment.
xiii. Process 13: Manage operations.
4. Monitor and Evaluate (ME):
i. Process 1: Monitor and evaluate IT processes.
ii. Process 2: Monitor and evaluate internal control.
iii. Process 3: Ensure regulatory compliance.
iv. Process 4: Provide IT governance.
B. SECURITY MANAGEMENT OF IT SYSTEMS:
 NETWORK SECURITY:
 INTRODUCTION TO NETWORK SECURITY: It is used to control access to a computer network and its services in practice. There are three elements of network security:
1. Cryptography.
2. Secure Network Protocols.
3. Access Control Mechanisms.
 TYPES OF NETWORKS:
1. TRUSTED AND UNTRUSTED NETWORKS:
 Trusted networks are those the organization is responsible for protecting from various kinds of attacks.
 This type of network includes authorized users within the organization who access and control security measures.
 The use of firewalls helps to identify the type of configuration in an organization.
 Untrusted networks are the networks that are known to be outside of an organization's security perimeter.
 The organization has no control over such networks or the security policies for them.
2. SEMI-TRUSTED NETWORK:
 Here the use of the Internet is considered a part of communication. It also includes proxy servers and domain name systems, and it is not used for sharing confidential information.
 NETWORK ATTACKS:
 In this type of attack, an intruder tries to attack the network and get information about the resources of the network.
 Network attacks can be classified as follows:
a. Interruption: Denial of service to authorized users.
b. Interception: Unauthorized users try to obtain access to a particular service.
c. Modification: Unauthorized access and tampering with data.
d. Fabrication: It checks the authenticity of users as well as data.
 There are five methods of attack:
a. Password Attacks: This method is implemented using various programs such as Trojans, packet sniffers and IP spoofing.
Password attacks usually refer to repeated attempts to identify a user account or password.
b. Network Packet Sniffers: A software application that uses a network adapter card to capture all the packets received on a local area network. Most network applications send packets in clear text, which allows an attacker to obtain usernames and passwords easily.
c. IP Spoofing and DoS Attack: This attack occurs when an attacker situated outside the network appears to be a trusted computer. Using an IP address within a particular range of the network allows the attacker to reach specified resources on the network.
 DoS Attack: In this attack, the system receiving the requests becomes flooded with network traffic and is no longer able to respond.
d. Distribution of Sensitive Information: In an organization, the network security policy governs the distribution of data in the network. The majority of computer attacks come from people within the organization or outside the organization.
e. Man-in-the-Middle Attack: The attacker tries to access the communication and packets being transferred over the network. Information such as IDs and passwords can easily be intercepted through websites.
 NETWORK SECURITY DIMENSIONS:
 In networks, protecting confidential information becomes a critical task for Internet users.
 Some common issues for network security are as follows:
i. Attacks against information and physical assets in the organization.
ii. Security of wireless networks.
iii. World Wide Web security.
iv. Intrusion detection systems.
v. Host security.
 FIREWALLS: A firewall protects the network, controls network traffic and provides restricted access in a computer network. It consists of hardware and software that keeps track of users and IP addresses and maintains the confidentiality of information.
 NEED FOR A FIREWALL:
i. Remote Login: It is the process of connecting to a computer and accessing its files easily.
ii. Viruses: A firewall tries to prevent viruses from spreading across the network.
iii. Spam: It contains links to websites or emails that try to harm the system.
iv. Application Backdoor: It means providing hidden access to a program for the data in the network.
v. Macros: They allow repeated execution of commands, and often an attacker can use a macro to destroy data.
vi. SMTP Session Hijacking: It is concerned with sending email and requires an SMTP server to communicate between the host and the actual sender who is involved in sending spam mails.
vii. Email Bombs: A type of personal attack where someone sends an email thousands of times until the system cannot accept any more messages.
 TYPES OF FIREWALLS:
A. Packet Filter Firewalls: In this type of firewall, routers examine every packet flowing in the network and try to control the security of the network. They look at the destination address and block packets based on conditions. It filters on a certain set of criteria:
i. Source IP address.
ii. Destination IP address.
iii. TCP/UDP source port.
iv. TCP/UDP destination port.
Packet filters have certain limitations:
i. No logging capability (the administrator is not able to determine whether the router or firewall is compromised).
ii. Difficulty in testing packet filtering rules.
iii. A separate mechanism for authentication is required on each host.
B. Application Level Firewalls: In this type of firewall, a host computer runs proxy server software and manages the flow of packets from one network to another. It operates at the application layer of the OSI model. It analyzes every data packet and decides whether to forward the packet or not.
(Figure labels: INTERNET, ROUTER, PC 1, PC 2, PC 3, LAN.)
C. Screened Host Firewall: This type of firewall uses the concept of a packet filtering router and a bastion host.
 A bastion host is a gateway between the internal and external network. It also provides single entrance and exit points to the Internet. It provides services at the network layer and application layer of the OSI model. The bastion host is configured on the local trusted network and the packet filter router is configured on the untrusted network.
FIG 1: SCREENED HOST FIREWALL. (Figure labels: actual client, proxy server, file server, analysis of application protocol, proxy client, request forwarded, reply, reply forwarded, request, PCs, Internet, packet filter router, information server, application gateway, internal network.)
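The packet filter criteria listed above (source IP, destination IP, protocol, source port, destination port) applied as an ordered, first-match rule list with a default-deny policy, as an added example that is not part of these notes. The rule syntax, the addresses, the policy and the sample packets are all constructed assumptions, not any product's configuration.

```python
"""Packet filter worked example: first-match rules on source IP, destination
IP, protocol, source port and destination port, with default deny.
Rule syntax, addresses and sample packets are constructed for this example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str     # source IP address
    dst: str     # destination IP address
    proto: str   # "tcp", "udp" or "icmp"
    sport: int   # source port (0 for protocols without ports)
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    src: str = "0.0.0.0/0"        # source network in CIDR form; /0 = any
    dst: str = "0.0.0.0/0"        # destination network in CIDR form
    proto: Optional[str] = None   # None matches any protocol
    sport: Optional[int] = None   # None matches any source port
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        """True when every criterion of the rule is satisfied by the packet."""
        return (
            ip_address(pkt.src) in ip_network(self.src)
            and ip_address(pkt.dst) in ip_network(self.dst)
            and (self.proto is None or self.proto == pkt.proto)
            and (self.sport is None or self.sport == pkt.sport)
            and (self.dport is None or self.dport == pkt.dport)
        )


class PacketFilter:
    """Ordered rule list: the first matching rule decides; no match = deny."""

    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)
        # The notes list "no logging capability" as a packet-filter
        # limitation; this decision log is added so the example can show
        # which rule fired, which is exactly what an administrator lacks.
        self.log: List[Tuple[Optional[int], str, Packet]] = []

    def decide(self, pkt: Packet) -> str:
        """Return "permit" or "deny" for one packet and record the decision."""
        for index, rule in enumerate(self.rules):
            if rule.matches(pkt):
                self.log.append((index, rule.action, pkt))
                return rule.action
        self.log.append((None, "deny", pkt))
        return "deny"  # default deny: nothing matched


# Constructed policy for a LAN 192.168.10.0/24 with a web server at .5 and
# an internal DNS resolver at 10.0.0.53 (addresses are illustrative).
POLICY = [
    Rule("deny", src="203.0.113.7/32"),                              # blocked host
    Rule("permit", dst="192.168.10.5/32", proto="tcp", dport=443),   # HTTPS in
    Rule("permit", src="192.168.10.0/24", dst="10.0.0.53/32",
         proto="udp", dport=53),                                     # LAN DNS
]

# Constructed sample packets, in arrival order.
SAMPLE_PACKETS = [
    Packet("198.51.100.20", "192.168.10.5", "tcp", 51000, 443),  # HTTPS in
    Packet("198.51.100.20", "192.168.10.5", "tcp", 51001, 23),   # telnet in
    Packet("203.0.113.7", "192.168.10.5", "tcp", 4000, 443),     # blocked src
    Packet("192.168.10.33", "10.0.0.53", "udp", 3000, 53),       # LAN DNS
    Packet("198.51.100.20", "10.0.0.53", "udp", 3000, 53),       # outside DNS
]


def sample_decisions() -> List[str]:
    """Run the sample packets through the policy and return the decisions."""
    fw = PacketFilter(POLICY)
    return [fw.decide(p) for p in SAMPLE_PACKETS]
```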
FIG 2: BASTION HOST. (Figure labels: Internet, router, protection network, bastion host, router permits traffic between bastion host and screened host, PC.)
 DESIGN AND IMPLEMENTATION ISSUES IN FIREWALLS:
a) In an organization, the security policy is configured to support the IT architecture. The firewall is configured to deny all services and provide good audit methods.
b) The objectives of the organization need to be implemented and a checklist is prepared to monitor activities in the organization.
c) It includes the design architecture and implementation of firewalls. The cost to implement a firewall is high in terms of configuration.
 POLICIES OF FIREWALLS:
a) It blocks unwanted traffic.
b) It hides vulnerable systems that are difficult to secure from the Internet.
c) It keeps track of data flow in the private network.
d) It can hide critical information such as network topology, user IDs etc.
e) Firewalls combined with an IDS provide good authentication.
f) It allows us to direct network traffic to trustworthy systems.
 INTRUSION DETECTION SYSTEM (IDS):
o It can detect several intrusions that pass through a firewall or local area network (LAN).
o The security policy in the organization allows firewalls to support IDS, router security, host security etc.
 CATEGORIES OF IDS:
a) Misuse Detection: It analyzes the information and compares it with a database of attack signatures. It depends on the types of attacks documented and is only good for network packets.
b) Anomaly Detection: It monitors network traffic state, protocol and packet size against the expected state to identify anomalies.
c) Network-based IDS: It focuses on network traffic and tries to uncover possible attacks. It detects malicious packets sent by attackers and filters out such packets. A NIDS is not able to detect attacks against a host in which the intruder is already logged in.
d) Host-based IDS: It is installed on individual workstations to track inappropriate attacks. Here the IDS examines the activity of computers based on system files and administrative rights.
e) Passive IDS: It detects a security breach, logs the information and raises system alerts.
f) Reactive IDS: Here the IDS responds to suspicious activity, for example by logging the user off the system or configuring the firewall to block network traffic.
 CHARACTERISTICS OF A GOOD IDS:
a) Uptime: The system should run smoothly and continuously in the background.
b) Fault Tolerance: In the event of a system crash, the system should be capable of managing the errors and continuing its activities.
c) Robustness: The system should be able to protect itself from suspicious network activity such as malicious code.
d) Performance: The system should be effective enough to support all its activities within an acceptable timeframe.
e) Easy Adaptability: The system should adapt to a changing environment by making changes, adding new applications and supporting new upgrades.
f) Easy Configurability: Every system should support different patterns and be easy to adapt to such sets of patterns.
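The two IDS categories from the notes, misuse detection (matching a database of documented signatures) and anomaly detection (comparing protocol and packet size against an expected state), side by side over constructed sample traffic, as an added example that is not part of these notes. The signatures, the baseline traffic, the z-score threshold and the live packets are illustrative assumptions, not any real product's rule set.

```python
"""IDS categories worked example: misuse (signature) detection beside anomaly
detection over constructed sample packets. Signatures, baseline traffic and
the z-score threshold are illustrative assumptions."""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp", "udp", "icmp", ...
    dport: int      # destination port (0 for protocols without ports)
    size: int       # packet size in bytes
    payload: bytes  # application data carried by the packet


# Misuse detection: a database of documented attack signatures (constructed).
SIGNATURES: Dict[str, bytes] = {
    "path-traversal": b"../../",
    "sql-union-probe": b"UNION SELECT",
}


def misuse_detect(pkt: Packet) -> List[str]:
    """Return the names of every documented signature found in the payload.
    Only attacks already in the database are caught, which is the
    limitation the notes describe for misuse detection."""
    return sorted(name for name, sig in SIGNATURES.items() if sig in pkt.payload)


class AnomalyDetector:
    """Learn the normal packet size per protocol, then flag deviations."""

    def __init__(self, z_threshold: float = 3.0):
        self.z_threshold = z_threshold
        self.baseline: Dict[str, Tuple[float, float]] = {}  # proto -> (mean, stdev)

    def train(self, packets: List[Packet]) -> None:
        """Build the expected state from a window of known-good traffic."""
        sizes: Dict[str, List[int]] = {}
        for p in packets:
            sizes.setdefault(p.proto, []).append(p.size)
        for proto, values in sizes.items():
            self.baseline[proto] = (mean(values), pstdev(values))

    def detect(self, pkt: Packet) -> Optional[str]:
        """Return an anomaly label, or None when the packet looks normal."""
        if pkt.proto not in self.baseline:
            return "unknown-protocol"       # protocol never seen in baseline
        mu, sigma = self.baseline[pkt.proto]
        if sigma == 0:                      # baseline had constant sizes
            return None if pkt.size == mu else "size-deviation"
        if abs(pkt.size - mu) / sigma > self.z_threshold:
            return "size-deviation"
        return None


def analyze(detector: AnomalyDetector, packets: List[Packet]) -> List[Tuple[int, str]]:
    """Run both detectors over the packets; return (packet index, alert) pairs."""
    alerts: List[Tuple[int, str]] = []
    for i, pkt in enumerate(packets):
        for name in misuse_detect(pkt):
            alerts.append((i, "misuse:" + name))
        anomaly = detector.detect(pkt)
        if anomaly:
            alerts.append((i, "anomaly:" + anomaly))
    return alerts


# Constructed known-good traffic used to train the anomaly detector.
BASELINE = [Packet("tcp", 443, s, b"") for s in (500, 520, 480, 510, 490)] + \
           [Packet("udp", 53, 100, b"") for _ in range(3)]

# Constructed live traffic to analyze.
LIVE = [
    Packet("tcp", 443, 505, b"GET /index.html HTTP/1.1"),                  # normal
    Packet("tcp", 80, 530, b"GET /files?name=../../secret.txt HTTP/1.1"),  # signature
    Packet("tcp", 443, 1400, b"x" * 1400),                                 # oversize
    Packet("udp", 53, 100, b"\x12\x34 dns query"),                         # normal
    Packet("icmp", 0, 64, b"ping"),                                        # new proto
]


def sample_alerts() -> List[Tuple[int, str]]:
    """Train on the baseline window, then analyze the live packets."""
    det = AnomalyDetector()
    det.train(BASELINE)
    return analyze(det, LIVE)
```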