INFORMATION SECURITY
LUSUNGU MKANDAWIRE
MARCH 12, 2015
IIAM IT AUDIT ESSENTIALS WORKSHOP
AGENDA
- What is Information Security
- Core Principles of Information Security
- Security Governance
  - Organizational Structures
  - Roles and Responsibilities
  - Information Classification
- Risk Management
- Information Systems Controls
  - General Controls
  - Application Controls
- Auditing Information Security
OBJECTIVES
- Provide an overview of Information Security and describe its importance
- Describe one approach to Auditing Information Security
- Describe current trends in Information Security and how they can be incorporated into IT Security Audits
WHAT IS INFORMATION SECURITY
- The protection of information and its critical elements, including systems and hardware that use, store, and transmit that information.
- Information security is protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, reading, inspection, recording or destruction.
CORE PRINCIPLES OF INFORMATION SECURITY
The core principles of information security are:
- Confidentiality - to prevent the disclosure of information to unauthorized individuals or systems
- Integrity - to ensure that data is accurate and complete and cannot be modified by unauthorized person(s)
- Availability - to ensure the information is available when it is needed, where it is needed, and by whom it is needed
- Accountability - to ensure users are responsible for their actions
INFORMATION SECURITY GOVERNANCE
Organizational Structures
- Typical organizational roles with official responsibilities for information security include:
  - BoD, CEO
  - CFO, CIO, CSO, CISO
  - Director, Manager
  - IT/IS Security
  - Audit
INFORMATION SECURITY GOVERNANCE
Organizational Structures
- Audit should be separate from implementation and operations
  - so that independence is not compromised
- Responsibilities for security should be defined in job descriptions
- Senior management has ultimate responsibility for security
- Security officers/managers have functional responsibility
INFORMATION SECURITY GOVERNANCE
Roles and Responsibilities
- Best Practices
  - Least Privilege
  - Mandatory Vacations
  - Job Rotation
  - Separation of Duties
INFORMATION SECURITY GOVERNANCE
Roles and Responsibilities
- Owners
  - Determine security requirements
- Custodians
  - Manage security based on requirements
- Users
  - Access as allowed by security requirements
INFORMATION SECURITY GOVERNANCE
Information Classification
- Not all information has the same value
- Need to evaluate value based on CIA (confidentiality, integrity, availability)
- Value determines protection level
- Protection levels determine procedures
- Labeling informs users on handling
RISK MANAGEMENT
“Risk management is the process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives, and deciding what countermeasures, if any, to take in reducing risk to an acceptable level, based on the value of the information resource to the organization.” (ISACA)
RISK MANAGEMENT
The Risk Management Process
- Identify assets and estimate their value.
- Conduct a threat assessment.
- Conduct a vulnerability assessment.
- Calculate the impact that each threat would have on each asset.
- Identify, select and implement appropriate controls.
- Evaluate the effectiveness of the control measures.
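The six steps above carried through on constructed data, as an added example that is not part of the slides. The scoring rule (expected loss = asset value x threat likelihood x vulnerability exposure) and the selection rule (a control is kept when the loss it prevents exceeds its cost) are assumptions made for illustration; step 6 then shows that cost-justified controls can still leave residual risk above the acceptable level.

```python
"""Worked instance of the six-step risk management process on the slide.
Assumed scoring (not from the slides): expected loss = asset value x threat
likelihood x vulnerability exposure, and a control is selected when the loss
it prevents exceeds its cost. All figures are constructed sample data."""

# Step 1: assets and their estimated value (currency units).
ASSETS = {"customer-db": 500_000, "web-portal": 100_000}
# Step 2: threat assessment, as probability of occurrence per year.
THREATS = {"sql-injection": 0.5, "ransomware": 0.125}
# Step 3: vulnerability assessment, as (asset, threat) -> fraction of value lost.
VULNS = {("customer-db", "sql-injection"): 0.5,
         ("customer-db", "ransomware"): 1.0,
         ("web-portal", "sql-injection"): 0.25}
# Candidate controls: name -> (cost, pairs covered, fraction of loss removed).
CANDIDATES = {
    "input-validation": (15_000, {("customer-db", "sql-injection"),
                                  ("web-portal", "sql-injection")}, 0.75),
    "offline-backups": (8_000, {("customer-db", "ransomware")}, 0.5),
    "premium-waf": (200_000, {("web-portal", "sql-injection")}, 0.75),
}


def inherent_risk(assets, threats, vulns):
    """Step 4: expected loss for every (asset, threat) pair before controls."""
    return {(a, t): assets[a] * threats[t] * exposure
            for (a, t), exposure in vulns.items()}


def select_controls(risk, candidates):
    """Step 5: keep a control only when the loss it prevents exceeds its cost."""
    chosen = []
    for name, (cost, covers, reduction) in candidates.items():
        prevented = sum(risk[p] * reduction for p in covers if p in risk)
        if prevented > cost:
            chosen.append(name)
    return chosen


def residual_risk(risk, candidates, chosen):
    """Expected loss remaining after the chosen controls are applied."""
    out = dict(risk)
    for name in chosen:
        _, covers, reduction = candidates[name]
        for pair in covers:
            if pair in out:
                out[pair] *= 1 - reduction
    return out


def evaluate(risk, candidates, chosen, acceptable):
    """Step 6: is each residual risk within the acceptable level?"""
    return {pair: (loss, loss <= acceptable)
            for pair, loss in residual_risk(risk, candidates, chosen).items()}


def run(acceptable=20_000):
    """Carry the constructed data through steps 4 to 6."""
    risk = inherent_risk(ASSETS, THREATS, VULNS)
    chosen = select_controls(risk, CANDIDATES)
    return risk, chosen, evaluate(risk, CANDIDATES, chosen, acceptable)


if __name__ == "__main__":
    for pair, (loss, ok) in run()[2].items():
        print(pair, loss, "within" if ok else "ABOVE", "acceptable level")
```

Two of the three pairs remain above the 20,000 acceptable level even after the cost-justified controls, which is exactly the finding step 6 exists to surface: the organization must add controls or formally accept the remaining risk.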
INFORMATION SYSTEM CONTROLS
- Information system controls are methods and devices that attempt to ensure the accuracy, validity, and propriety of information system activities.
- Controls must be developed to ensure proper data entry, processing techniques, storage methods, and information output.
INFORMATION SYSTEM CONTROLS
General Controls
- General controls apply to information system activities throughout an organization.
- The most important general controls are the measures that control access to computer systems and the information stored there or transmitted over telecommunications networks.
INFORMATION SYSTEM CONTROLS
Application Controls
- Application controls are specific to a given application and include such measures as validating input data, logging the accesses to the system, regularly archiving copies of various databases, and ensuring that information is disseminated only to authorized users.
AUDITING INFORMATION SECURITY
Auditing information security covers the following topics:
- the physical security of offices and data centers
- the logical security of networks and databases
- technical, physical and administrative controls
AUDITING INFORMATION SECURITY
Auditing Core Systems: areas to focus on include:
- Network vulnerabilities
- Controls
- Encryption and IT audit
- Logical security audit
- Specific tools used in network security
AUDITING INFORMATION SECURITY
Auditing Applications: areas to focus on include:
- Application security
- Segregation of duties
- Controls
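An added example (not from the slides) of how an auditor might test two of the practices listed under Roles and Responsibilities, Separation of Duties and Least Privilege, which is also the segregation-of-duties focus area for application audits above. The entitlement export, the access log and the toxic-combination pairs are constructed sample data, and the 90-day idle threshold is an assumption.

```python
"""Audit checks for separation of duties and least privilege over an
application's entitlement export and access log. All data below is
constructed; the toxic combinations and idle threshold are assumptions."""
from datetime import date, timedelta

# Toxic combinations: no single user should hold both entitlements.
SOD_CONFLICTS = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"submit_journal", "post_journal"}),
    frozenset({"develop_code", "deploy_production"}),
}
# Constructed entitlement export: user -> entitlements currently held.
ENTITLEMENTS = {
    "alice": {"create_vendor", "approve_payment"},
    "bob": {"submit_journal", "view_reports"},
    "carol": {"develop_code", "deploy_production", "view_reports"},
    "dave": {"post_journal"},
}
# Constructed access log: (user, entitlement exercised, date).
ACCESS_LOG = [
    ("alice", "create_vendor", date(2015, 3, 1)),
    ("bob", "submit_journal", date(2015, 3, 10)),
    ("bob", "view_reports", date(2014, 10, 2)),
    ("carol", "develop_code", date(2015, 3, 11)),
    ("dave", "post_journal", date(2015, 2, 20)),
]


def sod_violations(entitlements, conflicts):
    """Separation of duties: users holding every entitlement of a toxic pair."""
    findings = {}
    for user, held in entitlements.items():
        hits = sorted(tuple(sorted(pair)) for pair in conflicts if pair <= held)
        if hits:
            findings[user] = hits
    return findings


def dormant_entitlements(entitlements, log, as_of, max_idle_days=90):
    """Least privilege: entitlements held but not exercised within the window.
    Never-used entitlements are reported too (they are the clearest excess)."""
    last_used = {}
    for user, ent, when in log:
        if when > last_used.get((user, ent), date.min):
            last_used[(user, ent)] = when
    cutoff = as_of - timedelta(days=max_idle_days)
    findings = {}
    for user, held in entitlements.items():
        idle = sorted(e for e in held
                      if last_used.get((user, e), date.min) < cutoff)
        if idle:
            findings[user] = idle
    return findings


def audit(as_of_iso, max_idle_days=90):
    """Run both checks as of an ISO date; returns (sod findings, dormant findings)."""
    as_of = date.fromisoformat(as_of_iso)
    return (sod_violations(ENTITLEMENTS, SOD_CONFLICTS),
            dormant_entitlements(ENTITLEMENTS, ACCESS_LOG, as_of, max_idle_days))


if __name__ == "__main__":
    sod, dormant = audit("2015-03-12")
    print("SoD violations:", sod)
    print("Dormant entitlements:", dormant)
```

Note that bob and dave together cover the submit/post journal pair without either violating it; the control is about what one person can do alone.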
SUMMARY
- Information security is a “well-informed sense of assurance that the information risks and controls are in balance.”
- Successful organizations have multiple layers of security in place: physical, personal, operations, communications, network, and information.
- Security should be considered a balance between protection and availability.
Thank You!
Lusungu Mkandawire
Lusungu.Mkandawire@mw.airtel.com
265999989153
www.linkedin.com/pub/lusungu-mkandawire/57/102/283
https://twitter.com/MLusungu
