Más contenido relacionado


Information security

  2. OBJECTIVES  Define Basic security concepts  Begin to Assess Security Risks  Outline a security policy  Locate Information Security Resources
  3. BASIC SECURITY CONCEPTS  Information Security – Perception  Information Security – Reality  CIA (Confidentiality, Data Integrity and Availability)  PPP (Physical Security, Privacy and Marketplace Security)
  4.  What is Information?  What is Information Security?  What is Risk?  An Introduction to ISO for information Technology.
  5. Information is an asset, which, like other important business assets, has the value to an organization and consequently needs to be suitably protected. BS ISO 27002:2005
  6. INFORMATION CAN BE:  Created  Stored  Destroyed  Processed  Transmitted  Used – ( for proper and improper processes)  Corrupted  Lost  Stolen  Printed or Written on paper  Stored electronically  Transmitted by post or using electronic means  Shown on completed videos  Displayed / Published on web  Verbal – spoken in conversations ‘ … Whatever form information takes, or means by which it is shared, or stored, it should always be appropriately protected’ (BS ISO 27002:2005)
  7. WHAT IS INFORMATION SECURITY  The quality or state of being secure to be free from danger  Security is achieved using several strategies  Security is achieved using several strategies simultaneously or used in combination with one another  Security is recognized as essential to protect viral processes and systems that provide those processes  Security is not something you buy, it is something you do
  8. WHAT IS INFORMATION SECURITY  The architecture where an integrated combination of appliances, systems and solutions, software, alarms and vulnerability scans working together.  Monitored 24*7  Having People, Process, Technology, Policies and procedures  Security is for PPT and not for appliances or devices
  10. PEOPLE “ WHO WE ARE”  People who use or interact with the Information include: • Shareholders/owners • Management • Employees • Business Partners • Service providers • Contractors • Customers / Clients • Regulators etc…
  11. PROCESS : “WHAT WE DO”  The processes or “work practices” or workflow. Processes are the repeatable steps to accomplish business objectives. Typical process in our IT Infrastructure could include: • Helpdesk / Service Management • Incident Reporting and Management • Change Requests Process • Request fulfillment • Access Management • Identity Management • Service Level / Third party Services Management • IT Procurement process etc..
  12. TECHNOLOGY: “ WHAT WE USE TO IMPROVE WHAT WE DO”  Network Infrastructure: • Cabling, Data/ Voice Networks and equipment • Telecommunication Services (PABX), including VOIP Services, ISDN, Video Conferencing • Server computers and associated storage devices • Operating software for server computers • Communications equipment and related hardware • Intranet and Internet connections • VPNS and virtual environments • Remote access services • Wireless Connectivity
  13. TECHNOLOGY: “ WHAT WE USE TO IMPROVE WHAT WE DO”  Application Software: • Finance and assets systems, including accounting packages, Inventory management, HR systems, Assessments, and reporting systems • Software as a service (SaaS) – Instead of software as a packaged or custom- made-product. Etc.  Physical Security components: • CCTV cameras • Clock in systems/ Biometrics • Environmental management systems: Humidity control, ventilation, Air conditioning, Firecontrol Systems • Electricity / Power backup  Access Devices: • Desktop computers • Laptops, Ultra-mobile laptops and PDAs. • Thin client computing. • Digital cameras, Printers, Scanners, and photocopier etc.
  14. INFORMATION SECURITY  Protects information from a range of threats  Ensures business continuity  Minimizes financial loss  Optimizes return on investments  Increases business opportunities Business Survival depends on Information Security
  15. ISO 27002:2005 DEFINES INFORMATION SECURITY AS THE PRESERVATION OF: - Confidentiality - Integrity - Availability Ensuring that information is accessible to only those authorized to have access Safeguarding the accuracy and completeness of information and processing methods Ensuring that authorized users have access to information and associated assets when required
  16. WHAT IS RISK?  Risk : A Possiblity that a threat exploits a vulnerability in an asset and causes damage or loss to asset  Threat: Something that can potentially cause damage to the organization, IT systems or network  Vulnerability: A weakness in the organization, IT systems, or network that can be exploited by a threat.
  17. ISO 27001 SECURITY
  18. THREAT IDENTIFICATION Elements of Threats Agent: The catalyst that performs the threat. Human Machine Nature Motive: Something that causes the agent to act. Accidental Intentional Only motivating factor that can be both accidental and intentional is human Results: The outcome of applied threat. The results normally lead to the loss of CIA Confidentiality Integrity Availability
  19. THREATS • Employees • External parties • Low Awareness of security issues • Growth in networking and distributed computing • Growith in complexity and effectiveness hacking tools and viruses • Natural disasters e.g., fire, flood, earthquake
  20. ISO27001 SECURITY
  21. ISO27001 SECURITY
  22. CYBER THREAT HISTORY  Early 1990 • DTI(UK) established a working group • Information Security Management code of practice produced as BSI- DISC publication  1995 • BS7799 published as UK Standard  1999 • BS 7799-1:1999 second revision published  2000 • BS 7799-1 accepted by ISO as ISO-17799 published • BS 7799-2:2002 published
  23. HISTORY  ISO 27001:2005 Information Technology – Security Techniques – Information Security management systems - Requirements  ISO 27002:2005 Information technology – Security techniques – code of practice for information security management
  24. ISO 27001 ISO 27001: This International standard covers all types of organizations (e.g., commercial enterprises, government agencies, non-profit organizations). This International standard specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving documented ISMS within the context of the organization’s overall business risks. It specifies requirements for the implementation of the security controls customized to the needs of the individual organizations or parts thereof. The ISMS is designated to ensure the selection of adequate and proportionate security controls that protect Information assests and give confidence to interested parties.
  25. FEATURES Features of ISO 27001 • Plan, Do, Check, Act (PCDA) process model • Process based approach • Stress on continual process improvements • Scope covers information security not only IT security • Covers people, process and technology. • 5600 plus organizations worldwide have been certified • 11 Domains, 39 control objectives, 133 controls
  26. PDCA
  28. CONTROL CLAUSES • Information Security policy- To provide management direction and support for information security. • Organization of information security – management framework for implementation • Assest management – To ensure security of valuable organizational IT and its related assets • Human Resources security – To reduce risks of human error, theft, fraud or misuse of facilities. • Physical & Enivironmental Security – To prevent unauthorized access, theft, compromise, damage, information and information processing facilities.
  29.  Communications & Operations management – To ensure the correct and secure operation of information processing facilities.  Access Control – To control access to information and information processing facilities on ‘ need to know’ and ‘need to do’ basis  Information systems acquisition, Development & Maintenance – To ensure security built into information systems  Information security incident management – To ensure information security events and weaknesses associated with information systems are communicated.
  30. CONTROL CLAUSES  Business continuity management – To reduce disruptions caused by disasters and security failures to an acceptable level.  Compliance – To avoid breaches of any criminal and civil law, statutory, regulatory or contractual obligations and of any security requirements.
  32. BENEFITS  At the organization level – commitment  At the legal level – compliance  At the operational level – Risk management  At the commercial level – credibility and confidence  At the financial level – Reduced costs  At the human level – Improved employee awareness
  36. USER RESPONSIBILITIES ISO:27001 Security Incidents  Report security incidents ( IT and NON – IT) to Helpdesk through • E-mail to • Telephone: xxxx-xxxx-xxxx • Anonymous reporting through Drop boxes e.g.: IT Incidents: Mail spamming, Virus attack, Hacking etc., Non-IT incidents: Unsupervised visitor movement, Information leakage, Bringing unauthorized media. Do not discuss security incidents with any one outside organization Do not attempt to interfere with, obstruct or prevent anyone from reporting incidents.
  37. USER RESPONSIBILITIES  Ensure your desktops are having latest antivirus updates  Ensure your system is locked when you are away  Always store laptops / media in a lockable place  Be alert while working on laptops during travel  Ensure sensitive business information is under lock and key when unattended  Ensure backup of sensitive and critical information assets  Understand compliance issues such as • Cyber Law • IPR, Copyrights, NDA • Contractual obligations with customer  Verify credentials, if the message is received from unknown sender  Always keep switch off your computer before leaving for the day  Keep yourself updated on information security aspects
  38. BASIC SECURITY CONCEPTS CIA TRIADE PPP TRIADE Integrity Availability Confidentiality Privacy Physical Security Market Place • Confidentiality – Only individuals can access data • Integrity – data changes are tracked and properly controlled • Availability – Systems are accessible for business needs
  39. ASSESSING RISKS ASSESSMENT CAN BE PERFORMED USING A 5-STEP PROCESS  Check existing security policies and processes  Analyze, prioritize and categorize resources  Consider business concerns  Evaluate existing security Controls  Leverage existing management and control architecture.
  40. ASSESSING RISKS  Check existing security policies and processes  Analyze, prioritize, and categorize resources by determining:  Total cost of ownership, internal value, and external value. - TCO refers to the total monetary and labor costs calculated over a specific time period - Internal value refers to the monetary assessment of the importance of a particular asset to the internal working of a company - External value refers to the money or another commodity that the asset brings to the company from external sources.
  41. ASSESSING RISK  Consider the business concerns through the annualized loss expectancy( ALE = SLE *ARO) - Single loss expectancy (SLE) is equal to the asset’s value times the exposure factor(EF) • Asset value = TCO + internal value + external value • EF is the percentage of asset loss that Is expected from a particular threat - Annualized Rate of Occurance (ARO) is the estimated frequency with which a particular threat may occur each year.
  42.  Evaluate existing security controls to determine what controls are deployed and effective  Leverage existing management and control architecture to build a persuasive business case for, against, implementing new security controls. ASSESSING RISK
  43. SECURITY POLICY  At a minimum, an organization’s security policy should cover the following: • Physical security • Access Control • Network Security • System security • Authorized security Tools • Auditing procedures
  44. BENEFITS OF A SECURITY POLICY  A Security Policy has the following three important benefits:  Communicates a common vision for security throughout a company  Represents a single easy-to-use source of security requirements  Exists as a flexible document that should be updated at less annually to address new security threats
  45. INPUTS FOR SECURITY POLICY  Local Laws, regulations and business contracts  Internal business goals, principles and guidelines  Security measures deemed essential through risk assessment.
  46. BUILDING A SECURITY POLICY  An organization’s security policy should cover the following:  Foreword: Purpose, Scope, Responsibilities, and Penalties for non- compliance  Physical Security: Controls to protect the people, equipment, facilites and computer assets  USER ID and rights management: Only authorized individuals have access to the necessary systems and network devices
  47. BUILDING A SECURITY POLICY An organization’s security policy should cover the following: • Network Security: Protect the network devices and data in transit • System security: Necessary defenses to protect computer systems from compromise • Testing: Authorized security tools and testing • Auditing: Procedures to periodically check security compliance
  48. BUILDING A SECURITY POLICY FOREWORD • Purpose: Why is the policy being established? • Scope: What people, systems, software, information and facilities are covered? • Responsibilties: Who is responsible for the various computing roles in a company? • Compliance: What are the penalties for noncompliance? Which organization is responsible for auditing compliance?
  49. BUILDING A SECURITY POLICY PHYSICAL SECURITY • Human threats: theft, vandalism, sabotage, and terrorism • Building damage: fire, water damage, and toxic leaks • Natural disasters: floods, hurricanes, and tornadoes • Infrastructure disruption: loss of power, loss of HVAC, and downed communication lines • Equipment failure: computer system damage and network device failure
  50. BUILDING A SECURITY POLICY USER ID AND RIGHTS Authentication: • Authentication model • Implementing technologies • Implementation mechanism Access controls – determine who gets what access to what • Access control model • Implementing mechanism
  51. BUILDING A SECURITY POLICY NETWORK SECURITY • Specific timeframes for changing passwords on network devices • Use of network protocols • Firewalls of specific chokepoints in a network architecture • Use of authentication servers to access network devices
  52. BUILDING A SECURITY POLICY SYSTEM SECURITY • The systems section is used to outline the specific settings required to secure a particular operating system or application - For Example, for Windows NT 4.0, it may be a requirement that every logical drive be installed with NTFS. - For a particular UNIX flavor, shadow passwords may be required to hide user IDS and passwords from general users.
  53. BUILDING A SECURITY POLICY TESTING AND AUDITING • Specific requirements for vulnerability scanners, compliance checking tools, and other security tools run within the environment • Require auditing logs on specific devices, periodic self-audits performed by the system administrators, and the use of security compliance checking tools • Specify corporate auditing requirements, frequencies and organizations.
  54. SECURITY RESOURCES AND CERTIFICATIONS • CISSP - Certified Information Systems Security Professional. • SSCP - Systems Security Certified Practitioner • GIAC - Global Information Assurance Certification • CISA - Certified Information Systems Auditor • CIW - Certified Internet Web Professional
  55. SUMMARY • The CIA TRIAD categorizes aspect of information that must be protected from attacks: confidentiality, integrity, and availability. • The PPP TRIAD depicts security, privacy and market place perception as three additional abstract concepts that should drive security efforts.
  56. SUMMARY • The first step in creating an effective security policy is to perform a risk assessment within the environment. A risk assessment consists of five steps: - Check for existing security policies and processes - Analyze, prioritize and categorize resources - Consider business concerns - Evaluate existing security controls - Leverage existing management and control architecture • To estimate potential financial loss from security threats, the following formula works well by accounting for the most important cost factors associated with security: ALE = SLE * ARO • A Security policy has three major benefits. IT: - Communicates a common vision for security throughout a company ` - Represents a single easy-to-use source of security requirements - Exists as a flexible document that should be updated at least annually to address new security threats
  57. SUMMARY • An effective security policy includes security requirements in the following areas: - Physical security - USERID rights and rights management - Systems - Network - Security Tools - Auditing • There are a number of security related certifications to help security professionals quantify their knowledge on a resume. • Every security professional must stay current about the latest threats through web resources, mailing lists, and printed materials.
  58. THE END