Information Security Discussion for GM667 Saint Mary's University of MN
Slide 1
Fundamental Principles of Security
Three Control Objectives
• Confidentiality
• Integrity
• Availability
These three fundamental control objectives provide the means to identify all business exposures, assess risks and select controls.
Slide 2
Three Control Objectives
Confidentiality principle
Protection of sensitive information from unauthorized disclosure;
prevention of inappropriate reading or copying
• Examples of confidential information
– Medical records
– Payroll lists
– Client lists
– Trade secrets
Slide 3
Three Control Objectives
Integrity principle
Detection or prevention of inappropriate and unauthorized data transformations
• Threats to integrity may be classified as either accidental or intentional:
– Errors
– Omissions
– Modification
– Deletion
– Replay and Insertion
• Accidental integrity violations are actually data reliability problems
Slide 4
Three Control Objectives
Availability principle
Ensuring system resources are available to sustain critical business activities
• Preparation for an unforeseen event
• It has many names: Contingency Planning; Disaster Recovery Planning; Business Continuance Planning
• Two Primary Objectives
– Disaster Avoidance or Mitigation Strategies
– Disaster Recovery Procedures
Slide 5
Three Control Objectives
Three Control Objectives (“CIA”)
Confidentiality
Integrity
Availability
These three fundamental control objectives provide the means to identify all business exposures, assess risks and select controls.
Which one is the most important to your organization?
Slide 6
Information Security Definition
The protection of information assets from unauthorized disclosure,
modification, or destruction;
or the inability to process that information
Embedded within the basic definition of information security are the three fundamental principles of information security:
• Confidentiality principle
• Integrity principle
• Availability principle
Slide 7
Risk Management
The following terms are routinely used during information
security projects; they are often used interchangeably and
incorrectly.
• Threat
• Vulnerability
• Threat Agent
• Exposure
• Control
• Risk
Slide 9
Examples of Threats
• Unauthorized access
– Hackers
– Mishandled password
• Misuse of authorized access
• Interception of information
– Wiretap
– Document left at a copier
• Introduction of malicious software
– Virus
– Worms
– Trojan Horses
• Denial of Service Attacks
• Accidental alteration or deletion of data
• Social Engineering
• Undetected software errors
• Natural disasters
• A bomb
• A fire
• Disgruntled employee
Slide 10
Risk Management Terminology
Vulnerability
A Condition Which Allows a Threat to Occur
Or
A Software, Hardware or Procedural Weakness
• Threats considered alone do not provide very meaningful information
• Threats and vulnerabilities are best considered in pairs
• Threats describe the environment; external considerations
– Your organization may have little control or influence over these
• Vulnerabilities describe the internal environment
– Vulnerabilities are your responsibility; you can take action to correct these
Slide 11
Examples of Threat/Vulnerability Pairing
Threats (we have little or no control over these) paired with vulnerabilities (things you can change):
• Bomb – An operations center with signage
• Water – A data center below ground level
• Disgruntled employee – No exit or termination procedures
• Severed network cables – Unlocked telecom cable closets
Slide 13
Risk Management Terminology
Exposure
The Negative Effect or Loss that Results after a Threat Occurs
• Monetary Loss
– Direct: Destruction or Theft of Assets
– Indirect: Replacement Costs, Customer Bad Will
• Loss of Business
• Loss of Public Trust or Confidence
• Negative Publicity
• Loss of New Business Opportunities
Slide 14
Risk Management Terminology
Risk
The Likelihood of a Threat Agent Taking Advantage of a Vulnerability
Two approaches are used to measure risk:
• Quantitative Methods
• Qualitative Methods
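As an added illustration of the two measurement approaches (this code is not from the slides), the model below scores the deck's threat/vulnerability pairs quantitatively, using the standard SLE/ARO/ALE formulas from the CISSP literature (an assumption; the slides only name the approach), and qualitatively with a likelihood by impact matrix. The dollar values, frequencies and control costs are constructed sample figures.

```python
from dataclasses import dataclass

# Assumed formulas (standard quantitative risk analysis, e.g. CISSP guides;
# the slides only name the approach, not the arithmetic):
#   SLE (single loss expectancy)     = asset value * exposure factor
#   ALE (annualized loss expectancy) = SLE * ARO (annualized rate of occurrence)
# A control is cost-justified when the ALE reduction exceeds its annual cost.


@dataclass
class Pair:
    threat: str
    vulnerability: str
    asset_value: float      # value of the asset at risk, in dollars
    exposure_factor: float  # fraction of the asset lost per occurrence (0..1)
    aro: float              # expected occurrences per year


def sle(pair: Pair) -> float:
    """Loss from a single occurrence of the threat."""
    return pair.asset_value * pair.exposure_factor


def ale(pair: Pair) -> float:
    """Expected loss per year from this threat/vulnerability pair."""
    return sle(pair) * pair.aro


def control_net_benefit(pair: Pair, aro_after: float, annual_cost: float) -> float:
    """Annual value of a control that lowers the ARO to aro_after.
    Positive means the control saves more than it costs."""
    after = Pair(pair.threat, pair.vulnerability, pair.asset_value,
                 pair.exposure_factor, aro_after)
    return ale(pair) - ale(after) - annual_cost


# Qualitative method: ordinal likelihood and impact combined in a matrix.
LEVELS = {"low": 1, "medium": 2, "high": 3}


def qualitative_risk(likelihood: str, impact: str) -> str:
    score = LEVELS[likelihood] * LEVELS[impact]
    return "high" if score >= 6 else "medium" if score >= 3 else "low"


# Constructed sample pairs taken from the pairing slide; all figures are made up.
WATER = Pair("Water", "Data center below ground level", 2_000_000, 0.25, 0.1)
CABLES = Pair("Severed network cables", "Unlocked telecom cable closets", 500_000, 0.1, 2.0)

if __name__ == "__main__":
    for p in (WATER, CABLES):
        print(f"{p.threat}: SLE=${sle(p):,.0f} ALE=${ale(p):,.0f}")
    # Flood barrier: ARO 0.1 -> 0.01 at $20,000/yr; closet locks: ARO 2 -> 0.2 at $1,000/yr
    print(control_net_benefit(WATER, 0.01, 20_000), control_net_benefit(CABLES, 0.2, 1_000))
    print(qualitative_risk("medium", "high"))
```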
Slide 15
Risk Management Terminology
Control
Mechanisms or Procedures Used to Prevent, Detect or Limit Exposures
or
A Countermeasure or Safeguard that Mitigates Risk
There Are Three Basic Types of Controls:
• Administrative
• Physical
• Technical
Slide 17
Risk Management Terminology
[Control matrix: control types Administrative (A), Physical (P) and Technical (T) against control functions Prevention (P), Detection (D) and Limiting (L)]
Examples of Controls
Administrative/Prevention Controls
• Segregation of duties
• Security checks on new personnel
• Authorization process for changes
Physical/Detection Controls:
• Cameras
• Door intrusion alarms
Technical/Limiting Controls:
• Transaction limits on ATM cards
• Access privileges on user accounts
Slide 19
Risk Management Terminology Summary
• Threat: An event or action that can have a negative impact upon an organization
• Vulnerability: A condition that allows a threat to occur
• Threat Agent: The entity that takes advantage of a vulnerability
• Exposure: The negative effect or loss that results after a threat occurs
• Control: Mechanisms or procedures used to prevent, detect or limit exposures
Slide 20
Risk Management Terminology
From: CISSP Exam Guide, Shon Harris, McGraw Hill
[Diagram] A threat agent gives rise to a threat, which exploits a vulnerability and creates a risk; the risk can damage an asset and cause an exposure, which may be countered with a control.
Slide 21
Information Security Definition
The protection of information assets from unauthorized disclosure,
modification, or destruction
or the inability to process that information
Remember, our basic definition of security is to protect information.
This information may be moving (through a network), at rest (in storage), or being manipulated (processed by a computer or a human).
Keep your eye on the information, no matter where it is.