Fundamental Principles of Security
Three Control Objectives
• Confidentiality
• Integrity
• Availability
These three fundamental control objectives provide means to identify all business exposures, assess risks and select controls.
Three Control Objectives
Confidentiality principle
Protection of sensitive information from unauthorized disclosure;
prevention of inappropriate reading or copying
• Examples of confidential information
– Medical records
– Payroll lists
– Client lists
– Trade secrets
Three Control Objectives
Integrity principle
Detection or prevention of inappropriate and unauthorized data transformations
• Threats to integrity may be classified as either accidental or intentional:
– Errors
– Omissions
– Modification
– Deletion
– Replay and Insertion
• Accidental integrity violations are actually data reliability problems
Three Control Objectives
Availability principle
Ensuring system resources are available to sustain critical business activities
• Preparation for an unforeseen event
• It has many names: Contingency Planning; Disaster Recovery Planning; Business Continuance Planning
• Two Primary Objectives
– Disaster Avoidance or Mitigation Strategies
– Disaster Recovery Procedures
Three Control Objectives (“CIA”)
• Confidentiality
• Integrity
• Availability
These three fundamental control objectives provide means to identify all business exposures, assess risks and select controls.
Which one is the most important to your organization?
Information Security Definition
The protection of information assets from unauthorized disclosure, modification, or destruction; or the inability to process that information.
Embedded within the basic definition of information security are the three fundamental principles of information security:
• Confidentiality principle
• Integrity principle
• Availability principle
Risk Management
The following terms are routinely used during information
security projects; they are often used interchangeably and
incorrectly.
• Threat
• Vulnerability
• Threat Agent
• Exposure
• Control
• Risk
Risk Management Terminology
Threat
An event or action that can have a negative impact upon an organization; or a potential danger to an information system.
Examples of Threats
• Unauthorized access
– Hackers
– Mishandled password
• Misuse of authorized access
• Interception of information
– Wiretap
– Document left at a copier
• Introduction of malicious software
– Virus
– Worms
– Trojan Horses
• Denial of Service Attacks
• Accidental alteration or deletion of data
• Social Engineering
• Undetected software errors
• Natural disasters
• A bomb
• A fire
• Disgruntled employee
Risk Management Terminology
Vulnerability
A condition which allows a threat to occur; or a software, hardware or procedural weakness.
• Threats considered alone do not provide very meaningful information
• Threats and vulnerabilities are best considered in pairs
• Threats describe the environment; external considerations
– Your organization may have little control or influence over these
• Vulnerabilities describe the internal environment
– Vulnerabilities are your responsibility; you can take action to correct these
Examples of Threat/Vulnerability Pairing
Threat (we have little or no control over these) / Vulnerability (things you can change)
• Bomb / An operations center with signage
• Water / A data center below ground level
• Disgruntled employee / No exit or termination procedures
• Severed network cables / Unlocked telecom cable closets
Risk Management Terminology
Threat Agent
The Entity that Takes Advantage of a Vulnerability
Examples:
• Intruder
• Employee
• Software
Risk Management Terminology
Exposure
The Negative Effect or Loss that Results after a Threat Occurs
• Monetary Loss
– Direct: Destruction or Theft of Assets
– Indirect: Replacement Costs, Customer Bad Will
• Loss of Business
• Loss of Public Trust or Confidence
• Negative Publicity
• Loss of New Business Opportunities
Risk Management Terminology
Risk
The likelihood of a threat agent taking advantage of a vulnerability.
Two approaches are used to measure risk:
• Quantitative Methods
• Qualitative Methods
Risk Management Terminology
Control
Mechanisms or procedures used to prevent, detect or limit exposures; or a countermeasure or safeguard that mitigates risk.
There Are Three Basic Types of Controls:
• Administrative
• Physical
• Technical
Risk Management Terminology
Controls Cube (figure: control type on one axis: Administrative, Physical, Technical; control function on the other axis: Prevent, Detect, Limit)
This simple graphic shows the types of controls available. All types must be used to form a complete and effective system of controls.
Risk Management Terminology
Examples of Controls
Administrative/Prevention Controls
• Segregation of duties
• Security checks on new personnel
• Authorization process for changes
Physical/Detection Controls:
• Cameras
• Door intrusion alarms
Technical/Limiting Controls:
• Transaction limits on ATM cards
• Access privileges on user accounts
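As an added example (not part of the original deck), the following Python models the deck's terms and checks a set of controls against the Controls Cube (type: Administrative, Physical, Technical; function: Prevent, Detect, Limit), reporting the cells no control occupies and the threat/vulnerability pairs that have no control assigned. The control names are the ones on the Examples of Controls slide and the pairs come from the pairing slide; the function names (coverage_gaps, untreated_pairs) and which control is assigned to which pair are this example's own assumptions.

```python
"""Controls Cube coverage check (added example, not from the slide deck).

Models the deck's terminology: a threat is only meaningful together with the
vulnerability it needs (a RiskPair), and controls are placed in the cube by
TYPE x FUNCTION. The deck's rule is that all types must be used to form a
complete system of controls, so empty cube cells are reported as gaps.
"""
from dataclasses import dataclass, field
from itertools import product

TYPES = ("Administrative", "Physical", "Technical")
FUNCTIONS = ("Prevent", "Detect", "Limit")


@dataclass(frozen=True)
class Control:
    name: str
    ctype: str      # one of TYPES
    function: str   # one of FUNCTIONS

    def __post_init__(self):
        # Reject anything that does not fit a cell of the cube.
        if self.ctype not in TYPES or self.function not in FUNCTIONS:
            raise ValueError(f"{self.name}: not a cube cell ({self.ctype}/{self.function})")


@dataclass
class RiskPair:
    """A threat paired with the vulnerability that lets it occur."""
    threat: str                 # external: little or no control over it
    vulnerability: str          # internal: the organization can correct it
    controls: list = field(default_factory=list)


def coverage_matrix(controls):
    """Map every (type, function) cell of the cube to the controls in it."""
    cells = {cell: [] for cell in product(TYPES, FUNCTIONS)}
    for c in controls:
        cells[(c.ctype, c.function)].append(c.name)
    return cells


def coverage_gaps(controls):
    """Cells of the cube that no control occupies, sorted for stable output."""
    return sorted(cell for cell, names in coverage_matrix(controls).items() if not names)


def untreated_pairs(pairs):
    """Threat/vulnerability pairs with no control assigned at all."""
    return [p for p in pairs if not p.controls]


# Sample data: the controls named on the "Examples of Controls" slide.
SLIDE_CONTROLS = [
    Control("Segregation of duties", "Administrative", "Prevent"),
    Control("Security checks on new personnel", "Administrative", "Prevent"),
    Control("Authorization process for changes", "Administrative", "Prevent"),
    Control("Cameras", "Physical", "Detect"),
    Control("Door intrusion alarms", "Physical", "Detect"),
    Control("Transaction limits on ATM cards", "Technical", "Limit"),
    Control("Access privileges on user accounts", "Technical", "Limit"),
]

# Sample data: the pairs from the "Threat/Vulnerability Pairing" slide.
# Which control treats which pair is a constructed assumption of this example.
SLIDE_PAIRS = [
    RiskPair("Bomb", "An operations center with signage"),
    RiskPair("Water", "A data center below ground level"),
    RiskPair("Disgruntled employee", "No exit or termination procedures",
             [SLIDE_CONTROLS[1], SLIDE_CONTROLS[6]]),
    RiskPair("Severed network cables", "Unlocked telecom cable closets",
             [SLIDE_CONTROLS[4]]),
]

if __name__ == "__main__":
    for cell, names in coverage_matrix(SLIDE_CONTROLS).items():
        print(f"{cell[0]:>14}/{cell[1]:<7}: {', '.join(names) or '(none)'}")
    print("cube gaps:", coverage_gaps(SLIDE_CONTROLS))
    print("untreated pairs:", [(p.threat, p.vulnerability) for p in untreated_pairs(SLIDE_PAIRS)])
```

Run as written, the slide's seven example controls fill only three of the nine cells, so the check reports six gaps; this is the deck's point that one type or function alone does not make a complete system of controls.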
Controls: Another Perspective (figure; labels recoverable from the slide: Information Assets, together with Network Controls, Computer Controls, Audit Programs, Physical Controls, Other controls...)
Risk Management Terminology Summary
Threat: An event or action that can have a negative impact upon an organization
Vulnerability: A condition that allows a threat to occur
Threat Agent: The entity that takes advantage of a vulnerability
Exposure: The negative effect or loss that results after a threat occurs
Control: Mechanisms or procedures used to prevent, detect or limit exposures
Risk Management Terminology
From: CISSP Exam Guide, Shon Harris, McGraw Hill
(Diagram, read as a chain:) A Threat Agent gives rise to a Threat, which exploits a Vulnerability and creates Risk; Risk can damage an Asset and cause an Exposure, which may be countered with a Control.
Information Security Definition
The protection of information assets from unauthorized disclosure, modification, or destruction; or the inability to process that information.
Remember, our basic definition of security is to protect information. This information may be moving (through a network), at rest (in storage), or being manipulated (processed by a computer or human). Keep your eye on the information, no matter where it is.

Information Security Discussion for GM667 Saint Mary's University of MN

1
Fundamental Principles of Security
Three Control Objectives
• Confidentiality
• Integrity
• Availability
These three fundamental control objectives provide means to identify all business exposures, assess risks and select controls.

2
Three Control Objectives
Confidentiality principle
Protection of sensitive information from unauthorized disclosure; prevention of inappropriate reading or copying
• Examples of confidential information
– Medical records
– Payroll lists
– Client lists
– Trade secrets

3
Three Control Objectives
Integrity principle
Detection or prevention of inappropriate and unauthorized data transformations
• Threats to integrity may be classified as either accidental or intentional:
– Errors
– Omissions
– Modification
– Deletion
– Replay and Insertion
• Accidental integrity violations are actually data reliability problems

4
Three Control Objectives
Availability principle
Ensuring systems resources are available to sustain critical business activities
• Preparation for an unforeseen event
• It has many names: Contingency Planning; Disaster Recovery Planning; Business Continuance Planning
• Two Primary Objectives
– Disaster Avoidance or Mitigation Strategies
– Disaster Recovery Procedures

5
Three Control Objectives
Three Control Objectives (“CIA”)
• Confidentiality
• Integrity
• Availability
These three fundamental control objectives provide means to identify all business exposures, assess risks and select controls.
Which one is the most important to your organization?

6
Information Security Definition
The protection of information assets from unauthorized disclosure, modification, or destruction; or the inability to process that information
Embedded within the basic definition of information security are the three fundamental principles of information security:
• Confidentiality principle
• Integrity principle
• Availability principle

7
Risk Management
The following terms are routinely used during information security projects; they are often used interchangeably and incorrectly.
• Threat
• Vulnerability
• Threat Agent
• Exposure
• Control
• Risk
8
Risk Management Terminology
Threat
An Event or Action that can have a Negative Impact upon an Organization, or A Potential Danger to an Information System

9
Examples of Threats
• Unauthorized access
– Hackers
– Mishandled password
• Misuse of authorized access
• Interception of information
– Wiretap
– Document left at a copier
• Introduction of malicious software
– Virus
– Worms
– Trojan Horses
• Denial of Service Attacks
• Accidental alteration or deletion of data
• Social Engineering
• Undetected software errors
• Natural disasters
• A bomb
• A fire
• Disgruntled employee

10
Risk Management Terminology
Vulnerability
A Condition Which Allows a Threat to Occur, or A Software, Hardware or Procedural Weakness
• Threats considered alone do not provide very meaningful information
• Threats and vulnerabilities are best considered in pairs
• Threats describe the environment; external considerations
– Your organization may have little control or influence over these
• Vulnerabilities describe the internal environment
– Vulnerabilities are your responsibility; you can take action to correct these

11
Examples of Threat/Vulnerability Pairing
Threats (we have little or no control over these) / Vulnerabilities (things you can change)
– Bomb / An operations center with signage
– Water / A data center below ground level
– Disgruntled employee / No exit or termination procedures
– Severed network cables / Unlocked telecom cable closets

12
Risk Management Terminology
Threat Agent
The Entity that Takes Advantage of a Vulnerability
Examples:
• Intruder
• Employee
• Software

13
Risk Management Terminology
Exposure
The Negative Effect or Loss that Results after a Threat Occurs
• Monetary Loss
– Direct: Destruction or Theft of Assets
– Indirect: Replacement Costs, Customer Bad Will
• Loss of Business
• Loss of Public Trust or Confidence
• Negative Publicity
• Loss of New Business Opportunities

14
Risk Management Terminology
Risk
The Likelihood of a Threat Agent Taking Advantage of a Vulnerability
Two approaches are used to measure risk:
• Quantitative Methods
• Qualitative Methods

15
Risk Management Terminology
Control
Mechanisms or Procedures Used to Prevent, Detect or Limit Exposures, or A Countermeasure or Safeguard that Mitigates Risk
There Are Three Basic Types of Controls:
• Administrative
• Physical
• Technical
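The deck names quantitative and qualitative methods (slide 14) without showing either in action. The script below is an added example, not part of the deck or its source material: it takes the four threat/vulnerability pairs from slide 11, attaches a constructed likelihood (the slide 14 notion of risk) and a constructed dollar exposure (slide 13) to each, scores them once quantitatively (likelihood times exposure, ranked) and once qualitatively (ordinal levels looked up in a risk matrix), then shows a control (slide 15) lowering the residual figure. All numbers, scale thresholds and the matrix are assumptions made for illustration; the point it adds is that the two methods can rank the same pairs differently.

```python
"""Scoring threat/vulnerability pairs quantitatively and qualitatively.

Added example, not part of the slide deck. The threat/vulnerability pairs
are the four from slide 11; every likelihood, dollar figure, scale
threshold, matrix entry and control effect below is constructed.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Pair:
    threat: str          # external: describes the environment
    vulnerability: str   # internal: something the organization can change
    likelihood: float    # constructed: chance per year a threat agent exploits the vulnerability
    exposure: float      # constructed: loss in dollars if it does (direct plus indirect)


# Constructed values attached to the slide 11 pairs.
PAIRS = [
    Pair("Bomb", "An operations center with signage", 0.01, 5_000_000),
    Pair("Water", "A data center below ground level", 0.20, 800_000),
    Pair("Disgruntled employee", "No exit or termination procedures", 0.50, 150_000),
    Pair("Severed network cables", "Unlocked telecom cable closets", 0.30, 60_000),
]


def expected_loss(pair):
    """Quantitative risk for one pair: likelihood times exposure (expected annual loss)."""
    return pair.likelihood * pair.exposure


def quantitative(pairs):
    """Rank pairs by expected annual loss, highest first."""
    return sorted(((p, expected_loss(p)) for p in pairs), key=lambda t: t[1], reverse=True)


# Qualitative scales as (exclusive upper bound, level); thresholds are constructed.
LIKELIHOOD_SCALE = [(0.05, "Low"), (0.25, "Medium"), (float("inf"), "High")]
EXPOSURE_SCALE = [(100_000, "Low"), (1_000_000, "Medium"), (float("inf"), "High")]

# Risk matrix: (likelihood level, exposure level) -> risk level; also constructed.
RISK_MATRIX = {
    ("Low", "Low"): "Low",     ("Low", "Medium"): "Low",       ("Low", "High"): "Medium",
    ("Medium", "Low"): "Low",  ("Medium", "Medium"): "Medium", ("Medium", "High"): "High",
    ("High", "Low"): "Medium", ("High", "Medium"): "High",     ("High", "High"): "High",
}


def level(value, scale):
    """Map a number onto the first band of the scale whose upper bound it is below."""
    for upper, name in scale:
        if value < upper:
            return name
    return scale[-1][1]


def qualitative(pairs):
    """Qualitative risk for each pair: ordinal levels looked up in the matrix."""
    return {
        p.threat: RISK_MATRIX[(level(p.likelihood, LIKELIHOOD_SCALE),
                               level(p.exposure, EXPOSURE_SCALE))]
        for p in pairs
    }


def apply_control(pair, likelihood_after):
    """Residual risk once a control mitigates the vulnerability (the new likelihood is constructed)."""
    return replace(pair, likelihood=likelihood_after)


if __name__ == "__main__":
    levels = qualitative(PAIRS)
    for p, loss in quantitative(PAIRS):
        print(f"{p.threat:<24} expected annual loss ${loss:>10,.0f}  qualitative {levels[p.threat]}")
    # Adding exit/termination procedures (an administrative control) to the
    # disgruntled-employee pair; the reduced likelihood is a constructed value.
    before = PAIRS[2]
    after = apply_control(before, 0.10)
    print(f"residual: ${expected_loss(before):,.0f} -> ${expected_loss(after):,.0f}")
```

With these constructed inputs the quantitative ranking puts Water first and the disgruntled employee second, while the qualitative matrix rates the disgruntled employee High and Water only Medium; which view the organization acts on is exactly the choice slide 14 leaves open.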
16
Risk Management Terminology
Controls Cube
[Figure: a cube whose axes are Prevent / Detect / Limit and Administrative / Physical / Technical]
This simple graphic shows the types of controls available. All types must be used to form a complete and effective system of controls.

17
Risk Management Terminology
Examples of Controls
[Figure: the controls cube again, axes labelled P D L and A P T]
Administrative/Prevention Controls:
• Segregation of duties
• Security checks on new personnel
• Authorization process for changes
Physical/Detection Controls:
• Cameras
• Door intrusion alarms
Technical/Limiting Controls:
• Transaction limits on ATM cards
• Access privileges on user accounts
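Slide 16 says every cell of the cube must be used for a system of controls to be complete, and slide 17 populates only three of the nine cells. The script below is an added example, not from the deck: it holds the slide 17 controls as (control, type, function) triples, builds the 3 by 3 cube, and reports the cells no control occupies. The extra "Review of access logs" control in the usage block is constructed to show a gap closing.

```python
"""Coverage check against the controls cube (slides 15 to 17).

Added example, not part of the slide deck. A control sits in one cell of
the cube by its type (Administrative, Physical, Technical) and function
(Prevent, Detect, Limit); the check reports the cells no control occupies.
The catalog holds the controls named on slide 17, placed as the slide
places them; the extra control in the usage block is constructed.
"""
from itertools import product

TYPES = ("Administrative", "Physical", "Technical")
FUNCTIONS = ("Prevent", "Detect", "Limit")

# (control, type, function) triples taken from slide 17.
CATALOG = [
    ("Segregation of duties", "Administrative", "Prevent"),
    ("Security checks on new personnel", "Administrative", "Prevent"),
    ("Authorization process for changes", "Administrative", "Prevent"),
    ("Cameras", "Physical", "Detect"),
    ("Door intrusion alarms", "Physical", "Detect"),
    ("Transaction limits on ATM cards", "Technical", "Limit"),
    ("Access privileges on user accounts", "Technical", "Limit"),
]


def build_cube(catalog):
    """Map every (type, function) cell to the controls placed in it; reject unknown cells."""
    cube = {cell: [] for cell in product(TYPES, FUNCTIONS)}
    for name, ctype, func in catalog:
        if (ctype, func) not in cube:
            raise ValueError(f"{name!r}: unknown cell {ctype}/{func}")
        cube[(ctype, func)].append(name)
    return cube


def empty_cells(catalog):
    """Cells with no control at all: the gaps in the system of controls."""
    return sorted(cell for cell, names in build_cube(catalog).items() if not names)


def is_complete(catalog):
    """True only when every cell of the cube is occupied, as slide 16 requires."""
    return not empty_cells(catalog)


def render(catalog):
    """Text view of the cube: rows are control types, columns are functions, cells count controls."""
    cube = build_cube(catalog)
    lines = ["{:<16}".format("") + "".join(f"{f:<10}" for f in FUNCTIONS)]
    for t in TYPES:
        lines.append(f"{t:<16}" + "".join(f"{len(cube[(t, f)]):<10}" for f in FUNCTIONS))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(CATALOG))
    for ctype, func in empty_cells(CATALOG):
        print(f"gap: no {ctype}/{func} control")
    # Constructed addition to show one gap closing.
    extended = CATALOG + [("Review of access logs", "Technical", "Detect")]
    print("complete after addition:", is_complete(extended))
```

Run as written it lists six empty cells (for example no Administrative/Detect and no Technical/Prevent control), which is the practical reading of slide 16: the examples on slide 17 illustrate the axes but would not, on their own, form a complete system of controls.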
19
Risk Management Terminology
Summary
Threat: An event or action that can have a negative impact upon an organization
Vulnerability: A condition that allows a threat to occur
Threat Agent: The entity that takes advantage of a vulnerability
Exposure: The negative effect or loss that results after a threat occurs
Control: Mechanisms or procedures used to prevent, detect or limit exposures

20
Risk Management Terminology
From: CISSP Exam Guide, Shon Harris, McGraw Hill
[Figure: relationship chain] Threat Agent → gives rise to a → Threat → which exploits a → Vulnerability → and creates → Risk → can damage → Asset → and cause an → Exposure → may be countered with → Control

21
Information Security Definition
The protection of information assets from unauthorized disclosure, modification, or destruction, or the inability to process that information
Remember, our basic definition of security is to protect information. This information may be moving (through a network), at rest (in storage), or being manipulated (processed by a computer or human). Keep your eye on the information, no matter where it is.