Information Security Management. Introduction.
By Yuliana Martirosyan,
Based on Bell G. Reggard, Information Security Management. Concepts and Practices.
3. • Introduction
• Layers of personnel around an information resources
Operator
-System-
Security Staff
Security Administrator
System Owner
Information Security Management
Introduction to Information Security Management
4. Information Security Management
• Why Information Security Matters?
• Information drives enterprise business value generation.
• Information is the basis of competitive advantage.
• Assets are very independent.
To protect one asset the whole computing environment should be
protected.
Introduction to Information Security Management
5. Information Security Management
Information Sensitivity Classification
Information sensitivity taxonomy
Introduction to Information Security Management
Information
Sensitivity
Public
Information
Confidential
Information
Internal
Use
Proprietary
Information
Highly
Confidential
Top
Secret
6. Information Security Management
Information Security Governance
Corporate governance has to do with how the board of directors and executive
management run and control a company
IT governance is how technology is used and managed so that it supports business needs.
Information security governance is a coherent system of integrated security components
• products
• personnel
• training
• processes
• policies ...
that exist to ensure that the organization survives and hopefully thrives.
Introduction to Information Security Management
7. The Computing Environment
Security of an information system
Information
System
Security
People security
Technology
Security
Network Security
Security of IS
Activities
Data Security
Information Security Management
Introduction to Information Security Management
8. Security of Various Components in the Computer
Environments
Protecting organization, information system , or any computing environment means
following:
• Personal security to protect people
• Qualification assurance
• Specifications of the job
• Security clearance
• Screening Assurance
• Authorizing of process
• Security Training
• Nondisclosure Agreement
Information Security Management
Introduction to Information Security Management
9. Security of an information system
1. Introduction to Information Security Management
CIA Triad
CIA
Triad
Confidentiality
Integrity
Availability
10. CIA triad suffers from at least 2 drawbacks:
Security Star Model
Confidentiality
Availability
Non-Repudiation
Integrity
Authentication
1. Introduction to Information Security Management
The Security Star
11. Parker’s View of Information Security
Parker’s View of Information Security
• CIA Triad
• Authenticity
• Possession Envelope
• Utility
Possession defines ownership or control of information
Authenticity aims at ensuring that the origin of the transmission is correct and that the
authorship of the transmitted documents is valid
Utility emphasized the usefulness of the information in possession
Information Security Management
Introduction to Information Security Management
12. What is Information Security Management
1. Identify computing environment, define its critically, prioritize its contribution to the
organization’s business-value-generation capabilities;
2. Identify all security risks, assess them, mitigate them by devising a comprehensive risk-
driven security program;
3. Provide continual improvement of the organization’s risk position.
Information Security Management
Introduction to Information Security Management
13. Security Controls
Managerial Controls:
• Risk Assessment
• Planning
• System and Service acquisition
• Certification, accreditation and security assessment
Technical Controls:
• Personnel Security
• Physical and environmental protection
• Contingency planning
• Configuration management
Information Security Management
Introduction to Information Security Management
14. Security Controls
Operational Controls:
• Personnel Security
• Physical and environmental protection
• Contingency planning
• Configuration management
• Maintenance
• System and Information Integrity
• Media Protection
• Incident Response
• Awareness and Training
Information Security Management
Introduction to Information Security Management
15. The NSA Triad for Security Assessment
Assessment - Security Planning for 3 years
Not technical, often qualitative
Doesn’t involve any testing
Collaborative, often shared by users, managers, and owner
Evaluation - How to use technology to support information security
Technical but not invasive
Passive testing required for self study
Collaborative to some extends
Involves diagnostic tools
Involves internal audit
Information Security Management
Introduction to Information Security Management
16. The NSA Triad for Security Assessment
Penetration Testing
Non-collaborative
Technical in nature
Invasive in nature
Involves external audit
Active penetration tests
Risk to compromise the target system exists but has to be avoided
Active assessment expertise is required
Information Security Management
Introduction to Information Security Management
Notas del editor
A computing environment as Raggad’s taxonomy of information security is made up for five continuously interacting components. Information system is viewed as smaller computing environment made to efficiently achieve information system objectives.
Information security cannot just be devised based on the specifications of security solutions; a thorough study of the organization business value generation model and its computing environment is needed before prescribing any security programs. Any security investigation has to be risk driven
Off-the -self solutions will not work :
1. security requirements vary depending on vulnerabilities and threats of organization’s computing environment
2. the effect and consequences of similar security incidents vary from one organization to another.
Information sensitivity taxonomy proposed by the ISO/IEC 177799 or ISO/IEC 27002.
CIA triad suffers from at least 2 drawbacks:
The tree security goals are not sufficient and more security goals have to be added
A risk-driven model based on CIA is not sufficient to achieve security as long as security management is not incorporated in the security model.
Authentication - verifying the identity of an agent before access is granted smart cards, public key, biometrics
Non-Repudiation - both ends of transmission cannot deny their involvement in the transmission: Digital signatures
Possession: Even if information is securely encrypted in a packet, just loosing the packet is a breach of possession
Utility: if information is available to you in an encrypted form, but you have no way to decrypt it this information is not useful to you
Provide continual improvement of the organization’s risk position: automatically revising the risk driven security program as security requirements change with changes in computing environment