
Final Report of IT Security

This document provides an overview of information security and IT risk management. It begins by defining information security and describing the roles of IT security specialists. It then discusses management's concerns about IT security risks and the need to balance security with business needs. The objectives of IT security are also outlined. The document proceeds to cover topics such as organizing information security, types of IT assets, new threats from networking, common security standards and frameworks, performing IT risk analysis, and the risk management process.

Uploaded by

dntalk
Copyright
© Attribution Non-Commercial (BY-NC)

1.1. Introduction:

Information security, sometimes shortened to InfoSec, is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. It is a general term that can be used regardless of the form the data may take (electronic, physical, etc.). Sometimes referred to as computer security, Information Technology Security is information security applied to technology (most often some form of computer system). It is worthwhile to note that a computer does not necessarily mean a home desktop. A computer is any device with a processor and some memory (even a calculator). IT security specialists are almost always found in any major enterprise/establishment due to the nature and value of the data within larger businesses. They are responsible for keeping all of the technology within the company secure from malicious cyber-attacks that often attempt to breach critical private information or gain control of the internal systems. Information assurance is the act of ensuring that data is not lost when critical issues arise. These issues include, but are not limited to, natural disasters, computer/server malfunction, physical theft, or any other instance where data has the potential of being lost. Since most information is stored on computers in our modern era, information assurance is typically dealt with by IT security specialists. One of the most common methods of providing information assurance is to have an off-site backup of the data in case one of the mentioned issues arises.

1.2. Management's Concerns about IT Security:

- Dependence on IT systems: information systems which can provide accurate services when and where they are required are the key to the survival of most modern businesses.

IT Security

Page 1

- Exposure of IT systems: IT systems need a stable environment. Organizations rely upon the accuracy of information provided by their systems.
- Investment in IT systems: information systems are costly both to develop and maintain, and management should protect their investment like any other valuable asset.

1.3. Balance of Protecting IT Assets:

- Appropriate to an organization's business needs, yet comprehensive in its coverage.
- Justified to the extent that it will reduce perceived risks to the level that management is willing to accept.
- Effective against actual threats.

1.4. Objectives of IT Security:

- Information is accessible only to those authorized to have access (confidentiality).
- Safeguarding the accuracy and completeness of information and processing methods (integrity).
- Ensuring that authorized users have access to information and associated assets when required (availability).


2.1 Organization of Information Security:

- Information security structure
- Security of third party access
- Outsourcing

I. Information Security Structure: The objective is to deal with the management of information security within the organization. A management framework should be established to initiate and control the implementation of information security within the organization. (Review the IS Management course.)

II. Security of 3rd Party Access: The objective is to maintain the security of organizational information processing facilities accessed by third parties. Access to the organization's information processing facilities by third parties should be controlled.

III. Outsourcing: The objective is to maintain the security of information when responsibility for processing is outsourced.


2.2 Types of Information Systems Assets:

- Information assets: databases and data files, system documentation, user manuals, training material, operational or support procedures, continuity plans, fallback arrangements, archived information.
- Software assets: application software, system software, development tools and utilities.
- Physical assets: computer equipment (processors, monitors, laptops, modems), communication equipment (routers, PABX, fax machines), magnetic media (tapes and disks).
- Services: computing and communication services, general utilities, e.g. heating, lighting, power, air-conditioning.

2.3 (Networking & Communication) New Threats and Risks:

- Data loss: data may be deleted or lost in transmission.
- Data corruption: data errors can occur during transmission.
- System unavailability: network links may be easily damaged. The loss of a hub can affect the processing ability of many users. Communications lines often extend beyond the boundaries of the client's control, e.g. the client may rely on the local telephone company for ISDN lines.
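Loss and corruption in transmission are threats a receiver can detect rather than merely suffer, which is what the integrity objective in 1.4 asks for. The following is an added example written for this report, not code from the report itself: each message is framed with a sequence number and an HMAC-SHA256 tag under a shared key; the receiver discards any frame whose tag fails to verify (corruption, whether accidental or deliberate) and reports a jump in sequence numbers (loss). The key, the messages and the injected faults are constructed sample values.

```python
"""Detecting data loss and data corruption on a link (added example, not from the report).

Each message is framed as: 4-byte big-endian sequence number | payload |
32-byte HMAC-SHA256 tag over (sequence number || payload). The key and all
messages below are constructed sample values.
"""
import hashlib
import hmac
import struct
from typing import List, Tuple

KEY = b"constructed-demo-key"  # shared secret between sender and receiver (sample value)
SEQ_LEN = 4
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def make_frame(seq: int, payload: bytes, key: bytes = KEY) -> bytes:
    """Sender side: prepend the sequence number and append a keyed integrity tag."""
    header = struct.pack("!I", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def receive(frames: List[bytes], key: bytes = KEY) -> Tuple[List[bytes], List[str]]:
    """Receiver side: return the accepted payloads and the problems detected.

    A frame with a bad tag is discarded (corruption). A jump in the sequence
    number means one or more frames were lost in transit.
    """
    accepted: List[bytes] = []
    problems: List[str] = []
    expected_seq = 0
    for raw in frames:
        if len(raw) < SEQ_LEN + TAG_LEN:
            problems.append("truncated frame")
            continue
        header, payload, tag = raw[:SEQ_LEN], raw[SEQ_LEN:-TAG_LEN], raw[-TAG_LEN:]
        calc = hmac.new(key, header + payload, hashlib.sha256).digest()
        # compare_digest avoids leaking the tag through timing differences
        if not hmac.compare_digest(calc, tag):
            problems.append("corrupted frame (bad tag)")
            continue
        seq = struct.unpack("!I", header)[0]
        if seq != expected_seq:
            problems.append(f"lost frame(s): expected seq {expected_seq}, got {seq}")
            expected_seq = seq
        accepted.append(payload)
        expected_seq += 1
    return accepted, problems


def simulate_faulty_link() -> Tuple[List[bytes], List[str]]:
    """Send four constructed messages; one is dropped and one has a bit flipped."""
    messages = [b"balance=100", b"transfer=25", b"balance=75", b"logout"]
    frames = [make_frame(i, m) for i, m in enumerate(messages)]
    del frames[1]                    # frame with seq 1 never arrives (data loss)
    damaged = bytearray(frames[1])   # this is now the frame with seq 2
    damaged[SEQ_LEN + 2] ^= 0x01     # one payload bit flips in transit (data corruption)
    frames[1] = bytes(damaged)
    return receive(frames)


if __name__ == "__main__":
    payloads, issues = simulate_faulty_link()
    for p in payloads:
        print("accepted:", p.decode())
    for issue in issues:
        print("detected:", issue)
```

A plain CRC would catch the random bit flip but not a deliberate modification, which is why the tag is keyed; the sequence number is what turns silent loss into a reportable event.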


2.4. IT Security Standards & Frameworks:

- ISO/IEC 27001:2005
- COBIT (Control Objectives for Information and Related Technology)
- etc.

2.4.1 ISO/IEC 27001:2005:

ISO/IEC 27001:2005, part of the growing ISO/IEC 27000 family of standards, is an information security management system (ISMS) standard published in October 2005 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Its full name is ISO/IEC 27001:2005 Information technology - Security techniques - Information security management systems - Requirements. As of July 2013, a new version is in draft: ISO/IEC 27001:2013. ISO/IEC 27001:2005 formally specifies a management system that is intended to bring information security under explicit management control. Being a formal specification means that it mandates specific requirements. Organizations that claim to have adopted ISO/IEC 27001 can therefore be formally audited and certified compliant with the standard (more below). The standard contains 11 domains (apart from introductory sections):

1. Security policy - management direction.
2. Organization of information security - governance of information security.
3. Asset management - inventory and classification of information assets.
4. Human resources security - security aspects for employees joining, moving and leaving an organization.
5. Physical and environmental security - protection of the computer facilities.
6. Communications and operations management - management of technical security controls in systems and networks.
7. Access control - restriction of access rights to networks, systems, applications, functions and data.
8. Information systems acquisition, development and maintenance - building security into applications.
9. Information security incident management - anticipating and responding appropriately to information security breaches.
10. Business continuity management - protecting, maintaining and recovering business-critical processes and systems.
11. Compliance - ensuring conformance with information security policies, standards, laws and regulations.

2.4.2 COBIT:

Control Objectives for Information and Related Technology (COBIT) is a framework created by ISACA for information technology (IT) management and IT governance. It is a supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks.

- Newest: COBIT 5
- Widely used: COBIT 4.1
- Framework
- Control Objectives
- Management Guidelines
- Maturity Models


2.5 IT Risk Analysis:

- Objective: identify the various ways in which data, the information system, and the network which supports it are exposed to risk.
- Involves assessing the likelihood of each of a wide range of threats.
- End result: a security requirement for each type of threat that could affect the system.

2.6 Risk:

- Risk in IT: a combination of threat, vulnerability, and impact.
- Threat: an unwanted event that could remove, disable, damage, or destroy an IT asset.
- Vulnerability: a weakness that could be exploited by a threat.
- Impact: the consequences of a vulnerability in a system being exploited by a threat.

2.7 Risk Analysis & Risk Management:


2.8 Risk Analysis Principles:

- Business modeling: to determine which information systems support which business functions.
- Impact analysis: to determine the sensitivity of key business functions to a breach of confidentiality, integrity or availability.
- Dependency analysis: to determine points of access to information systems and assets that must be in place to deliver a service to a business function.
- Threat and vulnerability analysis: to determine points of weakness in the system configuration and the likelihood of events.

2.9 Components of IT Risk:


2.10 Reviewing IT Risks:

IT risk analysis involves identifying IT assets that are at risk:

- What type of threats do they face?
- What are their likely causes and their probable impact(s)?
- What is the likelihood of the threat succeeding?
- How would we know if the threat did succeed?
- What can we do to prevent the impact?
- What can we do to recover if the threat does succeed?

2.11 Risk Management:

- Involves the identification, selection, and implementation of countermeasures that are designed to reduce the identified levels of risk to acceptable levels.
- It is impossible to reduce all risks to zero (in terms of cost-effective RM).

2.12 Risk Management Process:

- Prioritize actions: based on the risk levels presented in the risk assessment report, the implementation actions are prioritized.
- Evaluate recommended control actions: the technical feasibility and effectiveness of all identified controls should be evaluated so that the most appropriate control is chosen.
- Conduct cost-benefit analysis: to allocate resources and implement cost-effective solutions, organizations should conduct a cost-benefit analysis for each proposed control.
- Select control: on the basis of the results of the cost-benefit analysis, management selects the cost-effective controls for reducing risks.
- Assign responsibility: responsibility should be assigned to in-house experts or an outside agency that has the appropriate skill set and expertise to implement the selected control.
- Develop safeguard implementation plan: the safeguard implementation plan prioritizes the implementation actions and projects the start dates and the target completion dates.
- Implement selected controls: the selected controls should be implemented so that the risks are brought down within the acceptable levels.
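The definitions in 2.6 (risk as the combination of threat, vulnerability and impact), the acceptable-level idea in 2.11 and the first four steps of the process above (prioritize, evaluate, cost-benefit, select) can be carried through on a small risk register. The following is an added example written for this report, not the report's own material: likelihood stands for the threat and vulnerability combination expressed as expected occurrences per year, impact is the loss per occurrence, and their product (annual loss expectancy, ALE) is the risk level. The assets, threats, controls, costs and the acceptable level are all constructed sample values.

```python
"""Risk levels and cost-effective control selection (added example, not from the report).

Risk = threat x vulnerability x impact (section 2.6): likelihood stands for the
threat/vulnerability combination as expected occurrences per year, impact is
the loss per occurrence, and the risk level is their product, the annual loss
expectancy (ALE). Every figure below is a constructed sample value.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    likelihood: float  # expected occurrences per year (threat x vulnerability)
    impact: float      # loss per occurrence, in currency units

    @property
    def ale(self) -> float:
        """Risk level used for prioritisation (annual loss expectancy)."""
        return self.likelihood * self.impact


@dataclass(frozen=True)
class Control:
    name: str
    risk_id: int             # index into the register of the risk it treats
    likelihood_after: float  # residual likelihood once the control is in place
    impact_after: float      # residual impact once the control is in place
    annual_cost: float       # cost of operating the control per year

    @property
    def residual_ale(self) -> float:
        return self.likelihood_after * self.impact_after


def prioritize(register: List[Risk]) -> List[int]:
    """Step 1: order risk ids by risk level, highest first."""
    return sorted(range(len(register)), key=lambda i: register[i].ale, reverse=True)


def net_benefit(risk: Risk, control: Control) -> float:
    """Step 3: cost-benefit = ALE reduction minus the control's annual cost."""
    return (risk.ale - control.residual_ale) - control.annual_cost


def select_controls(register: List[Risk], controls: List[Control],
                    acceptable_ale: float) -> Tuple[Dict[int, Optional[str]], List[int]]:
    """Steps 1-4: for each risk, in priority order, choose the control with the
    largest positive net benefit. A risk with no cost-effective control gets
    None. Returns the plan and the ids of risks still above the acceptable level."""
    plan: Dict[int, Optional[str]] = {}
    unresolved: List[int] = []
    for rid in prioritize(register):
        risk = register[rid]
        candidates = [c for c in controls
                      if c.risk_id == rid and net_benefit(risk, c) > 0]
        if not candidates:
            plan[rid] = None          # nothing cost-effective: accept or revisit
            residual = risk.ale
        else:
            best = max(candidates, key=lambda c: net_benefit(risk, c))
            plan[rid] = best.name
            residual = best.residual_ale
        if residual > acceptable_ale:
            unresolved.append(rid)
    return plan, unresolved


# Constructed sample register and control options.
SAMPLE_RISKS = [
    Risk("file server", "ransomware encrypts shared files", 0.5, 200_000.0),
    Risk("web application", "injection flaw discloses customer records", 0.2, 150_000.0),
    Risk("server room", "power outage halts processing", 2.0, 5_000.0),
]
SAMPLE_CONTROLS = [
    Control("off-site backups with tested restore", 0, 0.5, 40_000.0, 15_000.0),
    Control("parameterized queries and code review", 1, 0.02, 150_000.0, 8_000.0),
    Control("second utility power feed", 2, 0.2, 5_000.0, 12_000.0),  # costs more than it saves
    Control("UPS for server room", 2, 0.5, 5_000.0, 2_000.0),
]
ACCEPTABLE_ALE = 5_000.0  # level management is willing to accept (sample value)


def build_plan() -> Tuple[Dict[int, Optional[str]], List[int]]:
    return select_controls(SAMPLE_RISKS, SAMPLE_CONTROLS, ACCEPTABLE_ALE)


if __name__ == "__main__":
    plan, unresolved = build_plan()
    for rid in prioritize(SAMPLE_RISKS):
        r = SAMPLE_RISKS[rid]
        print(f"{r.asset}: {r.threat} (ALE {r.ale:,.0f}) -> {plan[rid] or 'accept / revisit'}")
    print("still above acceptable level:", [SAMPLE_RISKS[i].asset for i in unresolved])
```

Two things the run makes visible that the step list alone does not: a control can be rejected purely on cost-benefit grounds even though it would reduce the risk (the second power feed), and selecting the best control does not guarantee the residual risk is acceptable (the file server stays on the unresolved list), which is exactly why the process loops back rather than ending at "implement".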


3.1 Conclusion:

Information security is the ongoing process of exercising due care and due diligence to protect information, and information systems, from unauthorized access, use, disclosure, destruction, modification, or disruption or distribution. The never-ending process of information security involves ongoing training, assessment, protection, monitoring & detection, incident response & repair, documentation, and review. This makes information security an indispensable part of all business operations across different domains. With the use of advanced technologies, information security systems provide a high level of confidentiality, integrity and safety services.


3.2 Bibliography:

https://www.securityforum.org/
http://en.wikipedia.org/wiki/Information_security
http://en.wikipedia.org/wiki/Cobit
http://www.isaca.org/Knowledge-Center/cobit/Pages/Downloads.aspx
http://en.wikipedia.org/wiki/ISO/IEC_27001


3.3 Glossary:

- COBIT: Control Objectives for Information and Related Technology.
- IEC: International Electrotechnical Commission.
- ISDN: Integrated Services Digital Network.
- ISO: International Organization for Standardization.
- IT: Information Technology.
- RM: Risk Management.
