
Lesson 1 Review of the Introduction to IS

The document provides an introduction to Information Security, outlining key concepts such as the definition of information, the importance of information security, and the relationship between risk, threats, and vulnerabilities. It emphasizes the need for a comprehensive approach to security involving people, processes, and technology to protect information assets. Additionally, it highlights the consequences of security breaches and the essential role of management in achieving security objectives.



Lesson 1 Handouts - Introduction to Information Security

Information Assurance Security (University of Rizal System)


INFORMATION SECURITY
Lesson 1

August 28, 2021

willistowerswatson.com


Agenda
▪ What is Information?
▪ What is Information Security?
▪ What is Risk?
▪ An Introduction to ISO for Information Technology
▪ User Responsibilities


Information

“Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected” (BS ISO 27002:2005)


Information Lifecycle

Information can be:
➢ Created
➢ Stored
➢ Destroyed
➢ Processed
➢ Transmitted
➢ Used – (for proper and improper purposes)
➢ Corrupted
➢ Lost
➢ Stolen


Information Types

➢ Printed or written on paper
➢ Stored electronically
➢ Transmitted by post or using electronic means
➢ Shown on corporate videos
➢ Displayed / published on web
➢ Verbal – spoken in conversations

‘…Whatever form the information takes, or means by which it is shared or stored, it should always be appropriately protected’ (BS ISO 27002:2005)



Information Security

What Is Information Security?

➢ The quality or state of being secure: to be free from danger.
➢ Security is achieved using several strategies simultaneously or in combination with one another.
➢ Security is recognized as essential to protect vital processes and the systems that provide those processes.
➢ Security is not something you buy; it is something you do.

What Is Information Security? (continued)

➢ The architecture where an integrated combination of appliances, systems and solutions, software, alarms, and vulnerability scans work together
➢ Monitored 24x7
➢ Having People, Processes, Technology, Policies, and Procedures
➢ Security is for PPT (People, Processes, Technology) and not only for appliances or devices

6/16/2011 Mohan Kamat

InfoSec Components

• PEOPLE
• PROCESSES
• TECHNOLOGY


People “Who we are”

People who use or interact with the Information include:
• Shareholders / Owners
• Management
• Employees
• Business Partners
• Service Providers
• Contractors
• Customers
• Clients
• Regulators

Process “What we do”

The processes refer to "work practices" or workflow. Processes are the repeatable steps to accomplish business objectives. Typical processes in our IT include:

• Helpdesk / Service Management
• Incident Reporting and Management
• Change Requests
• Request Fulfillment
• Access and Identity Management
• Service Level / Third-party Services Management
• IT Procurement


Technology “What we use to improve what we do”

Network Infrastructure:
• Cabling, Data/Voice Networks and equipment
• Telecommunications services (PABX), including VoIP services, ISDN, Video Conferencing
• Server computers and associated storage devices
• Operating software for server computers
• Communications equipment and related hardware
• Intranet and Internet connections
• VPNs and Virtual environments
• Remote access services
• Wireless connectivity


Technology “What we use to improve what we do” (continued)

Application Software:
• Finance and assets systems, including Accounting packages, Inventory management, HR systems, Assessment and reporting system
• Software as a service (SaaS) - instead of software as a packaged or custom-made product

Physical Security Components:
• CCTV Cameras
• Clock-in Systems / Biometrics
• Environmental Management Systems: Humidity Control, Ventilation, Air Conditioning, Fire Control Systems
• Electricity / Power backup

Access Devices:
• Desktop computers
• Laptops, ultra-mobile laptops and PDAs
• Thin client computing
• Digital cameras, Printers, Scanners, Photocopier etc.

Information Security

1. Protects information from a range of threats
2. Ensures business continuity
3. Minimizes financial loss
4. Optimizes return on investments
5. Increases business opportunities

Business survival depends on information security.


Information Security Attributes

ISO 27002:2005 defines Information Security as the preservation of:

– Confidentiality: Ensuring that information is accessible only to those authorized to have access.
– Integrity: Safeguarding the accuracy and completeness of information and processing methods.
– Availability: Ensuring that authorized users have access to information and associated assets when required.


Security breaches lead to…

• Reputation loss
• Financial loss
• Intellectual Property loss
• Legislative breaches leading to legal actions (Cyber Law)
• Loss of customer confidence
• Business interruption costs

LOSS OF GOODWILL

Risk

What is a Risk?

Risk: A possibility that a threat exploits a vulnerability in an asset and causes damage or loss to the asset.

Threat: Something that can potentially cause damage to the organization, IT systems or network.

Vulnerability: A weakness in the organization, IT systems, or network that can be exploited by a threat.


Relationship between Risk, Threats, and Vulnerabilities

(Diagram) Threats exploit Vulnerabilities, creating Risk to Information assets; Asset values determine Protection Requirements; Controls* reduce Risk.

* Controls: A practice, procedure or mechanism that reduces risk



Threat Identification – Elements of Threats

Agent: The catalyst that performs the threat.
• Human
• Machine
• Nature


Threat Identification – Elements of Threats

Motive: Something that causes the agent to act.
• Accidental
• Intentional
• The only motivating factor that can be both accidental and intentional is human


Threat Identification – Elements of Threats

Results: The outcome of the applied threat. The results normally lead to the loss of CIA:
• Confidentiality
• Integrity
• Availability


Threats

Categories of Threat (with examples):

1. Human errors or failures: Accidents, employee mistakes
2. Compromise to intellectual property: Piracy, copyright infringements
3. Deliberate acts of espionage or trespass: Unauthorized access and/or data collection
4. Deliberate acts of information extortion: Blackmail of information exposure / disclosure
5. Deliberate acts of sabotage / vandalism: Destruction of systems / information
6. Deliberate acts of theft: Illegal confiscation of equipment or information
7. Deliberate software attacks: Viruses, worms, macros, denial of service
8. Deviations in quality of service from service provider: Power and WAN issues
9. Forces of nature: Fire, flood, earthquake, lightning
10. Technical hardware failures or errors: Equipment failures / errors
11. Technical software failures or errors: Bugs, code problems, unknown loopholes
12. Technological obsolescence: Antiquated or outdated technologies


Risks & Threats

(Diagram)
• High user knowledge of IT systems
• Theft, sabotage, misuse
• Virus attacks
• Natural calamities & fire
• Systems & network failure
• Lack of documentation
• Lapse in physical security

SO HOW DO WE OVERCOME THESE PROBLEMS?

Management

What Is Management?

• A process of achieving objectives using a given set of resources
• To manage the information security process, first understand core principles of management
• A manager is “someone who works with and through other people by coordinating their work activities in order to accomplish organizational goals”

Source: Management of Information Security, 2nd ed., Chapter 1, Slide 26

Managerial Roles

• Informational role: Collecting, processing, and using information to achieve the objective
• Interpersonal role: Interacting with superiors, subordinates, outside stakeholders, and others
• Decisional role: Selecting from alternative approaches, and resolving conflicts, dilemmas, or challenges


Characteristics of a Leader

1. Bearing
2. Courage
3. Decisiveness
4. Dependability
5. Endurance
6. Enthusiasm
7. Initiative
8. Integrity
9. Judgment
10. Justice
11. Knowledge
12. Loyalty
13. Tact
14. Unselfishness


Be…Know…Do…

A leader must BE a person of strong and honorable character, must KNOW the details of your situation, the standards to which you work, yourself, human nature, and your team, and must DO by providing purpose, direction, and motivation to your team.


TAKE AWAY:
Read about ISO 27001

Information Security Policy

• Confidentiality
• Integrity
• Availability
