Developing Secure Information System

1) Developing secure information systems requires considering security features from the beginning of the development process rather than adding them later. This leads to establishing an Information Security Management System (ISMS). 2) An ISMS involves implementing policies and procedures to manage an organization's sensitive data and reduce security risks. 3) Developing security policies is important to define guidelines for protecting physical and technology resources, as well as confidentiality, integrity, and availability of information.

Uploaded by

jayamalar

Developing secure information system

• In the early days, systems or applications were developed based only on the customer requirements.
• So security had to be provided separately, as firewalls, routers, server setup, etc.
• Nowadays systems are designed with the security features considered from the start.
• This leads to an ISMS.
Information security management system

• ISMS: a set of policies and procedures for managing the organization's sensitive data.
• Goal of an ISMS: to reduce risk and secure data.

Security Management responsibilities
• Figuring out the goals, policies, standards and plans to reach the goals.
• Figuring out the actual goals to be completed.
• Deciding business goals and security risks.
• Defining the steps to make sure that all of the above are properly done.
Security Policies
• A security policy is a document that consists of guidelines to safeguard the company's physical resources and information technology assets.
• A security policy must specifically accomplish three objectives:
  1) Protection for the confidentiality of your company's information.
  2) Protection for the integrity of your company's information.
  3) It must provide for the availability of your company's information.

Policies should define:
A security policy should have, at minimum, the following sections.
1. Overview: Provides background information on the issue that the policy will address.
2. Purpose: Specifies why the policy is needed.
3. Scope: Lays out exactly who and what the policy covers.
4. Target Audience: Advises for whom the policy is intended.
5. Policies: This is the main section of the document, and provides statements on each aspect of the policy. For example, an Acceptable Use Policy might have individual policy statements relating to Internet use, email use, software installation, network access from home computers, etc.
6. Definitions: For clarity, any technical terms should be defined.
7. Version: To ensure consistent use and application of the policy, include a version number that is changed to reflect any changes/updates to the policy.
• Security policies should be concise and as brief as possible while still fulfilling their purpose.
Why is a Security Policy Necessary?

1. It is generally impossible to accomplish a complex task without a detailed plan for doing so. A security policy is that plan, and provides security principles throughout your company.
2. A security policy indicates senior management's commitment to maintaining a secure network. It helps IT staff in securing the company's information assets.
3. Ultimately, a security policy will reduce your risk of a damaging security incident.
4. A security policy can provide legal protection to your company. By informing your users exactly how they can and cannot use the network, how they should treat confidential information, and the proper use of encryption, you are reducing security breach incidents.
5. Further, a security policy provides a written record of your company's policies.
6. Security policies are often required by third parties that do business with your company. Third parties include auditors, customers, partners, and investors.
7. Companies also create security policies today to fulfill regulations and meet standards that relate to the security of digital information.
Security policy classes and kinds
• Determine the worth of our information.
• Develop the group of security policies.
• Policies apply to users, the organization and the IT department.
• After writing the policies:
  Categorize the information.
  Decide how to secure transmission of information.
  Decide what policies and network structures are needed to secure our information (importance and price).
• Policies can be classified into 3 types:
  1. User policies
  2. IT policies
  3. General policies

User policies:
1. Password policy: This policy helps to keep user accounts secure (e.g. require long passwords).
2. Proprietary info use: How to use proprietary information, who can use the info, and who can transmit the info.
3. Internet usage: Use of net mail, use of programs with passwords, unencrypted messages sent over the network.
4. VPN and remote user systems: Should be checked for viruses and Trojan horses.
5. Acceptable use of hardware like modems, pen drives, etc.
Key elements of IS policy
• It is a set of rules put into force by an organization.
• Prescription.
• This policy will protect the sensitive information.
• To detect the wrong and bad use of data, networks and computer programs.
• Protect the reputation of an organization.
• Information security objectives:
  Confidentiality
  Integrity
  Availability
  Access control policy
  Authorization
• Classification of knowledge: 3 types
  High risk class: Information protected by state and federal laws, e.g. money, payroll, personnel details.
  Confidential category: The information is not protected under law; the information owner chooses to protect it from unauthorized persons.
  Public category: This data is freely distributed.
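As an added example (not part of the slides), the following Python code turns the three information classes above, together with the access control and authorization objectives, into a deny-by-default authorization check with an audit trail. The role names, users and records are constructed for illustration; the rule that a high-risk record's owner cannot waive the statutory control by sharing it is an assumption of this example.

```python
# Added example (not from the slides): authorization decision driven by the
# three information classes (high risk, confidential, public).
# Deny by default, log every decision so misuse can be detected afterwards.
from dataclasses import dataclass
from enum import Enum


class DataClass(Enum):
    HIGH_RISK = "high_risk"        # protected by state and federal law
    CONFIDENTIAL = "confidential"  # owner decides who may see it
    PUBLIC = "public"              # freely distributed


@dataclass(frozen=True)
class Record:
    name: str
    data_class: DataClass
    owner: str
    shared_with: frozenset = frozenset()  # owner-granted read access


@dataclass(frozen=True)
class User:
    name: str
    role: str


# Assumption (constructed): roles whose legal duties permit access to high-risk data.
HIGH_RISK_ROLES = frozenset({"payroll_officer", "hr_manager"})

# Every decision is recorded: (user, record, class, allowed).
audit_log: list[tuple[str, str, str, bool]] = []


def is_authorized(user: User, record: Record) -> bool:
    """Decide whether user may read record. Unknown classes are denied."""
    if record.data_class is DataClass.PUBLIC:
        allowed = True
    elif record.data_class is DataClass.CONFIDENTIAL:
        # Owner-controlled: the owner, or anyone the owner shared it with.
        allowed = user.name == record.owner or user.name in record.shared_with
    elif record.data_class is DataClass.HIGH_RISK:
        # Statutory control (assumption): the owner cannot waive it by
        # sharing, so shared_with is deliberately ignored; only the role counts.
        allowed = user.role in HIGH_RISK_ROLES
    else:
        allowed = False
    audit_log.append((user.name, record.name, record.data_class.value, allowed))
    return allowed


def denied_accesses() -> list[tuple[str, str]]:
    """(user, record) pairs that were refused, for review by security staff."""
    return [(u, r) for (u, r, _cls, ok) in audit_log if not ok]


# Constructed sample data.
PAYROLL = Record("payroll_2024", DataClass.HIGH_RISK, owner="amy",
                 shared_with=frozenset({"dave"}))  # sharing must not help
ROADMAP = Record("product_roadmap", DataClass.CONFIDENTIAL, owner="bob",
                 shared_with=frozenset({"carol"}))
BROCHURE = Record("brochure", DataClass.PUBLIC, owner="marketing")

AMY = User("amy", "payroll_officer")
BOB = User("bob", "developer")
CAROL = User("carol", "developer")
DAVE = User("dave", "intern")


def run_demo() -> dict[str, bool]:
    """Exercise each class once and return the decisions by label."""
    audit_log.clear()
    return {
        "amy->payroll": is_authorized(AMY, PAYROLL),      # role permitted by law
        "bob->payroll": is_authorized(BOB, PAYROLL),      # developer: denied
        "dave->payroll": is_authorized(DAVE, PAYROLL),    # shared, still denied
        "bob->roadmap": is_authorized(BOB, ROADMAP),      # owner
        "carol->roadmap": is_authorized(CAROL, ROADMAP),  # shared by owner
        "dave->roadmap": is_authorized(DAVE, ROADMAP),    # not shared: denied
        "dave->brochure": is_authorized(DAVE, BROCHURE),  # public
    }


if __name__ == "__main__":
    for label, ok in run_demo().items():
        print(f"{label}: {'allow' if ok else 'deny'}")
    print("denied:", denied_accesses())
```

The point of the split is that the two non-public classes answer to different authorities: the confidential class is governed by the information owner, so sharing grants access, while the high-risk class is governed by law, so only a role with a legal duty qualifies and an owner's share list is ignored. The denied list gives the detection side of the policy something concrete to review.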
Information system Development Lifecycle

• https://www.brainkart.com/article/The-Security-Systems-Development-Life-Cycle-(Sec-SDLC-)_7921/
Information security governance and Risk management
• Objectives:
  Determine a framework for implementing and auditing security controls.
  Determine a framework for risk assessment: distinguish between qualitative and quantitative risk assessment, and the action taken in response to a risk.

Security governance
• It is a framework to reduce risk by protecting the system and data.
• Enterprise security governance includes these activities:
  Institutionalization
  Enterprise risk management
  Security policies
  Safeguard the organization's digital assets
  Guard against information loss and interference
  Shield the organization's name

Information Technology governance

• Focus on data technology, its performance and risk management.
  – First goal: ensure the investment in IT is worthwhile for the business, and mitigate the risk related to IT.

Financial governance
• Financial governance refers to the way a company collects, manages, monitors and controls financial information.
• Financial governance includes how companies track financial transactions, manage performance and control data, compliance, operations, and disclosures.
• Financial governance includes:
  • Internal controls
  • Financial policies
  • Internal and external audits
  • Workflow
  • Financial controls
  • Data tracking and validation
  • Data security

Good financial governance ensures financial data is correct.
