AUDCIS Information Security

1. The document discusses key topics in information security including threats, standards, policies, roles and responsibilities, and controls. Protecting confidentiality, integrity, and availability of critical information assets is important for organizations. 2. Common information security threats come from criminal groups, nation states, hackers and insiders exploiting vulnerabilities through techniques like phishing, spoofing, and malware. Standards help organizations implement controls to mitigate these threats. 3. An information security policy outlines what critical information an organization has, who creates and uses it, and the impact of loss. Example categories are general network, server, and application security policies. 4. Information security roles include owners, custodians, users, and third parties

Uploaded by Bea Garcia

Information Security
Learning Objectives

01 Describe the importance of information security to organizations and how information represents a critical asset in today’s business organizations.
02 Discuss recent technologies that revolutionize organizations’ IT environments and the significance of implementing adequate security to protect the information.
03 Describe information security threats and risks, and how they represent a constant challenge to information systems.
04 Discuss relevant information security standards and guidelines available for organizations and auditors.
05 Explain what an information security policy is and illustrate examples of its content.
06 Discuss roles and responsibilities of various information system groups within information security.
07 Explain what information security controls are, and their importance in safeguarding the information.
08 Describe the significance of selecting, implementing, and testing information security controls.
09 Describe audit involvement in an information security control examination and provide reference information on tools and best practices to assist such audits.
Information Security

• Information represents a critical asset in many organizations today. Without reliable and properly secured information, organizations would most likely go out of business.
• The preservation and enhancement of an organization’s reputation is directly linked to the way in which information is managed.
Information Security – Three Fundamental Objectives

• Confidentiality – protection of information from unauthorized access.
• Integrity – the correctness and completeness of information.
• Availability – maintaining information systems in support of business processes.
Information Security Threats and Risks
Techniques Used to Commit Cybercrimes

• Spamming
• Phishing
• Spoofing
• Pharming
• Denial-of-service attack
• Distributed denial-of-service
• Viruses
• Trojan horse
• Worm
• Malware
• Spyware


Information Security Threats and Risks
Sources of Cyber Threats

• Criminal groups
• Foreign nation states
• Hackers
• Hacktivists
• Disgruntled insiders
• Terrorists
Information Security Standards

• COBIT
• ISO/IEC 27002
• NIST
• Others: ITIL, PCI-DSS, CSA
Information Security Policy

• What information is critical to the business?
• Who creates that critical information?
• Who uses that information?
• What would happen if critical information is stolen, corrupted, or lost?
• How long can the company operate without access to critical information?
Information Security Policy Categories

• General—Includes information security policy templates covering the areas of: Acceptable
Encryption Policy, Acceptable Use Policy, Clean Desk Policy, Data Breach Response
Policy, Disaster Recovery Plan Policy, Digital Signature Acceptance Policy, Email Policy,
Ethics Policy, Pandemic Response Planning Policy, Password Construction Guidelines,
Password Protection Policy, Security Response Plan Policy, and End User Encryption Key
Protection Policy.
• Network Security—Includes information security policy templates covering the areas of:
Acquisition Assessment Policy, Bluetooth Baseline Requirements Policy, Remote Access
Policy, Remote Access Tools Policy, Router and Switch Security Policy, Wireless
Communication Policy, and Wireless Communication Standard.
Information Security Policy Categories

• Server Security—Includes information security policy templates covering the
areas of: Database Credentials Policy, Technology Equipment Disposal Policy,
Information Logging Standard, Lab Security Policy, Server Security Policy,
Software Installation Policy, and Workstation Security (for HIPAA) Policy.
• Application Security—Includes information security policy templates covering
the area of Web Application Security Policy.
Information Security
Roles and Responsibilities

• Information Owner Responsibilities
• Information Custodian Responsibilities
• User Responsibilities
• Third-Party Responsibilities
Information Security Controls

• Vulnerability Management
• Threat Management
• Trust Management
• Identity Management
• Incident Management
Vulnerability Management

• Vulnerabilities
• Weaknesses or exposures in IT assets or processes that may lead to a business risk or a
security risk
• Vulnerability Management Process
• Identification
• Evaluation
• Remediation
Threat Management

• Virus protection and spam control
• Intrusion detection
• Monitors a network for malicious activity or policy violations
• Security information and event management (SIEM)
• An approach to security management that combines SIM (security information management) and SEM (security event management)
• SIEM systems provide real-time analysis of security alerts generated by applications and network hardware.
Trust Management

• Who are you?
• Can you prove who you are?
• What can you do?
• What did you do?
• Is it tamperproof?
• Who can see it?
• Can I prove that you said what you said?
Identity Management

• Reduced manual processes and potential for human error
• Improved management reporting of user access rights
• Ability to enforce segregation of duties according to business rules
• Automatically revoked access rights of inactive employees
• Audit trail of requests and approvals
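The identity management capabilities listed above (segregation of duties by business rule, automatic revocation of inactive accounts, access reporting and an audit trail), shown as an added toy implementation; this is example code written for this page, not part of the original slides, and the payment roles and the 90-day inactivity limit are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed segregation-of-duties rule: one person may not both create and approve payments.
SOD_CONFLICTS = {("payment_create", "payment_approve")}

@dataclass
class Account:
    user: str
    roles: set = field(default_factory=set)
    last_login: date = date(2024, 1, 1)
    active: bool = True

class IdentityManager:
    """Toy IAM service: grants are checked against SoD rules, stale accounts are
    revoked automatically, and every decision is appended to an audit trail."""

    def __init__(self, inactivity_days=90):   # assumed 90-day inactivity limit
        self.accounts = {}
        self.audit = []                        # audit trail of requests and approvals
        self.inactivity = timedelta(days=inactivity_days)

    def _log(self, actor, action, user, outcome):
        self.audit.append({"actor": actor, "action": action, "user": user, "outcome": outcome})

    def request_role(self, approver, user, role):
        acct = self.accounts.setdefault(user, Account(user))
        # Business rule: deny a grant that would leave one person holding a conflicting pair.
        for a, b in SOD_CONFLICTS:
            if {a, b} <= acct.roles | {role}:
                self._log(approver, f"grant:{role}", user, "denied:sod")
                return False
        acct.roles.add(role)
        self._log(approver, f"grant:{role}", user, "approved")
        return True

    def revoke_inactive(self, today):
        """Strip all rights from accounts not used within the inactivity window."""
        revoked = []
        for acct in self.accounts.values():
            if acct.active and today - acct.last_login > self.inactivity:
                acct.active, acct.roles = False, set()
                revoked.append(acct.user)
                self._log("system", "revoke_all", acct.user, "inactive")
        return revoked

    def access_report(self):
        # Management reporting: who currently holds which access rights.
        return {u: sorted(a.roles) for u, a in self.accounts.items() if a.active}
```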
Incident Management

• Identified and recorded
• Reported to a focal point
• Prioritized for action
• Analyzed and acted upon
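The SIEM idea from the Threat Management slide (real-time correlation of alerts from an application and from network hardware) together with the first three Incident Management steps (identified and recorded, reported to a focal point, prioritized), as an added example that is not part of the original slides; the log lines, the regular expressions, the failure threshold and the "soc-focal-point" name are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample events: an application authentication log and a firewall (network hardware) log.
APP_LOG = [
    "2024-03-01T10:00:01 app auth FAIL user=alice src=203.0.113.7",
    "2024-03-01T10:00:02 app auth FAIL user=alice src=203.0.113.7",
    "2024-03-01T10:00:03 app auth FAIL user=alice src=203.0.113.7",
    "2024-03-01T10:00:09 app auth OK user=alice src=203.0.113.7",
    "2024-03-01T10:01:00 app auth FAIL user=bob src=198.51.100.2",
]
FW_LOG = [
    "2024-03-01T09:59:50 fw DENY src=203.0.113.7 dst=10.0.0.5:22",
    "2024-03-01T09:59:51 fw DENY src=203.0.113.7 dst=10.0.0.5:3389",
]
APP_RE = re.compile(r"app auth (FAIL|OK) user=(\S+) src=(\S+)")
FW_RE = re.compile(r"fw DENY src=(\S+) dst=\S+")

def correlate(app_lines, fw_lines, fail_threshold=3):
    """SIM + SEM in miniature: collect events (identify and record), then apply a
    correlation rule across both sources and rank the result (prioritize) so it can
    be handed to the incident focal point."""
    fails = defaultdict(list)      # source IP -> users with failed logins
    success_after = set()          # sources that logged in successfully after failures
    for line in app_lines:
        m = APP_RE.search(line)
        if not m:
            continue
        status, user, src = m.groups()
        if status == "FAIL":
            fails[src].append(user)
        elif src in fails:
            success_after.add(src)
    fw_denied = {m.group(1) for m in map(FW_RE.search, fw_lines) if m}
    incidents = []
    for src, users in fails.items():
        if len(users) < fail_threshold:
            continue
        # Escalate when the network device also blocked this source, and more when
        # the failures ended in a successful login.
        score = 1 + (src in fw_denied) + 2 * (src in success_after)
        incidents.append({"src": src, "users": sorted(set(users)), "failures": len(users),
                          "priority": "high" if score >= 3 else "medium",
                          "report_to": "soc-focal-point"})   # assumed focal point name
    return sorted(incidents, key=lambda i: i["priority"])
```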
Selection and Testing of
Information Security Controls

• Some of the reasons for the lack of testing involve:
• Leadership not providing clear expectations for assessing controls and/or testing schedules
• Inadequate oversight of the risk management program
• Lack of skilled test managers and testers/security assessors
• Leadership pressure to condense the testing cycle due to the schedule having a higher priority than the
security of a system
• Test Plan
• A list of applicable security controls
• A test plan encompassing all of the applicable security controls
• A test report (pass/fail)
• Mitigations for any failed controls
Involvement in an Information Security Audit

• Common audit objectives of an information security audit include ensuring that:
• Security configuration of applications, databases, networks, and operating systems is
adequately managed to protect against unauthorized changes to programs and data that
may result in incomplete, inaccurate, or invalid processing or recording of financial
information.
• Effective security is implemented to protect against unauthorized access and modifications
of systems and information, which may result in the processing or recording of
incomplete, inaccurate, or invalid financial information.
Questions?
End