Information Security Chapter 1

Uploaded by Abdirizak Abokar

Chapter #1

Information Security
Introduction to Information Security
Outlines

1. Grading System

2. Text Book

3. Course Outlines
Grading System

Grading Item       Marks
Homework + Quiz    35
Presentations      15
Midterm            20
Final exam         30
Total              100
Text Book

• Principles of Information Security
  Authors: Michael E. Whitman and Herbert J. Mattord
Course Outlines

• History of Information Security
• Defining Information Security
• Goals of Info. Security
• Key Information Security Concepts
• Components of an Information System
• Balancing Information Security and Access
• Approaches to Information Security Implementation


History of Information Security

• The history of information security begins with “Computer Security”.

• The need for computer security started with the need to secure physical locations, hardware and software from threats during World War II, when the first mainframes were developed to aid code breaking.

• Multiple levels of security were implemented to protect these mainframes and maintain the integrity of their data.
History of Information Security

• The growing need to maintain national security led to more complex and more technologically sophisticated computer security safeguards.

• During these early years, information security was handled as physical security.

• The primary threats to security were theft of equipment and systems.



Cont. History

• In 1967, the scope of computer security expanded from the safety of physical locations and hardware to include the following:

1. Securing the data.

2. Limiting random and unauthorized access to that data.

3. Involving personnel from multiple levels of the organization in matters pertaining to information security.
Defining Information Security

• Information Security: Protection of the confidentiality, integrity, and availability of information assets, whether in storage, processing, or transmission, via the application of policy, education, training and awareness, and technology.
Defining Information Security

Components of information security: [figure]

Primary goals of Information Security

• There are three primary goals of InfoSec: Confidentiality, Integrity, and Availability.
Primary goals of Information Security

• To be secured, information needs to be hidden from unauthorized access (Confidentiality), protected from unauthorized change (Integrity), and available to an authorized entity when it is needed (Availability).



Key Information Security Concepts

• Subjects and objects: A computer can be either the subject of an attack (an agent entity used to conduct the attack) or the object of an attack (the target entity).
Key Information Security Concepts

• Access: a subject or object’s ability to use, manipulate, modify, or affect another subject or object. Authorized users have legal access to a system.

• Asset: the organizational resource that is being protected.

• Attack: an intentional or unintentional act that can damage or otherwise compromise information and the systems that support it.
Key Information Security Concepts

• Control, safeguard, or countermeasure: Security mechanisms, policies, or procedures that can successfully counter attacks, reduce risk, resolve vulnerabilities, and otherwise improve security within an organization.

• Exploit: a technique used to compromise a system.

• Vulnerability: a weakness or fault in a system or protection mechanism that opens it to attack or damage.
Key Information Security Concepts

• Threat: a category of objects, people, or other entities that represents a danger to an asset.

• A threat can be anything that can take advantage of a vulnerability to breach security.
Components of an Information System

[figure: software, hardware, data, people, procedures, networks]

• Information system (IS): The entire set of software, hardware, data, people, procedures, and networks that enable the use of information resources in the organization.
Part 1
Balancing Information Security and Access

• Even with the best planning and implementation, it is impossible to obtain perfect information security.

• Information security cannot be absolute: it is a process, not a goal.

• A completely secure information system would not allow anyone access.
Balancing Information Security and Access

• To achieve balance, that is, to operate an information system that satisfies the user and the security professional, the security level must allow reasonable access, yet protect against threats.
Approaches to Information Security Implementation

• Bottom-up approach: A method of establishing security policies that begins as a grassroots effort in which systems administrators attempt to improve the security of their systems.

• Top-down approach: A methodology of establishing security policies that is initiated by upper management.
To be continued

Information Security Implementation

• Information security must be managed like any other major system in an organization.

• One approach for implementing an information security system in an organization is to use a security systems development life cycle (SecSDLC).

• To understand a security systems development life cycle, you must first understand the principles of the method on which it is based.
The Systems Development Life Cycle

Terms:

Methodology: A formal approach to solving a problem based on a structured sequence of procedures.

Waterfall model: A type of SDLC in which each phase of the process “flows from” the information gained in the previous phase, with multiple opportunities to return to previous phases and make adjustments.
The Systems Development Life Cycle

• SDLC is a methodology for the design and implementation of an information system to increase the probability of success.

• SDLC consists of six general phases.

Phases of SDLC

Investigation: the first phase

• What problem is the system being developed to solve? The investigation phase begins by examining the event.

Analysis: second step

• This phase consists primarily of assessments of the organization, its current systems, and its capability to support the proposed systems.
Phases of SDLC

Logical design: the blueprint for the desired solution. In this stage, analysts generate estimates of costs and benefits to allow for a general comparison of available options. At the end of this phase, another feasibility analysis is performed.
Phases of SDLC

Physical design: specific technologies are selected, a make-or-buy decision.

Implementation: any needed software is created. A feasibility analysis is again prepared, and the sponsors are then presented with the system for a performance review and acceptance test.

Maintenance and change: the maintenance and change phase is the longest and most expensive of the process. The system is tested for compliance, and the feasibility of continuance versus discontinuance is evaluated. Upgrades, updates, and patches are managed.



The Security Systems Development Life Cycle

• The same phases used in the traditional SDLC can be adapted to support the implementation of an information security project.

• Implementing information security involves identifying specific threats and creating specific controls to counter them.

• Table 1-2 summarizes the steps performed both in the systems development life cycle and the security systems development life cycle.

• Because the security systems development life cycle is based on the systems development life cycle, the steps in the cycles are similar.
To be continued

Security Professionals Responsibilities
Senior Management Responsibilities

Chief Information Officer (CIO): An executive-level position that oversees the organization’s computing technology and strives to create efficiency in the processing and access of the organization’s information.

Chief Information Security Officer (CISO): Typically considered the top information security officer in an organization. The CISO is usually not an executive-level position, and frequently the person in this role reports to the CIO.
Chief Information Officer (CIO)

• The CIO is primarily responsible for advising the Chief Executive Officer, president, or company owner on strategic planning that affects the management of information in the organization.

• The CIO translates the strategic plans of the organization as a whole into strategic information plans for the information systems or data processing division of the organization.
Chief Information Security Officer (CISO)

• The Chief Information Security Officer (CISO) has primary responsibility for the assessment, management, and implementation of information security in the organization.

• The CISO may also be referred to as the manager for IT security, the security administrator, or by a similar title.
Senior Management
Information Security Project Team

Project Team: A small functional team of people who are experienced in one or multiple facets of the required technical and nontechnical areas for the project to which they are assigned.

Members of the security project team fill the following roles:

Members of the security project team

• Champion: A senior executive who promotes the project and ensures its support, both financially and administratively, at the highest levels of the organization.

• Team leader: A project manager who may also be a departmental line manager or staff unit manager, and who understands project management, personnel management, and information security technical requirements.
Members of the security project team

• Security policy developers: People who understand the organizational culture, existing policies, and requirements for developing and implementing successful policies.

• Risk assessment specialists: People who understand financial risk assessment techniques, the value of organizational assets, and the security methods to be used.
Members of the security project team

• Security professionals: Dedicated, trained, and well-educated specialists in all aspects of information security from both a technical and nontechnical standpoint.

• Systems administrators: People with the primary responsibility for administering systems that house the information used by the organization.

• End users: Those whom the new system will most directly affect.
Data Responsibilities

• Data owners: People who own the information and thus determine the level of classification for their data and approve its access authorization.

• Data custodians: People who are responsible for the storage, maintenance, and protection of information, such as the CISO.

• Data users: People who work with the information to perform their daily jobs and support the mission of the organization.
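The subject, object and access concepts from the Key Information Security Concepts slides and the owner, custodian and user roles above can be seen working together in a small reference monitor. The following is an added example written for this chapter page; it is not code from the slides or from the Whitman and Mattord textbook. The classification levels, the names (cfo, dba, alice, bob, payroll.db) and the rule that only the custodian may modify an object are constructed assumptions for the illustration.

```python
from dataclasses import dataclass, field

# Ordered classification levels, least to most sensitive (constructed for this example).
LEVELS = ["public", "internal", "confidential", "secret"]


@dataclass
class DataObject:
    """An object of access: the asset being protected."""
    name: str
    owner: str            # data owner: sets the classification and approves access
    classification: str
    custodian: str        # data custodian: stores, maintains and protects the object
    authorized: set = field(default_factory=set)  # subjects the owner has approved


@dataclass
class Subject:
    """A subject of access: a user (or a process acting for one) with a clearance."""
    name: str
    clearance: str


class ReferenceMonitor:
    """Mediates every access by a subject to an object. The default decision is deny."""

    def __init__(self):
        self.objects = {}
        self.audit_log = []   # (decision, subject, object, reason) tuples

    def _log(self, decision, subject, obj_name, reason):
        self.audit_log.append((decision, subject, obj_name, reason))

    def register(self, obj):
        if obj.classification not in LEVELS:
            raise ValueError(f"unknown classification {obj.classification!r}")
        self.objects[obj.name] = obj

    def grant(self, approver, obj_name, subject_name):
        """Access authorization is the data owner's decision; nobody else can grant it."""
        obj = self.objects[obj_name]
        if approver != obj.owner:
            self._log("DENY-GRANT", approver, obj_name, "approver is not the data owner")
            return False
        obj.authorized.add(subject_name)
        self._log("GRANT", approver, obj_name, f"authorized {subject_name}")
        return True

    def check_access(self, subject, obj_name, action):
        """Return True only if every rule passes; the first failing rule is logged."""
        obj = self.objects.get(obj_name)
        if obj is None:
            self._log("DENY", subject.name, obj_name, "no such object")
            return False
        # Rule 1: clearance must be at least the object's classification (no read up).
        if LEVELS.index(subject.clearance) < LEVELS.index(obj.classification):
            self._log("DENY", subject.name, obj_name, f"{action}: clearance below classification")
            return False
        # Rule 2: the data owner must have approved this subject (need to know).
        if subject.name not in obj.authorized:
            self._log("DENY", subject.name, obj_name, f"{action}: not authorized by owner")
            return False
        # Rule 3 (constructed policy): only the custodian may change the object.
        if action == "write" and subject.name != obj.custodian:
            self._log("DENY", subject.name, obj_name, "write: only the custodian may modify")
            return False
        self._log("ALLOW", subject.name, obj_name, action)
        return True


def demo():
    """Walk the roles through constructed data; returns the decisions and the audit log."""
    rm = ReferenceMonitor()
    rm.register(DataObject("payroll.db", owner="cfo", classification="confidential", custodian="dba"))
    alice = Subject("alice", "confidential")
    bob = Subject("bob", "internal")
    dba = Subject("dba", "confidential")
    results = {}
    results["alice_before_grant"] = rm.check_access(alice, "payroll.db", "read")  # not yet authorized
    results["bob_grants"] = rm.grant("bob", "payroll.db", "alice")                # bob is not the owner
    results["cfo_grants"] = rm.grant("cfo", "payroll.db", "alice")                # owner approves
    results["alice_after_grant"] = rm.check_access(alice, "payroll.db", "read")
    rm.grant("cfo", "payroll.db", "bob")
    results["bob_read"] = rm.check_access(bob, "payroll.db", "read")              # clearance too low
    results["alice_write"] = rm.check_access(alice, "payroll.db", "write")        # not the custodian
    rm.grant("cfo", "payroll.db", "dba")
    results["dba_write"] = rm.check_access(dba, "payroll.db", "write")
    return results, rm.audit_log


if __name__ == "__main__":
    decisions, log = demo()
    for entry in log:
        print(entry)
```

Every decision, allowed or denied, goes to the audit log, which is what lets a security team later reconstruct who accessed which asset and why a request was refused; the owner's grant step is kept separate from the monitor's check so that the authorization decision and its enforcement are made by different roles, as the slide's split between owners and custodians implies.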
Chapter Recap
Introduction to Information Security:
• History of Information security
• Goal of Information Security
• Components of Information system.
• Balancing Information security
• Approaches to information security and Security in SDLC.
• Senior management Roles and Responsibilities
• Security Professionals Responsibilities
• Information Security Project Team
• Data Responsibilities.
END CHAPTER ONE
