The presentation I use to introduce the post-grad module on information security and governance I teach at Edinburgh Napier University. If you want to find out more, google for 'INF11109' on the napier.ac.uk site.
2. Overview
• Scope and context
• What do we mean by security
• Topics we will cover
• The aim is to let you see the scope
• And to get you familiar with the concepts and issues
9. IS in context: Application Environment
• Growing business dependence on IS/IT
• Development of general purpose rather than dedicated applications
– Build using common toolsets.
– Less variety in structure & design
• Large scale integration of data sets
• Computer to computer transactions
• Autonomous trading systems
10. IS in context: Computing Environment
• Growth in the power and availability of technology
• Rapid spread of data communications networks
• Development of powerful databases and search engines
• High degree of component commonality
11. IS in context: Socio-economic-legal
• Increasing computer fraud
• Concerns about privacy
• Greater public knowledge of computing
• Rising globalisation of trade
• Introduction of specific laws to control the use of IT
• Public policy v personal preference?
12. The scope of this course: (Business) Computer and Information Systems
• That is: we’re taking the viewpoint of an organisation and its management
– Could be government, public sector or NGO
• Issues around consumers or individual citizen rights are not central to what we cover
• …nor is the role of ‘national security’ in setting the computer environment
…though these are interesting and important in their own right
15. What is security?
“If we make security trade-offs based on the feeling of security rather than the reality, we choose security that makes us feel more secure over security that actually makes us more secure. And that’s what governments, companies, family members, and everyone else provide. Of course, there are two ways to make people feel more secure.
1. The first is to make people actually more secure, and hope they notice.
2. The second is to make people feel more secure without making them actually more secure, and hope they don’t notice.
The key here is whether we notice. The feeling and reality of security tend to converge when we take notice, and diverge when we don’t. People notice when 1) there are enough positive and negative examples to draw a conclusion, and 2) there isn’t too much emotion clouding the issue.”
Source: The feeling and the reality of security, Schneier 2008
17. The security balance
• Technology is not enough
• Controls often conflict with usability and business objectives
Security
• Complex passwords are secure
• Encryption protects assets
Access
• Complex passwords prevent access
• Encryption slows things down
[Diagram label: Risk]
18. The security balance 2
[Chart: effectiveness plotted against level of technical security, with regions labelled ‘Too risky’, ‘Optimum balance’ and ‘Too complex to work’]
19. What is security? Information security as…
Science
• Security as an engineering discipline
• Subject to systems thinking
Art
• When things get complicated, it gets too much to plan
• The security manager is left to judge the best way(s) forward
Social science
• People interact with systems: users need to do things
• Behavioural aspects of organisations and change management
20. What is security? Example of making a business secure
Schneier’s three steps to improved security:
1. Enforce liabilities
2. Allow liabilities to be transferred
3. Outsource security
“Network security is a business problem, and the only way to fix it is to concentrate on the business issues… I have a three-step program towards improving computer and network security. None of the steps has anything to do with the technology; they all have to do with businesses, economics, and people.”
Source: Liability & Security, in Schneier (2008)
21. Security in business: Concept map
[Concept map (Raval & Fichadia 2007, Ch 1) linking Business model, Management, Structure, Process and Information to Control & Security; edge labels: ‘Is comprised of’, ‘Warrant actions for’, ‘by’]
23. Information Security Attributes
• Confidentiality: protecting privacy
• Integrity: protection from accidental or deliberate (malicious) modification
• Availability: …for legitimate users; prevention of DoS attacks etc
• Authentication: who are you – supports non-deniability
• Authorization: what can you do?
• Auditing: effective auditing and logging is the key to non-repudiation
24. Business requirements in COBIT (COBIT 4.1)
• Effectiveness: relevant and pertinent; timely, correct, consistent
• Efficiency: productive and economical
• Confidentiality: no unauthorised disclosure
• Integrity: protection from accidental or malicious modification; accurate, complete, valid
• Availability: …for legitimate users; prevention of DoS attacks etc
• Reliability: appropriate information to support management decisions
25. Secure Computing
• A computing regime under which information may be stored and processed:
– To defined standards of confidentiality, integrity and availability.
– To an assessable level of assurance
Security is not a commodity
Security is a state of being!
28. Governance frameworks
• From the state: Legal
– Privacy Laws
– Property legislation – computers, IPR etc
• Sources of law
– National
– European
– USA
• Standards
– Security Criteria
– Published Standards
29. Ethics
• Computing poses a new environment for
ethical consideration
• Who decides the ethical aspects?
– Computer Professionals
– Leaders of Commerce & Industry
– Computer Users
– Citizens
• What happens when different values collide?
30. Governance: Privacy
• Holding of data relating to people
• Aggregation of personal data
– Data matching
– Marketing of data
– Universal Identifiers
• Enforcement of fair practice
• Need for a legal context
– Local
– Global
• Interacts with individuals’ expression of their identity online
31. Governance: Fraud & Abuse
• Corrupting information
• Damage and disruption
• Threats to the person
• Theft of property and services
• Financial crime
32. Managing threats and vulnerabilities
• Threat: potential event that can adversely affect an asset
• Attack: a successful attack exploits vulnerabilities in your system
• Risk: likelihood and impact of that threat occurring
35. System design principles
• Authorisation
– Rule driven controls
• Least Privilege
– Need to Know principle
• Separation of duty
– No individuals in complete control
• Redundancy
– To allow graceful degradation
37. Controls
• Control activities are actions, supported by policies and procedures, that, when carried out properly and in a timely manner, manage or reduce risks.
38. Controls
Prevent Controls
• Preventive controls attempt to deter or prevent undesirable events from occurring.
• They are proactive controls that help to prevent a loss.
• Examples of preventive controls are separation of duties, proper authorization, adequate documentation, and physical control over assets.
Detect Controls
• Detective controls, on the other hand, attempt to detect undesirable acts.
• They provide evidence that a loss has occurred but do not prevent a loss from occurring.
• Examples of detective controls are reviews, analyses, variance analyses, reconciliations, physical inventories, and audits.
39. Controls
• Both types of controls are essential to an effective internal control system.
• From a quality standpoint, preventive controls are essential because they are proactive and emphasize quality.
• However, detective controls play a critical role providing evidence that the preventive controls are functioning and preventing losses.
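The design principles on slide 35 (rule-driven authorisation, least privilege, separation of duty) and the preventive and detective controls on slides 37 to 39 can be shown together in one small payment-approval workflow. This is an added example written for this page, not code from the course, COBIT or Schneier; the roles, user names and payments are constructed.

```python
# Added example (not from the course slides): rule-driven authorisation with least
# privilege and separation of duty as preventive controls, plus an audit-log
# reconciliation as a detective control. All names and data are constructed.
from __future__ import annotations
from dataclasses import dataclass, field
# Least privilege / need to know: a role holds only the actions it needs.
# Managers may also raise payments, which is where separation of duty matters.
ROLE_PERMISSIONS = {"clerk": {"create_payment"},
                    "manager": {"create_payment", "approve_payment"}}
@dataclass
class Payment:
    pid: int
    amount: int
    created_by: str
    approved_by: str | None = None
@dataclass
class PaymentSystem:
    users: dict[str, str]                       # user name -> role
    payments: dict[int, Payment] = field(default_factory=dict)
    log: list[tuple[str, str, int]] = field(default_factory=list)  # (user, action, pid)

    def _authorise(self, user: str, action: str) -> None:
        # Preventive control: rule-driven authorisation, default deny.
        role = self.users.get(user, "")
        if action not in ROLE_PERMISSIONS.get(role, set()):
            raise PermissionError(f"{user} ({role or 'no role'}) may not {action}")

    def create_payment(self, user: str, pid: int, amount: int) -> Payment:
        self._authorise(user, "create_payment")
        self.payments[pid] = Payment(pid, amount, created_by=user)
        self.log.append((user, "create_payment", pid))
        return self.payments[pid]

    def approve_payment(self, user: str, pid: int) -> Payment:
        self._authorise(user, "approve_payment")
        payment = self.payments[pid]
        # Separation of duty: no individual in complete control of one payment.
        if payment.created_by == user:
            raise PermissionError(f"{user} raised payment {pid} and may not approve it")
        payment.approved_by = user
        self.log.append((user, "approve_payment", pid))
        return payment

def reconcile(system: PaymentSystem) -> list[int]:
    """Detective control: rebuild creator and approver of each payment from the
    log and flag any payment where one person did both."""
    creators, approvers = {}, {}
    for user, action, pid in system.log:
        (creators if action == "create_payment" else approvers)[pid] = user
    return sorted(pid for pid in approvers if creators.get(pid) == approvers[pid])
```

The reconciliation only gives evidence after the fact; it is the audit trail that lets you show the preventive check actually held, which is the point slide 39 makes.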