INTRODUCTION TO
INFORMATION SECURITY
By Avinash Balakrishnan
ENBLISS IT SERVICES PVT LTD
OBJECTIVES
 Define Basic security concepts
 Begin to Assess Security Risks
 Outline a security policy
 Locate Information Security Resources
BASIC SECURITY CONCEPTS
 Information Security – Perception
 Information Security – Reality
 CIA (Confidentiality, Data Integrity and Availability)
 PPP (Physical Security, Privacy and Marketplace Security)
 What is Information?
 What is Information Security?
 What is Risk?
 An Introduction to ISO for information Technology.
Information is an asset which, like other important business assets, has
value to an organization and consequently needs to be suitably
protected.
BS ISO 27002:2005
INFORMATION CAN BE:
 Created
 Stored
 Destroyed
 Processed
 Transmitted
 Used – ( for proper and improper processes)
 Corrupted
 Lost
 Stolen
 Printed or Written on paper
 Stored electronically
 Transmitted by post or using electronic means
 Shown on film or video
 Displayed / Published on web
 Verbal – spoken in conversations
'… Whatever form information takes, or means by which it is shared or stored, it should always be appropriately
protected' (BS ISO 27002:2005)
WHAT IS INFORMATION
SECURITY
 The quality or state of being secure; to be free from danger
 Security is achieved using several strategies, applied simultaneously or
in combination with one another
 Security is recognized as essential to protect vital processes and the
systems that provide those processes
 Security is not something you buy, it is something you do
WHAT IS INFORMATION
SECURITY
 An architecture in which an integrated combination of appliances,
systems and solutions, software, alarms and vulnerability scans work
together
 Monitored 24x7
 Having people, process, technology, policies and procedures
 Security is about people, process and technology (PPT), not about
appliances or devices
PEOPLE, PROCESS AND TECHNOLOGY:
PEOPLE “ WHO WE ARE”
 People who use or interact with the Information include:
• Shareholders/owners
• Management
• Employees
• Business Partners
• Service providers
• Contractors
• Customers / Clients
• Regulators etc…
PROCESS : “WHAT WE DO”
 The processes, "work practices" or workflow. Processes are the
repeatable steps to accomplish business objectives. Typical processes in
an IT infrastructure include:
• Helpdesk / Service Management
• Incident Reporting and Management
• Change Requests Process
• Request fulfillment
• Access Management
• Identity Management
• Service Level / Third party Services Management
• IT Procurement process etc..
TECHNOLOGY: “ WHAT WE USE TO
IMPROVE WHAT WE DO”
 Network Infrastructure:
• Cabling, Data/ Voice Networks and equipment
• Telecommunication Services (PABX), including VOIP Services, ISDN, Video
Conferencing
• Server computers and associated storage devices
• Operating software for server computers
• Communications equipment and related hardware
• Intranet and Internet connections
• VPNs and virtual environments
• Remote access services
• Wireless Connectivity
TECHNOLOGY: “ WHAT WE USE TO
IMPROVE WHAT WE DO”
 Application Software:
• Finance and assets systems, including accounting packages, Inventory
management, HR systems, Assessments, and reporting systems
• Software as a service (SaaS), as opposed to software delivered as a
packaged or custom-built product, etc.
 Physical Security components:
• CCTV cameras
• Clock in systems/ Biometrics
• Environmental management systems: humidity control, ventilation, air
conditioning, fire control systems
• Electricity / Power backup
 Access Devices:
• Desktop computers
• Laptops, Ultra-mobile laptops and PDAs.
• Thin client computing.
• Digital cameras, Printers, Scanners, and photocopier etc.
INFORMATION SECURITY
 Protects information from a range of threats
 Ensures business continuity
 Minimizes financial loss
 Optimizes return on investments
 Increases business opportunities
Business Survival depends on Information Security
ISO 27002:2005 DEFINES INFORMATION
SECURITY AS THE PRESERVATION OF:
- Confidentiality: ensuring that information is accessible only to those
authorized to have access
- Integrity: safeguarding the accuracy and completeness of information
and processing methods
- Availability: ensuring that authorized users have access to information
and associated assets when required
WHAT IS RISK?
 Risk: The possibility that a threat exploits a vulnerability in an asset and
causes damage or loss to that asset
 Threat: Something that can potentially cause damage to the
organization, its IT systems or its network
 Vulnerability: A weakness in the organization, IT systems, or network
that can be exploited by a threat
ISO 27001 SECURITY
THREAT IDENTIFICATION
Elements of a threat
• Agent: the catalyst that performs the threat
- Human
- Machine
- Nature
• Motive: something that causes the agent to act
- Accidental
- Intentional
- Only a human agent can act either accidentally or intentionally
• Results: the outcome of a realized threat, normally a loss of one or more
of the CIA properties
- Confidentiality
- Integrity
- Availability
THREATS
• Employees
• External parties
• Low Awareness of security issues
• Growth in networking and distributed computing
• Growth in the complexity and effectiveness of hacking tools and viruses
• Natural disasters e.g., fire, flood, earthquake
HISTORY OF THE STANDARD
 Early 1990s
• DTI (UK) established a working group
• Information Security Management code of practice produced as a BSI-DISC publication
 1995
• BS 7799 published as a UK standard
 1999
• BS 7799-1:1999 second revision published
 2000
• BS 7799-1 adopted by ISO and published as ISO/IEC 17799
 2002
• BS 7799-2:2002 published
HISTORY
 ISO 27001:2005
Information Technology – Security Techniques – Information Security
management systems - Requirements
 ISO 27002:2005
Information technology – Security techniques – code of practice for
information security management
ISO 27001
ISO 27001: This international standard covers all types of organizations
(e.g., commercial enterprises, government agencies, non-profit
organizations). It specifies the requirements for establishing,
implementing, operating, monitoring, reviewing, maintaining and
improving a documented ISMS within the context of the organization's
overall business risks. It specifies requirements for the implementation of
security controls customized to the needs of individual
organizations or parts thereof.
The ISMS is designed to ensure the selection of adequate and
proportionate security controls that protect information assets and give
confidence to interested parties.
FEATURES
Features of ISO 27001
• Plan, Do, Check, Act (PDCA) process model
• Process based approach
• Stress on continual process improvements
• Scope covers information security not only IT security
• Covers people, process and technology.
• 5600 plus organizations worldwide have been certified
• 11 Domains, 39 control objectives, 133 controls
PDCA
CONTROL CLAUSES
• Information security policy – To provide management direction and
support for information security.
• Organization of information security – Management framework for
implementation.
• Asset management – To ensure the security of valuable organizational IT
and related assets.
• Human resources security – To reduce the risks of human error, theft,
fraud or misuse of facilities.
• Physical & environmental security – To prevent unauthorized access,
theft, compromise or damage to information and information processing
facilities.
 Communications & operations management – To ensure the correct
and secure operation of information processing facilities.
 Access control – To control access to information and information
processing facilities on a 'need to know' and 'need to do' basis.
 Information systems acquisition, development & maintenance – To
ensure that security is built into information systems.
 Information security incident management – To ensure that information
security events and weaknesses associated with information systems
are communicated in a manner allowing timely corrective action to be taken.
CONTROL CLAUSES
 Business continuity management – To reduce disruptions caused by
disasters and security failures to an acceptable level.
 Compliance – To avoid breaches of any criminal and civil law, statutory,
regulatory or contractual obligations and of any security requirements.
IMPLEMENTATION PROCESS CYCLE –
ISO 27001
BENEFITS
 At the organization level – commitment
 At the legal level – compliance
 At the operational level – Risk management
 At the commercial level – credibility and confidence
 At the financial level – Reduced costs
 At the human level – Improved employee awareness
USER RESPONSIBILITIES ISO:27001
Security Incidents
 Report security incidents (IT and non-IT) to the helpdesk through:
• E-mail to info.sec@organization.com
• Telephone: xxxx-xxxx-xxxx
• Anonymous reporting through drop boxes
e.g.:
IT incidents: mail spamming, virus attack, hacking etc.
Non-IT incidents: unsupervised visitor movement, information leakage,
bringing unauthorized media.
Do not discuss security incidents with anyone outside the organization.
Do not attempt to interfere with, obstruct or prevent anyone from reporting
incidents.
USER RESPONSIBILITIES
 Ensure your desktop has the latest antivirus updates
 Ensure your system is locked when you are away
 Always store laptops / media in a lockable place
 Be alert while working on laptops during travel
 Ensure sensitive business information is under lock and key when
unattended
 Ensure backup of sensitive and critical information assets
 Understand compliance issues such as
• Cyber law
• IPR, copyrights, NDAs
• Contractual obligations with customers
 Verify the sender's credentials if a message is received from an unknown sender
 Always switch off your computer before leaving for the day
 Keep yourself updated on information security aspects
BASIC SECURITY CONCEPTS
CIA TRIAD: Confidentiality, Integrity, Availability
PPP TRIAD: Privacy, Physical Security, Marketplace
• Confidentiality – Only authorized individuals can access data
• Integrity – Data changes are tracked and properly controlled
• Availability – Systems are accessible for business needs
ASSESSING RISKS
ASSESSMENT CAN BE PERFORMED USING A
5-STEP PROCESS
 Check existing security policies and processes
 Analyze, prioritize and categorize resources
 Consider business concerns
 Evaluate existing security Controls
 Leverage existing management and control architecture.
ASSESSING RISKS
 Check existing security policies and processes
 Analyze, prioritize, and categorize resources by determining:
 Total cost of ownership, internal value, and external value.
- TCO refers to the total monetary and labor costs calculated over a specific
time period
- Internal value refers to the monetary assessment of the importance of a
particular asset to the internal working of a company
- External value refers to the money or another commodity that the asset
brings to the company from external sources.
ASSESSING RISK
 Consider the business concerns through the annualized loss
expectancy (ALE = SLE * ARO)
- Single loss expectancy (SLE) is equal to the asset's value times the
exposure factor (EF)
• Asset value = TCO + internal value + external value
• EF is the percentage of the asset's value that is expected to be lost from a
particular threat
- Annualized rate of occurrence (ARO) is the estimated frequency with
which a particular threat may occur each year.
 Evaluate existing security controls to determine what controls are
deployed and effective
 Leverage existing management and control architecture to build a
persuasive business case for or against implementing new security
controls.
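The ALE model from the steps above as a worked example. This is an added example, not code from the original deck: the assets, exposure factors, rates of occurrence and control costs are constructed figures, and control_net_benefit goes one step beyond the slides by comparing the ALE before and after a hypothetical control against the control's annual cost, which is the business case the last step asks for.

```python
"""Annualized loss expectancy (ALE) worked example.

Added example, not part of the original deck. All asset values, exposure
factors, rates of occurrence and control costs are constructed numbers.
"""
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class Asset:
    name: str
    tco: float             # total cost of ownership over the assessment period
    internal_value: float  # monetary importance to the internal working of the company
    external_value: float  # money or other commodity the asset brings in from outside

    @property
    def value(self) -> float:
        # Asset value = TCO + internal value + external value
        return self.tco + self.internal_value + self.external_value


@dataclass(frozen=True)
class Threat:
    name: str
    asset: Asset
    exposure_factor: float  # fraction of the asset value lost per occurrence, 0..1
    aro: float              # annualized rate of occurrence (events per year)

    def __post_init__(self) -> None:
        # Reject inputs that would silently produce nonsense figures
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"{self.name}: exposure factor must be within [0, 1]")
        if self.aro < 0.0:
            raise ValueError(f"{self.name}: ARO cannot be negative")

    def sle(self) -> float:
        # Single loss expectancy = asset value * EF
        return self.asset.value * self.exposure_factor

    def ale(self) -> float:
        # Annualized loss expectancy = SLE * ARO
        return self.sle() * self.aro


def prioritize(threats: List[Threat]) -> List[Threat]:
    """Order the register by ALE, highest first: what to treat first."""
    return sorted(threats, key=lambda t: t.ale(), reverse=True)


def control_net_benefit(threat: Threat, annual_control_cost: float,
                        new_ef: Optional[float] = None,
                        new_aro: Optional[float] = None) -> float:
    """Annual net benefit of a control = ALE before - ALE after - control cost.

    A control may reduce the exposure factor (less damage per event), the
    ARO (fewer events), or both. A positive result means the control pays
    for itself on these figures; a negative one argues against it.
    """
    mitigated = replace(
        threat,
        exposure_factor=threat.exposure_factor if new_ef is None else new_ef,
        aro=threat.aro if new_aro is None else new_aro,
    )
    return threat.ale() - mitigated.ale() - annual_control_cost


# Constructed sample register (illustrative figures only)
FILE_SERVER = Asset("file server", tco=40_000, internal_value=60_000, external_value=0)
CUSTOMER_PORTAL = Asset("customer portal", tco=30_000, internal_value=20_000, external_value=150_000)
LAPTOP = Asset("sales laptop", tco=2_000, internal_value=8_000, external_value=0)

RANSOMWARE = Threat("ransomware", FILE_SERVER, exposure_factor=0.5, aro=0.2)
DDOS = Threat("DDoS on portal", CUSTOMER_PORTAL, exposure_factor=0.05, aro=2.0)
LAPTOP_THEFT = Threat("laptop theft", LAPTOP, exposure_factor=1.0, aro=0.1)
REGISTER = [RANSOMWARE, DDOS, LAPTOP_THEFT]

if __name__ == "__main__":
    for t in prioritize(REGISTER):
        print(f"{t.name:16} value={t.asset.value:>9,.0f} "
              f"SLE={t.sle():>9,.0f} ALE={t.ale():>9,.0f}")
    # Hypothetical controls: backups cut the ransomware EF, encryption cuts the
    # confidentiality loss of a stolen laptop, scrubbing cuts the DDoS ARO.
    print("offline backups  :", control_net_benefit(RANSOMWARE, 3_000, new_ef=0.1))
    print("disk encryption  :", control_net_benefit(LAPTOP_THEFT, 500, new_ef=0.2))
    print("DDoS scrubbing   :", control_net_benefit(DDOS, 25_000, new_aro=0.2))
```

On these constructed figures the portal DDoS has the highest ALE even though each event is cheap, because it happens often; the backup and encryption controls show a positive net benefit, while the scrubbing service costs more per year than the ALE it removes, so the same arithmetic argues against it unless the ARO or asset value is higher than estimated.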
SECURITY POLICY
 At a minimum, an organization’s security policy should cover the
following:
• Physical security
• Access Control
• Network Security
• System security
• Authorized security Tools
• Auditing procedures
BENEFITS OF A SECURITY POLICY
 A security policy has the following three important benefits:
 Communicates a common vision for security throughout a company
 Represents a single easy-to-use source of security requirements
 Exists as a flexible document that should be updated at least annually to
address new security threats
INPUTS FOR SECURITY POLICY
 Local Laws, regulations and business contracts
 Internal business goals, principles and guidelines
 Security measures deemed essential through risk assessment.
BUILDING A SECURITY POLICY
 An organization’s security policy should cover the following:
 Foreword: Purpose, scope, responsibilities, and penalties for
non-compliance
 Physical security: Controls to protect the people, equipment, facilities
and computer assets
 USER ID and rights management: Only authorized individuals have
access to the necessary systems and network devices
BUILDING A SECURITY POLICY
An organization’s security policy should cover the following:
• Network Security: Protect the network devices and data in transit
• System security: Necessary defenses to protect computer systems from
compromise
• Testing: Authorized security tools and testing
• Auditing: Procedures to periodically check security compliance
BUILDING A SECURITY POLICY
FOREWORD
• Purpose: Why is the policy being established?
• Scope: What people, systems, software, information and facilities are
covered?
• Responsibilities: Who is responsible for the various computing roles in a
company?
• Compliance: What are the penalties for noncompliance? Which
organization is responsible for auditing compliance?
BUILDING A SECURITY POLICY
PHYSICAL SECURITY
• Human threats: theft, vandalism, sabotage, and terrorism
• Building damage: fire, water damage, and toxic leaks
• Natural disasters: floods, hurricanes, and tornadoes
• Infrastructure disruption: loss of power, loss of HVAC, and downed
communication lines
• Equipment failure: computer system damage and network device failure
BUILDING A SECURITY POLICY
USER ID AND RIGHTS
Authentication:
• Authentication model
• Implementing technologies
• Implementation mechanism
Access controls – determine who gets what level of access to which resources
• Access control model
• Implementing mechanism
BUILDING A SECURITY POLICY
NETWORK SECURITY
• Specific timeframes for changing passwords on network devices
• Use of network protocols
• Firewalls at specific chokepoints in the network architecture
• Use of authentication servers to access network devices
BUILDING A SECURITY POLICY
SYSTEM SECURITY
• The systems section is used to outline the specific settings required to
secure a particular operating system or application
- For example, for Windows NT 4.0, it may be a requirement that
every logical drive be formatted with NTFS.
- For a particular UNIX flavor, shadow passwords may be required
so that password hashes are kept in /etc/shadow rather than in the
world-readable /etc/passwd, hiding them from general users.
BUILDING A SECURITY POLICY
TESTING AND AUDITING
• Specific requirements for vulnerability scanners, compliance checking
tools, and other security tools run within the environment
• Require auditing logs on specific devices, periodic self-audits
performed by the system administrators, and the use of security
compliance checking tools
• Specify corporate auditing requirements, frequencies and
organizations.
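A compliance check of the kind the testing and auditing section calls for, run against the system-security requirement on the previous slide (shadow passwords on UNIX). This is an added example, not code from the original deck or any particular compliance tool: it parses passwd- and shadow-format text, flags hashes left in the world-readable file, empty password fields, extra UID 0 accounts and orphaned entries, and checks the permission bits of the shadow file. The file contents below are constructed samples, not real system files.

```python
"""Unix password-file compliance check (added example, not from the deck).

Policy being checked: password hashes live in /etc/shadow (shadow passwords),
/etc/passwd carries only the 'x' placeholder, no account has an empty
password, only 'root' has UID 0, and /etc/shadow is not readable by others.
The sample file contents are constructed for illustration.
"""
from collections import Counter
from typing import Dict, Iterator, List, Optional, Tuple

Finding = Tuple[str, str, str]  # (severity, account or file, message)

# Constructed /etc/passwd sample: 'legacy' still carries a hash, 'toor' is a
# second UID 0 account with no shadow entry.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
legacy:$1$salt$hashkeptinpasswd:1001:1001:Old service:/home/legacy:/bin/sh
toor:x:0:0:second root:/root:/bin/bash
"""

# Constructed /etc/shadow sample: 'bob' has an empty hash (passwordless login),
# 'svc-old' has no matching passwd account.
SHADOW_SAMPLE = """\
root:$6$salt$roothash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$6$salt$alicehash:19000:0:99999:7:::
bob::19000:0:99999:7:::
svc-old:!:18000:0:99999:7:::
"""


def _records(text: str, nfields: int) -> Iterator[Tuple[str, Optional[List[str]]]]:
    """Yield (name, fields) per line; fields is None for a malformed line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        yield fields[0], (fields if len(fields) == nfields else None)


def check_password_files(passwd_text: str, shadow_text: str) -> List[Finding]:
    findings: List[Finding] = []
    passwd: Dict[str, List[str]] = {}
    shadow: Dict[str, List[str]] = {}
    for name, fields in _records(passwd_text, 7):
        if fields is None:
            findings.append(("MEDIUM", name, "malformed passwd line"))
        else:
            passwd[name] = fields
    for name, fields in _records(shadow_text, 9):
        if fields is None:
            findings.append(("MEDIUM", name, "malformed shadow line"))
        else:
            shadow[name] = fields

    for name, fields in passwd.items():
        pw, uid = fields[1], fields[2]
        if pw == "":
            findings.append(("HIGH", name, "empty password field in passwd (no password required)"))
        elif pw != "x":
            findings.append(("HIGH", name, "password hash stored in world-readable passwd"))
        elif name not in shadow:
            findings.append(("MEDIUM", name, "shadowed account has no shadow entry"))
        if uid == "0" and name != "root":
            findings.append(("HIGH", name, "additional UID 0 (superuser) account"))

    for name, fields in shadow.items():
        if fields[1] == "":
            findings.append(("HIGH", name, "empty password hash in shadow (passwordless login)"))
        if name not in passwd:
            findings.append(("LOW", name, "shadow entry with no passwd account"))
    return findings


def check_shadow_mode(mode: int) -> List[Finding]:
    """mode: permission bits of /etc/shadow, e.g. stat.S_IMODE(os.stat(p).st_mode).
    0640 root:shadow is the usual compliant setting; any 'other' bit or group
    write bit exposes or allows tampering with the hashes."""
    findings: List[Finding] = []
    if mode & 0o007:
        findings.append(("HIGH", "/etc/shadow", f"accessible by others (mode {mode:04o})"))
    if mode & 0o020:
        findings.append(("HIGH", "/etc/shadow", f"group-writable (mode {mode:04o})"))
    return findings


def summarize(findings: List[Finding]) -> Counter:
    return Counter(severity for severity, _, _ in findings)


if __name__ == "__main__":
    results = check_password_files(PASSWD_SAMPLE, SHADOW_SAMPLE) + check_shadow_mode(0o644)
    for severity, subject, message in results:
        print(f"{severity:6} {subject:12} {message}")
    print(dict(summarize(results)))
```

On a real host the same functions take the contents of /etc/passwd and /etc/shadow (reading the latter needs root) and the mode from os.stat; the constructed samples exist only so the check runs offline.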
SECURITY RESOURCES AND
CERTIFICATIONS
• CISSP - Certified Information Systems Security Professional
• SSCP - Systems Security Certified Practitioner
• GIAC - Global Information Assurance Certification
• CISA - Certified Information Systems Auditor
• CIW - Certified Internet Web Professional
SUMMARY
• The CIA triad categorizes the aspects of information that must be protected
from attacks: confidentiality, integrity, and availability.
• The PPP triad depicts physical security, privacy and marketplace perception
as three additional abstract concepts that should drive security efforts.
SUMMARY
• The first step in creating an effective security policy is to perform a risk assessment
within the environment. A risk assessment consists of five steps:
- Check for existing security policies and processes
- Analyze, prioritize and categorize resources
- Consider business concerns
- Evaluate existing security controls
- Leverage existing management and control architecture
• To estimate potential financial loss from security threats, the following formula
works well by accounting for the most important cost factors associated with
security: ALE = SLE * ARO
• A security policy has three major benefits. It:
- Communicates a common vision for security throughout a company
- Represents a single easy-to-use source of security requirements
- Exists as a flexible document that should be updated at least annually to address
new security threats
SUMMARY
• An effective security policy includes security requirements in the following
areas:
- Physical security
- User ID and rights management
- Systems
- Network
- Security Tools
- Auditing
• There are a number of security related certifications to help security
professionals quantify their knowledge on a resume.
• Every security professional must stay current about the latest threats
through web resources, mailing lists, and printed materials.
THE END

Mais conteúdo relacionado

Mais procurados

Information security
Information securityInformation security
Information securityLJ PROJECTS
 
Cia security model
Cia security modelCia security model
Cia security modelImran Ahmed
 
A to Z of Information Security Management
A to Z of Information Security ManagementA to Z of Information Security Management
A to Z of Information Security ManagementMark Conway
 
Chapter 3: Information Security Framework
Chapter 3: Information Security FrameworkChapter 3: Information Security Framework
Chapter 3: Information Security FrameworkNada G.Youssef
 
IT Security management and risk assessment
IT Security management and risk assessmentIT Security management and risk assessment
IT Security management and risk assessmentCAS
 
Introduction To Information Security
Introduction To Information SecurityIntroduction To Information Security
Introduction To Information Securitybelsis
 
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...PECB
 
Introduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security FrameworkIntroduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security FrameworkPECB
 
Application Security | Application Security Tutorial | Cyber Security Certifi...
Application Security | Application Security Tutorial | Cyber Security Certifi...Application Security | Application Security Tutorial | Cyber Security Certifi...
Application Security | Application Security Tutorial | Cyber Security Certifi...Edureka!
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security GovernancePriyanka Aash
 
Cyber Security Vulnerabilities
Cyber Security VulnerabilitiesCyber Security Vulnerabilities
Cyber Security VulnerabilitiesSiemplify
 
Enterprise Security Architecture for Cyber Security
Enterprise Security Architecture for Cyber SecurityEnterprise Security Architecture for Cyber Security
Enterprise Security Architecture for Cyber SecurityThe Open Group SA
 
Cyber security and demonstration of security tools
Cyber security and demonstration of security toolsCyber security and demonstration of security tools
Cyber security and demonstration of security toolsVicky Fernandes
 
The Insider Threat
The Insider ThreatThe Insider Threat
The Insider ThreatPECB
 

Mais procurados (20)

Information security
Information securityInformation security
Information security
 
Cia security model
Cia security modelCia security model
Cia security model
 
Information security
Information securityInformation security
Information security
 
Security & Compliance
Security & ComplianceSecurity & Compliance
Security & Compliance
 
Insider threat kill chain
Insider threat   kill chainInsider threat   kill chain
Insider threat kill chain
 
A to Z of Information Security Management
A to Z of Information Security ManagementA to Z of Information Security Management
A to Z of Information Security Management
 
Chapter 3: Information Security Framework
Chapter 3: Information Security FrameworkChapter 3: Information Security Framework
Chapter 3: Information Security Framework
 
IT Security management and risk assessment
IT Security management and risk assessmentIT Security management and risk assessment
IT Security management and risk assessment
 
Introduction To Information Security
Introduction To Information SecurityIntroduction To Information Security
Introduction To Information Security
 
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...
 
Introduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security FrameworkIntroduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security Framework
 
information security
information securityinformation security
information security
 
Application Security | Application Security Tutorial | Cyber Security Certifi...
Application Security | Application Security Tutorial | Cyber Security Certifi...Application Security | Application Security Tutorial | Cyber Security Certifi...
Application Security | Application Security Tutorial | Cyber Security Certifi...
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
Cyber Security Vulnerabilities
Cyber Security VulnerabilitiesCyber Security Vulnerabilities
Cyber Security Vulnerabilities
 
IT security
IT securityIT security
IT security
 
Enterprise Security Architecture for Cyber Security
Enterprise Security Architecture for Cyber SecurityEnterprise Security Architecture for Cyber Security
Enterprise Security Architecture for Cyber Security
 
Cyber security and demonstration of security tools
Cyber security and demonstration of security toolsCyber security and demonstration of security tools
Cyber security and demonstration of security tools
 
Cyber Security PPT - 2023.pptx
Cyber Security PPT - 2023.pptxCyber Security PPT - 2023.pptx
Cyber Security PPT - 2023.pptx
 
The Insider Threat
The Insider ThreatThe Insider Threat
The Insider Threat
 

Semelhante a Information security

ISMS User_Awareness Training.pptx
ISMS User_Awareness Training.pptxISMS User_Awareness Training.pptx
ISMS User_Awareness Training.pptxMukesh Pant
 
Information security: importance of having defined policy & process
Information security: importance of having defined policy & processInformation security: importance of having defined policy & process
Information security: importance of having defined policy & processInformation Technology Society Nepal
 
ISO27k Awareness presentation v2.pptx
ISO27k Awareness presentation v2.pptxISO27k Awareness presentation v2.pptx
ISO27k Awareness presentation v2.pptxNapoleon NV
 
Chapter 12 iso 27001 awareness
Chapter 12 iso 27001 awarenessChapter 12 iso 27001 awareness
Chapter 12 iso 27001 awarenessnewbie2019
 
Information Security Management System ISO/IEC 27001:2005
Information Security Management System ISO/IEC 27001:2005Information Security Management System ISO/IEC 27001:2005
Information Security Management System ISO/IEC 27001:2005ControlCase
 
ISO27k Awareness presentation.pptx
ISO27k Awareness presentation.pptxISO27k Awareness presentation.pptx
ISO27k Awareness presentation.pptxharigopala
 
ISO 27001 Awareness IGN Mantra 2nd Day, 1st Session.
ISO 27001 Awareness IGN Mantra 2nd Day, 1st Session.ISO 27001 Awareness IGN Mantra 2nd Day, 1st Session.
ISO 27001 Awareness IGN Mantra 2nd Day, 1st Session.IGN MANTRA
 
Iso 27001 2005- by netpeckers consulting
Iso 27001 2005- by netpeckers consultingIso 27001 2005- by netpeckers consulting
Iso 27001 2005- by netpeckers consultingIskcon Ahmedabad
 
IT governance and Information System Security
IT governance and Information System SecurityIT governance and Information System Security
IT governance and Information System SecurityCSSRL PUNE
 
Why ISO 27001 for an Organisation
Why ISO 27001 for an OrganisationWhy ISO 27001 for an Organisation
Why ISO 27001 for an OrganisationSyed Azher
 
FRSecure Sales Deck
FRSecure Sales DeckFRSecure Sales Deck
FRSecure Sales DeckEvan Francen
 
GDPR compliance and information security: Reducing data breach risks
GDPR compliance and information security: Reducing data breach risksGDPR compliance and information security: Reducing data breach risks
GDPR compliance and information security: Reducing data breach risksIT Governance Ltd
 
ISO 27001 - Information security user awareness training presentation - part 3
ISO 27001 - Information security user awareness training presentation - part 3ISO 27001 - Information security user awareness training presentation - part 3
ISO 27001 - Information security user awareness training presentation - part 3Tanmay Shinde
 
Infocon Bangladesh 2016
Infocon Bangladesh 2016Infocon Bangladesh 2016
Infocon Bangladesh 2016Prime Infoserv
 
Standards & Framework.ppt
Standards & Framework.pptStandards & Framework.ppt
Standards & Framework.pptkarthikvcyber
 
FROM STRATEGY TO ACTION - Vasil Tsvimitidze
FROM STRATEGY TO ACTION - Vasil Tsvimitidze FROM STRATEGY TO ACTION - Vasil Tsvimitidze
FROM STRATEGY TO ACTION - Vasil Tsvimitidze DataExchangeAgency
 

Semelhante a Information security (20)

ISMS User_Awareness Training.pptx
ISMS User_Awareness Training.pptxISMS User_Awareness Training.pptx
ISMS User_Awareness Training.pptx
 
Information security: importance of having defined policy & process
Information security: importance of having defined policy & processInformation security: importance of having defined policy & process
Information security: importance of having defined policy & process
 
ISO 27001
ISO 27001ISO 27001
ISO 27001
 
ISO27k Awareness presentation v2.pptx
ISO27k Awareness presentation v2.pptxISO27k Awareness presentation v2.pptx
ISO27k Awareness presentation v2.pptx
 
Chapter 12 iso 27001 awareness
Chapter 12 iso 27001 awarenessChapter 12 iso 27001 awareness
Chapter 12 iso 27001 awareness
 
Information Security Management System ISO/IEC 27001:2005
Information Security Management System ISO/IEC 27001:2005Information Security Management System ISO/IEC 27001:2005
Information Security Management System ISO/IEC 27001:2005
 
ISO27k Awareness presentation.pptx
ISO27k Awareness presentation.pptxISO27k Awareness presentation.pptx
ISO27k Awareness presentation.pptx
 
ISO 27001 Awareness IGN Mantra 2nd Day, 1st Session.
ISO 27001 Awareness IGN Mantra 2nd Day, 1st Session.ISO 27001 Awareness IGN Mantra 2nd Day, 1st Session.
ISO 27001 Awareness IGN Mantra 2nd Day, 1st Session.
 
Iso 27001 2005- by netpeckers consulting
Iso 27001 2005- by netpeckers consultingIso 27001 2005- by netpeckers consulting
Iso 27001 2005- by netpeckers consulting
 
IT governance and Information System Security
IT governance and Information System SecurityIT governance and Information System Security
IT governance and Information System Security
 
Why ISO 27001 for an Organisation
Why ISO 27001 for an OrganisationWhy ISO 27001 for an Organisation
Why ISO 27001 for an Organisation
 
FRSecure Sales Deck
FRSecure Sales DeckFRSecure Sales Deck
FRSecure Sales Deck
 
GDPR compliance and information security: Reducing data breach risks
GDPR compliance and information security: Reducing data breach risksGDPR compliance and information security: Reducing data breach risks
GDPR compliance and information security: Reducing data breach risks
 
1678784047-mid_sem-2.pdf
1678784047-mid_sem-2.pdf1678784047-mid_sem-2.pdf
1678784047-mid_sem-2.pdf
 
ISO 27001 Information Security Management.pdf
ISO 27001 Information Security Management.pdfISO 27001 Information Security Management.pdf
ISO 27001 Information Security Management.pdf
 
CCA study group
CCA study groupCCA study group
CCA study group
 
ISO 27001 - Information security user awareness training presentation - part 3
ISO 27001 - Information security user awareness training presentation - part 3ISO 27001 - Information security user awareness training presentation - part 3
ISO 27001 - Information security user awareness training presentation - part 3
 
Infocon Bangladesh 2016
Infocon Bangladesh 2016Infocon Bangladesh 2016
Infocon Bangladesh 2016
 
Standards & Framework.ppt
Standards & Framework.pptStandards & Framework.ppt
Standards & Framework.ppt
 
FROM STRATEGY TO ACTION - Vasil Tsvimitidze
FROM STRATEGY TO ACTION - Vasil Tsvimitidze FROM STRATEGY TO ACTION - Vasil Tsvimitidze
FROM STRATEGY TO ACTION - Vasil Tsvimitidze
 

Information security

  • 1. INTRODUCTION TO INFORMATION SECURITY By Avinash Balakrishnan ENBLISS IT SERVICES PVT LTD
  • 2. OBJECTIVES  Define Basic security concepts  Begin to Assess Security Risks  Outline a security policy  Locate Information Security Resources
  • 3. BASIC SECURITY CONCEPTS  Information Security – Perception  Information Security – Reality  CIA (Confidentiality, Data Integrity and Availability)  PPP (Physical Security, Privacy and Marketplace Security)
  • 4.  What is Information?  What is Information Security?  What is Risk?  An Introduction to ISO for information Technology.
  • 5. Information is an asset, which, like other important business assets, has the value to an organization and consequently needs to be suitably protected. BS ISO 27002:2005
  • 6. INFORMATION CAN BE:  Created  Stored  Destroyed  Processed  Transmitted  Used – ( for proper and improper processes)  Corrupted  Lost  Stolen  Printed or Written on paper  Stored electronically  Transmitted by post or using electronic means  Shown on completed videos  Displayed / Published on web  Verbal – spoken in conversations ‘ … Whatever form information takes, or means by which it is shared, or stored, it should always be appropriately protected’ (BS ISO 27002:2005)
  • 7. WHAT IS INFORMATION SECURITY  The quality or state of being secure to be free from danger  Security is achieved using several strategies  Security is achieved using several strategies simultaneously or used in combination with one another  Security is recognized as essential to protect viral processes and systems that provide those processes  Security is not something you buy, it is something you do
  • 8. WHAT IS INFORMATION SECURITY  The architecture where an integrated combination of appliances, systems and solutions, software, alarms and vulnerability scans working together.  Monitored 24*7  Having People, Process, Technology, Policies and procedures  Security is for PPT and not for appliances or devices
  • 9. PEOPLE, PROCESS AND TECHNOLOGY:
  • 10. PEOPLE “ WHO WE ARE”  People who use or interact with the Information include: • Shareholders/owners • Management • Employees • Business Partners • Service providers • Contractors • Customers / Clients • Regulators etc…
  • 11. PROCESS : “WHAT WE DO”  The processes or “work practices” or workflow. Processes are the repeatable steps to accomplish business objectives. Typical process in our IT Infrastructure could include: • Helpdesk / Service Management • Incident Reporting and Management • Change Requests Process • Request fulfillment • Access Management • Identity Management • Service Level / Third party Services Management • IT Procurement process etc..
  • 12. TECHNOLOGY: “WHAT WE USE TO IMPROVE WHAT WE DO”
     Network Infrastructure:
    • Cabling, data/voice networks and equipment
    • Telecommunication services (PABX), including VOIP services, ISDN, video conferencing
    • Server computers and associated storage devices
    • Operating software for server computers
    • Communications equipment and related hardware
    • Intranet and Internet connections
    • VPNs and virtual environments
    • Remote access services
    • Wireless connectivity
  • 13. TECHNOLOGY: “WHAT WE USE TO IMPROVE WHAT WE DO”
     Application Software:
    • Finance and asset systems, including accounting packages, inventory management, HR systems, assessments, and reporting systems
    • Software as a service (SaaS), instead of software as a packaged or custom-made product, etc.
     Physical Security Components:
    • CCTV cameras
    • Clock-in systems / biometrics
    • Environmental management systems: humidity control, ventilation, air conditioning, fire control systems
    • Electricity / power backup
     Access Devices:
    • Desktop computers
    • Laptops, ultra-mobile laptops and PDAs
    • Thin client computing
    • Digital cameras, printers, scanners, photocopiers etc.
  • 14. INFORMATION SECURITY
     Protects information from a range of threats
     Ensures business continuity
     Minimizes financial loss
     Optimizes return on investments
     Increases business opportunities
    Business survival depends on Information Security
  • 15. ISO 27002:2005 DEFINES INFORMATION SECURITY AS THE PRESERVATION OF:
    - Confidentiality: ensuring that information is accessible only to those authorized to have access
    - Integrity: safeguarding the accuracy and completeness of information and processing methods
    - Availability: ensuring that authorized users have access to information and associated assets when required
  • 16. WHAT IS RISK?
     Risk: The possibility that a threat exploits a vulnerability in an asset and causes damage or loss to the asset
     Threat: Something that can potentially cause damage to the organization, IT systems or network
     Vulnerability: A weakness in the organization, IT systems, or network that can be exploited by a threat
  • 18. THREAT IDENTIFICATION
    Elements of Threats
    Agent: The catalyst that performs the threat.
    • Human
    • Machine
    • Nature
    Motive: Something that causes the agent to act.
    • Accidental
    • Intentional
    The only motivating factor that can be both accidental and intentional is human.
    Results: The outcome of an applied threat. The results normally lead to the loss of CIA:
    • Confidentiality
    • Integrity
    • Availability
  • 19. THREATS
    • Employees
    • External parties
    • Low awareness of security issues
    • Growth in networking and distributed computing
    • Growth in the complexity and effectiveness of hacking tools and viruses
    • Natural disasters, e.g. fire, flood, earthquake
  • 22. CYBER THREAT HISTORY
     Early 1990
    • DTI (UK) established a working group
    • Information Security Management code of practice produced as a BSI-DISC publication
     1995
    • BS7799 published as a UK Standard
     1999
    • BS 7799-1:1999 second revision published
     2000
    • BS 7799-1 accepted by ISO and published as ISO-17799
    • BS 7799-2:2002 published
  • 23. HISTORY
     ISO 27001:2005 Information Technology – Security Techniques – Information Security Management Systems – Requirements
     ISO 27002:2005 Information Technology – Security Techniques – Code of Practice for Information Security Management
  • 24. ISO 27001
    ISO 27001: This International Standard covers all types of organizations (e.g., commercial enterprises, government agencies, non-profit organizations). It specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented ISMS within the context of the organization’s overall business risks. It specifies requirements for the implementation of security controls customized to the needs of individual organizations or parts thereof. The ISMS is designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties.
  • 25. FEATURES
    Features of ISO 27001
    • Plan, Do, Check, Act (PDCA) process model
    • Process-based approach
    • Stress on continual process improvement
    • Scope covers information security, not only IT security
    • Covers people, process and technology
    • 5600 plus organizations worldwide have been certified
    • 11 domains, 39 control objectives, 133 controls
  • 26. PDCA
  • 28. CONTROL CLAUSES
    • Information Security Policy – To provide management direction and support for information security.
    • Organization of Information Security – Management framework for implementation.
    • Asset Management – To ensure the security of valuable organizational IT and its related assets.
    • Human Resources Security – To reduce the risks of human error, theft, fraud or misuse of facilities.
    • Physical & Environmental Security – To prevent unauthorized access, theft, compromise or damage to information and information processing facilities.
  • 29. CONTROL CLAUSES
     Communications & Operations Management – To ensure the correct and secure operation of information processing facilities.
     Access Control – To control access to information and information processing facilities on a ‘need to know’ and ‘need to do’ basis.
     Information Systems Acquisition, Development & Maintenance – To ensure security is built into information systems.
     Information Security Incident Management – To ensure information security events and weaknesses associated with information systems are communicated.
  • 30. CONTROL CLAUSES
     Business Continuity Management – To reduce disruptions caused by disasters and security failures to an acceptable level.
     Compliance – To avoid breaches of any criminal and civil law, statutory, regulatory or contractual obligations and of any security requirements.
  • 32. BENEFITS
     At the organization level – commitment
     At the legal level – compliance
     At the operational level – risk management
     At the commercial level – credibility and confidence
     At the financial level – reduced costs
     At the human level – improved employee awareness
  • 36. USER RESPONSIBILITIES ISO:27001
    Security Incidents
     Report security incidents (IT and non-IT) to the Helpdesk through
    • E-mail to info.sec@organization.com
    • Telephone: xxxx-xxxx-xxxx
    • Anonymous reporting through drop boxes
    e.g.: IT incidents: mail spamming, virus attack, hacking etc.; Non-IT incidents: unsupervised visitor movement, information leakage, bringing unauthorized media.
    Do not discuss security incidents with anyone outside the organization.
    Do not attempt to interfere with, obstruct or prevent anyone from reporting incidents.
  • 37. USER RESPONSIBILITIES
     Ensure your desktop has the latest antivirus updates
     Ensure your system is locked when you are away
     Always store laptops / media in a lockable place
     Be alert while working on laptops during travel
     Ensure sensitive business information is under lock and key when unattended
     Ensure backup of sensitive and critical information assets
     Understand compliance issues such as
    • Cyber law
    • IPR, copyrights, NDA
    • Contractual obligations with customers
     Verify credentials if a message is received from an unknown sender
     Always switch off your computer before leaving for the day
     Keep yourself updated on information security aspects
  • 38. BASIC SECURITY CONCEPTS
    CIA TRIAD: Confidentiality, Integrity, Availability
    PPP TRIAD: Physical Security, Privacy, Market Place
    • Confidentiality – only authorized individuals can access data
    • Integrity – data changes are tracked and properly controlled
    • Availability – systems are accessible for business needs
  • 39. ASSESSING RISKS
    ASSESSMENT CAN BE PERFORMED USING A 5-STEP PROCESS
     Check existing security policies and processes
     Analyze, prioritize and categorize resources
     Consider business concerns
     Evaluate existing security controls
     Leverage existing management and control architecture
  • 40. ASSESSING RISKS
     Check existing security policies and processes
     Analyze, prioritize, and categorize resources by determining total cost of ownership, internal value, and external value:
    - TCO refers to the total monetary and labor costs calculated over a specific time period
    - Internal value refers to the monetary assessment of the importance of a particular asset to the internal working of a company
    - External value refers to the money or other commodity that the asset brings to the company from external sources
  • 41. ASSESSING RISK
     Consider the business concerns through the annualized loss expectancy (ALE = SLE * ARO)
    - Single loss expectancy (SLE) is equal to the asset’s value times the exposure factor (EF)
    • Asset value = TCO + internal value + external value
    • EF is the percentage of asset loss that is expected from a particular threat
    - Annualized rate of occurrence (ARO) is the estimated frequency with which a particular threat may occur each year
  • 42. ASSESSING RISK
     Evaluate existing security controls to determine what controls are deployed and effective
     Leverage existing management and control architecture to build a persuasive business case for, or against, implementing new security controls
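The arithmetic behind slides 40 to 42 (asset value, SLE, ALE, and the business case for a control) carried through in code. This is an added example and is not part of the original deck; the asset figures, exposure factors and annual rates of occurrence are constructed sample values, and `control_net_benefit` is one simple way to express the "business case" step, not a formula the slides give.

```python
"""Worked risk-assessment arithmetic for the five-step process (added
example, not from the original deck).  All asset values and threat
estimates below are constructed sample figures."""

from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    tco: float             # total cost of ownership over the assessment period
    internal_value: float  # importance to the company's internal workings, in money
    external_value: float  # money or other commodity the asset brings in from outside


def asset_value(asset: Asset) -> float:
    """Asset value = TCO + internal value + external value."""
    return asset.tco + asset.internal_value + asset.external_value


def single_loss_expectancy(value: float, exposure_factor: float) -> float:
    """SLE = asset value * EF, where EF is the fraction of the asset expected
    to be lost in one occurrence of the threat (0.0 to 1.0)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE * ARO; ARO is the estimated number of occurrences per year
    and may be fractional (0.1 means once every ten years)."""
    if aro < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return sle * aro


def control_net_benefit(ale_before: float, ale_after: float,
                        annual_control_cost: float) -> float:
    """Business case for a control (assumed formulation): the ALE it removes
    minus what it costs per year.  Positive means the control pays for itself."""
    return (ale_before - ale_after) - annual_control_cost


def rank_assets_by_ale(scenarios: list[tuple[Asset, float, float]]) -> list[tuple[str, float]]:
    """Prioritize resources: highest ALE first.
    Each scenario is (asset, exposure_factor, aro)."""
    ranked = []
    for asset, ef, aro in scenarios:
        sle = single_loss_expectancy(asset_value(asset), ef)
        ranked.append((asset.name, annualized_loss_expectancy(sle, aro)))
    ranked.sort(key=lambda item: item[1], reverse=True)
    return ranked


if __name__ == "__main__":
    # Constructed sample assets.
    file_server = Asset("file server", tco=50_000, internal_value=20_000, external_value=30_000)
    web_shop = Asset("web shop", tco=80_000, internal_value=10_000, external_value=200_000)
    # Constructed threat estimates: ransomware on the file server (25 % loss,
    # once every two years) and an outage of the web shop (5 % loss, four times a year).
    for name, ale in rank_assets_by_ale([(file_server, 0.25, 0.5), (web_shop, 0.05, 4.0)]):
        print(f"{name}: ALE = {ale:,.0f}")
    # Offline backups for the file server assumed to cost 8,000 a year and to
    # cut that ALE by 80 %.
    before = annualized_loss_expectancy(single_loss_expectancy(asset_value(file_server), 0.25), 0.5)
    print("backup control net benefit:", control_net_benefit(before, before * 0.2, 8_000))
```

The ranking step is what turns the five-step process into a prioritized list: the asset with the larger ALE (here the web shop, despite its small exposure factor) is where controls should be argued for first, and a control whose annual cost exceeds the ALE it removes is the case against.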
  • 43. SECURITY POLICY
     At a minimum, an organization’s security policy should cover the following:
    • Physical security
    • Access control
    • Network security
    • System security
    • Authorized security tools
    • Auditing procedures
  • 44. BENEFITS OF A SECURITY POLICY
     A security policy has the following three important benefits:
     Communicates a common vision for security throughout a company
     Represents a single easy-to-use source of security requirements
     Exists as a flexible document that should be updated at least annually to address new security threats
  • 45. INPUTS FOR SECURITY POLICY
     Local laws, regulations and business contracts
     Internal business goals, principles and guidelines
     Security measures deemed essential through risk assessment
  • 46. BUILDING A SECURITY POLICY
     An organization’s security policy should cover the following:
     Foreword: Purpose, scope, responsibilities, and penalties for non-compliance
     Physical Security: Controls to protect the people, equipment, facilities and computer assets
     User ID and rights management: Only authorized individuals have access to the necessary systems and network devices
  • 47. BUILDING A SECURITY POLICY
    An organization’s security policy should cover the following:
    • Network Security: Protect the network devices and data in transit
    • System Security: Necessary defenses to protect computer systems from compromise
    • Testing: Authorized security tools and testing
    • Auditing: Procedures to periodically check security compliance
  • 48. BUILDING A SECURITY POLICY
    FOREWORD
    • Purpose: Why is the policy being established?
    • Scope: What people, systems, software, information and facilities are covered?
    • Responsibilities: Who is responsible for the various computing roles in a company?
    • Compliance: What are the penalties for noncompliance? Which organization is responsible for auditing compliance?
  • 49. BUILDING A SECURITY POLICY
    PHYSICAL SECURITY
    • Human threats: theft, vandalism, sabotage, and terrorism
    • Building damage: fire, water damage, and toxic leaks
    • Natural disasters: floods, hurricanes, and tornadoes
    • Infrastructure disruption: loss of power, loss of HVAC, and downed communication lines
    • Equipment failure: computer system damage and network device failure
  • 50. BUILDING A SECURITY POLICY
    USER ID AND RIGHTS
    Authentication:
    • Authentication model
    • Implementing technologies
    • Implementation mechanism
    Access controls – determine who gets what access to what:
    • Access control model
    • Implementing mechanism
  • 51. BUILDING A SECURITY POLICY
    NETWORK SECURITY
    • Specific timeframes for changing passwords on network devices
    • Use of network protocols
    • Firewalls at specific chokepoints in a network architecture
    • Use of authentication servers to access network devices
  • 52. BUILDING A SECURITY POLICY
    SYSTEM SECURITY
    • The systems section is used to outline the specific settings required to secure a particular operating system or application
    - For example, for Windows NT 4.0, it may be a requirement that every logical drive be installed with NTFS.
    - For a particular UNIX flavor, shadow passwords may be required to hide user IDs and passwords from general users.
  • 53. BUILDING A SECURITY POLICY
    TESTING AND AUDITING
    • Specific requirements for vulnerability scanners, compliance checking tools, and other security tools run within the environment
    • Require auditing logs on specific devices, periodic self-audits performed by the system administrators, and the use of security compliance checking tools
    • Specify corporate auditing requirements, frequencies and organizations
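A small compliance check of the kind slides 52 and 53 call for, applied to the UNIX shadow-password requirement named on slide 52. This is an added example and not part of the original deck; the `/etc/passwd` lines and the file modes it inspects are constructed sample data, and the rule it encodes (only a placeholder in the password field of `passwd`, and `/etc/shadow` not readable by "other") is the standard shadow-password configuration, not a policy the slides spell out.

```python
"""Added example (not from the original deck): a minimal compliance checker
for the 'shadow passwords required' system-security rule.  The passwd
content and modes below are constructed, not read from any real host."""

import stat

# Constructed /etc/passwd content.  "ops" keeps a hash in the world-readable
# file and "guest" has an empty password field; both break the policy.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
ops:$6$saltsalt$notarealhashxxxxxxxxxxxxxxxxxxxxxxxxx:1001:1001:Ops:/home/ops:/bin/bash
guest::1002:1002:Guest:/home/guest:/bin/bash
"""

# Placeholders that mean "the real secret lives in /etc/shadow" (or "locked").
SHADOW_PLACEHOLDERS = ("x", "*", "!")


def check_passwd_entries(passwd_text: str) -> dict[str, str]:
    """Return {account: reason} for every passwd line that breaks the rule."""
    violations: dict[str, str] = {}
    for lineno, line in enumerate(passwd_text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            violations[f"line {lineno}"] = "malformed entry (expected 7 colon-separated fields)"
            continue
        user, pw_field = fields[0], fields[1]
        if pw_field == "":
            violations[user] = "empty password field: account can log in without a password"
        elif pw_field not in SHADOW_PLACEHOLDERS:
            violations[user] = "password hash stored in world-readable passwd file"
    return violations


def shadow_mode_compliant(mode: int) -> bool:
    """True if the given st_mode for /etc/shadow is a regular file that grants
    'other' no access at all (e.g. 0640 root:shadow).  A world-readable
    shadow file defeats the whole control."""
    return stat.S_ISREG(mode) and (mode & stat.S_IRWXO) == 0


def audit(passwd_text: str, shadow_mode: int) -> list[str]:
    """Combine both checks into the finding list an auditor would record."""
    findings = [f"{user}: {why}" for user, why in check_passwd_entries(passwd_text).items()]
    if not shadow_mode_compliant(shadow_mode):
        findings.append(f"/etc/shadow mode {stat.S_IMODE(shadow_mode):04o} grants access to 'other'")
    return findings


if __name__ == "__main__":
    # Constructed mode: a regular file with permissions 0644, i.e. world-readable.
    bad_shadow_mode = stat.S_IFREG | 0o644
    for finding in audit(SAMPLE_PASSWD, bad_shadow_mode):
        print("FINDING:", finding)
```

Run against a live host, the two inputs would be the text of `/etc/passwd` and `os.stat("/etc/shadow").st_mode`; the checker only ever reads, so it can run as the periodic self-audit slide 53 describes without needing write access.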
  • 54. SECURITY RESOURCES AND CERTIFICATIONS
    • CISSP – Certified Information Systems Security Professional
    • SSCP – Systems Security Certified Practitioner
    • GIAC – Global Information Assurance Certification
    • CISA – Certified Information Systems Auditor
    • CIW – Certified Internet Web Professional
  • 56. SUMMARY
    • The CIA TRIAD categorizes the aspects of information that must be protected from attacks: confidentiality, integrity, and availability.
    • The PPP TRIAD depicts security, privacy and market place perception as three additional abstract concepts that should drive security efforts.
  • 57. SUMMARY
    • The first step in creating an effective security policy is to perform a risk assessment within the environment. A risk assessment consists of five steps:
    - Check for existing security policies and processes
    - Analyze, prioritize and categorize resources
    - Consider business concerns
    - Evaluate existing security controls
    - Leverage existing management and control architecture
    • To estimate potential financial loss from security threats, the following formula works well by accounting for the most important cost factors associated with security: ALE = SLE * ARO
    • A security policy has three major benefits. It:
    - Communicates a common vision for security throughout a company
    - Represents a single easy-to-use source of security requirements
    - Exists as a flexible document that should be updated at least annually to address new security threats
  • 58. SUMMARY
    • An effective security policy includes security requirements in the following areas:
    - Physical security
    - User ID and rights management
    - Systems
    - Network
    - Security tools
    - Auditing
    • There are a number of security-related certifications to help security professionals quantify their knowledge on a resume.
    • Every security professional must stay current about the latest threats through web resources, mailing lists, and printed materials.