Information Security
Importance of having defined
Policy & Process
What is Information?

Data that is
• Accurate and timely
• Specific and organized for a purpose
• Presented within a context that gives it meaning and relevance
• Leading to an increase in understanding and a decrease in uncertainty
Information can be
• Created, Stored or Destroyed
• Processed
• Transmitted
• Corrupted
• Displayed / published on the web
• Verbal – spoken in conversations

‘…Whatever form the information takes, or means by which it is shared or stored, it should always be appropriately protected’ (BS ISO 27002:2005)
What is the Importance of Information?

Information is valuable because it can affect

 • Behavior
 • Decision
 • An outcome
What Is Information Security?

Information security is exactly what it says: the security of information.

“Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected” (BS ISO 27002:2005)

It is the process by which digital information assets are protected.
Why is information security needed?

• Ensure business continuity and reduce business damage
• Prevent and minimize the impact of security incidents
Data Breach Trends

Worldwide, approximately 1.1 million identities were exposed per breach, mainly owing to the large number of identities breached through hacking attacks.

Apr 18, 2012 - According to CNN, messages on Twitter and Tumblr indicated members of the loosely-structured hacking network were celebrating the shutdown of the CIA's website.

Sep 03, 2012 - Swedish government websites were jammed by hackers for hours Monday, with some supporters of WikiLeaks founder Julian Assange claiming responsibility on Twitter.

Sep 27, 2012 - Police smashed one of Australia's most sophisticated credit card fraud syndicates, seizing more than 15,000 fake cards with a potential value of $37.5 million.

Apr 18, 2012 - Emory Healthcare in Atlanta announced a data breach after the organization misplaced 10 backup disks, which contained information for more than 315,000 patients.

82% of large organizations reported security breaches caused by staff, including 47% who lost or leaked confidential information.
Security breaches lead to…
• Reputation loss
• Financial loss
• Intellectual property loss
• Legislative breaches leading to legal action (Cyber Law)
• Loss of customer confidence
• Business interruption costs

LOSS OF GOODWILL
• Information Security is an “Organizational Problem” rather than an “IT Problem”
• More than 70% of threats are internal
• More than 60% of culprits are first-time fraudsters
• Biggest risk: People
• Biggest asset: People
• Social engineering is a major threat
• More than two-thirds express their inability to determine “whether my systems are currently compromised”
What is Risk?

Risk: A possibility that a threat exploits a vulnerability in an asset and causes damage or loss to the asset.

Threat: Something that can potentially cause damage to the organisation, IT systems or network.

Vulnerability: A weakness in the organization, IT systems, or network that can be exploited by a threat.
The challenges before us

• Define security policies and standards
• Measure actual security against policy
• Report violations to policy
• Correct violations to conform with policy
• Summarize policy compliance for the organization
Where do we start?


“The framework within which an organization strives to
meet its need for information security is codified as
security policy. A security policy is a concise
statement, by those responsible for a system (such as
senior management), of information values, protection
responsibilities and organizational commitment.”
     –   US General Accounting Office (GAO)
What is “Security & Privacy”?

“Information Security” relates to the information “owned” by an organisation. It has traditionally included three component parts:

1. Confidentiality: Controlled access to information. Confidentiality of personally identifiable information is also a privacy concern.
2. Integrity: Ensuring that information can be relied upon to be sufficiently accurate for its purpose.
3. Availability: Assurance that information is accessible when needed.

What Else is “Security”?

It has been suggested recently that these should be reviewed completely, or that at least two more components should be added:

4. Accountability: Someone is personally accountable and responsible for the protection of information assets.
5. Auditability: Ability to explain changes to information “state” and ongoing audit tests.
Pillars of Information Security

• PEOPLE
• PROCESSES
• TECHNOLOGY
People “Who we are”
  People who use or interact with the Information include:
     Share Holders / Owners
     Management
     Employees
     Business Partners
     Service providers
     Contractors
     Customers / Clients
     Regulators etc…
Process “what we do”

The processes refer to "work practices" or workflow. Processes are the repeatable steps to accomplish business objectives. Typical processes in our IT infrastructure include:

• Helpdesk / Service management
• Incident Reporting and Management
• Change Requests process
• Request fulfillment
• Access management
• Identity management
• Service Level / Third-party Services Management
• IT procurement process, etc.
Technology “what we use to improve what we do”

Network Infrastructure:
• Cabling, Data/Voice Networks and equipment
• Telecommunications services (PABX), including VoIP services, Video Conferencing, ISDN
• Server computers and associated storage devices
• Operating software for server computers
• Communications equipment and related hardware
• Intranet and Internet connections
• VPNs and Virtual environments
• Remote access services
• Wireless connectivity

Application software:
• Finance and assets systems, including Accounting packages, Inventory management, HR systems, Assessment and reporting systems
• Software as a service (SaaS) - instead of software as a packaged or custom-made product, etc.

Physical Security components:
• CCTV Cameras
• Clock-in systems / Biometrics
• Environmental management systems: Humidity Control, Ventilation, Air Conditioning, Fire Control systems
• Electricity / Power backup

Access devices:
• Desktop computers
• Laptops, ultra-mobile laptops and PDAs
• Thin client computing
• Digital cameras, Printers, Scanners, Photocopier etc.
The Foundation of Information Security
The Information Security Functions
Managing Information Security
Policies: The Purpose

Provide a framework for the management of security across the enterprise.
Benefits:
• A blueprint for a company’s security program
• The success of any information security program lies in policy development
• Policy is the essential foundation of an effective information security program
• An effective information security training and awareness effort cannot be initiated without writing information security policies
What are the Objectives & Goals?

   Protect company & its assets against theft, abuse and other forms of harm and loss

   Estimate possible damage and potential loss through Risk analysis

   Comply with requirements for confidentiality, integrity and availability

   Ensure service continuity even if major security incidents occur

   Ensure compliance with current laws, regulations and guidelines


   Motivate administrators and employees to maintain the responsibility for, ownership of
    and knowledge about information security, in order to minimize the risk of security
    incidents
Definitions

• Policies: High-level statements that provide guidance to workers who must make present and future decisions
• Standards: Requirement statements that provide specific technical specifications
• Guidelines: Optional but recommended specifications
Security Policy

• Access to network resources will be granted through a unique user ID and password
• Passwords will be 8 characters long
• Passwords should include one non-alpha character and not be found in a dictionary
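The three policy statements above are high-level; to "measure actual security against policy" and "summarize policy compliance" (the challenges listed earlier) they have to be turned into a testable standard. The following is an added example, not code from the slides: it encodes the statements as checks and runs them over a batch of constructed password-change requests. It reads "8 characters long" as a minimum length, and the word list is a constructed stand-in for a real dictionary file; both are assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed stand-in for a dictionary word list; a real deployment would
# load a full word list or a breached-password corpus instead.
DICTIONARY = {"password", "welcome", "summer", "letmein", "dragon", "monkey"}

MIN_LENGTH = 8                        # "Passwords will be 8 characters long",
                                      # read here as a minimum (assumption)
NON_ALPHA = re.compile(r"[^A-Za-z]")  # "should include one non-alpha"


@dataclass(frozen=True)
class Violation:
    control: str   # which policy statement was not met
    detail: str


def check_password(password: str) -> list[Violation]:
    """Return every way `password` fails the standard; empty list = compliant."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(Violation("length", f"{len(password)} chars < {MIN_LENGTH}"))
    if not NON_ALPHA.search(password):
        violations.append(Violation("non-alpha", "no digit or symbol present"))
    # "not found in dictionary": reject the bare word and the usual dodge of
    # tacking digits or symbols onto the end of a dictionary word.
    stem = re.sub(r"[^A-Za-z]+$", "", password).lower()
    if password.lower() in DICTIONARY or (stem and stem in DICTIONARY):
        violations.append(Violation("dictionary", f"derived from '{stem}'"))
    return violations


def duplicate_user_ids(user_ids: list[str]) -> set[str]:
    """'Access ... through a unique user ID': an ID shared by several
    requests is a violation (comparison is case-insensitive)."""
    counts = Counter(uid.lower() for uid in user_ids)
    return {uid for uid, n in counts.items() if n > 1}


def compliance_report(requests: list[tuple[str, str]]) -> dict:
    """Measure, report and summarize: run the checks over a batch of
    (user_id, proposed_password) change requests and tally violations
    per control, so the result can be reported against the policy."""
    per_control = Counter()
    failed = []
    for uid, pw in requests:
        found = check_password(pw)
        for v in found:
            per_control[v.control] += 1
        if found:
            failed.append(uid)
    dup = duplicate_user_ids([uid for uid, _ in requests])
    per_control["unique-id"] = len(dup)
    total = len(requests)
    return {
        "total": total,
        "compliant": total - len(failed),
        "failed_users": failed,
        "duplicate_ids": sorted(dup),
        "violations_by_control": dict(per_control),
    }


if __name__ == "__main__":
    sample = [  # constructed change requests, not real accounts
        ("alice", "Tr0ub4dor&3"),
        ("bob", "Summer2012"),
        ("carol", "abcdefgh"),
        ("dave", "short1"),
        ("Alice", "x9!Qw2#zL"),
    ]
    for key, value in compliance_report(sample).items():
        print(f"{key}: {value}")
```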
Basic Rules in Shaping a Policy

•   Policy should never conflict with law

•   Policy must be able to stand up in court, if
    challenged

•   Policy must be properly supported and
    administered
Guidelines for making policy

•   All policies must contribute to the success of
    the organization

•   Management must ensure the adequate
    sharing of responsibility for proper use of
    information systems

•   End users of information systems should be
    involved in the steps of policy formulation
Policies should…

Clearly identify and define the information security goals and the goals of the organization.
Type of InfoSec policies

•   Based on NIST Special Publication 800-14, the three types of
    information security policies are
     –   Enterprise information security program policy
     –   Issue-specific security policies
     –   System-specific security policies


•   The usual procedure
     –   First – creation of the enterprise information security policy – the highest
         level of policy
     –   Next – general policies are met by developing issue- and system-specific
         policies
Elements of Policies
   Statement of Purpose
   Establish roles and responsibility
   Define asset classifications
   Provide direction for decisions
   Establish the scope of authority
   Provide a basis for guidelines and procedures
   Establish accountability
   Describe appropriate use of assets
   Establish relationships to legal requirements
Bull’s Eye Model

• Proven mechanism for prioritizing complex changes
• Issues are addressed by moving from the general to the specific
• Focus on systemic solutions rather than individual problems
Bull’s Eye Model (Contd.)
Bull’s Eye Model Layers
• Policies – the outer layer in the bull’s eye diagram
• Networks – the place where threats from public networks meet the organization’s networking infrastructure; in the past, most information security efforts have focused on networks, and until recently information security was often thought to be synonymous with network security
• Systems – computers used as servers, desktop computers, and systems used for process control and manufacturing systems
• Applications – all application systems, ranging from packaged applications such as office automation and e-mail programs, to high-end ERP packages and custom application software developed by the organization
The Ten-Step Approach
What Should Management Do?

It is the responsibility of senior management to:

• Clarify what data should be protected
• Decide how sensitive this information is
• Budget for the protection of different types of data
• Determine how much risk the organization is willing to accept
• Implement business processes to regularly monitor and improve
• Assign responsibility for this to appropriate senior staff
What Should IT Do?
 The IT department can then decide on the best way
 to provide the necessary security:
     Work with management to inventory the corporate
      information assets & develop security policy
     Stay informed of breaking issues
     Develop and maintain security management capabilities (in-
      house or contract resources)
     Participate in security audits


 It is advisable to concentrate responsibility for the
 security of information in all forms, printed and
 electronic, under a single management structure.
What Can You Do?
Once an information security system has been established,
organizational culture is a critical factor in ensuring that
individual employees pay attention to the information security
policies and implement the procedures:
    Become aware of the information assets that cross your desk
    Each time you forward corporate information to someone ask
     yourself if there are any security risks
    Speak up if you see evidence of security breaches
    Provide feedback to IT to assist ongoing management of
     Information Security



       Information Security is everyone’s business!!
HIPAA Security Guidelines


   Security Administration
   Physical Safeguards
   Technical Security Services and
    Mechanisms
Minimum HIPAA Requirements

Security Administration
• Certification Policy ( .308(a)(1))
• Chain of Trust Policy ( .308(a)(2))
• Contingency Planning Policy ( .308(a)(3))
• Data Classification Policy ( .308(a)(4))
• Access Control Policy ( .308(a)(5))
• Audit Trail Policy ( .308(a)(6))
• Configuration Management Policy ( .308(a)(8))
• Incident Reporting Policy ( .308(a)(9))
• Security Governance Policy ( .308(a)(10))
• Access Termination Policy ( .308(a)(11))
• Security Awareness & Training Policy ( .308(a)(12))
Minimum HIPAA Requirements

Physical Safeguards
• Security Plan (Security Roles and Responsibilities) ( .308(b)(1))
• Media Control Policy ( .308(b)(2))
• Physical Access Policy ( .308(b)(3))
• Workstation Use Policy ( .308(b)(4))
• Workstation Safeguard Policy ( .308(b)(5))
• Security Awareness & Training Policy ( .308(b)(6))
Minimum HIPAA Requirements

Technical Security Services and Mechanisms
• Mechanism for controlling system access ( .308(c)(1)(i))
  – “Need-to-know”
• Employ event logging on systems that process or store PHI ( .308(c)(1)(ii))
• Mechanism to authorize the privileged use of PHI ( .308(c)(3))
  – Employ a system or application-based mechanism to authorize activities within system resources in accordance with the Least Privilege Principle.
• Provide corroboration that PHI has not been altered or destroyed in an unauthorized manner ( .308(c)(4))
  – checksums, double keying, message authentication codes, and digital signatures.
• Users must be authenticated prior to accessing PHI ( .308(c)(5))
  – Uniquely identify each user and authenticate identity
  – Implement at least one of the following methods to authenticate a user:
    • Password;
    • Biometrics;
    • Physical token;
    • Call-back or strong authentication for dial-up remote access users.
  – Implement automatic log-offs to terminate sessions after set periods of inactivity.
• Protection of PHI on networks with connections to external communication systems or public networks ( .308(d))
  – Intrusion detection
  – Encryption
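The corroboration requirement ( .308(c)(4)) lists checksums and message authentication codes side by side, but they do not give the same assurance. The following is an added example, not code from the slides: it stores a PHI record first with an unkeyed SHA-256 checksum and then with an HMAC, and shows that both catch accidental corruption while only the keyed MAC catches an edit by someone who can also rewrite the stored integrity value. The record, the key and the edits are constructed sample data.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample PHI record; a real system would hold this in a database.
RECORD = {"patient_id": "P-0001", "dob": "1970-01-01", "allergies": ["penicillin"]}


def canonical(record: dict) -> bytes:
    """Serialize deterministically so identical content always hashes the same."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


# --- Mechanism 1: unkeyed checksum stored next to the record -----------------
def checksum(record: dict) -> str:
    return hashlib.sha256(canonical(record)).hexdigest()


def checksum_ok(record: dict, stored: str) -> bool:
    return hmac.compare_digest(checksum(record), stored)


# --- Mechanism 2: keyed MAC; the key is held outside the data store ----------
def mac(record: dict, key: bytes) -> str:
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def mac_ok(record: dict, tag: str, key: bytes) -> bool:
    return hmac.compare_digest(mac(record, key), tag)


def demo() -> dict:
    """Run both mechanisms against accidental corruption and an insider edit."""
    key = secrets.token_bytes(32)  # constructed; in practice from a KMS/HSM
    stored_sum = checksum(RECORD)
    stored_tag = mac(RECORD, key)

    # Accidental corruption: a field changes, the stored values are untouched.
    corrupted = dict(RECORD, dob="1970-01-10")
    accidental = {
        "checksum_detects": not checksum_ok(corrupted, stored_sum),
        "mac_detects": not mac_ok(corrupted, stored_tag, key),
    }

    # Unauthorized edit by someone with write access to the data store: they
    # change the record and recompute the checksum, which needs no secret.
    # Without the MAC key they cannot produce a matching tag, so the stored
    # tag no longer verifies and the change is detected.
    edited = dict(RECORD, allergies=[])
    rewritten_sum = checksum(edited)
    insider = {
        "checksum_detects": not checksum_ok(edited, rewritten_sum),
        "mac_detects": not mac_ok(edited, stored_tag, key),
    }
    return {"accidental": accidental, "insider_edit": insider}


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(scenario, result)
```

The takeaway for the policy: a checksum alone satisfies the letter of "corroboration" only against accidents; the standard derived from it should require a keyed MAC or a digital signature whenever the threat model includes anyone with write access to the store.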
Information Security Standards

ISO/IEC 27001 (ISO/IEC 27001:2005 – Information technology – Security techniques – Information security management systems – Requirements), commonly known as "ISO 27001".
• Published in 2005
• Formally specifies a management system that is intended to bring information security under explicit management control.
• Mandates specific requirements. Organizations that claim to have adopted ISO/IEC 27001 can therefore be formally audited and certified compliant.
• Management systematically examines the organization's information security risks, taking account of the threats, vulnerabilities and impacts.
• Requires a comprehensive suite of information security controls and/or other forms of risk treatment (e.g. risk avoidance, risk transfer).
• Requires a management process to ensure that the information security controls continue to meet the organization's information security needs on an ongoing basis.
Final Note

   Policies are a countermeasure to
    protect assets from threats
       Policies exist to inform employees of
        acceptable (unacceptable) behavior
       Are meant to improve employee
        productivity and prevent potentially
        embarrassing situations
       Communicate penalties for noncompliance
Human Wall Is Always Better Than A Firewall

. . . LET US BUILD A HUMAN WALL ALONG WITH FIREWALL
Cyber law in nepal and implementation
Cyber law in nepal and implementationCyber law in nepal and implementation
Cyber law in nepal and implementation
 
Role of youth in cyber law
Role of youth in cyber lawRole of youth in cyber law
Role of youth in cyber law
 

Último

Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Principled Technologies
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024The Digital Insurer
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 

Último (20)

Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 

Information security: importance of having defined policy & process

  • 1. Information Security Importance of having defined Policy & Process
  • 2. What is Information? Data that is •Accurate and timely •Specific and organized for a purpose •Presented within a context that gives it meaning and relevance •Lead to an increase in understanding and decrease in uncertainty
  • 3. Information can be • Created, Stored or Destroyed • Processed • Transmitted • Corrupted • Displayed / published on web • Verbal – spoken in conversations ‘…Whatever form the information takes, or means by which it is shared or stored, it should always be appropriately protected’ (BS ISO 27002:2005)
  • 4. What is the Importance of Information? Information is valuable because it can affect • Behavior • Decision • An outcome
  • 5. What Is Information Security? • Information security is exactly what it says, the security of information. “Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected” (BS ISO 27002:2005) • Process by which digital information assets are protected
  • 6. Why is information security needed? • Ensure business continuity and reduce business damage • Prevent and minimize the impact of security incidents
  • 7. Data Breach Trends Worldwide, approximately 1.1 million identities were exposed per breach, mainly owing to the large number of identities breached through hacking attacks. Apr18’2012 - According to CNN, messages on Twitter and Tumblr indicated members of the loosely-structured hacking network were celebrating the shutdown of the CIA's website. Sep03’2012 - Swedish government websites were jammed by hackers for hours Monday, with some supporters of WikiLeaks founder Julian Assange claiming responsibility on Twitter. Sep27’2012 - Police smashed one of Australia's most sophisticated credit card fraud syndicates, seizing more than 15,000 fake cards with a potential value of $37.5 million. Apr18’2012 - Emory Healthcare in Atlanta announced a data breach after the organization misplaced 10 backup disks, which contained information for more than 315,000 patients. 82% of large organizations reported security breaches caused by staff, including 47% who lost or leaked confidential information.
  • 8. Security breaches lead to… • Reputation loss • Financial loss • Intellectual property loss • Legislative breaches leading to legal actions (Cyber Law) • Loss of customer confidence • Business interruption costs LOSS OF GOODWILL
  • 9. Information Security is an “Organizational Problem” rather than an “IT Problem” • More than 70% of threats are internal • More than 60% of culprits are first-time fraudsters • Biggest Risk: People • Biggest Asset: People • Social Engineering is a major threat • More than 2/3rd express their inability to determine “Whether my systems are currently compromised?”
  • 10. What is Risk? Risk: A possibility that a threat exploits a vulnerability in an asset and causes damage or loss to the asset. Threat: Something that can potentially cause damage to the organisation, IT Systems or network. Vulnerability: A weakness in the organization, IT Systems, or network that can be exploited by a threat.
  • 11. The challenges before us • Define security policies and standards • Measure actual security against policy • Report violations to policy • Correct violations to conform with policy • Summarize policy compliance for the organization
  • 12. Where do we start? “The framework within which an organization strives to meet its need for information security is codified as security policy. A security policy is a concise statement, by those responsible for a system (such as senior management), of information values, protection responsibilities and organizational commitment.” – US General Accounting Office (GAO)
  • 13. What is “Security & Privacy”? “Information Security” relates to the information “owned” by an organisation. Traditionally included three component parts: 1. Confidentiality: Controlled access to information. Confidentiality of personally identifiable information is also a Privacy concern. 2. Integrity: Ensuring that information can be relied upon to be sufficiently accurate for its purpose. 3. Availability: Assurance that information is accessible when needed.
  • 14. What Else is “Security”? It has been suggested recently that these should be reviewed completely or that at least two more components should be added: 4. Accountability: Someone is personally accountable and responsible for the protection of information assets. 5. Auditability: Ability to explain changes to information “state” and ongoing audit tests.
  • 15. Pillar of Information Security PEOPLE PROCESSES TECHNOLOGY
  • 16. People “Who we are” People who use or interact with the Information include: Share Holders / Owners; Management; Employees; Business Partners; Service providers; Contractors; Customers / Clients; Regulators; etc…
  • 17. Process “what we do” The processes refer to "work practices" or workflow. Processes are the repeatable steps to accomplish business objectives. Typical processes in our IT Infrastructure could include: Helpdesk / Service management; Incident Reporting and Management; Change Requests process; Request fulfillment; Access management; Identity management; Service Level / Third-party Services Management; IT procurement process; etc...
  • 18. Technology “what we use to improve what we do” Network Infrastructure: Cabling, Data/Voice Networks and equipment; Telecommunications services (PABX), including VoIP services, ISDN, Video Conferencing; Server computers and associated storage devices; Operating software for server computers; Communications equipment and related hardware; Intranet and Internet connections; VPNs and Virtual environments; Remote access services; Wireless connectivity. Application software: Finance and assets systems, including Accounting packages, Inventory management, HR systems, Assessment and reporting systems; Software as a service (SaaS) instead of software as a packaged or custom-made product; etc. Physical Security components: CCTV Cameras; Clock in systems / Biometrics; Environmental management Systems: Humidity Control, Ventilation, Air Conditioning, Fire Control systems; Electricity / Power backup. Access devices: Desktop computers; Laptops, ultra-mobile laptops and PDAs; Thin client computing; Digital cameras, Printers, Scanners, Photocopier etc.
  • 19. The Foundation of Information Security
  • 23. The Purpose Provide a framework for the management of security across the enterprise
  • 24. Benefits: • A blue print for a company’s security program • The success of any information security program lies in policy development • Policy is the essential foundation of an effective information security program • An effective information security training and awareness effort cannot be initiated without writing information security policies
  • 25. What are the Objectives & Goals? • Protect company & its assets against theft, abuse and other forms of harm and loss • Estimate possible damage and potential loss through Risk analysis • Comply with requirements for confidentiality, integrity and availability • Ensure service continuity even if major security incidents occur • Ensure compliance with current laws, regulations and guidelines • Motivate administrators and employees to maintain the responsibility for, ownership of and knowledge about information security, in order to minimize the risk of security incidents
  • 26. Definitions • Policies – High level statements that provide guidance to workers who must make present and future decisions • Standards – Requirement statements that provide specific technical specifications • Guidelines – Optional but recommended specifications
  • 27. Security Policy Access to network resources will be granted through a unique user ID and password. Passwords will be 8 characters long. Passwords should include one non-alpha character and not be found in a dictionary.
  • 28. Basic Rules in Shaping a Policy • Policy should never conflict with law • Policy must be able to stand up in court, if challenged • Policy must be properly supported and administered
  • 29. Guidelines for making policy • All policies must contribute to the success of the organization • Management must ensure the adequate sharing of responsibility for proper use of information systems • End users of information systems should be involved in the steps of policy formulation
  • 30. Policies should…… Clearly identify and define the information security goals and the goals of the organization.
  • 31. Types of InfoSec policies • Based on NIST Special Publication 800-14, the three types of information security policies are – Enterprise information security program policy – Issue-specific security policies – System-specific security policies • The usual procedure – First – creation of the enterprise information security policy – the highest level of policy – Next – general policies are met by developing issue- and system-specific policies
  • 32. Elements of Policies • Statement of Purpose • Establish roles and responsibility • Define asset classifications • Provide direction for decisions • Establish the scope of authority • Provide a basis for guidelines and procedures • Establish accountability • Describe appropriate use of assets • Establish relationships to legal requirements
  • 33. Bull’s Eye Model • Proven mechanism for prioritizing complex changes • Issues are addressed by moving from general to specifics • Focus of systemic solutions instead of individual problems
  • 34. Bull’s Eye Model (Contd.)
  • 35. Bull’s Eye Model Layers • Policies – the outer layer in the bull’s eye diagram • Networks – the place where threats from public networks meet the organization’s networking infrastructure; in the past, most information security efforts have focused on networks, and until recently information security was often thought to be synonymous with network security • Systems – computers used as servers, desktop computers, and systems used for process control and manufacturing systems • Application – all application systems, ranging from packaged applications such as office automation and e-mail programs, to high-end ERP packages and custom application software developed by the organization
  • 37. What Should Management Do? It is the responsibility of senior management to: • Clarify what data should be protected • Decide how sensitive this information is • Budget for the protection of different types of data • Determine how much risk the organization is willing to accept • Implement business processes to regularly monitor and improve • Assign responsibility for this to appropriate senior staff
  • 38. What Should IT Do? The IT department can then decide on the best way to provide the necessary security: • Work with management to inventory the corporate information assets & develop security policy • Stay informed of breaking issues • Develop and maintain security management capabilities (in-house or contract resources) • Participate in security audits It is advisable to concentrate responsibility for the security of information in all forms, printed and electronic, under a single management structure.
  • 39. What Can You Do? Once an information security system has been established, organizational culture is a critical factor in ensuring that individual employees pay attention to the information security policies and implement the procedures: • Become aware of the information assets that cross your desk • Each time you forward corporate information to someone, ask yourself if there are any security risks • Speak up if you see evidence of security breaches • Provide feedback to IT to assist ongoing management of Information Security Information Security is everyone’s business!!
  • 40. HIPAA Security Guidelines • Security Administration • Physical Safeguards • Technical Security Services and Mechanisms
  • 41. Minimum HIPAA Requirements • Security Administration – Certification Policy ( .308(a)(1)) – Chain of Trust Policy ( .308(a)(2)) – Contingency Planning Policy ( .308(a)(3)) – Data Classification Policy ( .308(a)(4)) – Access Control Policy ( .308(a)(5)) – Audit Trail Policy ( .308(a)(6)) – Configuration Management Policy ( .308(a)(8)) – Incident Reporting Policy ( .308(a)(9)) – Security Governance Policy ( .308(a)(10)) – Access Termination Policy ( .308(a)(11)) – Security Awareness & Training Policy ( .308(a)(12))
  • 42. Minimum HIPAA Requirements • Physical Safeguards – Security Plan (Security Roles and Responsibilities) ( .308(b)(1)) – Media Control Policy ( .308(b)(2)) – Physical Access Policy ( .308(b)(3)) – Workstation Use Policy ( .308(b)(4)) – Workstation Safeguard Policy ( .308(b)(5)) – Security Awareness & Training Policy ( .308(b)(6))
  • 43. Minimum HIPAA Requirements • Technical Security Services and Mechanisms – Mechanism for controlling system access ( .308(c)(1)(i)) ◦ “Need-to-know” – Employ event logging on systems that process or store PHI ( .308(c)(1)(ii)) – Mechanism to authorize the privileged use of PHI ( .308(c)(3)) ◦ Employ a system or application-based mechanism to authorize activities within system resources in accordance with the Least Privilege Principle. – Provide corroboration that PHI has not been altered or destroyed in an unauthorized manner ( .308(c)(4)) ◦ Checksums, double keying, message authentication codes, and digital signatures. – Users must be authenticated prior to accessing PHI ( .308(c)(5)) ◦ Uniquely identify each user and authenticate identity ◦ Implement at least one of the following methods to authenticate a user: Password; Biometrics; Physical token; Call-back or strong authentication for dial-up remote access users. ◦ Implement automatic log-offs to terminate sessions after set periods of inactivity. – Protection of PHI on networks with connections to external communication systems or public networks ( .308(d)) ◦ Intrusion detection ◦ Encryption
  • 44. Information Security Standards ISO/IEC 27001 (ISO/IEC 27001:2005 - Information technology -- Security techniques -- Information security management systems – Requirements), commonly known as "ISO 27001". • Published in 2005 • Formally specifies a management system that is intended to bring information security under explicit management control. • Mandates specific requirements. Organizations that claim to have adopted ISO/IEC 27001 can therefore be formally audited and certified compliant • Management systematically examines the organization's information security risks, taking account of the threats, vulnerabilities and impacts • Requires a comprehensive suite of information security controls and/or other forms of risk treatment (e.g. risk avoidance, risk transfer) • Requires a management process to ensure that the information security controls continue to meet the organization's information security needs on an ongoing basis.
  • 45. Final Note • Policies are a countermeasure to protect assets from threats • Policies exist to inform employees of acceptable (and unacceptable) behavior • Are meant to improve employee productivity and prevent potentially embarrassing situations • Communicate penalties for noncompliance
  • 46. Human Wall Is Always Better Than A Firewall . . . LET US BUILD A HUMAN WALL ALONG WITH FIREWALL
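The password rules on slide 27 are the kind of policy statement that protects nothing until a system enforces it. The check below is an added example written for this page, not code from the original deck: it turns the three stated rules (8 characters, at least one non-alphabetic character, not found in a dictionary) into a function that reports which rules a candidate password violates. The word list is a constructed sample, and normalising look-alike characters (so that p@ssw0rd is compared as password) before the dictionary lookup is an added strengthening the slide does not specify.

```python
"""Added example: enforcing the slide-27 password policy as code.
Not from the original deck. The word list is a constructed sample and the
look-alike normalisation before the dictionary lookup is an added
strengthening, not something the slide specifies."""

# Constructed sample of a "dictionary". A real deployment loads a word list
# with tens of thousands of entries; this is kept small to run offline.
COMMON_WORDS = {
    "password", "welcome", "summer", "letmein", "dragon", "monkey", "qwerty",
}

MIN_LENGTH = 8  # slide 27: "Passwords will be 8 characters long"

# Assumption (not in the slide): map common look-alike substitutions back to
# letters so "p@ssw0rd" is still recognised as the dictionary word "password".
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t",
})


def dictionary_forms(password: str) -> set:
    """Variants of the password that are compared against the word list:
    the lower-cased password, its de-leeted form, and the alphabetic core
    of each (so "Welcome2024" still matches "welcome")."""
    lowered = password.lower()
    forms = {lowered, lowered.translate(LEET_MAP)}
    forms |= {"".join(ch for ch in f if ch.isalpha()) for f in forms}
    return {f for f in forms if f}


def check_password(password: str, dictionary=COMMON_WORDS) -> list:
    """Return the list of slide-27 rules the candidate violates.

    An empty list means the password satisfies all three: minimum length,
    at least one non-alphabetic character, and not found in the dictionary
    (after normalisation).
    """
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if not any(not ch.isalpha() for ch in password):
        violations.append("contains no non-alphabetic character")
    if dictionary_forms(password) & set(dictionary):
        violations.append("based on a dictionary word")
    return violations


if __name__ == "__main__":
    # Constructed candidates covering each rule and a compliant password.
    for candidate in ["monkey", "Welcome2024", "P@ssw0rd", "xq7!vR2m"]:
        result = check_password(candidate)
        print(f"{candidate!r}: {'OK' if not result else ', '.join(result)}")
```

Returning the list of violated rules rather than a bare yes/no lets the same function drive a user-facing message, an audit log entry and a compliance report, which is what slide 11 asks for when it lists "report violations to policy" and "summarize policy compliance".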
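Slide 43 names message authentication codes among the mechanisms that corroborate PHI has not been altered, and separately asks for automatic log-off after a period of inactivity. The code below is an added example, not from the deck or from HIPAA guidance itself: it seals a constructed sample record with HMAC-SHA256 over a canonical serialisation, verifies the tag in constant time so that any alteration is detected, and implements the inactivity rule as a timestamp comparison. The sample record, the key handling and the 15-minute limit are assumptions; the slide gives no figure.

```python
"""Added example: integrity corroboration and inactivity log-off for a PHI
record, as listed on slide 43. Not from the original deck. The record and
the inactivity limit are constructed/assumed values."""
import hashlib
import hmac
import json
import secrets
import time

# Constructed sample PHI record (not real patient data).
SAMPLE_RECORD = {"patient_id": "P-0001", "dob": "1970-01-01", "diagnosis": "J45.909"}

# Assumption: in production the MAC key lives in a KMS/HSM and is never kept
# beside the data it protects. A fresh random key is generated here so the
# example runs offline.
MAC_KEY = secrets.token_bytes(32)


def canonical(record: dict) -> bytes:
    """Stable serialisation: the same logical record always yields the same
    bytes, regardless of key order, so the tag is reproducible."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(record: dict, key: bytes = MAC_KEY) -> str:
    """Return an HMAC-SHA256 tag over the canonical record."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify(record: dict, tag: str, key: bytes = MAC_KEY) -> bool:
    """Recompute the tag and compare in constant time. Any changed field,
    a wrong key or a corrupted tag makes this return False."""
    expected = seal(record, key)
    return hmac.compare_digest(expected, tag)


INACTIVITY_LIMIT_SECONDS = 15 * 60  # assumption: the slide sets no period


def session_expired(last_activity_ts: float, now_ts: float,
                    limit: float = INACTIVITY_LIMIT_SECONDS) -> bool:
    """True when the session must be terminated for inactivity
    (slide 43: automatic log-off after a set period)."""
    return now_ts - last_activity_ts >= limit


if __name__ == "__main__":
    tag = seal(SAMPLE_RECORD)
    print("stored record verifies:  ", verify(SAMPLE_RECORD, tag))
    tampered = dict(SAMPLE_RECORD, diagnosis="Z00.00")
    print("tampered record verifies:", verify(tampered, tag))
    now = time.time()
    print("idle 20 min -> log off:  ", session_expired(now - 20 * 60, now))
    print("idle 5 min  -> log off:  ", session_expired(now - 5 * 60, now))
```

A plain checksum would also detect accidental corruption, but anyone able to alter the stored record can recompute a checksum; the keyed tag cannot be recomputed without the key, which is why the slide's list climbs from checksums to message authentication codes and digital signatures. Event logging, the other slide-43 item, would record each failed verification and each forced log-off.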