Information security process
The security process:
Risk assessment
Policies and procedures
Security implementation
Security awareness
Audits
Cost
Total cost of security = cost of the incident + cost of countermeasures
Cost of information security (countermeasures in place, no incident) = cost of countermeasures
Cost of the incident + cost of countermeasures >> cost of countermeasures
In other words: an organization that skips countermeasures does not save their cost, it ends up paying for them anyway after an incident, plus the cost of the incident itself.
Process of information security
1. Assessment
2. Policy
3. Implementation
4. Training
5. Audit
A continuous process: the five phases above are repeated as a cycle, the audit feeding the next assessment.
1. Conducting an Assessment
Goals of the assessment:
Determine the value of the information assets
Determine the threats to confidentiality, integrity, availability and/or accountability
Determine the vulnerabilities inherent in the organization's current practice
Identify the risk posed to the organization with regard to its information assets
Recommend changes to current practice
Provide a foundation on which to build an appropriate security plan
Conducting an Assessment
Five types of assessment:
System-level vulnerability assessment: computer systems are examined for known vulnerabilities
Network-level risk assessment: the computer network and infrastructure are examined
Organization-wide risk assessment: see next slide
Audit
Penetration test
Conducting an Assessment
Gather information from:
Employee interviews
Document review
Technical examination
Physical inspection
Conducting an Assessment
An organization-wide risk assessment covers:
The organization
  The organization's network
  The organization's physical security measures
  The organization's existing policies and procedures
  The precautions the organization has put in place
  Employee awareness of security issues
The employees of the organization
  The workload of the employees
  The attitude of the employees
  Employee adherence to existing policies and procedures
The business of the organization
Conducting an Assessment
Result: the assessment team presents the complete set of risks and recommendations to the organization
Present the risks from largest to smallest
For each risk, its cost (in a broad sense, not only money) should be presented
Develop a security plan
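The slides only say that risks should be presented largest first with a cost for each. The following is an added example, not part of the original slides, showing one common way to do that quantitatively: single loss expectancy (asset value times the fraction lost per incident) times the expected incidents per year gives an annual loss expectancy, which is then compared with the annual cost of the countermeasure, as in the "total cost of security" formula on slide 2. The SLE/ALE model and every asset value, rate and cost below are assumptions constructed for illustration.

```python
"""Rank assessment findings by expected annual loss and cost each countermeasure.

Added example, not from the original slides. SLE = asset value x exposure factor,
ALE = SLE x annual rate of occurrence. All figures are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float            # value of the information asset at risk
    exposure_factor: float        # fraction of asset value lost per incident, 0..1
    annual_rate: float            # expected incidents per year, no countermeasure
    countermeasure: str
    countermeasure_cost: float    # annual cost of the countermeasure
    residual_exposure: float      # exposure factor once the countermeasure is in place
    residual_rate: float          # incidents per year once the countermeasure is in place


def loss_expectancy(asset_value, exposure_factor, rate):
    """Annual loss expectancy: (asset value x exposure factor) x incidents per year."""
    return asset_value * exposure_factor * rate


def evaluate(r: Risk) -> dict:
    ale_before = loss_expectancy(r.asset_value, r.exposure_factor, r.annual_rate)
    ale_after = loss_expectancy(r.asset_value, r.residual_exposure, r.residual_rate)
    # Slide 2: total cost of security = cost of incidents + cost of countermeasures.
    total_with = ale_after + r.countermeasure_cost
    return {
        "risk": r.name,
        "ale_before": ale_before,
        "countermeasure": r.countermeasure,
        "countermeasure_cost": r.countermeasure_cost,
        "ale_after": ale_after,
        "total_cost_with_countermeasure": total_with,
        "net_benefit": ale_before - total_with,
        # Cost-justified only if it lowers the total cost of security.
        "cost_justified": ale_before - total_with > 0,
    }


def rank_risks(risks):
    """Largest risk first, which is the order the assessment report should use."""
    return sorted((evaluate(r) for r in risks), key=lambda e: e["ale_before"], reverse=True)


def report(risks) -> str:
    """One text line per risk, largest risk first, with the cost figures beside it."""
    lines = [f"{'risk':<34}{'ALE':>10}{'cm cost':>10}{'ALE after':>11}{'net':>10}  justified"]
    for e in rank_risks(risks):
        lines.append(
            f"{e['risk']:<34}{e['ale_before']:>10,.0f}{e['countermeasure_cost']:>10,.0f}"
            f"{e['ale_after']:>11,.0f}{e['net_benefit']:>10,.0f}  "
            f"{'yes' if e['cost_justified'] else 'no'}"
        )
    return "\n".join(lines)


# Constructed findings; every value is an assumption chosen for illustration.
SAMPLE_RISKS = [
    Risk("Ransomware on file server", 500_000, 0.5, 0.5,
         "Offline backups + endpoint detection", 40_000, 0.5, 0.0625),
    # Full-disk encryption does not stop thefts (rate unchanged) but leaves only the
    # hardware value exposed.
    Risk("Laptop theft, unencrypted disk", 80_000, 1.0, 2.0,
         "Full-disk encryption", 5_000, 0.0625, 2.0),
    # A countermeasure that costs more than the loss it prevents: not justified on money alone.
    Risk("Web site defacement", 16_000, 0.125, 1.0,
         "Managed WAF service", 12_000, 0.125, 0.25),
]

if __name__ == "__main__":
    print(report(SAMPLE_RISKS))
```

The money figures are only part of the "cost in a broad sense" the slide asks for: a defacement with a tiny annual loss expectancy may still be worth preventing for reputational or contractual reasons, so the ranking is a starting point for the report, not the whole recommendation.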
2. Developing Policy
Information policy
Security policy
Use policy
Backup policy
Account management procedures
Incident handling procedure
Disaster recovery plan
3. Implementing Security
Security reporting systems
Use-monitoring systems
Vulnerability scans
Policy adherence
Authentication systems
Perimeter security
Network monitoring systems
Encryption
Physical security
Staff
4. Awareness Training
Employees
Administrators
Developers
Executives
Security staff
5. Audits
Three different functions:
Policy adherence audits
Periodic and new-project assessments
Penetration tests
Information Security Best Practices
1. Best practices
2. Administrative security practices
3. Technical security practices
4. Using best practice standards
2. Administrative Security Practices
Policies and procedures
Resources
Responsibility
Education
Contingency plans
Security project plans
Policies and Procedures
Information policy
Security policy
Use policy
Backup policy
Procedures for user management
System administration procedures
Configuration management procedures
Resources
Staff
Budget
Time, resources and scope form the project-management triangle: a security project cannot change one of the three without constraining the other two.
Education
Preventative measures
Enforcement measures
Incentive measures
Contingency Plans
Incident response
Backup and data archival
Disaster recovery
Security Project Plans
Improvement plans
Assessment plans
Vulnerability assessment plans
Audit plans
Training plans
Policy evaluation plans
3. Technical Security Practices
Network controls
Malicious code protection
Authentication
Monitoring
Encryption
Patching systems
Backup and recovery
Physical security
4. Using best practice standards (ISO 27002)
1. Begin with the best practices of this chapter or with ISO 27002.
2. For each section, ask: what are you doing now?
3. If your organization does not follow the practice, try to understand why.
4. If you find a recommendation that has not been implemented, you have a gap.
5. Determine whether the gap is something that should be covered, and make a recommendation to your management.