![Page 1: Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing](https://reader031.vdocument.in/reader031/viewer/2022033103/56649e115503460f94afdc7f/html5/thumbnails/1.jpg)
Lesson 8-Information Security Process
![Page 2: Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing](https://reader031.vdocument.in/reader031/viewer/2022033103/56649e115503460f94afdc7f/html5/thumbnails/2.jpg)
Overview
Introducing information security process.
Conducting an assessment.
Developing a policy.
Implementing security.
Conducting awareness training.
Conducting audits.
![Page 3: Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing](https://reader031.vdocument.in/reader031/viewer/2022033103/56649e115503460f94afdc7f/html5/thumbnails/3.jpg)
Introduction to Information Security Process
The process of information security
![Page 4: Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing](https://reader031.vdocument.in/reader031/viewer/2022033103/56649e115503460f94afdc7f/html5/thumbnails/4.jpg)
Conducting an Assessment
An assessment determines:
The total value of the organization’s information assets.
The size of the threats with respect to confidentiality, integrity,
availability, and accountability.
The vulnerabilities of the information assets and the
organization.
The organization’s overall risk and recommended changes to
current information security policy.
![Page 5: Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing](https://reader031.vdocument.in/reader031/viewer/2022033103/56649e115503460f94afdc7f/html5/thumbnails/5.jpg)
Conducting an Assessment
While conducting an assessment of an organization, examine:
Network.
Physical security measures.
Existing policies and procedures.
Precautions.
Awareness.
![Page 6: Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing](https://reader031.vdocument.in/reader031/viewer/2022033103/56649e115503460f94afdc7f/html5/thumbnails/6.jpg)
Conducting an Assessment
While conducting an assessment of an organization,
examine (continued):
Staff.
Workload and employee attitude.
Adherence.
Business.
![Page 7: Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing](https://reader031.vdocument.in/reader031/viewer/2022033103/56649e115503460f94afdc7f/html5/thumbnails/7.jpg)
Network
The organization’s network is the easiest access point to
information and systems.
A network diagram helps examine each point of
connectivity.
Query network administrators to know the type of network
management system in use.
Perform a vulnerability scan of all systems.
![Page 8: Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing](https://reader031.vdocument.in/reader031/viewer/2022033103/56649e115503460f94afdc7f/html5/thumbnails/8.jpg)
Network
The protection mechanism within a network should include:
Router access control lists and firewall rules on all Internet
access points.
Authentication mechanisms used for remote access.
Protection mechanisms on access points to other
organizations.
Encryption mechanism used to protect portable computers and
to transmit and store information.
![Page 9: Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing](https://reader031.vdocument.in/reader031/viewer/2022033103/56649e115503460f94afdc7f/html5/thumbnails/9.jpg)
Network
The protection mechanism within a network should include
(continued):
Anti-virus systems in place on servers, desktops, and e-mail
systems.
Server security configurations.
![Page 10: Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing](https://reader031.vdocument.in/reader031/viewer/2022033103/56649e115503460f94afdc7f/html5/thumbnails/10.jpg)
Physical Security Measures
Important physical security information includes identifying:
The protection mechanisms to site, buildings, office space,
paper records, and data center.
The personnel responsible for the physical security.
The critical and sensitive areas.
The location of the communication lines within the building.
The types of UPS in place and how long the current UPS will
sustain.
![Page 11: Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing](https://reader031.vdocument.in/reader031/viewer/2022033103/56649e115503460f94afdc7f/html5/thumbnails/11.jpg)
Physical Security Measures
Important physical security information requires knowing:
How power is supplied to the site and data center.
The systems connected to the UPS.
The environment controls attached to the UPS in the data
center.
The type of suppression system in the data center.
The personnel who need to be notified incase of power or
environment control failure.
![Page 12: Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing](https://reader031.vdocument.in/reader031/viewer/2022033103/56649e115503460f94afdc7f/html5/thumbnails/12.jpg)
Policies and Procedures
Policies and procedures must be examined for relevance,
appropriateness, and completeness.
Procedures must define the way tasks are currently performed.
Map requirements with stated goals.
Update policies and procedures on a regular basis.
Assess the organization’s security awareness program.
Examine the recent incident and audit reports.
![Page 13: Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing](https://reader031.vdocument.in/reader031/viewer/2022033103/56649e115503460f94afdc7f/html5/thumbnails/13.jpg)
Precautions
Precautions are used to restore operations when something
goes wrong.
Backup systems and disaster recovery plans are two
components of precautions.
Understand which backup system is used and how often is it
used.
Examine the disaster recovery plan for relevance and
completeness.
![Page 14: Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing](https://reader031.vdocument.in/reader031/viewer/2022033103/56649e115503460f94afdc7f/html5/thumbnails/14.jpg)
Awareness
Determine the staff’s level of awareness of security issues
and policies.
Create awareness of security threats, vulnerabilities, and
signs indicating that a system is compromised.
Ensure that the staff knows how to implement a disaster
recovery plan.
![Page 15: Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing](https://reader031.vdocument.in/reader031/viewer/2022033103/56649e115503460f94afdc7f/html5/thumbnails/15.jpg)
People
Examine whether the staff members have the necessary
skills to implement a security program.
They must understand policy work and latest security
products.
Administrator’s must be able to administer the
organization’s systems and networks.
![Page 16: Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing](https://reader031.vdocument.in/reader031/viewer/2022033103/56649e115503460f94afdc7f/html5/thumbnails/16.jpg)
Workload and Employee Attitude
Overworked employees do not contribute much to the security
environment.
Determine whether the workload is a temporary problem.
Assess management attitude with regard to security issues.
Identify responsible personnel for security within the
organization.
Employees must be aware of the management’s commitment to
security.
![Page 17: Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing](https://reader031.vdocument.in/reader031/viewer/2022033103/56649e115503460f94afdc7f/html5/thumbnails/17.jpg)
Adherence
While determining the intended security environment,
identify the actual security environment.
The intended security environment is defined by policy,
attitudes, and existing mechanisms.
Determine whether adherence to this policy requirement is
lacking.
![Page 18: Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing](https://reader031.vdocument.in/reader031/viewer/2022033103/56649e115503460f94afdc7f/html5/thumbnails/18.jpg)
Business
Identify the cost if confidentiality, integrity, availability, or
accountability of information is compromised.
Measure vulnerabilities in monetary terms, downtime, lost
reputation, or lost business.
Identify the flow of information across the organization.
![Page 19: Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing](https://reader031.vdocument.in/reader031/viewer/2022033103/56649e115503460f94afdc7f/html5/thumbnails/19.jpg)
Business
Identify organizational interdependencies.
Identify which systems and networks are important to the
primary function of the organization.
Identify the back-end systems.
![Page 20: Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing](https://reader031.vdocument.in/reader031/viewer/2022033103/56649e115503460f94afdc7f/html5/thumbnails/20.jpg)
Assessment Results
Analyze the information.
Assess all security vulnerabilities.
Compile a complete set of risks in the order of high to low.
Include a list of recommendations to manage each risk.
![Page 21: Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing](https://reader031.vdocument.in/reader031/viewer/2022033103/56649e115503460f94afdc7f/html5/thumbnails/21.jpg)
Assessment Results
Present potential cost in terms of money, time, resources,
reputation, and lost business.
Develop a security plan.
Allocate and schedule resources to handle security.
![Page 22: Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing](https://reader031.vdocument.in/reader031/viewer/2022033103/56649e115503460f94afdc7f/html5/thumbnails/22.jpg)
Developing a Policy
Policies and procedures define the expected state of an
organization’s security.
It defines the tasks to be performed during implementation.
Create policies for communication, security, system usage,
backup, account management, incident handling, and
disaster recovery plan.
![Page 23: Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing](https://reader031.vdocument.in/reader031/viewer/2022033103/56649e115503460f94afdc7f/html5/thumbnails/23.jpg)
Developing a Policy
Choosing the order of policies to develop, depends on:
The criticality of risks.
The time each will take to complete. Ideally, the information
policy should be completed early in the process.
![Page 24: Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing](https://reader031.vdocument.in/reader031/viewer/2022033103/56649e115503460f94afdc7f/html5/thumbnails/24.jpg)
Developing a Policy
Existing documents require frequent updating.
Use these documents and identify deficiencies.
Involve people who developed the policies.
![Page 25: Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing](https://reader031.vdocument.in/reader031/viewer/2022033103/56649e115503460f94afdc7f/html5/thumbnails/25.jpg)
Implementing Security
Implementation of organizational policies include:
Identification and implementation of technical tools and
physical controls.
Hiring of security staff.
Examination of each implementation and its interactions with
other controls.
![Page 26: Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing](https://reader031.vdocument.in/reader031/viewer/2022033103/56649e115503460f94afdc7f/html5/thumbnails/26.jpg)
Implementing Security
Security reporting systems.
Authentication systems.
Internet security.
Intrusion detection systems.
Encryption.
Physical security.
Staff.
![Page 27: Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing](https://reader031.vdocument.in/reader031/viewer/2022033103/56649e115503460f94afdc7f/html5/thumbnails/27.jpg)
Security Reporting Systems
It is a mechanism to track adherence to policies and
procedures.
It tracks the overall state of vulnerabilities within the
organization.
It can use manual or automated systems.
![Page 28: Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing](https://reader031.vdocument.in/reader031/viewer/2022033103/56649e115503460f94afdc7f/html5/thumbnails/28.jpg)
Security Reporting Systems
Enforce computer use policies such as:
Tracking Internet use.
Restricting access while maintaining login attempts.
Removing unwanted applications from the desktop
installations.
![Page 29: Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing](https://reader031.vdocument.in/reader031/viewer/2022033103/56649e115503460f94afdc7f/html5/thumbnails/29.jpg)
Security Reporting Systems
System vulnerability scans include:
Tracking the number of systems on the network.
Tracking the number of vulnerabilities on these systems.
Providing vulnerability reports to system administrators for
correction or explanation.
![Page 30: Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing](https://reader031.vdocument.in/reader031/viewer/2022033103/56649e115503460f94afdc7f/html5/thumbnails/30.jpg)
Security Reporting Systems
Policy adherence is a time-consuming security task.
It can be automated or manual.
The automated checks require more time to set up and
configure. They provide complete results in a timely
manner.
In manual system, a security personnel examines and
monitors all facets of the security policy.
![Page 31: Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing](https://reader031.vdocument.in/reader031/viewer/2022033103/56649e115503460f94afdc7f/html5/thumbnails/31.jpg)
Authentication Systems
Authentication systems are used to prove the identity of
users accessing a network.
These systems identify authorized users and grant them
physical access to a facility.
They should be implemented with proper planning.
Password restrictions, smart cards, and biometrics are few
examples of authenticated systems.
![Page 32: Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing](https://reader031.vdocument.in/reader031/viewer/2022033103/56649e115503460f94afdc7f/html5/thumbnails/32.jpg)
Internet Security
The implementation of Internet security includes:
Placing an access control device such as a firewall.
Setting up virtual private networks (VPN).
Changing network architecture.
![Page 33: Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing](https://reader031.vdocument.in/reader031/viewer/2022033103/56649e115503460f94afdc7f/html5/thumbnails/33.jpg)
Intrusion Detection Systems (IDS)
IDS are designed to detect any unwarranted entry into a
protected area.
Choice of IDS depends on overall organization risks and
available resources.
Anti-virus software, manual and automated log
examination, host-based and network-based intrusion
detection software are a few IDS.
![Page 34: Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing](https://reader031.vdocument.in/reader031/viewer/2022033103/56649e115503460f94afdc7f/html5/thumbnails/34.jpg)
Encryption
Encryption can be used to protect information in transit or
while residing in storage.
Choose well-known and well-reviewed algorithm. Private
key encryption is faster than public key encryption.
Include an effective key management technique such as
link encryptors. A system must change keys periodically.
![Page 35: Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing](https://reader031.vdocument.in/reader031/viewer/2022033103/56649e115503460f94afdc7f/html5/thumbnails/35.jpg)
Physical Security
Ensure that a proper procedure for authenticating users is in
place.
Restrict access to data center.
Protect the data center from fire, high temperature, and power
failure.
Remodel the data center to implement fire suppression and
temperature control.
Plan for disruptions due to implementation of an UPS.
![Page 36: Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing](https://reader031.vdocument.in/reader031/viewer/2022033103/56649e115503460f94afdc7f/html5/thumbnails/36.jpg)
Staff
Hire skilled staff:
Who can handle the security implementation.
To conduct awareness training programs.
Who will be responsible for the security of the organization.
![Page 37: Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing](https://reader031.vdocument.in/reader031/viewer/2022033103/56649e115503460f94afdc7f/html5/thumbnails/37.jpg)
Conducting Awareness Training
Conduct awareness training to provide necessary
information to:
Employees.
Administrators.
Developers.
Executives.
Security staff.
![Page 38: Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing](https://reader031.vdocument.in/reader031/viewer/2022033103/56649e115503460f94afdc7f/html5/thumbnails/38.jpg)
Employees
Employees should know the importance of security.
They must be trained to identify and protect sensitive
information.
Ensure that the employees are aware of the organization
policy, password selection, and prevention of attacks.
![Page 39: Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing](https://reader031.vdocument.in/reader031/viewer/2022033103/56649e115503460f94afdc7f/html5/thumbnails/39.jpg)
Administrators
System administrators must be updated on the latest
hacker techniques, security threats, and security patches.
Include updates in regular administration staff meetings.
Send updates to administrators as and when they are
prepared.
![Page 40: Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing](https://reader031.vdocument.in/reader031/viewer/2022033103/56649e115503460f94afdc7f/html5/thumbnails/40.jpg)
Developers
Developers should know proper programming techniques to
reduce security vulnerabilities.
They should have a proper understanding of the security
department’s role during the development process.
Security issues must be addressed in the design phase.
![Page 41: Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing](https://reader031.vdocument.in/reader031/viewer/2022033103/56649e115503460f94afdc7f/html5/thumbnails/41.jpg)
Executives
Management must be informed of the state of security and
the progress of the program.
Periodic presentations must include the results of recent
assessments, and the status of various security projects.
Metrics that indicate the risks to the organizations must be
a part of such reports.
![Page 42: Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing](https://reader031.vdocument.in/reader031/viewer/2022033103/56649e115503460f94afdc7f/html5/thumbnails/42.jpg)
Security Staff
Security staff must be kept up-to-date to help them provide
appropriate services to the organization.
Conduct both internal and external training programs.
Include security-related topics in the training sessions.
![Page 43: Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing](https://reader031.vdocument.in/reader031/viewer/2022033103/56649e115503460f94afdc7f/html5/thumbnails/43.jpg)
Conducting Audits
Audit is the final step in the information security process.
It ensures that controls are configured correctly and map to
the policy.
![Page 44: Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing](https://reader031.vdocument.in/reader031/viewer/2022033103/56649e115503460f94afdc7f/html5/thumbnails/44.jpg)
Types/Components of Audits
Policy adherence audits.
Periodic and new project assessments.
Penetration tests.
![Page 45: Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing](https://reader031.vdocument.in/reader031/viewer/2022033103/56649e115503460f94afdc7f/html5/thumbnails/45.jpg)
Policy Adherence Audits
The audit policy determines whether or not the system
configurations adhered to the policy.
They are the traditional audit function.
Any variations are recorded as violations.
Conduct periodic audits on implementation of information
policy and storage of sensitive documents.
![Page 46: Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing](https://reader031.vdocument.in/reader031/viewer/2022033103/56649e115503460f94afdc7f/html5/thumbnails/46.jpg)
Periodic and New Project Assessments
Changes in computer and network environments results in
change in risks and assessments.
Full assessment of the organization should be performed
periodically.
Major audits and assessment must be done by an external
firm.
![Page 47: Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing](https://reader031.vdocument.in/reader031/viewer/2022033103/56649e115503460f94afdc7f/html5/thumbnails/47.jpg)
Penetration Tests
Penetration test attempts to exploit an identified
vulnerability to gain access to systems and information.
Test effectiveness of controls using penetration tests.
Physical penetration tests include individuals who attempt
to gain unauthorized access to a facility.
Social engineering tests include testing employees to
divulge classified information.
![Page 48: Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing](https://reader031.vdocument.in/reader031/viewer/2022033103/56649e115503460f94afdc7f/html5/thumbnails/48.jpg)
Summary
Conducting an information security assessment involves
determining the value of an organization’s information
assets.
Policies and procedures define the work to be performed
during implementation.
The implementation of policy involves identification and
implementation of tools and controls.
![Page 49: Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing](https://reader031.vdocument.in/reader031/viewer/2022033103/56649e115503460f94afdc7f/html5/thumbnails/49.jpg)
Summary
Awareness training provides necessary security information
to employees.
Audits ensure that policies are being implemented and
followed.