INFORMATION SECURITY
AGENDA
What is Information Security
Core Principles of Information Security
Security Governance
Organizational Structures
Roles and Responsibilities
Information Classification
Risk Management
Information Systems Controls
General Controls
Application Controls
Auditing Information Security
OBJECTIVES
Provide an overview of Information Security and describe its importance.
Describe one approach to Auditing Information Security.
Describe current trends in Information Security and how they can be incorporated into IT Security Audits.
WHAT IS INFORMATION SECURITY
The protection of information and its critical elements, including the systems and hardware that use, store, and transmit that information.
Information security is protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, reading, inspection, recording or destruction.
CORE PRINCIPLES OF INFORMATION SECURITY
The core principles of information security are:
Confidentiality - to prevent the disclosure of information to unauthorized individuals or systems
Integrity - to ensure that data is accurate and complete and cannot be modified by unauthorized person(s)
Availability - to ensure the information is available when it is needed, where it is needed, and to whom it is needed
Accountability - to ensure users are responsible for their actions
INFORMATION SECURITY GOVERNANCE
Organizational Structures
Typical organizational structures and official responsibilities for information security include:
BoD, CEO
CFO, CIO, CSO, CISO
Director, Manager
IT/IS Security
Audit
INFORMATION SECURITY GOVERNANCE
Organizational Structures
Audit should be separate from implementation and operations, so that independence is not compromised.
Responsibilities for security should be defined in job descriptions.
Senior management has ultimate responsibility for security.
Security officers/managers have functional responsibility.
INFORMATION SECURITY GOVERNANCE
Roles and Responsibilities
Best Practices
Least Privilege
Mandatory Vacations
Job Rotation
Separation of Duties
INFORMATION SECURITY GOVERNANCE
Roles and Responsibilities
Owners - determine security requirements
Custodians - manage security based on requirements
Users - access as allowed by security requirements
INFORMATION SECURITY GOVERNANCE
Information Classification
Not all information has the same value.
Need to evaluate value based on CIA.
Value determines protection level.
Protection levels determine procedures.
Labeling informs users on handling.
RISK MANAGEMENT
“Risk management is the process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives, and deciding what countermeasures, if any, to take in reducing risk to an acceptable level, based on the value of the information resource to the organization.” (ISACA)
RISK MANAGEMENT
The Risk Management Process
Identify assets and estimate their value.
Conduct a threat assessment.
Conduct a vulnerability assessment.
Calculate the impact that each threat would have on each asset.
Identify, select and implement appropriate controls.
Evaluate the effectiveness of the control measures.
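The six steps above carried through on a small constructed risk register, as an added example that is not part of the slides; it also applies the Information Classification rule that value is evaluated on CIA and determines the protection level. The ALE formula (asset value x exposure factor x annual rate of occurrence), the asset figures, threats, control costs and the acceptable-risk threshold are all assumptions made for the illustration.

```python
# Added example, not from the slides: a constructed risk register that walks
# the six steps above; ALE = value * EF * ARO is an assumed quantification.
ASSETS = {  # Step 1: assets, C/I/A rated 1..3, estimated value
    "customer_db":    {"C": 3, "I": 3, "A": 2, "value": 500_000},
    "marketing_site": {"C": 1, "I": 2, "A": 2, "value": 40_000},
}
LEVELS = {3: "CONFIDENTIAL", 2: "INTERNAL", 1: "PUBLIC"}  # protection level = label

def classify(asset):
    """Value is evaluated on CIA; the highest rating sets the protection level."""
    a = ASSETS[asset]
    return LEVELS[max(a["C"], a["I"], a["A"])]

# Steps 2-3: threat and vulnerability assessment as an annualised rate of
# occurrence (ARO) and an exposure factor (EF, share of asset value lost).
RISKS = [
    {"asset": "customer_db",    "threat": "data theft via unpatched web app", "aro": 0.5, "ef": 0.6},
    {"asset": "customer_db",    "threat": "ransomware via phishing",          "aro": 0.3, "ef": 0.4},
    {"asset": "marketing_site", "threat": "defacement",                        "aro": 1.0, "ef": 0.1},
]
CONTROLS = [  # candidates for step 5: yearly cost and share of the ARO removed
    {"threat": "data theft via unpatched web app", "name": "patch management",  "cost": 20_000, "aro_reduction": 0.8},
    {"threat": "ransomware via phishing",          "name": "offline backups",   "cost": 15_000, "aro_reduction": 0.9},
    {"threat": "defacement",                        "name": "web app firewall", "cost": 10_000, "aro_reduction": 0.9},
]

def impact(risk):
    """Step 4: annualised loss expectancy of one threat against one asset."""
    return ASSETS[risk["asset"]]["value"] * risk["ef"] * risk["aro"]

def select_controls():
    """Step 5: adopt a control only when the risk it removes outweighs its
    cost; 'what countermeasures, if any' means some risks are accepted."""
    chosen = []
    for c in CONTROLS:
        risk = next(r for r in RISKS if r["threat"] == c["threat"])
        if impact(risk) * c["aro_reduction"] > c["cost"]:
            chosen.append(c["name"])
    return chosen

def residual_risk(acceptable=25_000):
    """Step 6: residual ALE per threat after chosen controls vs the acceptable level."""
    chosen = set(select_controls())
    result = {}
    for r in RISKS:
        c = next((c for c in CONTROLS if c["threat"] == r["threat"] and c["name"] in chosen), None)
        ale = impact(r) * (1 - c["aro_reduction"]) if c else impact(r)
        result[r["threat"]] = (round(ale), ale <= acceptable)
    return result
```

The defacement control is rejected because it costs more than the risk it removes, and the data-theft risk stays above the acceptable level even after patch management, which is exactly what step 6 is meant to surface.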
INFORMATION SYSTEM CONTROLS
Information system controls are methods and devices that attempt to ensure the accuracy, validity, and propriety of information system activities.
Controls must be developed to ensure proper data entry, processing techniques, storage methods, and information output.
INFORMATION SYSTEM CONTROLS
General Controls
General controls apply to information system activities throughout an organization.
The most important general controls are the measures that control access to computer systems and the information stored there or transmitted over telecommunications networks.
INFORMATION SYSTEM CONTROLS
Application Controls
Application controls are specific to a given application and include such measures as validating input data, logging the accesses to the system, regularly archiving copies of various databases, and ensuring that information is disseminated only to authorized users.
AUDITING INFORMATION SECURITY
Auditing information security covers the following topics:
the physical security of offices and data centers
the logical security of networks and databases
technical, physical and administrative controls
AUDITING INFORMATION SECURITY
Auditing Core Systems: areas to focus on include:
Network vulnerabilities
Controls
Encryption and IT audit
Logical security audit
Specific tools used in network security
AUDITING INFORMATION SECURITY
Auditing Applications: areas to focus on include:
Application security
Segregation of duties
Controls
SUMMARY
Information security is a “well-informed sense of assurance that the information risks and controls are in balance.”
Successful organizations have multiple layers of security in place: physical, personal, operations, communications, network, and information.
Security should be considered a balance between protection and availability.
Thank You! Lusungu Mkandawire
265999989153
www.linkedin.com/pub/lusungu-mkandawire/57/102/283
https://twitter.com/MLusungu