Information Security Management Introduction By Yuliana Martirosyan Based on Bell G. Reggard, (2010) Information Security Management. Concepts and Practices.

Uploaded by yulianamar; posted on 19-Jun-2015.


TRANSCRIPT

Page 1: Information Security Management.Introduction

Information Security Management

Introduction

By Yuliana Martirosyan. Based on Bell G. Reggard (2010), Information Security Management: Concepts and Practices.

Page 2: Information Security Management.Introduction

Introduction

Components of the computing environment (figure): People, Network, Activities, Technology, Data.

Information Security Management: Introduction to Information Security Management

Page 3: Information Security Management.Introduction

• Introduction

• Layers of personnel around an information resource (figure): System Operator, Security Staff, Security Administrator, System Owner

Page 4: Information Security Management.Introduction

Information Security Management

• Why does information security matter?

• Information drives enterprise business value generation.

• Information is the basis of competitive advantage.

• Assets are highly interdependent: to protect one asset, the whole computing environment must be protected.

Page 5: Information Security Management.Introduction

Information Security Management

Information Sensitivity Classification

Information sensitivity taxonomy (figure), with the following classes:

• Public Information

• Confidential Information

• Internal Use

• Proprietary Information

• Highly Confidential

• Top Secret

Page 6: Information Security Management.Introduction

Information Security Management

Information Security Governance

Corporate governance has to do with how the board of directors and executive management run and control a company. IT governance is how technology is used and managed so that it supports business needs. Information security governance is a coherent system of integrated security components:

• products

• personnel

• training

• processes

• policies ...

that exist to ensure that the organization survives and hopefully thrives.


Page 7: Information Security Management.Introduction

The Computing Environment

Security of an information system (figure): Information System Security comprises People Security, Technology Security, Network Security, Security of IS Activities, and Data Security.

Page 8: Information Security Management.Introduction

Security of Various Components in the Computing Environment

Protecting an organization, an information system, or any computing environment means the following:

• Personnel security to protect people

• Qualification assurance

• Specifications of the job

• Security clearance

• Screening assurance

• Authorization of process

• Security training

• Nondisclosure agreement

Page 9: Information Security Management.Introduction

Security of an information system

CIA Triad (figure): Confidentiality, Integrity, Availability.

Page 10: Information Security Management.Introduction

The Security Star

The CIA triad suffers from at least 2 drawbacks:

Security Star Model (figure): Confidentiality, Availability, Non-Repudiation, Integrity, Authentication.

Page 11: Information Security Management.Introduction

Parker’s View of Information Security

• CIA Triad

• Authenticity

• Possession Envelope

• Utility

Possession defines ownership or control of information.

Authenticity aims at ensuring that the origin of a transmission is correct and that the authorship of the transmitted documents is valid.

Utility emphasizes the usefulness of the information in possession.

Page 12: Information Security Management.Introduction

What is Information Security Management?

1. Identify the computing environment, define its criticality, and prioritize its contribution to the organization’s business-value-generation capabilities;

2. Identify all security risks, assess them, and mitigate them by devising a comprehensive risk-driven security program;

3. Provide continual improvement of the organization’s risk position.

Page 13: Information Security Management.Introduction

Security Controls

Managerial Controls:

• Risk assessment

• Planning

• System and service acquisition

• Certification, accreditation and security assessment

Technical Controls:

• Personnel security

• Physical and environmental protection

• Contingency planning

• Configuration management

Page 14: Information Security Management.Introduction

Security Controls

Operational Controls:

• Personnel security

• Physical and environmental protection

• Contingency planning

• Configuration management

• Maintenance

• System and information integrity

• Media protection

• Incident response

• Awareness and training

Page 15: Information Security Management.Introduction

The NSA Triad for Security Assessment

Assessment - security planning for 3 years:

• Not technical, often qualitative

• Doesn’t involve any testing

• Collaborative, often shared by users, managers, and owners

Evaluation - how to use technology to support information security:

• Technical but not invasive

• Passive testing required for self-study

• Collaborative to some extent

• Involves diagnostic tools

• Involves internal audit

Page 16: Information Security Management.Introduction

The NSA Triad for Security Assessment

Penetration Testing:

• Non-collaborative

• Technical in nature

• Invasive in nature

• Involves external audit

• Active penetration tests

• Risk of compromising the target system exists but has to be avoided

• Active assessment expertise is required