IT Presentation - IT Security

Upload: tripti-pandey

Post on 07-Apr-2018

TRANSCRIPT

  • 8/4/2019 IT Presentation - IT Security

    1/23

    By: Vivek Gujral, Shruti Goyal, Shalu Welling, Tripti Pandey, Sahil Gupta, Radhika Sharma, Rohan Mehta, Sourav Singh

  • 2/23

    • What is Information
    • What is Information Security
    • Information Security Vulnerability and Computer Crimes
    • Protecting Information System
    • Disaster Recovery Planning
    • Auditing

  • 3/23

    Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected.

  • 4/23

    Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.

    Information security is concerned with the confidentiality, integrity and availability of data regardless of the form the data may take: electronic, print, or other forms.

  • 5/23

    PEOPLE

    PROCESSES

    TECHNOLOGY

  • 6/23

    People who use or interact with the information include:

    • Share Holders / Owners
    • Management
    • Employees
    • Business Partners
    • Service providers
    • Contractors
    • Customers / Clients
    • Regulators etc.

  • 7/23

    The processes refer to "work practices" or workflow. Processes are the repeatable steps to accomplish business objectives. Typical processes in our IT infrastructure could include:

    • Helpdesk / Service management
    • Incident Reporting and Management
    • Change Requests process
    • Request fulfillment
    • Access management
    • Identity management
    • Service Level / Third-party Services Management
    • IT procurement process etc.

  • 8/23

    Network Infrastructure:

    • Cabling, Data/Voice Networks and equipment
    • Telecommunications services (PABX), including VoIP services, ISDN, Video Conferencing
    • Server computers and associated storage devices
    • Operating software for server computers
    • Communications equipment and related hardware
    • Intranet and Internet connections
    • VPNs and Virtual environments
    • Remote access services
    • Wireless connectivity

  • 9/23

    Application software:

    • Finance and assets systems, including Accounting packages, Inventory management, HR systems, Assessment and reporting systems
    • Software as a service (SaaS) - instead of software as a packaged or custom-made product, etc.

    Physical Security components:

    • CCTV Cameras
    • Clock in systems / Biometrics
    • Environmental management systems: Humidity Control, Ventilation, Air Conditioning, Fire Control systems
    • Electricity / Power backup

    Access devices:

    • Desktop computers
    • Laptops, ultra-mobile laptops and PDAs
    • Thin client computing
    • Digital cameras, Printers, Scanners, Photocopier etc.

  • 10/23

    Confidentiality

    Ensuring that information is accessible only to those authorized to have access

    Integrity

    Safeguarding the accuracy and completeness of information and processing methods

    Availability

    Ensuring that authorized users have access to information and associated assets when required

  • 11/23

    • Protects information from a range of threats
    • Ensures business continuity
    • Minimizes financial loss
    • Optimizes return on investments
    • Increases business opportunities

  • 12/23

    Risk: A possibility that a threat exploits a vulnerability in an asset and causes damage or loss to the asset.

    Threat: Something that can potentially cause damage to the organization, IT Systems or network.

    Vulnerability: A weakness in the organization, IT Systems, or network that can be exploited by a threat.

  • 13/23

    Computer crime, or cybercrime, refers to any crime that involves a computer and a network.

    The computer may have been used in the commission of a crime, or it may be the target. Netcrime refers to criminal exploitation of the Internet.

  • 14/23

    Agent: The catalyst that performs the threat.

    • Human
    • Machine
    • Nature

    Motive: Something that causes the agent to act.

    • Accidental
    • Intentional

    The only motivating factor that can be both accidental and intentional is human.

    Results: The outcome of the applied threat. The results normally lead to the loss of CIA:

    • Confidentiality
    • Integrity
    • Availability

  • 15/23

    Source | Motivation | Threat

    External Hackers | Challenge, Ego, Game Playing | System hacking, Social engineering, Dumpster diving

    Internal Hackers | Deadline, Financial problems, Disenchantment | Backdoors, Fraud, Poor documentation

    Terrorist | Revenge, Political | System attacks, Social engineering, Letter bombs, Viruses, Denial of service

    Poorly trained employees | Unintentional errors, Programming errors, Data entry errors | Corruption of data, Malicious code introduction, System bugs, Unauthorized access

  • 17/23

    Risk Analysis

    • Risk acceptance
    • Risk limitation
    • Risk transference

    Controls

    General

    • Physical control
    • Access control
    • Data security control
    • Administrative control
    • Firewalls
    • Virus controls

    Application Controls

    • Input controls
    • Processing control
    • Output controls

  • 18/23

    Disaster recovery is the chain of events linking planning to protection and to recovery.

    The purpose of a recovery plan is to keep the business running after a disaster occurs, a process called business continuity.

  • 19/23

    It is oriented towards prevention. The idea is to minimize the chances of avoidable disasters such as arson or other human threats.

    For example, many companies use a device called an Uninterruptible Power Supply (UPS), which provides backup power in case of a power outage.

  • 20/23

    Information System Auditing is primarily an examination of the system controls within an IT architecture.

    It is the process of evaluating the suitability and validity of an organization's IT configurations, practices and operations.

    Information System Auditing has been developed to allow an enterprise to achieve goals effectively and efficiently through assessing whether computer systems safeguard assets and maintain data integrity.

  • 21/23

    Internal Auditor: Information Systems auditing is usually a part of accounting internal auditing, and it is frequently performed by corporate internal auditors.

    External Auditor: An external auditor reviews the findings of the internal auditor as well as the inputs, processing, and outputs of information systems. It is part of the overall external auditing performed by a Certified Public Accounting (CPA) firm.
