
Comprehensive Information Security Management Guide

Learn about security threats, sources, problems, and how to implement a robust security program. Understand the role of senior management, technical, data, and human safeguards, disaster preparedness, and incident response.

jlaws




Presentation Transcript


  1. Chapter 11 Information Security Management

  2. Agenda • Security Threats • Sources • Problems • Security Program • Senior Management’s Security Role • Technical Safeguard • Data Safeguard • Human Safeguard • Disaster Preparedness • Incident Response

  3. Sources of Security Threats
  • Human error and mistakes
    • Employees and non-employees
    • Accidental problems
    • Poorly written application programs
    • Poorly designed procedures
  • Malicious human activity
    • Employees, former employees, hackers, and outside criminals
    • Intentionally destroy data or other system components
    • Steal for financial gain
    • Terrorism
  • Natural events and disasters
    • Acts of nature
    • Loss of capability, service, and recovery

  4. Problems of Security Threats • Unauthorized data disclosure • Incorrect data modification • Faulty service • Denial of service • Loss of infrastructure

  5. Unauthorized Data Disclosure
  • Pretexting: someone pretending to be someone else
  • Phishing: someone pretending to be a legitimate company and obtaining confidential data by email
  • Spoofing: IP spoofing and email spoofing
  • Sniffing: intercepting computer communication
  • Drive-by sniffers: intercepting traffic on unprotected wireless networks

  6. Incorrect Data Modification
  • Human error
    • Employees follow procedures incorrectly
    • Procedures have been incorrectly designed
  • Hacking

  7. Faulty Service
  • Incorrect system operation
    • Human procedure mistake
  • Usurpation
    • Unauthorized program in a computer system

  8. Denial of Service • Human error • Malicious hacker • Natural disasters

  9. Loss of Infrastructure • Human accidents • Theft and terrorist events • Natural disasters

  10. Security Program
  • Senior management involvement
    • Security policy
    • Cost and benefit analysis
  • Safeguards of various kinds
    • Technical protection: hardware and software
    • Data protection: data
    • Human protection: people and procedures
  • Incident response
    • Program response to security incidents

  11. Security Elements
  • By the National Institute of Standards and Technology (NIST)
  • Support the mission of the organization
  • An integral element of sound management
  • Cost effective
  • Explicit security responsibilities and accountability
  • Comprehensive and integrated approach
  • Periodically reassessed
  • Constrained by social factors

  12. Senior Management Role
  • Security policy
    • General policy: goals and assets
    • Issue-specific policy: computer and email usage
    • System-specific policy: specific information systems
  • Risk management and assessment
    • Assets and vulnerability
    • Threats
    • Likelihood of an adverse occurrence
    • Consequences
    • Safeguard and cost
    • Probable loss

  13. Technical Safeguard • Identification and authentication • Encryption • Digital signature • Firewall • Malware protection • Secure application design

  14. Identification and Authentication
  • Identification
    • User name
  • Authentication
    • Password (what you know)
    • Smart card (what you have)
    • Biometric authentication: fingerprints, facial features, retinal scans (what you are)
  • Single sign-on for multiple systems (Kerberos)
  • Wireless: WPA (Wi-Fi Protected Access) and WPA2

  15. Encryption
  • Symmetric encryption: one key
  • Asymmetric encryption: public key and private key
  • Secure Sockets Layer (SSL) and Transport Layer Security (TLS): only the client verifies that the Web site is genuine
  • Digital signature
    • Hashing
    • Message digest (check digits)
  • Digital certificate and certificate authorities

  16. Firewall
  • Definition
    • A computing device that prevents unauthorized network access
  • Device
    • A special-purpose computer
    • A program on a general-purpose computer or on a router
  • Type
    • Perimeter firewall
    • Internal firewall
    • Packet-filtering firewall
    • Access control list (ACL)

  17. Use of Multiple Firewalls

  18. Malware • Malware: viruses, worms, Trojan horses, spyware, and adware • Spyware: programs installed without the user’s knowledge for spying • Adware: installed without the user’s permission for observing user behavior and popping up ads

  19. Spyware and Adware Symptoms • Slow system start-up • Sluggish system performance • Many pop-up ads • Changes to the browser homepage, taskbar, and other interfaces • Unusual hard disk activity

  20. Malware Safeguard • Install antivirus and antispyware programs • Scan computer frequently • Update malware definitions • Open email attachments only from known sources • Promptly install software updates from legitimate sources • Browse only in reputable Internet neighborhoods

  21. Data Safeguard • Specifying user rights and responsibilities • User account and password • Store sensitive data in encrypted form • Regular backup and practice recovery • Backup copy at remote location • Reside in locked, controlled-access facilities

  22. Human Safeguard for Employees
  • Position definition
    • Job tasks and responsibilities
    • Least possible privilege
    • Documenting security sensitivity for each position
  • Hiring and screening
    • Interviews, references, and background investigations
  • Dissemination and enforcement
    • Awareness of security policies, procedures, and responsibilities
  • Training
    • Security responsibility, accountability, and compliance
  • Termination
    • Termination policies and procedures
    • Remove accounts and passwords
    • Recover keys for encrypted data

  23. Human Safeguard for Non-Employees
  • Temporary personnel, vendors, partner personnel, and the public
  • Require vendors and partners to perform appropriate screening and security training
  • Harden (take extraordinary measures to reduce a system’s vulnerability) the Web site or other facility against attack

  24. Account Administration
  • User accounts
    • Creation of new user accounts, modification of existing account permissions, and removal of unneeded accounts
  • Passwords
    • Change passwords
    • Use proper passwords
    • Help-desk policies and procedures for users who forget their passwords

  25. Systems Procedures • Users and operations personnel • Procedures for normal, backup, and recovery operations

  26. Systems Monitoring • Log analysis • Security testing • Investigating and learning from security incidents • In-house IT personnel and outside security consultants • Updating security: new technology and requirements

  27. Disaster Preparedness
  • Locate infrastructure in a safe location
  • Identify mission-critical systems
  • Identify resources needed to run those systems
  • Prepare a remote backup facility
    • Hot site: a remote processing center run by a commercial disaster-recovery service
    • Cold site: office space only; customers themselves provide and install the equipment needed to continue operations
  • Train and rehearse

  28. Incident Response • Have a plan • Critical personnel and off-hours contact information • Centralized reporting • Prepare specific response for speed • Practice

  29. Discussion
  • Ethics guide (343a-b): Address the ethical issues an online retailer faces regarding its customers’ information.
  • Problem solving (351a-b): Address the security issues of hiring a white hat hacker.
  • Security guide (357a-b): Address the meta-security issues of any organization.
  • Reflection guide (361a-b): Address the future of IT and IS five years later.

  30. Case Study • Case 11-1 Antiphishing Tactics (365-366): 2 only

  31. Points to Remember • Security Threats • Sources • Problems • Security Program • Senior Management’s Security Role • Technical Safeguard • Data Safeguard • Human Safeguard • Disaster Preparedness • Incident Response
