
Introduction to Information Security Management


michelleb

Presentation Transcript


  1. Introduction to Information Security Management ISM

  2. Agenda

  3. Why is Security Difficult

  4. Objectives of Information Security

  5. According to the Open Security Foundation's DATALOSSdb, this pie chart represents events involving the loss, theft, or exposure of personally identifiable information (PII) for 2008 [pie chart not reproduced in the transcript]

  6. Customer loss following data breach (PGP Corporation and the Ponemon Institute annual report, U.S. Cost of a Data Breach Study) [chart not reproduced in the transcript]

  7. Cyber Security

  8. Key Definitions
  • Information System: A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information
  • Security Authorization: The official management decision given by a senior organizational official to authorize operation of an information system and to explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security controls
  • Security Control Assessment: The testing and/or evaluation of the management, operational, and technical security controls in an information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system
  • Security Authorization Boundary: All components of an information system to be authorized for operation by an authorizing official; excludes separately authorized systems to which the information system is connected
  • Plan of Action and Milestones (POA&M): A document that identifies tasks needing to be accomplished, resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and scheduled completion dates for the milestones
  • Security Plan: Formal document that provides an overview of the security requirements for the information system and describes the security controls in place or planned for meeting those requirements
  List not all inclusive – see NIST SP 800-37, Appendix B for a more detailed list

  9. Regulatory & Industry Requirements

  10. Standards

  11. STATE BANK: BPRD Circular No. 07 of 2016, Prevention against Cyber Attacks
  The Board shall, preferably on a bi-annual basis, evaluate the adequacy of Banks'/DFIs'/Microfinance Banks' cyber security action plan with regard to emerging cyber threats. If material gaps are identified, the Board shall ensure that the institution has a proper risk management strategy in place for acceptance and controlling of the risks arising out of the gaps. The risk management strategy shall be supported by a concrete implementation plan with adequate manpower and financial resources to mitigate relevant risks.
  Senior / Executive Management of the Banks/DFIs/Microfinance Banks shall ensure that an organizational plan of action for cyber security management exists and is reviewed and updated regularly for implementation. Further, senior management shall also periodically inform the Board on the latest developments on the cyber security action plan, its implementation status and a summary report on major threats and attacks faced by the institution and their possible impact on its operations.

  12. Risk ownership and management responsibility – Banks/DFIs/Microfinance Banks shall define and establish ownership and management's responsibility for the risks associated with cyber threats by taking into account the ICT and all relevant business functions. Keeping in view the technical aspects of cyber security management, the Banks/DFIs/Microfinance Banks shall ensure that sufficient resources with the relevant skill set and expertise are available within the security function to exercise effective and on-going checks and balances.
  Periodic evaluation and monitoring of cyber security controls – Banks/DFIs/Microfinance Banks shall adopt a standard mechanism to ensure that all existing cyber security controls, processes and procedures are continuously being monitored to detect, prevent and respond to any potential cyber security incident in the shortest possible time. Further, the Banks/DFIs/Microfinance Banks shall monitor all network communications to detect and/or block unauthorized or atypical network communications amongst servers, systems and endpoint devices.
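The last requirement on slide 12 (detect or block atypical communications amongst servers, systems and endpoints) is usually met by comparing observed flows against a baseline of expected role-to-role communications. The following is an added example, not code from the presentation or the circular: the asset inventory, the baseline and the flow records are constructed for illustration, and a real deployment would read NetFlow or cloud flow logs and an authoritative asset inventory instead.

```python
"""Flag network flows that fall outside an expected-flow baseline.

Added example (not from the presentation). ASSET_ROLES, BASELINE and
SAMPLE_FLOWS are constructed for illustration.
"""
import ipaddress
from typing import Dict, List, NamedTuple, Tuple


class Flow(NamedTuple):
    ts: str
    src: str
    dst: str
    dport: int
    proto: str


# Constructed asset inventory: IP -> role. Workstations live in ENDPOINT_NET.
ASSET_ROLES: Dict[str, str] = {
    "10.0.1.10": "web", "10.0.1.11": "web",
    "10.0.2.20": "app",
    "10.0.3.30": "db",
    "10.0.9.99": "jump",
}
ENDPOINT_NET = ipaddress.ip_network("10.0.50.0/24")

# Constructed baseline of expected communications: (src_role, dst_role, dport, proto).
# Anything not listed is treated as atypical and should be investigated or blocked.
BASELINE = {
    ("endpoint", "web", 443, "tcp"),
    ("web", "app", 8443, "tcp"),
    ("app", "db", 5432, "tcp"),
    ("jump", "web", 22, "tcp"),
    ("jump", "app", 22, "tcp"),
    ("jump", "db", 22, "tcp"),
}


def role_of(ip: str) -> str:
    """Map an address to its inventory role; unknown addresses are a finding in themselves."""
    if ip in ASSET_ROLES:
        return ASSET_ROLES[ip]
    if ipaddress.ip_address(ip) in ENDPOINT_NET:
        return "endpoint"
    return "unknown"


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record of the form '<ts> <src> <dst> <dport> <proto>'."""
    ts, src, dst, dport, proto = line.split()
    return Flow(ts, src, dst, int(dport), proto.lower())


def classify(flow: Flow) -> str:
    """Return 'expected', 'atypical', or 'unknown-asset' for a single flow."""
    src_role, dst_role = role_of(flow.src), role_of(flow.dst)
    if "unknown" in (src_role, dst_role):
        return "unknown-asset"  # not in inventory: a gap in asset management itself
    if (src_role, dst_role, flow.dport, flow.proto) in BASELINE:
        return "expected"
    return "atypical"


def find_atypical(lines: List[str]) -> List[Tuple[Flow, str]]:
    """Return every flow that is not in the baseline, paired with its verdict."""
    findings = []
    for line in lines:
        flow = parse_flow(line)
        verdict = classify(flow)
        if verdict != "expected":
            findings.append((flow, verdict))
    return findings


# Constructed flow records (ts src dst dport proto).
SAMPLE_FLOWS = [
    "2024-05-01T10:00:01Z 10.0.50.12 10.0.1.10 443 tcp",   # workstation -> web: expected
    "2024-05-01T10:00:02Z 10.0.1.10 10.0.2.20 8443 tcp",   # web -> app: expected
    "2024-05-01T10:00:03Z 10.0.2.20 10.0.3.30 5432 tcp",   # app -> db: expected
    "2024-05-01T10:00:04Z 10.0.50.12 10.0.3.30 5432 tcp",  # workstation straight to db: atypical
    "2024-05-01T10:00:05Z 10.0.3.30 10.0.1.11 445 tcp",    # db -> web over SMB: lateral-movement pattern
    "2024-05-01T10:00:06Z 10.0.77.5 10.0.2.20 8443 tcp",   # source address not in inventory
]

if __name__ == "__main__":
    for flow, verdict in find_atypical(SAMPLE_FLOWS):
        print(f"{verdict:13} {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto} at {flow.ts}")
```

Two design points matter in practice: the baseline is keyed on roles rather than addresses, so it survives host churn, and an address missing from the inventory is reported separately from an atypical flow, because it points at a different control (asset management) than a misconfigured or compromised host does.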

  13. Regular independent assessment and tests – Banks/DFIs/Microfinance Banks shall ensure that periodic independent assessments are conducted to evaluate the adequacy and effectiveness of cyber security controls and procedures. Such assessments may include vulnerability assessments and penetration testing, which can be conducted by officials independent of the area under review. Where it is not possible to conduct such assessments by internal teams due to unavailability/shortage of skill set, the Banks/DFIs/Microfinance Banks may engage external parties having sufficient expertise in IT security assessments. Further, the Banks/DFIs/Microfinance Banks shall properly enhance and regularly test their Incident Response Mechanism and Business Continuity Plan to prepare for eventualities of cyber attacks.
  Industry collaboration and contingency plan – Since cyber attacks could aim at multiple institutions within a short period of time, the Banks/DFIs/Microfinance Banks may explore appropriate opportunities of collaborating with other institutions/associations/bodies for sharing and gathering cyber threat intelligence in a timely manner. Such collaboration may help the institutions to prepare for potential cyber attacks.

  14. Government's Proposed And Modified Cybercrime Bill 2015
  • The bill defines authorized and unauthorized access to information systems and data. It sets out the lawful use of authorization, authentication, transmission and usage of data, and provides penalties for malicious use of information assets. The offences it covers, at a high level, are:
  • Unauthorized access to information system or data
  • Unauthorized copying or transmission of data
  • Interference with information systems or data
  • Unauthorized access to critical infrastructure information system or data
  • Unauthorized copying or transmission of critical infrastructure data
  • Interference with critical infrastructure information system or data
  • Glorification of an offence
  • Cyber terrorism
  • Hate speech
  • Recruitment, funding and planning of terrorism
  • Electronic forgery
  • Electronic fraud
  • Making, obtaining or supplying a device for use in an offence
  • Unauthorized use of identity information
  • Unauthorized issuance of SIM cards
  • Tampering etc. with communication equipment
  • Unauthorized interception
  • Offences against the dignity of a natural person and of a minor
  • Child pornography
  • Malicious code
  • Cyber stalking
  • Spamming
  • Spoofing

  15. Electronic Transaction Ordinance 1999
  • Issued as a Presidential Ordinance under the Proclamation of Emergency of the fourteenth day of October, 1999, and the Provisional Constitution Order No. 1 of 1999, it governs electronic transactions and covers the following chapters:
  • RECOGNITION AND PRESUMPTION
  • ELECTRONIC DOCUMENTS
  • CERTIFICATION SERVICE PROVIDERS
  • CERTIFICATION COUNCIL
  • AMENDMENTS OF CERTAIN LAWS
  • OTHER LAWS AND JURISDICTION
  • OFFENCES

  16. Why Physical Security?
  • Not all threats are "cyber threats"
  • Information is one commodity that can be stolen without being "taken": a copy leaves the original in place
  • Physically barring access is the first line of defense
  • Forces those concerned to prioritize!
  • Physical security can be a deterrent
  • Security reviews force insights into the value of what is being protected

  17. Layered Security
  • Physical Barriers
    • Fences
    • Alarms
    • Restricted Access Technology
  • Physical Restrictions
    • Air Gapping
    • Removable Media
    • Remote Storage
  • Personnel Security Practices
    • Limited Access
    • Training
    • Consequences/Deterrence

  18. Inner Protective Layers
  • Several layers
  • Structure
    • Door controls, biometrics
    • Signs, alarms, CCTV
    • Safes, vaults
  • Environment
    • Authorized personnel only
  • Purpose
    • Establish controlled areas and rooms

  19. Personnel Security Practices
  • Insider threat is the most serious
    • Disgruntled employee
    • Former employee
    • Agent for hire
  • Personnel training
    • Critical element
    • Most often overlooked
  • Background checks
    • Critical when access to information is required
    • Must be updated

  20. Risk Management Framework: Security Authorization is part of a dynamic risk management process

  21. Preparation Phase
  Categorize Information System
  • Task 1: Describe the information system
    • Define system boundary
    • Document system in security plan
  • Task 2: Register system in organization asset inventory
  • Task 3: Determine security category and document in security plan
    • Organizational/business criticality
    • Relationship/impact to other systems
    • Classification of data processed by system
  Security Control Selection
  • Task: Select security controls and document in security plan
    • System specific (implemented), common (inherited) and/or hybrid controls
    • Controls used to manage system risk (i.e. management controls)
    • Automated system safeguards and countermeasures (i.e. technical controls)
    • Policy, standards, and procedural measures (i.e. operational controls)
  Security Plan Approval
  • Task: Review and approve the security plan
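Task 3 above (determine the security category) is where NIST SP 800-37 hands off to FIPS 199: each information type the system processes is rated low, moderate or high for confidentiality, integrity and availability, and the system's category is the high-water mark across all of them. The block below is an added example implementing that rule, not code from the presentation; the customer-portal system and its information types are constructed for illustration, and the floor-at-low rule and the "n/a" exception for public information are taken from FIPS 199 itself.

```python
"""FIPS 199 security categorization, as used in RMF step 1 (categorize).

Added example, not from the presentation. CUSTOMER_PORTAL and its impact
values are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Potential impact levels, ordered so the high-water mark is a max().
# "n/a" (not applicable) is permitted by FIPS 199 only for the confidentiality
# of public information, and only at the information-type level.
IMPACT_ORDER = {"n/a": 0, "low": 1, "moderate": 2, "high": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InformationType:
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def __post_init__(self) -> None:
        for objective in OBJECTIVES:
            level = getattr(self, objective)
            if level not in IMPACT_ORDER:
                raise ValueError(f"{self.name}: invalid impact '{level}' for {objective}")
            if level == "n/a" and objective != "confidentiality":
                raise ValueError(f"{self.name}: 'n/a' is only allowed for confidentiality")


def high_water_mark(levels: Iterable[str]) -> str:
    """Return the highest impact level among `levels` (the FIPS 199 high-water mark)."""
    return max(levels, key=IMPACT_ORDER.__getitem__)


def categorize_system(info_types: List[InformationType]) -> Dict[str, str]:
    """Derive the system security category from its information types.

    For each objective take the high-water mark across all information types,
    then floor the result at "low": FIPS 199 does not allow "n/a" for a system,
    because the system's own processing functions always need at least low
    protection even when every information type it holds is public.
    """
    if not info_types:
        raise ValueError("a system must process at least one information type")
    return {
        objective: high_water_mark([getattr(t, objective) for t in info_types] + ["low"])
        for objective in OBJECTIVES
    }


def overall_impact(category: Dict[str, str]) -> str:
    """Overall impact level, which selects the low/moderate/high control baseline (FIPS 200)."""
    return high_water_mark(category.values())


def format_category(system_name: str, category: Dict[str, str]) -> str:
    """Render in FIPS 199 notation: SC name = {(confidentiality, X), (integrity, Y), (availability, Z)}."""
    pairs = ", ".join(f"({o}, {category[o].upper()})" for o in OBJECTIVES)
    return f"SC {system_name} = {{{pairs}}}"


# Constructed example system: a bank customer portal (not from the presentation).
CUSTOMER_PORTAL = [
    InformationType("customer PII", "moderate", "moderate", "low"),
    InformationType("public marketing content", "n/a", "low", "low"),
    InformationType("transaction ledger", "moderate", "high", "moderate"),
]

if __name__ == "__main__":
    category = categorize_system(CUSTOMER_PORTAL)
    print(format_category("customer portal", category))
    print("control baseline:", overall_impact(category))
```

Note that one high-impact information type (the ledger's integrity) pulls the whole authorization boundary to a high baseline, which is the usual argument for drawing boundaries so that high-impact data is not mixed into a system that otherwise only needs moderate controls.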

  22. Continuous Monitoring - Maintenance Phase
  Strategy: Maintain the security authorization for the system over time in a highly dynamic operational environment with changing threats, vulnerabilities, technologies and business processes
  Objectives:
  • Track the security "state" of a system on a continuous basis
  • Ensure security controls are checked for effectiveness on an ongoing basis
  • Address the security impact to systems when changes occur to hardware, software, firmware and operational environment
  • Provide an effective process for updating security plans, security assessment reports and plans of action and milestones
  • Security status reporting to the authorizing official

  23. Points to Remember
  • Assess a defined environment (the authorization boundary), not the world
  • Security authorization is an ongoing process
  • Security control assessors make recommendations; they do not accept risk or approve mitigating controls on behalf of the organization
  • Risk acceptance is the sole responsibility of the authorizing official
  • Reuse and share security control development, implementation, and assessment-related information to reduce cost and time
  • An active continuous monitoring program reduces time and effort
