Information Security Management
Awareness and Action • To adequately protect information resources, managers must be aware of • the sources of threats to those resources • the types of security problems the threats present • how to safeguard against both.
Threats to Information Security • Human error and mistakes • Malicious human activity • Natural events and disasters
Threats in More Detail • Human Error and Mistakes • Could be an employee or a non-employee • Poorly written programs or procedures • Data entry errors • Misuse • Physical mistakes (e.g. unplugging the wrong cable) • Malicious Activity • Could be an employee, a former employee, or an outside attacker • Breaking into systems to steal or damage data • Introducing worms or viruses • Terrorism
Natural Disasters • Losses occur both when the event happens and again during recovery (downtime, lost data, restoration costs) • Fires • Floods • Hurricanes • Earthquakes • Other acts of nature
Three components of a security program • Senior management establishes a security policy and manages risks. • Safeguards must be established for all five components of an IS (hardware, software, data, procedures, and people), as the figure below demonstrates. • The organization must plan its incident response before any problems occur.
Management’s role • Have an effective security policy • Elements • A general statement of the organization’s security program • Issue-specific policies, like personal use of email and the Internet • System-specific policies that ensure the company is complying with laws and regulations • Manage risks • Risk is the likelihood of an adverse occurrence, weighed against the loss it would cause. • You can reduce risk, but always at a cost: the amount you spend on security determines how much residual risk you must accept. • Uncertainty is defined as the things we do not know that we do not know.
Risk Assessment • Risk Assessment Factors • Once you’ve assessed the risks to your information system, you must decide how much security you are willing to pay for. • Some risks are easy and inexpensive to reduce. • Others are expensive and difficult. • Managers have a fiduciary responsibility to the organization to adequately manage risk.
Five Technical Safeguards • For Hardware and Software components of Info System
Identification and Authentication • Includes passwords (what you know), smart cards (what you have), and biometric authentication (what you are); requiring two of these factors (multi-factor authentication) is far stronger than any one alone. • Single sign-on across multiple systems is often easier to manage and to use; the trade-off is that one compromised credential opens every system behind it, so the SSO account itself needs strong, multi-factor authentication. • Wireless systems pose additional problems • Wired Equivalent Privacy (WEP) - the first standard; its keys can be recovered in minutes and it should no longer be used • Wi-Fi Protected Access (WPA) - more secure, an interim fix • Wi-Fi Protected Access (WPA2) - the newest and most secure when these slides were written; WPA3 has since superseded it
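An added example (not from the original slides) showing the first two factors in working code: a salted, iterated password hash for "what you know" and an RFC 6238 time-based one-time code for "what you have", combined in one login check that evaluates both factors. PBKDF2 is written out by hand so that only Go's standard library is needed; the iteration count, the stored record format and the one-step drift window are this example's own choices, and the token secret in main is the RFC 4226 test secret.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)

// pbkdf2 derives keyLen bytes from password and salt with iter rounds of
// HMAC-SHA256 (RFC 8018 section 5.2); hand-written to stay stdlib-only.
func pbkdf2(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	out := make([]byte, 0, keyLen+prf.Size())
	var idx [4]byte
	for i := 1; len(out) < keyLen; i++ {
		binary.BigEndian.PutUint32(idx[:], uint32(i))
		prf.Reset()
		prf.Write(salt)
		prf.Write(idx[:])
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for j := 1; j < iter; j++ { // T_i = U_1 xor U_2 xor ... xor U_iter
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for k := range t {
				t[k] ^= u[k]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// Iterations is this example's work factor (OWASP's current PBKDF2-SHA256 figure).
const Iterations = 600000

// HashPassword returns a self-describing record "pbkdf2-sha256$iter$salt$hash"
// with a fresh 16-byte salt, so equal passwords never yield equal records and
// the work factor can be raised later without invalidating old records.
func HashPassword(password string) (string, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return "", err
	}
	dk := pbkdf2([]byte(password), salt, Iterations, 32)
	return fmt.Sprintf("pbkdf2-sha256$%d$%s$%s", Iterations,
		hex.EncodeToString(salt), hex.EncodeToString(dk)), nil
}

// VerifyPassword recomputes the hash from the stored record and compares in
// constant time, so a wrong guess takes the same time however many bytes match.
func VerifyPassword(stored, password string) bool {
	parts := strings.Split(stored, "$")
	if len(parts) != 4 || parts[0] != "pbkdf2-sha256" {
		return false
	}
	iter, err := strconv.Atoi(parts[1])
	salt, err2 := hex.DecodeString(parts[2])
	want, err3 := hex.DecodeString(parts[3])
	if err != nil || err2 != nil || err3 != nil || iter < 1 || len(want) == 0 {
		return false
	}
	got := pbkdf2([]byte(password), salt, iter, len(want))
	return subtle.ConstantTimeCompare(got, want) == 1
}

// HOTP computes a 6-digit RFC 4226 code: HMAC-SHA1 over the big-endian
// counter, dynamic truncation, then the low six decimal digits.
func HOTP(secret []byte, counter uint64) string {
	mac := hmac.New(sha1.New, secret)
	var c [8]byte
	binary.BigEndian.PutUint64(c[:], counter)
	mac.Write(c[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// TOTP is HOTP with the counter taken from the clock in 30-second steps (RFC 6238).
func TOTP(secret []byte, unixTime int64) string {
	return HOTP(secret, uint64(unixTime/30))
}

// VerifyTOTP accepts the current step and one step either side to tolerate
// clock drift between token and server; it checks all three so timing is uniform.
func VerifyTOTP(secret []byte, code string, unixTime int64) bool {
	ok := false
	for skew := int64(-1); skew <= 1; skew++ {
		expected := TOTP(secret, unixTime+30*skew)
		if subtle.ConstantTimeCompare([]byte(expected), []byte(code)) == 1 {
			ok = true
		}
	}
	return ok
}

// Login checks both factors unconditionally so response time does not reveal
// which one failed.
func Login(stored string, totpSecret []byte, password, code string, now int64) bool {
	okPassword := VerifyPassword(stored, password)
	okCode := VerifyTOTP(totpSecret, code, now)
	return okPassword && okCode
}

func main() {
	rec, _ := HashPassword("correct horse battery staple")
	secret := []byte("12345678901234567890") // RFC 4226 test secret, not a real one
	fmt.Println(rec)
	fmt.Println("login ok:", Login(rec, secret, "correct horse battery staple", TOTP(secret, 59), 59))
	fmt.Println("wrong pw:", Login(rec, secret, "password1", TOTP(secret, 59), 59))
}
```

Smart cards and biometrics are not shown because they need hardware; the TOTP token stands in for "what you have" since it too depends on a secret the user physically holds rather than remembers.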
Encryption • Symmetric (one shared key both encrypts and decrypts; fast, but the key must be distributed secretly) • Asymmetric (a public/private key pair; anyone can encrypt to the public key, only the private key decrypts) • SSL/TLS (uses both: asymmetric cryptography to authenticate the server and agree a session key, symmetric cryptography for the traffic) • Digital Signatures (made with the private key, checked with the public key; prove who sent a message and that it was not altered) • Digital Certificates (bind a public key to an identity, vouched for by a certificate authority, so you know whose public key you are using)
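An added example, not part of the original deck, that puts the terms above together using Go's standard library: symmetric AES-256-GCM for confidentiality and an asymmetric Ed25519 signature for origin and integrity, in the "encrypt, then sign the ciphertext" pattern. The Envelope type, the associated-data header and the sample messages are this example's own; the certificate step (checking that the signer's public key really belongs to the claimed sender) is assumed to have happened already and is not shown.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is what travels over the wire: the AES-GCM output (nonce || ciphertext || tag)
// and an Ed25519 signature over it made with the sender's private key.
type Envelope struct {
	Sealed    []byte
	Signature []byte
}

// NewSymmetricKey returns a random 256-bit AES key. In practice this key is
// pre-shared or, as in TLS, agreed with asymmetric cryptography.
func NewSymmetricKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext with AES-256-GCM under a fresh random nonce; aad is
// authenticated but not encrypted (a header, say). Any later change to the
// nonce, ciphertext, tag or aad makes Decrypt fail instead of returning garbage.
func Encrypt(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Decrypt splits off the nonce and opens the ciphertext, checking the GCM tag.
func Decrypt(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// SealAndSign encrypts for confidentiality, then signs the ciphertext with the
// sender's private key so the receiver can prove who sent it.
func SealAndSign(key []byte, senderPriv ed25519.PrivateKey, plaintext, aad []byte) (Envelope, error) {
	sealed, err := Encrypt(key, plaintext, aad)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{Sealed: sealed, Signature: ed25519.Sign(senderPriv, sealed)}, nil
}

// VerifyAndOpen checks the signature with the sender's public key first and only
// then decrypts, so a forged or altered envelope is rejected before any
// plaintext is produced.
func VerifyAndOpen(key []byte, senderPub ed25519.PublicKey, env Envelope, aad []byte) ([]byte, error) {
	if !ed25519.Verify(senderPub, env.Sealed, env.Signature) {
		return nil, errors.New("signature verification failed")
	}
	return Decrypt(key, env.Sealed, aad)
}

func main() {
	key, _ := NewSymmetricKey()
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	aad := []byte("msg-id:42") // constructed header, authenticated but sent in clear
	env, _ := SealAndSign(key, priv, []byte("wire 1,000,000 to account 7"), aad)
	pt, err := VerifyAndOpen(key, pub, env, aad)
	fmt.Printf("genuine:  %q err=%v\n", pt, err)
	env.Sealed[len(env.Sealed)-1] ^= 1 // an attacker flips one bit in transit
	_, err = VerifyAndOpen(key, pub, env, aad)
	fmt.Println("tampered:", err)
}
```

Note the order: the signature covers the ciphertext, so a verifier can reject tampering without holding the symmetric key, and GCM's own tag would catch the same change even if the signature were stripped.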
Other Technical Safeguards • Firewall • Should be installed on every computer connected to a network, especially the Internet; a host firewall should admit only the inbound connections that machine actually needs • Malware protection • Protects against viruses, worms, spyware and adware • Symptoms of a PC with spyware or adware installed
Protecting Your Own Computer • Install antivirus and antispyware programs. • Scan your computer frequently for malware. • Update malware definitions often, or use an automatic update process. • Open email attachments only from known sources, and even then be wary. • Promptly install software updates from legitimate sources, like Microsoft for your operating system or McAfee for your anti-spyware software. • Browse only in reputable Internet neighborhoods; malware is often associated with rogue Web sites.
Human Safeguards - NonEmployees • Ensure any contracts between the organization and other workers include security policies. Third-party employees should be screened and trained the same as direct employees. • Web sites used by third-party employees and the public should be hardened against misuse or abuse. • Protect outside users from internal security problems. If your system gets infected with a virus, you should not pass it on to others.
Human Safeguards – Account Admin • Account management • Establishing new accounts • Modifying existing accounts • Terminating unnecessary accounts (promptly, on the day an employee or contractor leaves) • Password management • Immediately change newly created passwords • Change passwords periodically (current NIST guidance prefers changing them on evidence of compromise rather than on a fixed schedule, which tends to produce weaker, predictable passwords) • Sign an account acknowledgment form • Help-desk policies (e.g. how the help desk verifies a caller’s identity before resetting a password, a favorite target of social engineers) • What do you think some of the problems might be?
Human Safeguards – Security Monitors • Procedures for normal, backup, and recovery processes • Activity log analyses • Security testing • Learning from past problems
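As an added example of the activity-log analysis item above (not from the original slides): a small Go detector that reads sshd-style log lines, tracks failed logins per source address within a sliding time window, and reports both password-guessing bursts and the more serious case of a successful login from a source that was guessing moments earlier. The log lines, hostname, addresses, threshold and window are all constructed for the example; the year is assumed because syslog timestamps omit it.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
	"time"
)

// sampleLog is constructed test data in sshd/syslog style; the addresses are
// from the documentation ranges (TEST-NET-3 and TEST-NET-2), not real hosts.
const sampleLog = `Mar 12 08:01:02 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 12 08:01:04 web01 sshd[2203]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar 12 08:01:06 web01 sshd[2205]: Failed password for root from 203.0.113.7 port 51026 ssh2
Mar 12 08:01:09 web01 sshd[2207]: Failed password for invalid user oracle from 203.0.113.7 port 51028 ssh2
Mar 12 08:01:12 web01 sshd[2209]: Failed password for root from 203.0.113.7 port 51029 ssh2
Mar 12 08:01:20 web01 sshd[2210]: Accepted password for root from 203.0.113.7 port 51030 ssh2
Mar 12 08:05:00 web01 sshd[2290]: Failed password for alice from 198.51.100.4 port 40001 ssh2
Mar 12 08:05:07 web01 sshd[2291]: Accepted publickey for alice from 198.51.100.4 port 40002 ssh2
`

// Finding is one alert produced by Analyze.
type Finding struct {
	Kind     string // "brute-force" or "success-after-brute-force"
	Source   string // client IP address
	User     string // account named in the line that raised the alert
	Failures int    // failed attempts from Source inside the window at that moment
}

// sshdRe matches the sshd "Failed"/"Accepted" lines and captures timestamp,
// outcome, username and source address.
var sshdRe = regexp.MustCompile(
	`^(\w{3} +\d+ \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: (Failed|Accepted) (?:password|publickey) for (?:invalid user )?(\S+) from (\S+) port \d+`)

// Analyze scans the log once, keeping per-source failure timestamps pruned to
// the window. A source is flagged once when its failures reach threshold, and
// every later success from a source still over threshold is flagged separately.
func Analyze(logText string, threshold int, window time.Duration) []Finding {
	recent := map[string][]time.Time{} // failure times per source, within window
	flagged := map[string]bool{}
	var findings []Finding
	sc := bufio.NewScanner(strings.NewReader(logText))
	for sc.Scan() {
		m := sshdRe.FindStringSubmatch(sc.Text())
		if m == nil {
			continue // not an auth event we care about
		}
		// Assumed year: syslog lines carry none.
		ts, err := time.Parse("2006 Jan _2 15:04:05", "2025 "+m[1])
		if err != nil {
			continue
		}
		outcome, user, src := m[2], m[3], m[4]
		kept := recent[src][:0]
		for _, t := range recent[src] {
			if ts.Sub(t) <= window {
				kept = append(kept, t)
			}
		}
		recent[src] = kept
		switch outcome {
		case "Failed":
			recent[src] = append(recent[src], ts)
			if len(recent[src]) >= threshold && !flagged[src] {
				flagged[src] = true
				findings = append(findings, Finding{"brute-force", src, user, len(recent[src])})
			}
		case "Accepted":
			if len(recent[src]) >= threshold {
				findings = append(findings, Finding{"success-after-brute-force", src, user, len(recent[src])})
			}
		}
	}
	return findings
}

func main() {
	for _, f := range Analyze(sampleLog, 5, time.Minute) {
		fmt.Printf("%-26s source=%s user=%s failures=%d\n", f.Kind, f.Source, f.User, f.Failures)
	}
}
```

Run against the sample, the detector reports 203.0.113.7 twice: once for the guessing burst and once, with higher urgency, for the root login that followed it. Alice's single typo before a key-based login stays below the threshold and is not reported, which is the point of a window and a threshold rather than alerting on every failure.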
Response to Security Incidents • Disaster Preparedness Tasks http://www.availability.sungard.com/Pages/SunGardVirtualTour.aspx