• “The quality or state of being secure—to be free from danger”
• A successful organization should have multiple layers of security in place:
  – Physical security
  – Personal security
  – Operations security
  – Communications security
  – Network security
  – Information security
Principles of Information Security, 3rd Edition

What is Information Security?
• The protection of information and its critical elements, including the systems and hardware that use, store, and transmit that information
• Necessary tools or controls: policy, awareness, training, education, technology
• The C.I.A. triangle was the standard, based on confidentiality, integrity, and availability
• The C.I.A. triangle has now been expanded into a list of critical characteristics of information
Components of an Information System
• Hardware
• Software
• Data
• People
• Procedures
– using information as a resource within and outside the organization

Controls in IT Environments
• There are two general methods of implementing technical controls:
  – Access control lists
  – Configuration rules

Access Control Lists
• Include the user access lists, matrices, and capability tables that govern the rights and privileges of users
• A similar method that specifies which subjects and objects users or groups can access is called a capability table
• These specifications are frequently complex matrices, rather than simple lists or tables
• In general, ACLs enable administrators to restrict access according to user, computer, time, duration, or even a particular file
Management of Information Security, 2nd ed. - Chapter 4

ACLs
• In general, ACLs regulate:
  – Who can use the system
  – What authorized users can access
  – When authorized users can access the system
  – Where authorized users can access the system from
  – How authorized users can access the system
  – Restricting what users can access, e.g., printers, files, communications, and applications

ACLs (continued)
• Administrators set user privileges, such as:
  – Read
  – Write
  – Create
  – Modify
  – Delete
  – Compare
  – Copy
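The two views the slides contrast, an ACL (indexed by object: which subjects hold which rights) and a capability table (indexed by subject: which objects it can reach), together with the "when" and "where" restrictions listed above, as an added example that is not part of the textbook slides. The users, groups, objects, rules and the deny-overrides semantics (modelled on Windows-style ACLs) are all assumed for illustration.

```python
"""Added example (not from the textbook slides): a small access-control
evaluator showing both an ACL view and a capability-table view of one policy,
with time-of-day ("when") and source-network ("where") constraints.
Users, groups, objects and rules are constructed sample data; the
deny-overrides rule is an assumption modelled on Windows-style ACLs."""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Optional, Set

# Constructed group membership.
GROUPS: Dict[str, Set[str]] = {
    "finance": {"alice", "bob"},
    "admins": {"carol"},
}

# Sample request times used below (constructed).
OFFICE_HOURS = datetime(2024, 3, 4, 10, 30)
AFTER_HOURS = datetime(2024, 3, 4, 20, 0)


@dataclass(frozen=True)
class Rule:
    """One ACL entry: a subject (user or group) is allowed or denied rights
    on an object, optionally only within a time-of-day window ("when") and
    only from a source network ("where")."""
    subject: str
    rights: FrozenSet[str]
    effect: str = "allow"              # "allow" or "deny"
    start: Optional[time] = None       # earliest time of day the entry applies
    end: Optional[time] = None         # latest time of day the entry applies
    from_net: Optional[str] = None     # CIDR the request must originate from


# ACL view: object -> entries (constructed sample policy).
ACL: Dict[str, List[Rule]] = {
    "payroll.xlsx": [
        Rule("finance", frozenset({"read"}), start=time(8, 0), end=time(18, 0), from_net="10.0.0.0/8"),
        Rule("alice", frozenset({"write", "modify"}), start=time(8, 0), end=time(18, 0), from_net="10.0.0.0/8"),
        Rule("admins", frozenset({"read", "write", "delete"})),
    ],
    "printer-3f": [
        Rule("finance", frozenset({"use"})),
        Rule("bob", frozenset({"use"}), effect="deny"),   # explicit deny beats the group allow
        Rule("admins", frozenset({"use", "modify"})),
    ],
}


def subjects_for(user: str) -> Set[str]:
    """The user itself plus every group it belongs to."""
    return {user} | {g for g, members in GROUPS.items() if user in members}


def entry_applies(rule: Rule, user: str, when: datetime, src_ip: str) -> bool:
    """Does this entry apply to this user, at this time, from this address?"""
    if rule.subject not in subjects_for(user):
        return False
    if rule.start is not None and when.time() < rule.start:
        return False
    if rule.end is not None and when.time() > rule.end:
        return False
    if rule.from_net is not None and ip_address(src_ip) not in ip_network(rule.from_net):
        return False
    return True


def check_access(user: str, obj: str, right: str, when: datetime, src_ip: str) -> bool:
    """Default deny; a matching deny entry wins over any matching allow entry."""
    applicable = [r for r in ACL.get(obj, [])
                  if entry_applies(r, user, when, src_ip) and right in r.rights]
    if any(r.effect == "deny" for r in applicable):
        return False
    return any(r.effect == "allow" for r in applicable)


def capability_table(user: str) -> Dict[str, FrozenSet[str]]:
    """The same policy indexed by subject: object -> rights the user could hold.
    Time and location are left out because they can only be decided per request."""
    table: Dict[str, FrozenSet[str]] = {}
    for obj, rules in ACL.items():
        mine = [r for r in rules if r.subject in subjects_for(user)]
        allowed = frozenset().union(*(r.rights for r in mine if r.effect == "allow"))
        denied = frozenset().union(*(r.rights for r in mine if r.effect == "deny"))
        if allowed - denied:
            table[obj] = allowed - denied
    return table


if __name__ == "__main__":
    print(check_access("alice", "payroll.xlsx", "write", OFFICE_HOURS, "10.1.2.3"))
    print(check_access("alice", "payroll.xlsx", "write", OFFICE_HOURS, "203.0.113.9"))
    print(capability_table("bob"))
```

The capability table is derived from the ACL rather than stored separately, so the two views cannot drift apart; in a real system the per-request checks (time, source address) still have to run at access time, which is why they are absent from the static table.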
Figure 4-5 Windows XP ACLs
Configuration Rules
• Configuration rules are the specific configuration codes entered into security systems to guide the execution of the system when information is passing through it
• Rule policies are more specific to the operation of a system than ACLs, and may or may not deal with users directly
• Many security systems require specific configuration scripts telling the systems what actions to perform on each set of information they process
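A rule set of the kind the slide calls configuration rules, keyed on the traffic a system processes rather than on users, as an added example that is not part of the textbook slides. The rules, addresses and sample packets are constructed; the evaluation semantics (ordered rules, first match wins, implicit deny if nothing matches) are the common packet-filter model and are assumed here, as is the shadowing check, which catches the classic mistake of placing a broad allow above the specific deny it was meant to protect.

```python
"""Added example (not from the textbook slides): a first-match packet-filter
rule set illustrating "configuration rules" that do not deal with users.
Rules, networks and packets are constructed sample data; ordered first-match
evaluation with an implicit final deny is the usual firewall model."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class FilterRule:
    action: str                   # "allow" or "deny"
    proto: str                    # "tcp", "udp" or "any"
    src: str                      # source CIDR
    dst: str                      # destination CIDR
    dport: Optional[int] = None   # destination port; None matches any port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


# Constructed policy: the quarantine subnet must not reach the bastion over SSH,
# the rest of the site may, and everyone may query the internal resolver.
RULES: List[FilterRule] = [
    FilterRule("deny", "tcp", "10.0.5.0/24", "10.0.1.10/32", 22),
    FilterRule("allow", "tcp", "10.0.0.0/16", "10.0.1.10/32", 22),
    FilterRule("allow", "udp", "10.0.0.0/16", "10.0.1.53/32", 53),
]

# The same rules with the broad allow moved above the specific deny.
MISORDERED: List[FilterRule] = [RULES[1], RULES[0], RULES[2]]


def matches(rule: FilterRule, pkt: Packet) -> bool:
    return ((rule.proto == "any" or rule.proto == pkt.proto)
            and ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(rules: List[FilterRule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the rule that fired); implicit deny if none match."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, i
    return "deny", None


def shadowed_rules(rules: List[FilterRule]) -> List[int]:
    """Indexes of rules that can never fire because an earlier rule already
    covers everything they match (same or wider proto/port, superset networks)."""
    shadowed = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if (earlier.proto in ("any", later.proto)
                    and ip_network(later.src).subnet_of(ip_network(earlier.src))
                    and ip_network(later.dst).subnet_of(ip_network(earlier.dst))
                    and earlier.dport in (None, later.dport)):
                shadowed.append(j)
                break
    return shadowed


if __name__ == "__main__":
    quarantined_ssh = Packet("tcp", "10.0.5.7", "10.0.1.10", 22)
    print(evaluate(RULES, quarantined_ssh))        # denied by rule 0
    print(evaluate(MISORDERED, quarantined_ssh))   # wrongly allowed by the broad rule
    print(shadowed_rules(MISORDERED))              # the deny that can never fire
```

Running the shadowing check as part of configuration review is cheap and catches a class of error that no amount of per-packet testing of the "happy path" will reveal, since the misordered policy still allows everything it is supposed to allow.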
ISMS (Information Security Management System)
• A set of policies and procedures for systematically managing an organization’s sensitive data
• Goal of an ISMS:
  – To minimize risk
  – To ensure business continuity by proactively limiting the impact of a security breach

ISMS
With an ISMS we are not intending to make the system ‘hacker proof’, but to develop a mechanism which can, to a large extent:
❑ Anticipate potential problems
❑ Prepare through proactive measures
❑ Protect against considerable damage
❑ Ensure recovery and restoration
‘Failure is not when you fall down, but when you fail to get up’
msb.intnet.mu 2004-04-29 / Information Security Seminar

Why ISMS?
• Information security that can be achieved through technical means alone is limited
• Security also depends on people, policies, processes and procedures
• Resources are limited
• It is not a one-off exercise, but an ongoing activity
All of these can be addressed effectively and efficiently only through a proper ISMS

Who needs an ISMS?
• Every organisation which values information needs to protect it, e.g.:
  • Banks
  • Call centers
  • IT companies
  • Government & parastatal bodies
  • Manufacturing concerns
  • Hospitals
  • Insurance companies
Benefits of ISMS
• Assurance through the discipline of compliance
• Risk management
• Secure environment (protection of IPRs)
• Minimized security breaches (continuity of business)
• Increased trust, customer confidence & business opportunities
Components of an information security management system
ISMS involves the following essential components:
- Management principles
- Resources
- Personnel
- Information security process

Management Principles
• Assumption of overall responsibility for information security
The topmost management level of an organization is responsible for the correct functioning of the institution in accordance with the institution's objectives, and is therefore also responsible for assuring information security, both internally and externally.
• Integrating information security
Information security must be integrated into all the institution's processes and projects in which information is processed and IT is utilised.
• Managing and maintaining information security
The management level must actively initiate, manage and supervise the security process, e.g.:
- A strategy for information security as well as information security objectives must be agreed upon.
- Sufficient resources must be made available for IT operations and information security.
- The IT security strategy must be reviewed regularly and the achievement of objectives monitored. Any vulnerabilities and faults detected must be corrected.

Resources for IT operations and information security
• Maintaining a particular level of information security always requires financial and personnel resources and time, which must be made available in sufficient quantities by the management level.
• A prerequisite for secure IT operations is an IT operation that functions well.
• Sufficient resources must therefore be made available for IT operations.

Involving personnel in the information security process
• Information security concerns all personnel without exception.
• By acting responsibly and with awareness, every individual can avoid damage and contribute to success.
• Awareness of information security must be raised, and appropriate training provided, for staff members as well as for management personnel.
• This must also involve teaching them about the security-related aspects of their job.
• If personnel leave the institution or their responsibilities change, this process must be accompanied by appropriate security safeguards (e.g. withdrawal of authorisations, return of keys and identity cards).

The information security process
• The management level must be aware of all the relevant prevailing conditions and must specify information security objectives based on the company's business targets.
• The procedure is planned with a security strategy to establish a continuous information security process.
• The security strategy is implemented with the help of a security concept and an information security organisation.

Conceptual Framework of ISMS
• ISMS provides a framework to establish, implement, operate, monitor, review, maintain and improve information security within an organization
• ISMS provides means to:
❑ Manage risks to suit the business activity
❑ Manage incident handling activities
❑ Build a security culture
❑ Conform to the requirements of the Standard
The conceptual framework of the Information Security Management System

The conceptual framework of ISMS
• Steps 3 and 4, the Risk Assessment and Risk Management process, are the heart of the ISMS. They transform, on the one hand, the rules and guidelines of the security policy and its targets and, on the other, the objectives of the ISMS into specific plans for the implementation of controls and mechanisms that aim at minimizing threats and vulnerabilities.
• The processes and activities related to steps 5 and 6 do not concern information risks as such. They are the operational actions required for the technical implementation, maintenance and control of security measures.
• Appropriate controls may be derived from existing sets of controls or mechanisms, usually included in information security standards and guidelines.
• Step 6 is the documented mapping of the identified risks, as they apply to the specific organization, onto the technical implementation of the security mechanisms the organization has decided to deploy.
• Finally, although the ISMS as a whole is a recurring process, steps 1 and 2 recur on a longer cycle than steps 3, 4, 5 and 6. This is mainly because establishing a security policy and defining the ISMS scope are management and strategic issues, whereas the Risk Management process is an everyday operational concern.

Risk Management
• Risk Management and Risk Assessment are major components of an Information Security Management System (ISMS).
• Risk management can be defined as “the process of identifying vulnerabilities and threats within the framework of an organization, as well as producing some measurements to minimize their impact over the informational resources”. This risk management process includes some basic sub-processes.
• Risk Assessment covers three steps: risk identification, risk analysis and risk evaluation.
• Every organization is continuously exposed to an endless number of new or changing threats and vulnerabilities that may affect its operation or the fulfilment of its objectives.
• Identification, analysis and evaluation of these threats and vulnerabilities are the only way to understand and measure the impact of the risk involved, and hence to decide on the appropriate measures and controls to manage them.