
What is Security?

• “The quality or state of being secure—to be free from danger”
• A successful organization should have multiple
layers of security in place:
– Physical security
– Personal security
– Operations security
– Communications security
– Network security
– Information security
Principles of Information Security, 3rd Edition, slide 1
What is Information Security?
• The protection of information and its critical elements,
including systems and hardware that use, store, and
transmit that information
• Necessary tools or controls: policy, awareness,
training, education, technology
• The C.I.A. triangle was the standard, based on confidentiality,
integrity, and availability
• The C.I.A. triangle has now been expanded into a list of critical
characteristics of information

Components of Information System
• Hardware
• Software
• Data
• People
• Procedures – using information as a resource
within and outside the organization.
Controls in IT Environments
• There are two general methods of implementing
such technical controls:
– Access control lists
– Configuration rules
Access Control Lists
• Include the user access lists, matrices, and
capability tables that govern the rights and
privileges
• A similar method that specifies which subjects and
objects users or groups can access is called a
capability table
• These specifications are frequently complex
matrices, rather than simple lists or tables
• In general, ACLs enable administrators to restrict
access according to user, computer, time, duration,
or even a particular file
Management of Information Security, 2nd ed. - Chapter 4, Slide 6
ACLs
• In general, ACLs regulate:
– Who can use the system
– What authorized users can access
– When authorized users can access the system
– Where authorized users can access the system
from
– How authorized users can access the system
– Restricting what users can access, e.g., printers,
files, communications, and applications
ACLs (continued)
• Administrators set user privileges, such as:
– Read
– Write
– Create
– Modify
– Delete
– Compare
– Copy
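To make the who / what / when / where / how dimensions and the privilege list above concrete, here is an added example (not from the slides or the textbook): a small default-deny ACL evaluator, plus a subject-centred capability table built from the same entries. All users, groups, objects and networks are constructed sample data.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network

# Privilege names are the ones listed on the "Administrators set user privileges" slide.
PRIVILEGES = {"read", "write", "create", "modify", "delete", "compare", "copy"}

@dataclass(frozen=True)
class AclEntry:
    subject: str                   # who: a user or a group
    obj: str                       # what: the protected object
    privileges: frozenset          # how: rights granted on that object
    start: str = "00:00"           # when: start of the allowed time-of-day window
    end: str = "23:59"             # when: end of the allowed window
    from_net: str = "0.0.0.0/0"    # where: source network the access may come from

# Constructed sample data (hypothetical users, groups, objects and entries).
GROUPS = {"alice": {"finance"}, "bob": {"helpdesk"}}
ACL = [
    AclEntry("finance", "/payroll.xlsx", frozenset({"read", "write", "copy"}),
             start="08:00", end="18:00", from_net="10.0.0.0/8"),
    AclEntry("helpdesk", "printer-01", frozenset({"read", "write"})),
    AclEntry("bob", "/payroll.xlsx", frozenset({"read"}), from_net="10.1.0.0/16"),
]

def permitted(user, obj, privilege, at, src_ip, acl=ACL):
    """Default deny: grant only if an entry for the user or one of the user's
    groups gives the privilege on the object, inside the entry's time window
    (`at` is "HH:MM") and from inside the entry's source network."""
    if privilege not in PRIVILEGES:
        raise ValueError(f"unknown privilege {privilege!r}")
    subjects = {user} | GROUPS.get(user, set())
    now, src = time.fromisoformat(at), ip_address(src_ip)
    for e in acl:
        if (e.subject in subjects and e.obj == obj and privilege in e.privileges
                and time.fromisoformat(e.start) <= now <= time.fromisoformat(e.end)
                and src in ip_network(e.from_net)):
            return True
    return False

def capability_table(acl=ACL):
    """Subject-centred view of the same entries: for each subject, the objects it
    may reach and the rights it holds there (the slides' "capability table")."""
    table = {}
    for e in acl:
        table.setdefault(e.subject, {}).setdefault(e.obj, set()).update(e.privileges)
    return table
```

Every dimension is checked, so a request from the right user at the wrong time or from the wrong network is refused even though the privilege itself is granted.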

Figure 4-5: Windows XP ACLs
Configuration Rules
• Configuration rules are the specific configuration
codes entered into security systems to guide the
execution of the system when information is
passing through it
• Rule policies are more specific to the operation of
a system than ACLs, and may or may not deal with
users directly
• Many security systems require specific
configuration scripts telling the systems what
actions to perform on each set of information
they process
Figure 4-6: Firewall Configuration Rules
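As an added example of the configuration rules just described (not the textbook's Figure 4-6 and not any vendor's syntax), the following evaluates constructed firewall rules top-down with first match wins and an implicit default deny, and also flags "shadowed" rules that can never fire because an earlier rule already covers them, a common mistake when rule scripts grow.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    src: str      # source network, e.g. "10.0.0.0/8"
    dst: str      # destination network
    proto: str    # "tcp", "udp" or "any"
    ports: tuple  # (low, high) destination port range, inclusive
    action: str   # "allow" or "deny"

    def matches(self, src_ip, dst_ip, proto, port):
        """Does one packet (constructed 5-tuple minus source port) hit this rule?"""
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst)
                and self.proto in ("any", proto)
                and self.ports[0] <= port <= self.ports[1])

    def covers(self, other):
        """True if every packet matching `other` would also match this rule."""
        return (ip_network(other.src).subnet_of(ip_network(self.src))
                and ip_network(other.dst).subnet_of(ip_network(self.dst))
                and self.proto in ("any", other.proto)
                and self.ports[0] <= other.ports[0] and other.ports[1] <= self.ports[1])

# Constructed sample rule set (hypothetical addresses), evaluated in order.
RULES = [
    Rule("0.0.0.0/0", "10.10.10.25/32", "tcp", (443, 443), "allow"),         # public web server
    Rule("192.168.1.0/24", "10.10.10.0/24", "tcp", (22, 22), "allow"),       # admin SSH
    Rule("0.0.0.0/0", "10.10.10.0/24", "any", (0, 65535), "deny"),           # cleanup rule
    Rule("192.168.1.0/24", "10.10.10.0/24", "tcp", (3389, 3389), "allow"),   # never reached
]

def decide(src_ip, dst_ip, proto, port, rules=RULES):
    """Return (action, index of the rule that fired); None index means default deny."""
    for i, r in enumerate(rules):
        if r.matches(src_ip, dst_ip, proto, port):
            return r.action, i
    return "deny", None

def shadowed_rules(rules=RULES):
    """Indices of rules that can never fire because an earlier rule covers them."""
    return [j for j, r in enumerate(rules)
            if any(rules[i].covers(r) for i in range(j))]
```

Running `shadowed_rules()` on the sample set reports the last rule: the cleanup rule above it already denies that traffic, so the intended allow is silently ineffective.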
ISMS (Information Security Management System)
• A set of policies and procedures for
systematically managing an organization’s
sensitive data
• Goals of an ISMS:
– To minimize risk
– To ensure business continuity by proactively
limiting the impact of a security breach.
ISMS
With an ISMS we are not intending to make
the system ‘hacker proof’ but develop a
mechanism which can, to a large extent:
❑ Anticipate potential problems
❑ Prepare through proactive measures
❑ Protect against considerable damages
❑ Ensure recovery and restoration
‘Failure is not when you fall down, but when you
fail to get up’
msb.intnet.mu 2004-04-29/ Information Security Seminar 13
Why ISMS ?
• Information security that can be achieved
through technical means is limited
• Security also depends on people, policies,
processes and procedures
• Resources are limited
• It is not a once off exercise, but an ongoing
activity
All these can be addressed effectively and
efficiently only through a proper ISMS
Who needs an ISMS?
• Every organisation which values information
needs to protect it, e.g.:
– Banks
– Call centers
– IT companies
– Government & parastatal bodies
– Manufacturing concerns
– Hospitals
– Insurance companies
Benefits of ISMS
• Assurance through discipline of compliance
• Risk management
• Secure environment (protection of IPRs)
• Minimize security breaches (continuity of
business)
• Increase trust & customer confidence &
business opportunities

Components of an information security management system

An ISMS involves the following essential components:
- Management Principles
- Resources
- Personnel
- Information security process
Management Principles
• Assumption of overall responsibility for information security
The topmost management level of an organization is responsible for the correct
functioning of the institution in accordance with the institution's objectives and
is therefore also responsible for assuring information security both on the inside
and out.
• Integrating information security
Information security must be integrated into all the institution's processes and
projects in which information is processed and IT is utilised.
• Managing and maintaining information security
The management level must actively initiate, manage and supervise the security
process. e.g.
- A strategy for information security as well as information security objectives
must be agreed upon.
- Sufficient resources must be made available for IT operations and information
security.
- The IT security strategy must be reviewed regularly and the achievement of
objectives monitored. Any vulnerabilities and faults detected must be corrected.
Resources for IT operations and information security
• Maintaining a particular level of information security always
requires financial and personnel resources and time, which
must be made available in sufficient quantities by the
management level.
• A prerequisite for secure IT operations is an IT operation that
functions well.
• Sufficient resources must therefore be made available for IT
operations.
Involving personnel in the information security process
• Information security concerns all personnel without exception.
• By acting responsibly and with awareness, every individual can
avoid damages and contribute to success.
• Awareness of information security must be increased, and
appropriate training provided for staff members as well as for
management personnel.
• This must also involve teaching them about the
security-related aspects of their job.
• If personnel leave the institution or their responsibilities
change, this process must be accompanied by appropriate
security safeguards (e.g. withdrawal of authorisation, returning
keys and identity cards).
The information security process
• The management level must be aware of all the
relevant prevailing conditions and must specify
information security objectives based on the
company's business targets.
• The procedure is planned with a security strategy to
establish a continuous information security process.
• The security strategy is implemented with the help of
a security concept and an information security
organisation.
Conceptual Framework of ISMS
• ISMS provides a framework to establish,
implement, operate, monitor, review, maintain
and improve the information security within an
organization
• ISMS provides means to
❑ Manage risks to suit the business activity
❑ Manage incident handling activities
❑ Build a security culture
❑ Conform to the requirements of the Standard

Figure: The conceptual framework of the Information Security Management System
The conceptual framework of ISMS
• Steps 3 and 4, the Risk Assessment and Management process, comprise the
heart of the ISMS. They are the processes that “transform” the rules and
guidelines of the security policy and its targets on the one hand, and the
objectives of the ISMS on the other, into specific plans for the implementation
of controls and mechanisms that aim at minimizing threats and vulnerabilities.
• The processes and activities related to steps 5 and 6 do not concern
information risks. They are rather related to the operative actions required
for the technical implementation, maintenance and control of security
measures.
• Appropriate controls may be derived from existing sets of controls or
mechanisms, usually included in information security standards and
guidelines.
• Step 6 is the documented mapping of the identified risks, applied to the
specific organization, onto the technical implementation of the security
mechanisms the organization has decided to deploy.
• Finally, although the ISMS is a recurring process as a whole, steps 1 and 2
recur on a longer cycle than steps 3, 4, 5 and 6. This is mainly because the
establishment of a security policy and the definition of the ISMS scope are
more often management and strategic issues, while the Risk Management
process is an everyday operational concern.
Risk Management
• Risk Management and Risk Assessment are major components of an
Information Security Management System (ISMS).
• Risk management can be defined as “the process of identifying
vulnerabilities and threats within the framework of an organization,
as well as producing some measurements to minimize their impact
over the informational resources”. Risk management includes
several basic processes.
• Risk Assessment covers three steps: risk identification, risk
analysis and risk evaluation.
• Every organization is continuously exposed to an endless number of
new or changing threats and vulnerabilities that may affect its
operation or the fulfillment of its objectives.
• Identification, analysis and evaluation of these threats and
vulnerabilities are the only way to understand and measure the
impact of the risk involved and hence to decide on the appropriate
measures and controls to manage them.