
University of Guyana

CSE 3100: Information Assurance and Security
Session 01 – September 16, 2022

Lecturer: Jerome Allicock



Session Outline
1. Introduction
2. About CSE 3100: description, learning objectives, required readings, session schedules, weekly topics, course assessment
3. Intro to Information Assurance (IA): learning objectives
4. The need for Information Assurance
5. IA core principles
6. IA architecture framework
7. IA process & model
8. IA vs InfoSec & views
9. Scope of Information Assurance
10. The security paradigm
11. A bit on risk
12. Security big picture


Hello!
Mr. Jerome Allicock B.Sc., IMBA.
⬡ 12+ years in Telecoms
⬡ 7+ years in Revenue Assurance
⬡ Entrepreneur & Tech Enthusiast
⬡ Contact #: 621-5866
⬡ Email: jerome.allicock@uog.edu.gy


CSE 3100 Description

⬡ This course is a third-year, first-semester course intended for students pursuing the four-year full-time degree program.

⬡ The course equips students with the analytical foundation needed to apply information security knowledge in practice.

⬡ Students will be introduced to current, real-world cases that are widely reviewed in the practitioner community.


CSE 3100 Description Cont’d

⬡ CSE 3100 “Information Assurance (IA) & Security” is a dedicated study that will equip you with the knowledge and skills to:
- Assess risks
- Be aware of the threats and vulnerabilities associated with the use of various computing technologies
- Reduce the risks associated with the access, storage, transmission and processing of data/information
- Implement reaction plans for service restoration and business continuity


CSE 3100 Description Cont’d

⬡ Security encompasses:
- Computer security
- Communications security
- Operations security
- Physical security

⬡ The core elements of the course are:
- Risk assessment
- Data and systems protection
- Threat & vulnerability detection
- Reaction/response plans


Learning Objectives
⬡ By the end of this course students will be able to:
- Describe the nature of security risk in a business and an IT context.
- Compare and apply several models for security risk assessment.
- Facilitate a risk assessment process and gain consensus on risk-based decisions.
- Incorporate risk assessment into an IT security plan.


Required Readings
⬡ Information Assurance: Security in the Information Environment by Andrew Blyth and Gerald L. Kovacich
⬡ Information Assurance: Managing Organizational IT Security Risks by Joseph Boyce and Daniel Jennings
⬡ Information Assurance and Security Technologies for Risk Assessment and Threat Management: Advances by Te-Shun Chou

Lecture Sessions
⬡ Fridays @ 04:15PM – 07:15PM
- 3 hrs lecture time weekly
- 2 hrs tutorial sessions weekly


Weekly Topics
⬡ Introduction to Information Assurance
⬡ Metrics for Information Assurance /Risk Assessment
⬡ Networking and Cryptography
⬡ Information Assurance Planning and Deployment
⬡ Vulnerabilities and Protection
⬡ Identity and Trust Technologies
⬡ Verification and Evaluation
⬡ Incident Response
⬡ Human Factors / Cultural Anthropology
⬡ Legal, Ethical, and Social Implications


Course Assessment
⬡ Coursework: 40%
- Tests (20%), Assignments (20%)
⬡ Finals: 60%

Course Requirements
⬡ Attend all class sessions and labs
⬡ Read the slides and other required/assigned readings before class
⬡ Participate in class discussions
⬡ Submit all assignments within the submission period


“Passwords are like underwear: don’t let people see it, change it very often, and you shouldn’t share it with strangers.”
Chris Pirillo


Information Assurance & Security

Learning Objectives
⬡ Understand the concept of Information Assurance.
⬡ Explain the need for and importance of Information Assurance.
⬡ Identify the core principles surrounding IA.
⬡ Describe the IA architecture framework, process and model.
⬡ Distinguish Information Assurance from Information Security.
⬡ Give an overview of risk management and security.


Brief Re-cap

Baltzan, Paige 2017. Information Systems. 4/e, McGraw Hill. ISBN: 978-1-259-81429-7


What is Information?
⬡ “Information is data endowed with relevance and purpose. Converting data into information thus requires knowledge. Knowledge by definition is specialized.” (Blyth and Kovacich, p. 17)

⬡ Characteristics that information should possess to be useful:
- Accurate, timely, complete, verifiable, consistent, available

What is Information Assurance?
⬡ Measures that protect and defend information and information systems by ensuring their:
- Availability, integrity, authentication, confidentiality and nonrepudiation

⬡ These measures include providing for the restoration of information systems by incorporating:
- Protection, detection and reaction capabilities


What is Information Assurance?

⬡ IA defines and applies a collection of policies, standards, methodologies, services and mechanisms to maintain mission integrity with respect to people, process, technology, information and supporting infrastructure.

⬡ IA provides for the confidentiality, integrity, availability, possession, utility, authenticity, nonrepudiation, authorized use and privacy of information in all forms and during all exchanges.

⬡ Information assurance is the practice of managing information-related risks.

⬡ More specifically, IA practitioners seek to protect and defend information and information systems by ensuring:
- Confidentiality, integrity, authentication, availability and non-repudiation

⬡ These goals apply whether the information is in storage, processing or transit, and whether it is threatened by malice or by accident.

⬡ In other words, IA is the process of ensuring that authorized users have access to authorized information at the authorized time.
Why Do We Need Information Assurance?
⬡ Discussions on…
- Ecommerce
- Banking
- Business processes
- National defense
- Mission-critical information processing
- Aircraft flight management systems
- Other navigation systems

Aspects of Information Assurance taken from Storage Networking Industry Association, 2009, “Introduction to Information Assurance”

IA Core Principles
⬡ Confidentiality – information is disclosed only to authorized users
⬡ Integrity – information remains in its original, intended form
⬡ Availability – information is ready for use within stated operational parameters
⬡ Possession – information remains in the custody of authorized personnel
⬡ Authenticity – information conforms to reality and is not misrepresented
⬡ Utility – information is fit for its purpose and in a usable state
⬡ Privacy – protection of personal information and adherence to the relevant privacy regulations
⬡ Authorized Use – information is available only to authorized personnel
⬡ Nonrepudiation – the originator of a message or transaction cannot later deny the action

Image source: https://www.naavi.org/wp/starting-an-information-assurance-program/
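The line between integrity, authenticity and nonrepudiation is easy to blur, so here is an added example (not part of the lecture slides) that shows it in working Python using only the standard library: a SHA-256 digest gives integrity, an HMAC tag adds authentication, and a deliberately forged tag shows why a shared-key MAC cannot give nonrepudiation. The transaction text, the names Alice and Bob, the generated key and all function names are constructed for the demo.

```python
"""Added example: integrity, authentication and the nonrepudiation gap, using only
the Python standard library. The message and key below are constructed for the demo."""
import hashlib
import hmac
import secrets

# Constructed sample transaction. Assumption: Alice (sender) and Bob (receiver)
# already share SHARED_KEY over a secure channel.
MESSAGE = b"Transfer GYD 50,000 from account 1234 to account 9876"
SHARED_KEY = secrets.token_bytes(32)


def integrity_digest(data: bytes) -> str:
    """Integrity only: a SHA-256 digest reveals any change to the data, but anyone
    who alters the data can recompute a matching digest, so it proves no origin."""
    return hashlib.sha256(data).hexdigest()


def authenticate(key: bytes, message: bytes) -> bytes:
    """Integrity + authentication: an HMAC tag can only be produced by a key holder."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Constant-time comparison so the verifier does not leak the tag byte by byte."""
    return hmac.compare_digest(authenticate(key, message), tag)


def tamper_detected(key: bytes, message: bytes, tag: bytes, altered: bytes) -> bool:
    """True when the original verifies but an altered copy fails against the same tag."""
    return verify(key, message, tag) and not verify(key, altered, tag)


def receiver_can_forge(key: bytes) -> bool:
    """The nonrepudiation gap: Bob holds the same key as Alice, so a tag he mints on a
    message Alice never sent verifies just as well. A third party cannot tell whose
    key produced it, so Alice can deny the original. Closing this gap needs a digital
    signature made with a private key that only Alice holds."""
    forged = b"Transfer GYD 500,000 from account 1234 to account 9876"
    forged_tag = authenticate(key, forged)  # produced by the receiver, not the sender
    return verify(key, forged, forged_tag)


if __name__ == "__main__":
    tag = authenticate(SHARED_KEY, MESSAGE)
    altered = MESSAGE.replace(b"50,000", b"500,000")
    print("digest of original :", integrity_digest(MESSAGE))
    print("digest of altered  :", integrity_digest(altered))
    print("tag verifies       :", verify(SHARED_KEY, MESSAGE, tag))
    print("tamper detected    :", tamper_detected(SHARED_KEY, MESSAGE, tag, altered))
    print("receiver can forge :", receiver_can_forge(SHARED_KEY))
```

Run it and the last line prints True: the receiver produced a valid tag on a message the sender never issued. A digital signature made with a private key that only the sender holds closes that gap, which is why nonrepudiation is listed above as a separate principle and not folded into integrity or authentication.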


IA Architecture Framework
⬡ Conceptual structure for defining and describing an IA architecture

⬡ The IA root driver is risk
- Business drivers
- Technical drivers

⬡ IA architectural perspectives
- People
- Policy
- Business process
- System & application
- Information/data
- Infrastructure


Information Assurance Process

⬡ Enumeration & classification of the data/information assets
- value, state, location, sensitivity, form
⬡ Risk assessment (vulnerabilities & threats)
⬡ Risk analysis (probability & impact)
⬡ Risk management (treatment, systems)
⬡ Test, review, monitor
⬡ Repeat…


Information Assurance Model

⬡ The IA Model is a tool dedicated to defending 3 key elements:
- People – training, ethics, culture, education, motivation
- Process – procedures, rules, standards, security guidelines
- Technology – tools to mitigate attacks, e.g. firewalls, antivirus, encryption, etc.

Image source: https://cybersecnugget.wordpress.com/2015/04/26/it-security-modelling-tools-information-assurance-model/

IA vs Information Security (InfoSec)
⬡ IA is a complete process/model that includes the elements of InfoSec

⬡ Both involve people, processes, techniques and technology, e.g. administrative, technical and physical controls

⬡ The two terms are often (incorrectly) used interchangeably

⬡ InfoSec – confidentiality, integrity and availability, also known as the CIA triad

⬡ IA explicitly adds reliability, access control and nonrepudiation, along with a strong emphasis on strategic risk management

⬡ Information security management systems (ISMSs) are more closely aligned with IA

⬡ Common security frameworks include ISO/IEC 27001 and 27002 (2005/2006 editions), ITGI, COBIT, COSO, FFIEC, NIST, CICA, ITCG, OGC and ITIL

Scope Of Information Assurance

Image source: https://www.researchgate.net/figure/Relationship-Between-IA-and-INFOSEC-Information-Assurance-is-now-viewed-as-both_fig3_235470635

The Security Paradigm
⬡ Principle 1: The Hacker will probably be someone you know

⬡ Principle 2: Trust No One

⬡ Principle 3: Make the hacker believe s/he will be caught

⬡ Principle 4: Protect in layers

⬡ Principle 5: While planning, presume complete failure of a single layer

⬡ Principle 6: Make security part of the initial design

⬡ Principle 7: Disable unneeded services, packages, features

⬡ Principle 8: Before connecting, understand and secure

⬡ Principle 9: Prepare for the worst


Reference Model of Information Assurance and Security (RMIAS)
Image source: https://commons.wikimedia.org/wiki/File:A_Reference_Model_of_Information_Assurance_and_Security_%28RMIAS%29.png

Risk Management Lifecycle
Image source: https://www.snia.org/sites/default/education/tutorials/2009/spring/security/EricHibbard-Introduction-Information-Assurance.pdf

Security Big Picture

Image source: https://www.snia.org/sites/default/education/tutorials/2009/spring/security/EricHibbard-Introduction-Information-Assurance.pdf


Risk Treatment Decision Making Process

Image source: https://www.snia.org/sites/default/education/tutorials/2009/spring/security/EricHibbard-Introduction-Information-Assurance.pdf


Risk Treatment Options

⬡ Risk Avoidance – eliminate the activity or exposure so that the compromising event cannot occur at all
⬡ Risk Transfer – contractually shift a pure risk from one party to another (e.g. insurance or outsourcing)
⬡ Risk Reduction – apply controls that lower the likelihood or the impact of the risk
⬡ Risk Retention – knowingly keep the risk and plan for dealing with it when it occurs
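The Information Assurance Process slide (enumerate and classify, assess, analyse probability and impact, treat, review, repeat) and these four treatment options come together in a risk register. The following is an added example, not from the slides, that builds a small one in Python: each asset carries a classification, a value, an exposure factor (impact) and an annual rate of occurrence (probability); annualized loss expectancy (ALE = asset value × exposure factor × annual rate) is the standard quantitative form of “probability and impact” and is assumed here rather than taken from the lecture. All assets, figures, class names and option names are constructed for the demo.

```python
"""Added example: a small quantitative risk register that walks the IA process
(classify the asset, estimate probability and impact, compare treatments, re-run).
All figures are constructed for illustration; the ALE formula is the standard
quantitative form of 'probability x impact' and is not taken from the slides."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Risk:
    asset: str
    sensitivity: str        # classification from the enumeration step
    asset_value: float      # value of the asset (here in GYD)
    exposure_factor: float  # impact: fraction of asset value lost per incident
    annual_rate: float      # probability: expected incidents per year (ARO)

    def single_loss(self) -> float:
        """Single loss expectancy (SLE) = asset value x exposure factor."""
        return self.asset_value * self.exposure_factor

    def annual_loss(self) -> float:
        """Annualized loss expectancy (ALE) = SLE x annual rate of occurrence."""
        return self.single_loss() * self.annual_rate


@dataclass(frozen=True)
class Treatment:
    option: str             # avoid / transfer / reduce / retain
    annual_cost: float      # control cost, insurance premium, or revenue forgone
    residual_rate: float    # annual rate after the treatment is applied
    residual_ef: float      # exposure factor after the treatment is applied


def residual_loss(risk: Risk, t: Treatment) -> float:
    """ALE that remains after the treatment."""
    return risk.asset_value * t.residual_ef * t.residual_rate


def net_benefit(risk: Risk, t: Treatment) -> float:
    """Loss removed minus what the treatment costs; negative means it is not worth it."""
    return risk.annual_loss() - residual_loss(risk, t) - t.annual_cost


def rank_by_ale(risks: List[Risk]) -> List[str]:
    """Risk analysis output: assets ordered by expected annual loss, largest first."""
    return [r.asset for r in sorted(risks, key=lambda r: r.annual_loss(), reverse=True)]


def choose_treatment(risk: Risk, options: List[Treatment]) -> Treatment:
    """Risk management: pick the option with the highest net benefit. 'Retain' has
    zero cost and zero benefit, so anything chosen over it must pay for itself."""
    return max(options, key=lambda t: net_benefit(risk, t))


# Constructed register for the demo.
CUSTOMER_DB = Risk("customer database", "confidential", 2_000_000, 0.5, 0.2)
PUBLIC_SITE = Risk("public website", "public", 300_000, 0.3, 1.0)

OPTIONS_FOR_DB = [
    Treatment("retain", 0, 0.2, 0.5),         # baseline: keep the risk as it is
    Treatment("reduce", 40_000, 0.05, 0.5),   # e.g. encryption at rest plus MFA
    Treatment("transfer", 60_000, 0.2, 0.2),  # e.g. insurance pays most of each loss
    Treatment("avoid", 150_000, 0.0, 0.5),    # e.g. stop storing the data; revenue forgone
]


if __name__ == "__main__":
    print("ranked by ALE:", rank_by_ale([PUBLIC_SITE, CUSTOMER_DB]))
    for t in OPTIONS_FOR_DB:
        print(f"{t.option:9s} net benefit {net_benefit(CUSTOMER_DB, t):>12,.0f}")
    print("chosen:", choose_treatment(CUSTOMER_DB, OPTIONS_FOR_DB).option)
```

Retain is the baseline with zero cost and zero benefit, so a treatment is chosen over it only when the loss it removes exceeds what it costs, which is the cost-versus-risk balance in the closing points. Avoid removes the whole expected loss but is charged the revenue forgone, and transfer leaves the rate untouched and shrinks only the exposure factor, which is how insurance behaves. The register is meant to be re-run whenever an estimate changes, which is the “test, review, monitor, repeat” step of the process.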

Points to note…

⬡ The root driver of IA is risk

⬡ Effective IA requires integration from inception

⬡ The weak link in security is most often the human element

⬡ Manage the risks or mitigate the consequences

⬡ A holistic approach to security includes people, the organization, governance, process and technology

⬡ The security program is expected to keep the organization out of trouble and out of the headlines

⬡ Implementing firewalls and hardening systems are no longer really security issues but operational ones

⬡ Risk management is a balance of cost and risk



Thanks!
Any questions?
