
IS 620:

Information
Security and Risk
Management
Information Security Concepts
ICT Revolution
• Has impacted all aspects of life
• Politics, Economics, Social, Technical
• Information has intrinsic value
• Protection of information has become a critical concern

Impacts of information
threats
• Financial Loss
• Loss of Sensitive Data
• Reputation Damage
• Legal and Regulatory Consequences
• Compromise of National Security

Financial Loss
• Example: the WannaCry ransomware attack in 2017
Legal and Regulatory Consequences
Global state of security
What is security?
• Security is the protection of assets
from harm to
• property: prevent burglary and theft of
property, i.e. physical security
• infrastructure: security of critical
infrastructures, i.e., societal security
• stability: political stability and national
integrity, i.e., national security
• life: security of life and health, i.e., safety
• environment: stop pollution and invasive
species, i.e., environmental security
• information: information security and
data protection

What is information
security?
• Is the protection of information assets
from damage or harm
• What are the assets to be protected?
• Example: data files, software, IT
equipment and infrastructure

• Covers both intentional and accidental events
• Threat agents can be humans or acts of
nature
• People can cause harm by accident or by
intent

The Internet changed
information security
• The Internet brings millions of
unsecured computer networks into
communication with each other.
• The ability to secure a computer’s data
is influenced by the security of every
computer to which it is connected.
• The growing threat of cyber-attacks has
increased the need for improved
security.
Can we remove
all vulnerabilities
once and for all?
No, we can’t

Why is security
difficult?
• Cyber threats are constantly evolving
• Human error or negligence
• Implementing and maintaining strong
security measures requires significant
resources
• Rapid Technological Advancement
• Interconnectedness
• Modern IT systems are complex

Therefore,
information
security doesn't
have a final goal
It’s a continuing process

Security services
• A security service supports a general
security goal
• The traditional definition of
information security is to ensure the
three CIA security services/goals for
data and systems:
• Confidentiality
• Integrity
• Availability

Security objectives
Security control
categories
Security control by
function
• Preventive controls:
• Prevent attempts to exploit vulnerabilities
• Example: encryption of files

• Detective controls:
• Warn of attempts to exploit vulnerabilities
• Example: Intrusion detection systems
(IDS)

• Corrective controls:
• Correct errors or irregularities that have
been detected.
• Example: Restoring all applications from
the last known good image to bring a
corrupted system back online
Use a
combination of
controls
To ensure that the organisational processes,
people, and technology operate within
prescribed bounds.

Controls by information
states
• Information security involves
protecting information assets from
harm or damage.
• Information is considered in one of
three possible states:
• During storage: Information storage
containers; Electronic, physical, human
• During transmission: Physical or
electronic
• During processing (use): Physical or
electronic

Security controls
for all
information states
are needed
Security services and
controls
• Security services (security goals or
properties) are
• implementation-independent
• supported by specific controls

• Security controls (mechanisms) are


• Practical mechanisms, actions, tools or
procedures that are used to provide
security services

Confidentiality
• The property that information is not
made available or disclosed to
unauthorized individuals, entities, or
processes.
• Can be divided into:
• Secrecy: Protecting business data
• Privacy: Protecting personal data
• Anonymity: Hide who is engaging in what
actions

• Main threats: Information theft, unintentional disclosure
• Controls: Encryption, Access Control, Perimeter defense

Integrity
• Data Integrity: The property that data has not been altered or destroyed in an unauthorized manner.
• System Integrity: The property of accuracy and completeness; the system performs its intended function free from unauthorized manipulation.
• This can include the accountability of actions.
• Threats: Data and system corruption,
loss of accountability
• Controls:
• Hashing and checksums
• Authentication, access control, and
logging
• Digital signatures
• Configuration management and change
control (system integrity)

Accountability
(considered part of
integrity)
• Goal: Trace action to a specific user
and hold them responsible
• Audit information must be selectively kept
and protected so that actions affecting
security can be traced to the responsible
party (TCSEC/Orange Book)

• Threats:
• Inability to identify the source of incident
• Inability to make attacker responsible

• Controls: Identify and authenticate users, log all system events (audit), electronic signature, non-repudiation based on digital signature, forensics

Availability
• The property of being accessible and
usable upon demand by an authorized
entity.
• Threats: Denial of Service (DoS),
equipment failure, natural disasters
• Controls: Redundancy and failover
systems, DDoS mitigation strategies,
regular system backups, disaster
recovery, and business continuity
planning.

Authentication
• Verifying the identity of a user, process,
or device, often as a prerequisite to
allowing access to resources in a
system.
• Threats: Identity theft, phishing
attacks, credential stuffing.
• Controls: Multi-factor authentication
(MFA), strong password policies,
biometric verification systems, and
security awareness training to
recognize phishing.
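The detective-control example (IDS) and the credential-stuffing threat above, as an added worked example in Go. This is not code from the course slides: it parses a constructed login log, counts failed logins per source address inside a look-back window, and separates credential stuffing (many accounts, a try or two each, the pattern a per-account lockout never sees) from password brute force (one account, many tries). The log format, the addresses, the SampleNow timestamp and the thresholds are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

type AuthEvent struct {
	At     time.Time
	User   string
	Src    string
	Failed bool
}

type Alert struct {
	Src, Kind               string // Kind: "credential stuffing" or "password brute force"
	Failures, DistinctUsers int
}

// Constructed sample: the detector's "now", and a log in a made-up format
// "<RFC3339 time> auth login user=<name> src=<ip> result=<ok|fail>".
var SampleNow = time.Date(2024, 5, 1, 10, 1, 0, 0, time.UTC)
var SampleLog = []string{
	"2024-05-01T10:00:01Z auth login user=alice src=203.0.113.5 result=fail",
	"2024-05-01T10:00:02Z auth login user=bob src=203.0.113.5 result=fail",
	"2024-05-01T10:00:03Z auth login user=carol src=203.0.113.5 result=fail",
	"2024-05-01T10:00:04Z auth login user=dave src=203.0.113.5 result=ok",
	"2024-05-01T10:00:10Z auth login user=alice src=198.51.100.7 result=fail",
	"2024-05-01T10:00:11Z auth login user=alice src=198.51.100.7 result=fail",
	"2024-05-01T10:00:20Z auth login user=frank src=192.0.2.9 result=fail",
	"2024-05-01T09:00:00Z auth login user=grace src=192.0.2.9 result=fail", // an hour old: outside a 5-minute window
}

// ParseLine parses one line of the format above.
func ParseLine(line string) (AuthEvent, error) {
	var ts, user, src, result string
	if _, err := fmt.Sscanf(line, "%s auth login user=%s src=%s result=%s", &ts, &user, &src, &result); err != nil {
		return AuthEvent{}, fmt.Errorf("malformed line %q: %w", line, err)
	}
	at, err := time.Parse(time.RFC3339, ts)
	if err != nil {
		return AuthEvent{}, err
	}
	return AuthEvent{At: at, User: user, Src: src, Failed: result == "fail"}, nil
}

// ParseLog parses every line; a malformed line is an error, not a silently dropped event.
func ParseLog(lines []string) ([]AuthEvent, error) {
	var events []AuthEvent
	for _, l := range lines {
		ev, err := ParseLine(l)
		if err != nil {
			return nil, err
		}
		events = append(events, ev)
	}
	return events, nil
}

// Detect counts failed logins per source address inside the look-back window.
// Failures spread across many accounts is the credential-stuffing pattern (leaked
// username/password pairs tried once each); many failures on one account is brute force.
func Detect(events []AuthEvent, now time.Time, window time.Duration, minFailures, minUsers int) []Alert {
	cutoff := now.Add(-window)
	fails := map[string]int{}
	users := map[string]map[string]bool{}
	for _, ev := range events {
		if !ev.Failed || ev.At.Before(cutoff) {
			continue
		}
		fails[ev.Src]++
		if users[ev.Src] == nil {
			users[ev.Src] = map[string]bool{}
		}
		users[ev.Src][ev.User] = true
	}
	var alerts []Alert
	for src, n := range fails {
		if n < minFailures {
			continue
		}
		kind := "password brute force"
		if len(users[src]) >= minUsers {
			kind = "credential stuffing"
		}
		alerts = append(alerts, Alert{Src: src, Kind: kind, Failures: n, DistinctUsers: len(users[src])})
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].Src < alerts[j].Src })
	return alerts
}

func main() {
	events, err := ParseLog(SampleLog)
	if err != nil {
		panic(err)
	}
	for _, a := range Detect(events, SampleNow, 5*time.Minute, 2, 3) {
		fmt.Printf("%s: %d failures over %d accounts: %s\n", a.Src, a.Failures, a.DistinctUsers, a.Kind)
	}
}
```

With a 5-minute window and a threshold of two failures, 203.0.113.5 is reported as credential stuffing and 198.51.100.7 as brute force; 192.0.2.9 stays quiet because one of its two failures is an hour old. Widening the window to a day pulls that stale failure back in, which is the usual tuning trade-off between catching slow attacks and drowning in noise.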

Taxonomy of
authentication
Non-repudiation (strong
form of data
authentication)
• Goal: Making the sending and receiving of
messages undeniable through unforgeable
evidence.
• Non-repudiation of origin: proof that data
was sent.
• Non-repudiation of delivery: proof that
data was received.
• NB: imprecise interpretation: Has a
message been received and read just
because it has been delivered to your
mailbox?

• Main threats:
• Sender falsely denying having sent
message
• Recipient falsely denying having received
message

• Control: digital signature


• Cryptographic evidence that a third party
can confirm
• Data origin authentication and non-
repudiation are similar – Data origin
authentication only provides proof to
recipient party
• Non-repudiation also provides proof to
third parties
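The integrity controls listed earlier (hashing and checksums, digital signatures) and the distinction just drawn between data origin authentication and non-repudiation, as one added worked example in Go. It is not code from the course slides. It puts the three mechanisms side by side on a constructed message: a bare SHA-256 digest, which an attacker who can edit the data can simply recompute; an HMAC under a shared key, which proves origin to the recipient but, because the recipient holds the same key, proves nothing to a third party; and an Ed25519 signature, which anyone with the public key can verify. The message, the attacker's edit and the shared key are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Checksum is a bare SHA-256 digest. It detects accidental corruption, but an
// attacker who can change the data can recompute it, so it only protects
// integrity when the digest is kept where the attacker cannot write (a signed
// manifest, a read-only record, an out-of-band channel).
func Checksum(data []byte) []byte {
	sum := sha256.Sum256(data)
	return sum[:]
}

// ChecksumMatches compares data against a previously recorded digest.
func ChecksumMatches(data, expected []byte) bool {
	return bytes.Equal(Checksum(data), expected)
}

// Tag is HMAC-SHA256 under a key shared by sender and recipient. The recipient
// gets data origin authentication (nobody without the key can forge a tag), but
// a third party gets nothing: the recipient holds the same key and could have
// produced the tag itself.
func Tag(key, data []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(data)
	return m.Sum(nil)
}

// TagValid checks a tag in constant time.
func TagValid(key, data, tag []byte) bool {
	return hmac.Equal(Tag(key, data), tag)
}

// RecipientCanForge is the reason a MAC gives no non-repudiation: the recipient
// can mint a valid tag for a message the sender never sent.
func RecipientCanForge(sharedKey, fabricated []byte) bool {
	return TagValid(sharedKey, fabricated, Tag(sharedKey, fabricated))
}

// NewSigningKey generates an Ed25519 key pair: the private half stays with the
// sender, the public half can go to anyone, including an arbitrator.
func NewSigningKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Sign produces a digital signature with the sender's private key.
func Sign(priv ed25519.PrivateKey, data []byte) []byte {
	return ed25519.Sign(priv, data)
}

// SignatureValid needs only the public key, so the recipient and any third party
// run the same check; a valid signature is evidence the sender cannot deny.
func SignatureValid(pub ed25519.PublicKey, data, sig []byte) bool {
	return ed25519.Verify(pub, data, sig)
}

func main() {
	msg := []byte("pay 100 to account 42")      // constructed message
	tampered := []byte("pay 900 to account 42") // constructed attacker edit

	digest := Checksum(msg)
	fmt.Println("hash: original matches:", ChecksumMatches(msg, digest))
	fmt.Println("hash: tampered matches:", ChecksumMatches(tampered, digest))
	fmt.Println("hash: tampered with recomputed digest matches:", ChecksumMatches(tampered, Checksum(tampered)))

	key := []byte("shared secret, constructed for the example")
	tag := Tag(key, msg)
	fmt.Println("mac: original valid:", TagValid(key, msg, tag))
	fmt.Println("mac: tampered valid:", TagValid(key, tampered, tag))
	fmt.Println("mac: recipient can forge:", RecipientCanForge(key, tampered))

	pub, priv := NewSigningKey()
	sig := Sign(priv, msg)
	fmt.Println("signature: original valid:", SignatureValid(pub, msg, sig))
	fmt.Println("signature: tampered valid:", SignatureValid(pub, tampered, sig))
}
```

The point of the third hash line is that a checksum stored next to the data it protects is not an integrity control at all; the MAC fixes that for the recipient, and only the signature gives evidence that survives the recipient's own dishonesty.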

Authorization
• Determining whether an authenticated
user or process has the right to access
and perform operations on a particular
resource
• Specify access and usage permissions
for entities, roles, or processes
• Authorisation policy is normally defined
by humans
• Issued by an authority within the
domain/organisation

• Threats: Privilege escalation, unauthorized access, insider threats.
• Controls: Role-based access control
(RBAC), least privilege principle, regular
review and auditing of user
permissions, segregation of duties.

Authorization vs Access
Control
• The term authorization is often
wrongly used in the sense of access
control.
• Authorization
• Defines what actions users are permitted
to do.
• Based on policies after authentication.

• Access Control
• Implements how policies are enforced.
• Includes enforcement mechanisms such as access control lists, file permissions and firewalls (the password check that precedes them is authentication, not access control).
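The authorization controls listed above (RBAC, least privilege, segregation of duties, periodic permission review) and the policy-versus-enforcement distinction, as an added worked example in Go. This is not code from the course slides: the policy is plain data that an authority fills in (roles, their permissions, and role pairs nobody may hold), Allowed is the access-control check that an enforcement point calls and that denies anything not explicitly granted, SoDViolations is the check to run when roles are assigned, and EffectivePermissions is what a permission review looks at. The payments roles, the names and the conflict rule are assumptions made for the example.

```go
package main

import (
	"fmt"
	"sort"
)

// Policy is the authorisation decision, expressed as data: which role may perform
// which action on which resource, and which role pairs no one person may hold.
// It is set by an authority in the organisation, not hard-coded in the application.
type Policy struct {
	grants    map[string]map[string]bool // role -> "action:resource" -> granted
	conflicts [][2]string                // segregation-of-duties pairs
}

// Subject is an authenticated principal and the roles assigned to it.
type Subject struct {
	Name  string
	Roles []string
}

func NewPolicy() *Policy {
	return &Policy{grants: map[string]map[string]bool{}}
}

// Grant adds one permission to a role. Nothing is permitted until granted;
// deny by default is what makes least privilege enforceable.
func (p *Policy) Grant(role, action, resource string) {
	if p.grants[role] == nil {
		p.grants[role] = map[string]bool{}
	}
	p.grants[role][action+":"+resource] = true
}

// Conflict records two roles that must never be held by the same subject.
func (p *Policy) Conflict(roleA, roleB string) {
	p.conflicts = append(p.conflicts, [2]string{roleA, roleB})
}

// Allowed is the access-control check: the enforcement point consults the policy
// and gets a yes/no. Unknown roles, actions and resources all fall through to false.
func (p *Policy) Allowed(s Subject, action, resource string) bool {
	for _, role := range s.Roles {
		if p.grants[role][action+":"+resource] {
			return true
		}
	}
	return false
}

// SoDViolations lists conflicting role pairs a subject holds. Run it when roles
// are assigned and again during periodic permission reviews.
func (p *Policy) SoDViolations(s Subject) [][2]string {
	held := map[string]bool{}
	for _, role := range s.Roles {
		held[role] = true
	}
	var out [][2]string
	for _, c := range p.conflicts {
		if held[c[0]] && held[c[1]] {
			out = append(out, c)
		}
	}
	return out
}

// EffectivePermissions flattens a subject's roles into the sorted action:resource
// pairs it can actually exercise, which is what an access review needs to see.
func (p *Policy) EffectivePermissions(s Subject) []string {
	seen := map[string]bool{}
	for _, role := range s.Roles {
		for perm := range p.grants[role] {
			seen[perm] = true
		}
	}
	out := make([]string, 0, len(seen))
	for perm := range seen {
		out = append(out, perm)
	}
	sort.Strings(out)
	return out
}

func main() {
	// Constructed payments policy: clerks raise payments, approvers release
	// them, auditors only read, and nobody may be both clerk and approver.
	p := NewPolicy()
	p.Grant("clerk", "create", "payment")
	p.Grant("approver", "approve", "payment")
	p.Grant("auditor", "read", "ledger")
	p.Conflict("clerk", "approver")
	alice := Subject{Name: "alice", Roles: []string{"clerk"}}
	bob := Subject{Name: "bob", Roles: []string{"clerk", "approver"}}
	fmt.Println("alice create payment:", p.Allowed(alice, "create", "payment"))
	fmt.Println("alice approve payment:", p.Allowed(alice, "approve", "payment"))
	fmt.Println("bob SoD violations:", p.SoDViolations(bob))
	fmt.Println("bob effective permissions:", p.EffectivePermissions(bob))
}
```

Keeping the policy as data and the check as a single function is what lets the same rule be reviewed by the business owner and enforced identically at every resource; the SoD check is deliberately separate from Allowed, because Bob's individual requests are each permitted and the problem only shows up when his roles are looked at together.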

Identity and Access
Management Scenario
Technical solutions are
not enough
• Governance and operational processes
are needed
• Incident management response process
• Classifying the business value of data
• Risk assessments on internal systems
• Security Audits
• Governance, risk and compliance

How do we achieve
information security?
• Policy
• Technology
• Training and awareness programs
Security requirements
• What assets do we need to protect?
• How are those assets threatened?
• What can we do to counter those
threats?

Information security
management
• Answers these questions
• Determine security objectives and risk
profile
• Perform security risk assessment of assets
• Select, implement, and monitor controls

Information security
management
• A process used to achieve and maintain
appropriate levels of confidentiality,
integrity, availability, accountability,
authenticity and reliability.

Information security
management
• Consists of activities to control and
reduce the risk of damage to
information assets
• IS management focuses on:
• Evaluate threats, vulnerabilities and risks
• Control security risks by reducing
vulnerability to threats
• Detection and response to attacks
• Recovery from damage caused by attacks
• Investigate and collect evidence about
incidents (forensics)

Information security
management functions
• Organisational IT security objectives,
strategies and policies
• Determining organisational IT security
requirements
• Identifying and analysing security
threats to IT assets
• Identifying and analysing risks
• Specifying appropriate safeguards
• Monitoring the implementation and
operation of safeguards
• Developing and implementing a
security awareness program
• Detecting and reacting to incidents
Information security
management process
Principles of
information security
management
• Planning
• Policy
• Programs
• Protection
• People
• Project management
Planning
• Activities necessary to support the
design, creation, and implementation
of information security strategies
• Types
• Incident response planning, Business
continuity planning, Disaster recovery
planning, Policy planning, Personnel
planning, Technology rollout planning,
Risk management planning, Security
program planning

Policy
• The set of organisational guidelines
that dictate certain behaviour within
the organisation
• Three general categories of policy:
• Enterprise information security policy
(EISP)
• Issue-specific security policy (ISSP)
• System-specific policies (SysSPs)

Programs
• Information security operations that
are specifically managed as separate
entities
• Example: a security education training and
awareness (SETA) program

• Other types of programs
• Physical security program, e.g. complete with fire protection, physical access, gates, guards, etc.

Protection
• Executed through risk management
activities
• Includes:
• Risk assessment and control

• Protection mechanisms
• Technologies

• Tools

• Each of these mechanisms represents some aspect of managing specific controls in the overall information security plan.

People
• Managers must recognise people's
crucial role in the information security
program.
• This area of information security
includes security personnel and the
security of personnel, as well as
aspects of a SETA program.
• The most critical link in the
information security program

Project management
• Identifying and controlling the
resources applied to the project
• Measuring progress
• Adjusting the process as progress is
made
