
Introduction to Information Security and Information Security Management
Lecture 1
Zurina Saaya, PhD
Faculty of Information and Communication Technology
University Teknikal Malaysia Melaka
Outline
• Security Principles (CIA)
• Terminologies
• Security Frameworks
• Control / Countermeasure
• Security management
Introduction to Information Security
• Security is being secure, freedom from risk or danger.
• Information Security refers to the processes to protect print, electronic, or any other form of confidential, private and sensitive information or data from unauthorized access, misuse, disclosure, destruction, modification, or disruption.
Why do we need Information Security?
• Unauthorized access
• Misuse
• Disclosure
• Destruction
• Modification
• Disruption
Examples in the news:
https://www.techrepublic.com/article/35-of-zoom-users-fear-data-leaks-amid-the-platforms-security-issues/
https://www.thestar.com.my/tech/tech-news/2020/04/24/cybersecurity-firm-cyble-claims-hacker-sold-267-million-facebook-profiles-for-rm2350
https://www.cshub.com/attacks/articles/incident-of-the-week-nintendo-investigating-160000-account-breaches
Security Principles / Security Objectives: Confidentiality, Integrity, Availability (CIA)

Availability
• Reliable and timely access to data and resources is provided to authorized individuals.
• Redundant array of inexpensive disks (RAID)
• Load balancing
• Redundant data and power lines
• Software and data backups
• Disk shadowing
• Co-location and off-site facilities
• Roll-back functions

Integrity
• Accuracy and reliability of the information and systems are provided and any unauthorized modification is prevented.
• Hashing (data integrity)
• Configuration management (system integrity)
• Change control (process integrity)
• Access control (physical and technical)
• Software digital signing
• Transmission CRC functions
• Note: a CRC or a bare hash only detects accidental corruption. An attacker who can modify the data can recompute the value, so against deliberate tampering the hash must be protected, e.g. by a digital signature or a keyed hash (MAC).

Confidentiality
• Necessary level of secrecy is enforced and unauthorized disclosure is prevented.
• Encryption for data at rest (whole disk, database encryption)
• Encryption for data in transit (IPSec, SSL/TLS, SSH; SSL itself is deprecated, TLS is the current protocol)
• Access control (physical and technical)
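As an added illustration of the integrity controls listed above (example code written for this page, not from the original lecture): the sample configuration file, the key and the function names are constructed for the demonstration. It shows that a CRC, a plain SHA-256 hash and an HMAC all catch an accidental bit flip, but only the keyed HMAC still detects a deliberate change when the attacker can also overwrite the stored integrity value.

```python
import hashlib
import hmac
import zlib

# Constructed sample data (not from the lecture): a small configuration file
# whose integrity the organisation wants to protect, and a tampered copy.
ORIGINAL = b"allow_remote_admin=false\nmax_login_attempts=5\n"
TAMPERED = b"allow_remote_admin=true\nmax_login_attempts=5\n"

# Hypothetical integrity key known only to the verifier. In practice it comes
# from a secret store, never from the same place as the protected data.
INTEGRITY_KEY = b"example-key-do-not-use-in-production"


def sha256_hex(data: bytes) -> str:
    """Unkeyed hash: anyone, including an attacker, can compute it."""
    return hashlib.sha256(data).hexdigest()


def hmac_sha256_hex(key: bytes, data: bytes) -> str:
    """Keyed hash (HMAC): only a holder of the key can produce a valid tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_unkeyed(data: bytes, stored_digest: str) -> bool:
    # compare_digest avoids leaking the match position through timing.
    return hmac.compare_digest(sha256_hex(data), stored_digest)


def verify_keyed(key: bytes, data: bytes, stored_tag: str) -> bool:
    return hmac.compare_digest(hmac_sha256_hex(key, data), stored_tag)


def flip_one_bit(data: bytes) -> bytes:
    """Simulate accidental corruption (e.g. a transmission error)."""
    corrupted = bytearray(data)
    corrupted[0] ^= 0x01
    return bytes(corrupted)


def detects_accidental_corruption() -> tuple:
    """CRC, bare hash and HMAC all catch a random single-bit flip."""
    corrupted = flip_one_bit(ORIGINAL)
    crc_ok = zlib.crc32(corrupted) != zlib.crc32(ORIGINAL)
    hash_ok = not verify_unkeyed(corrupted, sha256_hex(ORIGINAL))
    mac_ok = not verify_keyed(INTEGRITY_KEY, corrupted,
                              hmac_sha256_hex(INTEGRITY_KEY, ORIGINAL))
    return (crc_ok, hash_ok, mac_ok)


def attacker_beats_unkeyed_hash() -> bool:
    """An attacker who can write the file can also rewrite the bare hash
    stored next to it. Returns True if the verifier accepts the tampered file."""
    storage = {"data": ORIGINAL, "digest": sha256_hex(ORIGINAL)}
    storage["data"] = TAMPERED
    storage["digest"] = sha256_hex(TAMPERED)   # trivially recomputed
    return verify_unkeyed(storage["data"], storage["digest"])


def attacker_beats_hmac() -> bool:
    """The same attacker against an HMAC. Without INTEGRITY_KEY the best they
    can do is a tag under a guessed key. Returns True if the verifier is fooled."""
    storage = {"data": ORIGINAL,
               "tag": hmac_sha256_hex(INTEGRITY_KEY, ORIGINAL)}
    storage["data"] = TAMPERED
    storage["tag"] = hmac_sha256_hex(b"guessed-key", TAMPERED)
    return verify_keyed(INTEGRITY_KEY, storage["data"], storage["tag"])


if __name__ == "__main__":
    print("accidental corruption detected (crc, sha256, hmac):",
          detects_accidental_corruption())
    print("tampering undetected with bare hash:", attacker_beats_unkeyed_hash())
    print("tampering undetected with HMAC:", attacker_beats_hmac())
```

The same reasoning is why the slide lists software digital signing separately from hashing: a signature (or a MAC) binds the hash to a key the attacker does not hold, whereas a hash or CRC stored beside the data is only an error-detection mechanism.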
What is the reverse of Confidentiality, Integrity and Availability (CIA)?
• The reverse of CIA is disclosure, alteration, and destruction (D.A.D.)
Some important terms in Security
• Vulnerability - weakness or a lack of a
countermeasure.
• Threat agent - entity that can exploit a vulnerability.
• Threat - the danger of a threat agent exploiting a
vulnerability.
• Risk - the probability of a threat agent exploiting a
vulnerability and the associated impact.
• Exposure - presence of a vulnerability, which exposes
the organization to a threat
• Countermeasure / Control - safeguard that is put in
place to reduce a risk.
Relationships among the different security concepts
• Threat agent gives rise to a Threat
• Threat exploits a Vulnerability
• Vulnerability leads to a Risk
• Risk can damage an Asset
• Damage to an Asset causes an Exposure
• Exposure can be safeguarded by a Countermeasure
• Countermeasure directly affects the Threat agent
Control / Countermeasure
To reduce the risk an organization faces, there are 3 main approaches:
1. Administrative - security documentation, risk management, personnel security, and training.
2. Technical - software or hardware components, as in firewalls, IDS, encryption, identification and authentication mechanisms.
3. Physical - items put into place to protect facility, personnel, and resources, e.g. security guards, locks, fencing, and lighting.
Defense-in-depth
• Layer controls from all three categories so that each asset is protected by several independent safeguards and the failure or bypass of any single control does not by itself expose the asset.
Security Frameworks
• ISO/IEC 27000 series - International standards on how to develop and maintain an ISMS, developed by ISO and IEC
• TOGAF - Model and methodology for the development of enterprise architectures
• SABSA model - Model and methodology for the development of information security enterprise architectures
• CobiT - Set of control objectives for IT management developed by Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI)
• many more…
ISO/IEC 27000 series
• Provide industry best practices for the management of security controls
• Originally from British Standard 7799 (BS7799), which was developed in 1995
• The goal was to provide guidance to organizations on how to design, implement, and maintain policies, processes, and technologies to manage risks to their sensitive information assets
• Follow the Plan – Do – Check – Act (PDCA) cycle
Plan – Do – Check – Act (PDCA) cycle
• Plan: establish objectives and make a plan
• Do: implement the plans
• Check: measure results to determine whether the objectives are met
• Act: provide direction on how to correct and improve the plans to better achieve success
ISO/IEC 27000 series: Topics covered
• Access control
  • Control access to assets based on business requirements, user management, authentication methods, and monitoring.
• System development and maintenance
  • Implement security in all phases of a system’s lifetime through development of security requirements, cryptography, integrity protection, and software development procedures.
• Business continuity management
  • Counter disruptions of normal operations by using continuity planning and testing.
• Compliance
  • Comply with regulatory, contractual, and statutory requirements by using technical controls, system audits, and legal awareness.
ISO/IEC 27000 series
• ISO/IEC 27000 Overview and vocabulary
• ISO/IEC 27001 ISMS requirements
• ISO/IEC 27002 Code of practice for information security management
• ISO/IEC 27003 Guideline for ISMS implementation
• ISO/IEC 27004 Guideline for information security management measurement and metrics framework
• ISO/IEC 27005 Guideline for information security risk management
• ISO/IEC 27006 Guidelines for bodies providing audit and certification of information security management systems
• ISO/IEC 27007 Guideline for information security management systems auditing
• ISO/IEC 27011 Information security management guidelines for telecommunications organizations
• ISO/IEC 27013 Guideline on the integrated implementation of ISO/IEC 20000-1 and ISO/IEC 27001
• ISO/IEC 27014 Guideline for information security governance
• ISO/IEC 27015 Information security management guidelines for the finance and insurance sectors
• ISO/IEC 27031 Guideline for information and communications technology readiness for business continuity
• ISO/IEC 27032 Guideline for cybersecurity
• ISO/IEC 27033 Guideline for IT network security, a multipart standard based on ISO/IEC 18028:2006
• ISO/IEC 27033-1 Guideline for network security
• ISO/IEC 27034 Guideline for application security
• ISO/IEC 27035 Guideline for security incident management
• ISO/IEC 27036 Guideline for security of outsourcing
• ISO/IEC 27037 Guideline for identification, collection, and/or acquisition and preservation of digital evidence
• ISO 27799 Guideline for information security management in health organizations
https://www.iso.org/isoiec-27001-information-security.html
Document Price CHF 118 = RM 480
Discussion 1
Besides CIA, there are other important concepts related to Information Security. These concepts include identification, authentication, accountability, authorization, and privacy. Discuss what you understand about these concepts and give examples.
Security management
Activities that are needed to keep a security program up and running and evolving.
• Risk management
• Documentation
• Security control implementation and management, processes and procedures
• Personnel security
• Auditing
• Security awareness training
Security Management Documents
Security policy
• An overall general statement produced by senior management (or a selected policy board or committee) that dictates what role security plays within the organization.
Standards
• Mandatory activities, actions, or rules. Standards support the policy and reinforce its direction.
Guidelines
• Recommended actions and operational guides to users, IT staff, operations staff, and others when a specific standard does not apply.
Procedures
• Detailed step-by-step tasks that should be performed to achieve a certain goal.
Example: Security Policy
Discussion 2
Give example documents for security guidelines and procedures.
Hint: You may search the web to find these documents on organizations' websites (e.g. banking, government organizations).
Security Awareness, Training, and Education
• Things to consider:
  • purpose and role of training
  • approaches to training and promoting awareness
  • specific information security training
  • awareness of information security, e.g. a campaign
  • training materials
• A continuous process rather than a one-time exercise.
Discussion 3
• You were recently hired as the Chief Security Officer of the Faculty of Information and Communication Technology, and your first task is to propose one free online training course related to security awareness for the staff in your organization. Produce a short proposal with the following information:
  • Objective
  • Topics
  • Duration
  • Target Audience
