Professional Documents
Culture Documents
Misuse
Disclosure
Destruction
Modification
Disruption
https://www.techrepublic.com/article/35-of-zoom-users-fear-data-leaks-amid-the-platforms-security-issues/
https://www.thestar.com.my/tech/tech-news/2020/04/24/cybersecurity-firm-cyble-claims-hacker-sold-267-million-facebook-profiles-for-rm2350
https://www.cshub.com/attacks/articles/incident-of-the-week-nintendo-investigating-160000-account-breaches
Security Principles / Security Objectives: Confidentiality, Integrity, Availability

Availability
Reliable and timely access to data and resources is provided to authorized individuals.
• Redundant array of inexpensive disks (RAID)
• Load balancing
• Redundant data and power lines
• Software and data backups
• Disk shadowing
• Co-location and off-site facilities
• Roll-back functions

Integrity
Accuracy and reliability of the information and systems are provided and any unauthorized modification is prevented.
Diagram: Threat agent → gives rise to → Threat → exploits → … → leads to → Risk → can damage → Asset; "directly affects" links back to the threat agent.
Control / Countermeasure
To reduce the risk an organization faces, there are 3 main approaches:
1. Administrative - security documentation, risk management, personnel security, and training.
2. Technical - software or hardware components, such as firewalls, IDS, encryption, identification and authentication mechanisms.
3. Physical - items put into place to protect facility, personnel, and resources, e.g. security guards, locks, fencing, and lighting.

Defense-in-depth
Security Frameworks
• ISO/IEC 27000 series - International standards on how to develop and maintain an ISMS, developed by ISO and IEC
• TOGAF - Model and methodology for the development of enterprise architectures
• SABSA model - Model and methodology for the development of information security enterprise architectures
• CobiT - Set of control objectives for IT management developed by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI)
• many more…
ISO/IEC 27000 series
• Provides industry best practices for the management of security controls
• Originally from British Standard 7799 (BS7799), which was developed in 1995
• The goal was to provide guidance to organizations on how to design, implement, and maintain policies, processes, and technologies to manage risks to their sensitive information assets
• Follows the Plan – Do – Check – Act (PDCA) cycle:
  • Plan: establish objectives and make a plan
  • Do: implement the plans
  • Check: measure results to see whether the objectives are met
  • Act: provide direction on how to correct and improve the plans to better achieve success
ISO/IEC 27000 series - Topics covered
• Access control
  • Control access to assets based on business requirements, user management, authentication methods, and monitoring.
• System development and maintenance
  • Implement security in all phases of a system's lifetime through development of security requirements, cryptography, integrity protection, and software development procedures.
• Business continuity management
  • Counter disruptions of normal operations by using continuity planning and testing.
• Compliance
  • Comply with regulatory, contractual, and statutory requirements by using technical controls, system audits, and legal awareness.
ISO/IEC 27000 series
• ISO/IEC 27000 Overview and vocabulary
• ISO/IEC 27001 ISMS requirements
• ISO/IEC 27002 Code of practice for information security management
• ISO/IEC 27003 Guideline for ISMS implementation
• ISO/IEC 27004 Guideline for information security management measurement and metrics
• ISO/IEC 27005 Guideline for information security risk management
• ISO/IEC 27006 Guidelines for bodies providing audit and certification of information security management systems
• ISO/IEC 27007 Guideline for information security management systems auditing
• ISO/IEC 27011 Information security management guidelines for telecommunications organizations
• ISO/IEC 27013 Guideline on the integrated implementation of ISO/IEC 20000-1 and ISO/IEC 27001
• ISO/IEC 27014 Guideline for information security governance framework
• ISO/IEC 27015 Information security management guidelines for the finance and insurance sectors
• ISO/IEC 27031 Guideline for information and communications technology readiness for business continuity
• ISO/IEC 27032 Guideline for cybersecurity
• ISO/IEC 27033 Guideline for IT network security, a multipart standard based on ISO/IEC 18028:2006
• ISO/IEC 27033-1 Guideline for network security
• ISO/IEC 27034 Guideline for application security
• ISO/IEC 27035 Guideline for security incident management
• ISO/IEC 27036 Guideline for security of outsourcing
• ISO/IEC 27037 Guideline for identification, collection, and/or acquisition and preservation of digital evidence
• ISO 27799 Guideline for information security management in health organizations
https://www.iso.org/isoiec-27001-information-security.html
Document Price CHF 118 = RM 480
Discussion 1
Besides CIA, there are other important concepts related to Information Security. These concepts include identification, authentication, accountability, authorization, and privacy. Discuss what you understand about these concepts and give examples.
Security management
Activities that are needed to keep a security program up and running and evolving.
• Risk management
• Documentation
• Security control implementation and management, processes and procedures
• Personnel security
• Auditing
• Security awareness training
Security Documents

Security policy
• An overall general statement produced by senior management (or a selected policy board or committee) that dictates what role security plays within the organization.

Standards
• Mandatory activities, actions, or rules. Standards support

Guidelines
• Recommended actions and operational guides to users, IT staff, operations staff, and others when a specific standard does not apply.

Procedures
• Detailed step-by-step tasks that should be performed to achieve a certain goal.
Example: Security Policy
Discussion 2
Give example documents for security guidelines and procedures.
Hint: You may search the web to find these documents on organizations' websites (e.g. banking, government organizations).
Security Awareness,
Training, and Education
• Things to consider:
  • purpose and role of training
  • approaches to training and promoting awareness
  • specific information security training
  • awareness of information security, e.g. campaigns
  • training materials
• A continuous process rather than a one-time exercise.
Discussion 3
• You were recently hired as Chief Security Officer of the Faculty of Information and Communication Technology, and your first task is to propose one free online training related to security awareness for the staff in your organization. Produce a short proposal with the following information.
• Objective
• Topics
• Duration
• Target Audience