Professional Documents
Culture Documents
N
INFORMATION SECURITY
F
T
I
O
N
S
E
What is Information?
What is Information Security?
A
What is RISK?
G
An Introduction to ISO for information
E technology
User Responsibilities
N
2
I
N
'Information is an asset which, like other
F
important business assets, has value to
O an organization and consequently
needs to be suitably protected‟
R
M BS ISO 27002:2005
A
T
I
3
I
Information can be
N
F Created
Stored
O
Destroyed
R
Processed
N I
M
Transmitted
A F
Used – (For proper & improper purposes)
T E
I Corrupted
C Lost
O
Y Stolen
L
C 4
I
N
Printed or written on paper
F
Stored electronically
O
Transmitted by post or using electronics means
R Shown on corporate videos
T T
I ‘…Whatever form the information takes, or
Y means by which it is shared or stored, it
O should always be appropriately protected’
P
(BS ISO 27002:2005)
N
E
5
I
What Is Information Security
N
F
R
Security is achieved using several strategies
M
Security is achieved using several strategies simultaneously or
A used in combination with one another
T
I Security is recognized as essential to protect vital processes
S and the systems that provide those processes
O
E
N
C Security is not something you buy, it is something you do
I
6
I
What Is Information Security
N
F
The architecture where an integrated combination
O of appliances, systems and solutions, software,
alarms, and vulnerability scans working together
R
Monitored 24x7
M
Having People, Processes, Technology, policies,
A procedures,
O
N
S
E 6/16/201
1
Mohan Kamat 7
I
O
PEOPLE
E C
PROCESSES
C O
P TECHNOLOGY
E
6/16/2011 Mohan Kamat 8
People “Who we are”
6/16/201
1
Mohan Kamat 9
Process “what we do”
The processes refer to "work practices" or workflow.
Processes are the repeatable steps to accomplish
business objectives. Typical process in our IT
P Infrastructure could include:
10
Technology “what we use to improve what we do”
T
Network Infrastructure:
Cabling, Data/Voice Networks and equipment
E Telecommunications services (PABX), including VoIP
services , ISDN , Video Conferencing
C Server computers and associated storage devices
Operating software for server computers
H Communications equipment and related hardware.
Intranet and Internet connections
VPNs and Virtual environments
N
Remote access services
Wireless connectivity
O
G 6/16/201
1
Mohan Kamat 11
Technology “what we use to improve what we do”
Application software:
Finance and assets systems, including Accounting packages,
T Inventory management, HR systems, Assessment and reporting
systems
Software as a service (Sass) - instead of software as a packaged or
E custom-made product. Etc..
O
Access devices:
Desktop computers
L Laptops, ultra-mobile laptops and PDAs
Thin client computing.
Digital cameras, Printers, Scanners,
O Photocopier etc.
G 6/16/201
1
Mohan Kamat 12
I INFORMATION SECURITY
N
O
1. Protects information from a range of threats
R 2. Ensures business continuity
3. Minimizes financial loss
M 4. Optimizes return on investments
5. Increases business opportunities
A
T
I
O
Ensuring that information is
R
– Confidentiality accessible only to those
authorized to have access
A
M T
O
N T
A Safeguarding the accuracy and
R completeness of information
– Integrity and processing methods
T
I I
T 6/16/201
Mohan Kamat 14
1
Security breaches leads to…
• Reputation loss
• Financial loss
• Intellectual property loss
• Legislative Breaches leading to legal actions (Cyber
Law)
• Loss of customer confidence
• Business interruption costs
LOSS OF GOODWILL
6/16/201
1
Mohan Kamat 15
I
N
• Information Security is “Organizational Problem”
rather than “IT Problem”
F • More than 70% of Threats are Internal
S
• More than 60% culprits are First Time fraudsters
O
E • Biggest Risk : People
T
Y
S
U 6/16/201
1
Mohan Kamat 16
W
What is Risk?
H
A
IT Risk: A possibility that a threat exploits a
vulnerability in an asset and causes damage or
S loss to the asset.
R
I
Threat: Something that can potentially cause damage
S to the organisation, IT Systems or network.
17
Relationship between Risk, Threats, and Vulnerabilities
exploit
Threats Vulnerabilities
R Elements of threats
E
I Agent : The catalyst that performs the
A threat.
D
T
Human
E
Machine
N Nature
T
I
F
I
A 6/16/201
Mohan Kamat 19
1
T
H Threat Identification
R
Elements of threats
E I
Motive : Something that causes the agent
A D
to act.
T E Accidental
N
Intentional
Only motivating factor that can be both
T
accidental and intentional is human
I
F
I
A 6/16/201
1
Mohan Kamat 20
T
H
Threat Identification
R
E I Elements of threats
A D Results : The outcome of the applied
T E
threat. The results normally lead to the
loss of CIA
N
Confidentiality
T Integrity
I
Availability
F
I
A 6/16/201
1
Mohan Kamat 21
T
H
Threats
R • Employees
• External Parties
E
• Low awareness of security issues
A • Growth in networking and distributed computing
T
• Growth in complexity and effectiveness of hacking tools
and viruses
S • Natural Disasters eg. fire, flood, earthquake
6/16/201
1
Mohan Kamat 22
Threat Sources
System attacks
Social engineering
Letter bombs
Revenge Viruses
Terrorist Political Denial of service
Unintentional Corruption of data
errors Malicious code
e/2 ployees
Programming introduction
Poorly
6/16
1 trained entry Unauthorized access 23
No Categories of Threat Example
1 Human Errors or failures Accidents, Employee mistakes
2 Compromise to Intellectual Property Piracy, Copyright infringements
3 Deliberate Acts or espionage or Unauthorized Access and/or data collection
trespass
&
K
High User
Theft, Virus Attacks
Knowledge of IT
Sabotage,
Systems
S Misuse
E Natural
Systems & Lack Of Lapse in
Calamities &
Network Documentation
Fire
Failure Physical
A
Security
6/16/201
1
Mohan Kamat 25
SO HOW DO
WE
OVERCOME
THESE
PROBLEMS?
6/16/201
1
Mohan Kamat 26
I
History
N
Early 1990
T • DTI (UK) established a working group
• Information Security Code of Practice
Management produced as BSI-DISC
R publication
O
I I 1995
D S • BS 7799 published as UK Standard
O
U
N
O 2 1999
T • BS 7799 - 1:1999 second revision published
7
C 0
0 2000
O 1 • BS 7799 - 1 accepted by ISO as ISO - 17799 published
T • BS 7799-2:2002 published
6/16/201
1
Mohan Kamat 27
I History
N
T • ISO 27001:2005
D
Information technology — Security techniques —
U T
R Information security management systems —
C Requirements
O
O
I I
T
O S
• ISO 27002:2005
N
O 2 Information technology — Security techniques — Code
7 of practice for information security management
0
0
1
6/16/201
1
Mohan Kamat 28
ISO 27001
I
ISO 27001: This International Standard covers all types of
organizations (e.g. commercial enterprises, government
S agencies, non-profit organizations). This
O
2 International Standard specifies the requirements for
establishing; implementing, operating, monitoring, reviewing,
7 maintaining and improving documented ISMS within the context
0 of the organization’s overall business risks. It specifies
0 requirements for the implementation of security controls
customized to the needs of individual organizations or parts
1 thereof.
6/16/201
1
Mohan Kamat 29
Features
F
Features of ISO 27001
E
• Plan, Do, Check, Act (PDCA) Process Model
• Process Based Approach
A • Stress on Continual Process Improvements
• Scope covers Information Security not
T
only IT
Security
U • Covers People, Process and Technology
• 5600 plus organisations worldwide have
R been certified
• 11 Domains, 39 Control objectives, 133 controls
E
S
6/16/201
1
Mohan Kamat 30
P PDCA Process
D
ISMS PROCESS
Interested Interested
C Parties Parties
Management Responsibility
A
PLAN
Establish
ISMS
P
DO ACT
Implement &
Maintain &
Operate the
R ISMS
Improve
C
Information
O Security Managed
E Requirements CHECK Information
& Monitor & Security
Review ISMS
Expectations
S
Information
O Security Policy
Organisation
N Compliance of Information
Security
T
Business
Asset
Continuity
R Planning
Management
O
C Incident
Human
Resource
Management
L Security
L Availability
A System
Development Physical
&
Maintenance Security
U
Communication
Access Control & Operations
S Management
32
C
S
6/16/201
1
Mohan Kamat 33
C
• Communications & Operations Management - To
ensure the correct and secure operation of information
O
processing facilities.
N • Access Control - To control access to information
and information processing facilities on „need to know‟
T and „need to do‟ basis.
• Information Systems Acquisition, Development
R
& Maintenance - To ensure security built into
O information systems
C • Information Security Incident Management - To
L ensure information security events and weaknesses
L associated with information systems are
communicated.
A
S
6/16/201
1
Mohan Kamat 34
C
N
•Business Continuity Management - To reduce
T disruption caused by disasters and security failures to an
acceptable level.
R •Compliance - To avoid breaches of any criminal and
civil law, statutory, regulatory or contractual obligations
O
and of any security requirements.
C
L
L
S
6/16/201
1
Mohan Kamat 35
I
M
IS POLICY
P
L SECURITY
ORGANISATION
MANAGEMENT
REVIEW
PLAN
E Establish
ISMS
M
T C ASSET
DO
Implement &
ACT
Maintain & CORRECTIVE &
E IDENTIFICATION
&
Operate the
Improve
PREVENTIVE
ISMS ACTIONS
N
I CLASSIFICATION
O E
S
N
P S
CHECK
Monitor &
Review
T C ISMS
CONTROL
CHECK
SELECTION &
R Y
PROCESSES
IMPLEMENTATION
A
C OPERATIONALIZ
E THE
PROCESES
O
L
6/16/201
1
Mohan Kamat 36
B
N
• At the organizational level – Commitment
E
• At the legal level – Compliance
F • At the operating level - Risk management
I
• At the commercial level - Credibility
T and confidence
• At the financial level - Reduced costs
S
• At the human level - Improved
employee awareness
6/16/201
1
Mohan Kamat 37
U
R R
SECU RITY
S
S
I
U- R
B
I
L
I 6/16/201
1
Mohan Kamat 38
U
R R
S
I
B
I
L
I 6/16/201
1
Mohan Kamat 39
I
Information Asset Classification
N
CONFIDENTIAL:
If this information is leaked outside Organisation, it will result in major financial and/or image loss.
F Compromise of this information will result in statutory, legal non- compliance.
Access to this information must be restricted based on the concept of need-to-know. Disclosure
A
C requires the information owner‟s approval. In case information needs to be disclosed to third
O parties a signed confidentiality agreement is also required. Examples include Customer contracts,
L rate tables, process documents and new product development plans.
S
S
E A INTERNAL USE ONLY:
S If this information is leaked outside Organisation, it will result in Negligible financial loss and/or
embarrassment.
T Disclosure of this information shall not cause serious harm to Organisation, and access is provided
S freely to all internal users. Examples include circulars, policies, training materials etc.
I PUBLIC:
Non availability will have no effect. If this information is leaked outside Organisation, it will result
in no loss.
F This information must be explicitly approved by the Corporate Communications Department or
I Marketing Department in case of marketing related information, as suitable for public
dissemination. Examples include marketing brochures, press releases.
T
I
6/16/201
1
Mohan Kamat 40
I Confidentiality - Information Asset
T
S Availability
I
Requireme Explanation
F nt
I Low There is minimal impact on business if the
asset / information is not Available for up
C
to 7 days
A
Medium There is significant impact on business if
the asset / information is not Available for
T up to 48 hours
I High The Asset / information is required on 24x7
6/16/201
1 basis Mohan Kamat 43
N
O
Non-information Assets [Physical]
N
I
N Information is processed with the help of technology. The
F C
L assets, which are helpful in creating, processing, output
O
A generation and storage. Such assets need to be identified
A S
S and valued for the purpose of their criticality in business
S process.
I
S
F
Asset valuation of non information / physical Assets like
I software, Hardware, Services is carried out based on
E different criteria applicable to the specific group of physical
C assets involved in organization‟s business processes.
T
T
I
6/16/201
O 1
Mohan Kamat 44
N
Confidentiality - Non-information Asset
O
Confidentiality factor is to be determined by the services rendered by the particular
asset in specific business process and the confidentiality requirement of the
N
I information / data processed or stored by the asset. This table provides a guideline to
identify the Confidentiality requirements and its link to Classification label.
N
F C
L
O Confidentiality
A
Requirement Explanation
A S Low Information processed / stored /
S S carried or services rendered by the
I
asset in the business process have
S confidentiality requirements as LOW.
F
I Medium Information processed / stored /
E carried or services rendered by the
C asset in the business process have
T confidentiality requirements as
A Medium.
High Information processed / stored /
T carried or services rendered by the
I asset in the business process have
confidentiality requirements as HIGH.
6/16/201
O 1
Mohan Kamat 45
N Integrity - Non Information Asset
O Integrity factor is to be determined by the reliability and dependability of the
particular asset in specific business process and the Integrity requirement of
the information / data processed or stored by the asset. This table provides
N
I a guideline to identify the Integrity requirements and its link to
N Classification label.
F C
L Integrity
O Requirement Explanation
A
S Low Dependency and reliability of the services rendered by
A S the particular asset in a business process is LOW.
S Information processed / stored / carried or services
I
rendered by the asset in the business process have
S Integrity requirements as LOW.
F Medium Dependency and reliability of the services rendered by
I the particular asset in a business process is Medium.
E
Information processed / stored / carried or services
C rendered by the asset in the business process have
T Integrity requirements as Medium.
High Dependency and reliability of the services rendered by
A
the particular asset in a business process is HIGH.
Information processed / stored / carried or services
T rendered by the asset in the business process have
I Integrity requirements as High.
6/16/201
O 1
Mohan Kamat 46
N
Availability - Non-information Asset
O
Availability factor is to be determined on the basis of impact of non
availability of the asset on the business process. This table provides a
N
I guideline to identify the Availability requirements and its link to
N Classification label.
F C
Integrity
O Requirement Explanation
Low Impact of non availability of an asset in a business
S
process is LOW.
S L Information processed / stored / carried or services
I
rendered by the asset in the business process have
S A Availability requirements as LOW.
F Medium Impact of non availability of an asset in a business
A
E I
S
process is Medium.
Information processed / stored / carried or services
T C rendered by the asset in the business process
have
A Availability requirements as MEDIUM.
High Impact of non availability of an asset in a business
process is HIGH.
T
Information processed / stored / carried or services
I rendered by the asset in the business process have
Availability requirements as HIGH.
6/16/201
O 1
Mohan Kamat 47
P
People Assets
E
Information is accessed or handled by the people from within the
O organisation as well as the people related to organisation for business
requirements.
P C
It becomes necessary to identify such people from within
A organisation as well as outside the organisation who the
L L organization‟s information assets. handle the
S A
S S
E The analysis such people, who has access rights to the assets of the
S organisation, is to be done by Business Process Owner i.e. process /
E
I function head.
T
I
6/16/201
1
Mohan Kamat 48
P
Confidentiality - People Assets
E
Confidentialit
y
O Explanation
Requirement
C
Low The role or third party identified has access
P
limited to information assets classified as
A
L 'Public'. Security breach by individual/s whom
L A
S
S the role is assigned would insignificantly affect
S
the business operations.
E
S Medium The role or third party identified has access
E
I limited to information assets classified as
'Internal‟ and 'Public'. Security breach by
T
F individual/s whom the role is assigned would
I moderately affect the business operations.
High The role employee or third party identified has
C access to all types of information assets
including information assets classified as
A 'Confidential' Or IT Assets classified as
'Critical'. Security breach by individual/s to
T whom the role is assigned would severely
I affect the business operations.
6/16/201
1
Mohan Kamat 49
P
Integrity – People Assets
E
O
Integrity
Requirement Explanation
P C Low The role or third party identified has limited privilege
A to change information assets classified as 'Internal' or
L L 'Public' and the his work is supervised. Security
S A
S S breach by individual/s to whom the role is assigned
E would insignificantly affect the business operations.
E S Medium The role or third party identified has privilege to
I change information assets classified as 'Internal', and
T 'Public' Security breach by individual/s whom the role
F is assigned would moderately affect the business
I operations.
High The role or third party identified has privilege to
change information assets classified as 'Confidential'
C
Or Change the configuration of IT assets classified as
'Critical' Security breach by individual/s to whom the
A role is assigned would severely affect the business
operations.
T
I
6/16/201
1
Mohan Kamat 50
P
Availability – People Assets
E
P C Availability
A Requiremen
L Explanation
L
S A t
S S
Low Unavailability of the individual/s whom the
E
S
role is assigned would have insignificant
E
I affect the business operations.
T
Medium Unavailability of the individual/s whom the
F role is assigned would moderately affect
I the business operations.
High Unavailability of the individual/s whom the
C
role is assigned would severely affect the
business operations.
A
T
I
6/16/201
1
Mohan Kamat 51
U
L
I 6/16/201
1
Mohan Kamat 52
U
S Password Guidelines
E
Always use at least 8 character password with
R R combination of alphabets, numbers and special characters (*, %, @,
#, $, ^)
E Use passwords that can be easily remembered by you
Change password regularly as per policy
S Use password that is significantly different from earlier passwords
O
Use passwords which reveals your personal
N information or words found in dictionary
Write down or Store passwords
S Share passwords over phone or Email
I
Use passwords which do not match above complexity
criteria
B
I
L
I 6/16/201
1
Mohan Kamat 53
U
Internet Usage
S
R R
E
Do not access internet through dial-up connectivity
S Do not use internet for viewing, storing or
transmitting obscene or pornographic material
P Do not use internet for accessing auction sites
Do not use internet for hacking other computer systems
O Do not use internet to download / upload
commercial software / copyrighted material
N
S
I
L
I 6/16/201
1
Mohan Kamat 55
U
S Security Incidents
E
Report Security Incidents (IT and Non-IT) to
R R Helpdesk through
• E-mail to info.sec@organisation.com
E • Telephone : xxxx-xxxx-xxxx
• Anonymous Reporting through Drop boxes
S
P
e.g.:
O IT Incidents: Mail Spamming, Virus attack, Hacking, etc.
Non-IT Incidents: Unsupervised visitor movement, Information
N
leakage, Bringing unauthorized Media
S
I
• Do not discuss security incidents with any one outside organisation
B
• Do not attempt to interfere with, obstruct or prevent anyone from reporting
I
incidents
L
I 6/16/201
1
Mohan Kamat 56
U
S
Ensure your Desktops are having latest antivirus updates
E
Ensure your system is locked when you are away
Always store laptops/ media in a lockable place
R Be alert while working on laptops during travel
R Ensure sensitive business information is under lock and
key
E when unattended
Ensure back-up of sensitive and critical information assets
S
Understand Compliance Issues such as
P Cyber Law
IPR, Copyrights, NDA
O Contractual Obligations with customer
Verify credentials, if the message is received from
N unknown sender
Always switch off your computer before leaving for the day
S Keep your self updated on information security aspects
I
B
I
L
I 6/16/201
1
Mohan Kamat 57
Human Wall Is Always Better Than A Firewall