Fundamentals of IS Security
IS Security Fundamentals
A. Confidentiality
Information has confidentiality when it is protected from disclosure or
exposure to unauthorized individuals or systems.
It ensures that only those with the rights and privileges to access the
information are able to do so.
When unauthorized individuals or systems can view information,
confidentiality is breached (loss of confidentiality).
IS Security Fundamentals (cont.)
Threats to Confidential Information
Breaches of confidentiality can come from both inside and outside of a
business.
Outside threats include:
Theft
Hacking
Commercial espionage
Information disclosed as part of negotiations with an outside entity that
eventually fall apart.
Protecting Confidential Information
To protect the confidentiality of information you can use a number of
measures, including the following:
Information classification (label confidential information)
Train staff to know what is confidential and what is not.
Put in place rules and procedures. Your staff need to know how to handle
and administer confidential information.
Secure document storage
Have a digital device policy
Sign non-disclosure agreements
B. Integrity
Information has integrity when it is whole, complete and uncorrupted.
Key methods for assuring information integrity are:
C. Availability
Factors (threats) that affect the availability of information and information
systems:
Infrastructure failure
Infrastructure overload
Malicious activity
Data inconsistency
Files stored in personal directories may not be available to other employees
when needed.
Hardware failures could affect the availability of company resources.
Embrace redundancy: a failure in one of the disks, servers or databases that host
your data will not lead to a disruption in availability.
Back up data.
Components of Information Security
The CIA Triad
Principles of IS Security
Information security principles are the basic guidelines that should be used when designing a
secure system.
There are many best practices in information security that are specific to certain industries or
businesses, but some apply broadly.
“openness.”
In information system security this means finding a balance: keeping resources available,
and then finding acceptable ways to protect the rest without making them useless.
Assign access by a person's job type, and further refine those limits according to
organizational separations where needed.
3. Assign minimum privileges:
An individual should be assigned the minimum privileges needed to carry out his
or her responsibilities; if a person's responsibilities change, so will the privileges.
Assigning minimum privileges reduces the chance that someone from design will walk out
the door with all the marketing data.
6. Record:
Ideally a security system will never be breached, but when a security breach does take place
the event should be recorded.
In fact IT staff often record as much as they can even when a breach isn't happening.
Sometimes the causes of breaches aren't apparent after the fact, so it is important to have
data to track backwards.
Data from breaches will eventually help to improve the system and prevent future attacks,
even if it doesn't initially make sense.
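The "Record" principle above is about keeping data you can trace backwards later. The following is an added example (not part of the course material) of what that looks like in practice: a few constructed audit-log lines, recorded for every access attempt whether it succeeded or not, are parsed and then used two ways: to rebuild one user's timeline after the fact, and to spot a burst of failed logins that preceded a successful one. The key=value log format and the five-minute window are assumptions of the example.

```python
"""Walking an audit trail backwards. Added example; the log lines are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: every access attempt is recorded, denied ones included.
# The denied lines are what let us reconstruct the lead-up to a breach later.
AUDIT_LOG = """\
2024-05-01T09:58:10Z user=dave action=login result=DENY src=10.0.0.5
2024-05-01T09:58:25Z user=dave action=login result=DENY src=10.0.0.5
2024-05-01T09:58:40Z user=dave action=login result=DENY src=10.0.0.5
2024-05-01T09:59:02Z user=dave action=login result=ALLOW src=10.0.0.5
2024-05-01T10:03:17Z user=dave action=read obj=marketing_db result=ALLOW src=10.0.0.5
2024-05-01T10:04:51Z user=dave action=export obj=marketing_db result=ALLOW src=10.0.0.5
2024-05-01T10:20:00Z user=erin action=read obj=campaign_plan result=ALLOW src=10.0.0.9
"""


def parse_line(line: str) -> dict:
    """Turn 'timestamp k=v k=v ...' into a dict with a real datetime under 'ts'."""
    ts, *fields = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for f in fields:
        k, _, v = f.partition("=")
        rec[k] = v
    return rec


def parse_log(text: str) -> list:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def timeline(records: list, user: str) -> list:
    """Everything one user did, in order: the backward trace after an incident."""
    return [r for r in records if r.get("user") == user]


def failed_logins_before_success(records: list, threshold: int = 3,
                                 window: timedelta = timedelta(minutes=5)) -> dict:
    """Users whose successful login followed `threshold` or more denies within `window`.

    Returns {user: number_of_denies}. A pattern like this only becomes visible
    because the denied attempts were recorded, not just the successful one.
    """
    recent_denies = defaultdict(list)
    flagged = {}
    for r in records:
        if r.get("action") != "login":
            continue
        user = r["user"]
        if r["result"] == "DENY":
            recent_denies[user].append(r["ts"])
        else:
            in_window = [t for t in recent_denies[user] if r["ts"] - t <= window]
            if len(in_window) >= threshold:
                flagged[user] = len(in_window)
            recent_denies[user] = []
    return flagged


if __name__ == "__main__":
    recs = parse_log(AUDIT_LOG)
    print("suspicious logins:", failed_logins_before_success(recs))
    for r in timeline(recs, "dave"):
        print(r["ts"].isoformat(), r.get("action"), r.get("obj", ""), r["result"])
```

The timeline for `dave` shows the export of `marketing_db` a few minutes after a login that itself followed three denials; without the denied lines the login would look routine. This is exactly the kind of data the slide says to keep even when nothing seems to be happening.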
Hackers are constantly refining their craft, which means information security must
evolve to keep up.
IT professionals run tests, conduct risk assessments, reread the disaster recovery plan,
check the business continuity plan in case of attack, and then do it all over again.
Balancing Information Security and Access
It is impossible to obtain perfect security: security is a process, not an
absolute.
The Security Trinity
The three legs of the “security trinity”:
Prevention
Detection, and
Response
The security trinity should be the foundation for all security policies.
1. Prevention: is the foundation of the security trinity.
3. Response: Organizations need to develop a plan that identifies the
IS Security Policy
What is a security policy?
Designing a policy?
What is a Security Policy?
A policy is a plan or course of action, as of a government, political party, or
It is also a set of rules laid down by the security authority governing the use
and provision of security services and facilities.
The Key Components of an Information Security Policy
Purpose
Scope
Information security objectives
Authority & Access Control Policy
Classification of Data (high risk, confidential, public)
Data Support & Operations
Security Awareness Sessions
Responsibilities, Rights and Duties of Personnel
Reference to Relevant Legislation
Other items that it may include:
Virus Protection Procedure, Intrusion Detection Procedure, Remote Work
Procedure, Technical Guidelines, Audit, Employee Requirements,
Consequences for Non-compliance, Disciplinary Actions, Terminated
Employees, Physical Security of IT, References to Supporting Documents
and so on.
Conclusion
Why do we need a security policy?
It provides an inclusive framework for the selection and implementation of security
measures.
It is a means of communication among different stakeholders.
Management of resources:
people, skills, money, time
It conveys the importance of security to all members of the organization.
It helps create a “security culture”:
shared beliefs and values concerning security.
Legal obligation.
It helps promote “trust relationships” between the organization and its business
partners / clients.
Types of Security Policy?
Computer-Oriented:
Information Security Policies that implement access control (Discretionary Access
Control, Mandatory Access Control)
Operating systems
Networks
Application
Human Oriented:
Scope: department, organization
Applied by IS users
Individual:
application or system (e.g. email policy)
“use policies”
Modular:
comprehensive document with multiple annexes containing specific (e.g.
per application or system) policies
can be in hypertext form
Comprehensive:
one document addressing all applications, processes and systems
- big volume, not easy to use
- contain high level security guidelines
Management defines three types of security policy:
General or security program policy
Issue-specific security policies
Systems-specific security policies
General or security program policy
A security program policy (SPP) is also known as a general security
policy, IT security policy, or information security policy.
It sets the strategic direction, scope, and tone for all security efforts
within the organization.
It is an executive-level document, usually drafted by or with the CIO of
the organization, and is usually 2 to 10 pages long.
Issue-specific security policies(ISSP)
As various technologies and processes are implemented, certain
guidelines are needed to use them properly
The ISSP:
addresses specific areas of technology
requires frequent updates
contains an issue statement on the organization’s position on an issue
Three approaches:
Create a number of independent ISSP documents
Create a single comprehensive ISSP document
Create a modular ISSP document
ISSP Structure
Statement of Policy
The policy should begin with a clear statement of purpose. The introductory
section should outline the scope and applicability of the policy.
What does this policy address?
Who is responsible and accountable for policy implementation?
What technologies and issues does the policy document address?
Authorized Access and Usage of Equipment
This section of the policy statement addresses who can use the technology
governed by the policy, and what it can be used for.
This section defines “fair and responsible use” of equipment and other
organizational assets and should also address key legal issues, such as protection
of personal information and privacy.
Prohibited Usage of Equipment
While the policy section described above detailed what the issue or technology
can be used for, this section outlines what it cannot be used for. Unless a
particular use is clearly prohibited, the organization cannot penalize its
employees.
Systems Management
There may be some overlap between an ISSP and a systems-specific policy, but
this section of the policy statement focuses on the user's relationship to systems
management.
It is important to identify all responsibilities delegated to both users and
systems administrators, to avoid confusion.
Violations of Policy
Once guidelines on equipment use have been outlined and responsibilities have
been assigned, the individuals to whom the policy applies must understand the
penalties and repercussions of violating the policy.
Violations of policy should carry appropriate penalties.
This section should also provide instructions on how individuals in the
organization can report observed or suspected violations, either openly or
anonymously.
Policy Review and Modification
Since any document is only as good as its frequency of review, each policy
should contain procedures and a timetable for periodic review.
Limitations of Liability
The final section is a general statement of liability or set of disclaimers.
The policy should state that if employees violate a company policy or any law
using company technologies, the company will not protect them and the company
is not liable for their actions.
Systems-Specific Policy (SysSP)
While issue-specific policies are formalized as written documents,
distributed to users, and agreed to in writing, SysSPs are frequently codified
as standards and procedures used when configuring or maintaining systems.
Systems-specific policies fall into two groups:
1) Access control lists (ACLs) consist of the access control lists,
matrices, and capability tables governing the rights and privileges of a
particular user to a particular system.
2) Configuration rules comprise the specific configuration codes entered
into security systems to guide the execution of the system.
15 Must-Have Information Security Policies
Acceptable Encryption and Key Management Policy
Acceptable Use Policy
Clean Desk Policy
Data Breach Response Policy
Disaster Recovery Plan Policy
Personnel Security Policy
Data Backup Policy
User Identification, Authentication, and Authorization Policy
Incident Response Policy
End User Encryption Key Protection Policy
Risk Assessment Standards and Procedures
Remote Access Policy
Secure Systems Management Policy
Monitoring and Logging Policy
Change Management Policy
What makes a security policy effective (criteria)?
Dissemination (distribution): the organization must be able to validate that the
policy has been made readily available for review by the employee. Common
dissemination techniques include hard copy and electronic distribution.
Compliance (agreement): the organization must be able to validate that
employees agree to comply with the policy through act or affirmation. Common
techniques include logon banners that require a specific action (mouse click or
keystroke) to acknowledge agreement, or a signed document clearly indicating that the
employee has read, understood and agreed to comply with the policy.
Uniform enforcement: the organization must be able to validate that the policy
Who is involved in policy?
Security experts
design, review and update the policy
System / network administrators
implement security controls, guidelines
Management
set security goals
provide resources
Users
follow security procedures
Auditors
monitor compliance
Designing a Security Policy
Economy of mechanism: the design of security measures should be as
simple as possible
Simpler to implement and to verify
Fewer vulnerabilities
Fail-safe default: access decisions should be based on permissions; i.e., the
default is lack of access
Complete mediation: every access should be checked against an access control
system
Open design: the design should be open rather than secret (e.g., encryption
algorithms)
Isolation
Public access should be isolated from critical resources (no connection
between public and critical information)
Users' files should be isolated from one another (except when desired)
Security mechanism should be isolated (i.e., preventing access to those
mechanisms)
Encapsulation: similar to object concepts (hide internal structures)
Modularity: modular structure
Least common mechanism: a design should minimize the function shared
by different users (providing mutual security; reduce deadlock)
Layering (defense in depth): use of multiple, overlapping protection
approaches
Least astonishment: a program or interface should always respond in a
way that is least likely to astonish a user
Separation of privilege: multiple privileges should be needed to
achieve access (or complete a task)
Least privilege: every user (process) should have the least privilege to
perform a task
Psychological acceptability: security mechanisms should not interfere
unduly with the work of users
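Several of the ideas on this page meet in one small piece of code: assigning minimum privileges (principle 3 above), the access control lists and capability tables of a systems-specific policy, the classification labels (public, confidential, high risk) used in a policy, and the design principles just listed: fail-safe default, complete mediation, separation of privilege, least privilege, and recording every decision. The following reference monitor is an added example written for this page; it is not code from the course. The roles, users, objects and the "dual control" rule for payroll writes are constructed assumptions.

```python
"""A small reference monitor: default-deny, complete mediation, least privilege,
separation of privilege, and an audit trail. Added example; all data is constructed."""
from dataclasses import dataclass, field
from typing import Optional

# Classification labels from the policy slides, ordered by sensitivity.
LEVELS = {"public": 0, "confidential": 1, "high risk": 2}

# Role -> set of (object, action) it may perform. Each role carries only the
# minimum privilege its job needs (assign minimum privileges). Constructed.
ROLE_PERMS = {
    "marketing": {("campaign_plan", "read"), ("campaign_plan", "write")},
    "finance":   {("payroll", "read"), ("payroll", "write"), ("campaign_plan", "read")},
    "auditor":   {("payroll", "read"), ("campaign_plan", "read"), ("audit_log", "read")},
}

# Object -> classification label (information classification). Constructed.
OBJECT_LABEL = {"campaign_plan": "confidential", "payroll": "high risk", "audit_log": "high risk"}

# Actions that need a second, distinct person to approve (separation of privilege).
DUAL_CONTROL = {("payroll", "write")}


@dataclass
class User:
    name: str
    role: str
    clearance: str   # highest classification label this person may access


@dataclass
class ReferenceMonitor:
    """Every access goes through check(); nothing reaches an object around it (complete mediation)."""
    audit: list = field(default_factory=list)

    def check(self, user: User, obj: str, action: str, approver: Optional[User] = None) -> bool:
        allowed, reason = self._decide(user, obj, action, approver)
        # Record every decision, granted or denied, so events can be traced backwards later.
        self.audit.append(
            f"user={user.name} obj={obj} action={action} "
            f"result={'ALLOW' if allowed else 'DENY'} reason={reason}"
        )
        return allowed

    def _decide(self, user, obj, action, approver):
        # Fail-safe default: anything unknown is denied rather than permitted.
        if obj not in OBJECT_LABEL or user.role not in ROLE_PERMS:
            return False, "unknown object or role"
        label_level = LEVELS[OBJECT_LABEL[obj]]
        # Mandatory control: the person's clearance must dominate the object's label.
        if LEVELS.get(user.clearance, -1) < label_level:
            return False, "insufficient clearance"
        # Discretionary control: the role must hold exactly this (object, action) right.
        if (obj, action) not in ROLE_PERMS[user.role]:
            return False, "permission not granted to role"
        # Separation of privilege: sensitive writes need a different, equally entitled approver.
        if (obj, action) in DUAL_CONTROL:
            if approver is None or approver.name == user.name:
                return False, "dual control requires a distinct approver"
            if ((obj, action) not in ROLE_PERMS.get(approver.role, set())
                    or LEVELS.get(approver.clearance, -1) < label_level):
                return False, "approver not entitled"
        return True, "ok"


if __name__ == "__main__":
    alice = User("alice", "marketing", "confidential")
    bob = User("bob", "finance", "high risk")
    carol = User("carol", "finance", "high risk")
    rm = ReferenceMonitor()
    rm.check(alice, "campaign_plan", "write")          # allowed
    rm.check(alice, "payroll", "read")                 # denied: clearance too low
    rm.check(bob, "payroll", "write")                  # denied: no second approver
    rm.check(bob, "payroll", "write", approver=carol)  # allowed
    print("\n".join(rm.audit))
```

Two design points worth noticing. The checks are ordered so that the most general refusal comes first and an unknown name can never fall through to "allow"; and the audit list receives the reason for every denial, which is what makes a later investigation possible without guessing.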
Approaches to Information Security Implementation
Two types of implementation:
bottom-up
top-down
Bottom Up Approach To Security Implementation
Security can begin as a grass-roots effort when systems administrators
attempt to improve the security of their systems. This is referred to as
the bottom-up approach.
The key advantage of the bottom-up approach is the technical
expertise of the individual administrators.
Unfortunately, this approach seldom works, as it lacks a number of
critical features, such as participant support and organizational staying
power.
Top-down Approach to Security Implementation
An alternative approach, which has a higher probability of success, is called the
top-down approach. The project is initiated by upper management who issue
policy, procedures and processes, dictate the goals and expected outcomes of the
project, and determine who is accountable for each of the required actions.
The top-down approach has strong upper management support, a dedicated
champion, dedicated funding, clear planning and the opportunity to influence
organizational culture.
The most successful top-down approach also involves a formal development
strategy referred to as a systems development life cycle.
General information security services
Authentication:
The assurance that the communicating entity is the one that it claims to be.
Access control
The prevention of unauthorized use of a resource (i.e., this service controls who
can have access to a resource, under what conditions access can occur, and what
those accessing the resource are allowed to do).
Data confidentiality
The protection of data from unauthorized disclosure.
Data integrity
The assurance that data received are exactly as sent by an authorized entity (i.e., contain no
modification, insertion, deletion, or replay).
Non-repudiation
Provides protection against denial by one of the entities involved in a communication of
having participated in all or part of the communication.
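Data integrity as defined above ("no modification, insertion, deletion, or replay") and authentication of the sending entity can both be checked with a message authentication code plus a sequence number. The following is an added example, not code from the course: a sender seals each message with an HMAC over a sequence number and the payload, and the receiver rejects a message whose tag does not verify (modification, or insertion by someone without the key), whose sequence number was already seen (replay), or whose number skips ahead (a deleted message). The wire layout (8-byte counter, payload, 32-byte tag) and the demo key are assumptions of the example.

```python
"""Integrity, origin authentication and replay/deletion detection with HMAC-SHA256
plus a strict sequence counter. Added example; key and messages are constructed."""
import hashlib
import hmac
import struct

SEQ_LEN = 8    # big-endian unsigned 64-bit sequence number
TAG_LEN = 32   # SHA-256 output length


def seal(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: header || payload || HMAC(key, header || payload)."""
    header = struct.pack(">Q", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Receiver:
    """Verifies each message and enforces that sequence numbers arrive 0, 1, 2, ..."""

    def __init__(self, key: bytes):
        self.key = key
        self.expected_seq = 0

    def open(self, msg: bytes):
        """Return (payload, 'ok') or (None, reason)."""
        if len(msg) < SEQ_LEN + TAG_LEN:
            return None, "truncated"
        header, payload, tag = msg[:SEQ_LEN], msg[SEQ_LEN:-TAG_LEN], msg[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        # Constant-time compare: a plain == would leak how many tag bytes matched.
        if not hmac.compare_digest(tag, expected):
            return None, "modified or forged"
        seq = struct.unpack(">Q", header)[0]
        if seq < self.expected_seq:
            return None, "replayed"
        if seq > self.expected_seq:
            return None, f"gap: {seq - self.expected_seq} message(s) missing"
        self.expected_seq = seq + 1
        return payload, "ok"


def demo() -> list:
    """Drive one receiver through the four failure modes; returns the reason strings."""
    key = b"constructed-demo-key-not-for-real-use"
    rx = Receiver(key)
    m0 = seal(key, 0, b"transfer 100 to acct 42")
    m1 = seal(key, 1, b"transfer 5 to acct 7")
    m2 = seal(key, 2, b"close session")
    m4 = seal(key, 4, b"reopen session")          # seq 3 never sent
    tampered = bytearray(m1)
    tampered[SEQ_LEN] ^= 0x01                     # flip one payload bit in flight
    results = [
        rx.open(m0)[1],               # ok
        rx.open(bytes(tampered))[1],  # modified or forged
        rx.open(m1)[1],               # ok (the genuine copy)
        rx.open(m0)[1],               # replayed
        rx.open(m2)[1],               # ok
        rx.open(m4)[1],               # gap: 1 message(s) missing
    ]
    return results


if __name__ == "__main__":
    for r in demo():
        print(r)
```

Two caveats follow from the services listed above. An HMAC gives integrity and authentication but no confidentiality: the payload travels in the clear, so confidentiality needs encryption in addition. And because sender and receiver share the same key, either of them could have produced the tag, so this construction cannot provide non-repudiation; that service needs a digital signature made with a private key only the sender holds.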