Information

Security
 Aim

To discuss the requirements for Information

Security and to define what information is
required to be kept securely.

As required by Part B Para 13.1.11

Objectives
• To ascertain what information should
be regarded as security sensitive
• To recognise the need to protect
information from unauthorised
disclosure
• To recognise methods used to protect
security sensitive information
• To identify the most common
breaches of information security
History of Information
Security
Heads of State and military
commanders have always understood
the necessity to provide some
mechanism to protect the
confidentiality of written
correspondence and to have some
means of detecting tampering.
History of Information
Security

The end of the 20th century and early

years of the 21st century saw rapid
advancements in telecommunications,
computing hardware and software, and
data encryption.
History of Information
Security
The rapid growth and wide spread use of
electronic data processing and electronic
business conducted through the Internet,
along with numerous occurrences of
international terrorism, fueled the need
for better methods of protecting these
computers and the information they store,
process and transmit.
Information Security
What could be considered as security
sensitive information?
• Ship/Port surveys, assessments, designs
and architecture.
• Security plans and emergency
procedures.
• ETAs & ETDs
• Contingency Plans & Emergency
procedures.
The Threat

• Espionage: (Industrial Spying)

• Sabotage: (NGO’s, Greenpeace
/Animal liberation)
• Subversion (Actions designed to
weaken economic stability)
• Terrorism: (Any terrorist organisation
as prescribed by the UK Government)
Basic Principles of Information
Security
For over twenty years information
security has held that three key concepts
form the core principles of information
security:

• Confidentiality
• Integrity
• Availability
Basic Principles of
Information Security
Confidentiality

Information that is considered to be confidential in

nature must only be accessed, used, copied, or
disclosed by persons who have been authorized to
access, use, copy, or disclose the information.

A breach of confidentiality occurs when information

that is considered to be confidential in nature has
been, or may have been, accessed, used, copied, or
disclosed to, or by, someone who was not authorized
to have access to the information.
Integrity

Integrity means that data cannot be created,

changed, or deleted without authorisation.

A loss of integrity occurs when an employee

deletes important data files either accidentally
or with malicious intent.
Availability

The concept of availability is that the

information, the computing systems
used to process the information, and
the security controls used to protect the
information are all available and
functioning correctly when the
information is needed.
Other Threats

• Criminals

• Disaffected or dishonest staff

• Investigative Journalism

• Computer hackers
Information Risk Management

Risk is the likelihood that something bad will

happen that causes harm to an informational
asset (or the loss of the asset).

A threat is anything (man made or act of

nature) that has the potential to cause harm.
Hacking and Virus
Transmission

Up to 2003 75% of all UK business interests

reported being subjected to an electronic
attack. 44% of these in the last year. The
average cost of a serious attack was
£30,000.

Currently the USA puts the cost to business

at over $250 Billion annually.
Common Unintentional
Breaches of Security

• Incorrect handling procedures.

• Insufficient custody control.
• Insufficient control of access.
• Discussion of sensitive information in
a social/uncontrolled context.
Three types of controls

• Administrative

• Logical

• Physical
Administrative Controls

• Administrative controls are comprised of

approved written policies, procedures,
standards and guidelines.
• Administrative controls form the
framework for running the business and
managing people.
• Administrative controls form the basis for
the selection and implementation of
logical and physical controls.
Logical Controls

• Logical controls (also called technical controls)

use software and data to monitor and control
access to information and computing systems.
• For example: passwords, network and host
based firewalls, network intrusion detection
systems, access control lists, and data
encryption are logical controls.
Physical Controls

• Physical controls monitor and control

the environment of the work place
and computing facilities
• They also monitor and control access
to and from such facilities
• Separating the network and work
place into functional areas are also
physical controls
Personnel Security

The aim of Personnel Security is to

ensure that only those whose reliability,
trustworthiness and personal
circumstances are not in doubt, have
access to sensitive material.
Aims of Personnel Security

• Primary:
– Exclude those who may be involved in
Terrorism, Espionage, Subversion or
Unauthorised disclosure.
• Secondary:
– Ensure that only those who ‘Need to
Know’ are allowed access.
Methods of
Personnel Security

• Background checks.
• Verifiable work history.
• Personal references.
• Security vetting.
Vetting Categories

• Basic checks.
• Intermediate checks. E.g. Security Check (SC)
• High level vetting. E.g. Developed Vetting (DV)
• Crypto authorisation.
• All of the above are effected by
change in circumstances.
Principle of least privilege
(Need to Know)

The principle of least privilege requires

that an individual, programme or system
process is not granted any more access
privileges than are necessary to perform
the task.
Principle of least privilege

Violations of this principle can occur when an

individual collects additional access privileges
over time. This happens when employees' job
duties change, or they are promoted to a new
position, or they transfer to another
department. The access privileges required by
their new duties are frequently added onto
their already existing access privileges which
may no longer be necessary or appropriate.
Physical Security

Measures appropriate to:

• The threat.
• The value.
• The sensitivity of the information.
Secure Areas

• Must have controlled access.

• Clear notices announcing: ‘Authorised
Persons Only’.
• Remain secure when not in use.
• Screened from viewing (e.g.
windows).
• May require physical protection.
Protective Markings

Example Guide to access to

Documents:

• Unclassified – General Public.

• Restricted – Officers and above.
• Confidential – Master, SSO, Officers.
• Secret – Master, SSO, CSO.
• Top Secret – Master, CSO.
Degrees of Protective
Marking
Protective Marking Degree of damage
caused by disclosure
Restricted Undesirable to the
Company’s Interests
Confidential Embarrassment/damage
to Company’s Interests
Secret Serious Injury to
Company’s Interests
Top Secret Exceptionally grave
damage
Disposal of Sensitive
Material

• Shredding
• Burning
• Pulping
• Tearing in to
small pieces
Cryptographic Computer
Security

Information security uses cryptography

to transform usable information into a
form that renders it unusable by anyone
other than an authorised user; this
process is call encryption.
Defence in depth

• Information security must protect

information through out the life span
of the information, from the initial
creation of the information on through
to the final disposal of the information
• The building up, layering on and
overlapping of security measures is
called defence in depth
Summary

• Recall the earlier discussion about

administrative controls, logical controls,
and physical controls. The three types of
controls can be used to form the bases
upon which to build a defence in depth
strategy.
• Using a defence in depth strategy, should
one defensive measure fail there are other
defensive measures in place that continue
to provide protection.
Remember

No Company or individual with access,

or potential access to sensitive material
is immune from attack.

Remember Your Own Security!

Remember!

Easy Information = Easy Target

Summary
Personnel security: Helps prevent internal
sources of compromise.

Physical security: Makes it difficult for

both internal and external individuals to gain
access to sensitive information.

Crypto and Computer: Security prevents

information from being accessed by
electronic means.
Any Questions ?