FUNDAMENTALS OF INFORMATION
SYSTEMS SECURITY
IS Security Fundamentals
This unit deals with some fundamental concepts in the area of information
security.
Needs for IS security
Enabling Safe Operation of Applications: Organizations must create integrated,
efficient, and capable applications, and they need environments that
safeguard those applications.
Protecting Data: An effective information security program is essential to the
protection of the integrity and value of the organization’s data
Safeguarding Technology Assets: Organizations must have secure IT
infrastructure services based on the size and scope of the enterprise.
2. Assign Minimum Privileges: assign each person only the minimum privileges needed to carry out his or
her responsibilities. If a person's responsibilities change, the privileges should change with them:
old rights are revoked, not accumulated.
3. Plan for Failure: Planning for failure will help minimize its actual consequences should it occur.
Having backup systems in place, together with constant monitoring of security measures, allows the
organization to react quickly to a breach.
4. Record: Ideally, a security system will never be breached, but when a security breach does take
place, the event should be recorded so that it can be investigated afterwards.
5. Run Frequent Tests: IS professionals run tests, conduct risk assessments, reread the disaster
recovery plan, check the business continuity plan in case of attack, and then do it all over again.
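Principles 2 and 4 above are abstract as stated; the following is an added example (not code from the original slides) that puts both into working code. It assumes a small role-to-permission table, a user named "alice", and a SHA-256 hash chain for the audit record; the role and permission names are invented for illustration. The point it makes beyond the text: privileges are derived from the user's current roles only, so a role change revokes the old rights rather than adding to them, and every access decision is written to an append-only log whose entries are chained so that later tampering is detectable.

```python
"""Least privilege with role changes and an append-only audit record.

Added example for this page, not code from the original slides. The roles,
permissions, user name and the SHA-256 hash chain are assumptions made for
illustration; a real deployment would map roles from its own job functions.
"""
import hashlib
import json

# Assumed role-to-permission mapping: each role carries only the rights its job needs.
ROLE_PERMISSIONS = {
    "helpdesk": {"ticket:read", "ticket:write", "user:reset_password"},
    "dba": {"db:read", "db:write", "db:backup"},
    "auditor": {"db:read", "log:read"},
}

GENESIS = "0" * 64  # hash value that precedes the first audit entry


class AccessControl:
    """Grants permissions via roles and records every decision in a hash-chained log."""

    def __init__(self):
        self.users = {}        # user name -> set of role names
        self.audit_log = []    # append-only list of entries, each linked to the previous
        self._prev_hash = GENESIS

    @staticmethod
    def _check_roles(roles):
        unknown = set(roles) - set(ROLE_PERMISSIONS)
        if unknown:
            raise ValueError(f"unknown roles: {sorted(unknown)}")

    def add_user(self, name, roles):
        self._check_roles(roles)
        self.users[name] = set(roles)
        self._record("user_add", name, {"roles": sorted(roles)})

    def change_roles(self, name, new_roles):
        """Replace the user's roles rather than adding to them.

        Principle 2 on the page: when responsibilities change, the privileges
        change with them. Old rights are revoked instead of accumulating.
        """
        self._check_roles(new_roles)
        old = self.users[name]
        self.users[name] = set(new_roles)
        self._record("role_change", name, {"old": sorted(old), "new": sorted(new_roles)})

    def permissions_of(self, name):
        # Union of the permissions of the user's current roles only.
        return set().union(*(ROLE_PERMISSIONS[r] for r in self.users[name]))

    def authorize(self, name, permission):
        """Return True if the user currently holds the permission; log either way."""
        allowed = permission in self.permissions_of(name)
        self._record("access", name, {"permission": permission, "allowed": allowed})
        return allowed

    def _record(self, event, subject, details):
        # Principle 4 on the page: every security-relevant event is recorded.
        # Each entry carries the hash of the previous one, so editing or
        # deleting an earlier entry breaks the chain and is detectable.
        entry = {
            "seq": len(self.audit_log),
            "event": event,
            "subject": subject,
            "details": details,
            "prev": self._prev_hash,
        }
        entry["hash"] = self._digest(entry)
        self.audit_log.append(entry)
        self._prev_hash = entry["hash"]

    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def verify_log(self):
        """Walk the chain from the start; False if any entry was altered or removed."""
        prev = GENESIS
        for entry in self.audit_log:
            if entry["prev"] != prev or self._digest(entry) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


if __name__ == "__main__":
    ac = AccessControl()
    ac.add_user("alice", {"dba"})
    print("alice db:write ->", ac.authorize("alice", "db:write"))   # True
    ac.change_roles("alice", {"auditor"})                            # moved to the audit team
    print("alice db:write ->", ac.authorize("alice", "db:write"))   # False: old right revoked
    print("alice log:read ->", ac.authorize("alice", "log:read"))   # True
    print("log intact     ->", ac.verify_log())                      # True
    ac.audit_log[1]["details"]["allowed"] = False                    # tamper with a record
    print("log intact     ->", ac.verify_log())                      # False
```

The hash chain only detects tampering; it does not prevent it. In practice the log would be shipped to a separate system that the subjects of the log cannot write to, which is the "alarm and intrusion systems" point made later on this page.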
Components of Information System Security
• The components of information system security are the entire set of software, hardware,
data, people, procedures, and networks necessary to use information as a resource
in the organization.
• Software: The exploitation of errors in software programming accounts for a substantial portion of
the attacks on information.
• Hardware: Hardware is the physical technology that houses and executes the software, stores and
transports the data, and provides interfaces for the entry and removal of information from the
system.
• Physical security policies deal with hardware as a physical asset and with the protection of
physical assets from harm or theft.
• Data: data stored, processed, and transmitted by a computer system must be protected. Data is often
the most valuable asset an organization possesses, and it is the main target of intentional attacks.
• People: people have always been a threat to information security. Unless policy, education and
training, awareness, and technology are properly employed to prevent people from accidentally or
intentionally damaging or losing information, they will remain the weakest link.
• Procedures: written instructions for accomplishing a specific task. When an unauthorized user
obtains an organization's procedures, this poses a threat to the integrity of the information.
• Network: steps to provide network security are essential, as is the implementation of alarm and
intrusion detection systems that make system owners aware of ongoing compromises.
Introduction to Information Security Policy
• Information Security Policy (ISP) is a set of rules enacted by an organization to
ensure that all users or networks of the IT structure within the organization's
domain abide by the prescriptions regarding the security of data stored digitally
within the organization.
• The security policy should be concise and easy to read in order to be effective.
• The four components of security documentation are policies, standards,
procedures, and guidelines.
• Policy is a high-level statement of requirements.
• It describes security in general terms, not specifics.
• Standards specify how to configure devices, how to install and configure
software, and how to use computer systems and other organizational assets, to
be compliant with the intentions of the policy.
• Standards are mandatory requirements regarding processes, actions, and configurations.
• They are rules that give formal policies support and direction.
• Procedures specify the step-by-step instructions to perform various tasks in
accordance with policies and standards.
• A procedure is a documented set of steps necessary to perform a specific task.
Examples of procedures: installing operating systems, performing a
system backup, granting access rights to a system, and setting up new user
accounts.
• Guidelines are advice about how to achieve the goals of the security policy,
but they are suggestions, not rules.
• Guidelines are additional guidance that is recommended but not mandatory; they are
recommendations to users for cases where no specific standard applies.
• In the absence of clear policy, organizations put themselves at risk and often
flounder in responding to a violation.
• For managers, a security policy identifies the expectations of senior management about roles,
responsibilities, and actions that should be taken by management with regard to security
controls.
• For technical staff, a security policy clarifies which security controls should be used on the
network, in the physical facilities, and on computer systems.
• For all employees, a security policy describes how they should conduct themselves when
using the computer systems, e-mail, phones, and voice mail.
Security Policy Development
• When developing a security policy for the first time, one useful approach is to focus on the why,
who, where, and what during the policy development process:
1. Why should the policy address these particular concerns? (Purpose)
2. Who should the policy address? (Responsibilities)
3. Where should the policy be applied? (Scope)
4. What should the policy contain? (Content)
Phased Approach
• If you approach security policy development in the following phases, the work
will be more manageable:
1. Requirements gathering
2. Project definition and proposal based on requirements
3. Policy development
4. Review and approval
5. Publication and distribution
6. Ongoing maintenance (and revision)
• After the security policy is approved, standards and procedures must be developed
in order to ensure a smooth implementation.
• This will require the policy developer to work closely with the technical staff to
develop standards and procedures relating to computers, applications and
networks.
Security Policy Contributors
• Human Resources: The enforcement of the security policy, when it involves
employee rewards and punishments, is usually the responsibility of the HR
department.
• Legal: Often, an organization that has an internal legal department or outside
legal representation will want to have those attorneys review and clarify legal
points in the document and advise on particular points of appropriateness and
applicability.
• Information Technology: Security policy tends to focus on computer systems,
and specifically on the security controls that are built into the computing
infrastructure.
• Physical Security: Physical Security (or Facilities) departments usually
implement the physical security controls specified in the security policy. In some
cases, the IT department may manage the information systems components of
physical security.
Security Policy Audience
• Employees
• Contractors and temporary workers
• Consultants and service providers
• Business partners and third-party vendors
• Employees of subsidiaries and affiliates
• Customers who use the organization‘s information resources
The following are the goals of security policies: