Information Security - I.T Project Management

Welingkar’s Distance Learning Division
I.T. for Management
CHAPTER-18
Information Security
We Learn – A Continuous Learning Forum

IT Security, Control, Audit & governance
Information is Power is a very old adage in the IT sector.
In today’s world information is being increasingly
viewed as an Asset which has real value & is to be
protected
Accumulating information was once done more for
Statutory purposes. Today sophisticated data
warehouses are hold what may be considered as “gold
mine” of knowledge & data mining tools are available to
extract the right information at right time

Objectives of IT Security Management
The purpose of IT Security Management is to ensure:
• Confidentiality: Restricting access to right people for
the right purpose
• Integrity: Correctness& validity of information stored
or processed
• Availability: Ensuring information is available to
authorized persons

In almost every large enterprise, the physical and IT
security departments operate independently of
each other. They are generally unaware of the
strengths and weaknesses of one another's
practices, the liabilities of operating independently,
and the benefits of integrated security
management.

Physical Security and IT Security
Physical security focuses on the protection of physical
assets, personnel and facility structures. This involves
managing the flow of individuals and assets into, out of, and
within a facility. IT security focuses on the protection of
information resources, primarily computer and telephone
systems and their data networks. This involves managing the
flow of information into, out of, and within a facility’s IT
systems, including human access to information systems and
their networks. Clearly these two are separate domains.
Why should they be integrated?

Physical Security and IT Security a Management Issue
The question above accurately reflects the thoughts of most security
practitioners as they approach this subject. How is the question
misleading? To lean on a common idiom, it focuses on the trees rather
than the forest.
It is the management of physical and IT security that must be
integrated. No one is going to integrate a brick wall and a database.
However, the management of who is allowed inside the wall and inside
the database must be integrated, or there will be gaps in the
organization’s security. Figure 1 below illustrates the concept of
integrated security management. Whenever you hear or read the
phrase “integration of physical and IT security,” think “integration of
physical and IT security management” and you’ll be on the right track.

While it is true that many of the physical and IT security
processes and procedures must be integrated at the
technology level, it is not the technology that defines the
integration. The business processes and procedures define
it; the technology implements it. That's why the first step in
integrating physical and IT security is an examination of
security-related business requirements and the physical and
IT security processes that support them. The integration of
the business processes will determine where integration of
physical security and IT technology is required

Types of control Examples
Physical
control
Doors & Lock, Security gates, raised floors, double
doors, ups system
IT related Password, Directory services, Firewall, antivirus
Application server, Hot standby server, backup of
software
Document
related
Correct labeling, version control, copies of key
documents
Application
Specific
Data validation so that correct data only accepted
Length, Range, Code checked
Process related checks
Output controls

Information Security Standards
BS 7799 Standard
The subject of IT security is therefore not one of merely putting
appropriate control measures
A process approach whereby the information security has
• Defined organizational policy
• Backed by management commitment
• Necessary resources, Defined procedures
• Appropriate control objectives
• Suitable control measures
• Recording & reviewing incidences
• Continuous improvement of security process

BS 7799 Standard
The BS7799 is a British standard which addresses precisely this aspect.
It provides a comprehensive framework within which an organization
can set up an effective Information Security Management System(ISMS)
More specifically some of controls objectives which it describes include
following
• Management of ISMS
• Physical security
• Information processing
• Access to information to IT employees, outsourced vendors
• Access from remote location

BS 7799 Standard
To implement the BS7799 standard an organization must take
following steps.
Define Information security policy
Organization & its management must demonstrate its
commitment to information There must be formal reviews
related with security incidents
Risk assessment. The organization must conduct risk assessment.
This will help to identify the more important sources of risk. It
would select from the following strategies
Risk avoidance, Migration, Insurance or transfer Assumption of
risk Cont…..

BS 7799 Standard
• Based on the strategy decided for each risk asset combination
it will select appropriate control to manage the risk.
• For instance to prevent unauthorized entry it may provide
smart card or biometric entry
• The organization would have also identified detailed
procedure for implementing and monitoring ,defined roles
various controls, Dos & don’t to all employees
• Finally process needs to be sustained & continuously
evaluated

Business Continuity Planning (BCP)
Availability is one of the key elements in the information
security. Failure in IT for e.g incidents like power failure, Virus
attack can be disastrous
Organizations such as the stock exchange or a bank works
on a Central data center. BCP outlines:
The Objective of plan in event of disaster
The resources
Priorities assigned for Business continuity
Procedures to follow in the event of disaster
Communication to outsider

The BCP ensures that certain critical business functions continue
despite a disaster
The BCP also can be viewed from point of 3 stages
• Pre-disaster
• During the disaster
• Post disaster
Thus each procedure should cover these three stages
Disaster Recovery is a set of plans to enable an organization to
come back to normalcy

Disaster Recovery
The time frame within which the recovery must happen
is a matter of practicality & organizations policy.
Solutions used for BCP
Hard disk crash RAID Arrays Mirror disk
SAN/NAS solution
Complete data center crippled Hot remote site e.g. NSE has a hot site at
Pune, which take over if Mumbai center fails
Telecom/ISP crashes Have a leased line from more than one ISP

The choice of solution depends upon the perceived
impact of the disaster on business continuity
Most of the times the BCP/DR misses out on Mock Drills
This can be best done thru simulation by generating a
disaster conditions thereby enabling & training people
to understand individual role at the time of disaster &
specific actions to be taken

End of Chapter 18

Information Security - I.T Project Management

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (19)

Similar to Information Security - I.T Project Management

Similar to Information Security - I.T Project Management (20)

More from We Learn - A Continuous Learning Forum from Welingkar's Distance Learning Program.

More from We Learn - A Continuous Learning Forum from Welingkar's Distance Learning Program. (20)

Recently uploaded

Recently uploaded (20)

Information Security - I.T Project Management