SlideShare une entreprise Scribd logo

Information Security

Télécharger en tant que PPTX, PDF
Alok Katiyar
Alok Katiyar

for any query please drop me a mail at rentforge@gmail.com

Technologie
1  sur  28
Information Security By: Alok Katiyar 10210004
Overview • What is Information Security ? • Key component • Security controls • Classification of security • Laws and regulations
What is information security ? The protection of information and its critical elements, including systems and hardware that use, store, and transmit that information Necessary tools: policy, awareness, training, education, technology
Information security: a “well-informed sense of assurance that the information risks and controls are in balance.”— Jim Anderson, Inovant (2002)
Why Information Security ? The purpose of information security management is to ensure business continuity and reduce business damage by preventing and minimizing the impact of security incidents.
Elements of Information Security
According to Organization of Economic Co- operation and development: 9 generally accepted principles are 1. Awareness 2. Responsibility 3. Response 4. Ethics 5. Democracy 6. Risk Assessment 7. Security Design and Implementation 8. Security management 9. Reassessment
Confidentiality Confidentiality is the term used to prevent the disclosure of information to unauthorized individuals or systems. Example: Password hacking in online money transaction systems Prevention: by encrypting the data and by limiting the places where it might appear.
Integrity In information security, integrity means that data cannot be modified undetectably. Example: Prevention: message authentication & integrity codes (MAC/MIC), and message digests such as MD5 or SHA-1 hashes.
Availability Ability of the infrastructure to function according to business expectations during its specified time of operation Prevention: Backup systems
Utility Utility means usefulness Example: Encrypted data stored in hard disk and the decryption key is lost. Prevention: Use a specific computer architecture for a specific purpose ( MS word file can’t be open in Notepad)
Risk management “Risk management is the process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives, and deciding what countermeasures, if any, to take in reducing risk to an acceptable level, based on the value of the information resource to the organization.” Certified Information System Auditor (CSIA)
The Risk management Process consist of: • Identification of assets and estimating their value. • Conduct a threat assessment. • Conduct a vulnerability assessment. • Calculate the impact that each threat would have on each asset. • Identify, select and implement appropriate controls. • Evaluate the effectiveness of the control measures.
Threats to Information System • Human Errors • Environmental Errors Unintentional • System Failure Threats • Information Extortion • Theft Intentional • Identify theft Threats • Software Attack
Controls Three different main types of controls are: 1. Administrative 2. Logical 3. Physical
Administrative Controls • Administrative controls (also called procedural controls) consist of approved written policies, procedures, standards and guidelines. • Administrative controls form the framework for running the business and managing people. • Laws and regulations created by government bodies are also a type of administrative control because they inform the business. • Example: corporate security policy, password policy, hiring policies, and disciplinary policies.
Logical Controls • Logical controls (also called technical controls) use software and data to monitor and control access to information and computing systems. Example: Firewall network instruction detection system • An important logical control that is frequently overlooked is the principle of least privilege. Example where this principle fails: logging windows as administrator
Physical Controls • Physical controls monitor and control the environment of the work place and computing facilities. Example: Fire alarms, fire suppression systems, cameras, security guards, cable locks etc. • An important physical control that is frequently overlooked is the separation of duties. Example: An application programmer should not also be the server administrator or the database administrator.
Access control Access to protected information must be restricted to people who are authorized to access the information. Main Elements: • Identification • Authentication • Cryptography
Defense in depth Information security must protect information throughout the life span of the information, from the initial creation of the information on through to the final disposal of the information. To fully protect the information during its lifetime, each component of the information processing system must have its own protection mechanisms.
Balancing Information Security and Access • Impossible to obtain perfect security—it is a process, not an absolute • Security should be considered balance between protection and availability • To achieve balance, level of security must allow reasonable access, yet protect against threats
Security classification of Information • In the business sector  Public  Sensitive  Private  Confidential • In Government Sector  Unclassified  Sensitive but unclassified  Restricted  Confidential  Secret  Top Secret  And Their non English equivalent
Laws and regulations The original Information Technology Act (section 43 and 66) • Passed in 2000 • Deals with computer misuse • Does not have any express provision for data security. The IT (Amendment ) Act 2008 (“Amendment Act”) (section 43A and section 72A) • Under Section 43A, “bodies corporate” can be liable if they are negligent in implementing and maintaining “reasonable security practices and procedures” to protect “sensitive personal data or information”.
New data security regulations , 2011 (“sensitive personal data rules”) The Sensitive Personal Data Rules defines “sensitive personal data or information” of a person to include information about: • Passwords; • Financial information such as bank accounts, credit and debit card details; • Physiological and mental health condition, medical records; • Biometric information; • Information received by body corporate under lawful contract or otherwise; • User details as provided at the time of registration or thereafter; and • Call data records. Information that is freely available in the public domain or accessible under the Right to Information Act, 2005 or any other law will not be regarded as sensitive personal data or information.
Summary • Information security is a “well-informed sense of assurance that the information risks and controls are in balance.” • Successful organizations have multiple layers of security in place: physical, personal, operations, communications, network, and information. • Security should be considered a balance between protection and availability
Types of IT Threats 1. Computer virus 2. Trojan Horses 3. DNS poisoning 4. Password grabbers 5. Network worms 6. Logic Bombs 7. Hijacked home page 8. Password cracker Types of Attacks 1. SQL Injection 2. Dictionary attack 3. Phishing 4. Cross site scripting (XSS) 5. UI redressing
Thank You 

Recommandé

internet security and cyber lawUnit1
internet security and cyber lawUnit1internet security and cyber lawUnit1
internet security and cyber lawUnit1
Royalzig Luxury Furniture
 
International Journal of Engineering Research and Development
International Journal of Engineering Research and DevelopmentInternational Journal of Engineering Research and Development
International Journal of Engineering Research and Development
IJERD Editor
 
CISSP Certification- Security Engineering-part1
CISSP Certification- Security Engineering-part1CISSP Certification- Security Engineering-part1
CISSP Certification- Security Engineering-part1
Hamed Moghaddam
 
Information security
Information securityInformation security
Information security
Lusungu Mkandawire CISA,CISM,CGEIT,CPF,PRINCE2
 
Information security
Information security Information security
Information security
razendar79
 
Information security
Information securityInformation security
Information security
Sanjay Tiwari
 
Introduction to Information Security
Introduction to Information SecurityIntroduction to Information Security
Introduction to Information Security
Dr. Loganathan R
 
Introduction to information security - by Ivan Nganda
Introduction to information security - by Ivan NgandaIntroduction to information security - by Ivan Nganda
Introduction to information security - by Ivan Nganda
See You Rise Holdings
 

Recommandé

internet security and cyber lawUnit1
internet security and cyber lawUnit1internet security and cyber lawUnit1
internet security and cyber lawUnit1
Royalzig Luxury Furniture
 
International Journal of Engineering Research and Development
International Journal of Engineering Research and DevelopmentInternational Journal of Engineering Research and Development
International Journal of Engineering Research and Development
IJERD Editor
 
CISSP Certification- Security Engineering-part1
CISSP Certification- Security Engineering-part1CISSP Certification- Security Engineering-part1
CISSP Certification- Security Engineering-part1
Hamed Moghaddam
 
Information security
Information securityInformation security
Information security
Lusungu Mkandawire CISA,CISM,CGEIT,CPF,PRINCE2
 
Information security
Information security Information security
Information security
razendar79
 
Information security
Information securityInformation security
Information security
Sanjay Tiwari
 
Introduction to Information Security
Introduction to Information SecurityIntroduction to Information Security
Introduction to Information Security
Dr. Loganathan R
 
Introduction to information security - by Ivan Nganda
Introduction to information security - by Ivan NgandaIntroduction to information security - by Ivan Nganda
Introduction to information security - by Ivan Nganda
See You Rise Holdings
 
Security Awareness and Training
Security Awareness and TrainingSecurity Awareness and Training
Security Awareness and Training
Priyank Hada
 
Information Security Management.Introduction
Information Security Management.IntroductionInformation Security Management.Introduction
Information Security Management.Introduction
yuliana_mar
 
CISSP Certification-Asset Security
CISSP Certification-Asset SecurityCISSP Certification-Asset Security
CISSP Certification-Asset Security
Hamed Moghaddam
 
Introduction to information security
Introduction to information securityIntroduction to information security
Introduction to information security
KATHEESKUMAR S
 
ISO 27001 2013 Introduction Study Case IGN Mantra, 2nd Day, 3rd Session.
ISO 27001 2013 Introduction Study Case IGN Mantra, 2nd Day, 3rd Session.ISO 27001 2013 Introduction Study Case IGN Mantra, 2nd Day, 3rd Session.
ISO 27001 2013 Introduction Study Case IGN Mantra, 2nd Day, 3rd Session.
IGN MANTRA
 
Information Security
Information SecurityInformation Security
Information Security
We Learn - A Continuous Learning Forum from Welingkar's Distance Learning Program.
 
Information security management iso27001
Information security management iso27001Information security management iso27001
Information security management iso27001
Hiran Kanishka
 
Isys20261 lecture 01
Isys20261 lecture 01Isys20261 lecture 01
Isys20261 lecture 01
Wiliam Ferraciolli
 
Information Security Background
Information Security BackgroundInformation Security Background
Information Security Background
Nicholas Davis
 
Information Security
Information SecurityInformation Security
Information Security
Dhilsath Fathima
 
CyberSecurity
CyberSecurityCyberSecurity
CyberSecurity
NeelkanthGovindji
 
Ch1 cse
Ch1 cseCh1 cse
Ch1 cse
bhaskard8
 
Infromation Assurance
Infromation AssuranceInfromation Assurance
Infromation Assurance
Akshay Pal
 
Presentation2 (2)
Presentation2 (2)Presentation2 (2)
Presentation2 (2)
ITNet
 
Information security management (bel g. ragad)
Information security management (bel g. ragad)Information security management (bel g. ragad)
Information security management (bel g. ragad)
Rois Solihin
 
Information security management v2010
Information security management v2010Information security management v2010
Information security management v2010
joevest
 
Information security
Information securityInformation security
Information security
avinashbalakrishnan2
 
Chapter 3: Information Security Framework
Chapter 3: Information Security FrameworkChapter 3: Information Security Framework
Chapter 3: Information Security Framework
Nada G.Youssef
 
information security management
information security managementinformation security management
information security management
Gurpreetkaur838
 
Introduction to information security
Introduction to information securityIntroduction to information security
Introduction to information security
Dhani Ahmad
 
1678784047-mid_sem-2.pdf
1678784047-mid_sem-2.pdf1678784047-mid_sem-2.pdf
1678784047-mid_sem-2.pdf
Rimurutempest594985
 
Cyber-Security-Unit-1.pptx
Cyber-Security-Unit-1.pptxCyber-Security-Unit-1.pptx
Cyber-Security-Unit-1.pptx
TikdiPatel
 

Contenu connexe

Tendances

Security Awareness and Training
Security Awareness and TrainingSecurity Awareness and Training
Security Awareness and Training
Priyank Hada
 
Information Security Background
Information Security BackgroundInformation Security Background
Information Security Background
Nicholas Davis
 

Tendances (20)

Security Awareness and Training
Security Awareness and TrainingSecurity Awareness and Training
Security Awareness and Training
 
Information Security Management.Introduction
Information Security Management.IntroductionInformation Security Management.Introduction
Information Security Management.Introduction
 
CISSP Certification-Asset Security
CISSP Certification-Asset SecurityCISSP Certification-Asset Security
CISSP Certification-Asset Security
 
Introduction to information security
Introduction to information securityIntroduction to information security
Introduction to information security
 
ISO 27001 2013 Introduction Study Case IGN Mantra, 2nd Day, 3rd Session.
ISO 27001 2013 Introduction Study Case IGN Mantra, 2nd Day, 3rd Session.ISO 27001 2013 Introduction Study Case IGN Mantra, 2nd Day, 3rd Session.
ISO 27001 2013 Introduction Study Case IGN Mantra, 2nd Day, 3rd Session.
 
Information Security
Information SecurityInformation Security
Information Security
 
Information security management iso27001
Information security management iso27001Information security management iso27001
Information security management iso27001
 
Isys20261 lecture 01
Isys20261 lecture 01Isys20261 lecture 01
Isys20261 lecture 01
 
Information Security Background
Information Security BackgroundInformation Security Background
Information Security Background
 
Information Security
Information SecurityInformation Security
Information Security
 
CyberSecurity
CyberSecurityCyberSecurity
CyberSecurity
 
Ch1 cse
Ch1 cseCh1 cse
Ch1 cse
 
Infromation Assurance
Infromation AssuranceInfromation Assurance
Infromation Assurance
 
Presentation2 (2)
Presentation2 (2)Presentation2 (2)
Presentation2 (2)
 
Information security management (bel g. ragad)
Information security management (bel g. ragad)Information security management (bel g. ragad)
Information security management (bel g. ragad)
 
Information security management v2010
Information security management v2010Information security management v2010
Information security management v2010
 
Information security
Information securityInformation security
Information security
 
Chapter 3: Information Security Framework
Chapter 3: Information Security FrameworkChapter 3: Information Security Framework
Chapter 3: Information Security Framework
 
information security management
information security managementinformation security management
information security management
 
Introduction to information security
Introduction to information securityIntroduction to information security
Introduction to information security
 

Similaire à Information Security

Fundamentals of-information-security
Fundamentals of-information-security Fundamentals of-information-security
Fundamentals of-information-security
madunix
 
Information security background
Information security backgroundInformation security background
Information security background
Nicholas Davis
 
Security & Risk Mgmt_WK1.pptx
Security & Risk Mgmt_WK1.pptxSecurity & Risk Mgmt_WK1.pptx
Security & Risk Mgmt_WK1.pptx
dotco
 
Information Systems.pptx
Information Systems.pptxInformation Systems.pptx
Information Systems.pptx
KnownId
 
Legal and Ethical Implications of Cybersecurity.pptx
Legal and Ethical Implications of Cybersecurity.pptxLegal and Ethical Implications of Cybersecurity.pptx
Legal and Ethical Implications of Cybersecurity.pptx
soulscout02
 

Similaire à Information Security (20)

1678784047-mid_sem-2.pdf
1678784047-mid_sem-2.pdf1678784047-mid_sem-2.pdf
1678784047-mid_sem-2.pdf
 
Cyber-Security-Unit-1.pptx
Cyber-Security-Unit-1.pptxCyber-Security-Unit-1.pptx
Cyber-Security-Unit-1.pptx
 
Introduction to Cybersecurity.pdf
Introduction to Cybersecurity.pdfIntroduction to Cybersecurity.pdf
Introduction to Cybersecurity.pdf
 
Fundamentals of-information-security
Fundamentals of-information-security Fundamentals of-information-security
Fundamentals of-information-security
 
Unit 1&2.pdf
Unit 1&2.pdfUnit 1&2.pdf
Unit 1&2.pdf
 
Information security background
Information security backgroundInformation security background
Information security background
 
Security & Risk Mgmt_WK1.pptx
Security & Risk Mgmt_WK1.pptxSecurity & Risk Mgmt_WK1.pptx
Security & Risk Mgmt_WK1.pptx
 
Security & Risk Mgmt_WK1.pptx
Security & Risk Mgmt_WK1.pptxSecurity & Risk Mgmt_WK1.pptx
Security & Risk Mgmt_WK1.pptx
 
Chapter 1 introduction(web security)
Chapter 1 introduction(web security)Chapter 1 introduction(web security)
Chapter 1 introduction(web security)
 
Information Systems.pptx
Information Systems.pptxInformation Systems.pptx
Information Systems.pptx
 
SECURITY AND CONTROL
SECURITY AND CONTROLSECURITY AND CONTROL
SECURITY AND CONTROL
 
CC ss.pptx
CC ss.pptxCC ss.pptx
CC ss.pptx
 
Cloud computing
Cloud computing Cloud computing
Cloud computing
 
Information security: importance of having defined policy & process
Information security: importance of having defined policy & processInformation security: importance of having defined policy & process
Information security: importance of having defined policy & process
 
chapter 1. Introduction to Information Security
chapter 1. Introduction to Information Security chapter 1. Introduction to Information Security
chapter 1. Introduction to Information Security
 
I0516064
I0516064I0516064
I0516064
 
information security (network security methods)
information security (network security methods)information security (network security methods)
information security (network security methods)
 
Information security ist lecture
Information security ist lectureInformation security ist lecture
Information security ist lecture
 
Lec 1- Intro to cyber security and recommendations
Lec 1- Intro to cyber security and recommendationsLec 1- Intro to cyber security and recommendations
Lec 1- Intro to cyber security and recommendations
 
Legal and Ethical Implications of Cybersecurity.pptx
Legal and Ethical Implications of Cybersecurity.pptxLegal and Ethical Implications of Cybersecurity.pptx
Legal and Ethical Implications of Cybersecurity.pptx
 

Dernier

From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 

Dernier (20)

presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 

Information Security

  • 1. Information Security By: Alok Katiyar 10210004
  • 2. Overview • What is Information Security ? • Key component • Security controls • Classification of security • Laws and regulations
  • 3. What is information security ? The protection of information and its critical elements, including systems and hardware that use, store, and transmit that information Necessary tools: policy, awareness, training, education, technology
  • 4. Information security: a “well-informed sense of assurance that the information risks and controls are in balance.”— Jim Anderson, Inovant (2002)
  • 5. Why Information Security ? The purpose of information security management is to ensure business continuity and reduce business damage by preventing and minimizing the impact of security incidents.
  • 7. According to Organization of Economic Co- operation and development: 9 generally accepted principles are 1. Awareness 2. Responsibility 3. Response 4. Ethics 5. Democracy 6. Risk Assessment 7. Security Design and Implementation 8. Security management 9. Reassessment
  • 8. Confidentiality Confidentiality is the term used to prevent the disclosure of information to unauthorized individuals or systems. Example: Password hacking in online money transaction systems Prevention: by encrypting the data and by limiting the places where it might appear.
  • 9. Integrity In information security, integrity means that data cannot be modified undetectably. Example: Prevention: message authentication & integrity codes (MAC/MIC), and message digests such as MD5 or SHA-1 hashes.
  • 10. Availability Ability of the infrastructure to function according to business expectations during its specified time of operation Prevention: Backup systems
  • 11. Utility Utility means usefulness Example: Encrypted data stored in hard disk and the decryption key is lost. Prevention: Use a specific computer architecture for a specific purpose ( MS word file can’t be open in Notepad)
  • 12. Risk management “Risk management is the process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives, and deciding what countermeasures, if any, to take in reducing risk to an acceptable level, based on the value of the information resource to the organization.” Certified Information System Auditor (CSIA)
  • 13. The Risk management Process consist of: • Identification of assets and estimating their value. • Conduct a threat assessment. • Conduct a vulnerability assessment. • Calculate the impact that each threat would have on each asset. • Identify, select and implement appropriate controls. • Evaluate the effectiveness of the control measures.
  • 14. Threats to Information System • Human Errors • Environmental Errors Unintentional • System Failure Threats • Information Extortion • Theft Intentional • Identify theft Threats • Software Attack
  • 15. Controls Three different main types of controls are: 1. Administrative 2. Logical 3. Physical
  • 16. Administrative Controls • Administrative controls (also called procedural controls) consist of approved written policies, procedures, standards and guidelines. • Administrative controls form the framework for running the business and managing people. • Laws and regulations created by government bodies are also a type of administrative control because they inform the business. • Example: corporate security policy, password policy, hiring policies, and disciplinary policies.
  • 17. Logical Controls • Logical controls (also called technical controls) use software and data to monitor and control access to information and computing systems. Example: Firewall network instruction detection system • An important logical control that is frequently overlooked is the principle of least privilege. Example where this principle fails: logging windows as administrator
  • 18. Physical Controls • Physical controls monitor and control the environment of the work place and computing facilities. Example: Fire alarms, fire suppression systems, cameras, security guards, cable locks etc. • An important physical control that is frequently overlooked is the separation of duties. Example: An application programmer should not also be the server administrator or the database administrator.
  • 19. Access control Access to protected information must be restricted to people who are authorized to access the information. Main Elements: • Identification • Authentication • Cryptography
  • 20. Defense in depth Information security must protect information throughout the life span of the information, from the initial creation of the information on through to the final disposal of the information. To fully protect the information during its lifetime, each component of the information processing system must have its own protection mechanisms.
  • 21. Balancing Information Security and Access • Impossible to obtain perfect security—it is a process, not an absolute • Security should be considered balance between protection and availability • To achieve balance, level of security must allow reasonable access, yet protect against threats
  • 22.
  • 23. Security classification of Information • In the business sector  Public  Sensitive  Private  Confidential • In Government Sector  Unclassified  Sensitive but unclassified  Restricted  Confidential  Secret  Top Secret  And Their non English equivalent
  • 24. Laws and regulations The original Information Technology Act (section 43 and 66) • Passed in 2000 • Deals with computer misuse • Does not have any express provision for data security. The IT (Amendment ) Act 2008 (“Amendment Act”) (section 43A and section 72A) • Under Section 43A, “bodies corporate” can be liable if they are negligent in implementing and maintaining “reasonable security practices and procedures” to protect “sensitive personal data or information”.
  • 25. New data security regulations , 2011 (“sensitive personal data rules”) The Sensitive Personal Data Rules defines “sensitive personal data or information” of a person to include information about: • Passwords; • Financial information such as bank accounts, credit and debit card details; • Physiological and mental health condition, medical records; • Biometric information; • Information received by body corporate under lawful contract or otherwise; • User details as provided at the time of registration or thereafter; and • Call data records. Information that is freely available in the public domain or accessible under the Right to Information Act, 2005 or any other law will not be regarded as sensitive personal data or information.
  • 26. Summary • Information security is a “well-informed sense of assurance that the information risks and controls are in balance.” • Successful organizations have multiple layers of security in place: physical, personal, operations, communications, network, and information. • Security should be considered a balance between protection and availability
  • 27. Types of IT Threats 1. Computer virus 2. Trojan Horses 3. DNS poisoning 4. Password grabbers 5. Network worms 6. Logic Bombs 7. Hijacked home page 8. Password cracker Types of Attacks 1. SQL Injection 2. Dictionary attack 3. Phishing 4. Cross site scripting (XSS) 5. UI redressing
  • 28. Thank You