2. Overview
• What is Information Security ?
• Key component
• Security controls
• Classification of security
• Laws and regulations
3. What is information security ?
The protection of information and its critical
elements, including systems and hardware that
use, store, and transmit that information
Necessary tools: policy, awareness, training, education,
technology
4. Information security: a “well-informed sense of
assurance that the information risks and
controls are in balance.”—
Jim Anderson, Inovant (2002)
5. Why Information Security ?
The purpose of information security management
is to ensure business continuity and reduce
business damage by preventing and minimizing
the impact of security incidents.
7. According to Organization of Economic Co-
operation and development:
9 generally accepted principles are
1. Awareness
2. Responsibility
3. Response
4. Ethics
5. Democracy
6. Risk Assessment
7. Security Design and Implementation
8. Security management
9. Reassessment
8. Confidentiality
Confidentiality is the term used to prevent the
disclosure of information to unauthorized individuals or
systems.
Example: Password hacking in online money transaction systems
Prevention: by encrypting the data and by limiting the places
where it might appear.
9. Integrity
In information security, integrity means that data
cannot be modified undetectably.
Example:
Prevention: message authentication & integrity codes
(MAC/MIC), and message digests such as MD5 or SHA-1 hashes.
10. Availability
Ability of the infrastructure to function according to
business expectations during its specified time of
operation
Prevention: Backup systems
11. Utility
Utility means usefulness
Example: Encrypted data stored in hard disk and the decryption key
is lost.
Prevention: Use a specific computer architecture for a specific
purpose ( MS word file can’t be open in Notepad)
12. Risk management
“Risk management is the process of
identifying vulnerabilities and threats to the
information resources used by an organization in
achieving business objectives, and deciding what
countermeasures, if any, to take in reducing risk to an
acceptable level, based on the value of the information
resource to the organization.”
Certified Information System Auditor (CSIA)
13. The Risk management Process consist of:
• Identification of assets and estimating their value.
• Conduct a threat assessment.
• Conduct a vulnerability assessment.
• Calculate the impact that each threat would have on
each asset.
• Identify, select and implement appropriate controls.
• Evaluate the effectiveness of the control measures.
14. Threats to Information System
• Human Errors
• Environmental Errors
Unintentional • System Failure
Threats
• Information Extortion
• Theft
Intentional • Identify theft
Threats • Software Attack
16. Administrative Controls
• Administrative controls (also called procedural controls)
consist of approved written policies, procedures, standards
and guidelines.
• Administrative controls form the framework for running the
business and managing people.
• Laws and regulations created by government bodies are also a
type of administrative control because they inform the
business.
• Example: corporate security policy, password policy, hiring
policies, and disciplinary policies.
17. Logical Controls
• Logical controls (also called technical controls) use
software and data to monitor and control access to
information and computing systems.
Example: Firewall network instruction detection system
• An important logical control that is frequently
overlooked is the principle of least privilege.
Example where this principle fails: logging windows as administrator
18. Physical Controls
• Physical controls monitor and control the
environment of the work place and computing
facilities.
Example: Fire alarms, fire suppression systems, cameras,
security guards, cable locks etc.
• An important physical control that is frequently
overlooked is the separation of duties.
Example: An application programmer should not also be the
server administrator or the database administrator.
19. Access control
Access to protected information must be restricted to
people who are authorized to access the information.
Main Elements:
• Identification
• Authentication
• Cryptography
20. Defense in depth
Information security must protect
information throughout the life span of
the information, from the initial creation
of the information on through to the
final disposal of the information.
To fully protect the information during its lifetime, each component of
the information processing system must have its own protection
mechanisms.
21. Balancing Information Security and Access
• Impossible to obtain perfect security—it is a
process, not an absolute
• Security should be considered balance between
protection and availability
• To achieve balance, level of security must allow
reasonable access, yet protect against threats
22.
23. Security classification of Information
• In the business sector
Public
Sensitive
Private
Confidential
• In Government Sector
Unclassified
Sensitive but unclassified
Restricted
Confidential
Secret
Top Secret
And Their non English equivalent
24. Laws and regulations
The original Information Technology Act (section 43
and 66)
• Passed in 2000
• Deals with computer misuse
• Does not have any express provision for data security.
The IT (Amendment ) Act 2008 (“Amendment Act”)
(section 43A and section 72A)
• Under Section 43A, “bodies corporate” can be liable if they
are negligent in implementing and maintaining “reasonable
security practices and procedures” to protect “sensitive
personal data or information”.
25. New data security regulations , 2011 (“sensitive personal
data rules”)
The Sensitive Personal Data Rules defines “sensitive personal data
or information” of a person to include information about:
• Passwords;
• Financial information such as bank accounts, credit and debit card details;
• Physiological and mental health condition, medical records;
• Biometric information;
• Information received by body corporate under lawful contract or otherwise;
• User details as provided at the time of registration or thereafter; and
• Call data records.
Information that is freely available in the public domain or accessible
under the Right to Information Act, 2005 or any other law will not be
regarded as sensitive personal data or information.
26. Summary
• Information security is a “well-informed sense of
assurance that the information risks and controls are
in balance.”
• Successful organizations have multiple layers of
security in place: physical, personal, operations,
communications, network, and information.
• Security should be considered a balance between
protection and availability
27. Types of IT Threats
1. Computer virus
2. Trojan Horses
3. DNS poisoning
4. Password grabbers
5. Network worms
6. Logic Bombs
7. Hijacked home page
8. Password cracker
Types of Attacks
1. SQL Injection
2. Dictionary attack
3. Phishing
4. Cross site scripting (XSS)
5. UI redressing