2. Information Security
Business Need
• Ethics as an Individual: Did you know?
• You are bonded labour – Did you agree to the EULA/NDA and
company joining agreements?
• Your assets are attached to your profession – Did you read your
NDA violation policy?
• Your privacy is at stake – If you are a BPO employee, you cannot
carry even tissue paper with you.
• You are watched – every activity on your PC is monitored.
• Don't you do whistle blowing? – You may be a victim; be careful, as
ignorant pretenders can be fired for not blowing the whistle.
3. Information Security
Business Need
• Corporate Ethics: Did you know?
• Many large corporations like Microsoft have had cases filed
against them for breach of conduct and ethics.
• Ex.: The antitrust ruling in South Korea followed allegations raised
by internet firm Daum Communications that Microsoft was
breaching antitrust rules by selling a version of Windows that
included its instant messenger software.
• Phaneesh Murthy's sex scandal brought Infosys' name tumbling
down, with huge charges of USD 3 million (~12 crores).
• Internal politics in recruitment, giving incentives, etc. can cost a
company a fortune.
4. Information Security
Business Need
• Ethics in Society: Did you know ?
• You can be suspended:
• If you are put to work with a group of HIV-positive members and
you refuse to do so.
• You can be terminated:
• Like the late Saddam, if you turn anti-social.
5. Information Security
Employee Awareness
• You arrive at the office on Monday morning,
get your first cup of coffee, turn on your
computer, and bring up your E-mail.
• You have one new message; it says, "Two
computer security experts will be arriving
at your office today to brief you on
computer security issues".
• The briefing will highlight the following
issues:
1. Desktop usage & safety,
2. Phone ethics &
3. Personal security
6. Information Security
Desktop usage & safety
• Incidents:
• Files containing several months' worth
of scientific research lost in a computer
virus attack
• Floppy disks containing important
administrative records damaged by a
magnetic source
• Lab work disrupted for 3 days due to
failure of computer program controlling
the lab equipment
7. Information Security
Desktop usage & safety
• Remedies:
• 1. Never leave your computer logged on
unattended, even for a minute. LOCK!!
• 2. Always log off when you are done or are
leaving your work area for an extended
period of time.
• 3. Create an "uncrackable/unguessable"
password.
• 4. Do not give your password to anyone
for any reason, or type your password when
someone is watching.
• 5. Don't write down your password, include
it in automated scripts, or store it on your
hard drive/PDA.
9. Information Security
Desktop usage & safety
• 6. Never send confidential or personal
information through the network.
• 7. Do not open unexpected emails
or unexpected attachments, even if
they come from your contact list.
• 8. Systems maintenance technicians
from outside vendors who come on
site should be
ESCORTED/ATTENDED by the local
site administrator.
12. Information Security
Social Engineering
• Acquisition of sensitive information or
inappropriate access privileges by an
outsider, based upon the building of an
inappropriate trust relationship with
insiders
• The goal of social engineering is to trick
someone into providing valuable information
or access to that information
• Remedies:
• If you cannot personally identify a caller
who asks for personal information about you
or anyone else, for information about your
computer system, or for any other sensitive
information, do not provide the information.
• Insist on verifying the caller's identity by
calling them back at their proper telephone
number as listed in the telephone directory.
13. Information Security
Phone ethics
• Incident:
–"Someone calls you in the middle of the night:
'Have you been calling the US for the last 2 hours
on a conf call?'
–'No.'
–And they'll say, 'Well, we have a call that's
actually active right now, it's on your calling
card and it's to the US, and as a matter of fact,
you've got about $2,000 worth of charges from
somebody using your card.
–You're responsible for the $2,000, you have to
pay that...' They'll say, 'I'm putting my job on
the line by getting rid of this $2,000 charge for
you.
–But you need to read off the calling card
details like number/pass code and then I'll get
rid of the charge for you.' People fall for it."
14. Information Security
Phone ethics
• Remedies:
• Don't fall for sweet voices of the opposite sex.
• Don't give away any confidential data.
• If possible keep a note of the phone number; usually
these calls are also made from public booths.
• Call up your card/service provider and report the incident;
many have a money-back policy for such baseless calls made
from your card.
• If you are on a BPO job, don't reveal any trade secrets for a fee
to anyone.
15. Information Security
Personal security
• Call centre workers are the main targets as they work
in night shifts or alone. Adequate security needs to
be provided for such persons.
• Use of qualified entry systems like biometrics.
• Proper security alarms / pepper sprays /
police notification systems need to be carried by
them.
• Attend a security awareness camp and learn
martial arts.
• Don't carry sensitive data/records during night
shifts.
• Don't take strangers for granted; don't give or take
lifts.
16. Information Security
Connecting from Home
• Connecting from Home – Dangers
• An analogy: I leave my home window OPEN when I
leave for work every day, and for weeks nothing happens.
One day, someone chooses to enter through that open window
and I get burned.
• Threat #1: Outside Attack
• Most attacks are either automatic probes or result from
malware, e.g. denial of service, password stealers.
• Threat #2: Virus, worm or spyware infection
• Adware, browser hijackers, spyware, dialers, worms and
viruses, Trojans, rootkits (software that hides itself and
associated malware by modifying core Windows functions; this
makes detection and removal far harder and may require a
disk reformat and Windows reinstall).
17. Information Security
Connecting from Home
• Never run files you don't trust or haven't reliably verified.
• Disable ActiveX, Java and JavaScript in your browser
software.
• Use Opera or Firefox for web browsing instead of Internet
Explorer.
• Install an anti-virus scanner and always keep it updated.
• Use the Windows default firewall.
• Use advanced packages for protection and content filtering.
• I recommend using a VPN (Check Point) that filters and blocks all
such issues.
• A VPN incorporates two features, encryption and tunneling, to
ensure that the data is delivered safely and privately across the
public space.
• In tunneling you take non-routable data packets and
encapsulate them inside routable packets for transmission over
the Internet. The tunneling protocol is the heart of the VPN, and
handles authentication and forming and keeping the tunnel (data
path) between the source and destination intact over the
Internet.
18. Information Security
Glossary
• Non-repudiation: the concept of ensuring that a contract cannot later
be denied by either of the parties involved.
• Accountability: stands for answerability, enforcement, responsibility,
blameworthiness, liability and other terms associated with the expectation
of account-giving.
• Reliability: the probability that an item will perform a required function
under stated conditions for a stated period of time. The probability of
survival, R(t), plus the probability of failure, F(t), is always unity.
• Expressed as a formula: F(t) + R(t) = 1, or F(t) = 1 - R(t).
• Authenticity: the assurance that the authorship or source of the
information is as indicated.
• CtO: Concept-to-Offer
• CSPO: Chief Security and Privacy Office
• ESPS: Enterprise Security Policies and Standards
• ESIS: Enterprise Security Information System
• SANS Institute: Sys Admin, Audit, Networking, and Security
19. Information Security
Info Sec basics
What is 'information security'?
• 'Information security' is, according to the internationally recognized
code of information security best practice, ISO 17799:2005, the
'preservation of the confidentiality, integrity and availability of
information;
• in addition, other properties, such as authenticity, accountability,
non-repudiation and reliability can also be involved'.
• This is commonly called the CIA triad (or CIA triangle).
20. Information Security
Info Sec basics
• Confidentiality:
• Information that is considered to be confidential in nature must
only be accessed, used, copied, or disclosed by persons who
have been authorized to access, use, copy, or disclose the
information, and then only when there is a genuine need to
access, use, copy or disclose the information.
• Example:
• If a laptop computer which contains employment and benefit
information about 100,000 employees is stolen from a car (or is
sold on eBay), this could result in a breach of confidentiality because
the information is now in the hands of someone who is not
authorized to have it.
21. Information Security
Info Sec basics
• Integrity:
• In information security, integrity means that data cannot be
created, changed, or deleted without authorization. It also means
that data stored in one part of a database system is in agreement
with other related data stored in another part of the database
system (or another system).
• Example:
• A loss of integrity occurs when an employee accidentally, or with
malicious intent, deletes important data files. A loss of integrity
can also occur if a computer virus is released onto the computer.
22. Information Security
Info Sec basics
• Availability:
• The concept of availability means that the information, the
computing systems used to process the information, and the
security controls used to protect the information are all available
and functioning correctly when the information is needed. The
opposite of availability is denial of service (DoS).
• Example:
• A DoS attack carried out by a virus is one such example of a violation.
23. Information Security
Risk and mitigation
• Risk is the likelihood that something bad will happen that causes
harm to an informational asset (or the loss of the asset).
• A vulnerability is a weakness that could be used to endanger or
cause harm to an informational asset.
• A threat is anything (man-made or act of nature) that has the
potential to cause harm.
• A risk assessment is carried out by a team of people who have
knowledge of specific areas of the business.
• The assessment may use a subjective qualitative analysis based
on informed opinion, or, where reliable dollar figures and historical
information are available, the analysis may use quantitative
analysis.
24. Information Security
Risk and mitigation
• For any given risk, Executive Management can choose to:
1. Accept the risk, assuming low impact and occurrence.
2. Mitigate the risk by selecting and implementing appropriate
control measures to reduce the risk.
– Administrative controls are comprised of approved written policies,
procedures, standards and guidelines. Administrative controls form the
framework for running the business and managing people. The Payment
Card Industry (PCI) Data Security Standard required by Visa and
MasterCard is one such example.
– Logical controls (also called technical controls) use software and data
to monitor and control access to information and computing systems.
For example: passwords, network and host based firewalls, network
intrusion detection systems, access control lists, and data encryption
are logical controls.
– Physical controls monitor and control the environment of the work
place and computing facilities. They also monitor and control access to
and from such facilities. For example: doors, locks, heating and air
conditioning, smoke and fire alarms, fire suppression systems.
3. Transfer the risk to another business by buying insurance or
outsourcing to another business.
25. Information Security
Info Sec basics
• Info Sec is classified by different organizations into different topics and
scopes. We will discuss more on the (ISC)²
based 10 domains.
• The International Information Systems Security Certification
Consortium, Inc. [(ISC)²] is a not-for-profit organization
incorporated under the laws of the Commonwealth of Massachusetts
and the U.S. Internal Revenue Code.
• CISSP was the first certification to earn ANSI accreditation to
ISO/IEC Standard 17024:2003, a global benchmark for assessing
and certifying personnel. It is formally approved by the U.S.
Department of Defense (DoD) in both their Information Assurance
Technical (IAT) and Managerial (IAM) categories. The certification is
also endorsed by the U.S. National Security Agency (NSA) as the
benchmark for information security.
26. Information Security
Info Sec basics
Info Sec Domains
1. Security Management Practices
2. Access Control Systems
3. Telecommunications and Network Security
4. Cryptography
27. Information Security
Info Sec basics
5. Security Architecture and Models
6. Operations Security
7. Applications and Systems Development
8. Business Continuity Planning and Disaster
Recovery Planning
9. Law, Investigation, and Ethics
10. Physical Security
28. Information Security
Products/Certificates:
• Products for specified areas of Info Sec are given in
the attached spreadsheet.
• Certificates like CEH, CISA, CISSP … all details are in one
spreadsheet, as attached.
29. Information Security
Case Study
• Why was SOX created? What are the reasons behind
it?
• History:
–Enron's collapse contributed to the creation of the U.S.
Sarbanes-Oxley Act (SOX).
–It is considered the most significant change to federal
securities laws since FDR's New Deal in the 1930s.
–In August of 2000, Enron's stock price hit its highest value
of $90. At this point Enron executives, who possessed
the inside information on the hidden losses, began to
sell their stock. At the same time, the general public and
Enron's investors were told to buy the stock. Executives
told the investors that the stock would continue to climb
until it reached possibly the $130 to $140 range, while
secretly unloading their shares.
30. Information Security
Case Study
–Kenneth Lay, Chairman of the Board and Chief
Executive Officer, would issue a statement or
make an appearance to calm investors and
assure them that Enron was headed in the right
direction.
–After a series of scandals involving irregular
accounting procedures bordering on fraud,
perpetrated throughout the 1990s, involving
Enron and its accounting firm Arthur Andersen, it
stood on the verge of undergoing the largest
bankruptcy in history by mid-November 2001.
–These are classic examples of high-level
corruption, accounting errors, insider trading,
non-compliance with governance and policies, and violation
of the code of ethics.
31. Information Security
Case Study
• Enron Code of Ethics:
• "Compliance with the law and ethical standards are conditions of employment
and violations will result in disciplinary action, which may include
termination...in addition to responding to the Act, we are adopting this Policy
Statement to avoid even the appearance of improper conduct on the part of
anyone employed by or associated with the Company...We have all worked
hard over the years to establish our reputation for integrity and ethical
conduct. We cannot afford to have it damaged."
• The document prohibits directors, officers or employees from trading in Enron
shares when they have "non-public" information about Enron or its
subsidiaries.
• And there is also a ban on officers or employees owning, or participating
in "the profits of any other entity which does business with or is a competitor
of the Company" without running it past the chairman or chief executive.
32. Information Security
Case Study
– What went missing:
– No elaborate policies for accounts management
– No seriousness about the code of ethics
– Non-compliance with governance
– No visibility of the company's standing to the public
–Remedy:
– The US Congress brought in SOX, which was signed into law on
July 30, 2002.
– This law provides stronger penalties for fraud and, among other things,
requires public companies to:
– avoid making loans to management,
– report more information to the public,
– maintain stronger independence from their auditors,
– report on, and have audited, their financial internal control procedures.
33. Information Security
Appendix
Info Sec Domains
1. Security Management Practices
2. Access Control Systems
3. Telecommunications and Network Security
4. Cryptography
5. Security Architecture and Models
6. Operations Security
7. Applications and Systems Development
8. Business Continuity Planning and Disaster Recovery Planning
9. Law, Investigation, and Ethics
10. Physical Security
34. Information Security
Domain 1: Security Management Practices
• Domain Definition:
• The Info Sec domain of Security Management incorporates
the identification of the organization's information assets with the
development and implementation of policies, standards,
guidelines, and procedures.
• It defines the management practices of data classification
and risk management.
• It also addresses confidentiality, integrity, and availability by
identifying threats, classifying the organization's assets,
and rating their vulnerabilities so that effective security
controls can be implemented.
• Data classification: Unclassified, Confidential, Secret,
Top Secret, Public Use, Internal Use Only, Company
Confidential
35. Information Security
Domain 2: Access Control Systems
• Controls are implemented to mitigate risk and reduce the potential
for loss. Controls can be preventive, detective, or corrective.
• Controlling access by a subject (an active entity such as individual
or process) to an object (a passive entity such as a file) involves
setting up access rules. These rules can be classified into three
categories or models:
• Mandatory Access Control.
• Discretionary Access Control.
• Non-Discretionary Access Control
• Passwords, biometrics, Single Sign-On, Kerberos, and intrusion
detection are some typical methods for this domain.
36. Information Security
Domain 2: Access Control Systems
• Mandatory Access Control:
–Here an individual with a clearance of secret can have access to
secret and confidential documents with a restriction. This
restriction is that the individual must have a need to know
relative to the classified documents involved. Therefore, the
documents must be necessary for that individual to complete
an assigned task. Even if the individual is cleared for a
classification level of information, unless there is a need to
know, the individual should not access the information.
• Discretionary Access Control:
–The subject has authority, within certain limitations, to specify
what objects can be accessible. For example, access control lists
can be used. This type of access control is used in local, dynamic
situations where the subjects must have the discretion to specify
what resources certain users are permitted to access.
37. Information Security
Domain 2: Access Control Systems
• Non-Discretionary Access Control:
• A central authority determines what subjects can have access
to certain objects based on the organizational security policy.
The access controls may be based on the individual’s role in the
organization (role-based) or the subject’s responsibilities and
duties (task-based).
• Another type of non-discretionary access control is lattice-
based access control. In this type of control, a lattice model is
applied. In a lattice model, there are pairs of elements that
have the least upper bound of values and greatest lower bound
of values.
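A worked example of the mandatory and lattice-based access control described in the two slides above, added here as an illustration (it is not code from the deck). It assumes a four-level classification ladder that reuses the deck's level names, plus constructed need-to-know compartments (PROJ-ALPHA, PROJ-BETA); each label is a lattice element, so the least upper bound and greatest lower bound can be computed and every read decision can be explained for an audit log.

```python
from dataclasses import dataclass
from typing import FrozenSet

# Classification ladder ordered from least to most sensitive. The level names
# are those on the deck's data-classification slide; the ordering and all
# compartment names used below are assumptions made for this example.
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass(frozen=True)
class Label:
    """A lattice element: a hierarchical level plus a set of need-to-know
    compartments (project codewords, for instance)."""
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        # The lattice's partial order: this label dominates `other` only if its
        # level is at least as high AND it holds every compartment of `other`.
        # Clearance alone is not enough; the compartments are the need-to-know.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def lub(a: Label, b: Label) -> Label:
    """Least upper bound: the lowest label dominating both a and b, i.e. the
    label a document that combines material from a and b must carry."""
    level = a.level if LEVELS[a.level] >= LEVELS[b.level] else b.level
    return Label(level, a.compartments | b.compartments)


def glb(a: Label, b: Label) -> Label:
    """Greatest lower bound: the highest label that both a and b dominate;
    information at glb(a, b) is readable by anyone cleared for either."""
    level = a.level if LEVELS[a.level] <= LEVELS[b.level] else b.level
    return Label(level, a.compartments & b.compartments)


def can_read(subject: Label, obj: Label) -> bool:
    """MAC read check: the subject's clearance must dominate the object's
    classification, so both the level and the need-to-know are enforced."""
    return subject.dominates(obj)


def check_read(subject: Label, obj: Label) -> str:
    """Same decision as can_read, with a reason suitable for an audit log."""
    if LEVELS[subject.level] < LEVELS[obj.level]:
        return "denied: insufficient clearance level"
    missing = obj.compartments - subject.compartments
    if missing:
        return "denied: missing need-to-know compartments: " + ", ".join(sorted(missing))
    return "allowed"


if __name__ == "__main__":
    # Constructed subject and objects.
    alice = Label("Secret", frozenset({"PROJ-ALPHA"}))
    for doc in (Label("Confidential", frozenset({"PROJ-ALPHA"})),
                Label("Secret", frozenset({"PROJ-BETA"})),
                Label("Top Secret"),
                Label("Unclassified")):
        print(doc, "->", check_read(alice, doc))
    merged = lub(Label("Confidential", frozenset({"PROJ-ALPHA"})),
                 Label("Secret", frozenset({"PROJ-BETA"})))
    print("combined document must be labelled", merged)
```

The Secret-cleared subject is denied a Secret document in a compartment she does not hold, which is the "cleared but no need to know" case the slide describes; `lub` shows why a document that merges two sources inherits both the higher level and the union of compartments.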
38. Information Security
Domain 3:Telecom and Network Security
• The Telecommunications and Network Security domain includes
the structures, transmission methods, transport formats, and
security measures that are used to provide confidentiality, integrity and
availability (CIA) for transmissions over private and public communications
networks and media.
• Remote Access Security Management (RASM) is defined as the
management of the elements of the technology of remote
computing.
• Intrusion Detection (ID) and Response is the task of monitoring
systems for evidence of an intrusion or inappropriate usage.
This includes notifying the appropriate parties to take action in
order to determine the severity of an incident and to
remediate the incident's effects. This is not a preventative
function.
• As part of a structured program of Intrusion Detection and
Response, a Computer Emergency Response Team (CERT) or
Computer Incident Response Team (CIRT) is commonly created.
39. Information Security
Domain 3:Telecom and Network Security
• A Single Point of Failure is an element in the network design that, if it
fails or is compromised, can negatively affect the entire network.
Network design methodologies expend a lot of time and resources to
search for these points;
• Blackouts, brownouts, surges, and spikes are all examples of power
fluctuations that can seriously harm any electronic equipment.
Servers, firewalls, routers, and mission-critical workstations are
network devices that should have their own Uninterruptible Power
Supply (UPS) attached.
• Manage the various types of attacks and abuses of networked
systems, like Denial of Service attacks, spoofing, session hijacking
etc., by implementing proper systems and firewalls.
40. Information Security
Domain 4: Cryptography
• The purpose of cryptography is to protect transmitted
information from being read and understood by anyone
except the intended recipient.
• The two principal types of cryptographic technologies are
symmetric key (secret key or private key) cryptography and
asymmetric (public key) cryptography.
• In symmetric key cryptography, both the receiver and sender
share a common secret key. In asymmetric key cryptography,
the sender and receiver use a public key and a corresponding
private key. The public and private keys are related
mathematically and, in an ideal case, have the characteristic
that an individual who has the public key cannot derive
the private key.
41. Information Security
Domain 4: Cryptography
• Symmetric key or secret key
1. Data Encryption Standard (DES)
2. Triple DES
3. The Advanced Encryption Standard
(AES)
42. Information Security
Domain 4: Cryptography
• Public (Asymmetric) Key:
• Public key systems employ two keys, a public key and a private
key. The public key is made available to anyone wanting to
encrypt and send a message. The private key is used to decrypt
the message. Thus, the need to exchange secret keys is
eliminated. The following are the important points to note:
• The public key cannot decrypt the message that it encrypted.
• Ideally, the private key cannot be derived from the public key.
• A message that is encrypted by one of the keys can be decrypted
with the other key.
• The private key is kept private.
• Important public key algorithms that have been developed include
the Diffie-Hellman key exchange protocol, RSA, ElGamal,
Knapsack, and Elliptic Curve cryptography.
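An added example, not from the deck, that exercises the four properties listed above with textbook RSA. The primes 61 and 53 are constructed for the example and deliberately tiny so that every number stays readable; with them one can check in a few lines that the private key decrypts, that the public key cannot undo its own encryption, that a value produced with the private key is reversed by the public key (the basis of signatures), and that deriving the private key from the public key is feasible here only because a modulus this small can be factored by trial division.

```python
from math import gcd, isqrt
from typing import Optional, Tuple

Key = Tuple[int, int]   # (exponent, modulus)

# Toy primes, constructed for this example and far too small for real use;
# they keep the numbers readable.
P, Q = 61, 53


def generate_keypair(p: int, q: int, e: int = 17) -> Tuple[Key, Key]:
    """Textbook RSA key generation. Returns (public_key, private_key)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)           # modular inverse; needs Python 3.8+
    return (e, n), (d, n)


def apply_key(key: Key, x: int) -> int:
    """RSA is the same modular exponentiation in both directions; only the
    exponent differs, which is what lets either key undo the other."""
    exponent, n = key
    return pow(x, exponent, n)


def encrypt(public_key: Key, m: int) -> int:
    return apply_key(public_key, m)


def decrypt(private_key: Key, c: int) -> int:
    return apply_key(private_key, c)


def sign(private_key: Key, m: int) -> int:
    """'Encrypt' with the private key: anyone holding the public key can
    reverse it, which shows the private-key holder produced the value."""
    return apply_key(private_key, m)


def verify(public_key: Key, m: int, signature: int) -> bool:
    return apply_key(public_key, signature) == m


def derive_private_from_public(public_key: Key) -> Optional[Key]:
    """Recovering d from (e, n) requires factoring n. Trial division succeeds
    on this toy modulus instantly, which is exactly why real keys use a
    modulus of 2048 bits or more, where factoring is infeasible."""
    e, n = public_key
    for candidate in range(2, isqrt(n) + 1):
        if n % candidate == 0:
            p, q = candidate, n // candidate
            return pow(e, -1, (p - 1) * (q - 1)), n
    return None


if __name__ == "__main__":
    public, private = generate_keypair(P, Q)
    m = 65                                     # constructed message
    c = encrypt(public, m)
    print("ciphertext", c, "decrypts to", decrypt(private, c))
    print("public key applied to its own ciphertext gives", apply_key(public, c), "(not the message)")
    s = sign(private, m)
    print("signature verifies:", verify(public, m, s))
    print("private key recovered by factoring toy modulus:", derive_private_from_public(public) == private)
```

Real deployments never use raw textbook RSA on a bare integer: padding schemes and hashing are layered on top, and the key sizes are thousands of bits; the toy here is only meant to make the four listed properties observable.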
44. Information Security
Domain 5: Security Architecture and Models
• Distributed Architecture:
• Security mechanisms can be put into place to counter security
vulnerabilities that can exist in a distributed environment. Such
mechanisms are
• Email and download/upload policies
• Robust access control, which includes biometrics to restrict access
to desktop systems
• Graphical user interface mechanisms to restrict access to critical
information
• File encryption
• Separation of the processes that run in privileged or non-privileged
processor states
• Protection domains
• Protection of the sensitive disks by locking them in non-movable
containers and by physically securing the desktop system or laptop
• Distinct labeling of disks and materials according to their
classification or an organization’s sensitivity
• A centralized backup of desktop system files
45. Information Security
Domain 5: Security Architecture and Models
• Protection mechanism:
• One way is use of protection rings. These rings are organized with
the most privileged domain located in the center of the ring and
the least privileged domain in the outermost ring.
46. Information Security
Domain 6 : Operations Security
• Operations Security refers to the act of understanding the
threats to and vulnerabilities of computer operations in order to
routinely support operational activities that enable computer
systems to function correctly.
• Controls used: Preventative Controls , Detective Controls,
Corrective (or Recovery) Controls
• Orange Book Controls: The Trusted Computer Security Evaluation
Criteria (TCSEC, the Orange Book) defines operational assurance
and life cycle assurance.
• The operational assurance requirements specified in the Orange
Book are as follows:
• System architecture
• System integrity
• Covert channel analysis
• Trusted facility management
• Trusted recovery
47. Information Security
Domain 6 : Operations Security
• The life cycle assurance requirements specified in the Orange
Book are as follows:
• Security testing
• Design specification and testing
• Configuration management
• Trusted distribution
• Covert channels are a secret way to convey information to
another person or program.
• Trusted facility management is defined as the assignment of a
specific individual to administer the security-related functions of a
system.
48. Information Security
Domain 7: Applications and Systems Development
1. The software life cycle development process
2. The software process capability maturity model
3. Object-oriented systems
4. Artificial intelligence systems
5. Database systems
6. Application controls
• Artificial intelligence systems:
– Expert Systems :
– These systems attempt to mimic the workings of the human
mind.
49. Information Security
Domain 7: Applications and Systems Development
• Computer programs are usually defined as
• algorithm + data structures = program
• In an expert system, the relationship is
• inference engine + knowledge base = expert system
• The knowledge base contains facts and the rules concerning the
domain of the problem in the form of If-Then statements.
• The inference engine compares information it has acquired in
memory to the If portion of the rules in the knowledge base to see
if there is a match. If there is a match, the rule is ready to “fire”
and is placed in a list for execution.
• Certain rules may have a higher priority or salience, and the system
will fire these rules before others that have a lower salience.
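An added example (not from the deck) of the inference engine plus knowledge base just described: a small forward-chaining engine whose rules are If-Then statements with a salience, applied to a constructed security-monitoring knowledge base where the facts describe one login event. The firing trace shows the higher-salience "escalate" rule going ahead of a lower-salience rule that had been matchable from the start. All rule and fact names are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Rule:
    """One If-Then rule of the knowledge base: `when` is the If part (facts
    that must all be in working memory), `then` the fact asserted on firing."""
    name: str
    when: FrozenSet[str]
    then: str
    salience: int = 0          # higher salience is fired first


def run_inference(rules: List[Rule], initial_facts: Set[str]) -> Tuple[Set[str], List[str]]:
    """Forward-chaining inference engine: match, resolve conflicts by salience,
    fire one rule, repeat until nothing matches. Returns the final facts and
    the firing order."""
    facts = set(initial_facts)
    fired: List[str] = []
    while True:
        # Match: rules whose If part is satisfied and that have not fired yet
        # (refraction: a rule fires at most once on the same facts).
        agenda = [r for r in rules if r.when <= facts and r.name not in fired]
        if not agenda:
            return facts, fired
        # Conflict resolution: highest salience first; the sort is stable, so
        # ties keep knowledge-base order.
        agenda.sort(key=lambda r: r.salience, reverse=True)
        rule = agenda[0]
        facts.add(rule.then)   # fire: assert the Then part into working memory
        fired.append(rule.name)


# Constructed knowledge base for a login-monitoring example (the rule and fact
# names are assumptions made here, not taken from the deck).
KNOWLEDGE_BASE = [
    Rule("many-failures", frozenset({"failed_logins_over_threshold"}),
         "brute_force_suspected", salience=10),
    Rule("external-brute-force",
         frozenset({"brute_force_suspected", "source_is_external"}),
         "severity_high", salience=5),
    Rule("after-hours-review", frozenset({"after_hours"}),
         "review_needed", salience=1),
    Rule("escalate", frozenset({"severity_high"}), "page_on_call", salience=20),
]


def assess(observations: Set[str]) -> Tuple[Set[str], List[str]]:
    """Run the knowledge base over the facts observed for one login event."""
    return run_inference(KNOWLEDGE_BASE, observations)


if __name__ == "__main__":
    facts, order = assess({"failed_logins_over_threshold", "source_is_external", "after_hours"})
    print("fired:", order)          # escalate (salience 20) jumps ahead of after-hours-review
    print("conclusions:", sorted(facts))
```

Each pass re-evaluates the whole knowledge base against working memory, which is how a fact asserted by one rule ("severity_high") makes a previously unmatched rule eligible on the next pass; the refraction check is what stops an already-fired rule from looping forever.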
50. Information Security
Domain 7: Applications and Systems Development
–Neural Networks:
–An analog of the biological neuron system is shown in the slide's figure. Inputs I_i
to the neuron are modified by weights, W_i, and then summed
in unit S. If the weighted sum exceeds a threshold, unit S will
produce an output, Z. The value of a neural network is its
ability to dynamically adjust its weights in order to associate
the given input vectors with corresponding output vectors.
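An added example (not from the deck) of the single neuron just described, using the same symbols: inputs I_i, weights W_i, summing unit S, a threshold, and output Z, plus the perceptron learning rule as one way of adjusting the weights so that input vectors become associated with the wanted outputs. The training set is constructed for the example: three 0/1 features of a login attempt, labelled risky when at least two are set.

```python
from typing import List, Sequence, Tuple

# Constructed training set (an assumption for this example, not from the deck):
# each input vector I = (failed_attempts_high, new_device, foreign_ip) holds
# 0/1 features of a login, and the target Z is 1 ("risky") when at least two
# of the features are set. This is linearly separable, so training converges.
SAMPLES = [
    ((0, 0, 0), 0), ((0, 0, 1), 0), ((0, 1, 0), 0), ((1, 0, 0), 0),
    ((0, 1, 1), 1), ((1, 0, 1), 1), ((1, 1, 0), 1), ((1, 1, 1), 1),
]


def neuron(inputs: Sequence[float], weights: Sequence[float], threshold: float) -> int:
    """Unit S: sum the inputs I_i modified by weights W_i; output Z = 1 only
    if the weighted sum exceeds the threshold."""
    s = sum(i * w for i, w in zip(inputs, weights))
    return 1 if s > threshold else 0


def train(samples, n_inputs: int, learning_rate: float = 0.1,
          max_epochs: int = 1000) -> Tuple[List[float], float, int]:
    """Perceptron learning rule: on every misclassified sample, move each W_i
    by learning_rate * error * I_i and shift the threshold the opposite way,
    until a whole pass over the data produces no mistakes."""
    weights = [0.0] * n_inputs
    threshold = 0.0
    for epoch in range(1, max_epochs + 1):
        mistakes = 0
        for inputs, target in samples:
            error = target - neuron(inputs, weights, threshold)
            if error:
                mistakes += 1
                weights = [w + learning_rate * error * i for w, i in zip(weights, inputs)]
                # error > 0: S failed to fire, so lower the threshold;
                # error < 0: S fired wrongly, so raise it.
                threshold -= learning_rate * error
        if mistakes == 0:
            return weights, threshold, epoch
    raise RuntimeError("did not converge; the data may not be linearly separable")


def accuracy(samples, weights: Sequence[float], threshold: float) -> float:
    """Fraction of samples for which the trained neuron produces the target Z."""
    correct = sum(neuron(i, weights, threshold) == t for i, t in samples)
    return correct / len(samples)


if __name__ == "__main__":
    w, thr, epochs = train(SAMPLES, n_inputs=3)
    print(f"weights={w} threshold={thr:.2f} converged after {epochs} epochs")
    print("accuracy on training set:", accuracy(SAMPLES, w, thr))
```

A single neuron can only learn thresholds of a weighted sum (linearly separable rules); anything more, such as "risky only when exactly one feature is set", needs several neurons in layers, which is the step from this unit to a network.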
51. Information Security
Application Control Types
• Controls are grouped by type (Preventive, Detective, Corrective) and by the goal they serve (Accuracy, Security, Consistency):
• Preventive:
– Accuracy: Data checks, forms, custom screens, validity checks, contingency planning, and backups.
– Security: Firewalls, reference monitors, sensitivity labels, traffic padding, encryption, data classification, one-time passwords, contingency planning, separation of development, application and test environments.
– Consistency: Data dictionary, programming standards, and database management system.
• Detective:
– Accuracy: Cyclic redundancy checks, structured walk-throughs, hash totals, and reasonableness checks.
– Security: Intrusion detection systems and audit trails.
– Consistency: Comparison controls, relationship tests, and reconciliation controls.
• Corrective:
– Accuracy: Backups, control reports, before/after imaging reporting, and checkpoint restarts.
– Security: Emergency response and reference monitor controls.
– Consistency: Program comments and database
52. Information Security
Domain 8: Business Continuity Planning and Disaster
Recovery Planning
• BCP: Business continuity plans are created to prevent interruptions
to normal business activity. They are designed to protect critical
business processes from natural or man-made failures or disasters
and the resultant loss of capital due to the unavailability of normal
business processes.
• There are four major elements of the BCP process:
• Scope and Plan Initiation. This phase marks the beginning of the
BCP process. It entails creating the scope and the other elements
needed to define the parameters of the plan.
• Business Impact Assessment. A BIA is a process used to help
business units understand the impact of a disruptive event. This
phase includes the execution of a vulnerability assessment.
• Business Continuity Plan Development. This refers to using the
information collected in the BIA to develop the actual business
continuity plan. This includes the areas of plan implementation, plan
testing, and ongoing plan maintenance.
• Plan Approval and Implementation. This involves getting the final
senior management sign-off, creating enterprise-wide awareness of
the plan, and implementing a maintenance procedure for updating
the plan as needed.
53. Information Security
Domain 8: Business Continuity Planning and Disaster
Recovery Planning
• DR Planning:
• The objectives of the DRP are multiple but each is important.
• They include the following:
• Protecting an organization from major computer services failure
• Minimizing the risk to the organization from delays in providing
services
• Guaranteeing the reliability of standby systems through testing and
simulation
• Minimizing the decision-making required by personnel during a
disaster.
• 3 steps involved:
• The DRP process
• Testing the disaster recovery plan
• Disaster recovery procedures
54. Information Security
Domain 9:Law, Investigation, and Ethics
• Law:
• The U.S. Kennedy-Kassebaum Health Insurance Portability and
Accountability Act (HIPAA) addresses the issues of health care
privacy and plan portability in the United States. It covers:
• "The rights that an individual who is a subject of individually
identifiable health information should have
• The procedures that should be established for the exercise of such
rights
• The uses and disclosures of such information that should be
authorized or required"
• Inform all that email is being monitored by means of a prominent
log-on banner or some other frequent notification
55. Information Security
Domain 9:Law, Investigation, and Ethics
• 1984 U.S. Medical Computer Crime Act. Addresses illegal
access or alteration of computerized medical records through
phone or data networks.
• 1986 U.S. Electronic Communications Privacy Act. Prohibits
eavesdropping or the interception of message contents without
distinguishing between private or public systems
• 1991 U.S. Federal Sentencing Guidelines. Provides
punishment guidelines for those found guilty of breaking federal
law. These guidelines are as follows:
• Treat the unauthorized possession of information without the intent
to profit from the information as a crime.
• Address both individuals and organizations.
56. Information Security
Domain 9:Law, Investigation, and Ethics
• Investigation:
• The field of investigating computer crime is also known as computer
forensics. Specifically, computer forensics is the collecting of
information from and about computer systems that is admissible in a
court of law
• Involves
• Evidence gathering
• Searching and seizing source computers
• Trial and punishment
• Laws are not clear in these areas.
57. Information Security
Domain 9:Law, Investigation, and Ethics
• Ethics:
• Conduct themselves in accordance with the highest standards of
moral, ethical, and legal behavior.
• Not commit or be a party to any unlawful or unethical act that may
negatively affect their professional reputation or the reputation of
their profession.
• Appropriately report activity related to the profession that they
believe to be unlawful and shall cooperate with resulting
investigations.
• Support efforts to promote understanding and acceptance of
prudent information security measures throughout the public,
private, and academic sectors of our global information society.
• Provide competent service to their employers and clients, and shall
avoid any conflicts of interest.
• Execute responsibilities in a manner consistent with the highest
standards of their profession.
• Not misuse the information in which they come into contact during
the course of their duties, and they shall maintain the
confidentiality of all information in their possession that is so
identified.
58. Information Security
Domain 10:Physical Security
• The Physical Security domain addresses the threats,
vulnerabilities, and countermeasures that can be utilized to
physically protect an enterprise's resources and sensitive
information. These resources include personnel, the facility in
which they work, and the data, equipment, support systems, and
media with which they work.
• Physical security often refers to the measures taken to protect
systems, buildings, and their related supporting infrastructure
against threats that are associated with the physical environment.
• Threats addressed: interruptions in providing computer services, physical damage,
unauthorized disclosure of information, loss of control over the
system, physical theft.
• Countermeasures: administrative controls, and physical and technical controls.