2. Aims
• Understanding of information security and its key concepts
• Understanding the role model for having a robust Information Security Management System implementation
• Empowerment of the Information Security Management System through implementing best practices for People, Process and Technology
• A few guidelines to maintain network and personal security
3. The Growth of Internet Crime
“Of the top five categories of offenses reported to law enforcement during
2009, non-delivered merchandise and/or payment ranked 19.9%; identity
theft, 14.1%; credit card fraud, 10.4%; auction fraud, 10.3%; and computer
fraud (destruction/damage/vandalism of property), 7.9%.”
4. Information Security
• What is it?
- The process in which the “Confidentiality”, “Integrity” and “Availability” of information are ensured.
• In other words:
- protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.
(United States Code, title 44)
5. Main Concepts
– Confidentiality
Preventing unauthorized persons or parties from getting access to the information
– Integrity
Safeguarding the accuracy and completeness of information and processing methods
– Availability
Ensuring access for authorized persons/parties any time it is needed.
6. Information classification
• The act of tagging information with labels in order to divide it into different groups.
• When it comes to information security, it should be the first step!
• It enables information to be treated in sets with similar procedures, for easier handling and better management.
7. Information classification
• It clarifies information usage with respect to access control and confidentiality protection.
– The first issue is who is qualified to determine the classification
– Mostly context and content dependent
– Normally can be changed by time and circumstances
• The best-known example is the classical military classification
– Unclassified
– Secret
– Top secret
• In the data world both “data” and “persons” are categorized to manage access control
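The slide's point that both data and persons are categorized can be made concrete with a small labelling check. This is an added illustration, not code from the slides: it assumes the three military levels above, a constructed catalogue of documents and persons, a "read only what your clearance dominates" rule, and a reclassification rule where only someone cleared for both the old and the new label may change it (slide 7's "who is qualified to determine this").

```python
from enum import IntEnum


class Level(IntEnum):
    """Ordered classification labels; a higher value dominates a lower one."""
    UNCLASSIFIED = 0
    SECRET = 1
    TOP_SECRET = 2


# Constructed sample catalogue: every record carries a classification label.
DOCUMENTS = {
    "press-release.txt": Level.UNCLASSIFIED,
    "q3-investment-strategy.xlsx": Level.SECRET,
    "new-product-spec.pdf": Level.TOP_SECRET,
}

# Constructed sample of persons and the clearance each one holds.
PERSONS = {"alice": Level.TOP_SECRET, "bob": Level.SECRET, "carol": Level.UNCLASSIFIED}


def parse_label(text):
    """Normalise a label as written on a document ('Top secret') to a Level; unknown labels are rejected."""
    key = text.strip().upper().replace(" ", "_")
    try:
        return Level[key]
    except KeyError:
        raise ValueError(f"unknown classification label: {text!r}")


def can_read(person, document, catalogue=DOCUMENTS):
    """Confidentiality rule: a person may read a record only if their clearance dominates its label."""
    return PERSONS[person] >= catalogue[document]


def readable_by(person, catalogue=DOCUMENTS):
    """All records a person is cleared to read, in sorted order."""
    return sorted(d for d in catalogue if can_read(person, d, catalogue))


def reclassify(catalogue, document, new_label, by_person):
    """Change a record's label; allowed only for someone cleared for both the old and the new label.

    Returns True when the change was applied, False when the person is not qualified to make it.
    """
    old_label = catalogue[document]
    if PERSONS[by_person] < max(old_label, new_label):
        return False
    catalogue[document] = new_label
    return True
```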
8. Confidentiality
• Confidentiality ensures that only those with the rights and privileges to access information are able to do so.
• Complete confidentiality can be impossible to ensure at times.
• Examples:
– research data
– medical and insurance records
– new product specifications
– corporate investment strategies
9. Integrity
• Information has integrity when it is whole, complete, and uncorrupted.
• The integrity of information is threatened when the information is exposed to corruption, damage, destruction, or other disruption of its authentic state.
• When information is modified in unexpected ways, the result is known as loss of integrity.
• It defines authenticity and the level of trust
10. Availability
• Timely, reliable access to data and information services for authorized users; it has three main factors:
– Reliability: the degree to which a system performs its purpose for the period of time intended under the operating conditions encountered
– Accessibility: the degree to which a system is usable by as many people as possible without modification; characterized in terms of the ability of users to have physical access to the system.
– Timeliness: the responsiveness of a system or resource to a user request. In fact,
11. Availability
• Traditionally, information availability has mostly been measured by the amount of time an information resource is either processing or not (uptime and downtime)
• Other secondary factors:
– Redundancy and thorough system backups
– Preventive and corrective maintenance
12. Possible Threats
• High user knowledge of IT systems
• Theft, sabotage, misuse
• Virus attacks
• Systems & network failure
• Lack of documentation
• Lapse in physical security
• Natural calamities & fire
14. Planning of InfoSec
• A strategic view will be:
– Analysis of the current situation;
– Identification of business-strategy requirements;
– Identification of legal and regulatory requirements;
– Identification of requirements due to external trends;
– Definition of the target situation;
– Definition and prioritization of strategic initiatives;
– Distribution of the draft strategy;
– Agreement and publication of the final strategy.
The InfoSec Policy is approved by Top Management
15. History
Early 1990
• DTI (UK) established a working group
• Information Security Management Code of Practice produced as
BSI-DISC publication
1995
• BS 7799 published as UK Standard
1999
• BS 7799-1:1999 second revision published
2000
• BS 7799-1 accepted by ISO and published as ISO 17799
• BS 7799-2:2002 published
16. History
• ISO 27001:2005
Information technology — Security techniques — Information
security management systems — Requirements
• ISO 27002:2005
Information technology — Security techniques — Code of
practice for information security management
17. Security Triangle again
• Information Security Policy
• Organisation of Information Security
• Asset Management
• Human Resource Security
• Physical Security
• Communication & Operations Management
• Access Control
• System Development & Maintenance
• Incident Management
• Business Continuity Planning
• Compliance
(Triangle vertex label recovered from the diagram: Availability)
19. Technologies
• Prevention of physical access by unauthorized people
• Data network security by using proper access control
• Communication line security
– Preventing eavesdroppers
– Avoiding line tapping
– Stopping intruder attacks
20. Technologies
• Proper hardware design is the main solution:
– Firewalls: prevent unauthorized access from the outside network
– VPN: provides secure channels for transferring sensitive information
– Antivirus: ensures the security of stored data by stopping worms, viruses, malware and Trojans
21. Processes
• The processes refer to "work practices" or workflow. Processes are the repeatable steps to accomplish business objectives.
• Generally this part, which is managed by software in data networks and by administrative paperwork in the physical environment, works under the supervision of a set of rules called “Policies”
• As mentioned before, policies are made by strategic planners and approved by top management.
• Asset management is the main process of any InfoSec solution
22. Human Factor
• People are the biggest assets
• But they are also the biggest threat
– More than 70% of threats are internal
– More than two thirds express their inability to determine “Whether my systems are currently compromised?”
– Psychological manipulation (“Social Engineering”)
• Human awareness is the most important issue
• Also handled under the asset management part
23. THE 10 RULES OF THE SOHO INTERNET
1. Safeguard your computer.
2. Use strong passwords and a screensaver.
3. Update and patch your operating system.
4. Have an up-to-date firewall.
5. Have up-to-date anti-virus software.
6. Act anti-spam.
7. Use up-to-date anti-spyware/adware tools.
8. Be sensible – don’t take unnecessary risks.
9. Back it up.
10. Fix problems as soon as they arise.
24. Safe Password
Do:
• Always use a password of at least 8 characters with a combination of alphabetic characters, numbers and special characters (*, %, @, #, $, ^)
• Use passwords that can be easily remembered by you
• Change your password regularly as per policy
• Use a password that is significantly different from earlier passwords
Don’t:
• Use passwords which reveal your personal information or words found in a dictionary
• Write down or store passwords
• Share passwords over phone or email
• Use passwords which do not match the above complexity criteria
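The rules on this slide can be enforced mechanically before a password is accepted. The checker below is an added example, not code from the slides; it assumes the slide's criteria (at least 8 characters, letters plus digits plus one of * % @ # $ ^, no dictionary words, no personal information, significantly different from earlier passwords), uses a constructed stand-in for a real dictionary file, and treats "significantly different" as a similarity ratio below an assumed threshold of 0.6.

```python
import re
from difflib import SequenceMatcher

SPECIALS = set("*%@#$^")            # the special characters listed on the slide
SIMILARITY_LIMIT = 0.6              # assumed threshold for "significantly different"

# Constructed tiny word list standing in for a real dictionary file.
DICTIONARY = {"password", "welcome", "summer", "dragon", "letmein"}


def check_password(candidate, previous=(), personal_info=(), dictionary=DICTIONARY):
    """Return the list of policy violations for a candidate password (empty list = acceptable).

    previous: earlier passwords of the same user (plaintext here only for illustration).
    personal_info: strings such as the user's name, birth year or pet name.
    """
    problems = []
    if len(candidate) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"[A-Za-z]", candidate):
        problems.append("no alphabetic character")
    if not re.search(r"[0-9]", candidate):
        problems.append("no digit")
    if not any(c in SPECIALS for c in candidate):
        problems.append("no special character from * % @ # $ ^")

    lowered = candidate.lower()
    # Dictionary words and personal information are rejected as case-insensitive substrings.
    for word in sorted(dictionary):
        if word in lowered:
            problems.append(f"contains dictionary word {word!r}")
    for item in personal_info:
        if item and item.lower() in lowered:
            problems.append(f"contains personal information {item!r}")

    # "Significantly different from earlier passwords": compare against each old one.
    for old in previous:
        if SequenceMatcher(None, lowered, old.lower()).ratio() >= SIMILARITY_LIMIT:
            problems.append("too similar to an earlier password")
            break
    return problems


def is_acceptable(candidate, **kwargs):
    """Convenience wrapper: True when no rule is violated."""
    return not check_password(candidate, **kwargs)
```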
25. Enterprise Security Evaluation
• Five questions:
– What assets are you trying to protect?
– What are the risks to these assets?
– How well does the security solution mitigate those risks?
– What other risks does the security solution cause?
– What costs and trade-offs does the security solution impose?
• These questions don’t produce a solution; they evaluate a particular one
26. Concluding Remarks
• InfoSec is an up-to-date understanding of risks and assurance controls.
• Balancing protection from risks against controls is the guarantee of business continuity and availability of information
• Policies are statements of management intentions and goals
• Value defines the importance of information and the required protection level
• The protection level determines procedures and policies
• Policies are approved by high-level managers
• Senior management support and approval is vital to success
• A successful system should have different levels of security to allow flexibility